By James H. Rumph, CPA, CFE, CAMS

“It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change.” This quote, which some attribute to Charles Darwin, points to the importance of agility for survival. In today’s rapidly evolving landscape, fraud risk management agility has never been more important. I can’t think of a better week than International Fraud Awareness Week, a global effort to minimize the impact of fraud by promoting anti-fraud awareness and education, to spread awareness of the importance of agility within fraud risk management.

The Need for Agility

As fraud risks continue to evolve, often the approaches we need to take to fight fraud evolve as well. Not only do fraud risks evolve, but the speed at which the tools and techniques available to fight and commit fraud has continued to increase. And the time needed to implement some fraud-fighting advancements can be significant, especially ones involving technology implementations and when you are navigating within the confounds of lagging regulatory landscapes. And as much as we proactively look to identify and assess the levels of fraud risks, we will still face challenges in keeping pace with ever-changing fraud tactics – necessitating agility to most effectively protect organizations and their customers.

Traditional static approaches to fraud prevention are no longer sufficient. Those who commit fraud are constantly evolving their methods and exploiting new technologies and vulnerabilities. Therefore, organizations must adopt a dynamic and proactive approach to detect and mitigate fraud.

Agility-Enabling Examples

Three examples of agility-enabling strategies in fraud risk management include:

1. Continuous Learning: Gone are the days of creating annual anti-fraud training programs for employees and putting them on repeat for years. Regularly update training programs for employees to help them recognize and respond to new fraud threats and consider non-traditional ways of getting this information to the right employees at the right time.
2. Cross-Functional Collaboration: Ensuring proactive ongoing collaboration between varying departments that own key parts of fraud risk management, such as finance, compliance, internal audit and IT, to help ensure timely and effective collaboration when a significant new threat is identified or a significant event occurs. Tabletop exercises are a great way to build event response muscle memory, test cross-functional collaboration, and help proactively identify opportunities prior to a fraud occurring. Even if an organization is in a high-risk industry, receiving attempts every day to test controls – that organization can strengthen its agility leveraging a scenario that stretches upon what is typically seen. Companies typically don’t detect many large-scale frauds that require an immediate public response, but leveraging a scenario like this for a tabletop exercise is a great way to see if established response plans will be sufficient – rather than finding out they are not during a time of need.
3. Timely Monitoring and Response: Implementing systems that provide real-time monitoring and analysis of transactions can help detect suspicious activities as they occur. Depending on a variety of factors, this can range from machine learning and other artificial intelligence-enabled technologies to continuously learn from new fraud patterns and continually adapt detection algorithms accordingly to simple rules-based alerting that is periodically reviewed for potential adjustments. Even if real-time monitoring is not feasible, timely monitoring and response is a key for agility in fraud risk management. Generally, the longer fraud goes undetected and unresolved, losses grow exponentially.

Emerging Risks: Deep Fake-Enabled Fraud

One of the emerging threats that has gotten much attention over the past couple years is deep fake-enabled fraud. Bad actors can use artificial intelligence to create highly realistic but fake audio, video, images and documents. This media can be used to impersonate individuals, manipulate information and deceive victims.

For example, a deep fake video could be used to impersonate a CEO, instructing an employee to transfer funds to an account controlled by a bad actor. The realism of deep fakes can make it difficult for traditional verification methods to detect such activity.

To combat deep fake-enabled fraud, organizations can approach it in an agile way by:

1. Raising Awareness: Provide timely and relevant education to employees and stakeholders about the risks of deep fakes and how to recognize potential threats. Even if an image looks real or a voice sounds familiar, awareness of the capabilities of deep fake technology can help people to not overly rely on those items as evidence.
2. Leverage a Cross-Functional Red Team: As organizations look to identify ways to leverage artificial intelligence to have positive outcomes, organizations can also be forming cross-functional red teams to help brainstorm ways artificial intelligence may be used against the organization and its security defenses. Organizations can even conduct tabletop exercises leveraging both the red team and those looking to use artificial intelligence to have positive outcomes (the blue team). These teams working collaboratively can be referred jointly as the purple team. By being proactive in identifying and addressing emerging risks, organizations can reach positive outcomes.
3. Proactively Monitor and Respond: While the level of appropriate verification of identities and evidence can vary based on a variety of factors, processes should include steps to appropriately confirm identities and the validity of requests in which evidence is received to support. This is especially true in heightened risk scenarios, like a supplier bank account change. Many organizations may not be able to justify the cost of advanced fraud detection technologies in the identity and digital media space verification currently, but detection capabilities continue to advance, with costs becoming more manageable as more suppliers offer the capabilities. Less technologically advanced monitoring and verification methods can also be leveraged to help mitigate risk (e.g., calling a supplier leveraging a known phone number to validate a change of bank account information request). Proactive monitoring can help inform response to not only specific events, but also more broadly for internal control enhancement decisions.

Conclusion

Agility is key to survive and thrive, not only for a species, but also for organizations. The evolving nature of fraud and related available internal controls requires organizations to be agile in their risk management strategies. As called out in this article, three examples of agility enabling strategies are (1) continuous learning, (2) cross-functional collaboration, and (3) timely monitoring and response.

James Rumph, CPA, CFE, CAMS, CIA is a business advisory fraud risk, financial forensics and litigation support Director within the CPA firm Schneider Downs & Co., Inc. – whose overall bench includes over 550 employees and eight Certified Fraud Examiners. He was also previously a public accounting and FBI forensic accountant, insurance company forensic investigator and Fortune 100 financial services-industry fraud risk management executive.