The time has come for a change in continuing education. Pertinent and relevant training that engages and leaves attendees with tools to manage the latest requirements in risk and controls management. Trainers should not be reciting from text books and training firms, large or small, should have a foundation of experienced trainers and consultants that are not merely for hire, but actually part of the company you are hiring. It is time for Verracy!
Last week I taught a course on leveraging data analytics to detect fraud. I love teaching fraud courses and have had a decade-and-a-half love affair with data analytics — specifically what a mature analytics program can do for an organization. When teaching, my favorite moment is seeing the lightbulb go on for class participants when something truly hits home. But I struggle to explain how I knew when I found a fraud. Sometimes it was the unusual correlation between changes in related accounts, sometimes it was the new Audi R8 in the parking lot that sent me down a fraud sleuthing trail and sometimes it was just having the courage to keep asking questions. But how do I teach that? I can explain what I saw, what it made me suspect and how I went about verifying, but how do I translate that into something they can use when my students will probably never see something that exactly resembles my experiences? Can you teach intuition? Maybe, maybe not — but you can teach practices that help hone intuition.
Some people think I am a fraud magnet — that I don’t necessarily find fraud as much as it saddles up next to me and I trip over it. However, what really made me good at finding fraud was when I didn’t find it, but should have. That first big missed fraud, the one that slipped by me, made me forever stop taking things for granted and accepting things at face value. That large fraud occurred in an area I recently audited, and while I was a relatively young auditor, I was hard working and proud of my skills. If you had asked me, I would have confidently told you I could detect fraud in any area of the business I audited. After all, I had already caught several fraudsters. In my mind, I was clearly a skilled fraud hunter, right? Wrong.
So, when a large-scale fraud got past me, my pride was wounded and I was embarrassed. I spent countless hours analyzing everything I missed and I discovered that in my prior fraud cases, the fraud had been hard for me to miss due to feeble concealment efforts. I had merely noticed the obvious red flags directly under my nose and I understood what they potentially represented. In hindsight, not so impressive. But in this case, the fraud I missed was ultimately discovered via a tip (yes, a tip) and the concealment was good — really good — and the fraud pretty sophisticated. So, what went wrong for the mighty fraud hunter?
I didn’t listen to my instincts. I had doubts although the red flags were present. There was typical fraudster behavior and transactions that didn’t make sense. There were account behaviors that were very unusual, but the fraud scheme didn’t jump up and introduce itself to me and I missed it. But did I really miss it? Not really. There were issues that that bothered me and my instincts were screaming at me that there was a problem, but I was afraid to push too hard, appear ignorant, or heaven forbid, offend anyone.
The fraud involved an individual in a position of trust and power, who was extremely knowledgeable and charming. He was a subject matter expert who many in the organization deferred to regarding his area of the business. He was an expert in the area where the fraud occurred and I was not. Explanations, process descriptions and documentation all left my team and I with questions. But most of it “sort of” made sense. Enough sense to make me believe I just didn’t have enough knowledge in that area of the business to fully comprehend what I was being told. Looking back, I didn’t just doubt my knowledge, I doubted myself.