Can the Workflow Prevent Fraud?

Hi there!

The Japanese movie “Seven Meetings” (“Nanatsu no Kaigi” ) based on Mr. Jun Ikedo’s original work was released in February 2019. I have read the novels and watched the NHK Saturday drama series, so when there’s a movie starring Mansai Nomura I have to watch it. I haven’t seen it yet, but the story is a murky drama about corporate injustice with a shadowy and complex atmosphere.

When I was working on software development my boss once told me “Don’t cover up bugs! Report it quickly every time.” I think the boss wanted to say, “I don’t want to hide problems. We should deal with them within the organization.”

That’s why I’m sharing my feelings about whether workflow can contribute to fraud prevention.

There are various types of fraud; sometimes they are kept in-house, and there are social injustices that appear in the news. Since this article’s theme is “Can workflow contribute to fraud prevention?” I will talk about occupational fraud.

So, what is occupational fraud? The general definition is:

The effectiveness of workflow against fraud is:

So what type of fraud can workflows handle?

Bribery in business transactions, because it is the receiving of illegal rewards, can be difficult to prevent or detect in the workflow (as it is usually executed outside the workflow).
However, giving illegal payments, profits and bribes (usually monetary) are often done by the company. Therefore, prevention and discovery will be possible if the flow of money is represented within the workflow.

Regarding conflicts of interest, the workflow is considered effective. A common example of fraud is if a director sells their own property to the company, setting a higher sale price of the property.
If a workflow that performs proper checks and approvals (asking for objective judgments) is in operation, then the practice of buying and selling at an unfair sale price (like in the above case) will not be possible.

It’s hard to make a case for the effectiveness of the workflow. Since the financial statements themselves are a culmination of various operations, it is difficult to say that the workflow for creating financial statements is effective in the detection and prevention of fraud. In addition, listed companies and large companies are required to have financial statements audited by certified public accountants and audit corporations under the Financial Instruments and Exchange Act and the Companies Act. In a sense, it doesn’t matter whether there is a workflow.

However, if the information for creating financial statements is created based on the workflow results, it can be said that the financial statements are correct information in accordance with business rules. Therefore that can lead to there being less room for financial statement fraud.

I think the workflow will be more effective in this fraud.

I think the above operations can roughly cover the detection and prevention of fraud.

Most companies make use of workflows, whether on paper or on computer systems. If workflows can prevent fraud then there will be no negative publicity, let alone a novel or movie featuring fraud. It is still possible to proceed with a certain amount of fraud if you have some malicious intentions.
However, the workflow is not perfect. It is possible to find failures in processes. There is no formula, but here are two common examples.

If approval for a process is given by the leader of the department to which the applicant belongs, then that leader will be able to approve applications they have made themselves. That is, the applicant and the authorizer are the same.
For example, if the application is a travel expense adjustment, it is a concern that fake travel can be approved easily. This also makes it easier to approve fraudulent applications such as private purchases. It is a weakness in the workflow, and it’s a sort of fraud that takes advantage of an approval rule deficiency.

If you have the authority to look into the application documents and data in the middle of a workflow, it becomes possible to fraudulently tamper with them. For example, if the application is for a travel expense adjustment, fraud can be committed by amending the application documents and data to show more than the actual payment amount after approval has been given (in addition, the trail must be tampered with). In the case of paper documents, this can be done by having the authority to enter the accounting department (the key to the room) and access to the person’s tray or desk. In the computer system, fraud can be done by having the authority to change workflow data.

First of all, it is necessary to prepare business rules which assume a negative view of human nature. For example, if you say the approval rules for “the leader of the department to which the applicant belongs”, as mentioned in the “Abuse of approval rule” section:

you need to revise the rules. Furthermore, by implementing it systematically, fraud prevention becomes ever more possible.

In the case of paper documents, it can be implemented (to some extent) by including an approval stamp section on the document, and in the case of systematization, the system sets the strict approval rules.

In the case of paper, this can be achieved (to some extent) by strengthening access to the application form (strict key retention management) and, on computer systems, stricter authority rules like the example below:

I think many people will have noticed, what has been described above is just for individual fraud. Since the workflow is the business rule itself, the workflow is not effective if the organization’s business rule is intentionally fraudulent or illegal.

However, many businesses do not tolerate company-wide fraud. Instead, I suppose they can be scrutinized closely by the auditors, shareholders, and directors for organized fraud. The countermeasure as a workflow is to ensure that finished workflow documents and data cannot be falsified. In summary, paper documents should be stored using thorough management, and computer systems shouldn’t provide a function to change data.

On the subject of not providing a function to change completed workflow data, in Questetra BPM Suite Users cannot change data. Furthermore, as a security policy Questetra provide:

The above has been enacted. Other than by request of the responsible party determined for a legitimate and serious reason, no amendment of data or change will be accepted. As of February 2019, we have not received any data correction requests. Based on such an operational system, you can ascertain that business data cannot be falsified because you are a customer of Questetra.

So, regarding the question “Can the Workflow Prevent Fraud?”, I can say…

Unfortunately, that might sound less helpful to you.

The attributes mentioned above are those of a fraudulent person. However, considering that people who commit fraud are usually familiar with the rules and mechanisms of the system they are defrauding, it will be a deterrent if these mechanisms are difficult to circumvent.
On the other hand, companies are also demanding operational efficiency such as “work style reforms”. It seems to be necessary to consider rules and mechanisms that take into account the cost of fraud that is commensurate with fraudulent activities.
I have described an obvious thing but, it seems that there has not been much debate about whether it is possible to keep the balance of the fraud prevention mechanism (such as the workflow).
I would like you to understand a little about the tendency of fraud and use it when creating your own rules and mechanisms. (I highly recommend you use Questetra!)

＜Reference＞
“Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse”, Association of Certified Fraud Examiners.