Sunday, March 11, 2012

Why is it so difficult to detect/prevent frauds?

While reading up on information security audit, I noticed some interesting explanations in the ICAI 100hr ITT material on the difficulties in fraud management (pg 346) and thought I would expand on that:
  1. Big Data:- Though firms like Opera Solutions and McK Global Research Institute are waking up to the opportunities and challenges in analyzing huge data volumes, companies and B-schools are yet to wake up to that. Frauds can be invisibly concealed in the mass of big data if analytics is not developed enough to investigate trends, outliers, etc.
  2. Complexity of Systems:- As the butterfly effect/chaos theory would show, it is difficult to predict the path of complex systems (which most organizations are), and thus predicting all leaks is difficult.
  3. Changing User Behavior:- Be it social mores (breakdown of the lifelong-employment social contract), use of personal computing devices in the workplace, social engineering, etc., employee behavior is changing, and fraud management must keep up.
  4. Continuous Evolution of Fraud:- Similar to computer viruses, frauds can never be totally removed, unless of course you have a closed system like that of Apple's Mac. There is always a cat-and-mouse game between fraud detection ('antivirus') and fraudsters, and indeed auditors can learn a lot from the antivirus industry in terms of updates/learning on frauds, etc.
  5. Risk of false alarms:- Unlike the famed Mongol conqueror Genghis Khan who was rumoured to kill several suspects to avoid the guilty going unpunished, modern judicial systems in most developed countries presume a person innocent unless proven otherwise. And given that fraud accusations are not 'routine', false alarms could lead to the employee quitting or suing the company for defamation. 
  6. Privacy/Discrimination:- Since fraud prevention needs extensive data analysis and the setting up of behavioral profiles, it could be challenged and lead to adverse PR if the news leaks out. For instance, certain PIN codes (zip codes in USA parlance) could be fraud-prone, as could certain demographic groups in lending default. But fairness-in-lending and other rules usually demand giving a rationale in certain cases, and that would need quantifiable data instead of mere suspicion.
The above is NOT an excuse, and indeed the new tech-savvy generation of auditors, IT departments and controllers is fighting back. Still, it is important for the public to appreciate the above facts.


Neat Rat said...

Would like to mention that companies have in fact woken up to big data quite some time back. Engineers who understand big data and can work with it/build toolsets to help others work with it are in hot demand in the valley.
Sadly, yes, B-schools (at least Indian B-schools) are yet to even appreciate the existence of this imposing friend turned enemy.

Anandh Sundar said...

@Neat Rat - thanks for the clarification, and I appreciate the comment! Still, to the extent this refers to Indian companies, I think the point is valid.

Neat Rat said...

Does that include otherwise alert multinationals as well? Not tough to see that happening, with decentralization of policy making and control, though.