Questions on Data Analytics and Fraud

The Association of Certified Fraud Examiners has just released a new benchmarking report on anti-fraud technology, with some interesting findings about fraud detection that make me wonder whether compliance folks are managing internal controls as efficiently as we might.

ACFE published its 2024 Anti-Fraud Technology Benchmarking Report on Tuesday, based on a survey of nearly 1,200 anti-fraud professionals around the world. The first part of the report paints a rather rosy forward-looking picture: that within a few years, organizations all over the place will be using AI and advanced data analytics to root out fraud. Let’s start with that good stuff:

  • 91 percent of respondents already use data analytics in their fraud detection programs today.
  • 83 percent expect to use generative AI in their anti-fraud programs in the next two to five years.
  • 59 percent expect to increase their budgets for anti-fraud technology over the next two years (although 82 percent worry that budget constraints might be a significant challenge to them adopting new tech in coming years).

Then comes the latter half of the report, with findings that suggest many organizations aren’t using existing technology to improve their anti-fraud programs today:

  • 57 percent of respondents said their organizations don’t use case management software.
  • 71 percent said they don’t use digital forensics or e-discovery software.
  • 67 percent said they don’t use online-evidence capturing software. 

Those numbers don’t warm the internal control enthusiast’s heart. We might attribute them to the size of the respondents’ employers. Nearly half came from organizations with fewer than 1,000 employees (which are less likely to have advanced technology), while only 22 percent came from truly large companies (which would). Still, even before we get to generative AI and all the whiz-bang stuff, it seems like plenty of companies aren’t yet using sophisticated anti-fraud tech right now.

Then come other findings about how businesses are using the anti-fraud technologies that they do have. That brings us to my original question about whether compliance (and internal audit) teams are managing internal controls as efficiently and skillfully as possible.

Anti-Fraud Across the Enterprise

Let’s first start with a look at the risk areas where organizations are using data analytics to detect fraud. See Figure 1, below.

[Figure 1: Risk areas where organizations use data analytics to detect fraud. Source: ACFE]

Notice, compliance officers, that bribery and corruption are far down the list, cited by only 25 percent of respondents. That number has barely budged in two years. (Although travel and entertainment fraud, along with payments fraud, place higher up the list; so maybe some respondents were conflating FCPA misconduct with those risks.)

But where people most commonly use data analytics right now, today, is in exception reporting and anomaly detection (cited by 57 percent of respondents). Think about what that means. You have an automated or embedded control of some kind — say, an alert any time a payment goes to a third party that hasn’t completed due diligence — and the “control” is you, the human, reviewing that unusual transaction the technology brought to your attention.

So a few questions come to me right there. First, how often are companies using this sort of advanced analytics specifically to identify FCPA trouble — or are FCPA risks still an area ripe for better data analytics in coming years?

Second, how are these management review controls actually working? That is, do you have enough compliance analysts to keep pace with the volume of FCPA alerts you receive, and have those people been trained enough to make those management judgments well? (Perhaps the answer is “yes” to this question for FCPA risk specifically; but in the anti-money laundering world the answer seems to be “no” based on enforcement actions I’ve read over the years.) 

Questions like these are important because if we want to use data analytics for exception reporting and analysis, but companies don’t have personnel in sufficient numbers or skill to execute those management review controls skillfully, this is where AI will need to fill the gap. 

So as we have these rosy predictions that companies will rush to embrace generative AI in the near future, these other findings suggest how we might need to put generative AI to work: by helping overworked humans execute management review controls more efficiently. That’s the big-picture stuff you compliance officers might want to talk about with your head of internal audit and chief technology officer next time you’re all at a company happy hour.

Remember the Data

We have one other finding to consider, too. Amid all the anti-fraud data analytics that is going on, Figure 2 shows the sources of the data that businesses are analyzing.

[Figure 2: Sources of the data that businesses are analyzing. Source: ACFE]

I am not surprised that structured internal data (that is, data with clearly defined labels and formats, pulled from an Excel spreadsheet or some other type of report) would lead the pack. I do wonder, however, how companies could get their numbers up for all the other sources of data. 

For example, if you’re trying to assess corporate culture, you won’t find answers in structured internal data; you’ll find it in unstructured internal data such as emails or text messages of employees complaining about the boss or their compensation plans. Or you’ll find it from other third-party data, such as anonymous opinions on 

Plenty of significant compliance risks — corruption, money laundering, procurement fraud — won’t necessarily be found in the structured data that companies are analyzing right now. So how, in the fullness of time, will you design your anti-fraud and compliance programs to ingest all the other types of data that will provide better answers? That’s another question to ponder. 

Meanwhile, I look forward to the ACFE benchmarking report of 2027 or so, to see whether all these predictions about adoption of generative AI actually come to pass. 
