The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.
By Victor Lessoff, Managing Director, Head of Internal Investigations, TIAA
What are some key considerations when designing an internal fraud detection system?
Internal fraud by its very nature is often insidious, complex and hard to identify. Employees and other insiders who are inclined to commit internal fraud generally have knowledge of the victim organization's internal controls, and the ability to circumvent them as well as to hide their activities. Accordingly, it takes significant effort and expertise to identify and respond to indicators of internal fraud.
Due to the time and effort involved, in order to be effective, organizations must first commit to properly funding and supporting internal fraud detection at the highest levels (Executive Management and/or Board of Directors) as it may take time to develop the systems and see results. Once a commitment from the top is achieved, one of the first steps in the process should be to conduct an Internal Fraud Risk assessment to identify the scope of concern and where the highest risk areas to focus initial detection efforts lie.
After the risk assessment is completed, the next steps would be to:
a. Identify the specific assets and/or areas at risk that you are trying to protect
b. Identify the various processes and scenarios where the assets are at risk and from what threats
c. Identify areas/processes that have been exploited from past experience either within your company or within your industry
d. Identify areas/processes that are vulnerable that could be subject to exploitation in future
e. Consider the robustness of controls in place
f. Identify what observable behaviors may represent exceptional or suspicious behavior and what counter-fraud strategies and data can be leveraged to expose these behaviors
Ultimately resources will have to be acquired, data identified and processes defined. A governing structure and reporting channels will also have to be developed as well as a review process.