By Gerard McDonnell, Regional Solution Director, Fraud & Security Intelligence at SAS
Fraud and corruption are unfortunate consequences of managing complex, geographically dispersed companies. Employees, customers, suppliers, and vendors have many reasons for engaging in fraudulent activities that can be grouped into the opportunistic, pre-meditated, and malicious (i.e., when an individual is disgruntled and believes they deserve more than they are getting) categories. Ultimately, it is an opportunity for a person to take money for themselves. Without the existence of continuous controls, these indiscretions can typically take an average of 32 months for an organisation to detect. By then, not only have the perpetrators disappeared, but the losses to the business are also significant with minimal chances of recovering them.
Corporate fraud is ultimately a cultural issue. Auditing departments and special groups reporting into the CFO or the board can deploy continuous controls to reduce fraudulent activity in the procure-to-pay, HR, contract and expense management processes proactively. Without a continuous control function, and management by auditors who operate independent from the rest of the organisation, fraud can be allowed to grow like a mould and be just as difficult to root out completely. This is why it is important to eradicate it as quickly as possible.
During any economic downturn such as the current one, people are resorting to these desperate measures more than before to grab extra funds from wherever they can. The Association of Certified Fraud Examiners (ACFE) supports this, noting that 79% of respondents to their latest benchmarking survey in November 2020 observed an increase in fraud, and an overwhelming majority (90%) expected fraud to continue increasing over the next 12 months. Supply chain networks are especially vulnerable to fraud due to their current volatility and sudden shifts in demand for products from consumers. PwC found that 43% of Malaysian organisations experienced fraud in the previous two years. In fact, Transparency International’s latest assessment of global corruption notes that many countries in Asia Pacific continue to struggle to combat corruption, registering an average score of 45 out of 100.
While many organisations rely on whistleblowing from employees to detect fraud, few are made aware of fraud incidents in this manner. In the same PwC survey, for example, less than 15% of Malaysian organisations were made aware of fraud incidents from whistle-blowers. Organisations need other ways to detect fraud, waste and abuse. Implementing continuous controls accomplishes this goal by allowing organisations to:
- Monitor for suspicious activity continuously, rather than calling in an investigator for a single case,
- Be more aware and transparent at the board level about the risks
- Strengthen approval processes that are slowed by manual steps.
This allows companies to catch more complex fraudulent activity before losses mount, reduce the long-term costs of audit, detection and investigation activities, and protect their brand reputation.
How do continuous controls prevent fraud?
Continuous control is a system that empowers organisations to monitor activities related to core business processes in the supply chain, procurement, and HR functions, for example, where fraud, waste and abuse may typically occur. These systems are now beginning to incorporate advanced analytics capabilities with artificial intelligence (AI) and machine learning (ML) solutions to learn good and bad behaviour and then automate some of the decision processes, particularly for detecting fraud, waste and abuse. This allows auditors to gain visibility and control over fraud issues so that they can deliver more value to the C-suite.
Some organisations automate the clearance process completely, which speeds up their approval process dramatically by clearing low risk cases and allowing fraud analysts to focus on high-risk cases. Decisions that would take days or weeks can be reduced to minutes because the system is providing internal auditors with information that would have taken them significant time to gather.
