by Scott Moritz
Managing Director – Leader, Protiviti’s Fraud Risk Management Practice
In recognition of the 25th anniversary of the Association of Certified Fraud Examiners (ACFE) and International Fraud Awareness Week, Protiviti, whose practitioners include more than 100 members of the ACFE, is releasing a series of tips on fraud awareness to help raise awareness of the various ways that fraud can affect an organization and the proactive steps organizations can take to better position themselves in the ongoing fight against fraud.
Enabling technologies can drive a lot of efficiencies across a wide array of compliance processes, including fraud detection. However, what steps should organizations take to determine if their systems have been properly configured? Is the company examining the right data and are a reasonable number of alerts resulting in actual investigations that lead to the prevention of fraud?
A critically important control within any fraud prevention program is the performance of qualitative assessments of the investigations undertaken by the organization. These assessments should consider not only the investigations that started as fraud prevention system alerts, but also those that started as a result of other types of triggering mechanisms. The latter is important because there may be some blind spots in the overall process that could have been detected had the system been examining other categories of data or been configured differently.
Any sort of rules-based or anomaly detection system should be subject to periodic qualitative review and continuous process improvement. For example, if your company suddenly is experiencing a spike in losses associated with counterfeit checks and very few, if any, investigations were initiated as a result of fraud detection system alerts, it’s probably a good time to examine exactly what rules and anomaly detection scripts are being run and to apply any lessons learned from the recent uptick in counterfeit checks that the company has been processing.
New fraud schemes and technical exploits are emerging every day and your fraud detection processes should include a mechanism to adapt to these emerging threats. In addition, you should ask analysts and investigators who are working the alerts and investigations about which systems are working well and which are producing nothing but noise. Organizations are always fighting for headcount, but if your systems are not configured properly, how do you even know what the appropriate staffing level is for the unit?
Fraud detection systems are valuable tools that should drive efficiencies and enable you to do more with fewer people. They also should include tools to allow you to measure their effectiveness. Too often, companies buy expensive tools that are not properly configured and are never adjusted. In a worst-case scenario, analysts and investigators become slaves to a badly broken process, clearing meaningless alerts that yield nothing of value.
To realize the promise of increased efficiencies that drove the decision to buy these systems in the first place, companies must periodically measure how their systems are performing and continually adjust and adapt them, along with the associated investigative processes. The goals are to reduce the number of false positives, increase the number of alerts that warrant investigation, and reduce the number of investigations that take place despite the fact that the system did not generate alerts it should have.
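The measurements described above, and the counterfeit check scenario from earlier in the article, can be sketched in a few lines. This is an added example, not Protiviti's method or code: the rule names, categories, trigger sources, sample records and both thresholds are constructed assumptions.

```python
from collections import Counter

# Constructed sample data (not from the article): alert dispositions per rule,
# and investigations with their triggering source and outcome.
ALERTS = [
    ("velocity_rule", "false_positive"), ("velocity_rule", "false_positive"),
    ("velocity_rule", "false_positive"), ("velocity_rule", "investigated"),
    ("dup_invoice_rule", "investigated"), ("dup_invoice_rule", "investigated"),
    ("dup_invoice_rule", "false_positive"),
    ("check_amount_rule", "false_positive"), ("check_amount_rule", "false_positive"),
]
INVESTIGATIONS = [  # (fraud category, trigger source, confirmed fraud?)
    ("counterfeit_check", "customer_complaint", True),
    ("counterfeit_check", "bank_notification", True),
    ("counterfeit_check", "hotline_tip", True),
    ("counterfeit_check", "system_alert", False),
    ("duplicate_invoice", "system_alert", True),
    ("duplicate_invoice", "system_alert", True),
    ("duplicate_invoice", "internal_audit", True),
    ("card_testing", "system_alert", True),
]

def rule_yield(alerts):
    """Per rule: fraction of alerts that warranted an investigation."""
    totals, hits = Counter(), Counter()
    for rule, disposition in alerts:
        totals[rule] += 1
        hits[rule] += disposition == "investigated"
    return {rule: hits[rule] / totals[rule] for rule in totals}

def alert_coverage(investigations):
    """Per category: fraction of confirmed frauds first surfaced by an alert."""
    confirmed, from_alert = Counter(), Counter()
    for category, source, is_fraud in investigations:
        if is_fraud:
            confirmed[category] += 1
            from_alert[category] += source == "system_alert"
    return {c: from_alert[c] / confirmed[c] for c in confirmed}

def review_findings(alerts, investigations, min_yield=0.2, min_coverage=0.5):
    """Rules that are mostly noise, and categories the system is missing.
    The two thresholds are assumed values; set them from your own baseline."""
    noisy = sorted(r for r, y in rule_yield(alerts).items() if y < min_yield)
    blind = sorted(c for c, v in alert_coverage(investigations).items() if v < min_coverage)
    return {"noisy_rules": noisy, "blind_spots": blind}

if __name__ == "__main__":
    print(review_findings(ALERTS, INVESTIGATIONS))
```

A rule listed under `noisy_rules` is a candidate for tuning or retirement; a category under `blind_spots` is one where confirmed fraud is being found by people or third parties rather than by the system.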