--- name: fraud-prevention description: Manage fraud detection and prevention including transaction monitoring, anomaly detection, whistleblower management, fraud investigations, anti-money laundering (AML), and fraud risk assessment. Use when detecting suspicious transactions, managing fraud risk, conducting fraud investigations, implementing AML controls, or developing anti-fraud programs. Triggers on phrases like "fraud detection", "fraud prevention", "anomaly detection", "whistleblower", "fraud investigation", "AML", "anti-money laundering", "suspicious activity", "transaction monitoring", "fraud risk assessment", "expense fraud", "procurement fraud", "financial fraud". --- # Fraud Detection & Prevention Protect the organization through proactive fraud detection, investigation, and prevention programs. ## Fraud Risk Assessment ### Enterprise Fraud Risk Framework ``` FRAUD RISK ASSESSMENT — FY2025 ═══════════════════════════════ FRAUD RISK CATEGORIES (per ACFE): 1. Financial statement fraud 2. Corruption (bribery, conflicts of interest, extortion) 3. Asset misappropriation (theft, skimming, expense fraud, payroll fraud) RISK ASSESSMENT METHODOLOGY: Likelihood: Unlikely (1) — Possible (2) — Likely (3) — Very Likely (4) — Almost Certain (5) Impact: Negligible (1) — Minor (2) — Moderate (3) — Major (4) — Catastrophic (5) Existing controls: Weak (1) — Fair (2) — Good (3) — Strong (4) — Excellent (5) Residual risk = Likelihood × Impact ÷ Controls (adjusted) FRAUD RISK REGISTER: ┌────┬─────────────────────────┬─────┬─────┬──────┬────────┬──────────┬────────────┐ │ # │ Fraud Type │ Like│ Imp.│ Ctrl.│ Risk │ Residual │ Owner │ ├────┼─────────────────────────┼─────┼─────┼──────┼────────┼──────────┼────────────┤ │ F1 │ Expense report fraud │ 3 │ 2 │ 4 │ 6/80 │ LOW │ Finance │ │ │ (inflated receipts, │ │ │ │ │ │ │ │ │ duplicate submissions) │ │ │ │ │ │ │ ├────┼─────────────────────────┼─────┼─────┼──────┼────────┼──────────┼────────────┤ │ F2 │ Procurement fraud │ 2 │ 4 │ 4 │ 8/16 │ LOW │ Procure. │ │ │ (vendor kickbacks, │ │ │ │ │ │ │ │ │ shell companies) │ │ │ │ │ │ │ ├────┼─────────────────────────┼─────┼─────┼──────┼────────┼──────────┼────────────┤ │ F3 │ Payroll fraud │ 2 │ 3 │ 5 │ 6/15 │ LOW │ HR + Fin. │ │ │ (ghost employees, │ │ │ │ │ │ │ │ │ unauthorized changes) │ │ │ │ │ │ │ ├────┼─────────────────────────┼─────┼─────┼──────┼────────┼──────────┼────────────┤ │ F4 │ Financial statement │ 2 │ 5 │ 5 │ 10/25 │ LOW │ CFO + │ │ │ manipulation │ │ │ │ │ │ Audit │ │ │ (earnings management, │ │ │ │ │ │ Committee │ │ │ revenue recognition) │ │ │ │ │ │ │ ├────┼─────────────────────────┼─────┼─────┼──────┼────────┼──────────┼────────────┤ │ F5 │ Cyber-enabled fraud │ 3 │ 4 │ 4 │ 12/16 │ MEDIUM │ CISO │ │ │ (business email │ │ │ │ │ │ │ │ │ compromise, wire │ │ │ │ │ │ │ │ │ fraud) │ │ │ │ │ │ │ ├────┼─────────────────────────┼─────┼─────┼──────┼────────┼──────────┼────────────┤ │ F6 │ Conflict of interest │ 3 │ 3 │ 3 │ 9/9 │ MEDIUM │ GC + HR │ │ │ (undisclosed │ │ │ │ │ │ │ │ │ relationships) │ │ │ │ │ │ │ ├────┼─────────────────────────┼─────┼─────┼──────┼────────┼──────────┼────────────┤ │ F7 │ Cash theft / skimming │ 2 │ 3 │ 5 │ 6/25 │ LOW │ Treasury │ ├────┼─────────────────────────┼─────┼─────┼──────┼────────┼──────────┼────────────┤ │ F8 │ FCPA / bribery │ 2 │ 5 │ 5 │ 10/25 │ LOW │ GC + │ │ │ (international │ │ │ │ │ │ Compliance │ │ │ operations) │ │ │ │ │ │ │ └────┴─────────────────────────┴─────┴─────┴──────┴────────┴──────────┴────────────┘ Summary: LOW risk: 6 (75%) MEDIUM risk: 2 (25%) HIGH risk: 0 Critical risk: 0 Overall fraud risk rating: LOW-MEDIUM (acceptable with controls in place) FRAUD LOSS ESTIMATION (per ACFE Report): Median fraud case loss: $150,000 (US organizations) Median duration before detection: 12 months Estimated annual fraud loss: 5% of operating revenue (typical) Our estimated exposure: $8.4M (5% of $168M revenue) Expected loss (with controls): $200K-$400K (conservative, 2-3% of estimated) ``` ## Transaction Monitoring & Anomaly Detection ### Automated Fraud Detection ``` TRANSACTION MONITORING FRAMEWORK: ══════════════════════════════════ MONITORING RULES (Automated Alerts): ┌──────────────────────────────────┬─────────────────────────────────────────┐ │ Rule │ Threshold / Trigger │ ├──────────────────────────────────┼─────────────────────────────────────────┤ │ Expense: Duplicate receipt │ Same amount + same vendor + same period │ │ Expense: Weekend/holiday claims │ Receipt date falls on non-work day │ │ Expense: Round amounts │ >$500, exact round number (e.g., $1,000)│ │ Expense: Velocity check │ >5 claims/week by same employee │ │ Expense: Policy exception │ Category outside employee's dept norm │ │ AP: Duplicate invoice │ Same invoice number + amount + vendor │ │ AP: Vendor address match │ Vendor address = employee address │ │ AP: Just-below approval │ Amount just below approval threshold │ │ AP: Weekend/holiday processing │ Invoice processed on non-work day │ │ Payroll: New bank account │ Bank account change within 30 days │ │ Payroll: Salary change >15% │ Unapproved significant increase │ │ JE: Unusual timing │ Journal entry posted after 8 PM or │ │ │ on weekend │ │ JE: Round amounts │ >$10K, exact round number │ │ JE: Just below threshold │ Amount just below approval threshold │ │ JE: Opposing entries │ Offset entries in same period │ │ Banking: Wire to new payee │ First-time wire to new beneficiary │ │ Banking: Wire amount spike │ >$50K wire (unusual for org) │ │ Access: Privileged use │ Admin account used for transactions │ │ Access: After-hours login │ System access during off-hours │ └──────────────────────────────────┴─────────────────────────────────────────┘ ANALYTICS-DRIVEN DETECTION: Benford's Law analysis: - Applied to: Expense amounts, invoice amounts, JE amounts - Frequency: Monthly - Alert: Deviation >5% from expected distribution - Last analysis: January 2025 — NO ANOMALIES DETECTED ✓ Cluster analysis: - Applied to: Vendor payments (identify related vendors) - Method: Shared attributes (address, phone, tax ID, bank account) - Frequency: Quarterly - Last analysis: Q4 2024 — 2 matches found (both legitimate) Trend analysis: - Applied to: All financial transaction categories - Method: Statistical outlier detection (z-score >3) - Frequency: Continuous (automated) - Alerts generated (Jan): 3 (all resolved — no fraud) Network analysis: - Applied to: Employee-vendor relationships - Method: Graph analytics (identify hidden connections) - Frequency: Semi-annual - Last analysis: November 2024 — NO CONCERNS MONTHLY MONITORING RESULTS: January 2025: Total alerts generated: 12 False positives: 10 (83%) Legitimate exceptions: 2 (17%) Potential fraud referred: 0 (0%) Resolution time: Avg. 2.3 days Trend (past 6 months): Alerts: Declining (automation tuning reducing false positives) False positive rate: Improving (78% → 83%) Fraud referrals: Consistently 0 (strong controls) ``` ## Whistleblower & Ethics Program ### Reporting & Investigation ``` WHISTLEBLOWER PROGRAM: ═══════════════════════ REPORTING CHANNELS: 1. Ethics hotline (third-party, 24/7): Phone: 1-800-XXX-XXXX Web: [secure portal URL] Language: 50+ languages Anonymity: Optional (anonymous reports accepted) 2. Direct manager / HR: Scope: Workplace conduct, harassment, discrimination Process: Direct reporting with confidentiality assurance 3. Compliance officer: Scope: Policy violations, regulatory concerns Process: Formal reporting with documented follow-up 4. Audit Committee (bypass management): Scope: Financial reporting, senior management misconduct Process: Direct to independent board members Contact: Via company website (private channel) REPORTING STATISTICS (FY2024): Total reports: 23 By channel: Ethics hotline: 14 (61%) Direct to manager/HR: 6 (26%) Compliance officer: 2 (9%) Audit Committee: 1 (4%) By category: Workplace conduct: 8 (35%) Harassment/discrimination: 3 (13%) Financial/procurement: 4 (17%) Data privacy/security: 5 (22%) Other: 3 (13%) Anonymity: Anonymous: 9 (39%) Identified: 14 (61%) Substantiation: Substantiated: 3 (13%) Unsubstantiated: 15 (65%) Inconclusive: 5 (22%) Retaliation reports: 0 (ZERO — positive indicator) INVESTIGATION PROCESS: Step 1: Triage (within 24 hours) - Assess severity and scope - Determine investigation type (formal/informal) - Assign investigator (internal or external) - Notify relevant parties (GC, CHRO, CEO if senior) Step 2: Investigation (timeline by severity) - Low severity: 5-10 business days - Medium severity: 10-20 business days - High severity: 20-40 business days - Critical: Immediate (ongoing, expedited) Step 3: Evidence gathering - Document review (emails, transactions, records) - Witness interviews (structured, documented) - Data analytics (transaction patterns, system logs) - External evidence (if applicable) Step 4: Findings & recommendations - Substantiated / unsubstantiated / inconclusive - Recommended corrective action (if substantiated) - Systemic improvements (process/policy updates) Step 5: Resolution & follow-up - Disciplinary action (if warranted) - Remediation (refund, system fix, policy update) - Monitoring (ensure recurrence prevention) - Closure notification (reporter, if identified) INVESTIGATION RESULTS (FY2024): Substantiated cases: 1. Expense policy violation (manager inflated travel expenses) Finding: $8,500 in improper expense claims over 6 months Action: Repayment + termination + policy training refresh 2. Vendor conflict of interest (undisclosed relationship) Finding: Employee's relative owned consulting firm on vendor list Action: Employee reassignment + vendor contract renegotiation 3. Data handling violation (improper customer data access) Finding: Employee accessed records outside scope of work Action: Final warning + access rights tightened + training Average resolution time: 14 days Employee satisfaction (post-investigation survey): 4.1/5.0 No retaliation identified: ✓ CONFIRMED ``` ## Anti-Money Laundering (AML) ### AML Compliance Program ``` ANTI-MONEY LAUNDERING PROGRAM: ══════════════════════════════ APPLICABILITY ASSESSment: Business type: SaaS (software-as-a-service) AML risk level: LOW (non-financial institution) Regulatory exposure: - BSA/AML (US): Limited applicability (not a financial institution) - EU AMLD (European): Enhanced due diligence requirements - OFAC sanctions screening: Required (all US companies) - Local AML laws (international operations): Varies by jurisdiction AML CONTROLS IMPLEMENTED: 1. Customer Due Diligence (CDD): - KYC (Know Your Customer): For enterprise contracts >$100K - Beneficial ownership identification (enterprise customers) - Enhanced due diligence (high-risk jurisdictions) - Ongoing monitoring (annual review) 2. Sanctions Screening: - OFAC SDN list screening: All customers, vendors, employees - Frequency: Onboarding + quarterly refresh - Method: Automated screening (compliance platform) - Last screening: January 2025 — 0 matches - False positive rate: 2.1% (automated filter) 3. Transaction Monitoring: - Wire transfers >$10K: Enhanced review - Unusual payment patterns: Automated alert - Cross-border transactions: Enhanced documentation - Cash transactions: Prohibited (company policy) 4. Recordkeeping: - Customer records: 5 years minimum - Transaction records: 7 years minimum - AML program documentation: Current + 3 years HIGH-RISK JURISDICTION SCREENING: Customers by jurisdiction: US: 65% (LOW risk) EU/UK: 20% (LOW-MEDIUM risk) Canada/Australia: 8% (LOW risk) Asia-Pacific: 5% (MEDIUM risk — enhanced review) Other: 2% (varies) Enhanced review for: Countries on FATF grey/black list: 0 customers Countries with high corruption index: 2 customers (enhanced review) Countries with sanctioned entities: 0 customers Status: ✓ COMPLIANT — all high-risk customers screened AML TRAINING: Annual training: Mandatory for all employees Completion rate: 100% Duration: 45 minutes Specialized training: Finance, Sales, Legal (90 minutes, enhanced) Specialized training completion: 100% AML PROGRAM REVIEW: Annual independent review: ✓ Completed (November 2024) Reviewer: External compliance consultant Findings: 0 deficiencies Recommendations: 2 (minor process improvements) Status: ✓ PROGRAM EFFECTIVE ``` ## Fraud Prevention Controls ### Preventive Measures ``` FRAUD PREVENTION CONTROLS: ═══════════════════════════ PREVENTIVE CONTROLS (Stop Fraud Before It Occurs): 1. Segregation of Duties (SoD): Status: ✓ Implemented (critical SoD enforced) Coverage: Finance, procurement, payroll, IT Monitoring: Quarterly access review 2. Approval Hierarchies: Expense claims: Manager → Dept Head (>$1K) → Finance (>$5K) Procurement: Buyer → Procurement Mgr (>$10K) → CFO (>$50K) Journal entries: Accountant → Controller (>$10K) → CFO (>$50K) Wire transfers: Dual approval mandatory (all amounts) Status: ✓ Implemented 3. Policy Framework: Code of Conduct: 100% acknowledgment (annual) Anti-fraud policy: Documented and communicated Expense policy: Clear guidelines + examples Procurement policy: Competitive bidding, vendor approval Gifts & entertainment: <$100 limit + disclosure Status: ✓ All policies current 4. Access Controls: Role-based access control (RBAC): ✓ Implemented Principle of least privilege: ✓ Enforced MFA (multi-factor authentication): ✓ All systems Session timeout: ✓ 15 minutes (financial systems) Privileged access monitoring: ✓ Daily review Status: ✓ Strong 5. Vendor Management: Vendor approval process: ✓ All vendors pre-approved Vendor due diligence: ✓ Screening on onboarding Vendor master maintenance: ✓ Restricted access Duplicate vendor check: ✓ Automated Status: ✓ Controls effective DETECTIVE CONTROLS (Identify Fraud After It Occurs): 1. Reconciliations: Bank reconciliations: Monthly (100% coverage) Sub-ledger to GL: Monthly (100% coverage) Intercompany: Monthly (100% coverage) Status: ✓ All completed on time 2. Management Review: Financial statements: Monthly (Controller + CFO) Exception reports: Monthly (automated) Variance analysis: Monthly (>5% or >$50K) Status: ✓ Completed 3. Internal Audit: Audit plan: Risk-based (annual) Coverage: Finance, operations, IT Independence: Reports to Audit Committee Status: ✓ Active 4. Continuous Monitoring: Automated alerts: ✓ Active (20+ rules) Data analytics: ✓ Monthly (Benford's, outlier) System logs: ✓ Reviewed (privileged access) Status: ✓ Operating effectively FRAUD AWARENESS PROGRAM: Employee training: Annual anti-fraud training: 100% completion (45 minutes) Phishing simulation: Quarterly (failure rate: 4.2%) Fraud awareness campaign: Annual (month-long) Leadership training: Enhanced (90 minutes) Communication: Code of Conduct reminder: Quarterly (email) Fraud hotline awareness: Ongoing (intranet, posters) Case studies (anonymized): Semi-annual Tone-from-the-top: CEO message (annual) Culture metrics: Psychological safety: 4.3/5.0 (survey) Ethics comfort level: 4.1/5.0 (survey) Reporting confidence: 4.4/5.0 (survey) Trend: Improving (all metrics +0.2 YoY) ``` ## Output ### Fraud Prevention Dashboard ``` FRAUD PREVENTION DASHBOARD — Jan 2025 ══════════════════════════════════════ Fraud Risk Overview: Overall risk: LOW-MEDIUM (acceptable) High/critical risks: 0 Medium risks: 2 (cyber fraud, conflict of interest) Low risks: 6 (well controlled) Transaction Monitoring: Active rules: 20 Alerts (January): 12 (10 false positives) Fraud referrals: 0 Resolution time: Avg. 2.3 days Benford's Law: ✓ No anomalies Whistleblower Program: Reports (YTD): 2 (both unsubstantiated) Average resolution: 12 days Retaliation: 0 reports Hotline utilization: 23 reports (FY2024) Substantiation rate: 13% (FY2024) AML Compliance: Sanctions screening: ✓ Current (Jan 2025) High-risk customers: 2 (enhanced review) OFAC matches: 0 Training: 100% complete Program review: ✓ Effective (Nov 2024) Controls: SoD conflicts: 0 active (5 mitigated) Access review: ✓ Q4 completed (98% certified) Approval compliance: 99.2% (0.8% exceptions — all resolved) Reconciliations: ✓ All on time Internal audit: On plan (8 engagements) Fraud Loss: Estimated exposure: $8.4M (5% of revenue) Expected loss (with controls): $200K-$400K Actual loss (YTD): $0 Insurance coverage: D&O + crime policy ($5M) Actions: 1. Conflict of interest disclosure campaign (Feb) 2. Cyber fraud awareness refresh (Mar) 3. Semi-annual network analysis (Apr) 4. AML quarterly screening (Apr) 5. Internal audit — Revenue Recognition (Feb start) ``` ## Integration Points - ERP/GL (NetSuite, SAP): Transaction data for monitoring and analytics - Expense platforms (Rippling, Concur): Expense fraud detection - GRC platforms (AuditBoard, ServiceNow): Fraud risk register, investigation tracking - AML platforms (ComplyAdvantage, Refinitiv): Sanctions screening, KYC - Data analytics tools (ACL, IDEA, Tableau): Benford's analysis, outlier detection - Ethics hotline platforms: Reporting, tracking, investigation management - HRIS: Employee data for payroll fraud detection - BI platforms: Fraud dashboards, trend analysis - Identity/access management (Okta, SailPoint): Access control, privilege monitoring - Cybersecurity platforms: BEC detection, email security ## Edge Cases - **CEO/C-suite fraud**: Tone-at-the-top failure; board oversight critical; external investigation - **Collusive fraud**: Multiple employees circumventing SoD; harder to detect; data analytics key - **Cyber-enabled wire fraud**: Business email compromise; urgency tactics; dual approval essential - **International FCPA violations**: Third-party agents; facilitation payments; local customs; enhanced due diligence - **Vendor master manipulation**: IT insider access; automated duplicate check; periodic review - **Expense fraud (small, frequent)**: Below radar; aggregate analysis; policy enforcement - **Payroll fraud (ghost employee)**: HR-IT collusion risk; headcount reconciliation; manager verification - **Financial reporting fraud**: Earnings pressure; revenue recognition; journal entry controls; auditor scrutiny - **Cryptocurrency fraud**: Emerging risk; policy clarification; transaction monitoring - **Post-incident response**: Forensic investigation; regulatory notification; insurance claim; reputation management