The growth of automated business systems, such as enterprise resource planning (ERP) and customer relationship management (CRM) applications, continues to propel productivity gains and new efficiencies in the e-business world. These business systems allow organizations to easily manage accounts payable, human resources, accounts receivable, inventory, payroll, and more in real time. However, automated business systems are subject to errors, misuse, and fraud, just like manual, unautomated systems. Furthermore, automated business systems can open the door to business “hacks” resulting in asset misappropriation and significant financial losses. Both intentional and unintentional problems can jeopardize the integrity of an enterprise's transactions and reporting.
Sources of integrity compromise fall into categories that range from the most malicious acts to the guiltless mistakes of well-meaning employees. Vulnerabilities in electronic transaction systems can: (1) permit access to target business applications in order to launch fraudulent schemes, (2) unknowingly introduce system errors that affect asset appropriation, such as creating duplicate payments, or (3) allow system controls to be overridden or circumvented, which then gives others the opportunity to abuse or misuse the system to commit fraud.
Organizations must take measures to reduce and eliminate all forms of errors, misuse, and fraud. Present-day financial controls of modern business enterprises do not do enough to mitigate business risks from fraud and error within the organization. According to reports from the Association of Certified Fraud Examiners (ACFE), fraud and white-collar hacks collectively drain 6 percent of a typical business enterprise's annual revenue. In 2002, these losses purportedly totaled over $600 billion. A survey by one well-known accounting firm pegged the average loss per company at greater than $2 million. Another accounting firm calls the problem of fraud and error “a bigger loss problem than viruses and worms combined.”
The ACFE study found that an average fraud scheme lasted 18 months before it was detected. More than half of the detected schemes accounted for losses greater than $100,000; nearly one in six caused losses greater than $1 million. The study also reported that nearly two-thirds of all identified fraud was detected by “accident” or employee tips.
New motivations for evaluating financial controls, including the Sarbanes-Oxley Act of 2002, have driven some enterprises to re-think their financial controls. Section 404 of the Sarbanes-Oxley Act caused the Securities and Exchange Commission (SEC) to establish rules about the annual reports of certain companies, especially publicly held companies. Such rules require an annual report to contain (1) a statement of management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting, as well as (2) management's assessment, as of the end of the company's most recent fiscal year, of the effectiveness of the company's internal control structure and procedures for financial reporting. Section 404 also requires the company's auditor to attest to, and report on, management's assessment of the effectiveness of the company's internal controls and procedures for financial reporting in accordance with standards established by the Public Company Accounting Oversight Board. These requirements alone have triggered a search by both a company's management and its auditors for solutions to the establishment and maintenance of internal control structures, which are inevitably reflected in a company's policies and procedures.
The Sarbanes-Oxley Act has heightened the importance of establishing enterprise policies regarding business activities and practices, ensuring compliance to those policies, and correcting lack of compliance promptly and efficiently. Failure to establish and abide by some government-imposed requirements can result in criminal as well as civil penalties, so many businesses and other organizations are scrambling to establish policies and compliance monitoring systems.
The real-time nature of information, analysis, decision-making, and policy validation creates additional complexities in financial controls and compliance monitoring. Partly because so much of the business of modern enterprises is conducted by computer systems, some businesses and government organizations are exploring whether it is feasible to implement automated transaction monitoring systems as an alternative or supplement to traditional people-based financial controls. In the process of exploring automated monitoring systems, many enterprises are facing tradeoffs between stringent controls, operational efficiency, and business risk. While stringent system controls may stop the small percentage of insiders who intend to defraud the enterprise, stringent controls place a heavy burden on the vast majority of insiders who are honest. Theoretically, automated transaction monitoring should allow an enterprise to remove many system restrictions and rely on real-time analysis to flag transactions that do not comply with enterprise policies. However, prior efforts to provide efficient and effective automated transaction monitoring systems have not been entirely successful.
Some prior approaches to automated transaction monitoring focused on narrow fields of critical transaction data flows and were implemented to detect overt indications of profound and clear problems. Software tools (case management systems) that assist in recording and documenting the investigative actions of a human auditor are known. Some functions for querying available data were automated, but only under the direction of a human operator. Such limited approaches watch only a small percentage of the transactions on a computer system. Problematic issues in areas outside of the monitored fields can be overlooked, even though such issues may result in problems in seemingly non-critical transactions, may affect critical transactions with subtlety, and may result in dispersed adverse effects that, in aggregate, amount to problems deserving attention but that may go undetected.
Accordingly, there is room for improvement in automated transaction monitoring systems that are operative for establishing enterprise policies and procedures, monitoring compliance with such policies and procedures, and reporting violations of or deviations from the established policies and procedures. But there are various requirements for a system that will be effective and acceptable to the business community. Automated transaction monitoring must rely upon sophisticated data acquisition and multi-perspective analysis to correlate information from ERP systems, legacy mainframe applications, network monitoring solutions, and external data sources. These various systems implement the known business functions of accounts payable, accounts receivable, general ledger, human resources and payroll, and inventory management. After collecting relevant transaction information, automated transaction monitoring solutions must analyze each transaction and the context of the transaction with the same level of scrutiny that an internal human auditor and fraud examiner would employ. This complex analysis requires a combination of domain engineering, automated link analysis, behavioral analysis, deductive analysis, and standard business intelligence.
Furthermore, an effective transaction analysis system should flag suspicious activities and attempt to distinguish real concerns from hundreds of indicators of fraud, misuse, and errors. The system should detect acts of concealment and conversion designed to circumvent standard auditing techniques. The system should preferably operate in continuous or near real-time mode, so as to detect efforts at concealment early and avoid the complications and expense of later remedy.
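As an added illustration (not code from the patent or its inventors) of a monitor that judges each accounts-payable payment in the context of the payments already seen, the block below flags the duplicate payment mentioned earlier, an overt over-limit payment, and the concealment pattern of splitting one purchase into several sub-limit payments. The approval limit, the correlation window, and the payment feed are all constructed assumptions for the demonstration.

```python
from collections import defaultdict, namedtuple

# Hypothetical policy values (assumptions for this example, not taken from the page).
APPROVAL_LIMIT = 10_000.0   # one approver may release at most this amount per invoice
SPLIT_WINDOW_DAYS = 7       # window in which sub-limit payments to a vendor are correlated

# One accounts-payable payment; `day` is a constructed day index of the payment run.
Payment = namedtuple("Payment", "txn_id vendor invoice amount approver day")

class TransactionMonitor:
    """Stateful monitor: every payment is judged in the context of earlier ones."""
    def __init__(self):
        self.seen_invoice = {}            # (vendor, invoice) -> txn_id that first paid it
        self.history = defaultdict(list)  # vendor -> payments already released

    def ingest(self, p):
        flags = []
        key = (p.vendor, p.invoice)
        if key in self.seen_invoice:      # the classic duplicate-payment error or fraud
            flags.append(("DUPLICATE_PAYMENT", f"invoice already paid in {self.seen_invoice[key]}"))
        else:
            self.seen_invoice[key] = p.txn_id
        if p.amount >= APPROVAL_LIMIT:    # overt policy breach, easy to catch
            flags.append(("OVER_LIMIT", f"{p.amount:.2f} >= {APPROVAL_LIMIT:.2f}"))
        else:
            # Concealment pattern: one approver releases several sub-limit payments to
            # a vendor within a short window that together exceed the approval limit.
            recent = [q.amount for q in self.history[p.vendor]
                      if q.approver == p.approver and p.day - q.day <= SPLIT_WINDOW_DAYS]
            if recent and sum(recent) + p.amount > APPROVAL_LIMIT:
                flags.append(("SPLIT_APPROVAL", f"{len(recent) + 1} payments total {sum(recent) + p.amount:.2f}"))
        self.history[p.vendor].append(p)
        return flags

def run_monitor(payments):
    """Feed payments in arrival order; return {txn_id: [(code, detail), ...]} for flagged ones."""
    mon, report = TransactionMonitor(), {}
    for p in payments:
        if flags := mon.ingest(p):
            report[p.txn_id] = flags
    return report

# Constructed accounts-payable feed for the demonstration (not real data).
SAMPLE_PAYMENTS = [
    Payment("T1", "ACME", "INV-100", 6000.0, "alice", 1),
    Payment("T2", "ACME", "INV-101", 5500.0, "alice", 3),    # with T1, splits the limit
    Payment("T3", "BETA", "INV-7", 800.0, "bob", 3),
    Payment("T4", "ACME", "INV-100", 6000.0, "carol", 5),    # INV-100 paid a second time
    Payment("T5", "ACME", "INV-102", 12000.0, "alice", 20),  # over the limit outright
]
```

Running `run_monitor(SAMPLE_PAYMENTS)` reports T2, T4 and T5 and leaves T1 and T3 unflagged; a real deployment would replace the in-memory history with the ERP's payment ledger and route the report to the internal auditor.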
Providing an acceptable transaction monitoring and analysis system has proven a daunting task. Nonetheless, the benefits of such a system are clear: (1) transaction integrity monitoring should build an audit trail of transactions within a financial system and direct internal auditors to the most suspicious transactions, (2) transaction integrity monitoring should establish a business environment that deters employees and other insiders from breaking enterprise policies or defrauding the company, (3) transaction integrity monitoring should provide the benefits of rigorous financial controls without the administrative overhead and bureaucratic burden, (4) even if compliance with policies is not 100% or employees learn to game the system, risk managers should have a solution that keeps pace with real-time business transactions, and (5) an acceptable transaction integrity monitoring system should act as the ultimate layer of security against outsiders who penetrate the network as authorized users.
As will be described and explained in detail below, the present inventors have constructed various systems and methods that meet these and other requirements for efficient, effective, robust, and comprehensive automated electronic transaction integrity monitoring.