How to Monitor for Fraud & Compliance When Internal Control Structure Is Displaced

As organizations monitor financial activity for potential fraud or compliance issues, many rely on the review of physical invoices, statements and/or receipts. Furthermore, many look for red flags when having face-to-face discussions with those in a position to authorize payments. As of mid-March, many organizations’ abilities to perform these otherwise standard tasks have been severely diminished, if not completely eliminated. 

So, what now? Many organizations can no longer have these in-person meetings and may not even have access to physical company documents. This is the perfect opportunity to reiterate the power of ongoing data monitoring. The reality of 2020 is that almost every transaction that occurs within an organization leaves an electronic trail full of useful and insightful information. It’s time to start building a compliance/fraud monitoring program with data analytics at the epicenter. 

There’s reliable evidence to suggest that these types of programs can help organizations lessen the economic effect and duration of fraud schemes. The Association of Certified Fraud Examiners (ACFE) publishes the results of a far-reaching fraud survey every two years in its “Report to the Nations” (Report).

The most recent Report’s results show that proactive data monitoring/analysis is the most successful control for reducing the duration of a fraud scheme and the second most successful in terms of economic effect, reducing each by more than 50 percent (pages 28–29):

The first step to take in implementing a program like this is to contact those within your organization who maintain and have access to the data required to develop this program. They likely sit within IT. The next step is identifying who within your organization has experience slicing and dicing data sets. This person doesn’t need to be a full-blown data scientist, but should be someone who at least knows how to make Excel dance. The initial hurdle of identifying the right team members may be challenging, but finding them will be crucial to making this a successful and worthwhile effort.

Now it’s time to schedule a call (perhaps one of those Zoom meetings everyone keeps talking about) with these individuals to discuss the objectives of the program, data needed to reach these objectives and which stakeholders should be involved. In general, the goal of this conversation should be to outline a compliance or fraud monitoring analytics program, which typically follows these steps:

• Strategic Question: Are we able to comfortably and successfully monitor our organization’s financial activity for possible compliance, abuse or fraud issues while we’re all working remotely?
• Objectives: Build a monitoring program leveraging data analytics that allows us to analyze 100 percent of transactions and isolate those that are highest risk. 
• Data: The kinds of data addressed here likely include some, or all, of the following: 
  • Accounts payable
  • General ledger
  • Billing
  • Invoices
  • Expense reimbursement
  • Time sheets
  • Vendor/customer/employee master files
  • Accounts receivable

More advanced programs might consider emails, text messages, instant messages and social media data.

• Procedures: What are the specific risk-centric questions you’re going to ask of the data, and what tools are you going to use to do so? The questions are asked in the form of queries/filtering of the data. They could be as simple as the following: 
  • Was the transaction for a rounded dollar amount?
  • Does the transaction appear to be duplicative? 
  • Does this vendor have a close relationship with one of our employees?
  • Did the payment receive proper authorization? 
  • Was the transaction an outlier when compared to typical activity?

The tools used could be Microsoft Excel, Access or, if you’re dealing with large data sets, SQL or Galvanize (formerly ACL). Every transaction within the set of data in question should pass through each of these procedures. This will give you 100 percent coverage.

• Analyze: Not all transactions that answered “yes” to the risk-centric questions necessarily warrant in-depth review. It’s important that the objectively highest-risk transactions reach an individual for analysis. Organizations can easily rank these transactions by determining which metrics lead to higher risk: a higher value, a riskier department within the organization, a transaction made more recently in time, answering “yes” to more than one of the risk questions, etc. 

Conducting this risk ranking will help you choose the top X percent of transactions to review based on resources and timing. During the analyze step in the process, you may be able to identify additional tools to use, such as Tableau, that will help you better visualize the results.

• Manage: Once the highest-risk transactions have been reviewed and the issues have been isolated, action will likely be taken. These actions could include updating codes of conduct, interviewing employees involved, reminding team members how to properly perform tasks or even terminating an individual. Through this process, additional issues might be identified. It’s important to take lessons learned and update and manage the program accordingly.

A benefit to developing a program like this is that nothing must be done in person. The stakeholders involved can be contacted via phone or video conferencing, the data is likely stored on either a server or the cloud, the analyses can be done on a computer at home or via remote desktops, and the results can be shared virtually. 

These kinds of trying times are the perfect opportunity for organizations to re-evaluate their processes. Often, we do things a certain way because they’ve always been done that way. By no means does that mean the old way is the only way. We may discover a plethora of new efficiencies to implement that will better serve us even once we’re back at the office. 

This kind of program is especially relevant if you’re in a decision-making position or if you work in internal audit. According to the ACFE, the second and third most common ways frauds are detected is through an internal audit and management review, as illustrated on page 17 of the Report:

Implementing these types of procedures can help your organization improve the odds of catching fraud early and reducing fraud losses. Using technology, especially in a remote environment, can be a great way to enhance your management reviews and internal audits when face-to-face time and business as usual aren't possible.    

BKD is here to help, and we offer services that assist in implementing these kinds of programs—and although we would love to meet in person, all of this can be done virtually.

As with most topics related to COVID-19, changes are being made rapidly. Please note that this information is current as of the date of publication. For more information, reach out to your BKD Trusted Advisor^™ or submit the Contact Us form below.