Detecting complex account fraud in the enterprise: The role of technical and non-technical controls
Introduction
Corporate and financial fraud, the obtaining of money, goods and services through illicit or deceptive means, is a serious ongoing problem for the modern enterprise [4], [37]. Holtfreter [34] cites figures of up to US$600 billion in employee-related frauds. Newer threats to the financial sector, involving techniques of social engineering to gather account details and remote network-based attacks [13], are increasingly the purview of organized criminal networks [69]. The popular literature, in particular, provides coverage of a range of these fraud types, including intellectual property theft, financial mismanagement, identity and ownership fraud. A number of authors argue that general fraud levels are increasing [35], [74].
Scholarly research in the area of fraud is difficult. Studies of financial fraud are hampered by problems of access to offender, organization and offence data. Firms can also be reluctant to admit that they have a security or fraud problem within their operations. Managers may not wish to open their firm to enquiry or analysis from outside groups, including academic researchers, lest it affect their reputation in the market. It is rare for external researchers to be granted access to original, unsanitized data. In addition, empirical analysis of fraud incidents is made harder because the data itself can be poorly organized or incomplete [22]. Further, many authors hold that this control environment is the purview of the audit function [16], [51], comprising a significant political and regulatory mandate [26]. Indeed, formal normative control frameworks exist for the purposes of effective audit conduct [12].
Amid the problem of increasing fraud levels on one hand, and the difficulty associated with researching fraud on the other, important gaps exist in research understanding of fraud identification and fraud detection. Much prior work has focused on theoretical approaches for developing technical detection systems (such as [4], [7], [20], [30], [37], [49]) and operational methods for fraud prevention and awareness (such as [66]). However, as Caplan [8, p.103] notes, “fraud risk factors cannot easily be combined into effective predictive models”. We know little of the system controls actually used in firms to detect and handle fraud [21], and the social approaches that complement these technical means [3]. In the words of D'Arcy and Hovav [17, p.117], the “disproportionate focus on technical security countermeasures may partially explain why IS misuse remains a significant problem”. The research corpus needs input on the types of controls that comprise the firm's security posture and how these controls interact with each other with respect to different threat types.
A second gap in understanding exists with respect to the response of controls to new fraud species. Much prior work has also focused on individual fraud types, such as identity theft [29], intellectual property fraud [31] or insurance fraud [14]. However, given the modern firm's level of popularity and interconnection, it may not be feasible to focus on just one kind of fraud at the expense of all others that could befall the firm. Also, in order to obtain the greatest business case value, managers will likely need to be able to justify control funding based on detection success rates: employing networks of controls is hence a cost-effective approach to detect and prosecute fraud. Non-technical (or socio-technical) controls may also assist in this context. In the words of Dhillon and Backhouse [21, p.126], “computer security is not, per se, a technical problem. It is a social and organizational problem because the technical systems have to be operated and used by people”. To further complicate matters, analysis of real world data is made more difficult by the number of organizational and individual actors that interact with the firm with respect to fraud commission, detection and prevention. Neither the firm nor the offenders operate in isolation: they share information and techniques, altering their behavior and strategy accordingly. An analysis method is hence needed that can effectively simplify our view of these control mechanisms.
This paper presents a case study of a large telecommunications carrier in the Asia Pacific region. The paper reveals the types of controls used to detect account-related fraud. This detection is compared against the degree of loss (equivalent dollars lost) and time exposure (the length of time for which the offender has been able to execute damage in the firm).
The aim of this paper is to illustrate and explore how technical and non-technical controls relate to each other in order to detect and investigate fraud. The goal of this paper is not to develop a new method for detecting fraud, but rather to highlight the use of non-technical controls as part of the control mix. In doing so, we aim to answer calls from authors such as [22], [39], [60] for further work into non-technical organizational security controls. The paper contributes in two ways. First, analysis by way of empirical data is rare in the published research literature. This paper provides insight into both the theatre of real world threats and the methods used to detect fraud in an actual firm. Second, this paper provides some of the first published evidence of the use of different control combinations to detect and ameliorate different fraud types and their complexities. This work hence illustrates the effectiveness of quantitative detection response with respect to fraud complexity.
This discussion leads to the study's research questions:
What is the relationship between technical and non-technical controls in preventing and detecting fraud losses?
How does this relationship change in the context of time exposure and the prevention and detection of losses?
The rest of this paper is structured as follows. The next section provides a brief overview of prior theory on control and detection management. The paper then details the research method, including the multidimensional scaling (MDS) technique for data analysis. This is followed by an overview of the fraud environment at play with respect to the case firm, presenting the types of fraud seen in the case firm in order to lend context to the analysis. The paper then presents the analysis of the controls in use, dividing the analysis into quantitative controls used to detect fraud at its inception, and the collections of controls used to detect more complex fraud with positive time exposure levels. Finally, conclusions are offered.
Section snippets
Theory on controls
The modern enterprise is a complex interaction of individuals and groups. Heightened internetworking between firms has also contributed to this complexity, as firms join together for the benefits of partnership and cooperation. These firms operate within a complex environment, comprising real and perceived threats from both within and outside the firm. The concept of organizational control has received considerable coverage in the business literature [27], [50]. Managerial control systems play
The case study firm
The case firm in this study was a large, well known telecommunications provider in the Asia Pacific region. The firm provides telecommunications products and services to a range of individuals and firms. The firm offers a range of hardware products and telecommunications services. These include conventional voice services, such as landline, long-distance and mobile voice communications, as well as data services such as both broadband and dialup internet access. These services are in addition to
Research method
This study aims to examine the relation between fraud controls and the types of fraud detected by these controls. As is the case with much criminality, the fraud environment is complex, and the fraud types seen by modern firms are evolving. Similarly, control structures at many firms are also complex, as the firm moves to build effective means to detect new threats [4]. Firms cannot viably control for every fraud, so some simplification is needed. Also, from an analysis perspective, it is more
Analysis of the fraud environment
Paper length precludes in-depth analysis of the nature of offences; however, several observations are worth noting here. First, analysis of the fraud data records revealed that the firm was subject to approximately three new fraud cases each day, every day over its period of operation. This volume of fraud activity speaks to the speed at which the threat environment moves, the magnitude of the offender population and attractiveness of the modern telecommunications firm as a vector for complex
Analysis of control use
Three sets of this analysis were conducted. The first focused on fraud cases that were detected on their date of inception, with zero time exposure, and with zero dollar loss to the firm. The second analysis focused on the controls used in those cases with positive time exposure, but that had not yet resulted in financial losses to the firm. The third analysis explored those controls that detected more complex cases of fraud, resulting in both positive time exposure and financial loss to the
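As an added illustration (not code from the paper or its authors), the following Python partitions a constructed set of fraud case records into the three analysis sets described in this section, using time exposure (days from inception to detection) and dollar loss, and then derives a control co-occurrence count and a Jaccard dissimilarity matrix between controls of the kind an MDS routine takes as input. The case records and control names are constructed placeholders, not the case firm's data or control catalogue.

```python
from datetime import date
from itertools import combinations

# Constructed sample of fraud case records (not the paper's data). Each record
# gives the date the fraud began, the date it was detected, the dollar loss,
# and the set of controls credited with the detection. Control names are
# illustrative labels, not the case firm's control catalogue.
SAMPLE_CASES = [
    {"id": 1, "inception": date(2009, 3, 1), "detected": date(2009, 3, 1),
     "loss": 0.0, "controls": {"credit_check", "address_validation"}},
    {"id": 2, "inception": date(2009, 3, 2), "detected": date(2009, 3, 2),
     "loss": 0.0, "controls": {"credit_check", "velocity_rule"}},
    {"id": 3, "inception": date(2009, 3, 5), "detected": date(2009, 3, 12),
     "loss": 0.0, "controls": {"velocity_rule", "staff_referral"}},
    {"id": 4, "inception": date(2009, 3, 7), "detected": date(2009, 3, 20),
     "loss": 0.0, "controls": {"staff_referral", "customer_complaint"}},
    {"id": 5, "inception": date(2009, 2, 1), "detected": date(2009, 4, 1),
     "loss": 4200.0,
     "controls": {"customer_complaint", "collections_review", "investigator_tipoff"}},
    {"id": 6, "inception": date(2009, 1, 15), "detected": date(2009, 3, 30),
     "loss": 9800.0, "controls": {"collections_review", "investigator_tipoff"}},
]


def time_exposure_days(case):
    """Time exposure: days the offender operated before detection."""
    return (case["detected"] - case["inception"]).days


def partition_cases(cases):
    """Split cases into the three analysis sets described in the section:
    detected at inception with no loss, positive exposure but no loss,
    and positive exposure with a loss."""
    sets = {
        "zero_exposure_zero_loss": [],
        "positive_exposure_zero_loss": [],
        "positive_exposure_positive_loss": [],
    }
    for c in cases:
        exposure = time_exposure_days(c)
        if exposure == 0 and c["loss"] == 0:
            sets["zero_exposure_zero_loss"].append(c)
        elif exposure > 0 and c["loss"] == 0:
            sets["positive_exposure_zero_loss"].append(c)
        elif exposure > 0 and c["loss"] > 0:
            sets["positive_exposure_positive_loss"].append(c)
        else:
            # Same-day detection with a loss already incurred falls outside
            # the three analyses; kept aside rather than silently dropped.
            sets.setdefault("other", []).append(c)
    return sets


def control_cooccurrence(cases):
    """Count how often each pair of controls detected the same case."""
    counts = {}
    for c in cases:
        for a, b in combinations(sorted(c["controls"]), 2):
            counts[(a, b)] = counts.get((a, b), 0) + 1
    return counts


def jaccard_distance_matrix(cases):
    """Pairwise dissimilarity between controls: 1 - |both| / |either|, over
    the cases each control detected. A square dissimilarity matrix like this
    is the usual input to an MDS routine."""
    controls = sorted({ctl for c in cases for ctl in c["controls"]})
    detected_by = {ctl: {c["id"] for c in cases if ctl in c["controls"]}
                   for ctl in controls}
    matrix = {}
    for a in controls:
        for b in controls:
            union = detected_by[a] | detected_by[b]
            inter = detected_by[a] & detected_by[b]
            matrix[(a, b)] = 0.0 if not union else 1.0 - len(inter) / len(union)
    return controls, matrix


if __name__ == "__main__":
    sets = partition_cases(SAMPLE_CASES)
    for name, cases in sets.items():
        print(name, [c["id"] for c in cases])
        print("  co-occurrence:", control_cooccurrence(cases))
    controls, dist = jaccard_distance_matrix(SAMPLE_CASES)
    for a in controls:
        print(a, [round(dist[(a, b)], 2) for b in controls])
```

The partition makes the three analysis sets explicit, and the dissimilarity matrix computed per set (or, as in the usage above, over all cases) shows which controls tend to fire together; controls that only ever co-detect the long-running, loss-making cases sit at distance zero from each other and at distance one from the inception-time checks.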
Confirmatory interviews
The dimensional models were then validated, as in [68], with four fraud investigators at the case firm, and investigators at eight other large financial and telecommunications firms, and a law enforcement unit. Most interviews were held at the investigators' place of work. The rest were held at a place nominated by the interviewee. A semi-structured interview process was used as it allowed the researchers to probe and expand upon salient points [72]. Two of the interviewees requested a list of
Discussion and conclusions
This paper examined the relationship between fraud controls and the types of fraud they detected, using a case study of a large telecommunications firm and a set of confirmatory interviews. The paper provided insight into fraud control structures at work in a real firm. The study's findings with respect to the research questions are as follows.
What is the relationship between technical and non-technical controls in preventing and detecting fraud losses?
Technical controls are typically suited to
References (74)
- et al., Detection of automobile insurance fraud with discrete choice models and misclassified claims, The Journal of Risk and Insurance (2002)
- et al., An analysis of the growth of computer and internet security breaches, Communications of the AIS (2003)
- et al., Is information security under control? Investigating quality in information security management, IEEE Security and Privacy (2007)
- et al., Statistical fraud detection: a review, Statistical Science (2002)
- et al., Classification: an overview of selected methodological issues
- et al., Using Kohonen's self organizing feature map to uncover automobile bodily injury claims fraud, The Journal of Risk and Insurance (1998)
- Internal controls and the detection of management fraud, Journal of Accounting Research (1999)
- The scree test for the number of factors, Multivariate Behavioral Research (1966)
- et al., The value of intrusion detection systems in information technology security architecture, Information Systems Research (2005)
- Identifying types of offenders for public policy, Crime and Delinquency
- Toward a biometric security layer in accounting systems, Journal of Information Systems
- Fighting cybercrime: a review and the Taiwan experience, Decision Support Systems
- The control of insurance fraud: a comparative view, British Journal of Criminology
- A psychometric study of information technology risks in the workplace, Risk Analysis
- Defrauding the public interest: a critical examination of reengineered audit processes and the likelihood of detecting fraud, Critical Perspectives on Accounting
- Deterring internal information systems misuse: an end user perspective, Communications of the ACM
- Does one size fit all? Examining the differential effects of IS security countermeasures, Journal of Business Ethics
- Multidimensional Scaling
- Fuzzy techniques of pattern recognition in risk and claim classification, The Journal of Risk and Insurance
- Information system security management in the new millennium, Communications of the ACM
- Current directions in IS security research: towards socio-organizational perspectives, Information Systems Journal
- Value-focused assessment of information systems security in organizations, Information Systems Journal
- Computer crime at CEFORMA: a case study, International Journal of Information Management
- Financial fraud, director reputation, and shareholder wealth, Journal of Financial Economics
- Toward an integrative framework of organizational control, Accounting, Organizations and Society
- Images of crime: a multidimensional analysis of individual differences in crime perception, International Journal of Psychology
- Identity theft: the US legal environment and organizations' related responsibilities, Journal of Financial Crime
- Managing the false alarms: a framework for assurance and verification of surveillance monitoring, Information Systems Frontiers
- Preventive and deterrent controls for software piracy, Journal of Management Information Systems
- Cybersecurity, capital allocations and management control systems, European Accounting Review
- Cybernetics and dependence: reframing the control concept, Academy of Management Review
- Fraud in US organisations: an examination of control mechanisms, Journal of Financial Crime
- Identifying disgruntled employee systems fraud risk through text mining: a simple solution for a multi-billion dollar problem, Decision Support Systems
- An Analysis of Security Incidents on the Internet, 1989–1995
- An investigation of Zipf's law for fraud detection, Decision Support Systems
Cited by (23)
- Fraud Detection in Supply Chain with Machine Learning, IFAC-PapersOnLine (2022)
- Trustworthy and profit: A new value-based neighbor selection method in recommender systems under shilling attacks, Decision Support Systems (2019)
- Detecting the financial statement fraud: The analysis of the differences between data mining techniques and experts' judgments, Knowledge-Based Systems (2015). Citation excerpt: "Sorkin [41] reported that there are 343 criminals and 189 civil defendants involved with fraudulent activities which have harmed more than 120,000 victims with a value of more than $8 billion in recent years in the United States. Financial fraud is becoming an increasingly serious problem and as a result, effectively detecting accounting fraud has always been an important but rather complex task for accounting professionals [29,13,37,34]. Examining the financial fraud is in fact one of the hot issues given that the economic and social fallouts from the fraud can be massive [22]."
- Topic knowledge map and knowledge structure constructions with genetic algorithm, information retrieval, and multi-dimension scaling method, Knowledge-Based Systems (2014). Citation excerpt: "It has been extensively applied to psychology research as a psychometric method [11], to marketing research in areas such as product positioning and market segmentation [1]. Also, some studies use MDS of empirical fraud event data from a large telecommunications firm to illustrate how technical and socio-technical fraud event controls are used to detect fraud at varying levels of time exposure and dollar loss [10]. The main purpose of MDS method is to build a matrix in the lower dimensional space that corresponds to the input high-dimensional matrix to preserve the original relatedness among objects in the lower dimensional space."
- BizPro: Extracting and categorizing business intelligence factors from textual news articles, International Journal of Information Management (2014). Citation excerpt: "Using part-of-speech tagger and text analysis tool to analyze activation language, words, imagery, pleasantness, group references, and lexical diversity in 202 company annual report statements, Humpherys, Moffitt, Burns, Burgoon, and Felix (2011) found Naïve Bayes and C4.5 to achieve the highest categorization accuracy in distinguishing fraudulent from non-fraudulent 10-Ks. Other fraud detection research includes complex account fraud detection (Goode & Lacey, 2011), detecting fake websites (Abbasi, Zhang, Zimbra, Chen, & Nunamaker, 2010), and identifying fake online reviews (Hu, Liu, & Sambamurthy, 2011). While fraud detection research abounds, a large number of potential features in textual articles make it still difficult to extract and classify many BI factors."
- Double-weight LDA extracting keywords for financial fraud detection system, Multimedia Tools and Applications (2023)
Dr. Sigi Goode is an associate professor in information systems at the Australian National University. His research interests lie in behavioural effects in information security, intellectual property fraud and open source software.
Dr. David Lacey is a National Manager at the Australian Crime Commission. David has worked in the public and private sectors principally in risk management roles in relation to fraud, money laundering and corruption. His research interests include evaluation of control systems in prevention and detection of financial crime and performance management of intelligence and investigative functions.