Skip to Content

Fraud risk management in the technology-led finance function

Ajay Gupta
February 4, 2020

Most organizations have either set up a captive shared services center (SSC) or outsourced their business processes to external business process outsourcing (BPO) organizations in order to reap the benefits of cost savings and process efficiencies. The key characteristic of the SSC and BPO models of delivery is the huge amount of transaction processing for internal clients (SSC) and external clients (BPO).

While the benefits of SSCs and BPO are well documented, there are also certain challenges and inherent risks associated with fraud susceptible processes in the SSC/BPO environment. It’s not possible to verify each transaction, which can lead to the risk of fraud. Further, the resources working in SSC and BPO are generally less skilled and are less control conscious, which further increases the risk.

Does every industry, organization, and function carry fraud risk?

Although fraud is applicable to every organization and every process, a global fraud survey conducted by the Association of Certified Fraud Examiners (ACFE) in 2018 found that most cases of occupational fraud occur in the banking and financial services, manufacturing, and government and public administration industries.

Other functions that pose the greatest risk of occupational fraud include executive/upper management, finance and accounting, sales, and operations. Within the finance space, for example, billing and payment processing has a higher risk of fraud compared to payroll and expense reimbursement.

The size of the organization and the complexity of the business also have an impact on fraud risk. Smaller organizations often lack robust internal controls and segregation of duties – and are therefore more susceptible to fraud risk.

What are the key reasons leading to fraud?

The average cost of fraud across corporate organizations is 5–7% of their annual revenue. Key reasons contributing to fraud and examples include:

  • A lack of or ineffective implementation of policies and procedures – for example, the purchase of travel tickets from an external supplier instead from a company approved supplier
  • A lack of awareness about anti-fraud controls – for example, SSC/BPO staff that change the bank details of supplier based on information from fraudster posing as a representative of the supplier and make payments to the wrong account
  • A lack of adequate internal controls – for example, the processing of duplicate or dummy purchase invoices and double payments.

While, every organization deploys certain control mechanisms to address the risks stated above, inadequate or ineffective controls still lead to a significant amount of fraud. In addition, while the risk of fraud is inherent in process, most organization still use traditional “maker-checker” controls to mitigate the risk of fraud. These controls include payment audits by the team lead and control testing by an internal/statutory audit team.

How can fraud analytics help?

In today’s technology-led environment, traditional control mechanisms are simply not able to capture the sheer volume of fraudulent transactions in samples selected for testing.

However, implementing fraud analytics – a robust fraud prevention and detection tool – can help to identify suspicious patterns in its entire population of data, and test the entire population of data. Most importantly, the development of automation that supports data analytics can provide assurance to huge volume of transactions.

Fraud analytics can be performed though a customized technology solution or use of CAAT tools such as ACL and IDEA that leverage customized scripts. The approach and methodology for performing fraud analytics can be deployed as follows:

  • Plan – define the scope of processes and applications, select a technology platform to build the solution, and write test procedures/SQL scripts
  • Execute – run custom query and extract data from the company applications data warehouse, and assess the current state of maturity of controls
  • Analyze – validate the exceptions, and bifurcate the exceptions into false positives and real exceptions
  • Finalize exceptions – perform root cause analysis, finalize and prioritize exceptions, and report to management
  • Improve and sustain – implement the necessary change management to plug the gaps in your existing systems and processes, set up strong governance to monitor the performance of risks and controls, and create awareness programs.

In summary, with the volume of data increasing exponentially, organizations need to implement a robust controls framework supported by fraud analytics and a technology solution to help mitigate the inherent risks associated with fraud susceptible processes in the SSC and BPO environment.

To learn how Capgemini can help your organization analyze the risks prior to RPA implementation, contact: ajaykumar.r.gupta@capgemini.com

Learn more about how Capgemini’s Intelligent Process Automation offering can stimulate the erosion of organizational silos around your front, middle and back-office processes, resulting in the emergence of a new, borderless, highly automated client-centric organization.

Ajay Gupta has diversified and rick experience in risk management, governance, risk, and compliance, automation and process transformation. He is currently the Head of Shared Service for Nordic countries at Capgemini.