Presentation work Paper - Cost Effective Fraud Risk Management
©2017
COST-EFFECTIVE FRAUD PREVENTION AND DETECTION MEASURES
When it comes to fraud risk management, one major constraint faced by organisations of all sizes
is the budget. In this session, participants will discover effective fraud prevention and detection
tools that can be implemented with very low cost and almost zero capital expenditure.
Participants will also learn the advantages and disadvantages of such tools, challenges in their
implementation, and how to effectively implement a plan to prevent and detect fraud.
CHARANJEET BHATIA, CFE, CISM
Head of Fraud Risk Management
FGB
Charanjeet Bhatia is an MBA with more than 19 years of experience in risk management, audit
and sales functions, and has worked in the banking sector in India, Tanzania, and the UAE. He is
currently working with FGB as Head of Group Fraud Risk Management and has also been
elected as Vice Chairman of the Fraud Prevention committee of the UAE Banking Federation.
Bhatia has conducted more than 500 fraud investigations as lead investigator on cases including
conflict of interest, data theft, document forgery, bribery and corruption, workplace ethics
violations, occupational fraud, syndicate fraud, electronic banking fraud and security. He has set
up the fraud risk management function from scratch in previous companies and has strengthened the
function at others by covering the complete life cycle of fraud risk management.
“Association of Certified Fraud Examiners,” “Certified Fraud Examiner,” “CFE,” “ACFE,” and the
ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc. The contents of
this paper may not be transmitted, re-published, modified, reproduced, distributed, copied, or sold without
the prior consent of the author.
2017 ACFE Fraud Conference Middle East
In this session, participants will learn how to:
• Introduce cost-effective fraud prevention and detection tools
• Choose the appropriate tools
• Overcome challenges in the implementation of tools
Level: Intermediate
Recommended prerequisites: An understanding of the
fraud examination process
Field of study: Specialised Knowledge
Introduction
While there are numerous expensive tools available to
implement fraud risk management programs, some
organisations are not able to implement them due to
budgetary constraints. In this presentation, you will learn
about cost-effective tools to aid fraud prevention and
detection measures at your organisation. You won’t need
any expensive systems or a large team of staff to implement
these cost-effective tools.[1]
The intent of this presentation is not to undermine
sophisticated systems and technology for fraud prevention
and detection, but rather to complement them with these
frugal tools. This presentation covers only the fraud
prevention and fraud detection components of effective
fraud risk management programs.
When we talk about fraud risk management, the idea is to
address the Fraud Triangle, meaning minimise the pressure
to commit fraud, reduce the opportunities to commit fraud,
and eliminate rationalisation to justify the fraud.[2] Fraud
prevention and detection programs should aim to achieve
these three key objectives by using a mix of techniques and
tools.

[1] Fraud Risk Management Program, www.acfe.com/fraudrisktools/guide.aspx
[2] To learn more about the Fraud Triangle, please visit www.acfe.com/fraud-triangle.aspx
Let’s look at how various fraud prevention and detection
tools can be used to address the Fraud Triangle. Let’s also
look at each component of the fraud prevention program in
detail.
Triangle
Components/Tools
Pressure Opportunity Rationalisation
Fraud Awareness Y Y Y
Fraud Detection Tools Y
Deterrent Action Y Y
FRA/RCSA Y
Staff Screening Y Y
Fraud Awareness
Fraud awareness is the most basic and most commonly used
fraud prevention tool. Through fraud awareness,
stakeholders are made aware of various types of fraud, how
to protect against them, and what should be done if they
occur. Fraud awareness can be generic in nature so that
common understanding about fraud is shared with relevant
stakeholders. In certain high-risk areas, fraud awareness
should be customised and information should be shared on
a need-to-know basis. Fraud awareness can be a double-edged
sword, as it can educate somebody who is under pressure
about the modus operandi to commit fraud.
Some examples of the various types of fraud awareness
tools are:
• Train the trainer programs
• Other control functions used as extended arms
• Conference calls
• Company intranet
• Use of existing stationery, email statement, checkbook cover, welcome kit
• Fraud awareness as part of induction program
Fraud awareness should be made part of the staff, vendor,
and customer onboarding process, and staff refreshers
should be done on an annual basis. Fraud awareness can
also be done through the use of screen savers on office
computers, audio messages on call centre waiting lines,
ATMs, company intranet, and company websites.
Care has to be taken that mandatory fraud awareness
programs do not become a tick-box exercise, which usually
happens with a lot of mandatory programs if the audience is
not convinced of the advantages of such programs.
The content and presentation of fraud awareness initiatives
must be created with the audience in mind. For example, an
email alert should consist of a catchy headline, relevant
image, and key message in a crisp manner. No one is going
to read a long email that doesn’t directly concern them. A
fraud risk professional has to think like a marketing
professional when designing fraud awareness programs.
Review of Product and Process Before Launch
A process to review new products and processes from a
fraud risk perspective is a very good investment, as fraud
risks can be identified before launch and mitigation
measures decided. At the least, this ensures that
stakeholders make an informed decision. Some ways
through which fraud risk can be identified include:
• What can go wrong? – Onboarding, delivery, processing
• Who can do wrong? – Staff, customers, vendors, third parties
• Where (premises) can it go wrong? – Internally or externally
Standard mitigating measures should include both
prevention and detection controls, as well as some form of
built-in sampling process to identify red flags.
While it is tempting to begin by planning to review all such
documents, always consider team strength and capability
when making final decisions. If the fraud risk team is
supposed to review all the documents, and for some reason
certain types of fraud occur that were not highlighted
during review of the concerned product, it might affect the
credibility of the fraud risk team.
RCSA/Fraud Risk Assessment (FRA)
There’s no denying that fraud risk assessments are a great
fraud prevention tool in the hands of experienced fraud risk
management professionals. If the team strength permits,
this must be done by the fraud risk function.
FRA can be done at two levels. The first is organisation-wide,
covering areas related to organisational policies, and is
more of a checklist-based activity. This helps in
benchmarking the fraud risk management function and can
provide input in charting the roadmap.
The second type of FRA is done at the process or product
level and is more detailed. Even if an organisation is
already conducting RCSA, internal audits, and so on, it
makes sense to conduct an FRA because other control tests
usually revolve around pure operational risks and might not
be as detailed as the FRA in terms of approach. FRA
involves meetings with stakeholders, including people
running the process on the floor, and review of SOPs and
policies, data analytics, and testing of controls for design
and effectiveness. Depending on the organisational
structure, process-level FRA can be done jointly with
RCSA or ops-risk teams.
Any fraud incident that happens subsequent to the FRA
should be checked to see whether it is part of an identified
risk or if it is a new risk that could not be identified during
the FRA. Similarly, if a fraud scenario was already
identified during the FRA, someone should check whether
the control design was defective or the control did not work
as intended. Such incidents should be considered when
scheduling the next FRA for the specific process area.
Fraud Detection Tools (FDT)
Data Analytics
If there’s a system available, then it can be used to
configure rules that can generate alerts. Certain systems
can also use transaction history to identify suspicious
transactions, etc. If such a system is not available,
simple data analytics can still be done by defining queries.
Some samples might be:
• Common fields (landline number, email ID, PO Box, fax number,
  mobile number, trade license number) for unrelated customer,
  staff, vendor records
• Mapping physical access records with system access records
• Running reports on leave data versus system access records
• Keyword alerts on communication records
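
Two of the sample queries above (common contact fields across unrelated records, and leave data versus system access records), written as an added example that is not part of the original paper. It uses Python's built-in sqlite3 module so it needs no purchased system; the table names, column names and all records are constructed assumptions.

```python
import sqlite3

# Constructed sample data; table and column names are assumptions for illustration.
SCHEMA = """
CREATE TABLE parties (party_id TEXT, kind TEXT, name TEXT, mobile TEXT, email TEXT);
CREATE TABLE leave_days (staff_id TEXT, day TEXT);
CREATE TABLE system_logins (staff_id TEXT, ts TEXT, terminal TEXT);
INSERT INTO parties VALUES
 ('S001','staff','A. Rahman','+971500000001','a.rahman@corp.example'),
 ('V114','vendor','Gulf Print LLC','+971 50 000 0001','sales@gulfprint.example'),
 ('C778','customer','N. Khan','+971500000042','n.khan@mail.example'),
 ('V230','vendor','Desert Supplies','','N.Khan@mail.example'),
 ('C900','customer','R. Ali','','r.ali@mail.example');
INSERT INTO leave_days VALUES ('S001','2017-03-14'), ('S002','2017-03-15');
INSERT INTO system_logins VALUES ('S001','2017-03-14 10:02:11','TERM-07'),
 ('S002','2017-03-16 09:00:00','TERM-03');
"""

def norm(value):
    """Lower-case and strip whitespace; blank becomes NULL so blanks never match."""
    cleaned = "".join(str(value or "").lower().split())
    return cleaned or None

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("norm", 1, norm)
    conn.executescript(SCHEMA)
    return conn

def shared_contact_fields(conn):
    """Record pairs of different kinds sharing a mobile number or email."""
    return conn.execute("""
        SELECT a.party_id, b.party_id,
               CASE WHEN norm(a.mobile) = norm(b.mobile) THEN 'mobile' ELSE 'email' END
        FROM parties a JOIN parties b
          ON a.party_id < b.party_id AND a.kind <> b.kind
         AND (norm(a.mobile) = norm(b.mobile) OR norm(a.email) = norm(b.email))
        ORDER BY a.party_id, b.party_id""").fetchall()

def logins_while_on_leave(conn):
    """Logins recorded on a day the same staff member was on approved leave."""
    return conn.execute("""
        SELECT l.staff_id, l.ts, l.terminal
        FROM system_logins l JOIN leave_days d
          ON d.staff_id = l.staff_id AND d.day = date(l.ts)
        ORDER BY l.ts""").fetchall()

if __name__ == "__main__":
    db = open_db()
    print(shared_contact_fields(db), logins_while_on_leave(db))
```

Each hit is a red flag for review rather than proof of fraud: a shared number may be a family member, and a login during leave may be an approved remote session.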
Mystery Shopping
Mystery shopping is an excellent tool for identifying
vulnerabilities that could be exploited to commit fraud.
It is similar to penetration testing used to identify
vulnerabilities in the IT infrastructure except that it
helps in identifying vulnerable processes and people.
If done by trained professionals, it can help in getting
assurance that controls are working as intended. It
should be done after consulting with senior
management but with the assurance that it must be kept
confidential. In order to avoid any legal implications,
the legal department of the company should be
consulted before initiating mystery shopping.
Mystery shopping can be done through a basic inquiry
process, which could be telephonic or a personal
meeting. Advanced mystery shopping might require
initiating onboarding process/transaction processing,
and this is where it is important to consider
safeguarding measures, as this knowledge could be
used by a corrupt mystery shopper to commit actual
fraud. Remember the adage, “Who will guard the
guards?”
Whistleblowing
No fraud risk management program can be effective
unless a whistleblowing mechanism is established in an
organisation. In order to derive full benefits of a
whistleblowing mechanism, it must be made accessible both
within and outside the organisation. While it is good to
have a whistleblowing hotline, a good whistleblowing
program is not dependent upon it. A good
whistleblowing system doesn’t necessarily have to be
expensive to start and maintain. It can be set up by
publicising communication channels, providing
assurance regarding confidentiality, and promising
protection (which must be backed by solid policies and
practices). If an organisation can live up to its promises,
then there’s no reason why a whistleblowing program
can’t be effective.
Some of the cost-effective communication channels
include:
• Email ID
• PO Box
• Webform – Intranet, website
• Phone number (could be on during working hours on a recorded
  line, which should be accessible to a group of people)
Channels for whistleblowing should be made visible
through the company Intranet, website, vendor RFP
documents, customer welcome letters, staff onboarding,
etc.
For a whistleblowing program to remain effective, the
company must ensure that all alerts received by the
team are evaluated and not summarily dismissed just
because enough evidence is not available. An alert in
itself might not provide enough information to take
action, but using information about other instances
involving key people, processes, units, etc., an
evaluation should be done as the next step. Engaging
the whistleblowing program is an important step in
making progress on the investigation. While it might be
helpful to understand the motives of the whistleblower,
they should not be given a lot of attention because the
most important thing is whether allegations are true.
Another important aspect of an effective
whistleblowing program is to keep it independent, and
management must understand that if the program is to
be effective, it has to be seen as independent, unbiased,
and objective. Things like identity, designation, and
motives of a whistleblower should not play a big role
when evaluating alerts.
Walks on the Floor
Periodic walks on the floor without overtly declaring
identity might provide more intelligence for fraud
detection than any structured program. Some
considerations while undertaking this are:
• Before, during, and after office hours
• On days when certain staff are working and others are not
  (Saturdays/public holidays)
• Processing areas, customer-facing areas, restricted areas
• Observe rather than confront
• Areas near photocopiers, printers
• Quick look at dustbins
• Area around shredders
Networking
Talking to your colleagues in the same industry can
provide useful intelligence regarding ongoing fraud
trends—something unusual noted by them. This works
only when such sharing is a two-way process, and it
requires contribution by all parties involved. Care
should be taken not to divulge confidential information,
though relevant information regarding modus operandi,
detection, and response should be considered for
sharing. Sometimes having open lines with anti-fraud
professionals in other industries can also provide useful
information. Attending industry forum meetings,
conferences, etc., creates opportunities to network with
people that have similar professional interests.