I've just got back from lecturing at a CIPFA weekend school for auditors in Blackpool. Mastering the human factor was a primary theme. It covered everything from how to spot fraud to how to change organizational behaviour. It even included a session on the controversial topic of Neuro Linguistic Programming (NLP).
Teaching fraud detection principles is more of an art than a science. You have to learn the tips of the trade from an experienced practitioner, largely through lots of anecdotes and case studies. It's not a black and white technique. There's lots of uncertainty and trial and error. Sometimes frauds come to light by accident. But often it's by instinct. And what sets off such suspicion? Generally it's a small thing that seems out of place: a total that's too high, a figure that's too round, or a behaviour that's out of the ordinary. The interesting thing for me is to try to work out how to capture and automate this valuable inituition.
There are some easy techniques for automated detection of fraud, based on simple rules. For example, highlighting totals that exceed or are just below an authorization limit. Or spotting sudden changes in the velocity or location of transactions. But experienced fraudsters do not always leave such obvious traces. So we need to create models reflecting the more subtle characteristics of fraud.
Several years ago I obtained a DTI research grant to build an experimental system for fraud detection based on a model of the human immune system. It might sound ambitious but we did get it to work, though the results were not interesting enough to persuade us to deploy the system for day-to-day business use. So-called computational immunology is a concept that offers great long-term potential but still needs a lot more research and development. Ascertaining how human immune systems actually work might help somewhat.
Artificial neural network techniques offer a simpler solution. We need good sets of data and some time and resource to train the system to recognize abnormal behaviour. It's not that difficult, though it can take a lot of effort to eliminate sources of false positives. But the important thing is to commence the journey. Because the future of Internal Audit lies not in manual checks, but in intelligent automation.