How Technology is Improving Expense Report Auditing
How common is expense report fraud? According to the Association of Certified Fraud Examiners’ 2016 Report to the Nations on Occupational Fraud and Abuse, 85 percent of all business fraud schemes involve some form of asset misappropriation, with expense fraud making up about 14 percent of such schemes. The median loss for expense fraud was $40,000 per incident, and the median duration before discovery was two years.
Obviously, this is a costly problem. Before the prevalence of expense management automation, there were few good solutions—only tradeoffs.
Many companies have an approval process, but very little accounting oversight. That controls for time and cost, but not fraud risk. At the other end of the spectrum, some companies audit every expense report. That provides a high degree of control, but is costly and difficult to scale. A growing company will soon find itself hiring people just to review expense reports. Employees will have to wait longer to get paid. Finance will have difficulty making accurate cash projections.
Still others split the difference and conduct random audits, which may be more efficient from a resource and reimbursement perspective, but less effective at fraud control. An Oversight Systems study of 10 million transactions found that one percent of expense reports were fraudulent, so you can see the odds of catching fraud by random audit are small.
Flagging for fraud
Now, advanced expense management systems can identify and flag questionable reports, so you can focus your accounting and auditing resources on higher-risk reports, instead of having to choose from the old menu of unpalatable options. As these systems grow in functionality and companies become more sophisticated in their use of them, you can stop most expense reporting fraud without incurring huge costs.
The first step companies can take is reviewing their own policies to see what kinds of things they need to audit for. Maybe it’s missing receipts, line items that exceed policy limits in a particular category, reports that are submitted long after the fact, or reports that exceed a set total. If you’ve been auditing everything manually, you probably have a good idea of what your usual offenders are.
Once you’ve got that figured out, you configure your expense platform to flag and present only those reports that fall within a certain set of conditions to be reviewed further by somebody from the AP team. The rest go straight through to be processed.
The next level of sophistication is being able to stop an end user before they even submit a report that would be flagged according to those criteria. Then, instead of accounts payable having to audit flagged reports and send back those that are non-compliant, the onus is on the submitter to get it right in the first place. You can do things like, block submission for reports that don’t have required receipts, or that have item totals that are too high, or have been assigned the wrong general ledger code.
You have the ability to configure the system to message the end-user for each instance, and instruct them on what they need to do in order to submit the report. For example, you could remind them to attach a receipt, but if they don't have the original receipt, to attach their credit card statement or another acceptable form of documentation.
Systems can also detect and flag duplicate expenses and provide a notification such as ‘Hey, it looks like you already submitted that expense on this other report.” The end user has the opportunity to remove the expense or justify it so A/P can review it.
There’s a twofold, purpose here, or maybe even three fold. You want to nip fraud attempts in the bud, but you also want to catch honest errors that slow down processing and train people to submit accurate reports. And, you want to let everyone know that there are controls in place that are checking to make sure expense submissions are legit.
If you're not auditing, or using a "dumb" system or Excel or something like that, would-be fraudsters may feel like they can get away with it.
If, on the other hand, they're using a system that has some smarts and stops them when they try to submit a duplicate expense, or they're seeing that sometimes their report gets held up in audit, or it has that policy language embedded to remind them what the policies are as they go along, psychologically they're less likely to take that risk.
As we see in other areas of fraud, as systems get smarter, so do fraudsters. Ultimately, we think companies will find it desirable to go beyond configuring systems to flag and audit based on their own internal policies and apply much larger data sets to the problem.
Cloud vendors have access to data from a wide range of companies and industries. When you take all of the information about expense reporting policies, accounting review triggers, user behavior and other fraud indicators and feed it into a smart algorithm, it can do things such as come up with a fraud risk score that’s based on many data points, beyond just what you’ve told the system to flag.
Now you’re taking smarts and best practices and benchmarks from across a larger customer base and applying them to your reports, so you can apply that additional layer of security without being an expert in fraud detection. That can help you catch corner cases that you may not have anticipated in setting your own policies and configuring your system.
It’s an ‘and’ world
None of this has to be mutually exclusive. You can set parameters and conditions for accounting review triggers, but if you’re the kind of company that currently audits every report, you could continue to do so as a check on the system until you’re comfortable with it. Or, you could audit flagged reports and then conduct random audits of unflagged reports to make sure the system isn’t missing anything. Or, you could audit flagged reports and also unflagged reports over a certain risk score.
It’s a bit of a "trust but verify" approach that you can actually report out on as you work your way toward a high degree of confidence in your system. You can check how many expense reports went to auditors to be reviewed, and how many of those were approved versus how many were sent back because they were truly fraudulent. Then you can fine tune your system, and possibly your policies.
Expense report fraud is not an insignificant problem. With a median cost per incident of $40,000, it could be tempting to weigh the costs of manually auditing reports against that. However, the actual amount of fraud at your company could go much higher, especially if you have lax review standards and a skilled fraudster or fraudsters perpetrating their scheme over many years.
Fortunately, with automated expense systems, companies no longer need to make those kinds of tradeoffs. Instead of throwing in the towel or devoting a ton of accounting resources to reviewing reports, you can use a smarter, more modern approach to detecting and auditing high risk reports so you can spend your time on more strategic things.