The Identification and Control of Fraudulent Behavior

The Association of Certified Fraud Examiner’s (ACFE) 2010 Report to the Nations on Occupational Fraud and Abusecompiled 1,843 cases of occupational fraud worldwide between January 2008 and December 2009. The survey estimated that a typical organization lost 5 percent of its annual revenue to fraud with a median loss of $160,000; nearly one-quarter of the frauds involved losses of at least $1 million. Applied to the 2009 Gross World Product, this figure translates to fraud losses of more than $2.9 trillion. The ACFE study provides data that helps in the prevention of fraud. The study showed that small organizations are disproportionately victimized by fraud and typically lack controls compared to larger organizations, and that more than 80 percent of fraud was committed by individuals working in one of six departments: accounting, operations, sales, executive/upper management, customer service or purchasing.

To combat cases of fraud, many companies have hired teams of auditors, physical and virtual security experts, compliance personnel, lawyers and even fraud investigators. However, in the majority of cases, utilizing these measures has only minimized the amount of fraud that has occurred. Clearly, the hiring of these individuals is not the total solution to the fraud problem. Some of the larger Fortune 500 companies have gone farther and hired a corporate security officer to coordinate the activities of all of the areas mentioned. The creation and implementation of a CSO, in some cases, has successfully reduced the amount of fraud within the corporation. Yet, for many companies the hiring of a CSO is not always possible, and in many situations it is the lack of this type of coordination that allows for fraud to occur. The lack of coordination makes any strategic program implementation very difficult. Whether the coordination of efforts is through a single voice like a CSO or with the unified efforts of several departments working together, a planned, coordinated approach to fraud reduction is an effective reduction strategy.

This coordinated approach should focus on specific characteristics of fraud prevention. The ACFE report indicated that fraud is more likely to be detected by tip than any other means. Surprise audits are another strategy that has shown to be effective in the fight against fraud. Less than 30 percent of victim organizations in the study conducted surprise audits; however, the study showed that organizations that utilized surprise audits tended to have lower fraud losses or detected frauds more quickly.

In developing a unified strategy that coordinates organizational efforts to reduce fraud, the unified approach should include aspect of identification and access control, specifically, a single credential to identify employees and control access into all levels of the organization and within all organizational systems. This includes access to all buildings, IT infrastructures, inventory and financial systems, along with debt services. Single credential means one product and process that works with all systems to authorize and track all persons gaining access into the corporate structure.

A unified credential approach to identification and access control means a process in which an employee, visitor, client or whoever is given access into corporate systems uses one identification process in order to access any and all of the systems they are granted access to. The process can be a simple password or access card. However, the best approach is the combination of both. The idea behind this concept is two-fold. First, a single credential makes it easier for the user, eliminating their desire to circumvent the system. Second, a single credential makes the identification of a user easier for the corporate entity to track. This allows for the auditing not only in individual systems but, most importantly, across all of the organizational systems.

As indicated in the ACFE report, auditing is one of the most under utilized tools to thwart fraud. Auditing should be used on a surprise or regulated basis and the audit should track exceptional behaviors within the workings of all the corporate systems together. Exceptions or abnormal patterns of behavior within the working structures of the day-to-day operations of any single or group of users can determine the start of or existence of fraudulent behavior. It is this single method of monitoring that can dramatically reduce fraud. By monitoring access to systems and use within these systems unusual behavior can be recognized.

The idea of exception reporting is not new. The idea is to look at those patterns of behavior that have strayed from conformity or the majority. This data is the most important in determining and monitoring adverse behaviors. It is the ability to obtain this type of data not just from the access control system but also from all of the organization’s systems. Computer log-on into desktop computers, procurement systems, payroll systems and client records together produces a clearer picture of behaviors. The goal to reducing fraud is the collection of behaviors that can determine patterns of unusual or abnormal behaviors. Whether collecting data from a study conducted by ACFE or from the coordinated direction of the CSO, auditing of adverse behaviors is a solid method of deterrence in the fight against occupational fraud.

Bernard J. Scaglione, CPP, CHPA, CHSP is the Director of Healthcare Security Services for G4S Secure Solutions. He has 30 years of experience in the healthcare security field including a Master’s Degree from Rutgers University School of Criminal Justice in New Jersey. Ben currently serves on the Board of the International Association for Healthcare Security and Safety (IAHSS). He served on IAHSS Education Council from 2005 until 2011. Ben is past Chairman of the ASIS International Healthcare Council and the Past President of the New York City Metropolitan Healthcare Safety and Security Directors Association. He has been a columnist for Security Magazine and contributing author for the Journal of Healthcare Protection Management. Ben was an adjunct faculty member at Pratt Institute in New York teaching engineers and architects in physical security. He taught at Interboro Institute in New York and at New Jersey City University. He was also an instructor at John Jay College Peace Officer Academy.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.