Fraud risks should be developed as part of an overall risk assessment. You’re not likely to make friends throughout the organization by conducting this on your own. If you think it’s high time to look into the fraud potential of purchasing cards, it’s probably a good idea to include the p-card manager in the discussions. That way it’s a joint effort that will benefit both parties and hopefully result in a more continuous approach to fraud risks in that area.
If you are serious about a fraud prevention and detection program, you are testing 100% of the data, not just random samples. Use ad hoc testing in addition to more formalized or regular tests. A purpose-built data analytics tool will allow you to access and analyze data from any source, internal or external, without compromising data security.
Find out where controls are not working or are ineffective. Look for controls that cannot be governed by application control settings. Once you’ve run some tests, standardize them so they can be used by others and to reduce the impact of staff turnover. What you’re doing is creating a repository of analytics that can be used over and over again.
3. Improve the process by implementing continuous analysis
Run tests on a continuous basis and provide management with immediate notification of a controls breach. Create a process for control remediation to close the loop. This is about building relationships again. By instating a process to deal with issues, you are strengthening your fraud program and this can have a huge impact on the way you work with other areas of the business as well as on the bottom line, if cost can be recovered.
4. Review results
By leveraging and automating technology, you will have more time for the fun part of fraud investigations. Drill down into the patterns and indicators that emerge from your analyses:
– Quantify the risks
– Identify and target high risk areas
– Consider risk monitoring dashboards
5. Expand scope and repeat
This process of building a profile, testing data, improving controls and reviewing information needs to be done on a regular basis. Automated, scheduled testing will make this simple.
6. Report
As we conclude an investigation, most of us will make recommendations on how to tighten controls or change processes to reduce the likelihood of non-compliance, but how many people are following up on these recommendations? Look into it and find out if the recommended actions have had the desired effect.
I recently heard a fraud case study where informal communication was key. The case had to do with a large bottling company that uses fuel cards for its fleet of truck drivers. Last summer, when fuel costs were at their highest, the company reduced costs by $1.4 million. How? In addition to simple tests using both internal and credit card data, word of mouth played a big part. Fraudsters were using the cards during hours they weren’t working. A few of them were confronted and the jig was up. Word spread like wildfire and the fraudulent activity ceased pretty quickly once the truck drivers knew their transactions were being monitored, not just tested randomly, but continuously.
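The fuel card test from the case study can be written as a full-population check that joins card transactions to internal shift records. The following is an added example, not code from the original post or from ACL; the field layout, the sample records and the 30-minute grace window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed sample data: (driver, shift start, shift end) from timekeeping,
# and (txn id, driver, timestamp, amount) from the card provider.
SHIFTS = [
    ("D001", "2023-07-03 06:00", "2023-07-03 14:00"),
    ("D001", "2023-07-04 06:00", "2023-07-04 14:00"),
    ("D002", "2023-07-03 22:00", "2023-07-04 06:00"),  # overnight shift
]
TRANSACTIONS = [
    ("T1", "D001", "2023-07-03 09:15", 212.40),
    ("T2", "D001", "2023-07-03 19:42", 88.10),   # hours after the shift ended
    ("T3", "D002", "2023-07-04 01:30", 240.00),  # inside the overnight shift
    ("T4", "D002", "2023-07-05 11:05", 95.75),   # no shift covers this time
    ("T5", "D003", "2023-07-03 10:00", 60.00),   # card holder has no shifts
]

def off_shift_transactions(transactions, shifts, grace_minutes=30):
    """Test every transaction (no sampling) against the driver's shifts."""
    grace = timedelta(minutes=grace_minutes)  # assumed tolerance around a shift
    windows = defaultdict(list)
    for driver, start, end in shifts:
        windows[driver].append((datetime.strptime(start, FMT) - grace,
                                datetime.strptime(end, FMT) + grace))
    flagged = []
    for txn_id, driver, when, amount in transactions:
        t = datetime.strptime(when, FMT)
        driver_windows = windows.get(driver, [])
        if not any(s <= t <= e for s, e in driver_windows):
            reason = ("outside shift hours" if driver_windows
                      else "no shift on record")
            flagged.append((txn_id, driver, amount, reason))
    return flagged

def exposure_by_driver(flagged):
    """Quantify the risk: total flagged spend per driver."""
    totals = defaultdict(float)
    for _txn_id, driver, amount, _reason in flagged:
        totals[driver] += amount
    return {d: round(v, 2) for d, v in totals.items()}

if __name__ == "__main__":
    hits = off_shift_transactions(TRANSACTIONS, SHIFTS)
    for hit in hits:
        print(hit)
    print(exposure_by_driver(hits))
```

Scheduling a standardized test like this against each new batch of card data is what turns it from a one-off check into the continuous monitoring described above.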
from: Dustin Lewis, CISA Senior Technical Consultant – ACL Services Ltd.