When fraud surfaces, people often ask “How did this happen?” and “Why wasn’t this detected earlier?” For audit functions, the second question is of great importance. Undetected risks harm financials, damage governance credibility, raise regulatory concerns, and shake stakeholder confidence.
Fraud on a large scale is a persistent issue. PwC’s Global Economic Crime Survey 2024 found that around 41% of organisations worldwide experienced financial or economic fraud in the two years before the survey. While many organisations face this risk, their ability to detect it varies widely.
This difference stems from how financial statement audits are structured. Such audits aim to provide reasonable assurance against material misstatements but are not meant to be in-depth forensic investigations. Standard procedures focus on financial reporting accuracy and control effectiveness. As a result, some behavioural, operational, or emerging risk signals may go unnoticed.
Understanding this boundary helps clarify the challenge. If fraud risk extends beyond typical audit scope, detection methods must be integrated into the audit process. They must be applied consistently, supported by rigorous analysis, and be adaptable to changing risk patterns. This requires a shift in how audits address fraud risk.
Reading the conditions for fraud
Recalibrating audit methods starts with knowing the conditions that allow fraud. The Fraud Triangle is a useful tool here. It shows three key factors that must come together for fraud to happen: incentive, opportunity, and rationalisation.
Take a procurement function that is under constant pressure to cut costs. Performance targets create the incentive. Easy system access and limited oversight provide the opportunity. If employees justify shortcuts as “meeting targets” or see weak enforcement as acceptance, rationalisation completes the triangle. When these factors align, it signals increased risk. Audit planning should be aimed at detecting this.
Fraud does not sample evenly
Recognising the conditions that enable fraud adds value only if audits turn that insight into actual detection. A quick look at traditional audit methods gives useful context.
Traditional audits rely on sampling. They test a subset of transactions to draw conclusions about the whole. This approach assumes that anomalies are spread evenly. It works well for predictable patterns, like checking control effectiveness or finding unintentional errors.
Fraud, however, does not follow predictable patterns. It is intentional and often designed to evade detection. Transactions may be split to stay under approved limits, timed to avoid oversight, or structured to look normal on their own. In these cases, sampling makes it harder to spot underlying behavioural patterns. Instead, we need full-population testing (FPT). This means examining entire datasets rather than just selected parts. FPT reveals recurring anomalies, unusual approval behaviours, timing issues, and inconsistencies across systems that go unnoticed when transactions are looked at separately. The focus shifts from isolated exceptions to clear behavioural signatures.
Sampling still has its place, but it should be a targeted follow-up to risk signals highlighted by analytics.
Building detection in, not on
Detection is most effective when FPT is continuous and part of the control environment, not just added on. Advanced analytics is key here. It offers clear, cross-functional visibility across transactions and controls. Artificial intelligence (AI) enhances this by spotting patterns and evolving signals that static rules cannot catch.
Detection shifts from just finding rule breaches to identifying patterns of behaviour. Activities that seem compliant on their own can indicate risk against set norms. For instance, a payment within policy limits might not raise alarms. Yet, if it is regularly approved outside normal hours, clustered in a small approval group, or linked to vendors with little history, a larger pattern becomes clear.
As behaviours change, detection logic adjusts thresholds and improves pattern recognition. This tightens the response time between new tactics and institutional action.
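The sketch below is an added example, not code from the article or from any Infosys BPM product. It runs two of the checks described above over a whole ledger: payments split to stay under an approval limit, and the share of each approver's approvals made outside normal hours. The limit, the 7-day window, the business hours and the ledger rows are all assumed or constructed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values, not taken from the article.
APPROVAL_LIMIT = 10_000
WINDOW = timedelta(days=7)
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59, Monday to Friday

# Constructed sample ledger: (txn_id, vendor, approver, amount, approved_at)
LEDGER = [
    ("T1", "V-100", "alice", 9_500, "2024-03-04 10:15"),
    ("T2", "V-100", "alice", 9_800, "2024-03-05 22:40"),
    ("T3", "V-100", "alice", 9_700, "2024-03-07 23:05"),
    ("T4", "V-200", "bob",   6_200, "2024-03-05 11:00"),
    ("T5", "V-300", "carol", 9_900, "2024-03-06 14:30"),
    ("T6", "V-200", "bob",   5_100, "2024-03-20 09:45"),
]

def parse(ledger):
    return [dict(id=i, vendor=v, approver=a, amount=amt,
                 ts=datetime.strptime(t, "%Y-%m-%d %H:%M"))
            for i, v, a, amt, t in ledger]

def split_payment_groups(txns):
    """Vendor/approver pairs whose under-limit payments exceed the limit within WINDOW."""
    by_pair = defaultdict(list)
    for t in txns:
        if t["amount"] < APPROVAL_LIMIT:   # each one passes a per-transaction rule
            by_pair[(t["vendor"], t["approver"])].append(t)
    flagged = {}
    for pair, group in by_pair.items():
        group.sort(key=lambda t: t["ts"])
        start, total = 0, 0
        for end, t in enumerate(group):    # sliding window over the full population
            total += t["amount"]
            while t["ts"] - group[start]["ts"] > WINDOW:
                total -= group[start]["amount"]
                start += 1
            if end > start and total > APPROVAL_LIMIT:
                flagged.setdefault(pair, set()).update(x["id"] for x in group[start:end + 1])
    return {pair: sorted(ids) for pair, ids in flagged.items()}

def off_hours_share(txns):
    """Per approver: fraction of approvals made outside business hours."""
    counts = defaultdict(lambda: [0, 0])
    for t in txns:
        off = t["ts"].hour not in BUSINESS_HOURS or t["ts"].weekday() >= 5
        counts[t["approver"]][0] += off
        counts[t["approver"]][1] += 1
    return {a: off / n for a, (off, n) in counts.items()}
```

Every row in the sample is under the limit on its own, so a per-transaction rule or a small sample can pass all six; only the aggregate view links T1 to T3. Flags like these are inputs for targeted follow-up testing and reviewer judgment, not conclusions.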
AI-enabled fraud detection: best practices
Bringing advanced analytics and AI into the audit goes beyond just technical setup. Detection abilities need strong governance to maintain credibility, efficiency, and defensibility.
- Models must be clear. Audit conclusions cannot rely on unclear outputs. Document risk scoring logic, threshold calibration, and model assumptions. These should be validated independently. Transparency helps findings withstand scrutiny and regulatory checks.
- Detection thresholds must match investigation capabilities. Too many false positives can overwhelm teams and reduce trust in the system. Regular tuning is needed to balance sensitivity and operational capacity.
- AI outputs should support, not replace, professional judgment. They must prioritise and inform reviews, not automate conclusions. Clear escalation protocols and documented challenge processes ensure model signals are interpreted correctly in a business context.
- Continuous validation is crucial. Models trained on past data might miss new fraud patterns. Ongoing performance checks, bias assessments, and recalibrations protect against decline over time.
When governed well, AI enhances the control environment. Analytics can continually assess segregation of duties, privilege concentrations, and access appropriateness. This shifts fraud detection into a feedback loop for optimising controls instead of just a compliance task.
Final thoughts
Regulatory and stakeholder expectations are raising the standards for oversight. Now, it is not just about policies but also about showing clear monitoring capability.
Integrating fraud detection changes the role of audit. It shifts from looking back for assurance to focusing on future risk intelligence. This involves targeted fraud risk assessments, FPT, AI-driven anomaly detection, and governance controls in a unified framework.
For audit leaders, the key is methodology. They must identify where current methods depend on limited testing. This includes targeting high-risk process intersections and creating the data and governance systems to monitor them continuously.
How Infosys BPM can help
Recalibrating audit methodology demands operationalised detection capability. Infosys BPM’s Fraud Detection Services integrate advanced analytics, AI-driven anomaly detection, and cross-functional data visibility into enterprise environments, enabling FPT rather than reliance on limited sampling. This enables identifying emerging fraud signals across systems and processes. Detection logic evolves alongside changing risk patterns, narrowing the gap between anomaly identification and institutional response. The result is embedded, defensible oversight — where fraud detection becomes a sustained analytical capability rather than a periodic control exercise.


