FRAUD PREVENTION

Thinking about new ways to assess fraud risk

The basic concepts of creating fraud risk assessment documents are well known and widely published. I have no intention of repeating this process. However, in a recent project, I was responsible for helping the company respond to internal audit recommendations. This request prompted me to explore and reconsider the general approach.

The essence of the recommendation is to develop or implement “enhanced fraud monitoring procedures.” They cite the latest literature in the second edition of the Fraud Risk Management Guide. I'm not saying this is wrong, but it got me thinking.

The audit opinion was based on concerns about an alleged scheme that may or may not have occurred within the organization. Therefore, my first thought was to study the data patterns of the alleged scheme.
I must admit, this has made me think a lot about what the Fraud Risk Management Guide expects of management. So, as with every blog post, I started by researching the topic.

What does the Internet say?

Enhanced fraud monitoring includes using advanced technologies such as artificial intelligence and machine learning to analyze data in real time, strengthen identity verification, and implement robust internal controls. Key procedures include continuous transaction monitoring, behavioral analysis, data aggregation across all channels, and regular risk assessments to keep pace with new threats.
Of course, the actual implementation of this statement will vary by industry: banking, manufacturing, online retail, etc. So let's admit it and move on.

New standard

In addition to the inherent risk and likelihood ratings in your fraud risk assessment, I want you to consider a new rating called “Difficulty of Detecting Fraudulent Schemes.” We call it truth and honesty in reporting. It will force you to better understand the fraud risk claims you are trying to manage. Let me give you an example:
Illustrative example of a fraud risk statement: An employee provides advance communications to a supplier to give that supplier preferential treatment during the bidding process.
In this example, the dollar value of the contract does not require a sealed bid, but the supplier is required to submit a quote. The service is for operational purposes and not for cost of sales.

As we think about this, let's consider what fraud prevention or fraud detection controls might mitigate this risk. Or think about how difficult it would be to actually reduce this risk of fraud. Why is it important to understand this? Let's go back to the beginning.

The internal auditor's recommendation was to implement “enhanced fraud monitoring procedures.” If there is nothing we can do, then the internal audit opinion is a self-serving opinion that puts management in a dilemma.

To be clear, I'm not blaming anyone; as always, my goal is to get you thinking about fraud risk. That is the reason for the blunt language.

New way of thinking

The new standard will require risk managers or auditors to rate fraud risk statements based on the difficulty of preventing or detecting the scheme. It will focus on the underlying mechanics of the scheme rather than internal controls. Ratings work like this:

  • High difficulty: The scheme does not provide a public audit trail in transaction records.
  • Medium difficulty: The scheme will provide a public audit trail, but it will not be visible without internal investigation.
  • Low difficulty: The scheme will provide a public audit trail and be visible to normal management review.

Why is this important?

When building an enhanced fraud monitoring system, we want to put our resources where they will be most effective. Our control strategies must be aligned with what we can actually accomplish, not what sounds good. With this in mind, we can relate the difficulty ratings to control strategies:

High difficulty: I would suggest that trying to monitor an event as it occurs won't work. The management strategy is therefore to react to allegations by working to thwart the scheme. Deterrence strategies will be more effective.

Medium difficulty: I don’t think normal management oversight can be expected to detect the fraud scheme, but with an AI system, the scheme can be detected. Fraud detection strategies will be more effective.

Low difficulty: I would suggest that normal management oversight could detect the fraud scheme. Fraud prevention strategies will be more effective.

What suggestions do I have?

I don't know; I'm still thinking about the idea. What I do know is this: It’s time for us to redesign our fraud risk assessment processes. If we want to gain a deeper understanding of potential fraud schemes, then we must understand how these fraud risk statements operate in the real world.

I believe the goal of fraud risk assessment is to understand and manage fraud risk, not to mitigate fraud risk. It's a subtle difference, but an important one.

Monthly trivia

1. Who invented artificial intelligence? Alan Turing had concepts and experiments related to machine intelligence. Watch the movie “The Imitation Game.”

2. Which country ranks first in artificial intelligence and how much will the country spend by 2025? The United States ranks first in the field of artificial intelligence, with investment expected to exceed $470.9 billion in 2025.

3. What is Bill Gates’ focus on artificial intelligence? AI can be misused, such as in cyberattacks and spreading misinformation, as well as the risk of mass unemployment.

4. Who is called the “father” of artificial intelligence? McCarthy introduced the term “artificial intelligence” in 1955 at a 1956 symposium organized at Dartmouth College.

5. Who is called the “godfather” of artificial intelligence? Geoffrey Hinton is a British-Canadian computer scientist widely considered the “godfather of artificial intelligence.” He won the 2024 Nobel Prize in Physics for his fundamental work on artificial neural networks.

6. AI Romance Schemes: How Do They Work? Artificial intelligence is used to create fake personas that create an emotional connection with victims before asking for money. They achieve this through strategies such as using deepfake photos to automatically generate authentic profiles, sending automated but convincing messages, and using AI voice or video to appear authentic during calls. These scams exploit loneliness by creating idealized partners who are consistent and likeable, and then using these partners to raise funds for fabricated emergencies or “investment opportunities.”

I found these on an internet search. But no peeking. What's the best answer?


1. What is a common artificial intelligence technology used to copy people’s voices for the purpose of fraud?
a) Voice distortion
b) Voice cloning
c) Sound replacement
d) Sound mimicry

2. Which of the following might indicate that a video is an AI-generated “deepfake” video?
a) The speaker's clothing changes between cuts.
b) The video is long and has a lot of camera movement.
c) Image resolution is low.
d) The video has a visible watermark from a legitimate media source.

3. How does artificial intelligence make phishing attacks more dangerous and harder to detect?
a) By creating highly personalized messages that mimic the tone and style of the legitimate sender.
b) By sending email from an easily identifiable external domain.
c) By intentionally including obvious spelling and grammatical errors.
d) By targeting only a few victims at a time.

4. What visual inconsistencies should you look for when analyzing suspicious images for AI manipulation?
a) Perfectly aligned shadows.
b) Reflections on shiny surfaces that do not make sense.
c) Clear, crisp background.
d) A person with the correct number of fingers (AI improves on this).

5. How can artificial intelligence systems detect fraudulent financial transactions in real time?
a) By asking the customer a series of security questions over the phone.
b) By looking for unusual activity based on learned patterns.
c) By requiring manual approval for all transactions above a certain amount.
d) By sending a new debit card to the customer.


