It’s important to recognize that fraud has many forms, says David Tindall, Chief Operations Officer at Sentinel Resource Group. “To many, fraud simply connotes financial crimes, but the mechanisms involved are far more complex and transcend bribery and corruption, asset manipulation and beyond,” Tindall says. “As such, each of these fraud classifications involves unique challenges in terms of detection, mitigation, investigation and remediation.” The common challenge in all categories, he notes, is “the persistent evolution and complexity of fraud and the mechanisms by which fraud is conducted.”
Physical security and cybersecurity leaders can learn from each other when it comes to fraud detection and management. By combining best practices from investigations in both disciplines, security leaders can use innovative tactics to detect, manage and reduce fraud in their organizations.
The current landscape
The proliferation of electronic systems and the reliance of companies on these increasingly sophisticated systems has created additional fraud risks, says Brian Cesaratto, CISSP, CEH, a cybersecurity and data privacy attorney at Epstein Becker Green in New York City. “In the last few years, there has been an increase in integration of systems and partnerships between different vendors, so you have an expanded attack surface as a result,” Cesaratto says. This expansion of electronic systems has also increased reliance on third-party systems to provide services, escalating risk.
The increase in remote and hybrid work as a result of the pandemic is another pain point. “Again, there’s an increased attack surface because you have computers and other outside devices connecting with cloud-based services,” says Cesaratto. Remote work models have normalized the use of new technology and messaging apps on both professional and personal devices, leading to a rise in informal communication methods, says Juan Migone, a partner at global advisory firm StoneTurn in Washington D.C. Working remotely can also “create a more nonchalant approach to compliance rules and internal controls, which in turn creates larger issues for organizations,” Migone says.
Still, Tindall points out that while technology has enabled more sophisticated crime capabilities, it has simultaneously advanced the ability to detect these crimes. “One could argue that technology has merely offered another variant to perpetrate many of these old-school fraud types,” he says.
Fraud detection & investigations best practices
Drawing on decades of combined advisory experience, these experts consider the following to be best practices for managing and detecting fraud.
Have a written fraud prevention program. “It can’t be ad hoc or verbal — you need strong, well-written policies, procedures and guidelines,” says Cesaratto. “This is the foundational requirement because that’ll explain your process and your alignment to a fraud reduction framework.”
Have a strong internal audit and compliance program. “Invest in data analytics tools and teams who can not only get your program up to speed, but also manage its evolution over time,” says Migone. It’s smart to consider rotating audit personnel responsibilities too. “This creates more well-rounded teams and also ensures a fresh set of eyes on critical matters,” he says.
Build a strong foundation. This begins with setting up and enforcing ethics policies and behavioral foundations from the top down. “The most successful entities live their ethics and compliance in day-to-day behavior and tasks, ensuring it is ingrained within the DNA of their organization,” Migone says. This helps establish a robust, long-term anti-fraud program.
Know your fraud risk and risk tolerance. Understanding this pinpoints the type of fraud you’re susceptible to, your potential levels of exposure and the acceptable risk to your organization, allowing for a more detailed mitigation plan, says Tindall. “Taking an assessment of your corporate culture goes a long way to assess your actual risk tolerance and exposure,” he adds.
Take time to train staff. Cesaratto says training staff how to recognize and report fraud is crucial for fraud prevention, and Migone stresses the importance of doing this regularly. Why? “Long-term employees may be perceived as cooperating with all risk mitigation and compliance protocols,” he says. But they may get comfortable over time and skip steps, which can create risk.
Don’t overlook leadership training. “Often, anti-fraud and risk management programs focus on teams and employees,” says Migone, but it’s vital for leadership to participate in training and model ethics and behavioral policies. “No matter a person’s role in the organization, they must be held accountable,” he says.
Look for aggressive metrics that are constantly being met. Examples include bonuses, sales goals or performance milestones. “Use data to determine trends that are statistically improbable,” Migone says. “Know the metrics and check for adjustments at the end of the period that help teams meet their bonus targets.”
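One way to operationalize this check, as an added example that is not from the article or from the experts quoted: run a small analysis over a revenue ledger that separates what was booked before period close from what was posted as close-day adjustments, then flag teams that hit target in nearly every period, only because of those adjustments, and by a thin margin. The ledger below is constructed sample data, and the 75% hit-rate and 2% margin thresholds are assumptions a team would tune to its own numbers.

```python
"""Flag teams whose targets are met suspiciously often, and only via late adjustments.

Added example, not code from the article. LEDGER is constructed sample data;
HIT_RATE_MIN and MARGIN_MAX are assumed tuning thresholds.
"""
from collections import defaultdict

HIT_RATE_MIN = 0.75   # assumed: flag teams that hit target in >= 75% of periods
MARGIN_MAX = 0.02     # assumed: "just over target" means within 2% of target

# Constructed sample ledger, one row per (team, period):
#   target      = bonus/sales goal for the period
#   booked      = revenue posted through the last business day before close
#   adjustments = journal entries posted on close day (the end-of-period edits)
LEDGER = [
    # team,  period,   target,    booked,  adjustments
    ("east", "Q1", 1_000_000,   940_000,  65_000),
    ("east", "Q2", 1_050_000,   990_000,  62_000),
    ("east", "Q3", 1_100_000, 1_010_000,  92_000),
    ("east", "Q4", 1_150_000, 1_080_000,  71_000),
    ("west", "Q1", 1_000_000, 1_120_000,   4_000),
    ("west", "Q2", 1_050_000,   960_000,  -3_000),
    ("west", "Q3", 1_100_000, 1_180_000,   2_000),
    ("west", "Q4", 1_150_000, 1_090_000,       0),
]


def summarize(ledger):
    """Per-team counts: periods, target hits, hits that depended on close-day
    adjustments, and the widest margin by which any hit cleared the target."""
    by_team = defaultdict(list)
    for team, _period, target, booked, adjustments in ledger:
        by_team[team].append((target, booked, adjustments))

    summary = {}
    for team, rows in by_team.items():
        hits = [(t, b, a) for t, b, a in rows if b + a >= t]
        # A hit is adjustment-driven when pre-close bookings alone fell short.
        adjustment_driven = [(t, b, a) for t, b, a in hits if b < t]
        margins = [((b + a) - t) / t for t, b, a in hits]
        summary[team] = {
            "periods": len(rows),
            "hits": len(hits),
            "adjustment_driven_hits": len(adjustment_driven),
            "max_hit_margin": max(margins) if margins else None,
        }
    return summary


def flag_threshold_hugging(ledger, hit_rate_min=HIT_RATE_MIN, margin_max=MARGIN_MAX):
    """Return teams that hit target almost every period, never without close-day
    adjustments, and never by more than margin_max. That combination is what an
    investigator would treat as statistically improbable and worth a closer look."""
    flagged = []
    for team, s in summarize(ledger).items():
        if s["hits"] == 0:
            continue
        hit_rate = s["hits"] / s["periods"]
        every_hit_needed_adjustments = s["adjustment_driven_hits"] == s["hits"]
        if (hit_rate >= hit_rate_min
                and every_hit_needed_adjustments
                and s["max_hit_margin"] <= margin_max):
            flagged.append(team)
    return sorted(flagged)


if __name__ == "__main__":
    for team, s in summarize(LEDGER).items():
        print(team, s)
    print("review:", flag_threshold_hugging(LEDGER))
```

In the sample data the east team clears its target in all four quarters, each time by less than 1% and each time only after close-day entries, so it is flagged; the west team's results swing above and below target with negligible adjustments, which is what an honest series usually looks like. The real work is in getting the booked-before-close and adjustment split out of the general ledger and in picking thresholds against your own historical distribution rather than the fixed ones assumed here.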
Institute an insider threat prevention program. This includes background checks for potential hires and monitoring employee activity consistent with what systems they have access to, says Cesaratto. “The more risk there is for fraud, the more stringent you want the hiring, vetting, supervision and monitoring to be,” he says.
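The monitoring half of that program comes down to reconciling what employees actually do against what their role entitles them to. The following is an added example, not from the article or the experts quoted: it parses constructed access-log lines, checks each event against an assumed entitlement map (the kind of export an IAM system produces), and also flags sensitive actions outside an assumed business-hours window. Every name, system and threshold in it is made up for illustration.

```python
"""Reconcile employee activity against entitlements.

Added example, not code from the article. ENTITLEMENTS, SENSITIVE_ACTIONS,
BUSINESS_HOURS and ACCESS_LOG are constructed/assumed sample data.
"""
from datetime import datetime

# Assumed entitlements: user -> systems their role grants.
ENTITLEMENTS = {
    "alice": {"crm", "email"},
    "bob": {"email", "payroll"},
    "carol": {"email"},
}
# Assumed set of actions that warrant extra scrutiny when performed off-hours.
SENSITIVE_ACTIONS = {"export", "bulk_download"}
# Assumed local business window: hours in [8, 18).
BUSINESS_HOURS = (8, 18)

# Constructed sample log, one event per line: "<ISO timestamp> <user> <system> <action>"
ACCESS_LOG = """\
2024-03-04T09:12:00 alice crm read
2024-03-04T09:15:00 bob payroll read
2024-03-04T22:40:00 bob payroll export
2024-03-05T10:03:00 alice payroll read
2024-03-05T11:30:00 carol email read
2024-03-05T11:45:00 dave crm read
""".splitlines()


def parse_line(line):
    """Split one log line into (timestamp, user, system, action)."""
    ts, user, system, action = line.split()
    return datetime.fromisoformat(ts), user, system, action


def find_anomalies(log, entitlements=ENTITLEMENTS, business_hours=BUSINESS_HOURS):
    """Return (user, system, reason) tuples for events that do not fit the
    user's entitlements or that perform a sensitive action outside business hours."""
    start, end = business_hours
    findings = []
    for line in log:
        ts, user, system, action = parse_line(line)
        granted = entitlements.get(user)
        if granted is None:
            # Activity from an identity with no entitlement record at all
            # (orphaned account, contractor never onboarded, or a typo to chase).
            findings.append((user, system, "no entitlement record for user"))
            continue
        if system not in granted:
            findings.append((user, system, "access to system outside entitlements"))
        if action in SENSITIVE_ACTIONS and not (start <= ts.hour < end):
            findings.append((user, system, f"{action} outside business hours"))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(ACCESS_LOG):
        print(*finding)
```

Run against the sample log this reports three events: alice reading a payroll system her role does not grant, bob exporting payroll data at 22:40, and an account "dave" with no entitlement record at all. None of these is proof of fraud; they are the items a supervisor or investigator should be asked to explain, which is the point of tying monitoring to access rather than logging everything and reviewing nothing.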
Follow your regulatory (such as Sarbanes-Oxley [SOX]) and enterprise controls. Migone notes that this might be painful at first and even slow things down some, but if they’re implemented correctly, controls can be highly effective in preventing and identifying issues. Additionally, don’t take any failure in controls lightly. “Security and compliance officers need to understand that breakdowns even in the smallest controls that are not addressed could lead to issues escalating in a future period,” he says.
Create an independent whistleblower program. No matter how small they seem, listen to complaints about potential threats or bad behaviors, Migone says. Investigate and communicate the results clearly. “The downfall of many otherwise successful whistleblower programs is lack of communication around the action,” he says. “Even when claims initially seem unfounded, it is critical to express that action was taken.”
Verify and assess fraudulent activity. “A strong fraud investigation will almost always begin with a verification of fraudulent activity, identification of the parties responsible and potential impact of the fraud,” says Tindall. Before any mitigation or recovery steps are taken, assess the scope and magnitude of the fraud. “Strong risk-based data analytic tools, qualified or independent investigators, the realization of patterns and the ability for early intervention strategies all lend to minimize fraud-related damage to both an organization and potential consumers,” he says.
Remember that small details matter. “Teach people to watch for the minutiae, as missteps on smaller details can lead to larger issues down the road,” says Migone. Don’t ignore red flags, no matter how trivial they seem. “We all know the analogy of the iceberg: What may seem small on the surface can be indicative of a larger issue underneath,” he says.
Confirm and test everything. “Always verify what people in the organization are telling you with evidence and data,” says Migone. He says it’s also important to test your controls and people regularly.
Conduct a postmortem review. Once the fraud investigation is complete, there should always be a review with the goal to prevent future losses, says Tindall. Consider items such as lessons learned, how to strengthen control weaknesses and how to mitigate other potential consequences.
Using these best practices to inform fraud detection and investigations can help security leaders better hone their anti-fraud measures. From building a strong anti-fraud organizational culture to conducting thorough reviews of potentially fraudulent activity, fraud prevention professionals can create and sustain a robust program.
Potential pitfalls to avoid
When conducting fraud investigations, Tindall says he repeatedly encounters the same pitfalls, which turn out to be root causes of the fraud. Some of the most common include:
- Not having a comprehensive risk assessment
- Over-relying on technology and/or having limited data analysis
- Failing to update controls
- Lack of monitoring
- Neglecting employee training
- Overlooking third-party and insider risks
- Failing to collaborate with key stakeholders and partners
- Not assessing your corporate culture