The Role of Business Fraud Detection in Risk Management Response

Like any hidden business risk, fraud can be costly and embarrassing if not managed properly. So we’re clear, I’m talking about misconduct, wrongdoing, theft, lying, and outright fraud here. But regardless of what we call it, the three-level risk management response covered below—of which business fraud detection is an essential part—is exactly the same.
Let’s examine what risk management response looks like and what specific steps to take for fraud detection…
Level One – Fraud Deterrence and Prevention
The first part of the three-level risk management response is proactive deterrence and prevention. This is achieved through strong anti-fraud controls and especially through effective manager and staff daily behaviors. For a deeper dive into prevention, refer to my article titled “Business Fraud Prevention: A Contrarian’s Take on Best Practices.”
At the risk of leaning too far into prevention (we’re talking about business fraud detection, after all), I offer my experience over four decades. What I’ve discovered is that in 90% of business fraud cases, the reason prevention failed was human. The controls in place were adequate in theory. However, inconsistent human execution of those controls was the primary reason the fraud occurred and went undetected for far too long.
Implicit in fraud detection is the assumption that prevention efforts failed, which leads us to the next fraud risk management level.
Level Two – Business Fraud Detection
Level two involves catching what slips through prevention defenses as fast as possible. When prevention efforts fail, the goal is prompt detection, while the cost is small, the reputation risks are low, and the efforts are modest.
Ultimately, business fraud detection takes place through four simple actions.
- Ensure Expectations Are Clear
The first action is to get crystal clear on what’s expected of you and every employee. I suggest having a “Hey, Boss!” discussion as soon as you can get it scheduled. An upcoming staff meeting is a great opportunity to ask questions and have everyone on your team hear the answers.
For example…
“Hey, Boss, am I (or are we) expected to look for fraud and similar wrongful acts while performing our work?”
Assuming the answer is “yes” (as it should be), proceed to question two.
“What kind of fraud should we look for?”
Answers might include the following:
- Theft
- Manipulated financial or operating results
- Shadow deals with third parties
- Technology schemes
- Other schemes related to your industry and management concerns
Once clear on what to look for, it’s time for the third and more important question.
“Hey, Boss. How hard should we look?”
Let’s pause and clarify. The answers to these three questions will vary depending on who is asking.
Internal auditors and government auditors should ask during planning meetings on each and every audit by adding the words “on this project” to the end of each question. For example, “Hey, Boss, are we expected to look for fraud on this project? What kind should we look for on this project? How hard should we look on this project?”
With clear answers to these questions, auditors will be ready to build detection-based audit program steps, make sampling decisions (including whether data analytics tools apply), create interview questions, and lay out the overall audit program for the project.
Likewise, employees, supervisors, and managers might ask, “Hey, Boss, am I expected to look for fraud in my daily work? If so, what kind should I look for? Please give me specific examples. And how hard should I look? Actively in each transaction? Passively as I perform other tasks? Please be clear on what you expect of me.”
- Identify Potential Indicators
The second step involves building a bridge from the risks specified in the “Hey, Boss” discussion above to the red flags, indicators, or other symptoms those risks would leave behind for us to see. This brainstorming asks and answers the question, “If this fraud were present, what would it look like in our records or the behaviors we could see?”
Here’s a tip for this phase that really sharpens focus. Ask, “If we knew this fraud scheme was happening to us right now, and if we were charged with proving it, what records would we pull? Who would we talk to and what would we ask? If we think from the perspective of the fraudster/thief, how might we get caught? What trail are we leaving behind?”
The end objective of fraud risk brainstorming is a robust list of red flags in manual documents, computerized records, and behaviors.
- Search for Red Flags
In step three of business fraud detection, we go look for these red flags.
How?
- We use daily staff and supervisor review steps and controls.
- We sort through management control and exception reports.
- We build audit program steps specifically designed to bring red flags to the surface.
- We ask staff if they have seen anything that was strange, odd, or curious to them or if they have signed or processed anything they were not sure was correct.
With the appropriate authority, we might ask if they are aware of anyone breaking the rules. Detection-focused controls, audit steps, and interview questions are essential to step three.
- Determine the Root Cause of Red Flags
In step four, we examine any red flags found to determine their true root cause. Maybe it’s fraud, but maybe it’s a mistake or a plain old error. Formal root cause analysis and critical thinking are the keys to step four.
Granted, these four steps are simple in principle but can become a bit more complicated in application. That’s one great reason business fraud detection, or detection of any other risk, is best done in a team format.
Here’s what these steps look like in sequence:
- Get your team together and ask the boss what he or she expects. That way, we all hear the same answer at the same time.
- Take those instructions and brainstorm lists of red flags and symptoms as a team.
- Go look for those same flags and indicators as a team, whether that’s on an audit or just daily management attention to details that cross your desk.
- Follow up as a team to determine the root cause of anomalies found.
Level Three – Referral to the Experts
If the hair on your neck is standing up or you have that hollow feeling in your stomach, shift immediately to level three of risk management: referral to those skilled and authorized to handle suspected fraud incidents. One of the greatest dangers to the proper handling of fraud events is managers and auditors who investigate on their own. When in doubt, call for help. Don’t do it on your own.
Make Business Fraud Detection a Priority
Although each part of the three-level risk management response plays an important role, business fraud detection is especially important. By ensuring your team understands the expectations, can identify potential indicators, knows how to search for red flags, and is able to determine root causes, your organization will be much better off. You’ll be able to uncover fraud sooner and address it accordingly.