I was speaking at a conference session a few months ago on using data analysis to detect fraud. The session was very interactive – always a good thing when attendees really engage – and we spent a while talking about some of the more common types of employee fraud and abuse, in particular, improper T&E claims and corporate credit card usage. One of the participants questioned why we were spending time discussing these areas when there were surely far more important fraud risk areas in terms of potential loss.
It was a fair question. After all, the latest ACFE Report to the Nation on Occupational Fraud and Abuse identifies the median loss to an organization from T&E fraud at $26,000, while the median loss from all types of employee asset misappropriation is reported to be $120,000, and 20% of all instances of employee fraud are in excess of $1,000,000. So there are certainly plenty of fraud areas that could represent a larger potential risk of loss in direct monetary terms; for example, “phantom vendors” and employee/vendor collusion.
Incidentally, the ACFE Report does not include statistics specifically on fraudulent use of corporate credit cards or purchasing/procurement cards (P-Cards). I think it is reasonably likely that in some organizations, P-Card fraud involves significantly more monetary losses than T&E. The two areas tend to be lumped together, though, as the underlying risks, controls and processes tend to be similar.
So why is it worth spending effort on testing and monitoring for T&E and P-Card fraud – maybe even ahead of any other fraud area? I think there are a number of reasons why, in practice, organizations focus a fair amount of effort on risk assessment, audit and control of these areas.
Firstly, there is often a very large number of employees in an organization who claim T&E expenses and use corporate credit cards. On the other hand, relatively few employees are usually in a position to manipulate processes for areas such as purchases, payments and billings. So if T&E and P-Card abuse becomes anything like commonplace, then it means that a lot of employees could be involved in what are actually illegal activities.
One of the problems with T&E and P-Card areas is that it is often relatively easy to abuse the system. There may be “grey” areas where employees actually choose to consider their abuse as acceptable – even that it is OK as “everyone else seems to be doing it”. If an organization does end up with such widespread abuse, it can be a symptom of a basic problem with employee morale and integrity. If testing of T&E and P-Card transactions shows a large pattern of abuse, then it can provide an opportunity to spread a message throughout the organization about ethical standards, and to make it known that all claims and card usage are regularly monitored. This in itself can provide a strong deterrent effect.
Another point to consider is that even though, from a monetary perspective, each individual instance of fraud and abuse in these areas may be relatively small, the sheer volume of usage may mean that the total financial impact is significant.
Finally, a practical reason to analyze and monitor T&E and P-Card transactions is that it is relatively easy to do. The required data, including that provided by credit card companies, is usually simple to obtain. The systems and data structures are normally fairly standardized. There are also well-developed suites of transaction testing applications available, designed to identify indicators of a broad range of fraudulent schemes, that can be quickly implemented. This often puts the area in the category of “low-hanging fruit”: an opportunity to monitor transactions, test the effectiveness of controls and get quick results.
Ideally, any approach to monitoring and detecting fraud should be performed within an overall risk assessment and management process. The risks of T&E and P-Card fraud should be assessed and ranked, within a risk management application, alongside a universe of other risks. A cost-benefit assessment of implementing T&E and P-Card fraud monitoring can often indicate that it makes sense to proceed with testing in these areas. Once the monitoring results are fed back into an overall data-driven risk management dashboard, the value of efforts in these areas can become readily apparent.