Thursday 24 November 2011

All fraud is detectable

I am in the business of fraud risk management solutions, enterprise-wide... with probabilities and certainties, based on assumptions or balanced scorecards. Of course, there are variables (predictive analytics), but that does not detract from the fact that you can model and measure risk. 

There are some atypical risks that are largely dependent on mathematical probability and are unpredictable.

That does not mean that risk, being a measurable quantity, is consequently negated. It means that your models built initially on the known are subject, to varying degrees, to variables... in the final analysis.

There is pure risk and there is speculative risk. It is the pure risk we want to manage and the speculative risk that we want to aggregate and predict. The problem is that events can occur that were not expected (not considered in the evaluation of the risk) – such as a natural disaster, or other unplanned events.

It is, of course, easier to manage when such speculative risk is known.

Then, of course, there can be dirty data and consequent “black swans” such as the unfolding disaster at Olympus, the Japanese maker of cameras and endoscopes, which has been found hiding losses by treating them as assets since the 1990s.

Once we have that assumption, we can now construct our model to include the absolutes and also the variables. In come the data mining tools and the mathematicians (quants).

We use data mining for practical exceptions (compliance and control) and data analytics. We can apply logarithms, algorithms and equations... mathematical formulae to measure ambiguity – one element factual and the other hypothetical.

For me the challenge isn’t whether risk can be measured, but rather what risk can or can’t, should or shouldn’t be measured based on fact and probability when measured against return on investment.

This in and of itself creates an additional risk – potential oversight based on expediency.

As such, any risk model must start with the systematic identification of known (pure) risk enterprise-wide and drill down into the unknown, or the weighting of probabilities based on statistical data.

The only question remaining is to what degree the precise and imprecise impact the efficiencies of the overall model. Therein lies the variable and the common pursuit of the purists. 

Risk models can only be developed under enterprise-wide risk frameworks/guidelines.

The principle of enterprise-wide fraud risk management (EWFRM) is younger than the forensic audit profession and even younger than corporate governance.

In order to manage fraud risk enterprise-wide, one needs to study and capture fraud risk enterprise-wide and then map the risks horizontally and vertically.

It is my opinion that most, practically all, risk managers today simply haven’t spent enough time studying and understanding every facet of the enterprise to be even close to calling themselves experts.

From my experience, at least 95% don’t even know what EWFRM is. This presents a challenge - a significant challenge.

It is high time that the full spectrum of audit due diligence, internal assurance and annual attestation is digitised along internationally accepted standards, removing the subjectivity of the individual auditors representing the big firms.

Forget Ansbacher, Enron, WorldCom, Parmalat, Société Générale, Dynegy, Qwest, Freddie Mac, Refco, BCCI, Dexia, Owen Wiggins Group, Regal, Barings and the litany of corporate corpses.

There have been so many massive corporate failures after getting the all-clear from a big four accounting firm that auditor opinions are becoming a joke.

Regulators for decades have tried figuring out ways to get around this fundamental flaw by passing all sorts of rules requiring that auditors be “independent” and that they exercise the requisite standards of care, yet waves of accounting scandals keep coming.

Performing an audit and exercising due care isn’t rocket science.

All fraud is detectable, because all fraud must be expensed. Accounting is a double entry process - for every transaction there must be a flip side to the transaction.

Take Olympus, for instance. If Olympus was concealing losses as assets, you can’t create an asset unless you create an expense, and you can’t create an expense without creating a payment.

Basically for every asset there must be a “cost of goods” or “cost of asset”.

To make a camera or endoscope, you must buy in raw material or components. To create hundreds of millions of dollars’ worth of stock, you must create hundreds of millions of materials purchase orders and payments.

To conceal these losses by hiding the losses in fictitious assets is a monumental task. In fact, usually these frauds manifest in the form of large and unusual adjustments at year-end because of this complexity. So picking this up shouldn’t be too difficult, and it isn’t.
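The two checks this argument rests on, as an added Python example that is not part of the original article: every journal entry must balance, and manual adjustments posted close to year-end are compared against the size of routine postings. The journal lines, account names, ten-day window and five-times-median threshold are constructed assumptions, not figures from Olympus or from any auditing standard.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample journal lines (not real data):
# (entry_id, posting_date, account, debit, credit, manual_adjustment)
JOURNAL = [
    ("J001", date(2011, 3, 10), "Inventory", 120_000, 0, False),
    ("J001", date(2011, 3, 10), "Accounts payable", 0, 120_000, False),
    ("J002", date(2011, 6, 2), "Inventory", 150_000, 0, False),
    ("J002", date(2011, 6, 2), "Accounts payable", 0, 150_000, False),
    ("J003", date(2011, 9, 15), "Accounts payable", 100_000, 0, False),
    ("J003", date(2011, 9, 15), "Cash", 0, 100_000, False),
    ("J006", date(2011, 11, 5), "Inventory", 50_000, 0, False),
    ("J006", date(2011, 11, 5), "Accounts payable", 0, 45_000, False),
    ("J004", date(2011, 12, 29), "Other assets", 9_000_000, 0, True),
    ("J004", date(2011, 12, 29), "Investment losses", 0, 9_000_000, True),
    ("J005", date(2011, 12, 30), "Accrued expenses", 80_000, 0, True),
    ("J005", date(2011, 12, 30), "Cash", 0, 80_000, True),
]


def unbalanced_entries(journal):
    """Return {entry_id: debit - credit} for entries whose two sides differ."""
    totals = defaultdict(int)
    for entry_id, _, _, debit, credit, _ in journal:
        totals[entry_id] += debit - credit
    return {eid: diff for eid, diff in totals.items() if diff != 0}


def year_end_outliers(journal, year_end, window_days=10, multiple=5):
    """Return ids of manual adjustments posted within `window_days` before
    year-end whose amount exceeds `multiple` x the median routine line."""
    routine = [max(d, c) for _, _, _, d, c, manual in journal if not manual]
    threshold = multiple * median(routine)
    flagged = set()
    for entry_id, posted, _, debit, credit, manual in journal:
        near_year_end = 0 <= (year_end - posted).days <= window_days
        if manual and near_year_end and max(debit, credit) > threshold:
            flagged.add(entry_id)
    return sorted(flagged)


if __name__ == "__main__":
    print("Unbalanced:", unbalanced_entries(JOURNAL))
    print("Year-end outliers:", year_end_outliers(JOURNAL, date(2011, 12, 31)))
```

A flagged entry is a lead for an auditor to trace to purchase orders and payments, not proof of fraud.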

The answer is the digitisation of the process of audit and assurance – the business intelligence exists, so does the technology. The race should be on to develop the models and the world bourses should be clamouring for these solutions.

http://www.iweek.co.za/byte-a-bit/all-fraud-is-detectable