Fraud Auditing, Detection, and Prevention Blog

A New Way to Think About Fraud Risk Assessment

Nov 21, 2025 10:36:22 AM / by Leonard W. Vona

The fundamental concepts of creating a fraud risk assessment document are well known and widely published. I have no intention of reiterating the process. But, in a recent project, I was engaged to help the company respond to an internal audit recommendation. The request led me to an exploration and reconsideration of the common approach.


The essence of the recommendation was to develop or implement “enhanced fraud monitoring procedures”. They were quoting the current literature, the Fraud Risk Management Guide, Second Edition. I am not suggesting that this was wrong, but it made me think.


The audit comment was based on concerns about alleged schemes that may or may not have occurred within the organization. So, my first thought was to study the data patterns of the alleged schemes.

I must admit this has caused me to think, and think again, about what the Fraud Risk Management Guide expects of management. So, as with every blog, I start by researching the topic.

What does the Internet say?

Enhanced fraud monitoring involves using advanced technology like AI and machine learning to analyze data in real time, strengthening identity verification, and implementing robust internal controls. Key procedures include continuous transaction monitoring, behavioral analytics, data aggregation from all channels, and regular risk assessments to keep pace with emerging threats.

The reality of implementing this statement will, of course, vary by industry: banking, manufacturing, online retail, etc. So, let’s acknowledge that and move on.

The New Criterion

Besides inherent risk and likelihood ratings in your fraud risk assessments, I would like you to consider a new rating called “difficulty in detecting a fraud scheme”. Let’s call this truth and honesty in reporting. It will force you to better understand the fraud risk statement that you are trying to manage. Let me give you an example:

Illustrative example of a fraud risk statement: An employee provides advance communication to a vendor, giving that vendor preferential treatment in the tendering process.

In this example, the dollar value of the contract did not require sealed bids, but suppliers were required to submit quotes. The service is for an operational purpose rather than cost of sales.

As we consider this, let’s think about what fraud prevention or fraud detection control would mitigate this risk. Or think about the difficulty in really mitigating this fraud risk. Why is this important to understand? Let’s go back to the beginning. 

The internal auditor's recommendation was to implement “enhanced fraud monitoring procedures”. If there is nothing we can do, then the internal audit comment is a self-serving comment that puts management between a rock and a hard place. 

To be clear, I am not blaming anyone; as always, my goal is to make you think about fraud risk. That is the reason for the harsh language.

New Way to Think

The new criterion would require the risk manager or the auditor to rate the fraud risk statement based on the difficulty of preventing or detecting the scheme. It would focus on the fundamental mechanics of the scheme rather than on internal controls. The ratings could work like this:

  • High Difficulty: Scheme would not provide an overt audit trail in the transactional records.
  • Medium Difficulty: Scheme would provide an overt audit trail but would not be visible without internal investigation.
  • Low Difficulty: Scheme would provide an overt audit trail and would be visible to normal management review.


Why is this Important?

In building an “enhanced fraud monitoring system” we want to place our resources where they can be most effective. Our control strategy must be in line with what we can realistically accomplish rather than what sounds good. With this in mind, we can link the difficulty factor to the control strategy:


High Difficulty Rating: I would suggest that trying to monitor for an occurrence would not work. Therefore, management's strategy is to react to an allegation by working to stop the scheme. Deterrence strategies would be more effective.

Medium Difficulty Rating: I would suggest that normal management oversight could not be expected to detect the fraud scheme, but, through AI systems, it is possible to detect the scheme. Fraud detection strategies would be more effective.

Low Difficulty Rating: I would suggest that normal management oversight could be expected to detect the fraud scheme. Fraud prevention strategies would be more effective.
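Take the illustrative fraud risk statement above (advance communication to a vendor during tendering) and ask what a detection strategy for a medium-difficulty rating would actually examine. The tip-off itself leaves nothing in the transactional records; what can leave a trail are its side effects in the quote data: a vendor that answers requests for quotes faster than it could plausibly have read and priced them, a vendor that wins an outsized share of one buyer's awards, or a vendor that keeps landing just under the next-lowest quote (the variant where the communication includes competitor pricing). The Python below is an added illustration of those three data-pattern tests; it is not code from the author or the post, and the record layout, the thresholds and the sample quotes are constructed assumptions.

```python
"""Added illustration: data-pattern tests for the advance-notice tendering
scheme.  Record layout, thresholds and sample quotes are constructed
assumptions, not a method from the original post."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample.  Under buyer "B1" vendor "Acme" answers within hours and
# wins narrowly; under buyer "B2" all three vendors behave normally.
QUOTES = [
    # (rfq_id, buyer, vendor, rfq_issued, quote_received, amount, awarded)
    ("R1", "B1", "Acme",  "2025-03-03T09:00", "2025-03-03T15:00",  9850, True),
    ("R1", "B1", "Bolt",  "2025-03-03T09:00", "2025-03-05T09:00", 10000, False),
    ("R1", "B1", "Crest", "2025-03-03T09:00", "2025-03-06T09:00", 10500, False),
    ("R2", "B1", "Acme",  "2025-03-10T09:00", "2025-03-10T13:00", 14800, True),
    ("R2", "B1", "Bolt",  "2025-03-10T09:00", "2025-03-12T09:00", 15000, False),
    ("R2", "B1", "Crest", "2025-03-10T09:00", "2025-03-13T09:00", 15800, False),
    ("R3", "B1", "Acme",  "2025-03-17T09:00", "2025-03-17T17:00",  7900, True),
    ("R3", "B1", "Bolt",  "2025-03-17T09:00", "2025-03-19T09:00",  8000, False),
    ("R3", "B1", "Crest", "2025-03-17T09:00", "2025-03-20T09:00",  8300, False),
    ("R4", "B1", "Acme",  "2025-03-24T09:00", "2025-03-24T14:00", 21800, True),
    ("R4", "B1", "Bolt",  "2025-03-24T09:00", "2025-03-26T09:00", 22000, False),
    ("R4", "B1", "Crest", "2025-03-24T09:00", "2025-03-27T09:00", 23500, False),
    ("R5", "B1", "Acme",  "2025-03-31T09:00", "2025-03-31T15:00", 12500, False),
    ("R5", "B1", "Bolt",  "2025-03-31T09:00", "2025-04-02T09:00", 12000, True),
    ("R5", "B1", "Crest", "2025-03-31T09:00", "2025-04-03T09:00", 12400, False),
    ("R6", "B2", "Acme",  "2025-04-07T09:00", "2025-04-09T09:00",  9900, False),
    ("R6", "B2", "Bolt",  "2025-04-07T09:00", "2025-04-10T09:00",  9500, True),
    ("R6", "B2", "Crest", "2025-04-07T09:00", "2025-04-09T15:00",  9700, False),
    ("R7", "B2", "Acme",  "2025-04-14T09:00", "2025-04-16T09:00",  5200, False),
    ("R7", "B2", "Bolt",  "2025-04-14T09:00", "2025-04-17T09:00",  5300, False),
    ("R7", "B2", "Crest", "2025-04-14T09:00", "2025-04-16T15:00",  4900, True),
    ("R8", "B2", "Acme",  "2025-04-21T09:00", "2025-04-23T09:00", 17000, True),
    ("R8", "B2", "Bolt",  "2025-04-21T09:00", "2025-04-24T09:00", 17900, False),
    ("R8", "B2", "Crest", "2025-04-21T09:00", "2025-04-23T15:00", 17500, False),
]


def _hours(issued, received):
    """Turnaround between RFQ issue and quote receipt, in hours."""
    delta = datetime.fromisoformat(received) - datetime.fromisoformat(issued)
    return delta.total_seconds() / 3600


def fast_responders(quotes, ratio=0.25):
    """Vendors whose median turnaround is below `ratio` of the overall median:
    a quote that arrives before the RFQ could reasonably have been read and
    priced is consistent with the vendor having seen it early."""
    per_vendor = defaultdict(list)
    for _, _, vendor, issued, received, _, _ in quotes:
        per_vendor[vendor].append(_hours(issued, received))
    overall = median(x for hs in per_vendor.values() for x in hs)
    return {v: round(median(hs), 1) for v, hs in per_vendor.items()
            if median(hs) < ratio * overall}


def award_concentration(quotes, min_rfqs=4, share=0.75):
    """(buyer, vendor, wins, rfqs) for each buyer/vendor pair where the vendor
    wins at least `share` of that buyer's RFQs over `min_rfqs` or more RFQs."""
    rfqs_by_buyer = defaultdict(set)
    wins = defaultdict(int)
    for rfq, buyer, vendor, _, _, _, awarded in quotes:
        rfqs_by_buyer[buyer].add(rfq)
        if awarded:
            wins[(buyer, vendor)] += 1
    flagged = []
    for (buyer, vendor), won in sorted(wins.items()):
        total = len(rfqs_by_buyer[buyer])
        if total >= min_rfqs and won / total >= share:
            flagged.append((buyer, vendor, won, total))
    return flagged


def near_miss_awards(quotes, margin=0.02):
    """Per vendor: (narrow wins, total wins).  A narrow win is the lowest quote
    priced within `margin` below the next-lowest competing quote, the shape a
    bid takes when the bidder has been told the number it has to beat."""
    by_rfq = defaultdict(list)
    for rfq, _, vendor, _, _, amount, awarded in quotes:
        by_rfq[rfq].append((amount, vendor, awarded))
    stats = defaultdict(lambda: [0, 0])
    for bids in by_rfq.values():
        bids.sort()
        winners = [b for b in bids if b[2]]
        if not winners:
            continue  # RFQ cancelled or not yet awarded
        amount, vendor, _ = winners[0]
        stats[vendor][1] += 1
        if len(bids) > 1 and bids[0][1] == vendor:
            runner_up = bids[1][0]
            if (runner_up - amount) / runner_up <= margin:
                stats[vendor][0] += 1
    return {v: tuple(s) for v, s in stats.items()}


if __name__ == "__main__":
    print("fast responders:", fast_responders(QUOTES))
    print("award concentration:", award_concentration(QUOTES))
    print("near-miss awards:", near_miss_awards(QUOTES))
```

On the constructed data all three tests point at the same buyer/vendor pair, which is the output you want from a medium-difficulty detection strategy: not proof of the scheme, but a short list of where the internal investigation the rating assumes should start. Each pattern also has innocent explanations (an incumbent specialist supplier wins often and quotes from a standing price list quickly), so the thresholds are tuning knobs for the reviewer, not verdicts.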

What do I suggest?

I am not sure; I am still pondering the idea. Here is what I do know: it is time that we redesign the fraud risk assessment process. If we are supposed to gain a deeper understanding of potential fraud schemes, then we must understand how these fraud risk statements operate in the real world. 

I argue that the goal of fraud risk assessment is to understand and manage fraud risk rather than mitigate fraud risk. A subtle difference but an important difference. 

This Month's Trivia

1.    Who invented AI? Alan Turing had concepts and experiments related to machine intelligence. See the movie The Imitation Game.

2.    What country is # 1 in AI, and how much will the country spend in 2025? The United States is #1 in AI, with a projected investment of over $470.9 billion in 2025.

3.    What is Bill Gates' concern about AI? AI's potential for misuse, such as cyberattacks and spreading misinformation, and the risk of mass job displacement.

4.    Who is labeled as the “father” of AI? John McCarthy introduced the term "artificial intelligence" in 1955 for a workshop he organized at Dartmouth College in 1956.

5.    Who is labeled as the “godfather” of AI? Geoffrey Hinton, a British-Canadian computer scientist, is widely recognized as the "godfather of AI". He received the 2024 Nobel Prize in Physics for his foundational work on artificial neural networks. 

6.    AI romance schemes: How do they work? Using AI to create fake personas that build emotional connections with victims before asking for money. They achieve this through tactics like automatically generating realistic profiles with deepfake photos, sending automated but convincing messages, and using AI voice or video to appear real during calls. These scams exploit loneliness by creating idealized companions that are consistent and flattering, which can then be used to solicit funds for fabricated emergencies or "investment opportunities".

I found these on an internet search. But no peeking. What is the best answer?


1. What is a common AI-powered technique used to replicate a person's voice for scam purposes?
a) Voice morphing
b) Voice cloning
c) Sound substitution
d) Sonic mimicry


2. Which of the following is a potential giveaway that a video is an AI-generated "deepfake"?
a) The speaker's clothing changes between cuts.
b) The video is very long and has a lot of camera movement.
c) The image has a low resolution.
d) There are visible watermarks from a legitimate media source.


3. How does AI make phishing attacks more dangerous and harder to spot?
a) By creating highly personalized messages that mimic a legitimate sender's tone and style.
b) By sending emails from an easily identifiable foreign domain.
c) By intentionally including obvious spelling and grammar errors.
d) By targeting only a small number of victims at a time.


4. When analyzing a suspicious image for AI manipulation, what visual inconsistency should you look for?
a) Perfectly aligned shadows.
b) Reflections on shiny surfaces that don't make sense.
c) A clear, crisp background.
d) People with the correct number of fingers (AI has improved on this).


5. What can an AI system do to detect fraudulent financial transactions in real-time?
a) Ask the customer a series of security questions over the phone.
b) Look for anomalies or unusual activity based on learned patterns.
c) Require manual approval for all transactions over a certain amount.
d) Send the customer a new debit card.


Written by Leonard W. Vona

Leonard W. Vona has more than 40 years of diversified fraud auditing and forensic accounting experience. His firm, Fraud Auditing, Inc., advises clients in areas of fraud risk assessment, fraud data analytics, fraud auditing, fraud prevention and litigation support.
