“The interesting piece when it comes to catching fraud is that, once you’ve found it, you can easily go back and you can start to see all the things that you missed, all the early warning signs.”
If that assessment from experienced fraud, audit and governance practitioner Tom Keaton resonates with you, you are not alone. In a recent webinar, Tom joined Diligent’s Russell Dover to discuss the challenges inherent in fraud prevention and why connecting the data dots enables earlier fraud detection.
A large part of the challenge of identifying fraud lies in the scale and scope of the potential signals involved. These are not confirmed incidents; they are early warning signs that merit investigation, including:
Speak-up trends: All reports to the organisation’s whistle-blowing infrastructure are valuable indicators of potential fraud and should be prioritised for investigation. Whistleblowing incidents are the most common way fraud is discovered. However, Tom warned that an absence of speak-up calls should not be taken as an absence of fraud.
Data anomalies: fraud can show up in data across corporate systems from finance to HR and legal. Examples might include purchase orders being split into smaller values to avoid triggering controls on higher-value purchases.
Control exceptions: Exceptions should follow a robust authorisation process, but they don’t always, especially when there is external pressure. Tom cited the example of construction projects where time and resource availability mean decisions can’t be delayed: “If this happens frequently without any oversight and any anomaly detection, that's where it is extremely ripe for fraud.”
Third-party patterns: Managing third-party fraud risk is highly complex and involves a lot of data. A signal might include a new contractor being used heavily in one region but not in others, dating from the employment of a new manager.
Culture problems: A company that doesn’t have an anti-fraud culture driven from the board level, and supported by effective employee education, is at higher fraud risk than one where leadership mandates transparency, honesty and, as the industry mantra goes: “doing the right thing even when no one is looking”.
The 20:20 fraud hindsight that Tom described at the outset belies the difficulty of spotting fraud signals early in complex environments, as he explains: “Sometimes, you have a lot of the very bright red flags that are right in front of you, but if you’re not looking at the right time, or you’re not proactively paying attention, something you could have found will fall through the cracks.”
Common reasons for missing fraud signals include:
Disconnected teams and systems: Siloes, whether of people or technology systems, are a primary barrier to fraud detection. Without visibility and the facility to cross-reference data, insights are hard to gain.
Point-in-time assessments: Companies are fast-moving entities operating in dynamic environments. Annual risk assessments don’t provide the level of assurance required. Tom went further: “The annual risk assessment is dead. We have the tools and technologies to look at these things more continuously. It can be automated, and we should have things running on a daily basis.” He used travel and entertainment expenses as an example: they are typically audited annually, but should be reviewed more regularly.
Unmonitored controls and policies: Post-fraud incident reviews often reveal that policies and controls to stop the fraud existed and were documented, but weren’t being monitored. This is often due to the volumes involved, with manual monitoring processes acting as a barrier to rigour and transparency.
Misreading speak-up silence: Whistle-blowing is the single biggest route to fraud discovery, but companies that receive few calls should not be complacent; it may indicate a lack of trust in the integrity and safety of the whistle-blowing process. Russell warned: “Not getting any [whistle-blowing] tips is not necessarily the right sign. It’s a risk in itself, because every organisation has issues.” A culture that welcomes speaking up will get lots of reports, which is a common way potential fraud is identified.
A straw poll of webinar attendees revealed that these risks resonated, with 69% of respondents saying the different fraud prevention elements in their organisation were more disconnected than aligned, or that they were unsure how connected they were.
The advent of AI and advances in GRC technology platforms empower organisations to develop a more continuous and comprehensive analytical approach to fraud prevention and detection.
Modern GRC platforms also increase efficiency and capacity among fraud teams, as Tom explained: “By leaning into AI, you eliminate skillset and labour force hold-ups, so you’re able to do more with less. You can send out questionnaires more frequently and analyse results autonomously, not just at a point in time.” Ultimately, this results in earlier signal detection and clear, robust evidence to inform investigations.
The real-time capabilities of modern solutions allow teams to pull data more frequently and see shifts in employee and customer sentiment, policy engagement and controls compliance, or third-party risk, for example. Unexpected shifts or anomalies in data patterns should be investigated as potential fraud signals.
Connecting data signals across the environment eliminates the siloes that obscure visibility. This builds a more accurate and comprehensive picture of fraud risk that delivers genuine insight for the board.
Practical applications for connected fraud signals
When fraud signals are connected, and analytics and monitoring are in place, teams are in a stronger position to:
Most organisations already have the data they need to detect fraud earlier, but right now, they only learn this after the fact because fraud signals rarely appear as a single red flag, but as an accumulation of evidence over time.
Connecting data across fraud prevention infrastructure allows teams to identify patterns and anomalies as they emerge, enabling faster action and ultimately forming the foundation of a more transparent, trusted business.
Ready to spot fraud signals earlier, connect insights across teams and move from hindsight to foresight? See how the Diligent One platform helps organisations bring audit, data, investigations and compliance together to surface risk sooner. Book your demo today.
AI action plan worksheet for GRC leaders
Unlock the potential of AI in governance, risk, and compliance with this practical 90-day action plan worksheet designed for GRC leaders. This guide helps you assess AI maturity, prioritize use cases, and establish essential guardrails, ensuring a structured and accountable approach to AI implementation in your organization. Download now to transform AI discussions into a clear, actionable strategy.
Board-ready AI assurance: Turning complex AI risk into board decisions
Explore why AI assurance is a crucial board-level priority as organizations embed artificial intelligence into their operations. Understand the need for clear governance structures, risk management, and oversight in navigating the complexities of AI technology while preparing for regulatory demands like the EU AI Act.
