The city of London has been running a TV ad to heighten bike safety by showing how easy it is for people to miss changes right before their eyes. In the ad, as an investigator questions crime suspects, the flower arrangement on a table and other details in the room are switched out, but no one notices because they're focused on the investigator.
And yet, these changes are exactly what artificial intelligence (AI) applications don’t miss, which is why you should consider embedding cloud-based AI security and compliance capabilities into your enterprise resource planning (ERP) and other systems, data security specialists said in a CFO.com webinar last week.
It’s too costly for most CFOs to do more than periodically sample accounts payable and other transactions conducted daily in their systems, the specialists said. But AI-embedded cloud systems can largely remove this cost constraint, so it’s possible for even smaller organizations to monitor much of what’s going on in their systems, said Aman Desouza, director of product strategy at Oracle Risk Management Cloud.
"If you’re using manual methods to review access to your applications or sampling methods to audit transactions, you’re going to be highly vulnerable," he said.
Finding system gaps
Rogue staff who find a way around separation of duties (SOD) controls to both set up and pay a vendor they’re connected with can end up costing your organization a significant amount, especially if it goes on over time.
"The same user shouldn’t be able to create a vendor and pay a vendor," he said. "That might leave the temptation of setting up your brother as a vendor and then paying that brother, and you don’t want that temptation."
A survey by the Association of Certified Fraud Examiners (ACFE) showed fraud schemes like this persist for a median of 16 months, resulting in a typical loss of $125,000. What’s more, the longer a fraud persists, the more it costs. If it goes undetected for five years, it ends up costing more than $700,000 on average, the ACFE data showed.
Meanwhile, the vast majority of ERP and other systems are only set up to meet minimum compliance requirements and are likely to miss a fraud pattern like this, in part because the audit comes too long afterward or looks at too few transactions to detect it — and that can be a costly limitation.
"There’s 3% to 5% cash leakage to fraud in every organization," Desouza said. "Stopping the cash from leaving is much easier than trying to recover it six months later."
In an informal poll conducted among financial professionals attending the webinar, only 18% said they had some kind of AI-embedded security in their systems.
Desouza recommended embedding a capability that enables you to go beyond minimum security compliance by creating a three-tiered system: the first tier for controlling access, the second for monitoring transactions, and the third for managing workflows.
"There’s a truth where enterprises fail," he said, and that truth shows there’s a mismatch between the risk organizations face and where finance leaders spend their time. In the starkest mismatch, organizations face an almost 90% likelihood of strategic risk occurring, but finance leaders only spend 6% of their time on that. Instead, they spend the bulk of their time on finance and operational risk.
One of the strengths of an AI-embedded security system, he said, is that it can automate control and monitoring of finance and operational risks so finance leaders can devote more time to managing strategic risk.
"Strategic risk [protection] you can’t automate," he said. "You need your brain trust. So, if you can free up time on other risks, it opens the door for your team to focus on strategic risks."