FCPA Travel & Expense

In 2015- focus on external threats, internal threats, or both?

on January 06, 2015

Predictions are traditional at the beginning of the year and the world of fraud and compliance is no different. In this tradition, ACFE Insights blog recently provided their Top Fraud Predictions for 2015. In it, they talked a lot about how technologies will shape the fraud industry in 2015, and as an expense monitoring technology company, we at Oversight have our opinions on these predictions.

While I agree with Scott Patterson that new technologies make for both greater complexity and sophistication in fraud schemes as well as greater opportunities to detect and prevent fraud, this is no different than any other year for the past several hundred. Every year sees new opportunities to perpetrate fraud and new methods and tools for detecting and preventing it.

The three major types of occupational fraud (those in which an employee, manager, officer, or owner of an organization commits fraud to the detriment of that organization) are corruption, asset misappropriation, and fraudulent statements (see the Association of Certified Fraud Examiners [ACFE] fraud tree). While the details of how these frauds are committed have evolved over time, the basics haven’t changed. The questions organizations face in 2015 are the same ones they have faced previously, beginning with, “Will we focus on external threats, internal threats, or both?”

The challenge for everyone in 2015 will be the focusof these efforts. Most organizations place their anti-fraud emphasis on external fraud and security threats.  When I was in the information security business in the 1990s, all of the information security software companies and consultants were focused on helping organizations combat the “evil hacker dude.” The “evil hacker dudes” were a boon to the information security industry through their website defacements that prompted every CEO, CFO, and CIO to fear awakening to CNN reports that their company’s website was the latest hacker target. Ironically, FBI and Computer Security Institute (CSI) data at the time indicated that over 50% and as high as 75% of the financial losses due to computer incidents had resulted from inside threats, but the focus was on the external threats because of their public nature.

In many ways, it’s far easier for organizations to focus on external threats. Faceless threats are easier to dislike and easier to understand.  Internal threats are another story.  Facing these threats means believing that colleagues are willing to do things detrimental to others in the organization. But the reality is that the (ACFE--The Fraud Triangle) applies on the inside the same way it does on the outside – opportunity, financial pressure/need, and rationalization. Combatting fraud requires removing the distinction between inside and outside and focusing on identifying when fraud is occurring and then taking steps to prevent it from happening again.

Most organizations are loath to discuss insider incidents and it is the exception, rather than the rule, when companies choose to prosecute rather than terminate perpetrators of inside theft. Organizations want to think the best of their employees and it is all too common to hear “we’ve never had a fraud here.” Our 2014 Spend Analysis Report for T&E proves this simply isn’t true.

The reality is that companies who say they have never had a fraud are either statistical anomalies or they have just never identified a fraud. In the 2013/2014 Annual Global Fraud Survey commissioned by Kroll and executed by the Economist Intelligence Unit, over 630 of 901 senior executives polled reported at least one type of fraud in the previous year. We wrote a blog that stated a similar statistic: 27% of high-level executives were the ones committing expense fraud.

Leading companies are leveraging technologies like automated monitoring and analysis to combat fraud on both the inside and outside of organizations. Customers of Oversight Insights On Demand™ tell us that “inspecting what they expect” allows them to address errors, misuse, and potential fraud in timely and cost-effective ways. They tell us they see reductions in unexpected results as much as 70% in the first six months and savings from reduced errors and non-compliant activities that pay for the solution in as little as 30 days. As organizations look to technology as part of their 2015 anti-fraud efforts, automated monitoring and analysis should be at the top of the list.