The Kroll/ACFE Indonesia Fraud Risk Survey reveals that 62% of fraud incidents were detected through the whistleblowing system (WBS), which has been an effective fraud detection mechanism. This may indicate that the detection mechanism has done its job well. That’s one way to see it. But this also means that we’ve been relying on a detection mechanism over which we have minimal control.
Proven High Success Rates But Fraud Still Goes Undetected
The WBS reports are loaded with leads, and in many instances, the whistleblower is even willing to testify, which makes the allegations easier to investigate. Indonesia’s Corruption Eradication Commission’s (KPK) sting operations (Operasi Tangkap Tangan – OTT) are good examples. Most of the intel used in OTTs originates from the KPK’s WBS (Pengaduan Masyarakat). Once a report is received, the commission sets up a surveillance operation in which phones are tapped, messages are intercepted and everything is monitored. When the colluding parties meet up to commit the fraud, they are arrested. With all the hard, direct evidence, the court can easily come to a decision. Hence, the KPK’s conviction rate is almost 100%, which is good. But that doesn’t answer the question about the unreported corruption cases.
The Challenge with WBS
The problem with reactive controls like WBS is that they are reactive. After the system is installed and disseminated, all the organization can do is wait. Unfortunately, the system is not the only success factor. Many fraud incidents were never discovered because organizations operate in a culture that doesn’t encourage whistleblowing. In many organizations, people who blow the whistle are considered disloyal or even traitors. Most Indonesians, like other eastern societies, are brought up to appreciate seniority and to maintain harmony. And this is a challenge to any WBS in an organization, since our survey discovered that 83% of the fraud perpetrators in Indonesia are employees. With such a culture, employees would likely be silent on wrongdoings committed by their peers or management.
The statistics about WBS’ performance tell us the portion of the incidents detected by WBS. They also tell us how dependent we are on the good faith of whistleblowers. But in an environment in which bribery is a common practice, for instance, we may not be so lucky. Nobody would bother reporting something that they themselves do. So instead of relying solely on reactive detection like WBS, we need to start implementing proactive detection systems.
Data Analytics – It’s Only as Good as the Parameters
The vast development of IT has equipped us with the capability to search for critical information in big data using data analytics (DA). DA is the process of analyzing datasets in order to identify trends and patterns and draw conclusions about the information they contain. Anti-fraud practitioners use DA to find suspicious activities in both transactional and static data. Judged by its name, DA may sound like an IT-heavy process. It is true that the procedure requires data processing skill and data processing applications. But unless you use an application with full machine learning capability (whereby human involvement is close to zero), the effectiveness of DA relies heavily on the parameters loaded into the system. A parameter is a set of logic that is based on a certain typology of fraud and is used to filter transactions/activities. In essence, DA helps the management filter out activities/transactions that warrant further investigation.
Data Analytics is No Magic Wand
Having said that, DA is not a magic wand. It would only be effective when implemented in an organization that understands its risks well. There is a myriad of possible ways by which an organization can be defrauded, and it is impossible to convert every possible fraud method into parameters, let alone to collate and process all the data. That would be too expensive and time-consuming. Bound by limited resources, organizations need to prioritize. This is where a fraud risk assessment process is critical. Fraud risk assessment is not rocket science, nor is it a new type of strategy in dealing with fraud. Indonesian banks would be familiar with the term, since it is one of Indonesia’s Financial Services Authority’s standard requirements in combating fraud in the financial services industry. As a matter of fact, this requirement has been around since 2011. By conducting fraud risk assessment, an organization can assess its fraud risk in a more systematic manner. It helps the management focus on fraud risks that bring the most significant impact and are more likely to occur. Fraud risk assessment would also provide the organization with a tool to assess its readiness in mitigating the respective fraud risk.
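The following is an added example, not taken from the survey or from Kroll, of the two ideas above: parameters as filter logic tied to a fraud typology, and a fraud risk assessment (impact and likelihood) deciding which parameters are loaded when resources are limited. The typologies, scores, approval limit and transactions are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable

APPROVAL_LIMIT = 10_000  # assumed approval threshold for this example

@dataclass(frozen=True)
class Parameter:
    name: str
    impact: int       # 1-5, assumed output of the fraud risk assessment
    likelihood: int   # 1-5, assumed output of the fraud risk assessment
    matches: Callable[[dict], bool]  # the filter logic for one typology

    @property
    def risk_score(self) -> int:
        return self.impact * self.likelihood

# Hypothetical typologies, chosen only to illustrate the mechanism.
PARAMETERS = [
    Parameter("self_approval", 5, 3, lambda t: t["requester"] == t["approver"]),
    Parameter("just_below_limit", 4, 4,
              lambda t: 0.95 * APPROVAL_LIMIT <= t["amount"] < APPROVAL_LIMIT),
    Parameter("weekend_posting", 2, 2, lambda t: t["day"] in ("Sat", "Sun")),
]

# Constructed sample transactions, not real data.
TRANSACTIONS = [
    {"id": "T1", "amount": 9_800, "requester": "emp4", "approver": "emp9", "day": "Tue"},
    {"id": "T2", "amount": 3_200, "requester": "emp7", "approver": "emp7", "day": "Mon"},
    {"id": "T3", "amount": 9_950, "requester": "emp2", "approver": "emp2", "day": "Fri"},
    {"id": "T4", "amount": 1_500, "requester": "emp5", "approver": "emp1", "day": "Sun"},
    {"id": "T5", "amount": 4_000, "requester": "emp3", "approver": "emp8", "day": "Wed"},
]

def select_parameters(parameters, budget):
    """Keep the `budget` highest-scoring parameters (the prioritization step)."""
    return sorted(parameters, key=lambda p: p.risk_score, reverse=True)[:budget]

def run_analytics(transactions, parameters):
    """Return {transaction id: [matching parameter names]} for flagged items only."""
    hits = {}
    for tx in transactions:
        matched = [p.name for p in parameters if p.matches(tx)]
        if matched:
            hits[tx["id"]] = matched
    return hits

if __name__ == "__main__":
    loaded = select_parameters(PARAMETERS, budget=2)
    for tx_id, names in run_analytics(TRANSACTIONS, loaded).items():
        print(tx_id, "->", ", ".join(names))
```

With a budget of two parameters, T4 is never surfaced for review, because the only parameter that would match it was not loaded.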
Detecting Unreported Fraud – More Proactive Controls Needed
Joseph T. Wells says in his book, “Corporate Fraud Handbook: Prevention and Detection,” “Employees who perceive that they will be caught engaging in occupational fraud and abuse are less likely to commit it.” Having an effective WBS is good, but we need more proactive detection controls, particularly because we operate in an environment that tends to appreciate harmony and avoid conflicts. As Wells pointed out, potential fraudsters would think twice if they know that WBS is not the only thing standing between them and a successful fraud scheme.