
JOHANNES KEPLER UNIVERSITY LINZ Altenberger Str. 69 4040 Linz, Austria www.jku.at DVR 0093696

Submitted by

Michaela Trierweiler

Submitted at

Department of Business Informatics – Information Engineering

Supervisor

Assoz. Univ.-Prof. Mag. Dr. René Riedl

July 2019

EVALUATION THE USE OF BIG DATA ANALYTICS TO FACILITATE COMPLIANCE AND FRAUD PREVENTION An empirical study about usefulness and usage of big data analytics to prevent occupational fraud in German speaking companies

Master Thesis to obtain the academic degree of

Master of Science (MSc) in the Master’s Program

Business Informatics

08. July 2019 Michaela K. Trierweiler 2/103

STATUTORY DECLARATION

I hereby declare that the thesis submitted is my own unaided work, that I have not used sources other than those indicated, and that all direct and indirect sources are acknowledged as references. This printed thesis is identical to the electronic version submitted. Utting am Ammersee, 08.07.2019 Signature, Michaela Trierweiler

NOTE

This work contains parts in the German language where the content relates to directly cited references such as laws and figures, and where the empirical part is described, in order to present the terms used in the online survey without any bias. Headlines and terms within the result charts are given with bilingual descriptions in German and English where the terms are not common in both languages. This makes it possible to use the same figures regardless of a reader's language and to keep only one version of them for the sake of consistency.


ABSTRACT

Motivation and Problem Statement: In the context of increasing digitalization and the worldwide increasing number of cases of occupational fraud, in combination with internet crime, this master's thesis evaluates and discusses how big data analytics methods are used to minimize the risk of losses by preventing fraud and ensuring compliance with appropriate countermeasures. Approach: Aiming at practical insights, the evaluation of the usefulness of big data analytics for compliance and fraud prevention was conducted as a multi-step empirical study. It started with expert interviews, combined their results with aspects found in the literature and with the author's own experience, and led to an online survey distributed among companies in the German-speaking area. The main participants were managing directors, compliance or fraud managers, or came from information technology-related departments. In total, 75% of the respondents came from research-relevant functions. Results: This study shows that information technology-based and analytical fraud prevention and detection measures are less widely distributed than traditional human-related or organizational measures and activities. Even small and medium enterprises can benefit from big data analytics as a countermeasure, and some small enterprises are already using big data techniques in the area of fraud risk management. However, significant skepticism about the value of big data methods for preventing fraud is recognizable, and there is uncertainty about a company's capability to cope with big data analytics. The three most common obstacles to using big data techniques are limited information technology resources, the need for highly specific knowledge the company cannot afford, and the high complexity of implementation and daily usage.
Classical and established technical countermeasures such as access restrictions and regular software updates are viewed as more suitable and practicable for the companies' risk and fraud management. Conclusions: Big data analytics, as part of information technology-based anti-fraud mechanisms, needs to be embedded within the governance, risk, and compliance strategy of a company. It is part of a mixture of different mechanisms and concepts comprising technical, organizational, and people-related fraud prevention countermeasures and activities. The outcome of this research contributes to the future development of an anti-fraud framework in further research projects by providing insights from practitioners as a first-hand information base. Keywords: Big data, fraud prevention, compliance, corporate governance, analytics, IT security, anti-fraud management, MTO, GRC


Glossary

2FA: two-factor authentication
ACFE: Association of Certified Fraud Examiners; www.acfe.com
aka: also known as
AI: artificial intelligence
AT: ISO country code for Austria
B2B: business-to-business: business relationships with other companies
B2C: business-to-consumer: business relationships with private persons
BDA: big data analytics
BI: business intelligence
Bitkom: Bundesverband Informationswirtschaft, Telekommunikation und neue Medien e. V.; www.bitkom.org
ca.: circa, approximately
CH: ISO country code for Switzerland
CIO: chief information officer
CISO: chief information security officer
COBIT: Control Objectives for Information and Related Technology: international framework for IT governance
COSO: The Committee of Sponsoring Organizations of the Treadway Commission
DACH: a common acronym for Germany–Austria–Switzerland
DE: ISO country code for Germany
DICO e.V.: German Institution of Compliance/Deutsches Institut für Compliance e.V.; www.dico-ev.de
DOA: delegation of authority
(EU-)GDPR: The European General Data Protection Regulation (applicable since May 25th, 2018)
E&Y: Ernst & Young (auditing firm)
ERM: enterprise risk management
ERP: enterprise resource planning systems
EUR: Euro (currency)
FDA: forensic data analytics
GRC: governance, risk, and compliance
I-1, I-2, I-3: acronyms for the expert interview partners
ICS | IKS: internal control system | Internes Kontrollsystem
IIA Austria: Austrian Institution for Internal Revision/Institut für Interne Revision Österreich; https://www.internerevision.at
IOT: internet of things
IP: internet protocol
KDD: knowledge discovery in databases: a basic principle for extracting information from existing data, as described by Kononenko et al. in 2007
KPI: key performance indicator
KPMG: KPMG (auditing firm)
M&A: merger and acquisition (process)
Mio.: million
MTO: man–technology–organization (based on the MTO concept of Strohm and Ulich)
NPO: non-profit organization
PDF: portable document format
PIR: personal information record (related to GDPR)
PwC: PricewaterhouseCoopers (auditing firm)
ROI: return on investment
RQ: research question
SAP/SAP HANA: brands of SAP corporation, an ERP software developer
SIU: Special Investigation Unit
SLR: systematic literature review (based on the concepts of Kitchenham et al.)
SME: small and medium enterprises
SOX: compliance rules according to the Sarbanes-Oxley Act of 2002: relevant and obligatory for stock-listed companies in the United States
URL: uniform resource locator


TABLE OF CONTENTS

Glossary  4
1. Problem Definition and Theoretical Background  8
1.1 Introduction  8
1.2 Problem Definition and Validation  9
1.2.1 Context and Motivation  9
1.2.2 Scope of the Research and Use of the MTO Concept  10
1.2.3 Fraud Theory: Types and Dimensions of Occupational Fraud  11
1.2.4 Anti-Fraud Management  16
1.2.5 Definition of BDA in the Context of this Research  18
1.2.6 Fraud Prevention with Big Data  21
1.3 Aim and Research Questions  23
2 Methodology  24
2.1 Research Process – Mixed Method Approach  24
2.2 Use of Terms  25
2.3 Methods of Data Collection and Analysis  26
2.3.1 Questioning Techniques  26
Interview  26
Questionnaire/Survey  27
2.3.2 Analytical Methods  30
Qualitative Content Analysis  30
Quantitative Content Analysis  31
2.4 Literature Research  33
2.5 Realization of Preliminary Study – Expert Interviews  34
2.6 Realization of Online Survey – Quantitative Research  36
3 Results  39
3.1 Results of the Pre-Study and Implications for This Research  39
3.2 Results of the Online Survey: Summary and Highlights  41
3.2.1 Summary and Highlights: Participant Structure  42
3.2.2 Summary and Highlights: Fraud Management Status  43
3.2.3 Summary and Highlights: Use of Big Data  46
4 Discussion  49
4.1 Answer to Research Question 1: Summary of Established Fraud Prevention Mechanisms and Activities  49
4.2 Answer to Research Question 2: The Value of Big Data for Fraud Prevention and Compliance Mechanisms  52
4.3 Answer to Research Question 3: Carryover to SMEs  57
4.4 Big Data in the Context of an MTO-Based Anti-Fraud Framework  57
4.5 Conclusion and Further Implications  58
5 Summary  60
6 List of Tables  63
7 List of Figures  63
8 References  64
9 Appendices  71
9.1 Design and Structure of the Online Questionnaire  71
9.2 Online Survey, Examples of Addressing Potential Participants  82
9.3 Literature Search Strategy  84
9.4 Full Set of Result Charts of the Online Survey  85
9.4.1 Module 1: Demographics of the Participants  85
9.4.2 Module 2: Questions about Fraud Status and Fraud Prevention  89
9.4.3 Module 3: Questions about the Use of Big Data Analytics  96
9.4.4 Module 4: Personal Opinions on Some Critical Statements  103


1. Problem Definition and Theoretical Background

1.1 Introduction

Compliant and ethical behavior should be natural in human and business interactions and therefore implicit in corporate structures and organizations as well. However, increasing, or at least more frequently detected, cases of occupational misbehavior such as bribery, corruption, accounting fraud, credit card fraud, phishing, malware, and hacking attacks, paired with identity fraud [1] [2] [3] [4], suggest the opposite. New technology-based business models, such as brokerage services, are conducted remotely, often as cross-border transactions, and thus are becoming more anonymous. Verifying someone's identity and trustworthiness is becoming more and more difficult. For instance, psychological barriers to committing fraud are lowered by the spatial distance involved in using internet shops and e-commerce platforms [5]. This development enables new kinds of technology-based fraud and forces organizations to adapt and upgrade their countermeasures.

In the private arena, people present more and more personal details on social media platforms, e.g. by registering profiles on various online platforms, by asking search engines for information, and by storing private data in cloud services rather than locally. In consequence, people expose more and more of their behavior, attitudes, and preferences to the public and allow these data to be captured and stored in large databases on internet or cloud platforms.

Analytical methods for dealing with large amounts of data have developed during the last few years, as data are assumed to be the new gold mine. Big data analytics (BDA) has reached a certain maturity, and plenty of analytical software is available. According to some recent studies and symposiums, BDA, often in the sense of predictive analytics, is mostly used for sales prediction and customer behavior analysis to fine-tune marketing strategy and invent new products and services [6] [7] [8], or for other traditional business decisions by increasing the transparency of existing data [9]; in short, to earn money with it. But BDA is rarely implemented for risk management purposes [7] [9] [10]. Other fields of use are predictive maintenance for optimized machine servicing, better synchronization of logistics, and securing higher quality in production processes [11].

However, it may also be possible to use BDA not to earn money but to prevent the loss of money. For instance, Heißner and Benecke argue that intelligent big data technology used by experienced analysts is already capable of predicting a crime together with its likelihood, the affected company division, and the place and time at which it is to happen [12]. Fraud data analytics could even help to identify fraudulent billing schemes committed via shell companies [13], to identify mobile phone fraud and identity theft [14], or to detect click fraud [15].

Establishing information technology (IT)-based anti-fraud mechanisms is an investment a company must make, and if it works, the leverage can be large: any money not lost does not need to be earned with other customers. Nor should one ignore the damage to a company's image and reliability once a fraud or hacking attack has become known to the public.

Obviously, there are hotspots of fraud such as credit card fraud [16] and the banking sector, where BDA techniques [14] are established to help prevent fraud or at least detect a fraud attempt as early as possible. But how is big data used in other areas of business? How useful is BDA perceived to be, and how far is it already implemented in different types of companies? How far is BDA established to prevent fraud, and what other measures and anti-fraud activities are implemented in the German-speaking business environment?

This thesis addresses these questions by conducting an empirical study. The next sections provide more details on the context and motivation, the aim of this research, its scope, and the research questions. For readers not familiar with anti-fraud management, they provide some definitions, sum up the main concepts, and define BDA in the context of this research. The further parts of this thesis treat the research methods used, describe their application in this study, and present and discuss the results. Finally, a conclusion and an outlook for future research are provided.

1.2 Problem Definition and Validation

This chapter provides details on the context and motivation and explains the theoretical backgrounds on fraud theory and BDA that are relevant to this research.

1.2.1 Context and Motivation

The topic of IT-based anti-fraud measures and more analytical approaches has gained attention in the past few years. Earlier literature about fraud prevention often came from Anglo-American experts with long-term practical experience. These textbooks mostly concentrate on explaining some dedicated analytics methods or on special fraud types connected to the banking sector or the financial accounting area. This is not surprising, because occupational fraud mostly originates in accounting departments [17], and it was from the beginning investigated by financial accountants in sensitive business functions, in order to ensure correct tax payments to the government. Thus, well-known auditing firms1 have been engaged here for a long time and are increasing their business efforts in forensic and fraud detection services as a field of additional consultancy. In parallel, more and more companies are installing functions such as compliance officers and fraud prevention managers to deal with these threats, to ensure ethical business standards, and to follow legal authorities' requests to install such functions. People working in these capacities can exchange knowledge within certain circles and associations such as the German Institution for Compliance (DICO e.V.), the Austrian Institution for Internal Revision (IIA Austria), and the Association of Certified Fraud Examiners (ACFE). The ACFE has defined some standards regarding types of occupational fraud and how to deal with them.

In the present day, dealing with occupational fraud has become a much wider field than just looking into accounting fraud, bribery, or corruption, because of the constantly increasing technology-based fraud attacks such as credit card fraud and phishing attacks using identity theft and social engineering methods. Digitalization creates new opportunities but also introduces new risks related to data protection, data privacy compliance, and cyber breaches [18]. Companies need to arm themselves against more technologically skilled fraudsters and e-crime attacks. Small and medium enterprises (SMEs) with specialized knowledge are interesting to hackers because they are assumed not to be armed like larger companies [19]. According to the ACFE Report to the Nations 2016, this gap in fraud prevention and detection leaves small companies unprotected and at a high risk of significant damage to their limited resources [17].

1 Ernst & Young (E&Y), KPMG, PricewaterhouseCoopers (PwC), and Deloitte

If BDA is viewed as part of IT-based anti-fraud mechanisms, it needs to be embedded within and connected to IT security and compliance efforts. Looking at use cases for companies' investments in digitalization, an interview-based study from 2017 indicates, with mentions by more than 50% of the interviewees, significant interest in investments in security reporting and incident management, internet of things (IOT) security of cyber-physical systems, and early warning systems and intrusion detection [20]. However, a KPMG study from 2016 indicates that this opportunity is not well noticed or used by companies, as only 3% of all fraud detections resulted from technical or analytical methods [10]. During my professional career, I came into contact with certain fraud prevention techniques several times and experienced the usefulness of such measures. However, I also recognized that most of them were organizational rather than technical countermeasures.

The reasons why companies are not very interested in using technology or analytical methods to prevent fraud may include the complexity, the specific skills required, the questionable return on investment (ROI) [21], not enough pain (seeing themselves as not at risk), an underestimation of the situation and lack of awareness of legal consequences, or simply having enough other countermeasures already in place. Therefore, these reasons are one aspect discussed in this research. Another question connected to the situation is that different fraud types might require different countermeasures, and BDA in particular might only be useful in certain cases or certain industry segments.

1.2.2 Scope of the Research and Use of the MTO Concept

This thesis discusses the state of implementation of IT-based anti-fraud systems, especially those using BDA techniques, among German-speaking companies and organizations of different sizes and industry sectors. Anti-fraud management is part of compliance management; therefore, these terms are used synonymously in some parts of this work.

Companies must avoid fraud and work according to certain compliance standards, for instance the Sarbanes-Oxley Act of 2002 (SOX). In Austria and Germany, fraud is a criminal offense punishable by imprisonment or a fine. When using data to find a fraudster, the analysis might encounter personal information. This leads to the need to consider data privacy regulations such as the European General Data Protection Regulation (EU-GDPR) or to involve workers' councils [22] [23]. However, discussing these different legal aspects would go far beyond the scope of this research and was therefore left out. In practice, organizations must design procedures and governance structures so that they act in legal compliance when searching and analyzing data [24].

When establishing a powerful anti-fraud management system, a company must consider different aspects related to project management, stakeholder management, risk analysis, segregation of duties, and education. Besides these soft factors of organizational and human-related nature, a comprehensive anti-fraud management system is now also connected to IT security and data analytics aspects. This combination of soft factors and IT-related factors leads to my view that an anti-fraud management system is a sociotechnical system in the sense of Strohm and Ulich's [25] man–technology–organization (MTO) concept, because optimizing anti-fraud management concepts in an enterprise means a joint optimization of the application of technology, the organization, and the people working there. Therefore, when this research touches on the different types of fraud prevention measures established in an organization, the MTO concept is used for classification and better understanding, both for the participants in the empirical part of this research and for the readers of this thesis. This classification is mentioned in the text and indicated in the relevant result figures with a small thumbnail consisting of a triangle representing the three MTO dimensions. This research does not discuss or evaluate the reasons and motivations for people to commit fraud; these are given as background information in the theory part of this thesis.

1.2.3 Fraud Theory: Types and Dimensions of Occupational Fraud

This section provides a short introduction to occupational fraud and describes the main aspects by giving some definitions and explaining the main types of fraud and what facilitates a fraudulent action.

Legally, fraud is part of the white-collar crime area, and its main elements are intent, deception, and damage to another party in the sense of financial loss. For example, §263 of the German Strafgesetzbuch defines fraud as follows, extends this offense in §263a to computer fraud committed by manipulating data processing [26], and mentions some specific fraud types in subsequent sections:

“Wer in der Absicht, sich oder einem Dritten einen rechtswidrigen Vermögensvorteil zu verschaffen, das Vermögen eines anderen dadurch beschädigt, daß er durch Vorspiegelung falscher oder durch Entstellung oder Unterdrückung wahrer Tatsachen einen Irrtum erregt oder unterhält, wird mit Freiheitsstrafe bis zu fünf Jahren oder mit Geldstrafe bestraft.” [27]

(Translation: “Whoever, with the intent of obtaining an unlawful pecuniary benefit for himself or a third party, damages the property of another by causing or maintaining an error through the pretense of false facts or the distortion or suppression of true facts, shall be punished with imprisonment of up to five years or a fine.”)

The Austrian Strafgesetzbuch defines fraud similarly in §146, as shown below. It regulates several grades of severity in §147 ff. and specifically addresses fraudulent misuse of data processing in §148a:

“Wer mit dem Vorsatz, durch das Verhalten des Getäuschten sich oder einen Dritten unrechtmäßig zu bereichern, jemanden durch Täuschung über Tatsachen zu einer Handlung, Duldung oder Unterlassung verleitet, die diesen oder einen anderen am Vermögen schädigt, ist mit Freiheitsstrafe bis zu sechs Monaten oder mit Geldstrafe bis zu 360 Tagessätzen zu bestrafen.” [28]

(Translation: “Whoever, with the intent of unlawfully enriching himself or a third party through the conduct of the deceived person, induces someone by deception about facts to an act, acquiescence, or omission that damages the property of that person or another, shall be punished with imprisonment of up to six months or a fine of up to 360 daily rates.”)

The range of white-collar crime is wide and includes offenses that harm a company directly, such as stealing paper or paying too much salary, as well as offenses that look good for a company at first glance, such as corruption to win a large profitable deal [29]. For a better differentiation of the different kinds of fraud in business contexts, Joseph T. Wells, founder of the ACFE, developed in 2007 a classification system for occupational fraud, informally known as the “fraud tree”, that covers most kinds of misconduct by executives, managers, and employees of organizations [30]. This tree model was refined over the years and is now viewed as one of the state-of-the-art definition concepts. Common to all versions is the split into three main types: corruption, asset misappropriation, and financial statement fraud (aka accounting fraud). Figure 1 shows the current taxonomy tree available on the ACFE's webpage.

All these types of fraud can be summarized under the definition of non-compliant behavior, meaning behavior that is corporately and socially inappropriate and therefore undesired because it harms a company [29] or an individual. This generic perception that fraud equals deviant behavior gives a first indication of what fraud analytics must focus on: computing and finding behavior and patterns that do not match existing, defined standards.


Figure 1 – ACFE Fraud Tree - Occupational Fraud and Abuse Classification System [31]

When examining the facilitators of fraud, Cressey came to the conclusion that three critical elements must come together: incentive/pressure, opportunity, and attitude/rationalization [30]. Incentive and pressure are indicators of one's personal motivation to commit fraud, while opportunity describes the circumstances that facilitate fraud attempts. Attitude is connected to personal integrity and ethical behavior, while rationalization means how a fraudster justifies his misbehavior. Cressey developed a framework commonly known as the fraud triangle, as shown in Figure 2.


Figure 2 – The Fraud Triangle [30, p. 276]

This concept was further developed by Wolfe and Hermanson [32] and supplemented with a fourth dimension: capability. Hence, the framework changed its shape and is now commonly known as the fraud diamond, shown in Figure 3. In particular, capability (intelligence, creativity, and experience [30] [32]) in the sense of technical and computational skills is relevant when thinking about e-crime and IT-based fraud.

A similar concept to the fraud triangle is the fraud scale (see Figure 4) developed by Albrecht et al. It illustrates the relations between the three fraud dimensions and what intensity (high-low) is required in a particular situation to let one commit a fraud [30].

Similar to preventing or extinguishing a fire by removing oxygen, heat, or flammable material, one must eliminate or at least minimize one of the four dimensions to prevent fraud attempts. Henselmann [30] has stated that fraud fighters mostly concentrate on eliminating the opportunity, because this seems the easiest in that it can be achieved by establishing certain internal controls and effective risk management policies, but they should also consider incentive and attitude.

There are other fraud theories discussed in the literature, but they just cover a certain view concerning what promotes fraud attempts or could be seen as integrated into the fraud diamond. Thus, they are not explained further here.


Figure 3 – The Fraud Diamond [30, p. 279]

Figure 4 – The Fraud Scale [30, p. 280]


These major concepts of fraud theory describe from an abstract point of view what kinds of countermeasures are relevant and useful to minimize fraud and promote ethical behavior.

For instance, the banking and insurance sector is already full of IT-based anti-fraud mechanisms embedded in a holistic governance, risk, and compliance (GRC) concept to minimize risks. If the IT-based risk assessment is combined with fraud detection research and analytical tools, the threat analysis can be enriched with real key figures, and the effectiveness of IT-based anti-fraud controls can be evaluated automatically and continuously fine-tuned [33].

Fraud can be executed internally, externally, or in collaboration. Figure 5 provides an example of internal and external fraud detection streams in the banking sector. It reduces the opportunity to commit fraud because a strong control component is active, realized by a real-time warning system [33]:

§ On the left side – internal fraud attempt: An employee does a balance inquiry from a non-active customer account > The employee looks for the age of this customer > The employee changes the address and contact details > The system generates a first warning > The employee transfers money from this bank account > The system generates an alert and attempt is stopped

§ On the right side – extern fraud attempt: A user makes a money withdrawal from a cash-point machine > The same user makes another money withdrawal at a second cash terminal > The system generates a first warning > The user makes a third attempt at a money withdrawal > The system generates an alert and attempt is stopped > The user’s cash card is disabled, and no further withdrawals are possible

Figure 5 – Fraud Prevention in Real Time – Example from Banking Sector [33, p. 143]
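The two escalation chains above, as an added worked example (this is not code from the thesis or from [33]): a small stateful rule engine in Python that replays constructed event sequences per subject (an employee or a cash card) and escalates from a first warning to an alert that stops the transaction or disables the card. The event type names, the dormant-account flag, the 10-minute withdrawal window and the blocking action are assumptions made for the illustration.

```python
"""Stateful real-time warning/alert rules for the two fraud streams above.

Added example, not from the thesis or from [33]. Event kinds, thresholds
and the blocking behaviour are assumptions for the illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    ts: int            # seconds (constructed timestamps)
    subject: str       # employee id (internal stream) or card id (external)
    kind: str          # balance_inquiry | age_lookup | contact_change | transfer | cash_withdrawal
    account: str = ""  # customer account touched by an employee
    dormant: bool = False  # assumption: core system marks non-active accounts


@dataclass
class Decision:
    level: str         # OK | WARNING | ALERT
    reason: str
    action: str = "none"


@dataclass
class SubjectState:
    dormant_steps: dict = field(default_factory=lambda: defaultdict(set))  # account -> steps seen
    withdrawals: list = field(default_factory=list)                         # recent withdrawal timestamps
    blocked: bool = False


class RealTimeFraudMonitor:
    """Escalating rules; state is kept per subject so a warning can become an alert."""

    WITHDRAWAL_WINDOW_S = 600  # assumption: three withdrawals within 10 minutes

    def __init__(self):
        self.state = defaultdict(SubjectState)

    def process(self, ev: Event) -> Decision:
        st = self.state[ev.subject]
        if st.blocked:
            return Decision("ALERT", "subject already blocked", "reject")
        if ev.kind in ("balance_inquiry", "age_lookup", "contact_change", "transfer"):
            return self._internal(ev, st)
        if ev.kind == "cash_withdrawal":
            return self._external(ev, st)
        return Decision("OK", "unmonitored event type")

    def _internal(self, ev: Event, st: SubjectState) -> Decision:
        # Left stream: inquiry -> age lookup -> contact change (warning) -> transfer (alert)
        if not ev.dormant:
            return Decision("OK", "active account, no sequence tracking")
        steps = st.dormant_steps[ev.account]
        steps.add(ev.kind)
        if ev.kind == "contact_change" and {"balance_inquiry", "age_lookup"} <= steps:
            return Decision("WARNING", "contact data changed on dormant account after lookups")
        if ev.kind == "transfer" and "contact_change" in steps:
            st.blocked = True
            return Decision("ALERT", "transfer from dormant account after contact change", "stop_transaction")
        return Decision("OK", "step recorded")

    def _external(self, ev: Event, st: SubjectState) -> Decision:
        # Right stream: 2nd withdrawal in window -> warning, 3rd -> alert and card disabled
        st.withdrawals = [t for t in st.withdrawals if ev.ts - t <= self.WITHDRAWAL_WINDOW_S]
        st.withdrawals.append(ev.ts)
        count = len(st.withdrawals)
        if count == 2:
            return Decision("WARNING", "second withdrawal within window")
        if count >= 3:
            st.blocked = True
            return Decision("ALERT", "third withdrawal within window", "disable_card")
        return Decision("OK", "first withdrawal in window")


def replay(events):
    """Run a fresh monitor over an event list and return the decision levels."""
    monitor = RealTimeFraudMonitor()
    return [monitor.process(e).level for e in events]


# Constructed sample streams (not real data)
INTERNAL_STREAM = [
    Event(1, "emp-17", "balance_inquiry", "acc-900", dormant=True),
    Event(2, "emp-17", "age_lookup", "acc-900", dormant=True),
    Event(3, "emp-17", "contact_change", "acc-900", dormant=True),
    Event(4, "emp-17", "transfer", "acc-900", dormant=True),
]
EXTERNAL_STREAM = [
    Event(100, "card-42", "cash_withdrawal"),
    Event(160, "card-42", "cash_withdrawal"),
    Event(220, "card-42", "cash_withdrawal"),
    Event(230, "card-42", "cash_withdrawal"),  # card already disabled, rejected
]

if __name__ == "__main__":
    print(replay(INTERNAL_STREAM))  # ['OK', 'OK', 'WARNING', 'ALERT']
    print(replay(EXTERNAL_STREAM))  # ['OK', 'WARNING', 'ALERT', 'ALERT']
```

The point of keeping state per subject is that none of the single events is suspicious on its own; only the sequence on a dormant account, or the repetition within a short window, justifies stopping the transaction. A production system would persist this state outside the process and let a case handler release or reject the held transaction.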

The interaction and relation of the four dimensions of the fraud diamond already indicate the complexity of fraud prevention. This raises the need for collaboration between different departments within an enterprise and the need to use different types of mechanisms to establish an effectively working fraud-prevention system. Therefore, a successful anti-fraud management system is a combination of people-related, technology-related, and organization-related (MTO) items whose characteristics are individually tailored to a company's size, structure, and industry sector. Some major concepts for anti-fraud management systems are described in the next section.


1.2.4 Anti-Fraud Management

Although management and every employee are responsible for compliant and ethical behavior on an individual level, there are some basic concepts for corporate anti-fraud management systems, and these concepts are described in this section.

Basically, effective anti-fraud management is relevant for every organization for three primary reasons:

• To act according to current legal standards

• To avoid direct financial loss

• To avoid indirect financial loss via bad publicity and loss of confidence from suppliers and customers

Different functions and departments within an organization can be responsible for anti-fraud management and for continuously developing this system, including compliance managers, fraud officers, risk management, IT security, corporate governance, internal audit, and forensic departments [34] [23]. A working fraud management framework should be integrated into the GRC framework of an organization, but with a specific viewpoint: controls are derived from the examined risks in order to avoid malicious or fraudulent acts. These controls are implemented within the scope of operational fraud management [35] [36]. Fraud management consists of all measures that help to prevent, detect, and investigate fraud. Therefore, fraud management has a preventive component as well as proactive and reactive components and is integrated into a company's compliance management structure [37].

Hofmann [38], for instance, has developed a framework to prevent fraud based on the KPMG three-layer model. The three layers, shown in Figure 6, consist of the inter-company level, the intra-company relations, and the political-legal environment. In his work, Hofmann has focused only on the intra-company part, meaning the establishment of organizational countermeasures and cultural and ethical standards, and on the political-legal situation. However, he has also stated that anti-fraud strategies are located at the interface between the five disciplines of business administration, jurisprudence, ethics, psychology, and sociology. According to Hofmann, it is key to integrate fraud management into the corporate risk management structure, to register the individual fraud risks by probability and potential damage, and to classify them, for instance, by structure, staff, and style.

Besides all of these organizational and soft countermeasures, an effective fraud-prevention program is supported by software tools in order to detect fraudulent actions and even recognize them in advance to prevent them, especially when thinking about the inter-company level and about digital and automated business transactions and relations. Embedded real-time components enable short reaction times combined with the information needed for a high-quality decision. The goal is to target fraudulent activities with high damage potential. However, IT-based fraud detection must be directly connected to the business processes; otherwise, a detection engine would not deliver the right suspect items to investigate [33].

The real-time fraud prevention example from above illustrates one major concept of a fraud countermeasure: warning signal analysis (e.g., red flag analysis or matching against blacklists). When using this analytical method, predefined risk factors and standards such as thresholds, blacklisted accounts, embargo lists, etc. are determined. Those datasets that match these predefined factors or show a certain deviation from the standard are marked with a red flag to indicate the need for further investigation. Based on these flags, appropriate samples are collected [23]. This kind of IT-based fraud prevention is already common in the banking sector and allows for monitoring of currently running financial transactions, including stopping a suspicious transaction so that it can be checked and then released or rejected [39] [40]. If a certain pattern within the analyzed data needs to be identified that is more complex than a comparison against a predefined filter, hypothesis testing methods are suitable [23].
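The red flag analysis described in this paragraph, as an added worked example (this is not code from the thesis or from [23], [39] or [40]): each transaction of a constructed batch is matched against predefined factors (a counterparty blacklist, an embargo list, an amount threshold, and deviation from the customer's historical amounts), collects red flags and a simple IF-THEN fraud score, and only flagged records form the sample for investigation; records above a hold score are stopped for check and release or rejection. The list contents, thresholds, weights and field names are assumptions made for the illustration.

```python
"""Warning-signal (red flag) analysis over a batch of transactions.

Added example, not from the thesis or its sources. Blacklist, embargo
list, threshold, z-score limit and weights are assumptions.
"""
import statistics
from dataclasses import dataclass, field


@dataclass
class Txn:
    txn_id: str
    customer: str
    counterparty: str
    country: str
    amount: float


@dataclass
class Flagged:
    txn: Txn
    flags: list = field(default_factory=list)
    score: int = 0


class RedFlagAnalyzer:
    # red flag -> weight for a simple additive fraud score (assumed values)
    RULES = {
        "BLACKLISTED_COUNTERPARTY": 5,
        "EMBARGO_COUNTRY": 5,
        "OVER_THRESHOLD": 2,
        "AMOUNT_DEVIATION": 3,
    }

    def __init__(self, blacklist, embargo, threshold, z_limit=3.0, hold_score=5):
        self.blacklist = set(blacklist)
        self.embargo = set(embargo)
        self.threshold = threshold
        self.z_limit = z_limit        # "deviation from the standard" as a z-score
        self.hold_score = hold_score  # at or above: stop the transaction for a check

    @staticmethod
    def _baseline(history):
        """Per-customer mean and population stdev of past amounts (>= 2 points)."""
        base = {}
        for customer, amounts in history.items():
            if len(amounts) >= 2:
                base[customer] = (statistics.mean(amounts), statistics.pstdev(amounts))
        return base

    def analyze(self, txns, history):
        """Return only the records that received at least one red flag."""
        base = self._baseline(history)
        flagged = []
        for t in txns:
            f = Flagged(t)
            if t.counterparty in self.blacklist:
                f.flags.append("BLACKLISTED_COUNTERPARTY")
            if t.country in self.embargo:
                f.flags.append("EMBARGO_COUNTRY")
            if t.amount > self.threshold:
                f.flags.append("OVER_THRESHOLD")
            mu_sd = base.get(t.customer)
            if mu_sd and mu_sd[1] > 0 and abs(t.amount - mu_sd[0]) / mu_sd[1] > self.z_limit:
                f.flags.append("AMOUNT_DEVIATION")
            f.score = sum(self.RULES[x] for x in f.flags)
            if f.flags:
                flagged.append(f)
        return flagged

    def disposition(self, f: Flagged) -> str:
        """HOLD stops the transaction until released or rejected; REVIEW samples it."""
        return "HOLD" if f.score >= self.hold_score else "REVIEW"


# Constructed sample data (not real transactions)
HISTORY = {"cust-A": [120, 130, 110, 125, 115], "cust-B": [5000, 5200]}
TXNS = [
    Txn("t1", "cust-A", "vendor-ok", "AT", 118.0),     # normal, no flag
    Txn("t2", "cust-A", "vendor-ok", "AT", 900.0),     # far from baseline
    Txn("t3", "cust-B", "shell-co", "DE", 5100.0),     # blacklisted counterparty
    Txn("t4", "cust-B", "vendor-ok", "KP", 20000.0),   # embargo + threshold + deviation
]
ANALYZER = RedFlagAnalyzer(blacklist=["shell-co"], embargo=["KP"], threshold=10000)


def run_sample():
    """Map txn_id -> (sorted flags, score, disposition) for flagged records only."""
    return {f.txn.txn_id: (sorted(f.flags), f.score, ANALYZER.disposition(f))
            for f in ANALYZER.analyze(TXNS, HISTORY)}


if __name__ == "__main__":
    for txn_id, result in run_sample().items():
        print(txn_id, result)
```

Note that the unflagged record t1 never reaches the investigators, which is exactly the purpose of the method: the red flags select the sample. The z-score baseline built from two historical values for cust-B is intentionally thin; a production system would require a longer history before treating a deviation as a flag, otherwise the deviation rule alone produces many false positives.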

Figure 6 – Three Layer Model of Anti-Fraud-Management [38, p. 54]

An example of a technical, more operational fraud management framework is the enterprise resource planning (ERP)-related framework from SAP based on the HANA technology, as shown in Figure 7. SAP HANA acts as a corporate-wide repository for all fraud-relevant objects that need to be investigated. The data from different and heterogeneous (SAP-based and non-SAP) sources are replicated and consolidated there in a fraud database via cyclic or event-based processes. In HANA, all data relevant to an analysis (e.g., a pattern or predictive analysis) are combined from the different tables to create uniform views on the objects. Results from an analysis indicating fraudulent activity create alerts to be reviewed by a case management team. For continuous improvement, findings from these investigated fraud cases are then fed back into the internal control system (ICS/IKS) and added as new classifications to the fraud database.


Figure 7 – Fraud Management Framework Based on SAP HANA [35, p. 52]

As described above, anti-fraud management is not a standalone discipline and should be developed in the context of each company’s business model. Furthermore, it is embedded in the context of compliance rules including training, awareness building, and internal auditing. It is part of a company’s internal risk management and corporate governance structures and is related to IT, IT security aspects, and data analytics methods. Therefore, the next section explains how BDA is used and viewed in the context of this research.

1.2.5 Definition of BDA in the Context of this Research

Basically, big data is related to large sets of complex data on which traditional processing techniques and/or algorithms are unable to operate. It aims to find hidden patterns and has led to a development from a model-driven science paradigm to a data-driven science paradigm [41]. On the one hand, big data accumulates different, already existing analytical streams like data mining, business intelligence (BI), transactional analysis, click-stream analysis, or the exploitation of sensor-produced data. On the other hand, it adds some new characteristics, because more aspects than the pure quantity of data need to be considered when talking about BDA. Common to all strategic considerations related to big data is the requirement to select the right data from internal and external data sources, to be able to analyze them efficiently and quickly, and to give advice to the dedicated business requestor in an organization [42]. Transferred to anti-fraud big data analytics, this means finding the right anomalies instead of producing hundreds of false-positive events that could hardly be handled [22] [34].

To differentiate between big data and BI or data mining, big data has commonly been characterized by three "Vs": volume (the pure amount of data), velocity (the fast-moving and fast-incoming data), and variety (data coming from heterogeneous data sources). In 2013, Demchenko developed a more complete definition. He has described big data as having five "Vs" as properties (see Figure 8) and as being related to specific dimensions: new data models, new analytical methods, new infrastructure and tools, and new sources and targets of data [43]. Demchenko has extended Gartner's definition as follows [44, p. 106]:

“Big Data (Data Intensive) Technologies are targeting to process high-volume, high-velocity, high-variety data (sets/assets) to extract intended data value and ensure high-veracity of original data and obtained information that demand cost-effective, innovative forms of data and information processing (analytics) for enhanced insight, decision making, and processes control; all of those demand (should be supported by) new data models (supporting all data states and stages during the whole data lifecycle) and new infrastructure services and tools that allow obtaining (and processing) data from a variety of sources (including sensor networks) and delivering data in a variety of forms to different data and information consumers and devices.”

Figure 8 – The Five Vs of Big Data [43, p. 6]

Zacher from IDC has made similar arguments. He has stated that big data is neither a product nor a customer requirement but rather a concept and a procedure. Thus, big data collects different approaches and technologies with respect to data provision and data analysis offered by various suppliers [45], meaning visualization of data and correlations, automation of analytical processes, ad-hoc usage of heterogeneous data sources, as well as decision-support systems and predictive analytics methods [46].

Freiknecht has defined and compared BI, big data, and data mining by their behavior regarding the four aspects of data entry, data sources, data processing, and data output, as shown in Table 1, but has emphasized that a strict separation is more a theoretical distinction. In reality, the three complement each other [47]. Fels et al. have described big data as an evolutionary development out of BI in terms of both being decision-support systems. The integration results from the fact that big data techniques are able to use structured data like a BI solution does, meaning that big data is able to work with structured data that have previously been stored in a BI data warehouse. These data could be imported into the big data application, processed there, and exported into the data warehouse again [48].

Aspect | Business Intelligence | Big Data Analytics | Data Mining
Data entry | Structured, stored in data warehouse; huge volume of data | Unstructured; very large volume | Prepared, cleansed data
Data sources | ERP systems | HDFS, NoSQL, web requests, streams | Called from data warehouse
Data processing | Selection, conversion and transformation (KDD process); storing in data warehouse and processing via data mining | Map-Reduce, YARN, Spark, etc. | Cluster analysis, classification, filtering, association analysis
Data output | Presentation of data from various perspectives | Key-value pairs, raw data | Patterns and correlations; newly gained information that serves decision-making

Table 1: Comparison of Definitions of BI, Big Data, and Data Mining [47, p. 18]

In this research, BDA is considered a concept of tools and activities that are part of a corporate governance, compliance, and/or IT security strategy, and thus especially as part of the technical, IT-based fraud countermeasures and forensic investigations. Ernst & Young (E&Y) has defined the term forensic data analytics (FDA) as “the collection and analysis of all types of data with the objective to manage legal, compliance and fraud risks” [18, p. 4]. A software tool used for auditing needs to deliver clear, plausible, correct, true, and coherent answers in a specific context to eligible/legitimate questions regarding the sense and usage of data and information. All relevant electronic data must be captured in a particular context and analyzed in a critical and rational way [49].

Hence, I gave the following explanation to all participants in this empirical study as the relevant definition for anti-fraud BDA:

The use of big data for regular (daily or even real-time) analysis of electronic data of critical processes and areas in an enterprise by automated software tools that give warning signals (the answer) on defined abnormalities (the specific context) to look into an issue; the use and combination of different and heterogeneous data sources are of particular interest.

Moving one step further and analyzing patterns that are not predefined, anti-fraud BDA touches the areas of machine learning and artificial intelligence. However, neither machine learning nor artificial intelligence aspects were put to the interview partners, because these areas go far beyond the scope of this study.


1.2.6 Fraud Prevention with Big Data

According to the ACFE, the presence of anti-fraud controls is correlated with lower fraud losses and faster detection. Proactive data monitoring/analysis was in place in only approximately 37% of the investigated cases (the third lowest rate among the surveyed controls), yet it reduced the median loss by more than 50% (the second largest reduction) and shortened the time until a fraud was detected [17] [21]. This contrast between low adoption and high effect indicates that BDA could play an effective role in upcoming fraud detection and prevention initiatives. In most cases, fraud is discovered long after it took place, so currently the main use of analytical methods is to minimize the harm and to adjust the policies and rules so that a particular fraud cannot happen again [50] [35]. The main goal is to use big data analytical tools to analyze claims and transactions in real time, identifying large-scale patterns or detecting anomalous behavior of an individual user [50]. As part of a forensic process, FDA techniques in combination with human intelligence can help to better monitor, prevent, detect, investigate, and predict anomalies in daily business activities [18]. In that sense, anti-fraud BDA as an automated process can support continuous auditing [23], but it needs to investigate the full datasets that are available and legally allowed to be used. When using BDA or data mining techniques in anti-fraud systems, the most commonly used option is a transaction monitoring system: specialized software that applies "IF-THEN" filters or fraud scorings for real-time analytics but must also handle complex algorithms [51] or machine learning approaches.

During the literature search for this empirical study, some summarizing literature was found in the form of textbooks by practitioners, which gave a good overview and initial information. However, from a scientific point of view, it was necessary to find papers and primary studies about the concrete usage of big data techniques to support fraud prevention. I found two types of papers: some are about particular use cases of big data and algorithms in specific business areas or for dedicated applications, while others are more like SLRs and hence take a basic approach to summarizing existing methods. A selection from both groups was compiled to deepen the theoretical background and is presented in Table 2. The following term-based summary is structured by technique, the type of method mentioned, and the reference to the scientific source in which this big data method was discussed. The list is in alphabetical order for easier reading.

Big Data Analytics Technique | Type | Paper
(Artificial) neural networks | Machine learning, supervised (classification and regression) | [52] [53] [51] [54] [55] [56]
A/B testing | | [53]
Apriori algorithm | Data mining | [51]
Artificial immune systems | Machine learning, supervised (classification and regression) | [55]
Association rules | | [56]
AutoClass | Clustering and outlier detection | [54]
Bayesian (belief) networks | Machine learning, supervised (classification and regression) | [52] [55] [56]
Benford's law | Frequency testing | [57]
Break point analysis | Clustering and outlier detection | [55]
Cluster analysis or data segmentation | | [53] [56]
Data mining | | [53]
Decision trees | Machine learning, supervised (classification and regression) | [52] [51] [55] [56]
Evolutionary programming | | [51]
Fuzzy logic | | [51]
Genetic algorithms | | [53] [51] [56]
Gradient boosted trees | Machine learning | [58] [56]
Hadoop processing | Sequence mining | [51]
Hidden Markov model | Machine learning, supervised (classification and regression) | [52] [51] [55]
K-means clustering | Clustering and outlier detection | [55]
K-nearest neighbor | Machine learning, supervised (classification and regression) | [52] [51] [55]
Latent variable models | | [56]
Logistic regression / regularized regression | Machine learning, supervised (classification and regression) | [58] [55] [56]
Naïve Bayes | Machine learning, supervised (classification and regression) | [52] [51] [55] [56]
Natural language processing | | [53]
Outlier detection methods | Data mining | [55]
Peer group analysis | Clustering and outlier detection | [55]
Principal component analysis | | [53]
Random forest (trees) | Machine learning | [52] [58] [51] [54]
Regression analysis | | [51]
Rotation forest | | [54]
Self-organizing maps | Pattern matching, clustering, and outlier detection | [53] [54] [55]
Stacking-bagging technique | | [51]
Support vector machines | Machine learning, supervised (classification and regression) | [52] [51] [54] [55] [56]
Transaction monitoring systems | Data mining | [51]

Table 2: Composition of Big Data Techniques for Fraud Prevention Found in the Literature


These specific kinds of algorithms are known to very few people in an organization, such as data scientists, so this information was not used as the basis for designing the questionnaire for the intended target audience. With respect to future research, conducting a mapping study to cluster and describe the existing big data techniques is an option.

1.3 Aim and Research Questions

As described in the previous chapters, IT-based anti-fraud management is assumed to be complex and cost-intensive and therefore only manageable for large corporations. Smaller organizations might not see the value for their own businesses or may not have the structures to facilitate an IT-based anti-fraud system.

Furthermore, there are industries that face a higher risk of fraud than others, and these are technically better armed than other industries. However, fraud can affect any company negatively and cause damage.

This research wants to examine what countermeasures are installed to prevent fraud in different kinds of organizations and what role BDA plays here. In case big data is not used, this research is intended to determine the reasons for not using big data to prevent fraud and ensure compliance. Perhaps there are practices in some areas that could be transferred to other segments or sizes of companies. With the results and findings from this study, this research is intended to contribute to the development of an anti-fraud framework in future research projects.

Therefore, this study evaluates and discusses the current use and perception of usefulness of BDA methods to prevent fraud within German-speaking companies of different sizes and industry sectors by conducting an empirical study.

To determine what role BDA plays in that particular sense today, the following three research questions were defined:

RQ-1. Which countermeasures to prevent fraud are in place in different types of companies? Is there any proof that there are more technical and analytical anti-fraud measures in large companies than in SMEs, or is there even a focus in specific industry sectors?

RQ-2. What role does BDA play, and how common (distributed) is it currently? If it is not well distributed, why not? What are the reasons for not using BDA to prevent fraud?

RQ-3. If use cases are more common in large companies, are there benefits that could be carried over to SMEs?


2 Methodology

This chapter describes the stages of the research process and the terms, techniques, and concepts used. Furthermore, it provides the details of the literature review and the setup for the expert interviews and the online survey, and it explains assumptions and limitations.

2.1 Research Process – Mixed Method Approach

My intention was to research with a practical impact and insight view. Therefore, an empirical study questioning experts and practitioners covering that field in daily business seemed like the best approach to find out how much big data is already used in different organizations to support compliance and fraud prevention.

The research was set up as a mixed-method design following the sequential process of an exploratory design with the qualitative study at the beginning of the study. The quantitative study was given priority with respect to the research questions. Therefore, the expert interviews as the qualitative part worked as a preliminary study [59, p. 81f] for two reasons:

• First, to gain a better understanding of what will be relevant for the quantitative survey (more simply, to find the right questions). When thinking about the legal consequences of committing fraud, this study touches on a highly sensitive topic; thus, it was important to elaborate beforehand what kind of questions could not be asked or needed to be softened by asking for compliance violation instead. Otherwise, I would have risked obtaining no really valuable and reliable answers to some survey questions. This approach minimized the risk of gaps. The interviews helped to construct the main research instrument better [60].

• Second, to be able to conduct a more focused literature research and select the right papers, studies, and textbooks.

The next figure illustrates this staggered approach and mixed-method concept following the qual → QUANT principle [59, p. 81]:

Figure 9 – Multi-Step Research Design (Exploratory Design Following the qual → QUANT Principle)

I. Literature research: basic research about fraud prevention and big data; refine the literature research to find more fitting studies in a second review.

II. Qualitative analysis: run three to five interviews with experts from fraud-affected (large) enterprises to learn from their experience.

III. Quantitative analysis: develop and run the online survey; extract and analyze the results of valid participants.

IV. Conclusion: discuss the results in the context of other related research and conclude further implications.


The arrows show the sequence, but their parallelism indicates that the stages were not isolated; there were overlaps and iterations during the research process as well. To approach the topic, an initial generic literature search was performed. After that, a preliminary study with three guided interviews with experts from IT security and compliance was conducted to learn and capture the qualitative aspects of this research area directly from experienced practitioners. This helped to design and sharpen the focus of the main study and to select the best literature in a second, more systematic literature review. Based on the theoretical outcome and the feedback provided in the interviews, the main part of this work was designed as a questionnaire distributed as an online survey to German-speaking companies. This quantitative survey allowed for insight into the dissemination and use of big data for fraud prevention across different business areas and company sizes. Finally, the results were analyzed and discussed in the context of other related studies and research.

When combining qualitative and quantitative methods to gather data, a researcher must be careful when integrating the different answers, because both approaches use codes to structure the answers, but in different ways. In qualitative research, the codes are developed ad hoc from the existing data material. They are used to classify answers and to find text passages more quickly in order to compare and interpret them. In quantitative research, however, the codes represent countable facts [60]. This circumstance was addressed by using the predefined questions plus additional clusters of information derived from the guided interviews as codes. These codes were used as questions and answer options (= countable codes) for the online survey. For more details, see Appendix 9.1, where the questions for the survey, the answer options, and the references are provided.

2.2 Use of Terms

As seen in the previous theory sections, two wide and complex areas of interest – big data and fraud prevention – need to be linked. During the first literature review, I found some expressions used in parallel to describe similar concepts or measures. Therefore, I decided to use these for the second literature review and the selection of libraries as well.

In the context of this thesis, the following terms are used with equivalent meaning where the context allows:

• Fraud prevention | fraud detection | compliance | anti-fraud management

• BI | analytics | big data

Furthermore, these terms are used in parallel for more accommodating reading:

• Company | organization

• Questionnaire | (online) survey

• Expert interview | guided interview | semi-structured interview


2.3 Methods of Data Collection and Analysis

This section describes the theoretical backgrounds for the qualitative and quantitative research. It explains the chosen questioning techniques and why a specific method was used.

2.3.1 Questioning Techniques

When using questioning techniques, stakeholders are asked about dedicated subjects or specific requirements using oral or written words. If the individual can articulate these requirements properly, this is a valuable instrument for capturing someone's ideas, knowledge, or experience to get insights into a specific topic [61, p. 105]. For this research work, the methods of guided (semi-structured) interview and online survey were selected as a suitable combination of questioning techniques.

Interview

The interview is one of the open questioning techniques and is a well-proven method for gaining qualitative data. Qualitative data are written texts containing structured, non-randomized symbols (including pictures) [62]. To produce a text as the result of an interview, the interview needs to be recorded as video or audio, and a transcript needs to be made afterward to serve as a proper protocol [61]. An interview requires careful preparation: select the right interview partner, define how the interview is conducted (meaning face-to-face, written, or by telephone [63, p. 193]), and consider how far the interviewer may influence the interviewee via the degree of explanation and steering during the interview [62]. Most interviews require some kind of structure, which is provided by the interview questions. In semi-structured interviews, predefined questions and encouragement to answer provide the necessary guidance [62] [63]. In this case, the interview is classified by its method as a guided interview. If such a guided interview is conducted with a particular group of people who have specific knowledge important to the research, the interview is called an expert interview due to the dedicated target group [62]. Depending on the research focus, it may be necessary to have a specific target group with special expertise contribute. When focusing on capturing the experience, perceptions, ideas, and reflections of the interviewee concerning a certain research topic, the interview can be conducted as a problem-centered interview (in Anglo-American research referred to as a "semi-structured interview" [64, p. 465]). All of these are subtypes of the guided interview form [65] [62].

Once the question guidelines and the target group are defined, the interview partners must be identified and asked to participate. During the interview, a trusting and frank conversation climate is helpful, and legal aspects like privacy and anonymity must be agreed upon before starting the interview and making any recording [65].

The main criteria for a good guided interview structure are as follows [65] [64]:

• The guide must be clear and allow an overview

• The guide should focus on the specific topic and is adapted to this

• A natural speaking situation must be possible

• The guide should follow a certain logical structure and during the interview process shall steer but not restrict; allow open answers


A semi-structured interview should work as a tool that helps to capture the ideas of the interview partner. In the case of a problem-centered approach, the researcher, acting as interviewer, has familiarized himself or herself with the area of interest [64] and with potential answers in order to conduct the interview on a par with the interviewee and to lead the interview partner back to the topic after digressions, which the basically open structure of such an interview allows.

When preparing the questions for an interview, which are mostly open questions, a few aspects need to be considered, such as who the interviewee is, what his/her knowledge base is, and whether or not explanations of terms are necessary. It is important not to combine several topics in the same question and to point out what kind of answer is expected (e.g., a keyword or a single piece of information, a full list, or a narration). Furthermore, the importance of a question for the research should be highlighted to encourage the interviewee to answer [66].

Due to the fact that the researcher already has knowledge about the research topic and wants to examine and deepen his/her own expertise, semi-structured interviews are appropriate for pre-studies [64] and are used in that sense for this research (more details are described in Section 2.5).

Questionnaire/Survey

A survey is a highly structured questioning technique with predefined questions and answers in a defined order. Using standardized questions should allow a maximum degree of objectivity to be achieved and is the basis for the reliability and validity of the rating [67]. Such a questionnaire allows for a count of the given answers related to the quantitative aspects of one's research. These kinds of closed questions require a known spectrum of answer options. In contrast, open questions do not have any presetting; thus, they are not common in standardized surveys [67], because the analysis of the answers requires different techniques such as "Qualitative Content Analysis" according to Mayring. A mixture of both types is called a hybrid question, which has predefined answer options plus an "other" category with a field to enter free text [67]. In this study, closed and hybrid questions were used. The answer options were defined using feedback from the expert interviews and findings from the research literature.

Basically, five types of questions are distinguished according to their need for information: a) attitude; b) facts and knowledge; c) events, intentions, and behavior; d) socio-statistical attributes; and e) network questions [67]. The first three of these types were used in this research.

When asking for the respondent’s attitude toward a specific item, the answers are typically captured using a rating scale. Rating scales should follow some principles [68]:

• When using verbalized scales, the scale labels need to be completely written to be unique and precise at the same time; they must be symmetrical or balanced by having the same amount of positive and negative answer options with similar distances between them.

• When using a neutral or middle answer option, consider its position, because depending on the question's sensitivity or complexity, a real neutral answer could be given, or the option may just be used to avoid answering the question. Leaving out a middle category is not recommended, because otherwise the person is forced to give a false answer, which leads to bias or noise in the results.

• The use of direct rating scales (e.g., in the form of a Likert scale) is helpful when asking for a grade of acceptance, and such scales are easy to understand and count.

• The display format should be horizontal to minimize primacy effects, which are tendencies to select answer options from the first half of the selection list.


Facts and knowledge can be captured with preset answer options [67], and the survey participant selects the best fitting answer(s) out of these. In an online survey, a radio-button selection typically allows only one answer, whereas a checkbox allows the selection of multiple answers.

Asking about events and behavior requires two-step questioning, because they are related to an occurrence in the past. First, the prevalence question asks for a yes-no answer regarding whether or not a certain event has happened. In the case of a “yes” answer, the subsequent related questions are displayed to capture the incidence rates [67] from the answer options of these questions, which could also be questions regarding facts and knowledge.

The main principles for the structure of a survey questionnaire are [63, p. 228ff] [67] [69] as follows:

• Start with warm-up questions that are interesting and easy to answer in order to create a positive atmosphere and avoid pure “yes-no” answers

• Place the questions most important for the research in the first part after the warm-up phase or in the middle, where the respondent is still cognitively fit

• Place sensitive questions in the middle or towards the end in case a participant drops off, because the previous answers will still be kept

• Demographic questions should be placed at the end, when the attention span is low; placing them at the beginning as a warm-up is also fine

• Cluster topics and questions by content into modules; answering related questions in a row is user-friendly, enables respondents to focus, and avoids the irritation caused by hopping between topics

• Have a user-friendly layout and give clear instructions; be explanatory

• Create an appropriate landing page explaining the purpose of the survey and providing an introduction to the topic

• Use bridge passages between different modules to reduce complexity

• Thank the participants for their time and effort on the final page

Regarding the wording for a questionnaire, the research literature suggests the following [63, p. 231ff] [70] [71]:

• Use short and precise phrases as much as possible; if necessary, explain technical terms or give background information

• Do not use dialect speech, (double) negative phrasing, or ask two things in one question

• The answer options need to be as disjoint, complete, and precise as possible

• Avoid multidimensional answer options because of their complexity

• Use indirect questions rarely and only under particular conditions, such as when seeking sensitive answers that otherwise risk being skipped

• Do not use suggestive questions or make implicit assumptions

• Avoid hypothetical questions; they are too complex and require too much intellectual effort

• The answer options need to be in a logical order, and the list should be not too long


A questionnaire can be distributed via postal mail, but since the 1990s, it has been more common to use the internet for standardized surveys. Already in 2012, a third of all market research interviews had been done via the internet [72]. Today, this is the common standard for performing surveys, exploiting the always-on mentality of people (via their smartphones, tablet PCs, and laptops) in combination with the advantage of a survey database that includes data capturing and visualization options for the results. Therefore, the preferred method for this research was to develop and use an online survey.

Nevertheless, a few aspects need to be considered when conducting an online survey: First, who can be asked to participate via the internet? Who has access? And second, how should the sample group be selected [72]? For this research, the people in the target group are all business people with internet access and e-mail addresses and are thus basically reachable. The more difficult part was to find the right contact details to select the sample group. This was the case for two primary reasons: first, the sensitive and specific topic required respondents at the management or expert level in an organization. These people are often very busy, their contact details are not publicly listed on their companies’ webpages, and only one answer per company was necessary to represent the company’s perception of this research area. Second, the EU GDPR neither allows one to send out mass e-mails to people with whom one has no relation nor allows one to collect contact details from unpublished sources. This means that a researcher must use personally known contacts or search the internet for publicly available contact details in order to compile a sample list. In this research, this limitation was addressed by using the following types of available contacts:

• Sending e-mails to personal contacts met during my professional career or in private environments (ca. 380)

• Sending e-mails to publicly available contacts on the research-relevant website www.dnwe.de (ca. 25)

• Asking research-relevant associations (i.e., Dico e.V., IIA Austria) to act as multipliers by asking their community members via newsletters to participate in my study

• Placing blog posts on social media channels (i.e., XING, LinkedIn, and Facebook)

Following the principle “the more participants, the better the accuracy,” a certain quantity of answers is needed. This means that it is necessary to reach as many relevant people as possible and convince them to contribute, in order to minimize non-responses. Depending on the topic or target group, the usefulness of the survey topic or a personal benefit must be highlighted to motivate people to participate [63]. As an incentive to contribute to this research, every participant was invited to subscribe to receive a summary of the results after this thesis is published. See Appendix 9.2 for examples of the circulation of the request for participants to join the survey.


2.3.2 Analytical Methods

This section explains the theoretical aspects regarding the analysis of the data collected during the expert interviews and the online survey of this research.

Qualitative Content Analysis

To produce an analyzable text as a result of an interview, the interview must be recorded in some way and afterward transcribed into a textual transcript that can be trawled through and coded. There are technical tools such as the QCAmap software [73] available to support a text analysis. Such tools are helpful when there are very long or multiple texts to be compared. However, for this research, the interviews served as a preliminary study. Therefore, just three experts were asked for their opinions and insights, and it was possible to analyze the transcripts without any specific tool. This manual approach, which uses a table structure where each question has been entered as a code, made it possible to concentrate on the content while reading through and summarizing based on Mayring’s concepts of qualitative content analysis.

There are seven basic types of interview transcription [73, p. 45ff]:

• The selective protocol as an economic procedure where the researcher defines selection criteria with respect to the research question and transcribes only the relevant parts.

• The comprehensive protocol is a tightening of the full material where the researcher summarizes reasonable passages. The researcher must be trained for this procedure.

• The clean read and smooth verbatim transcript type is done word for word, but decorative words or utterances are left out and dialect speech is converted into standard language. This allows for simple understanding but keeps the original wording and meaning.

• The pure verbatim protocol is done word for word including all utterances, dialect speech, etc.

• The International Phonetic Alphabet (IPA) is used when one wants to preserve as much of the coloration of the oral language as possible. A special set of characters must be used, and the text is not easy to read.

• A protocol with special characters contains the wordings and a set of signs to describe nonverbal aspects and expressions; for example, laughter or low voice is notated.

• A protocol with comment column is an extensive form and allows the researcher to add all special perceptions beside the text. This method is used for transcription of focus group discussions when a moderator is present.

Although the interviews just served as a preliminary study to gain deeper insight into the research area and were not the main part of this research, the clean read and smooth verbatim transcript was chosen in order to create the most complete picture and possibly be able to use the transcripts in future research. A documentation of nonverbal expressions was neither necessary for the content nor possible, because two of the interviews were conducted by telephone.

Basically, content analysis is not a standardized instrument and needs to be adapted to each study. Hence, the “General content-analytical procedural model” from Mayring [73, p. 54] was adapted and shortened to the following stages:

• Definition of the material by using all three transcripts

• Consideration of the formal characteristics of the material by adding line numbers, anonymizing the interview partner, and handing over the transcript to get a formal approval to use the transcript


• Definition of the direction of analysis as a summary of the answers along with the questions that are acting as codices enriched with new codes found suitable when analyzing the text

• Determination of techniques of analysis and establishment of a concrete procedural model by documenting the outcome in a table.

• Analytical steps are taken by means of the category system: summary/inductive category formation, explication/context analysis, structuring/deductive, or mixed

• Interpretation of the results in relation to the main problem and issue by writing summaries and making notes regarding where the given information should be used during the next research steps (e.g., what could be added as a question or answer option in the online survey)

Three basic procedures of qualitative text analysis are defined as follows, but could also be mixed [73, p. 64f]:

• Summary: The object is to reduce the material in such a way that the essential contents and statements remain in order to create a comprehensive overview of the base through abstraction.

• Explication: The object is to provide additional material on individual doubtful text components to increase the understanding, explaining, and interpreting of the particular text passage.

• Structuring: The object is to filter out particular aspects of the material, to provide a cross-section through the material with defined abstraction criteria, or to assess the material according to certain other criteria.

First, the text passages were mapped to the codes (questions) and paraphrased, and parts of them were generalized and reduced. Second, some new useful codes were created and filled with aspects mentioned by the interviewee during the analysis. Since the aim was not to quantify or derive generalizations out of the experts’ answers, this concentration was just made to focus on dedicated aspects that could be integrated into the next stage of this research. In that sense [73, pp. 70–81], I used a mixture of the summary and structuring principle by using deductive (predefined categories) and inductive (new categories) elements.

Quantitative Content Analysis

A successful analysis requires clever and precise data collection plus careful and thorough cleaning and preparation of these data. This might sound trivial, but it is mostly time consuming and/or technically demanding, and error-prone [74].

The analytical process for quantitative data follows a much more sequential procedure than the one for qualitative analysis. Basically, it consists of the following 10 steps [59, p. 105ff]:

1. Preparation of the data

2. Entry of the data

3. Checking the data regarding completeness, errors, and plausibility

4. Formatting and preparing multi-answer options

5. Coding of the open questions or, respectively, the given answers

6. Using basic counts and descriptive statistical methods

7. Analyzing contexts: correlations and differences between groups

8. Complex statistical analysis and modeling

9. Presentation, discussion, and evaluation of the results

10. Creating the research report

Kuckartz [59, p. 105ff] and Lück and Landrock [74] have explained the key aspects to be considered when conducting a quantitative data analysis. These are summarized and consolidated in the following:

• It is important to bring the raw data into a digital, computable form, or a data matrix. This makes it possible to use statistical software tools and ensures reliability for the upcoming steps. Ideally, there is a code plan that acts as a mapping between the questions and the answer variables. Modern survey tools automatically declare the questions and answer options as variables and organize the raw data in data matrices.

• The type of each variable can be binary, numeric, integer, character, alphanumeric, or symbolic. If a piece of data is not captured electronically during the survey, as in an online questionnaire, it must be typed in correctly or scanned.

• The removal of erroneous entries and a check for plausibility are key before starting the analysis; otherwise, the calculations will not run correctly. Errors could emerge, for instance, through a flaw in the questionnaire (answer options that are not disjoint), technical problems, misinterpretation, or a participant’s unwillingness to answer a certain question. It is important to identify those records and handle them accordingly: keep if the value might be correct, delete if it is certain that the value is wrong, and replace if the correct answer can be estimated with high likelihood. Every data correction must be documented in order to have an audit trail.

• Multiple answers need to be formatted to be countable. When the captured answer is not a number, it could be helpful to transform this answer into labels like “1/0” to be countable, and it might be necessary to estimate missing answers.

• For the basic analysis, a simple count of absolute and relative incidences is generated. This first, explorative work with the data makes it possible to become familiar with the set of answers and to get initial ideas about correlations and tendencies. A graphical representation with bar or pie charts is suitable for a proper visualization. In that stage, average values or medians can be calculated. If necessary, open questions could now be encoded and analyzed.

• Higher statistical procedures like pivot tables, regression tests, or cluster analyses can be built upon the previously computed basic counts.

• During the final phase, the results must be verbalized and described in a research report. This should contain the relevant coefficients, parameters, and error rates. The interpretation of the results should be placed in the context of other empirical studies. Besides the report, proper documentation of all conceptual and analytical steps is necessary to be comprehensible and to allow reproduction.

The concrete procedure of the quantitative data analysis performed for this study is explained in Section 2.6.


2.4 Literature Research

When thinking of literature research as a kind of starting point for a researcher’s work, one can begin with a more or less freely structured search on the internet to find papers, books, and other literature. However, this procedure risks finding more secondary, summarizing literature instead of scientific papers or primary studies and therefore might lack quality in the end. For the evaluation of the quality of an empirical study, it can be important to ask whether there is an interest in the evidence being valid, whether the evidence could be applied in practice, and whether the study could be compared with other studies [75].

As part of the mixed research method approach, the examination of literature for this research area was an iterative process. It began with a generic literature search with the Google search engine and Carrot search engine followed by reading textbooks and some studies to get familiar with the topic in general and to be able to conceptualize this research. In a further step, the second literature review was more structured and influenced by the results of the expert interviews. During that stage, the literature review followed some principles of Kitchenham et al. for conducting systematic literature reviews (SLRs).

One basic principle of SLRs is to document the search process in a review protocol containing the terms used, the libraries searched, and the criteria for choosing a specific source [76]. Table 3 lists the libraries and why they were assigned as relevant for this research.

Library/Source | Type | Reason Chosen
ACFE | Commercial | Closest to research topic; used studies for evaluation and comparison of own results
Carrot search engine | Generic | Used for initial search
Compliance Digital | Academic | Closest to research topic
Deloitte | Commercial | Used studies for evaluation and comparison of own results
Google search engine | Generic | Used for initial search
IEEE Xplore Digital | Academic | Important for the field of business informatics
KPMG | Commercial | Used studies for evaluation and comparison of own results
ResearchGate | Academic | Widely used publishing platform for research work
Statista | Statistical | Relevant statistics for designing the questionnaire

Table 3: Libraries Used During the Second Literature Search and Corresponding Selection Criteria


The search terms used to find relevant items after the pre-study phase were in German and English, depending on the library’s language. The full search strategy is documented in Appendix 9.3, and the list below shows the search terms used:

• Fraud prevention

• Anti-fraud (management)

• Fraud-Aufdeckung

• Fraud & forensic

• Compliance & big data

• Bedrohungsabwehr

• Compliance Sicherung

• Fraud & big data

• Frühwarnsystem/Früherkennung

• Big Data & Betrugsprävention

Furthermore, an SLR avoids bias by using peer-reviews and is ideally performed by a group of researchers [76]. Since this was an individual work, the interviews with the experts and findings from the initial literature search acted as a kind of validation and helped to refine the search terms and to focus on the right papers.

In summary, a mixture of secondary and primary literature was chosen with a focus on dedicated fraud studies, statistics and conference papers for the discussion of the results of my own study.

2.5 Realization of Preliminary-Study – Expert Interviews

This section describes the realization of the qualitative research part of this empirical study. It starts with basic considerations about the aim, how to find participants, and how the interviews were conducted, and lists the questions used for the semi-structured interviews.

The aim of the expert interviews was to carve out important and relevant aspects for companies affected by fraud: how they were affected, which technical countermeasures were installed when the fraud happened, and how big data could help to prevent this. These aspects of experiences and implemented methods to ensure compliance and prevent fraud are enriched with explanations found in literature to design the questionnaire for the quantitative part of this study. The main aim was to find the best targeted questions with respect to the research questions.

The intention was to find three to five experts – IT security or compliance officers – who were willing to speak frankly about the fraud prevention situation in their organizations. The interviews were to contain only a few questions, allow free speech and explanations by the interview partner, and take a maximum of 60 minutes.

With support from my professional network, 13 relevant experts were asked to participate. Ten declined, but three agreed. In preparation for the interviews, the questions (see Table 4) were given to the interview partners beforehand. The interviews were conducted during June 2018. The interviews were held in the German language by telephone or face-to-face and were audio-recorded after asking for permission to do so. The duration of each interview was between 40 and 50 minutes of net time. Due to the sensitive nature of the topic, in order to avoid compromising an interview partner, the questions were formulated using “compliance breach” and “fraud attempt” equally.

Confidentiality was secured by anonymizing all indicators for the company and renaming the interview partners “I-1” through “I-3.” The recordings were transcribed into a clean read, smooth verbatim transcript. Afterward, this transcription was sent to the interview partner to obtain approval for further use during this research and to ensure that the meaning and intentions of the interview partner were kept properly. The transcripts have been saved as PDF files to freeze their status and keep them unchangeable.

Questions for the Expert Interviews (translated from German)

To classify the technical possibilities available in the market for ensuring compliance:

(1) In what year did this (attempted) breach occur?

To classify the nature of the compliance breach:

(2) Was that an external or internal breach?

(3) In which sector/department of your company did this (attempted) breach occur?

To classify the temporal proximity between occurrence and detection:

(4) How and when (how long after the occurrence) was this (attempted) breach detected?

To classify the existing security and prevention measures:

(5) At the time of the compliance breach, which measures (technical, organizational, employee-related) were established for prevention or detection in the company?

To classify the security and prevention measures introduced after that occurrence/that will be introduced in future:

(6) In view of that occurrence, what new/additional measures have been/will be introduced in the company to prevent future compliance breaches?

(7) To what extent are analytical methods (especially big data) a factor in this process?

To classify the usefulness of analytical methods for ensuring compliance:

(8) If analyses (especially big data) play an important role in ensuring compliance or preventing fraud: What are the experiences gained by the company since their introduction?

(9) If the company does not use or will not use BDA methods: What are the reasons for that?

(10) Regardless of a concrete case: How do you assess the chances and the usefulness of BDA methods for fraud prevention?

Table 4: Overview of Questions for the Expert Interviews

After receiving approval to use the interview transcriptions, the content was analyzed in reference to Mayring’s concept of structured content analysis. All three interviews were used as raw material. The questions above acted as codes and were placed in an Excel table; the related answers from each interview were added side by side and paraphrased to make them better comparable. The text positions (interview, page, and line) from the interview transcript were noted as a precise reference. Besides this deductive analysis, some new aspects came up and led to new categories to be utilized as answer options in the subsequent online survey. This information, found inductively, included signals about some fraud types, skill sets of people working in fraud prevention departments, existing tools and techniques, and how to handle personal information records (PIRs) when dealing with a fraud attempt.

A results summary of the interviews is presented in Section 3.1 of this paper. If questions and answers from the interviews were used in the online questionnaire they are indicated as reference numbers in the table provided in Appendix 9.1.

2.6 Realization of Online Survey – Quantitative Research

This section describes the implementation of the quantitative research part of this empirical study. It begins with initial deliberations about the relevant participants, the duration, the questionnaire, and the sample size. Furthermore, it explains the structure of the questionnaire and provides some specifics about the design of the questions.

Due to the sensitive topic of this research, it was necessary to conduct an anonymous survey in order to avoid causing any harm to the participating organization. Therefore, a dedicated LimeSurvey server in an encapsulated environment within the university’s IT landscape was used as the survey tool. IP addresses were not stored, but cookies were set to avoid double entries.

Regarding the target group for this empirical study, German-speaking organizations are of primary interest. If the study is to be considered representative, the population N, all companies in Austria and Germany, is approximately 4 million (AT ca. 450,000 in 2011 [77]; DE ca. 3.5 million [78]). Calculating with a standard sampling error of e = 5% and a confidence interval of 95% (z-value = 1.96 standard), 385 valid responses are needed as the sample size [79]. Taking into account that only one answer per company is required, as well as the restrictions set by the GDPR for addressing people, it would be difficult to get this amount of valid feedback.
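The sample-size figure above follows from Cochran’s formula for estimating a proportion. As an added worked example (not from the thesis), the block below reproduces the 385 with the thesis’s values z = 1.96 and e = 5%, applies the finite-population correction for N ≈ 4 million, and also inverts the formula to show which margin of error the 95 answers actually obtained correspond to. The conservative assumption p = 0.5 is my addition; the thesis does not state it.

```python
"""
Sample-size arithmetic for a proportion estimate (added worked example).

Cochran: n0 = z^2 * p(1-p) / e^2, with p = 0.5 as the most conservative
choice (assumption). Finite-population correction: n = n0 / (1 + (n0-1)/N).
"""
import math


def required_sample_size(z=1.96, e=0.05, p=0.5, population=None):
    """Minimum number of valid responses for margin e at confidence level z.

    Rounded up, because a fraction of a response cannot be collected.
    """
    n0 = (z ** 2) * p * (1 - p) / (e ** 2)
    if population is not None:
        # Finite-population correction; negligible for N ~ 4 million,
        # noticeable only for small populations.
        n0 = n0 / (1 + (n0 - 1) / population)
    return math.ceil(n0)


def margin_of_error(n, z=1.96, p=0.5, population=None):
    """Invert the formula: the margin e actually achieved with n responses."""
    variance = p * (1 - p) / n
    if population is not None:
        variance *= (population - n) / (population - 1)
    return z * math.sqrt(variance)


if __name__ == "__main__":
    # Thesis values: e = 5%, 95% confidence, N ~ 4 million companies.
    print(required_sample_size(population=4_000_000))           # 385
    # Margin that the 95 usable answers correspond to (about 10%).
    print(round(margin_of_error(95, population=4_000_000), 3))   # 0.101
```

Reading the second number: with 95 answers, a reported share of, say, 50% carries a margin of roughly plus or minus 10 percentage points at 95% confidence, which is the practical consequence of falling short of the 385 target.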

The questionnaire was open for 15 weeks from mid-December 2018 until the end of March 2019. During that period, by looking for participants – as described in Section 0 – via direct e-mails, blog posts, and multiplier newsletters, this study yielded 95 answers that could be analyzed.

Regardless of the size of a company, knowledge about the use of big data on the one hand and fraud prevention countermeasures on the other should be allocated within a company or organization to the following roles and functions: managing director/general manager, chief information officer (CIO), chief information security officer (CISO), high-level functions in finance management, or experts in the fields of analytics, IT security, fraud prevention, or compliance. These categories of people were addressed by direct speech or indirectly by asking personal contacts in different companies to forward my request to the appropriate function within the company for which they work.

To avoid language barriers, the questionnaire was written in German. Participants were expected to take approximately 10 to 15 minutes to fill out this questionnaire. Therefore, the questions were detailed in order to make it as clear as possible what I wanted to know, and the answer options were predefined as much as possible. On the one hand, this facilitates counting the given answers for the analysis. On the other hand, it is convenient for a participant to give an answer by just selecting it with a radio button or ticking a checkbox. The answer options were ordered logically or in plain alphabetical order when there were multiple choices to select.

The content of the questionnaire in LimeSurvey was structured in six parts:

• A landing page to explain the purpose and backgrounds of this research

• Module 1: to capture generic parameters about the company’s type, size, occupation, and the role of the respondent

• Module 2: to ask about the company’s fraud situation and the implemented state of countermeasures

• Module 3: to ask about the use of BDA and technical concepts established in the company, which help to ensure compliance and protect the organization from fraud attacks

• Module 4: to ask, using a five-point Likert scale, questions about the participant’s personal opinion concerning a few critical statements about the facilitation of big data techniques to prevent fraud attacks

• The thank-you page with a link to a separate form to capture the interest of a participant to retrieve a summary of the survey results

The complete questionnaire with its structure, questions, and answer options was predesigned as a text document and then transferred into the online survey tool. It is shown in Appendix 9.1 with the original texts in the German language and the references indicating whether questions and answer options were found in the literature or were a result of the expert interviews.

Although a common recommendation is to avoid indirect questions, the sensitive topic of this research made it necessary to get some answers by asking softened questions or use indirect questions as an indicator instead. Indicators are surrogates for facts with the property of being observable or countable and point to circumstances that are not directly observable. Indicators are commonly linked by correspondence rules (i.e., if…then…) to the real area or question of interest [80]. Question M3-Q6 acted in that sense when asking about the implemented technical countermeasures. Some answer options were directly connected to BDA. Even when a participant does not know if this is a kind of a big data technique but knows that this technique is used in the organization, he or she could positively answer this aspect. To design valid indicators, the researcher also needs adequate knowledge to cope with the challenge to connect the indicator question as closely as possible to the real question [80]. Hence, the literature review was extensive, was combined with existing domain knowledge from my professional work and led to the decision to use compliance and fraud prevention synonymously.

The survey began with the demographic questions as a kind of warm-up. Although it is recommended to place the most sensitive questions in the middle or more toward the end to avoid drop-offs, it was necessary from a logical standpoint to place the fraud-related questions before the big data-related questions, in the middle section of the questionnaire. The questions on page four about personal opinions were easier and complemented the research topic. A hypothetical question was only used in M2-Q3 to soften the sensitivity and avoid the risk of false or missing answers.

To process the captured answers, a file exported into an Excel spreadsheet was taken from the LimeSurvey engine. All respondents who had filled at least the first page (Module 1) were taken into account. Columns that contained only technical information about timestamps from the survey tool were deleted, and only relevant content was selected.


The data preparation took several steps and was documented by making a copy after each step to freeze this stage: first, the questions and answers and the headlines for the result charts were translated from German into English. In a second step, the answers given in the free text fields (answer option “other”) were reviewed to understand their content and to harmonize the spelling to make them countable. Third, the “Yes/No” answers were converted into “1/0” so they could be counted easily. As a fourth action, the preset, fact-collecting answer options were concentrated in a single-column style to allow for the use of Excel pivot table functions to count and create the result charts.
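The preparation steps just described (harmonizing free-text “other” answers, recoding Yes/No as 1/0, and reshaping multi-answer columns so they can be counted like a pivot table) and the plausibility check with an audit trail from Section 2.3.2 can be expressed as a small, reproducible script. The block below is an added example and not the thesis’s own Excel workflow; the column names, the spelling-harmonization table, the two plausibility rules and the four sample rows are all constructed for illustration.

```python
"""
Preparation of a survey export with an audit trail (added example).

Assumed input: one dict per respondent, as csv.DictReader would yield from
a survey tool's export: Yes/No columns (German "Ja"/"Nein"), a free-text
"other" field and one column per checkbox option holding "Y" when ticked.
"""
import re
from collections import Counter

# Constructed raw export (not thesis data): four respondents.
RAW_ROWS = [
    {"id": "1", "m1_completed": "Y", "fraud_case": "Ja", "detect_months": "6",
     "tools_other": " SIEM ", "tools_1": "Y", "tools_2": "", "tools_3": "Y"},
    {"id": "2", "m1_completed": "Y", "fraud_case": "Nein", "detect_months": "",
     "tools_other": "siem-System", "tools_1": "", "tools_2": "Y", "tools_3": ""},
    {"id": "3", "m1_completed": "Y", "fraud_case": "Nein", "detect_months": "3",
     "tools_other": "", "tools_1": "", "tools_2": "", "tools_3": ""},
    {"id": "4", "m1_completed": "", "fraud_case": "", "detect_months": "",
     "tools_other": "", "tools_1": "", "tools_2": "", "tools_3": ""},
]

YES_NO = {"ja": 1, "yes": 1, "nein": 0, "no": 0}
# Constructed harmonization table for spelling variants in "other" answers.
SYNONYMS = {"siem-system": "siem", "siem system": "siem"}
# Multiple-answer questions and the export columns of their options (assumed).
CHECKBOX_QUESTIONS = {"tools": ["tools_1", "tools_2", "tools_3"]}


def harmonise_free_text(value):
    """Trim, lower-case, collapse whitespace, then map known variants."""
    text = re.sub(r"\s+", " ", value.strip().lower())
    return SYNONYMS.get(text, text)


def yes_no_to_int(value):
    """Map Ja/Nein (or Yes/No) to 1/0 so the column can be summed; else None."""
    return YES_NO.get(value.strip().lower())


def prepare(rows):
    """Clean the rows; return (clean_rows, long_rows, audit_trail).

    Every deletion or replacement is appended to audit_trail, so the
    keep / delete / replace decisions stay traceable afterwards.
    """
    audit, clean = [], []
    for row in rows:
        # Plausibility rule 1: respondent must have completed the first page.
        if row["m1_completed"] != "Y":
            audit.append({"id": row["id"], "action": "delete",
                          "reason": "module 1 not completed"})
            continue
        new = dict(row)
        new["fraud_case"] = yes_no_to_int(row["fraud_case"])
        new["tools_other"] = harmonise_free_text(row["tools_other"])
        if new["tools_other"] != row["tools_other"]:
            audit.append({"id": row["id"], "action": "replace", "field": "tools_other",
                          "old": row["tools_other"], "new": new["tools_other"]})
        # Plausibility rule 2: a detection time without a reported case is
        # contradictory; the detection value is the one to clear.
        if new["fraud_case"] == 0 and row["detect_months"]:
            audit.append({"id": row["id"], "action": "replace", "field": "detect_months",
                          "old": row["detect_months"], "new": ""})
            new["detect_months"] = ""
        clean.append(new)
    # Wide-to-long: one row per ticked option, which is what a pivot count needs.
    long_rows = [{"id": r["id"], "question": q, "option": col}
                 for r in clean
                 for q, cols in CHECKBOX_QUESTIONS.items()
                 for col in cols if r[col] == "Y"]
    return clean, long_rows, audit


def option_counts(long_rows, n_respondents):
    """Absolute and relative frequency of each ticked option."""
    counts = Counter(r["option"] for r in long_rows)
    return {opt: (c, round(c / n_respondents, 3)) for opt, c in sorted(counts.items())}


if __name__ == "__main__":
    clean, long_rows, audit = prepare(RAW_ROWS)
    print(option_counts(long_rows, len(clean)))
    for entry in audit:
        print(entry)
```

The audit list is the script’s equivalent of the thesis’s “copy after each step”: it records which record was dropped or which value was replaced and why, so a reviewer can reproduce every correction from the raw export.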

The major outcome of this analysis is described in Section 3.2, and the full chart set is available in Appendix 9.4.


3 Results

This chapter describes the results and findings from both phases of the empirical study, beginning with a summary of the expert interviews followed by an overview of the results from the online survey with a focus on specific, remarkable aspects. The complete answers, presented in the order of the questionnaire, are added in Appendix 9.4. This chapter also lists big data techniques used for fraud prevention that have been found in the research literature. The answers to the research questions are presented and discussed in Chapter 4 of this paper.

3.1 Results of the Pre-Study and Implications for This Research

The theoretical background, conception, and proceeding details for the qualitative research part of this empirical study are explained in the preceding sections of this thesis. Therefore, this part concentrates on the major outcomes of the expert interviews and their implications for the subsequent quantitative online survey.

The first interview was conducted with the person responsible for compliance at a medium-sized, worldwide-active company working in the IoT sector. The research-relevant aspects were explained using a recent case of fraud in projects with irregular invoices. This fraud attack was committed via collaboration between internal and external parties and was detected before any damage was caused. It was prevented by human factors: the manager performing the invoice control became suspicious because the invoices referred to an already closed project. This raised questions about their relevance, and during the resulting investigation the fraud attempt was discovered. The timeframe between the fraudulent invoice claim and its discovery was approximately half a year. The consequences for future fraud prevention were a stronger segregation of duties for a better four-eyes principle and a whistleblower hotline. These actions are part of the organizational fraud countermeasures. Information technology-related improvements have not been made, and there are no real IT fraud prevention mechanisms in place.

Interview partner I-1 does not view BDA as helpful in the particular business model of this company, and it is not implemented. However, additional and specific key performance indicators (KPIs) or risk indicators could be set up for better project controlling. Big data is instead assumed to be helpful in forensics during a merger and acquisition (M&A) process. Cultural and organizational actions are considered the better fraud prevention measures. The measures implemented in this company are regular employee training sessions, investigations when a situation is suspicious, and working with segregation of duties and a four-eyes principle. Compliance is not considered a surveillance method but rather an ethical concept in which employees are aware and will report suspicious cases.

One implication for the online survey was to contact compliance associations and ask for support in distributing the questionnaire. Besides the coded questions and derived answer options for the questionnaire, the interview partner mentioned some signals of fraud cases, which could be of interest for future research concerning the development of a signal-based framework for fraud prevention.


The second interview was conducted with the person responsible for compliance at a medium-sized, worldwide-active company working in the business-to-business (B2B) production sector. During the interview, no particular fraud case was discussed, but “fake president” phishing attacks (CEO fraud) are common in this area of business, as is bribery. Detection and prevention occur via indications from the affected employee: for example, an employee tells the manager that money was offered to the employee to influence a decision in favour of a particular external party. No technical system is involved; culture and ethical behaviour help to prevent fraud here and are viewed as the basis for successful fraud prevention. Technical prevention measures are implemented against other threats, for instance firewalls against hacking attacks. Once a case is detected, a specific reaction chain is followed: first, speaking with the affected employee, adding the workers’ council or legal support in some cases, and then deciding which systems, data, and information should be investigated further. At this second step, analytical methods come into play. This means that data analytics is used as a forensic measure, not as a preventive one. Besides established compliance rules and obligatory once-a-year awareness training, newsletters with anti-fraud and compliance information are circulated to the staff and are also available on the intranet.

Big data is not assumed to be helpful for fraud prevention because the fraud cases are too varied and depend too much on a company’s individual risks. If analytical methods were widely used for fraud prevention, there would be a risk of too many false positive alerts that could not be handled manageably. Nevertheless, the company works together with an external fraud examiner and is about to install a pilot of an analytical tool that should improve compliance prophylaxis by using KPI-based rules for pattern deviations. Furthermore, the interview partner stated that if employees know that there are controls, they might behave more compliantly than if there were no controls or rules. A working fraud management system is viewed as a bundle of measures and actions consisting of process controls, segregation of duties, and the four-eyes principle in alignment with a corporation-wide compliance culture including regular training. However, this control set must be coordinated with the company’s specific risks.

The information from this interview was used to prepare answer options for the questionnaire.

The third interview was conducted with an IT security specialist in a senior management position working for a large, worldwide-active corporation in the distribution sector. With respect to fraud management, this company has a high degree of technical implementation with a focus on incident response processes and countermeasures against email fraud, including blind tests with fake emails and URL defense checks. In addition, this corporation works with the Control Objectives for Information and Related Technology (COBIT) framework for SOX controls. Recently, the company was affected by email fraud committed by external parties when a few employees did not recognize a phishing attempt and clicked, which caused mass e-mails to be sent using the internal address book. This attempt occurred during the regular workday, so the threat recognition software sent an alert, and aware employees reported the suspicious email by using the integrated button in the mail application. The reaction time was a few hours, so no business-sensitive data was stolen, nor was any other damage done. However, as a new measure, a closed-loop training model was implemented. With this training model, fake e-mails are sent out, and if an employee clicks on a link, this employee is automatically forwarded to a training website.

This organization follows a best-of-breed approach when using IT-based or analytical methods to prevent fraud. It currently uses up to 50 different applications and has tripled its budget for IT security investments during the last two years. The interview partner stated that in just five years the company will have an integrated fraud prevention IT landscape. For the last three years, big data analytical methods have been established to filter the daily business events for suspicious items by anomaly detection and pattern deviations. Currently, BDA is neither used predictively nor fully integrated. I-3 thinks that BDA is currently important for a successful security program for three main reasons: to improve the maturity level of the security systems, to handle the increasing amounts of data, and to understand better where existing measures could be adjusted and improved to enable quicker response times.

Besides these technical countermeasures, the company has a strong compliance culture with a code of conduct, regular employee training, and a strict segregation of duties paired with a delegation of authority (DOA) following the four-eyes principle. It is important not to use these internal technical controls for employee assessments and to work in alignment with the workers’ council.

Multiple answer options for the online questionnaire were derived from this interview. It provided good insight into already existing IT-based and analytics-based methods and software tools to prevent fraud and compliance misbehaviour. Some new and interesting aspects for potential future research were addressed, such as the skillset needed by a fraud manager working in a data analytics environment.

Summarizing the results from the expert interviews, there seems to be a different perception of the use of BDA between IT security and compliance and between mid-sized companies and large organizations: the compliance responsible persons from both mid-sized companies think more about the cultural and ethical aspects of preventing fraud than about using IT and analytical techniques. However, all three interviewees agreed that analytics methods need to be used with respect to laws and privacy regulations and must be tailored to the individual risks facing an organization. Since this is just a snapshot, it was of interest to know whether this picture would be reflected in the results of the quantitative survey.

The direct implications of the pre-study were: to take over answer options for many of the questions; to rethink the target group for the survey; and to add the compliance managers’ networks as a multiplier for the distribution of the questionnaire. Besides that, the experts confirmed the need to soften some questions and to use indicators or indirect, hypothetical questions for sensitive topics.

3.2 Results of the Online Survey: Summary and Highlights

This section describes the results of the online survey by summarizing the data and highlighting certain remarkable aspects. The complete set of answer charts is presented in Appendix 9.4. The results with respect to the research questions are described in Section 4.

The questionnaire was conducted in German with respect to the target group to avoid misunderstandings due to language barriers, as shown in Appendix 9.1. The questions and answer options were translated afterward during the analysis process. Therefore, the result charts now contain bilingual descriptions to reflect the mapping and to allow the same versions to be used in all future documents. The numbers in parentheses below indicate the number of mentions of an answer option.


3.2.1 Summary and Highlights: Participant Structure

During the 15-week runtime of the online survey, a total of 135 attempts at participation were counted. Forty attempts did not include any relevant answers, so 95 valid answer sets were taken into account for the analysis. Of these 95 answer sets, 76 also completed the questions in Module 2 regarding the fraud aspects. Sixty-nine participants answered the questions about big data in Module 3, and finally 65 participants gave their personal opinions about some critical statements.

The research was conducted within the German-speaking business community, mainly in Germany and Austria. The ratio between participants from Germany and from Austria is roughly two thirds versus one third, plus some answers from Switzerland and the Czech Republic. Additionally, some participants mentioned having international or worldwide business activities.

The main legal form of participants was the limited liability company (42), followed by corporations and stock-listed companies (34 in total). The concentration of publicly listed companies is favourable for this research, because such companies are obliged, apart from all ethical rules, to install measures ensuring compliant behaviour in order to protect shareholder value. It is remarkable that a few non-profit organizations (NPOs) such as a church and a university also completed the questionnaire.

The top five industry sectors were, in descending order, the services sector (16), the production industry (15), IT and telecommunications (13), finance and insurance (12), and sales (11). There were no participants from the areas of lifestyle and holiday or environment, but all other sectors are represented, which means that this research is based on a wide and diverse range of answers with a focus on highly transaction-based business sectors. When double-checking this allocation with just the 76 respondents who filled in the second part of the questionnaire, the allocation remains nearly stable; the top five sectors are still the same.

The same picture emerged when looking at the participants’ functions within their companies, so the distribution of functions also seems reliable. The top four roles of the people who filled out the questionnaire were senior management or chief executive officer (CEO) (26), (head of) internal audit (20), other (19), and compliance officer (11). The group of “others” consists mainly of people working in marketing and sales, research and development, and one head of supply chain management. There were also answers from finance managers (7), CIOs (4), and IT security specialists (3). Although this research had no contributions from people working as BI or BDA specialists and a few answers came from departments outside the defined target group, a majority of approximately 75% perform relevant functions. Therefore, the answers can be considered reliable for this research.

Regarding the size of an organization, most participants work in large companies with an annual turnover greater than 50 Mio. EUR (56). The second largest group works at the smallest companies with a turnover below 1 Mio. EUR per year (16). The contribution of large companies to this research is also reflected in the number of employees: 51 companies have more than 500 employees, followed by 14 companies with 10 to 49 and 13 companies with fewer than 10 employees.

The question with respect to the location of the headquarters was asked in order to understand which legal requirements a company must fulfill to establish fraud prevention measures. For instance, a company located in Austria, even a smaller one, but with a stock-listed mother company in the US, must comply with SOX regulations, which leads to stronger countermeasures than those found in similar companies without such a mother company.


The question about the ERP system in use provides an idea of how powerful a system is and how much data is available for BDA purposes. Companies working with SAP, for instance, should be able to feed transactional data into databases and analyze them, or to use the system-integrated measures and algorithms to detect fraud. Forty-five companies work with SAP, followed by Microsoft Office applications (10) and Navision (9). The information about the ERP systems was used to check the answer option of having a fraud detection engine from the current ERP solution provider in use. A correlation between the kinds of fraud prevention measures established in companies using SAP and in companies not using SAP was not calculated for this research but would be an option for future research.

3.2.2 Summary and Highlights: Fraud Management Status

The questions about the fraud situation within a company addressed a sensitive area. This is reflected by the fact that only 28 of 95 respondents admitted to having had a fraud attempt within the last 12 months. Within these roughly 30% of answers, fraud attempts were fairly evenly committed by external hackers, internal employees, and combinations of internal and external people. The main affected areas within companies were accounting and finance (12), sales and marketing (9), and procurement (9). By far the most frequently mentioned detection method for these fraud attempts was a report by an employee (e.g., using a whistleblower hotline) (18). Only four respondents mentioned having been supported by an IT-based warning system.

The difficulty of asking questions around a highly sensitive topic is evidenced by the fact that 30 of 76 participants explicitly clicked “no answer” in response to the question about the change in fraud attempts during the last three years. However, 20 respondents reported a roughly constant level of fraud attempts, and 18 a slight increase.

When looking into the typical fraud types that are relevant for the industry of a company, the top three were “false invoices and manipulated documents” (34), “phishing attacks” (30), and “data theft” (25). These are followed by a middle section with around 20 mentions each for “asset theft,” “internet crime and hacking,” “corruption and bribery,” and “account hacking or identity theft.”

To get a better understanding of the general attitude toward governance, risk, and compliance (GRC), respondents were asked who handles it: 36 companies stated that they have a dedicated compliance department or a compliance officer function, and 29 have an IT security function. However, the third largest group has no dedicated department, and management itself takes care of GRC issues. Five respondents stated that they do not have a dedicated department in-house but work with an external specialist. What is remarkable is the low overall answer rate (18) for the option that every employee is responsible for compliant behaviour within his or her job function. This might indicate either that a consistent and living integrity culture has not been established, or that this aspect is so simple and obvious that it was not considered worth mentioning. However, the answers indicate that in many companies a combination of dedicated functions takes care of the company’s risk management.

Narrowing to the focus of this research, the established countermeasures against fraud differentiated into human-, technology-, and organization-related measures (MTO), there were three dedicated questions, one for each dimension of the MTO concept. Based on 76 answer sets with multiple answers possible, the top three for each category are presented in Table 5. The number in parentheses indicates the number of mentions. The top answers of all three dimensions are widely spread over all company types. However, the second- and third-ranked IT and technical countermeasures have less than half the count of the human- and organization-related ones. This indicates that technical and IT-based fraud prevention methods are still not popular in companies compared to classical prevention and detection measures.

Table 5: Top Three Countermeasures Sorted by the MTO Concept (N = 76, multiple answers possible; number of mentions in parentheses)

Rank 1
  Man-related: Regularly inform all employees about compliance, security, and fraud prevention (e.g., by circular letter or via intranet) (58)
  IT/Technical: Work with access authorization and role-based access concepts for relevant (IT) systems (59)
  Organizational: Use the four-eyes principle for approvals and critical processes (68)

Rank 2
  Man-related: Live a culture of integrity (51)
  IT/Technical: Use “red flags” and active warning systems to detect fraud (21)
  Organizational: Have signatory rules for all business sectors (DOA) (55)

Rank 3
  Man-related: Conduct regular employee training (46)
  IT/Technical: Work with limit systems that stop transactions or decisions above certain thresholds and escalate them to the next higher level of authority (20)
  Organizational (tie): Have external audits (e.g., SOX) (50); use operating procedures and corporate governance rules (50)

Some of the participants may not have been aware that some of the predefined answer options are, or at least could be, related to big data techniques. Therefore, the number of answers for these options, shown in Figure 10, provides an initial indicator regarding the use of BDA to prevent and detect fraud. These are the indirect signs of the use of BDA to ensure compliance and prevent fraud:

• Working with active warning systems (“red flags”)

• Using particular algorithms and software for pattern matching or transaction mining

• Maintaining and using internal databases with documented fraud cases for comparison and detection

• Using external anti-fraud databases and feeds (e.g., STIX, TAXII, and SpyCloud; strictly speaking, STIX and TAXII are the format and transport standard for exchanging threat intelligence rather than databases themselves) to compare upcoming events with known fraud typologies
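The first three indirect signs above (red-flag warning rules, pattern matching over transactions, and comparison against a database of documented fraud cases), together with the limit systems from Table 5 and the closed-project invoice case from the first expert interview, can be illustrated with a small screening routine. The following Python code is an added example and not taken from the thesis or from any interviewed company; the invoice records, the project list, the approval limit, and the “known fraud vendor” entries are constructed for illustration, and the rules are hypothetical choices of the kind such a system would be configured with.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass
class Invoice:
    invoice_no: str
    vendor: str
    project: str
    amount: float
    issued: date


# Constructed project register: closing date, or None if the project is still open.
# (In the interview case the suspicious invoices referred to an already closed project.)
PROJECT_CLOSED = {"P-100": date(2018, 9, 30), "P-200": None}

# Hypothetical limit system: amounts above the limit must escalate to the next
# authority level; amounts just below it are a classic manipulation pattern.
APPROVAL_LIMIT = 10_000.0
NEAR_LIMIT_FRACTION = 0.95

# Constructed "internal database of documented fraud cases", reduced to vendors.
KNOWN_FRAUD_VENDORS = {"Quickfix Consulting"}

# Constructed sample invoices (not real data).
SAMPLE_INVOICES = [
    Invoice("INV-1", "Alpha GmbH", "P-200", 4_200.0, date(2019, 2, 10)),
    Invoice("INV-2", "Alpha GmbH", "P-100", 8_800.0, date(2019, 3, 5)),
    Invoice("INV-3", "Beta AG", "P-200", 9_800.0, date(2019, 3, 6)),
    Invoice("INV-4", "Beta AG", "P-200", 9_700.0, date(2019, 3, 6)),
    Invoice("INV-2", "Alpha GmbH", "P-200", 500.0, date(2019, 3, 7)),
    Invoice("INV-5", "Quickfix Consulting", "P-200", 12_000.0, date(2019, 3, 8)),
]


def red_flags(inv, is_duplicate):
    """Per-invoice red-flag rules; returns the list of triggered flag names."""
    flags = []
    if inv.project not in PROJECT_CLOSED:
        flags.append("unknown_project")
    elif PROJECT_CLOSED[inv.project] is not None and inv.issued > PROJECT_CLOSED[inv.project]:
        flags.append("closed_project")
    if is_duplicate:
        flags.append("duplicate_invoice_no")
    if APPROVAL_LIMIT * NEAR_LIMIT_FRACTION < inv.amount <= APPROVAL_LIMIT:
        flags.append("just_below_limit")
    if inv.amount > APPROVAL_LIMIT:
        flags.append("requires_escalation")
    if inv.vendor in KNOWN_FRAUD_VENDORS:
        flags.append("known_fraud_typology")
    return flags


def screen(invoices):
    """Run the red-flag rules plus one cross-invoice pattern check.
    Returns a list of (invoice_no, flags) in input order."""
    seen = set()
    per_invoice = []
    for inv in invoices:
        key = (inv.vendor, inv.invoice_no)
        per_invoice.append(red_flags(inv, key in seen))
        seen.add(key)

    # Pattern deviation across invoices: one vendor splitting a claim into several
    # same-day invoices that each stay under the approval limit.
    groups = defaultdict(list)
    for idx, inv in enumerate(invoices):
        groups[(inv.vendor, inv.issued)].append(idx)
    for idxs in groups.values():
        amounts = [invoices[i].amount for i in idxs]
        if len(idxs) > 1 and sum(amounts) > APPROVAL_LIMIT and all(a <= APPROVAL_LIMIT for a in amounts):
            for i in idxs:
                per_invoice[i].append("possible_split")

    return [(inv.invoice_no, flags) for inv, flags in zip(invoices, per_invoice)]


if __name__ == "__main__":
    for invoice_no, flags in screen(SAMPLE_INVOICES):
        print(invoice_no, flags or "-")
```

Every rule here is a deterministic check that a manager could also apply by hand; the point of automating it is the half-year gap between claim and discovery described in the first interview. The second interviewee’s concern about unmanageable false positives applies directly: thresholds such as `NEAR_LIMIT_FRACTION` and the project register must be tuned to the company’s own risks and kept out of employee assessments, as the third interviewee stressed.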

With respect to a company’s maturity level in fighting fraud, the use of certain frameworks provides an indirect indicator: some of them are IT-related, while others cover a holistic governance and risk management approach. It is interesting that, as the top answer, 41 of 76 companies use their own compliance program as a framework and, in third place, at least 20 have established their own anti-fraud policy. This demonstrates the need to tailor the bundle of measures to the individual company, with preset frameworks such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) or COBIT used as supporting guidelines. In contrast, the second-place answer, given by 29 participants including 15 from large and nine from small companies, is that the respondent does not know about the use of any framework at all. This demonstrates a lack of awareness in this matter, because this option was selected on its own, without any other option in parallel.


Figure 10 – Established Technical and IT-Related Measures to Combat Fraud

Which IT- and technology-based measures have been established to prevent fraud? (Welche Maßnahmen zur Compliance-Sicherung / Betrugsabwehr sind in Ihrem Unternehmen etabliert? Bereich Technik / IT); N = 76, multiple answers possible; number of mentions per option:

• Access authorization, role-based access concepts for all relevant (IT) systems (59)
• Active search for defined “red flags” / active warning system (21)
• Work with limit systems (20)
• Use of particular algorithms and software for pattern matching, transaction mining (19)
• Work according to standards such as COBIT (15)
• Do not know, no answer (14)
• Use of particular fraud risk assessment tools (12)
• Use of a database with documented fraud cases for comparison and detection (9)
• Use of external anti-fraud databases and feeds with fraud typologies (e.g., STIX, TAXII, SpyCloud) (7)
• Machine-learning techniques (5)
• Other (3)

In the chart, the options that imply big data analytics (see the list above) are marked as “implicit big data analytics”.

Summarizing the overall fraud management status, the answers from this survey demonstrate that most fraud activities are committed in the areas of accounting and finance, sales and marketing, and procurement. By far the most frequently mentioned detection method for fraud attempts was a report by an employee, such as via a whistleblower hotline. Only a few respondents mentioned having been supported by an IT-based warning system. Besides the manipulation of invoices and other documents, the types of fraud committed demonstrate a significant rate of cybercrime with phishing attacks and data theft. The most common countermeasures are organizational measures, followed by people-related ones. Technical and IT-based fraud prevention measures are still not very common in companies compared to classical countermeasures. The use of frameworks is not widely distributed, which could be interpreted as a lack of awareness or an underestimation of their value.

3.2.3 Summary and Highlights: Use of Big Data

The overall attitude toward big data is positive: 29 respondents, including 11 from SMEs, mentioned BDA as an interesting field of tools, and 17 confirmed already having it in use or continuously screening the market for suitable big data solutions and applications. In contrast, 10 companies, five SMEs and five large businesses, think that BDA is not relevant for their particular current business. Where big data is used, it is used in business-driving areas such as marketing and sales (37) and process optimization (32). However, fraud prevention (25) in third place, followed by developing new business models (24) and the support of IT security (24), is close to the top as well.

Going into detail about fraud risk prevention with BDA, big data methods are mainly used to prevent internet crime and hacking attacks (29) or for general support of the internal control system (26), followed by preventing phishing attacks (19) and false accounting statements (19). During the preliminary study, one interview partner described big data as a supporter or facilitator of a company’s risk management. Surprisingly, 26 respondents explicitly answered “do not know” regarding what type of fraud big data would help to prevent in their company. This could be interpreted in two ways: the survey participant may not know any details, or he or she did not want to confirm any details but is aware of the usefulness.

That this research touches on a sensitive area and not all participants want to disclose their activities regarding fraud prevention with big data can be supposed from the answers given about plans to invest money in big data for fraud prevention. By far the most frequent answer was “do not know about any plans,” which is astonishing when considering the functions of these respondents within their companies. The 39 answers were given by, among others, 12 managing directors, two heads of IT security, and six heads of internal audit, all of which are functional roles that should be aware of such investments. This assumption is supported by the outcome of two further questions: first, the question regarding the currently implemented type of IT-based anti-fraud system, where 34 respondents stated that they did not have any or did not know, even though this group included 26 answers from managing directors, accounting managers, IT security experts, and internal audit specialists. Second, for the question about a prospective IT-based anti-fraud system, 54 answers were “none or do not know,” again with a high proportion of managing directors and internal auditors among the respondents.

When participants were asked explicitly why big data is not used to prevent fraud in their companies, the main answer with 28 mentions was “do not know,” but the top three actually specified reasons were limited IT resources (20), the need for highly specific knowledge the company cannot afford (16), and the high complexity of implementation and daily usage (13). Surprisingly, the handling of too many false positive alerts is not viewed as a problem at all, although this was mentioned during the expert interviews.


Instead of big data methods, many other mechanisms are considered more suitable for preventing fraud, namely using access restrictions (58), performing regular software updates to close security gaps (49), and establishing and using role concepts (43), followed by raising technical hurdles against external intrusion such as two-factor authentication or strict password policies, and implementing physical security systems such as access-controlled doors or video surveillance. In sum, organizations today still count more on classical, proven, and long-established countermeasures like those summarized in a paper from 2006 [81].

Besides the companies’ perceptions about the usefulness and actual use of big data for fraud prevention, the final module of the questionnaire asked each participant for his or her personal opinion. This individual perception was captured by asking to what extent the person agrees or disagrees with some critical statements about the usefulness of BDA for fraud prevention, as shown in Figure 11.

This last set of questions was intended to find out whether there is a difference between the companies’ and the individuals’ approach, and to revisit some aspects mentioned during the expert interviews.

• Indeed, individuals seem more critical about the usefulness of BDA to combat fraud, or at least unsure about it (T1), than the companies are, given that fraud prevention ranked third among the companies’ uses of big data.

• The vast majority thinks that it is more important to identify and tackle the individual risks of a company than to analyze everything with big data methods (T2). This opinion indirectly shows a potential for BDA to be used in particular cases and to lower specific risk situations, but it is common sense that the use of big data needs to be tailored.

• Remarkable is the small difference in the answers to the question of whether the complexity of big data is an obstacle for SMEs (T3). Nearly the same number of people agreed and disagreed with this statement, which shows the opportunity for SMEs to benefit from the use of big data. This positive opinion is reflected by those SME employees who confirmed the use of dedicated test methods and algorithms to prevent fraud and by the SME employees who think big data is an interesting area.

• At present, more participants stated that big data analytics is useful for fraud detection and quicker response times, but they are not sure whether BDA will be suitable for real fraud prevention in the sense of prediction (T4). The survey participants share this opinion with the experts from the interviews.


Figure 11 – Personal Opinions about the Usefulness of BDA for Preventing Fraud

Summary of opinions on four critical statements concerning the usefulness of big data analytics for preventing fraud (Zusammenfassung des Meinungsbildes zu 4 kritischen Aussagen); N = 65. Scale: 1 (do not agree), 2 (do slightly disagree), 3 (do not know), 4 (do slightly agree), 5 (do strongly agree). Number of answers per scale point, given as 1 / 2 / 3 / 4 / 5:

• Critical Thesis T1. Big data is less suitable for ensuring compliance or preventing fraud. It is more important to emphasize the ethical and compliant behaviour of all employees: 4 / 8 / 22 / 17 / 14
• Critical Thesis T2. It is more important to identify the individual risks of a company instead of analyzing everything by means of big data: 1 / 8 / 6 / 27 / 23
• Critical Thesis T3. Big data analytics is complex and therefore more suitable for large companies than for SMEs: 8 / 13 / 18 / 20 / 6
• Critical Thesis T4. The significance of big data analytics is currently greater for fraud detection and fast response times; for fraud prevention it might be suitable in the future: 2 / 8 / 31 / 21 / 3

In summary, the overall attitude toward big data is positive: more than 40% of the participants stated that BDA is an interesting field of tools, and 25% confirmed already having it in use or continuously screening the market for suitable big data solutions and applications. In contrast, 10 respondents think that BDA is not relevant for their particular current business. Big data analytics is used for classical areas such as marketing and sales and process optimization, but the use of BDA for fraud prevention and the support of IT security is highly ranked as well.


4 Discussion

This chapter describes the answers with respect to the research questions and discusses the results and outcome of this empirical study in the context of other fraud prevention research and studies. Further, it classifies BDA into the MTO concept, draws conclusions, and makes suggestions for future research.

4.1 Answer to Research Question 1: Summary of Established Fraud Prevention Mechanisms and Activities

This section presents the outcome with respect to Research Question 1: which countermeasures to prevent fraud are in place in different types of companies? Is there any proof that there are more technical and analytical anti-fraud measures in large companies than in SMEs, or is there even a focus in specific industry sectors?

Within the survey, the questions about different established fraud countermeasures were divided according to the MTO principle, so the result is presented using the same approach. The given answer set allows for a distinction between large and small companies by splitting them at the cluster of 50 Mio. EUR turnover per year.

Overall, large and small organizations have similar measures in place to ensure compliance and prevent fraud. Additionally, the weighting between organizational measures as the most established and technology-based measures as the least established shows the same picture as the overall results described in Section 3.2.2. However, there are some remarkable differences when looking at the rank of the measures in terms of their use:

• Even SMEs use telephone hotlines to encourage the reporting of misbehavior or a fraud attempt. Such a whistleblower hotline is an additional investment, or even a process that needs to be managed permanently, and with respect to the probably limited resources of an SME this implementation is remarkable.

• Test methods and algorithms are used in all sizes of SMEs. Even the smallest cluster – below 1 Mio. turnover per year – had three mentions of using such resources. If test methods and algorithms are interpreted as indirect indicators for a potential use of BDA, this gives the impression that SMEs are not afraid to use analytical methods at all; in contrast, those are ranked fourth within the cluster of the large enterprises.

• Working according to standards like COBIT is in a shared third place within the group of SMEs, which is an interesting aspect when considering the design of an anti-fraud framework for SMEs.

• With respect to the smaller size of the organization and the number of people working there, SMEs use sample checks as their second most frequent measure, a feasible method to check and audit their processes and transactions instead of having regular external audits, which normally require resources a small company cannot easily afford. Therefore, audits are more common in large enterprises.

In Table 6, the numbers in parentheses indicate the total mentions in that particular area of MTO and show the top three given answers in a direct comparison between large and small companies. Significant deviations are highlighted in blue characters.


Large Companies, Turnover ≥ 50 Mio. EUR

Man-related (190)
1. Regularly inform all employees about compliance, security, and fraud-prevention (e.g., via circular letter or intranet) (42)
2. Conduct regular employee training (36)
3. Have a culture of integrity established (35)

Technology- or IT-based (128)
1. Work with access authorization and role-based access concepts for relevant (IT) systems (39)
2. Use “red flags” and active warning systems to detect fraud (16)
3. Work with limit systems that stop transactions or decisions with certain thresholds to forward to the next higher level of authority for approval (13)
4. Use dedicated test methods and algorithms (e.g., Benford’s law and software for pattern-matching, transaction-mining, etc.) (12)
5. Work according to standards like COBIT (10)

Organization (388)
1. Use the four-eyes principle for approvals and critical processes (46)
2. Have external audits (e.g., SOX) (41)
3. Have signatory rules for all business sectors (DOA) (38); Use operating procedures and corporate governance rules (38)

SMEs, Turnover < 50 Mio. EUR

Man-related (55)
1. Regularly inform all employees about compliance, security, and fraud-prevention (e.g., via circular letter or intranet) (16); Have a culture of integrity established (16)
2. Conduct regular employee training (10)
3. Offer whistleblower/ethics hotline (7)

Technology- or IT-based (52)
1. Work with access authorization and role-based access concepts for relevant (IT) systems (20)
2. Work with limit systems that stop transactions or decisions with certain thresholds to forward to the next higher level of authority for approval (7); Use dedicated test methods and algorithms (e.g., Benford’s law and software for pattern-matching, transaction-mining, etc.) (7)
3. Use “red flags” and active warning systems to detect fraud (5); Work according to standards like COBIT (5)

Organization (123)
1. Use the four-eyes principle for approvals and critical processes (22)
2. Use sampling tests (17); Have signatory rules for all business sectors (DOA) (17)
3. Use operating procedures and corporate governance rules (12)

Table 6: RQ-1: Comparison of Established Fraud Prevention Measures Following the MTO Concept

When there is a special department in a company to avoid misconduct and misuse, the large organizations most frequently mentioned having a compliance department or compliance officer and next most frequently mentioned a specialist for IT security or even a CISO. In contrast, the SMEs have no such special departments; the general management has to ensure compliant behavior and takes care of the anti-fraud measures. Although the generic responsibility of each employee for compliant behavior was not frequently mentioned, by sorting this answer according to SMEs and large enterprises, this option became the third most important measure for both groups.


Furthermore, most companies, regardless of their size, have established their own developed compliance or anti-fraud program. Some companies are working in accordance with frameworks like COSO and COBIT, and a few are even using dedicated anti-fraud and anti-bribery ISO standards. No SMEs were using SOX compliance rules as a framework. However, it is remarkable that in both groups the rate of answers for not knowing or not having any framework established was so high. This led me to assume that there is a lack of suitable frameworks, or at least that they are not known. A special analysis with respect to different business sectors was not conducted due to the given number of answers.

When checking my results for German-speaking companies against a global KPMG study from 2016 [10, p. 16], the implications are similar: frauds are mainly detected by internal announcements, and organizational countermeasures are still the best established.

However, there is a difference in the perception of where the fraud attack came from. My research participants mentioned external hacking attacks the most, whereas the KPMG study sees purely internal fraud as the most frequent source [10, p. 18]. My results indicate a tendency toward technology-based or cyber fraud, which might be caused by the time difference between the two studies.

Further, KPMG has stated that strong internal controls plus data analytics are needed to combat cyber fraud [10, p. 22] and has wondered about the low level of technical and analytical fraud countermeasures. Both results suggest that technical and IT-based fraud prevention measures, especially those based on analytics, are still not popular in companies compared to classical countermeasures, although the increase of e-crime and cyber fraud forces companies to prepare themselves with more technical, analytical, and IT-based countermeasures.

The current ACFE Report to the Nations from 2018 [21, p. 27] argues in a similar way: having a code of conduct, performing external and internal audits, and providing a whistleblower hotline are ranked as being more widely distributed than IT and technical prevention and detection standards. However, data monitoring analysis has halved the loss caused by fraud and doubled the speed of detecting a fraud, though just a third of the participants of the ACFE report have implemented such controls [21, p. 5]. This confirms my results that the potential of analytical methods to prevent occupational fraud is also still underestimated in German-speaking companies.

The comparison of this research indicates that large enterprises and SMEs have established similar fraud prevention activities: building employee awareness, training people, and establishing a culture of integrity are the most popular man-related fraud prevention mechanisms.

Regarding the organizational aspects, the use of the four-eyes principle and signatory rules (DOA), plus governance and work procedure guidelines, are common for both sizes of organizations. In terms of auditing and checks to detect fraud, there is a difference: regular external audits are more frequently established in large companies than in SMEs, which tend to use sampling checks instead of big auditing routines.

Comparing the technical fraud prevention measures, it is interesting to recognize that SMEs are using dedicated test methods and algorithms or software for pattern matching and transaction mining the second most often, whereas for large companies these mechanisms are in fourth place. This allows me to conclude that analytical fraud prevention and detection methods already play a certain role, even in smaller firms.


The overall answers from this research indicate that there is already a range of IT-based and analytical fraud prevention approaches in both sizes of companies; however, they are still underrepresented compared to cultural and organizational prevention activities.

4.2 Answer to Research Question 2: The Value of Big Data for Fraud Prevention and Compliance Mechanisms

This section summarizes the outcome with respect to Research Question 2: What role does BDA play, and how common (distributed) is it currently? If it is not well distributed, why not? What are the reasons for not using BDA to prevent fraud?

As described in Section 3.2.3, the overall attitude toward big data is positive, with nearly half of respondents attesting that big data is an area of interest and 17 of 69 companies already having it in use. In contrast, respondents from 10 organizations – half large corporations and half SMEs – stated that big data is not relevant for their particular business model. This leads to the assumption that there are business models for which big data is clearly relevant and others for which it is not.

As presented in Figure 12, the total number of given answers (202) made by 69 participants reveals a wide area of interest in using big data and using these new types of analytical methods in multiple areas within the same company. Therefore, the generic usefulness of big data is widely accepted and viewed as a promising area for many business processes.

With respect to this research question, 25 companies use or would use big data for fraud prevention, which is roughly a third of the companies represented in this study. However, a majority of two thirds was not sure about plans to invest money and other resources in big data for fraud prevention. This result differs massively from the outcome of the 2014 BARC study, where 70% of respondents from the DACH region had plans to use big data for risk analysis and 46% for fraud detection [9, p. 35] in the financial area. A similar difference is apparent when comparing my German-Austrian results to a worldwide Forrester study as of July 2016 [82], where 70% of the participants stated that they use data analytics to spot fraud. Considering the number of scientific papers (see some samples in Chapter 1.2.6) covering the topic of fraud management by BDA, there are proven track records or at least use cases where BDA does support anti-fraud management in certain business cases. This led me to assume that BDA is substantially useful in the area of fraud management, and that BDA is able to bring value to companies in terms of minimizing and preventing fraud risks that could be harmful to a company and lead to monetary loss. However, the state of implementation of BDA for fraud prevention is not as far advanced as it theoretically could be.


Figure 12 – RQ-2: Areas of Interest for the Use of BDA

As illustrated in Figure 13, limited IT resources, the need for very specific knowledge, and the complexity of big data are considered the main obstacles to using big data for fraud prevention. Uncertainty about effectiveness and proof of concepts are not viewed as being as critical. This could be interpreted as a basic acceptance of BDA, with the above-mentioned obstacles being the real drawbacks for the implementation and use of big data for fraud prevention.

A recent E&Y global study from 2018 came to a similar conclusion: although there is broad usage of data sources with structured and unstructured data available, a better integration is required to gain results and insights from these data. In terms of specific knowledge, skills, and handling complexity, integration is viewed as becoming a greater challenge [18, p. 14ff]. The need for a specific skillset to cope with big data, especially for fraud prevention, seems to have existed for many years; this lack of resources and the knowledge gap have not yet been closed. A 2012 IBM global study [83, p. 15] and a 2014 BARC study of the DACH region [9, p. 23] had already evaluated the need for specific technical and analytical skills for big data handling.

[Figure 12 data: In which areas does or would your organization use BDA? (In welchen Unternehmensbereichen wird/würde Ihr Unternehmen BDA nutzen?) N = 69, multiple answers possible, total = 202 answers]

Marketing & Sales (Kundenanalysen, Vertriebsprognosen) / customer analysis & sales forecast: 37
Prozess-Optimierungen / process optimization: 32
Fraud-Prevention: 25
Unterstützung / Support of IT-Security: 24
Generierung neuer Geschäftsmodelle / develop new business models: 24
Beschaffungsmanagement / Procurement: 15
Weiß ich nicht / Do not know: 12
Check von Finanzierungsrisiken / Check Financial Risks: 12
Merger & Akquisition: 8
Neue Formen der Mitarbeiter-Zusammenarbeit / New types of Collaboration: 7
Absicherung von Investitionen / securing investments: 5
Sonstiges / Other: condition based maintenance and predictions: 1

It is remarkable that the picture has changed in the subject of data quality, which was a highly ranked obstacle in the 2012 IBM study. The answers in the present study ranked that obstacle lower. This could be interpreted as improvements having been made in the meantime and companies having become more aware of the benefits of good data quality and therefore striving to reach a certain level in this area. New technologies like HANA architecture [35] have helped to reduce the efforts necessary to ensure good data quality.

The high rate of “do not know” answers might either indicate an unclear company attitude or result from the sensitivity of this research topic. Furthermore, some threats are ranked lower compared to other studies. For example, the fear of not being cost-effective [84] [9] and dealing with data privacy aspects [9] [18] were not considered significant issues by the participants of this empirical study.

Figure 13 – RQ-2: Reasons for Not Using BDA to Prevent Fraud

[Figure 13 data: If you don’t use big data analytics nor intend to use it: What are the reasons? (Welche Gründe sprechen gegen die Nutzung von Big Data zur Betrugsabwehr?) N = 69, multiple answers possible]

Weiß ich nicht / Do not know: 28
Eingeschränkte IT-Kapazitäten / Limited IT-Resources: 20
Es erfordert spezielles Wissen, ist mit unserer Personalstruktur nicht abbildbar / too specific know-how required which we do not have: 16
Zu komplex in der Einführung und im laufenden Betrieb / implementation and daily use too complex: 13
Unsicherheit über Cost-Benefit, ROI / uncertainty regarding cost benefit, ROI: 12
Unsicherheit über tatsächliche Wirksamkeit und Machbarkeit / Missing Proof of Concept: 11
Lohnt sich nicht, denn unser Unternehmen ist wenig betroffen / not relevant, our business model is not much affected: 9
Schlechte Datenqualität im Unternehmen / bad data quality in organization: 7
Schwierigkeiten, die richtigen Risiko-Szenarien zu beschreiben / difficulties to describe the risks properly: 5
Rechtliche Aspekte wie Datenschutz und Mitbestimmungsrechte des Betriebsrats / legal aspects, e.g. data privacy or workers council's rights: 5
Risiko von zu vielen Fehlalarmen / risk of too many false positives: 0


Going into the details of currently implemented BDA techniques, and despite the limitation of many participants not knowing what kind of big data technique is currently used to combat fraud in their company, the main big data and IT-based countermeasures established are ranked as follows:

1. Use of internal databases and reports to analyze relevant processes and transactions
2. Use of rule engines and automated warning systems setting “red flags” for a suspicious item, process, or transaction
3. Use of Microsoft Office tools like Excel and Access, which means conducting the investigations and the analysis more by hand instead of in an automated way, or just using these tools for results presentation, which most people in companies are able to cope with
4. The following countermeasures tied for fourth place:
o Mapping software
o The integrated solution of the ERP supplier
o Link analysis and social-media network analysis
o Sending automated notifications to a special investigation unit (SIU) for further investigation

Looking into the future implementation of big data and IT-based countermeasures, there is a tendency to first enlarge the use of internal databases and reports and second add rule-based red flag warning systems, which are already common countermeasures. However, in third place is establishing predictive modeling methods, which is considered to be a BDA technique.

When comparing these results with the answers given to the question about IT- and technology-based anti-fraud measures (see Figure 10), the picture is quite congruent: the use of rule-based red flag warning systems is in front, while databases for collecting and comparing patterns and the use of algorithms are mentioned at the same lower level.
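Two of the dedicated test methods named above, a rule engine that sets “red flags” on suspicious transactions and a Benford’s-law first-digit test, as an added Python illustration that is not code from the thesis or from any survey participant; the transactions, ledger amounts, the 5000 EUR approval limit and the rule names are constructed assumptions.

```python
"""Rule-based red flags plus a Benford first-digit test (added illustration).

Everything here is constructed: the transactions, the ledger amounts, the
5000 EUR approval limit and the rule names are hypothetical, not survey data.
"""
import math
from collections import Counter

# Constructed transactions: (tx_id, employee, vendor, amount_eur, approver).
TRANSACTIONS = [
    (1, "E01", "V-Office", 1230.50, "E07"),
    (2, "E02", "V-Travel", 4980.00, "E07"),  # just below the approval limit
    (3, "E02", "V-Travel", 4975.00, "E07"),  # again just below the limit
    (4, "E03", "V-Office", 312.00, "E03"),   # requester approves own expense
    (5, "E04", "V-Cloud", 8900.00, "E09"),
    (6, "E01", "V-Office", 1230.50, "E07"),  # same vendor and amount as tx 1
    (7, "E05", "V-Print", 2100.00, "E07"),
]

APPROVAL_LIMIT = 5000.0   # assumed: amounts >= limit need the next authority level
NEAR_LIMIT_WINDOW = 0.05  # flag the 5 % band just below that limit


def rule_self_approval(tx, ctx):
    """Four-eyes principle violated: requester and approver are the same person."""
    _, employee, _, _, approver = tx
    return employee == approver


def rule_just_below_limit(tx, ctx):
    """Amount sits just under the approval threshold (possible splitting)."""
    amount = tx[3]
    return APPROVAL_LIMIT * (1 - NEAR_LIMIT_WINDOW) <= amount < APPROVAL_LIMIT


def rule_duplicate_vendor_amount(tx, ctx):
    """Same vendor and amount posted more than once (possible double payment)."""
    return ctx["pair_counts"][(tx[2], tx[3])] > 1


RULES = {
    "self_approval": rule_self_approval,
    "just_below_limit": rule_just_below_limit,
    "duplicate_vendor_amount": rule_duplicate_vendor_amount,
}


def run_red_flags(transactions, rules=RULES):
    """Return {tx_id: [rule names]} for every transaction hitting at least one rule."""
    # Context shared by all rules: how often each (vendor, amount) pair occurs.
    ctx = {"pair_counts": Counter((tx[2], tx[3]) for tx in transactions)}
    flagged = {}
    for tx in transactions:
        hits = [name for name, rule in rules.items() if rule(tx, ctx)]
        if hits:
            flagged[tx[0]] = hits
    return flagged


def first_digit(amount):
    """Leading non-zero digit of a non-zero amount, independent of magnitude."""
    return int(f"{abs(amount):e}"[0])


def benford_first_digit(amounts, chi_critical=15.507):
    """Chi-square goodness of fit of observed first digits against Benford's law.

    15.507 is the chi-square critical value for 8 degrees of freedom at p = 0.05.
    Benford's law only applies to naturally occurring, multi-magnitude figures and
    needs a few hundred records to be meaningful; the tiny sample here only shows
    the computation, not a statistically sound test.
    """
    digits = [first_digit(a) for a in amounts if a != 0]
    n = len(digits)
    observed = Counter(digits)
    expected = {d: n * math.log10(1 + 1 / d) for d in range(1, 10)}
    chi_square = sum(
        (observed.get(d, 0) - expected[d]) ** 2 / expected[d] for d in range(1, 10)
    )
    return {
        "n": n,
        "observed": {d: observed.get(d, 0) for d in range(1, 10)},
        "expected": expected,
        "chi_square": chi_square,
        "deviates": chi_square > chi_critical,
    }


# Constructed ledger amounts with a conspicuous cluster of 4,9xx postings.
LEDGER_AMOUNTS = [
    4980.0, 4975.0, 4990.0, 4950.0, 4999.0, 4960.0, 4970.0, 4985.0,
    4940.0, 4995.0, 4965.0, 4955.0, 1230.5, 1890.0, 2100.0, 2450.0,
    312.0, 5600.0, 7200.0, 910.0,
]

if __name__ == "__main__":
    for tx_id, hits in run_red_flags(TRANSACTIONS).items():
        print(f"tx {tx_id}: {', '.join(hits)}")
    stats = benford_first_digit(LEDGER_AMOUNTS)
    print(f"first digits {stats['observed']} chi2={stats['chi_square']:.1f} "
          f"deviates={stats['deviates']}")
```

Rules of this kind are what the survey calls red flag warning systems; the Benford test is one of the test methods and algorithms listed in Table 6, and a flagged deviation is a prompt for investigation, not proof of fraud.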

If we turn this question around, the large total amount of answers (270) about what IT-based measures other than big data are more suitable for preventing fraud (see Figure 14) indicates that the participants are more familiar with the classical proven, established technical countermeasures. Additionally, it underlines the skepticism and uncertainty of many organizations about the usefulness and value of big data for the purpose of fraud prevention.


Figure 14 – RQ-2: Alternative Suitable IT-Based Countermeasures Against Fraud

In summary, the overall attitude toward big data is positive: BDA is used for classical areas such as marketing and sales and process optimizations, but fraud prevention and the support of IT security are the third and fourth most frequently mentioned answers. However, a significant skepticism about the value of big data methods to prevent fraud is recognizable, and there is uncertainty about the company’s capability to cope with BDA. The three most common obstacles to using big data techniques are limited IT resources, the need for too-specific knowledge the company cannot afford, and high complexity during implementation and daily usage. Classical and established technical countermeasures like access restrictions or regular software updates are seen as more suitable and practicable for the companies’ risk and fraud management.

[Figure 14 data: Instead of Big Data, Which Other IT-Based Measures Do You Think Are More Suitable to Protect Your Company Against Fraud? (Welche anderen IT-gestützten Maßnahmen zur Compliance-Sicherung / Schadensvermeidung halten Sie für geeigneter?) N = 69, multiple answers possible, total = 277 answers]

Beschränkungen von Zugriffsrechten / access restrictions: 58
Software-Updates und Schließen von Sicherheitslücken / perform software updates and close security gaps: 49
Erarbeitung von Rollenkonzepten / use and establish role concepts: 43
Erhöhung des technischen Schutzes gegen Eindringen von außen, z.B. 2FA, Erhöhung von Passwortsicherheiten / increase technical thresholds, e.g. 2FA, stricter password policy: 37
Einführung von physischen Sicherheitsmaßnahmen, z.B. Zugangskontrollsystemen, Videoüberwachung / physical security systems, e.g. access-controlled doors or video surveillance: 37
Fraud-Controlling: Einführung und systematische Analyse von Warnkriterien für künftige, rechtzeitige Entdeckung eines Betrugs / establish a rule-based detection system, not necessarily based on big data: 22
Einführung von Software-gestützten Sicherheitsprüfungen, z.B. Logfiles, legale Schnüffelprogramme / software-based security, e.g. logfiles, legal sniffing programs, key loggers: 21
Keines / Weiß ich nicht // None / Do not know: 7
Sonstiges / Other: 3

Free-text answers given under “Other”:

• All of these measures together constitute a suitable concept

• system-integrated controls and checks of business transactions

• establish responsibility of employees as a cultural habit


4.3 Answer to Research Question 3: Carryover to SMEs

This survey produced similar results for large companies and SMEs. Thus, there is not currently a clear picture of differences in the usage or particular carryovers from large to small organizations.

Therefore, in terms of Research Question 3 – “If use cases of fraud prevention via BDA are more common in large companies, are there benefits that could be carried over to SMEs?” – further research is necessary. A dedicated literature-based study to collect and compare results and ideas from other research might be an appropriate approach to this question.

4.4 Big Data in the Context of an MTO-Based Anti-Fraud Framework

This section interconnects the results of this research with my previous research and experiences from my professional career.

This research confirms my experience that BDA is one element of a set of measures to prevent fraud and ensure compliant behavior. The current use of big data to prevent fraud as evaluated in this study, as well as the use cases found in the research literature, indicate that BDA has its place and is already established but must be tailored to a company’s specific risk scenarios. Second, this research helped to refine the understanding of what measures are relevant, especially for the relatively new area of BDA.

To sum up all the measures in an easy, understandable way, the classification into man-related, technology-based, and organization-oriented seems very suitable and is based on Strohm and Ulich’s [25] idea that technology and organizations need to be developed together (joint optimization) because human work is based on technical and social systems and interactions. This “socio-technical system design” is briefly described as the MTO-concept. The three dimensions of MTO are universal, so they are suitable as a framework for classifying fraud countermeasures. Future research needs to develop a framework and break down the MTO principles to a procedure that could be followed by organizations to design their individual anti-fraud management programs.

With the outcome of this research, an overview chart previously developed by me could be refined and enriched with some new findings as presented in Figure 15.


Figure 15 – Fraud Prevention Framework Based on the MTO Concept (refined from [85])

4.5 Conclusion and Further Implications

This research demonstrates that BDA methods are widely accepted for business development purposes but are not yet commonly used as risk-minimizing measures. However, the research also demonstrates that BDA could play a significant role in fraud prevention, because there are already areas of business that use analytics as an effective weapon against fraud. It is worth noting that not all business areas will benefit from BDA as a fraud prevention tool in the same way. There is a need to tailor the analytical methods to the company’s individual fraud risk and to embed the BDA into a company’s GRC program.

The empirical part of this study indicates that IT-based and analytical fraud prevention and detection measures are less widely distributed than traditional human-related or organizational measures and activities. However, even SMEs can benefit from BDA as a countermeasure, and some SMEs already use big data techniques in the area of fraud risk management. It is important to lower the obstacles of limited IT resources, resolve the lack of analytical and technical skills, and reduce the complexity of implementation and daily use of BDA methods. Reducing these barriers would help all sizes and kinds of companies to use more BDA to protect themselves from fraud, especially when considering the confirmed dangers of e-crime and cyber fraud. It would be worthwhile to develop BDA-based fraud prevention tools or services, especially for those organizations that cannot afford the implementation of BDA fraud countermeasures by their own resources and skills, so they could buy these services.


In addition, this study demonstrates that the use of specific ISO standards or frameworks for fraud prevention has not yet been widely established either. This might result from either a lack of information about useful existing frameworks or the lack of a suitable framework as such. Thus, developing a universal anti-fraud framework based on the MTO concept would be an interesting design science project for future research. In that case, future research could benefit from the collected data of this research by combining them with other research and existing literature.

Due to the given number of answers to the online survey, a comparison of established IT-based fraud prevention measures between different business sectors was not suitable for providing reliable results and therefore was not evaluated and discussed. The expert interviews indicated a tendency of compliance-responsible persons to attach more value to organizational fraud prevention measures than to technical ones. However, this could not be confirmed with the online survey due to the variety of job functions of the individuals participating in this study.

Besides these limitations, future research is necessary in terms of finding dedicated beneficial use cases where BDA helped a large company but could also be helpful for fraud prevention in an SME. Therefore, a literature-based study might be an appropriate approach to this question.

Side aspects encountered during this research with potential for future research are the evaluation of the skillset of a fraud manager working in a data analytics environment and a correlation between what kinds of fraud prevention measures are established in companies using SAP compared to companies not using SAP as their ERP system.

Since there are many scientific papers covering a single fraud type that could be prevented with BDA, as well as some summarizing literature, I did not establish a comprehensive overview and collection of which BDA method is suitable to combat which type of fraud. Therefore, performing a mapping study to cluster and describe the existing big data techniques is also an option for future research.


5 Summary

This research discusses the state of implementation of IT-based anti-fraud systems, especially using BDA techniques, among German-speaking companies and organizations of different sizes and industry sectors. Legally, fraud is part of the white-collar crime area. Thus, anti-fraud management and compliance is a basic requirement for any business in any country. Besides this generic ethical aspect, there are practical questions and problems for an organization to solve when dealing with fraud attempts and preventing misuse and misbehavior.

There is a long history of fighting fraud in the area of accounting and finance, because optimizing the profit structure or pretending to be better than the real figures or the real target achievement is an inherent problem. Today, technological opportunities fuel other types of fraud like e-crime and cyber fraud, and more and more business transactions are done remotely and therefore anonymously, or even just as machine-to-machine interactions. This leads to companies’ need to prepare themselves for these new kinds of attacks such as phishing attacks, hacker intrusions, and software-manipulated documents and records. Simply put, fraudsters now have more opportunities to commit fraud.

On the other hand, the increased amount of data recorded in business transactional systems and by electronic items such as e-mails and log files allows for a forensic search in the case of a detected fraud. Real-time monitoring of activities is able to provide a warning signal in case of a suspicious operation to prevent a fraud attempt. To deal with these new, enormous amounts of data, specific techniques are required that are subsumed under the umbrella of big data techniques and algorithms. Although there is a history of data mining, big data have a new quality in terms of velocity and variety, and these data offer many possibilities to combine data from heterogeneous sources. When combing through the big data to find anomalies, data privacy regulations must be respected.

Therefore, this research deals with the practical aspects of fraud prevention measures and activities and their state of implementation. A special focus is put on the use and perception of usefulness of BDA methods to prevent fraud and ensure compliance. An empirical study was designed to address the questions of what types of fraud prevention measures are used in different sizes of companies, what role big data play there, and if big data is not used, what the barriers are and which measures are considered more suitable. A mixed method approach was used to evaluate these questions and aspects, and a definition of big data for fraud prevention was created.

The research design was a combination of classical literature research performed iteratively, the conduct of semi-structured interviews with topic-related experts from different economies, and an online survey used to capture the details. The theory part in Section 1.2 explains the typical types of occupational fraud and fraud management and provides a definition of big data and a brief summary of the current state of research about big data techniques used for fraud prevention. The methodology section describes the aspects of qualitative and quantitative research and their implementation for this research. The expert interviews acted as a preliminary study to refine the research scope and evaluate what kinds of questions could be asked during the online survey, considering that fraud is a sensitive topic. Not everybody is willing to answer questions about fraud due to the severity of the crime and unwillingness to disclose prevention measures. Therefore, the collection of data and presentation of the results was anonymized. With respect to GDPR regulations, only directly known or publicly available contacts were asked for their participation or to forward the questionnaire to relevant individuals in their organizations.

Demographically, the survey was conducted within the German-speaking business area – mainly Germany and Austria – and targeted positions that should be familiar with fraud prevention activities in their companies, such as CIOs, managing directors, high-level accounting experts, experts in IT security, compliance officers, and anti-fraud managers. Approximately 75% of the responses came from individuals performing these relevant functions.

During the 15-week runtime of the online survey, 95 valid answer sets were taken into account for the analysis. Out of these 95 answer sets, 76 answered the questions about fraud management aspects. Sixty-nine participants also answered the questions about big data, and finally 65 respondents finished the complete questionnaire and gave their personal opinions concerning some critical statements about the value of BDA in preventing fraud.

Anti-fraud management is not a standalone discipline and should be developed in the context of each company's business model. It should be part of a company's internal risk management and corporate governance structures (GRC programs), and it is related to IT and IT security as well as to data analytical methods.

Summarizing the results of the expert interviews, there was a common opinion that analytics methods must be used in accordance with laws and privacy regulations and must be tailored to the individual risks of an organization. However, compliance-related and IT-related interviewees perceived the usefulness of big data for fraud prevention differently. Two implications were drawn from this preliminary study: certain answers given by the interviewees were reused as answer options for some questions of the online questionnaire, and some questions had to be softened by using indicators or indirect, hypothetical questions for sensitive topics.

Regarding the overall fraud management status, the answers from the online survey indicate that most fraud attempts are committed in the areas of accounting and finance, sales and marketing, and procurement. By far the most frequently mentioned detection method was a tip from an employee, for example via a whistleblower hotline. Only a few participants acknowledged having been supported by an IT-based warning system. Besides the manipulation of invoices and other documents, the types of fraud committed indicate a significant share of cybercrime such as phishing attacks and data theft. Twenty-five companies use or would use big data for fraud prevention, which is roughly a third of the companies surveyed. However, the two-thirds majority is unsure about plans to invest money and other resources in big data for fraud prevention. The overall answers from this study reveal that a range of IT-based and analytical fraud prevention approaches is already established in both sizes of companies. However, they are still underrepresented compared with cultural and organizational countermeasures.

Large enterprises and SMEs have established similar fraud prevention activities: building employee awareness, training people, and establishing a culture of integrity are the most popular human-related fraud prevention mechanisms. Regarding organizational aspects, the four-eyes principle and signatory rules (DOA), plus governance and work procedure guidelines, are common in both sizes of organizations. In terms of audits and checks to detect fraud, there is a difference: regular external audits are more established in large companies than in SMEs, which use sampling checks instead. Comparing the technical fraud prevention measures, it is interesting to note that dedicated test methods and algorithms or software for pattern-matching and transaction-mining rank second most frequent among SMEs, whereas large companies rank these mechanisms fourth. This led me to conclude that analytical fraud prevention and detection methods already play a certain role, even in smaller firms.
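As an added illustration of the kind of dedicated test methods for pattern-matching and transaction-mining that the respondents reported, and not code from the thesis or from any surveyed company, the following Python script runs three simple rule checks over a constructed set of ERP-style invoice workflow events: a four-eyes check (the creator of an invoice must differ from its approver), a signatory-limit (DOA) check against a hypothetical approval-limit table, and a duplicate-invoice candidate check on vendor and amount. The event format, user names, vendors, amounts and limits are all assumptions made for the example.

```python
"""Rule-based transaction-mining checks over ERP-style invoice events.

Added example; the event schema, users, vendors, amounts and the
approval-limit table below are constructed for illustration only.
"""
from collections import defaultdict

# Constructed sample: one record per workflow step on a purchase invoice.
# Schema (assumed): (invoice_id, step, user, amount_eur, vendor)
SAMPLE_EVENTS = [
    ("INV-1001", "create",  "alice",  4200.00, "ACME Ltd"),
    ("INV-1001", "approve", "bob",    4200.00, "ACME Ltd"),
    ("INV-1001", "pay",     "carol",  4200.00, "ACME Ltd"),
    ("INV-1002", "create",  "dave",   9800.00, "Nordic Parts"),
    ("INV-1002", "approve", "dave",   9800.00, "Nordic Parts"),  # creator == approver
    ("INV-1002", "pay",     "carol",  9800.00, "Nordic Parts"),
    ("INV-1003", "create",  "erin",  48000.00, "Globex"),
    ("INV-1003", "approve", "bob",   48000.00, "Globex"),        # exceeds bob's limit
    ("INV-1003", "pay",     "carol", 48000.00, "Globex"),
    ("INV-1004", "create",  "alice",  4200.00, "ACME Ltd"),      # same vendor+amount as INV-1001
    ("INV-1004", "approve", "bob",    4200.00, "ACME Ltd"),
]

# Hypothetical signatory limits (EUR) per approver; users not listed
# hold no approval authority at all.
APPROVAL_LIMITS = {"bob": 25000.0, "frank": 100000.0}


def four_eyes_violations(events):
    """Return invoice ids where the same user both created and approved."""
    creators, approvers = {}, {}
    for inv, step, user, _amount, _vendor in events:
        if step == "create":
            creators[inv] = user
        elif step == "approve":
            approvers[inv] = user
    return sorted(inv for inv, user in approvers.items() if creators.get(inv) == user)


def doa_violations(events, limits):
    """Return (invoice, approver, amount) where the approver lacks authority.

    A missing entry in `limits` is treated as a limit of 0, so any approval
    by an unlisted user is flagged.
    """
    hits = []
    for inv, step, user, amount, _vendor in events:
        if step == "approve" and amount > limits.get(user, 0.0):
            hits.append((inv, user, amount))
    return hits


def duplicate_invoice_candidates(events):
    """Group 'create' events by (vendor, amount); return groups with >1 invoice."""
    groups = defaultdict(set)
    for inv, step, _user, amount, vendor in events:
        if step == "create":
            groups[(vendor, round(amount, 2))].add(inv)
    return {key: sorted(invs) for key, invs in groups.items() if len(invs) > 1}


def run_checks(events, limits=APPROVAL_LIMITS):
    """Run all three checks and return their findings keyed by check name."""
    return {
        "four_eyes": four_eyes_violations(events),
        "doa": doa_violations(events, limits),
        "duplicates": duplicate_invoice_candidates(events),
    }


if __name__ == "__main__":
    for name, findings in run_checks(SAMPLE_EVENTS).items():
        print(f"{name}: {findings}")
```

In practice the event list would be pulled from the ERP change log or workflow tables, and the approval-limit table from the company's DOA matrix; the checks themselves stay the same. Treating an approver who is absent from the limit table as having no authority (rather than silently skipping them) is the conservative choice for an anti-fraud control.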

In summary, the overall attitude toward big data is positive, although 10 companies think that BDA is not relevant to their current business. Big data analytics is mainly used in areas such as marketing and sales or process optimization; fraud prevention and the support of IT security are mentioned next as areas of use. However, significant skepticism about the value of big data methods for preventing fraud is recognizable within the German-speaking business area. There is uncertainty about a company's capability to cope with BDA. The three most frequently named barriers to using big data techniques are limited IT resources, the need for very specific knowledge that the company cannot afford, and high complexity during implementation and daily usage. Instead, classical and established technical countermeasures such as access restrictions or regular software updates are viewed as more suitable and practicable for the companies' risk and fraud management.

Reducing the barriers mentioned above would help companies of all sizes and kinds to use more BDA to protect themselves from fraud. It would be worthwhile to develop BDA-based fraud prevention tools or services, especially for organizations that cannot implement BDA fraud prevention measures with their own resources and skills.

In addition, this study shows that the use of frameworks is not yet well established, which may result either from a lack of information about useful existing frameworks or from the lack of a suitable framework as such. Thus, developing a universal anti-fraud framework based on the MTO concept, for example, would be an interesting design science project for future research.


6 List of Tables

Table 1: Comparison of Definitions of BI, Big Data, and Data Mining [47, p. 18] (p. 20)
Table 2: Composition of Big Data Techniques for Fraud Prevention Found in the Literature (p. 22)
Table 3: Libraries Used During Second Literature Search and Corresponding Selection Criteria (p. 33)
Table 4: Overview Questions for Expert Interviews (p. 35)
Table 5: Top Three Countermeasures Sorted by the MTO Concept (p. 44)
Table 6: RQ-1: Comparison of Established Fraud Prevention Measures Following the MTO Concept (p. 50)

7 List of Figures

Figure 1 – ACFE Fraud Tree - Occupational Fraud and Abuse Classification System [31] (p. 12)
Figure 2 – The Fraud Triangle [30, p. 276] (p. 13)
Figure 3 – The Fraud Diamond [30, p. 279] (p. 14)
Figure 4 – The Fraud Scale [30, p. 280] (p. 14)
Figure 5 – Fraud Prevention in Real Time – Example from Banking Sector [33, p. 143] (p. 15)
Figure 6 – Three Layer Model of Anti-Fraud-Management [38, p. 54] (p. 17)
Figure 7 – Fraud Management Framework Based on SAP HANA [35, p. 52] (p. 18)
Figure 8 – The Five Vs of Big Data [43, p. 6] (p. 19)
Figure 9 – Multi-Step Research Design (Exploratory Design Following the qual → QUANT Principle) (p. 24)
Figure 10 – Established Technical and IT-Related Measures to Combat Fraud (p. 45)
Figure 11 – Personal Opinions about the Usefulness of BDA for Preventing Fraud (p. 48)
Figure 12 – RQ-2: Areas of Interest for the Use of BDA (p. 53)
Figure 13 – RQ-2: Reasons for Not Using BDA to Prevent Fraud (p. 54)
Figure 14 – RQ-2: Alternative Suitable IT-Based Countermeasures Against Fraud (p. 56)
Figure 15 – Fraud Prevention Framework Based on the MTO Concept (refined from [85]) (p. 58)


8 References

[1] K. Pal, “How to combat financial fraud by using big data?,” KDnuggets, Mar-2016. [Online]. Available: https://www.kdnuggets.com/2016/03/combat-financial-fraud-using-big-data.html. [Accessed: 19-Feb-2019].

[2] D. Eaves, “Top-10 fraud trends we’ve seen in 2014 | Fraud Report,” Latest Thinking Blog, 01-Dec-2014. [Online]. Available: https://www.experian.co.uk/blogs/latest-thinking/identity-and-fraud/top-10-fraud-trends/. [Accessed: 19-Feb-2019].

[3] A. Kovačević, “Big data solutions to take a bite out of fraud,” Big Data Made Simple, 08-Dec-2017. [Online]. Available: https://bigdata-madesimple.com/big-data-solutions-to-take-a-bite-out-of-fraud/. [Accessed: 19-Feb-2019].

[4] Bundeskriminalamt, “Cybercrime, Bundeslagebild 2017,” BKA, Wiesbaden, Jul. 2018.

[5] J. Senger, “Psychologische Hürden für Betrüger sinken,” Datability, Der richtige Umgang mit unseren Daten, Reflex Verlag, Berlin, p. 11, Dec-2013.

[6] J. Mauerer, “Studie ‘Predictive Analytics 2018’: Predictive Analytics nimmt Fahrt auf,” 09-Aug-2018. [Online]. Available: https://www.computerwoche.de/a/predictive-analytics-nimmt-fahrt-auf,3545396. [Accessed: 12-Mar-2019].

[7] “Big Data im Praxiseinsatz - Szenarien, Beispiel, Effekte,” BITKOM, Berlin, 2012.

[8] Computerwoche, “BITKOM Big Data Summit 2014,” 13-Feb-2013.

[9] C. Bange and N. Janoschek, “Big Data Analytics 2014 - Auf dem Weg zur datengetriebenen Wirtschaft,” BARC-Institut Würzburg, März 2014.

[10] “Global profiles of the fraudster: Technology enables and weak controls fuel the fraud,” KPMG international, May 2016.

[11] Freudenberg IT, “Big Data auf dem Vormarsch: Fertiger entdecken die Vorteile der Echtzeitüberwachung ihrer Produktion,” IT Innovation Readiness Index 2015, Teil 7, 22-Oct-2015. [Online]. Available: http://www.freudenberg-it.com/de/teil-7-2015.html. [Accessed: 27-Oct-2015].

[12] S. Heißner and F. Benecke, “Die Zukunft von Compliance,” Compliance Business, vol. 2, Jun. 2016.

[13] L. Vona, “Using data analytics to find fraud under those shells,” www.fraud-magazine.com, Mar-2019. [Online]. Available: https://www.fraud-magazine.com/article.aspx?id=4295004889. [Accessed: 13-Mar-2019].

[14] R. Bose, “Intelligent Technologies for Managing Fraud and Identity Theft,” in Third International Conference on Information Technology: New Generations (ITNG’06), Las Vegas, NV, USA, 2006, pp. 446–451.

[15] M. Kantardzic, C. Walgampaya, B. Wenerstrom, O. Lozitskiy, S. Higgins, and D. King, “Improving Click Fraud Detection by Real Time Data Fusion,” in 2008 IEEE International Symposium on Signal Processing and Information Technology, Sarajevo, Bosnia and Herzegovina, 2008, pp. 69–74.

[16] G. E. Melo-Acosta, F. Duitama-Munoz, and J. D. Arias-Londono, “Fraud detection in big data using supervised and semi-supervised learning techniques,” in 2017 IEEE Colombian Conference on Communications and Computing (COLCOM), Cartagena, Colombia, 2017, pp. 1–6.

[17] Association of Certified Fraud Examiners, “Report to the Nations on Occupational Fraud and Abuse - 2016 Global Fraud Study,” Austin - Texas - USA, 2016.

Note: This list of references contains the references used in the main part of this thesis as well as those used in the following appendices.


[18] Ernst & Young Fraud Investigation & Dispute Services, “Global Forensic Data Analytics Survey 2018: How can you disrupt risk in an era of digital transformation?,” 2018.

[19] “Ohne Schutzschild,” IT-Security Channel Compendium, p. 8, Jun-2015.

[20] J. Mentel and C. Velten, “Digital Infrastructure 2020 - IT-Infrastruktur für das digitale Zeitalter,” Crisp Research, Kassel, Autumn 2017.

[21] Association of Certified Fraud Examiners, “Report to the Nations - 2018 Global Fraud Study on Occupational Fraud and Abuse,” Austin - Texas - USA, 2018.

[22] I-02, “Transcript Expert Interview 2,” 13-Jun-2018.

[23] W. Rupietta, “Datenanalysen als Erweiterung der Revisionsmethodik,” ZIR, vol. 06.15, pp. 273–282, 2015.

[24] “Fighting Fraud with Big Data Analytics,” CIOReview, 13-Apr-2018. [Online]. Available: https://www.cioreview.com/news/fighting-fraud-with-big-data-analytics-nid-26041-cid-141.html. [Accessed: 19-Feb-2019].

[25] E. Ulich, “Arbeitssysteme als Soziotechnische Systeme – eine Erinnerung,” Journal Psychologie des Alltagshandelns, vol. 6, no. 1, 2013.

[26] “§ 263a StGB - Einzelnorm.” [Online]. Available: https://www.gesetze-im-internet.de/stgb/__263a.html. [Accessed: 07-Mar-2019].

[27] “§ 263 StGB - Einzelnorm.” [Online]. Available: https://www.gesetze-im-internet.de/stgb/__263.html. [Accessed: 07-Mar-2019].

[28] “§ 146 StGB (Strafgesetzbuch), Betrug - JUSLINE Österreich.” [Online]. Available: https://www.jusline.at/gesetz/stgb/paragraf/146. [Accessed: 07-Mar-2019].

[29] S. Heißner, “Täter und Delikte,” in Erfolgsfaktor Integrität, Wiesbaden: Springer Fachmedien Wiesbaden, 2014, pp. 37–70.

[30] K. Henselmann and S. Hofmann, Accounting fraud: case studies and practical implications. Berlin: Erich Schmidt, 2010.

[31] Association of Certified Fraud Examiners, “Fraud Tree,” The Fraud Tree - Occupational Fraud and Abuse Classification System. [Online]. Available: https://www.acfe.com/rttn2016/images/fraud-tree.jpg. [Accessed: 07-Mar-2019].

[32] D. T. Wolfe and D. R. Hermanson, “The Fraud Diamond: Considering the Four Elements of Fraud,” CPA Journal, vol. 74.12, pp. 38–42, 2004.

[33] F. Holzenthal, “IT-gestützte Geldwäsche- und Betrugsbekämpfung in Banken und Versicherungen Mehrwert durch einen holistischen GRC-Ansatz,” ZRFC, vol. 3/14, pp. 140–143, 2014.

[34] I-03, “Transcript Expert Interview 3,” 20-Jun-2018.

[35] O. Derksen, “Fraud Analyse von Massendaten in Echtzeit,” in Big Data - Systeme und Prüfung, Deggendorfer Forum zur digitalen Datenanalyse, Ed. Berlin: Schmidt, 2013, pp. 45–59.

[36] B. Galley, “Fraud-Risk-Management,” in Unternehmenseigene Ermittlungen: Recht - Kriminalistik - IT, Berlin: Erich Schmidt Verlag, 2016, pp. 50–67.

[37] “DIIR Revisionsstandard Nr. 5.” DIIR Arbeitskreis „Abwehr wirtschaftskrimineller Handlungen in Unternehmen “, Sep-2015.

[38] S. Hofmann, Handbuch Anti-Fraud-Management Bilanzbetrug erkennen - vorbeugen - bekämpfen. Berlin: Schmidt, 2009.

[39] R. Quedenfeld, L. Beuther, I. Ganguli, U. Mühlroth, and M. Studer, “IT-basierte Überwachungssysteme,” in Handbuch Bekämpfung der Geldwäsche und Wirtschaftskriminalität, 4., völlig neu bearbeitete Auflage, Berlin: Erich Schmidt Verlag, 2017, pp. 129–137.

[40] M. E. Edge, P. R. F. Sampaio, and M. Choudhary, “Towards a Proactive Fraud Management Framework for Financial Data Streams,” in Third IEEE International Symposium on Dependable, Autonomic and Secure Computing (DASC 2007), Columbia, MD, USA, 2007, pp. 55–64.

[41] K. Taylor-Sakyi, “Big Data: Understanding Big Data,” p. 9, Jan. 2016.

[42] M. Zacher, “Big Data Analytics 2013 | Research | IDC Germany,” www.idc.de, 2013. [Online]. Available: https://idc.de/de/research/multi-client-projekte/big-data-analytics-2013. [Accessed: 18-Mar-2019].

[43] Y. Demchenko, “Defining the Big Data Architecture Framework (BDAF) - Outcome of the Brainstorming Session at the University of Amsterdam,” UvA, 17-Jul-2013.

[44] Y. Demchenko, C. de Laat, and P. Membrey, “Defining architecture components of the Big Data Ecosystem,” in 2014 International Conference on Collaboration Technologies and Systems (CTS), Minneapolis, MN, USA, 2014, pp. 104–112.

[45] C. Pütter, “Einsatz in Unternehmen: IDC-Studie: Ziele von Big-Data-Projekten,” www.cio.de, 20-Jan-2014. [Online]. Available: https://www.cio.de/a/idc-studie-ziele-von-big-data-projekten,2941230. [Accessed: 18-Mar-2019].

[46] M. Zacher, “IDC-Studie: Big Data – Business Value in deutschen Unternehmen auf dem Prüfstand,” www.idc.de, 13-Dec-2013. [Online]. Available: https://idc.de/de/ueber-idc/press-center/57064-idc-studie-big-data-business-value-in-deutschen-unternehmen-auf-dem-prufstand. [Accessed: 18-Mar-2019].

[47] J. Freiknecht, Big Data in der Praxis: Lösungen mit Hadoop, HBase und Hive: Daten speichern, aufbereiten, visualisieren. München: Hanser, 2014.

[48] G. Fels, C. Lanquillon, H. Mallow, F. Schinkel, and C. Schulmeyer, “Technik,” in Praxishandbuch Big Data: Wirtschaft - Recht - Technik, J. Dorschel, Ed. Wiesbaden: Springer Gabler, 2015, pp. 255–330.

[49] H. J. Will, “Forensische Datenanalyse – Ein Vorgehen für die Interne Revision?,” Interne Revision, vol. 3, pp. 94–102, 2007.

[50] S. Sharma and V. Mangat, “Technology and Trends to Handle Big Data: Survey,” in 2015 Fifth International Conference on Advanced Computing & Communication Technologies, Haryana, India, 2015, pp. 266–271.

[51] M. U. Sapozhnikova, A. V. Nikonov, A. M. Vulfin, M. M. Gayanova, K. V. Mironov, and D. V. Kurennov, “Anti-fraud system on the basis of data mining technologies,” in 2017 IEEE International Symposium on Signal Processing and Information Technology (ISSPIT), Bilbao, 2017, pp. 243–248.

[52] S. J. Omar, K. Fred, and K. K. Swaib, “A state-of-the-art review of machine learning techniques for fraud detection research,” in Proceedings of the 2018 International Conference on Software Engineering in Africa - SEiA ’18, Gothenburg, Sweden, 2018, pp. 11–19.

[53] N. Balasupramanian, B. G. Ephrem, and I. S. Al-Barwani, “User pattern based online fraud detection and prevention using big data analytics and self organizing maps,” in 2017 International Conference on Intelligent Computing, Instrumentation and Control Technologies (ICICICT), Kerala State,Kannur, India, 2017, pp. 691–694.

[54] N. Ghatasheh, “Fraud Prevention Framework for Electronic Business Environments: Automatic Segregation of Online Phishing Attempts,” in 2016 Cybersecurity and Cyberforensics Conference (CCC), Amman, Jordan, 2016, pp. 89–95.


[55] S. Makki et al., “Fraud Analysis Approaches in the Age of Big Data - A Review of State of the Art,” in 2017 IEEE 2nd International Workshops on Foundations and Applications of Self* Systems (FAS*W), Tucson, AZ, USA, 2017, pp. 243–250.

[56] A. Gepp, M. Linnenluecke, T. O’Neill, and T. Smith, “Big Data in Accounting and Finance: A Review of Influential Publications and a Research Agenda,” in 4th Forensic Accounting Teaching and Research Symposium, 2018.

[57] C. S. N. Alsagoff, “Microsoft Excel as a tool for digital forensic accounting,” in 2010 International Conference on Information Retrieval & Knowledge Management (CAMP), Shah Alam, Selangor, 2010, pp. 97–101.

[58] M. Herland, T. M. Khoshgoftaar, and R. A. Bauder, “Big Data fraud detection using multiple medicare data sources,” Journal of Big Data, vol. 5, no. 1, Dec. 2018.

[59] U. Kuckartz, Mixed Methods: Methodologie, Forschungsdesigns und Analyseverfahren. Wiesbaden: Springer VS, 2014.

[60] A. Kelle, “Mixed Methods,” in Handbuch Methoden der empirischen Sozialforschung, N. Baur and J. Blasius, Eds. Wiesbaden: Springer VS, 2014, pp. 153–166.

[61] C. Rupp and die SOPHISTen, Eds., Requirements-Engineering und -Management: Aus der Praxis von klassisch bis agil, 6. Auflage. München: Carl Hanser Verlag, 2014.

[62] C. Helfferich, “Leitfaden- und Experteninterviews,” in Handbuch Methoden der empirischen Sozialforschung, N. Baur and J. Blasius, Eds. Wiesbaden: Springer VS, 2014, pp. 559–574.

[63] M. Häder, “Erhebungsmethoden,” in Empirische Sozialforschung, VS Verlag für Sozialwissenschaften, 2010, pp. 187–337.

[64] A. Kurz, C. Stockhammer, S. Fuchs, and D. Meinhard, “Das problemzentrierte Interview,” in Qualitative Marktforschung, P. D. R. Buber and P. D. H. H. Holzmüller, Eds. Gabler, 2009, pp. 463–475.

[65] K. Niebert and H. Gropengießer, “Leitfadengestützte Interviews,” in Methoden in der naturwissenschaftsdidaktischen Forschung, D. Krüger, I. Parchmann, and H. Schecker, Eds. Springer Berlin Heidelberg, 2014, pp. 121–132.

[66] C. Züll, “Offene Fragen,” SDM-Survey Guidelines (GESIS Leibniz Institute for the Social Sciences), 2015.

[67] J. Reinecke, “Grundlagen der standardisierten Befragung,” in Handbuch Methoden der empirischen Sozialforschung, N. Baur and J. Blasius, Eds. Wiesbaden: Springer VS, 2014, pp. 601–617.

[68] N. Menold and K. Bogner, “Gestaltung von Ratingskalen in Fragebögen,” SDM-Survey Guidelines (GESIS Leibniz Institute for the Social Sciences), 2015.

[69] J. Klöckner and J. Friedrichs, “Gesamtgestaltung des Fragebogens,” in Handbuch Methoden der empirischen Sozialforschung, N. Baur and J. Blasius, Eds. Wiesbaden: Springer VS, 2014, pp. 675–685.

[70] T. Lenzner and N. Menold, “Frageformulierung,” SDM-Survey Guidelines (GESIS Leibniz Institute for the Social Sciences), 2015.

[71] K. Bogner and U. Landrock, “Antworttendenzen in standardisierten Umfragen,” SDM-Survey Guidelines (GESIS Leibniz Institute for the Social Sciences), 2015.

[72] W. Bandilla, “Online-Befragungen,” SDM-Survey Guidelines (GESIS Leibniz Institute for the Social Sciences), 2015.

[73] P. Mayring, Qualitative content analysis: theoretical foundation, basic procedures and software solution. Klagenfurt, 2014.


[74] D. Lück and U. Landrock, “Datenaufbereitung und Datenbereinigung in der quantitativen Sozialforschung,” in Handbuch Methoden der empirischen Sozialforschung, N. Baur and J. Blasius, Eds. Wiesbaden: Springer VS, 2014, pp. 397–409.

[75] T. Dyba, B. A. Kitchenham, and M. Jorgensen, “Evidence-based software engineering for practitioners,” IEEE Software, vol. 22, no. 1, pp. 58–65, Jan. 2005.

[76] B. Kitchenham, “Guidelines for performing systematic literature reviews in software engineering,” in Technical report, Ver. 2.3 EBSE Technical Report. EBSE, sn, 2007.

[77] “Anzahl Unternehmen in Österreich per 31.12.2011 nach ÖNACE2008-Klasse,” 2012.

[78] “Anzahl der Unternehmen in Deutschland nach Beschäftigtengrößenklassen in 2017,” Statista, Sep-2018. [Online]. Available: https://de.statista.com/statistik/daten/studie/1929/umfrage/unternehmen-nach-beschaeftigtengroessenklassen/. [Accessed: 05-Dec-2018].

[79] “Organisationshandbuch - Ermittlung des Stichprobenumfangs.” [Online]. Available: https://www.orghandbuch.de/OHB/DE/Organisationshandbuch/5_Personalbedarfsermittlung/51_Grundlagen/514_Stichprobe/5144%20Ermittlung%20des%20Stichprobenumfang/stichprobenumfang-node.html. [Accessed: 18-Jul-2016].

[80] N. Burzan, “Indikatoren,” in Handbuch Methoden der empirischen Sozialforschung, N. Baur and J. Blasius, Eds. Wiesbaden: Springer VS, 2014, pp. 1029–1036.

[81] J.-H. Wang, Y.-L. Liao, T. Tsai, and G. Hung, “Technology-based Financial Frauds in Taiwan: Issues and Approaches,” in 2006 IEEE International Conference on Systems, Man and Cybernetics, Taipei, Taiwan, 2006, pp. 1120–1124.

[82] Forrester Research Inc., “Data and analytics in enterprise: level of integration 2016 | Statistic,” Statista, 2018. [Online]. Available: https://www.statista.com/statistics/791097/worldwide-integration-data-analytics-by-business-area/. [Accessed: 22-Nov-2018].

[83] M. Schroeck, Rebecca Shockley, J. Smart, D. Romero-Morales, and P. Tufano, “Analytics: The real-world use of big data - How innovative enterprises extract value from uncertain data,” IBM Global Business Services, Executive Report, Oct. 2012.

[84] J. Tang and K. E. Karim, “Financial fraud detection and big data analytics – implications on auditors’ use of fraud brainstorming session,” Managerial Auditing Journal, Oct. 2018.

[85] M. Trierweiler, “Referat über Erweiterung und Optimierung von ERP-Systemen zur Betrugsbekämpfung,” presented at the Lecture: Information Engineering & Management (VL, 256.503), SS2017, Linz, JKU, 13-Jun-2017.

[86] P. Montag, Risikomanagement und Compliance im Mittelstand: Status quo und Erfolgsfaktoren der Implementierung. Berlin: Erich Schmidt Verlag, 2016.

[87] “Gewerbeverzeichnis Deutschland.” [Online]. Available: https://www.gewerbeverzeichnis-deutschland.de/branchen. [Accessed: 05-Dec-2018].

[88] “Branchenübersicht,” Statista - Das Statistik-Portal. [Online]. Available: https://de.statista.com/statistik/kategorien/. [Accessed: 02-Dec-2018].

[89] “Unternehmen in Deutschland nach Umsatzgrößenklassen 2016 | Statistik,” Statista. [Online]. Available: https://de-1statista-1com-1yccbusjq0163.han.ubl.jku.at/statistik/daten/studie/239418/umfrage/unternehmen-in-deutschland-nach-umsatzgroessenklassen/. [Accessed: 05-Dec-2018].

[90] H. Klodt, “Definition: Unternehmensgrößenstruktur,” Gabler Wirtschaftslexikon. [Online]. Available: https://wirtschaftslexikon.gabler.de/definition/unternehmensgroessenstruktur-49851. [Accessed: 05-Dec-2018].

[91] Coalition Against Insurance Fraud, “The State of Insurance Fraud Technology - Report 2016,” Coalition Against Insurance Fraud, Washington D.C., Nov. 2016.


[92] “Abkürzungen englischer Berufsbezeichnungen/Geschäftstitel (CEO, CFO usw.).” [Online]. Available: https://www.cafe-lingua.de/business-english/abkuerzungen-geschaeftstitel.php#liste-co. [Accessed: 05-Dec-2018].

[93] “C-Level-Führungskräfte: Bewerbungs- und Karrieretipps.” [Online]. Available: https://www.karriereakademie.de/karriereblog/c-level-fuehrungskraefte-bewerbungs-und-karrieretipps. [Accessed: 05-Dec-2018].

[94] M. Riedel and R. Fazzone, “Enabling Compliance - Welche Rolle spielt Technologie?,” Ernst & Young GmbH, Executive Report, 2012.

[95] I-01, “Transcript Expert Interview 1,” 13-Jun-2018.

[96] L. V. A. O. G. & C. KG, “Begriffe von A - Z - Lexikon der Korruption - Compliance Praxis.” [Online]. Available: https://www.compliance-praxis.at/Lexikon-der-Korruption/Begriffe-von-A-Z. [Accessed: 05-Dec-2018].

[97] R. Quedenfeld, L. Beuther, I. Ganguli, U. Mühlroth, and M. Studer, “Maßnahmen zur Verhinderung sonstiger strafbarer Handlungen,” in Handbuch Bekämpfung der Geldwäsche und Wirtschaftskriminalität, 4., völlig neu bearbeitete Auflage., Berlin: Erich Schmidt Verlag, 2017, pp. 524–531.

[98] “BCM | Berufsverband der Compliance Manager.” [Online]. Available: https://www.bvdcm.de/. [Accessed: 05-Dec-2018].

[99] “DICO e.V. - Deutsches Institut für Compliance e.V.,” DICO e.V. [Online]. Available: https://www.dico-ev.de/. [Accessed: 05-Dec-2018].

[100] L. V. A. O. G. & C. KG, “Österreichischer Compliance Officer Verbund / ÖCOV gegründet - Kurzartikel - Compliance Praxis.” [Online]. Available: https://www.compliance-praxis.at/Kurzartikel/Oesterreichischer-Compliance-Officer-Verbund-OeCOV-gegruendet. [Accessed: 05-Dec-2018].

[101] “Association of Certified Fraud Examiners.” [Online]. Available: https://www.acfe.com/. [Accessed: 05-Dec-2018].

[102] R. Khan, M. Corney, A. Clark, and G. Mohay, “Transaction Mining for Fraud Detection in ERP Systems,” Industrial Engineering and Management Systems, vol. 9, no. 2, pp. 141–156, Jun. 2010.

[103] S. Behringer, “Compliance-Management,” in Handbuch Compliance international: Recht und Praxis der Korruptionsprävention, M. Passarge, S. Behringer, and W. Babeck, Eds. Berlin: Erich Schmidt Verlag, 2015, pp. 5–25.

[104] J. Kregel, “Operative Supportprozesse 1: IT-Prozesse und IT-Revision,” in Operational Auditing: Revision von IT, Marketing, Produktion und Einkauf, V. H. Peemöller and J. Kregel, Eds. Berlin: Schmidt, 2015, pp. 307–444.

[105] K. Henselmann and S. Hofmann, “Appendix: Practice Aids,” in Accounting fraud: case studies and practical implications, Berlin: Erich Schmidt, 2010, pp. 290–296.

[106] KPMG - Forensic, “Measuring Ethical Climate with the Integrity Thermometer,” Aug-2016.

[107] “Fair Business Compliance Certificate.” [Online]. Available: http://www.iso19600.org/?gclid=Cj0KCQiAi57gBRDqARIsABhDSMp9hGGquM_nw8XDOUEf5eWn8fVMPP4HKcMXPVSVgNR1DsVvzN1grqwaAnrFEALw_wcB. [Accessed: 05-Dec-2018].

[108] D. Turner, M. E. Schroeck, and R. Shockley, “Analytics: The real-world use of big data in financial services,” IBM Global Business Services, Executive Report, Oct. 2012.

[109] D. Grottini, D. G. Heinrich, and A. Siebler, “Das Interne Kontrollsystem beim Einsatz sozialer Medien in Unternehmen,” p. 13, 2018.


[110] Forrester Research Inc., “Big Data Needs Agile Information And Integration Governance,” Aug. 2013.

[111] K. Manhart, “Information statt Intuition: Analyse- und Reporting-Tools für Geschäftsführer.” [Online]. Available: https://www.channelpartner.de/a/analyse-und-reporting-tools-fuer-geschaeftsfuehrer,2554667. [Accessed: 03-Feb-2015].

[112] ISG ehem. Experton Group AG Ismaning, Ed., “Big Data Vendor Benchmark 2016.” Nov-2015.

[113] S. Brown, “Likert Scale Examples for Surveys,” 2010. [Online]. Available: https://www.extension.iastate.edu/Documents/ANR/LikertScaleExamplesforSurveys.pdf.


9 Appendices

9.1 Design and Structure of the Online Questionnaire

This appendix shows the structure of the survey, including the questions and answer options in the original German (with English translations), as well as explanations of the design in English. Additionally, the texts used on the landing and thank-you pages and a screenshot of the contact form are provided.

Design of the Questionnaire

Explanation of the Table Structure: Please note that only the columns with the questions and the answer metric were displayed to the respondents while they filled in the online questionnaire.

Column 1 = Question ID for each module
Column 2 = Question for each module
Column 3 = Answer metric: Yes – No | Selectable answer from dropdown | Free text | Rating scale from five to one (fully agree, agree somewhat, do not know/cannot answer, slightly disagree, disagree completely)
Column 4 = X-Check: the question helps to cross-check and validate dependent questions, allows plausibility checks and combined answers, and makes it possible to evaluate some aspects found in the existing literature or derived from the expert interviews of the pre-study
Column 5 = Reference, in case inputs were taken or derived from other surveys or literature; if there is no entry, the input comes from the author's own domain knowledge

* marks a mandatory question; without * the question is optional (used where a forced answer would risk a drop-off and incomplete answers)
________ marks a free text entry field (e.g., for answers other than those provided)
o radio button = a single answer is allowed
o checkbox = multiple answers are allowed

Explanation of the Question Grouping:

Module 1: Captures generic parameters about the company's type, size, industry, and the role of the respondent.
Module 2: Contains questions about the compliance countermeasures and the anti-fraud methods installed in that company or organization.
Module 3: Asks about BDA and technical concepts established in the company that help to ensure compliance and protect the organization from fraud attacks.
Module 4: Asks, using a five-point Likert scale, for the participant's personal opinions on a few statements about the use of big data techniques to ensure compliance and to prevent fraud attacks.


Technical Aspects:

a. Survey answers are captured anonymously: no IP tracking, no Google Analytics.
b. A cookie is set to avoid double entries.
c. Timeframe: the survey is open from December 14, 2018 until March 31, 2019.
d. The contact form is added as a separate survey, to ensure that no answers can be linked back to a person.

M1 Module 1: General company data

Columns: ID | Question | Answer metric | X-check | Ref.

Q1* In which country are you / is your company active?
o Germany
o Austria
o Switzerland
o Other country: __________

Q2* What is the legal form of your company?
o Sole proprietorship / e.K.
o UG / Limited
o GmbH / Ges.m.b.H. (limited liability company)
o Kommanditgesellschaft (limited partnership)
o OHG (general partnership)
o Aktiengesellschaft (stock corporation) / listed on a stock exchange
o Other legal form: __________
Ref.: [86]

Q3* In which industry is your company active?
o Services
o Engineering
o Manufacturing / production industry
o Finance & insurance
o Leisure, travel & hospitality
o Trade (wholesale and retail)
o Trade (e-commerce & mail order)
o Skilled crafts
o IT & telecommunications
o Real estate, construction
o Public sector
o Process industry (e.g., chemicals)
o Transport & logistics
o Environment & nature
o Utilities, energy
o Business, law, consulting
o Other industry: __________
Ref.: [9] [87] [88]

Q4* What is the annual turnover of your company?
o Under 1 million annual turnover
o 1 million to 2 million annual turnover
o 2 million to 10 million annual turnover
o 10 million to 50 million annual turnover
o 50 million and above annual turnover
Ref.: [89]

Q5* How many employees does the company have?
o 1 – 9
o 10 – 49
o 50 – 249
o 250 – 500
o More than 500
Ref.: [86] [90] [78]

Q6* Is the company part of a group?
Yes / No
Ref.: [86]

Q6.1* If yes, where is the parent company / headquarters located?
o Germany
o Austria
o Switzerland
o Other EU country
o USA
o Other country: __________

Q7* What is your own function in the company?
o Managing director / senior management
o Accounting manager / bookkeeping / financial reporting / CFO
o Head of IT / CIO / CITO
o IT security specialist or officer / CISO
o Compliance officer
o Big data or BI / analytics specialist
o Other function: __________
Ref.: [91] [92] [93] [94]

Q8* Which merchandise management (ERP) or accounting system does your company use?
o MS Office (Word/Excel-based)
o SAP-based
o Oracle-based
o Datev-based
o Navision-based
o In-house development
o Other industry solution: __________

Q9* Are your customers mainly … ? (footnote 3)
o Business customers
o Private customers / consumers
o Both

Footnote 3 (to Module 1, Q9): This question was left out of the current analysis because of its subordinate role relative to the amount of feedback.

M2 Module 2: Questions on ensuring compliance in the company
Assessment of the importance and maturity of fraud prevention for the respondent's own company

Columns: ID | Question | Answer metric | X-check | Ref.

Q1 Has your company been confronted with a compliance violation / fraud attempt in the last 12 months?
Yes / No
Note: if the answer is Yes, questions 1.1 to 1.3 appear; otherwise they are skipped.

Q1.1 If yes, which business area was affected?
o Purchasing / procurement management
o Sales / marketing
o Bookkeeping / accounting
o IT
o Project management
o Logistics / supply chain
o E-commerce systems
o Other area: _________
X-check: M2 Q1

Q1.2 If yes, was this an attack from outside or from inside?
o From outside (customer / supplier)
o From outside (hacker / IT attack)
o From inside (employee)
o From both sides (collusion)
o Unknown / could not be determined

Q1.3 If yes, how was the compliance violation / fraud attempt discovered?
o By chance
o Complaint by a customer / supplier
o Attentive employee / whistleblower hotline
o Internal controlling
o IT-supported fraud warning system
o Audit / external or internal audit ("Buchprüfung / Audit / Revision")
o Not known to me
o Other: ___________

Q2* How has the number of compliance violations / fraud attempts affecting your company changed over the last 3 years?
o Increased significantly
o Increased slightly
o Remained roughly the same
o Decreased slightly
o Decreased significantly
o No answer
Ref.: [91]

Q3* Imagine a compliance violation / fraud attempt that would be typical for your company's industry: which type of risk would your company most likely be exposed to?
o Fraudulent expenses, e.g., false supplier invoices
o Falsified financial statements
o Bust-out fraud
o CxO fraud / fake-president attack
o Cyber / internet fraud
o Data theft (skimming)
o Theft
o Identity theft / account hacking / theft of personal data
o Corruption / bribery
o Credit card fraud
o Phishing attack
o Re-shipping scam (forwarding of goods via straw men)
o Check forgery
o Pyramid schemes
o Collusive agreements (bid rigging) or improper reciprocal deals
o Insurance fraud
o Other: ___________
Ref.: e.g. [31] [95] [22] [34] [96]

Q4* Does your company have its own department or staff unit for risk defense?
o Yes, compliance department / compliance officer
o Yes, fraud prevention officer
o Yes, IT security / chief information security officer (CISO)
o Yes, own forensics department
o No, no special department (handled by the management)
o No, we work with specialized external partners and obtain advice from them
o All employees are responsible for it, each for their own area
o I do not know
o Other: ___________
Ref.: [86]

Q5* Which measures for ensuring compliance and preventing fraud are established in your company? Area: employees
o Living a culture of integrity
o Membership in an association for ensuring compliance, e.g., IR, ACFE, BCM, ÖCOV
o Regular information of employees on compliance / security tips / risk defense, e.g., on the intranet or by circular
o Regular employee assessments (closed-loop learning) to raise awareness
o Regular employee training
o Whistleblower hotline / ethics hotline
o Other: ___________
Ref.: [38] [95] [22] [34] [97] [98] [99] [100] [101]

Q6* Which measures for ensuring compliance and preventing fraud are established in your company? Area: technology / IT
o Active search for defined "red flags"
o Working according to standards, e.g., COBIT
o Use of special test procedures and audit software, e.g., Benford's law / deviation analysis / pattern matching / transaction mining
o Maintaining a database of fraud typologies (including past suspected cases) and checking transactions against this watch list
o Limit systems
o Machine learning techniques
o Use of external databases and feeds with fraud typologies (e.g., STIX, TAXII, SpyCloud) for detection
o Use of special fraud risk assessment tools
o Access authorizations and role concepts for all relevant (IT) systems
o I do not know
o Other: ___________
X-check: M3 Q6
Ref.: [34] [38] [102] [97]

Q7* Which measures for ensuring compliance / preventing fraud are established in your company? Area: organization / processes
o Four-eyes principle for approvals and for critical business processes
o Audit / external or internal audit, e.g., according to SOX
o Background checks
o Involvement of external specialists (forensic services)
o Issuing corporate governance rules / work instructions
o Ethics & compliance measures
o Segregation of duties
o IT-supported approval workflows with thresholds that escalate to the next level
o Regular fraud audits
o Regular risk assessments
o Sampling checks
o Signatory rules for all business areas
o Incident response plan / emergency plan
o Other: ___________
Ref.: [34] [22] [95] [38] [97]

Q8* Which frameworks, norms and standards does your company follow in the area of compliance / fraud prevention?
o ISO 26000:2010 "Guidance on Social Responsibility"
o ISO 19600 "Compliance management systems - Guidelines"
o ISO 37001 "Anti-bribery management systems - Requirements with guidance for use"
o COBIT framework
o COSO framework
o SOX
o Concept of the ethics barometer (integrity thermometer)
o Own compliance program or own code of conduct
o Own anti-fraud policy
o None / I do not know
o Other framework or other industry standard: ________
X-check: M3 in general
Ref.: [103] [34] [104] [105] [106] [97] [107]
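Two of the IT-based measures listed in Module 2 are directly automatable: the "special test procedures" such as Benford's law in Q6, and the threshold-based approval workflows in Q7 (whose typical abuse is parking invoices just under the limit). The following Python is an added example written for this appendix, not code from the thesis or its survey; the vendor names, invoice amounts, the 5,000 approval threshold, the 5 % band under it and the minimum sample size are all constructed assumptions.

```python
"""Added example (not from the thesis): two of the IT-based anti-fraud checks
named in the questionnaire (Module 2, Q6 and Q7), run over a constructed set
of supplier invoices.

1. Benford's-law first-digit test per vendor ("special test procedures").
2. A red-flag business rule: invoices clustered just below the amount at
   which an IT-based release workflow escalates to the next approval level.

All vendor names, amounts and the threshold below are made up for the demo.
"""
import math
from collections import Counter, defaultdict

# Benford's law: P(first digit = d) = log10(1 + 1/d)
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
# chi-square critical value for 8 degrees of freedom at alpha = 0.05
CHI2_CRIT_8DF_05 = 15.507
MIN_SAMPLE = 50          # Benford tests are unreliable on tiny samples

# Assumed approval threshold of the release workflow (constructed value)
APPROVAL_THRESHOLD = 5000.00
JUST_BELOW_BAND = 0.05   # 5 % window under the threshold
JUST_BELOW_MIN_HITS = 3  # a vendor is flagged from the third such invoice


def first_digit(amount):
    """Leading non-zero digit of a positive amount (0.05 -> 5, 1234.5 -> 1)."""
    return int(f"{abs(amount):e}"[0])


def benford_chi_square(amounts):
    """Chi-square statistic of observed first digits against Benford's law.

    Returns None when the sample is too small to say anything.
    """
    digits = [first_digit(a) for a in amounts if a]
    n = len(digits)
    if n < MIN_SAMPLE:
        return None
    observed = Counter(digits)
    return sum((observed.get(d, 0) - n * p) ** 2 / (n * p)
               for d, p in BENFORD.items())


def just_below_threshold(amount, threshold=APPROVAL_THRESHOLD,
                         band=JUST_BELOW_BAND):
    """True if the amount sits inside the window just under the threshold."""
    return threshold * (1 - band) <= amount < threshold


def screen_invoices(invoices):
    """Run both checks per vendor; return {vendor: [red-flag strings]}.

    `invoices` is an iterable of (vendor, amount) pairs.
    """
    by_vendor = defaultdict(list)
    for vendor, amount in invoices:
        by_vendor[vendor].append(amount)

    flags = {}
    for vendor, amounts in by_vendor.items():
        hits = []
        chi2 = benford_chi_square(amounts)
        if chi2 is not None and chi2 > CHI2_CRIT_8DF_05:
            hits.append(f"first-digit distribution deviates from Benford "
                        f"(chi2={chi2:.1f})")
        near = sum(1 for a in amounts if just_below_threshold(a))
        if near >= JUST_BELOW_MIN_HITS:
            hits.append(f"{near} invoices just below the "
                        f"{APPROVAL_THRESHOLD:.0f} approval threshold")
        if hits:
            flags[vendor] = hits
    return flags


# --- constructed sample data -------------------------------------------------
# Honest vendor: amounts spread log-uniformly over three decades, which is
# exactly the kind of data Benford's law describes.
HONEST = [("Metallbau Huber", round(10 ** (i / 20), 2)) for i in range(1, 61)]
# Suspicious vendor: thirty invoices parked just under the threshold and
# thirty nine-hundred-something amounts; no leading digits 1-3 at all.
SUSPECT = ([("Consulting Schmid", 4950.00 + i * 0.75) for i in range(30)]
           + [("Consulting Schmid", 900.00 + i * 2.5) for i in range(30)])
SAMPLE_INVOICES = HONEST + SUSPECT

if __name__ == "__main__":
    for vendor, reasons in screen_invoices(SAMPLE_INVOICES).items():
        print(vendor)
        for reason in reasons:
            print("  -", reason)
```

Run as a script it prints the flagged vendor with both reasons. Benford's law only applies to amounts that span several orders of magnitude and are neither capped nor assigned (it says nothing about fixed subscription fees, for instance), and a chi-square hit is a prompt for a closer look by a human, not evidence of fraud on its own; the threshold rule is the cheaper check and is the one that catches a purchase being split to stay under someone's own approval limit.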

M3 Module 3: The company's attitude to big data, in particular for ensuring compliance / fraud prevention

Columns: ID | Question | Answer metric | X-check | Ref.

Q1* What is your company's general attitude towards big data analytics methods?
o An interesting field of analysis methods & tools
o Already actively used in the company
o Not relevant for the company and its business model
o Buzzword / fad
o Only for "large companies" / my company cannot afford it
o I do not know
o Other: __________
X-check: M4
Ref.: [22] [108]

Q2* For which business areas does or would your company use big data analytics?
o Securing investments
o Mergers & acquisitions
o Fraud prevention in general
o Checking financing risks
o Purchasing
o Generating new business models
o Marketing / sales (customer analyses, sales forecasts)
o New forms of employee collaboration
o Process optimization
o Supporting IT security
o I do not know
o Other: __________
Ref.: [34] [95] [108] [9]

Q3* If you use big data technologies for ensuring compliance / preventing fraud, which types of risk does the company want to cover with them?
o Defense against cyber attacks / hacker attacks
o Defense against credit card fraud
o Defense against phishing attacks
o "Doctoring" of receipts and records
o Misconduct in accounting / financial reporting
o Securing e-commerce transactions
o General support of the internal control system (ICS)
o Conducting risk assessments
o I do not know
o Other: __________
Ref.: [109] [91]

Q4* What are the company's plans for investing in big data tools to ensure compliance & governance?
o No plans, the company is not interested
o The company maintains its current level of investment
o I do not know / no answer
o Yes, the company will invest in this for the first time within the next 12 months
o Yes, the company will expand its existing investments
X-check: M3 Q1
Ref.: [110] [34]

Q5* If your company has big data or IT-supported fraud warning system(s) in place, of which type / technology are they?
o Automated alerts to a forensics / security / special investigation unit (SIU)
o Automated red flags / business rules
o The solution of my ERP vendor
o Internal databases / internal reports
o Link analysis / social network analysis
o Mapping software
o MS Office tools such as Excel / Access
o Use of external databases and feeds with fraud typologies (e.g., STIX, TAXII, SpyCloud, NICB, LexisNexis) for detection
o Predictive modeling
o Software as a visualization front end for Excel and BI data
o Special case management software
o Text mining / natural language processing
o None of these / I do not know
o An external software / industry solution: _________ (please name)
X-check: M1 Q8; M2 Q6
Ref.: [9] [111] [112] [91] [108] [38] [110]

Q6* Which of these big-data-supported fraud prevention measures does your company intend to introduce in the next 12 to 18 months?
o Automated alerts to a special investigation unit (SIU)
o Automated red flags / business rules
o The solution of my ERP vendor
o Internal databases / internal reports
o Link analysis / social network analysis
o Mapping software
o MS Office tools such as Excel / Access
o Use of external databases and feeds with fraud typologies (e.g., STIX, TAXII, SpyCloud, NICB, LexisNexis) for detection
o Predictive modeling
o Software as a visualization front end for Excel and BI data
o Special case management software
o Text mining / natural language processing
o None of these / I do not know
o An external software / industry solution: _________ (please name)
X-check: M3 Q5
Ref.: [9] [111] [112] [91] [108] [38] [110] [34]

Q7* If you do not use big data analytics technologies for ensuring compliance / preventing fraud so far, and do not intend to use them in the near future either, what are your company's reasons? Which obstacles are there?
o It requires knowledge that is too specialized, which we cannot cover with our staff structure
o Limited IT resources
o Not worthwhile, because our company is little affected
o Legal aspects such as data protection and the co-determination rights of the works council
o Risk of too many false alarms / false positives
o Poor data quality in the company
o Difficulties in describing the right risk scenarios
o Uncertainty about cost/benefit or ROI
o Uncertainty about actual effectiveness (proof of concept)
o Too complex to introduce and to operate
o Other reasons: __________
Ref.: [34] [91] [108]

Q8* Instead of big data analytics methods, which other IT-supported measures for ensuring compliance / avoiding losses do you consider more suitable?
o Restricting access rights
o Introducing physical security measures, e.g., access control systems, video surveillance
o Introducing software-supported security checks, e.g., log files, legally permitted monitoring software
o Developing role concepts
o Increasing the technical protection against intrusion from outside, e.g., 2FA, stronger password security
o Fraud controlling: introducing and systematically analyzing special warning criteria for the timely detection of future fraud
o Software updates and closing of security gaps
o None / I do not know
o Other: ________
X-check: M3 Q5, M3 Q6
Ref.: [95] [22] [34]

M4 Module 4: Your personal attitude to theses on the usefulness of big data analytics methods for ensuring compliance / fraud prevention

Question: Regardless of your company's attitude, to what extent do you agree with the following statements? (footnote 4)

Scale: 1 (not at all) – 2 (a little) – 3 (do not know / cannot say) – 4 (tend to agree) – 5 (fully agree)

Columns: Statement/thesis | Metric | X-check | Reference

T1* Big data is fundamentally less suited to ensuring compliance / fraud prevention; rather, the basic ethics and morals of employees must be raised so that they behave correctly.
Scale 1 … 5 | X-check: M1 Q7 | Ref.: [95] [22]

T2* It is more important to identify the company-specific risks than to analyze everything indiscriminately with big data.
Scale 1 … 5 | Ref.: [22]

T3* Big data analytics is complex and therefore more suited to groups and large companies than to medium-sized or small businesses.
Scale 1 … 5

T4* Big data currently has greater significance in fraud detection and for fast reaction times; in prevention it is still more a thing of the future.
Scale 1 … 5 | Ref.: [34]

Content of the landing page

Thank you very much for your willingness to support my research on the topic "Use of big data analytics for ensuring compliance / fraud prevention".

Filling in the questionnaire takes only a few minutes, and all answers are collected anonymously. To make it easier to fill in, all questions have pre-set answer options that can be clicked.

The questionnaire is divided into four modules:

Module 1 collects general company data and thus allows the data to be aggregated by industry, company size and legal form, but does not allow any conclusions to be drawn about individual companies.

Module 2 asks about the measures for ensuring compliance / fraud prevention in place in your company.

Module 3 asks about the experience gained in your company and the use of big data analytics with regard to ensuring compliance / fraud prevention.

Module 4 asks for your personal assessment of a few theses in the context of this research, to obtain a picture of the mood.

After the data collection has ended you can leave me your contact details to receive a summary of the research results. The answers will be evaluated and analyzed during Q1/2019.

Thank you very much!

Michaela Trierweiler, Dipl.-Betriebswirtin (BA) / student of business informatics (MSc)

Contact: [email protected]

About this research project:

Against the background of increasing digitalization and the worldwide rise in the number of fraud cases in the corporate environment, this master thesis deals with the question of the extent to which big data analytics (footnote 5) methods can help to detect a compliance violation while it is still being initiated (preventively) or shortly after it has occurred, in order to prevent damage to the company or at least to minimize it through a fast response.

An effective bundle of measures for ensuring compliance and preventing fraud consists of a triad of organizational, technical and employee-related measures. This research project focuses in particular on the technical area by means of big data analyses and aims to work out, through an empirical study, the potential benefit of using such means for ensuring compliance.

On the university side the research project is accompanied by the Institute of Information Engineering of Johannes Kepler University Linz and supervised by Prof. Dr. René Riedl.

Content of the thank-you page

Thank you for supporting my master thesis with your answers. As a thank-you, I will gladly send you a summary of the results of my work. To do so, please enter your contact details in the following form.

LINK to the form

Many thanks, Michaela Trierweiler, Dipl.-Betriebswirtin (BA) / student of business informatics (MSc)

Footnote 4 (to Module 4): Using a 5-point Likert scale: 5 = strongly agree, 4 = agree, 3 = not sure / do not know, 2 = disagree, 1 = strongly disagree. [113]

Footnote 5: Big data in the sense of regular (daily to real-time) analysis of critical processes and areas by automated software tools that issue a warning on (defined) anomalies, prompting a closer look at a particular matter; of particular interest here is the combination of heterogeneous data sources.

Screenshot of the separate contact form

9.2 Online Survey, Examples of Addressing Potential Participants

Examples of blog posts on LinkedIn, Xing and Facebook

Examples of newsletters from the multipliers

9.3 Literature Search Strategy

The following table summarizes the search strategy performed with the major libraries to find relevant scientific papers.

9.4 Full Set of Result Charts of the Online Survey

This appendix shows the results from the online survey. Each question is represented by a graph. The quantity of participants is mentioned at the beginning of each module or if suitable directly in the title of the figure.

9.4.1 Module 1: Demographics of the Participants

Module 1 captures generic parameters about the company's type, size, industry, and the role of the respondent.

Participants by country (N = 95; counts in the order of the chart legend)
  30  AT
   1  AT, DE, HU, SK, CZ
   2  CH
   1  CZ
  57  DE
   1  Europe
   2  global
   1  international

Legal form of participants (N = 95)
  42  GmbH / limited liability company
  25  AG / stock corporation
   9  Listed on a stock exchange
   7  Sole proprietorship (e.K.)
   3  Public corporation (Körperschaft öffentlichen Rechts)
   3  NPO
   2  Limited partnership (Kommanditgesellschaft)
   1  Associates
   1  Funds
   1  University
   1  Savings bank without an owner (Vereinssparkasse)

Industry (N = 95)
  16  Services
  15  Manufacturing / production industry
  13  IT & telecommunications
  12  Finance & insurance
  11  Wholesale and retail
   5  Public sector
   4  Utilities, energy
   3  Business, law, consulting
   3  Process industry (e.g., chemicals)
   3  Real estate, construction
   2  Transport & logistics
   1  Church
   1  Engineering
   1  Printing / publishing industry
   1  NPO
   1  E-commerce / online distribution
   1  Semiconductor industry
   1  Education
   1  Skilled crafts
No participants from: leisure, travel & hospitality; environment & nature.

Turnover p.a. (N = 95)
  16  EUR < 1 M
   7  1 M ≤ EUR < 2 M
   7  2 M ≤ EUR < 10 M
   9  10 M ≤ EUR < 50 M
  56  EUR ≥ 50 M

Number of employees (N = 95)
  13  1 – 9
  14  10 – 49
   7  50 – 249
  10  250 – 500
  51  > 500

Part of a group, and residence of the headquarters (N = 95)
  42  No
  53  Yes, of which:
        19  DE
        13  CH
        13  Other EU country
         7  USA
         1  AT

Job function within the organization (N = 95)
  26  Managing director / senior management / CEO
  20  (Head of) internal audit
  20  Other (mainly marketing & sales, research & development, head of supply chain management)
  11  Compliance officer
   7  Accounting manager / finance / controlling / CFO
   4  Head of IT / CIO / CITO
   3  IT security specialist / CISO
   3  HR & legal
   1  Credit analyst

ERP system / finance software (N = 95)
  45  SAP
  10  MS Office (Word/Excel)
   9  Navision
   8  In-house development
   3  Datev
   3  Not known
   2  EXACT
   2  BMD
   2  rs2 by Ramsauer & Stürmer
   2  SAP + in-house development
   1  Salesforce
   1  Sauter+Held Marah+
   1  PrintPlus
   1  Google G Suite
   1  keasy
   1  IBM
   1  Applus
   1  Agresso
   1  MS Dynamics
Note on the job function chart: no participant came from the big data / BI / analytics function.

9.4.2 Module 2: Questions about Fraud Status and Fraud Prevention

Module 2 contains the questions about the compliance counter-measures and the anti-fraud methods installed in that company or organization.

Fraud attempts within the last 12 months (N = 95)
  28  Yes
  39  No
  28  No answer

If yes, which part of the company was affected? (N = 28, multiple answers possible)
  12  Accounting / finance
   9  Sales / marketing
   9  Procurement
   6  Other (e.g., HR, treasury, cyber crime, management)
   4  IT
   2  Project management
   1  Logistics / supply chain
   0  E-commerce systems

If yes, where did the attack come from? (N = 28)
   8  External attack (hacker)
   7  Internal fraud by an employee
   7  Internal and external cooperation
   4  Unknown
   2  External (customer / supplier)

If yes, how was the fraud attempt detected? (N = 28, multiple answers possible)
  18  Report by an employee / whistleblower hotline
   6  Internal controlling or audit
   4  IT-based warning system
   4  Complaint from a customer or supplier
   3  External audit
   3  By accident
   2  Other
   2  Do not know / no answer

Change in fraud attempts during the last 3 years (N = 76; "no answer" was explicitly clicked 30 times)
  30  No answer
  20  Roughly constant
  18  Increased slightly
   5  Increased significantly
   3  Decreased slightly

Which type of fraud risk would be typical of your industry? (N = 76, multiple answers possible)
  34  Fraudulent expenses, e.g., false supplier invoices
  30  Phishing attack
  25  Data theft / skimming
  22  Theft of assets
  22  Cyber attack / internet crime / hacking attack
  21  Corruption, bribery
  20  Identity theft, account hacking, theft of personal data
  13  Bid rigging, buy-back deals, collusion
  13  CxO / fake-president attack
   8  Accounting fraud
   5  Credit card fraud
   5  Insurance fraud
   1  Forgery of checks
   1  Re-shipping scam, e-commerce fraud
   0  Pyramid selling scheme
   0  Bust-out / shell company fraud

Does your organization have a special department for risk prevention? (N = 76, multiple answers possible)
  36  Yes, compliance department or compliance officer
  29  Yes, IT security / CISO
  25  No special department, the general management takes care of it
  18  Each employee is responsible for compliant behaviour
  11  Other (mainly ERM, internal audit, or a combination of both)
   8  Yes, fraud prevention officer / fraud manager
   5  No, cooperation with an external partner
   2  Yes, forensic department
   1  Do not know / no answer

Which employee-related measures have been established to prevent fraud? (N = 76, multiple answers possible)
  58  Regular information of employees on compliance, e.g., by circular or via the intranet
  51  Living a culture of integrity
  46  Regular employee training
  35  Whistleblower hotline / ethics hotline
  17  Regular employee assessments (closed-loop learning) to raise awareness
  13  Membership of an association such as IR, ACFE, BCM, ÖCOV
   7  Other (e.g., ERM, ICS, internal audits and directives)

Which IT- and technology-based measures have been established to prevent fraud? (N = 76, multiple answers possible)
  59  Access authorization, role-based access concepts for all relevant (IT) systems
  21  Active search for defined "red flags" / active warning system
  20  Limit systems
  19  Special test procedures and software for pattern matching, transaction mining
  15  Working according to standards such as COBIT
  14  Do not know / no answer
  12  Special fraud risk assessment tools
   9  Own database of documented fraud cases for comparison and detection
   7  External anti-fraud databases and feeds (e.g., STIX, TAXII, SpyCloud)
   5  Machine learning techniques
   3  Other
Chart annotation: implicit big data analytics.

Which organizational measures or procedures have been established to prevent fraud? (N = 76, multiple answers possible)
  68  Four-eyes principle for approvals and critical processes
  55  Signatory rules for all business areas (DOA)
  50  Audit, e.g., according to SOX / external audit
  50  Corporate governance rules, operating procedures
  44  Ethics & compliance measures
  43  Segregation of duties
  42  IT-based approval workflows with threshold values
  40  Sampling checks
  31  Background checks
  28  Incident response / emergency plan
  27  Regular risk assessments
  16  Regular fraud audits
  14  Involvement of external partners (forensic services)
   3  Other

Which frameworks does your organization use for ensuring compliance and preventing fraud? (N = 76, multiple answers possible; respondents who clicked "None / do not know" selected nothing else)
  41  Own compliance program or code of conduct
  29  Do not know / no answer
  20  Own anti-fraud policy
  13  COSO framework
   9  COBIT framework
   8  ISO 19600 "Compliance management systems - Guidelines"
   7  ISO 37001 "Anti-bribery management systems - Requirements with guidance for use"
   6  ISO 26000:2010 "Guidance on Social Responsibility"
   5  SOX
   5  Other
   0  Ethics barometer (integrity thermometer)

9.4.3 Module 3: Questions about the Use of Big Data Analytics

Module 3 asks questions about big data analytics and technical concepts established in the company which help to ensure compliance and prevent the organization from fraud-attacks.

[Chart] What is your organization's attitude towards BDA in general?
(Wie ist die Haltung Ihres Unternehmens allgemein zu Big Data Analytics Methoden?)
N = 69

Responses (count, answer option):
29  Ein interessantes Feld der Analyse-Methoden & Tools / an interesting field of analytical methods & tools
16  Wird bereits aktiv im Unternehmen eingesetzt / is already in use in the company
11  Weiß ich nicht / Do not know
10  Nicht relevant für Unternehmen und Geschäftsmodell / not relevant for current business
 2  Ist nur für "große Unternehmen", das kann sich mein Unternehmen nicht leisten / only relevant for large companies, we cannot afford this
 1  Sonstiges - Wir scannen den Markt ständig nach möglichen Lösungen / other - we continually look for suitable solutions

In the original chart the colours distinguish a positive (green), a neutral (grey), and a sceptical (red) attitude.


[Chart] In which areas does or would your organization use BDA?
(In welchen Unternehmensbereichen wird/würde Ihr Unternehmen BDA nutzen?)
N = 69, multiple answers possible, 202 answers in total

Responses (count, answer option):
37  Marketing & Sales (Kundenanalysen, Vertriebsprognosen) / customer analysis & sales forecast
32  Prozess-Optimierungen / process optimization
25  Fraud prevention
24  Unterstützung / support of IT security
24  Generierung neuer Geschäftsmodelle / develop new business models
15  Beschaffungsmanagement / procurement
12  Weiß ich nicht / Do not know
12  Check von Finanzierungsrisiken / check financial risks
 8  Merger & Akquisition / mergers & acquisitions
 7  Neue Formen der Mitarbeiter-Zusammenarbeit / new types of collaboration
 5  Absicherung von Investitionen / securing investments
 1  Sonstiges / Other: condition based maintenance and predictions

[Chart] If BDA is used for compliance or fraud prevention: for which type of fraud?
(Welche Arten von Risiko möchte das Unternehmen mittels BDA absichern?)
N = 69, multiple answers possible; "Do not know" was counted only when it was explicitly clicked and no other option was selected

Responses (count, answer option):
29  Cyber attacks / internet crime / hackers
26  Zur allg. Unterstützung der IKS / general support of internal control systems
26  Weiß ich nicht / Do not know
19  Phishing attacks
19  Fehlverhalten im Bereich Accounting, Bilanzierung / false accounting statements
14  Frisieren von Belegen / manipulation of documents or records
 7  Durchführung von Risk Assessment / conduct risk assessments
 7  Credit card fraud
 7  Absicherung von E-Commerce-Transaktionen / secure e-commerce transactions


[Chart] Plans for investing money into big data tools for fraud prevention and compliance
(Pläne, in Big Data Tools zur Compliance-Sicherung und Betrugsabwehr zu investieren)
N = 69

Responses (count, answer option):
39  Weiß ich nicht - keine Angabe / Do not know - no answer
10  Unternehmen wird seine bestehenden Investitionen ausweiten / company will expand its current investments
10  Keine Pläne / No plans
 6  Unternehmen hält Investitions-Niveau bei / company maintains its level of investment
 4  Unternehmen wird in den nächsten 12 Monaten erstmalig investieren / company will invest for the first time within the next 12 months


[Chart] CURRENT USE - Which type of big data / IT-based anti-fraud system has been implemented?
(Wenn Ihr Unternehmen Big Data bzw. IT-gestützte Betrugs-Warnsysteme im Einsatz hat, welcher Art oder Technologie sind diese?)
N = 69, multiple answers possible

Responses (count, answer option):
34  Weiß ich nicht, keine Angabe / Do not know, no answer
20  Interne Datenbanken / internal reports & databases
13  Automatisches Red-Flag, Warnsystem, Rules Engine / automatic red flags, warning system, rules engine
11  MS Office tools (Excel / Access)
 6  Mapping software
 5  Lösung meines ERP-Anbieters / solution of our ERP supplier
 5  Link analysis / social media network analysis
 5  Automatisierte Meldung an Spezialabteilung / automated notification to forensic, security or SIU
 4  Nutzen ext. Datenbanken & Feeds mit Betrugstypologien / use of external databases & feeds with fraud typologies (e.g. STIX, TAXII, SpyCloud, NICB, LexisNexis)
 4  Case management software
 3  Text mining / natural language processing
 2  Sonstiges / Other
 2  Software als Visualisierungs-Front-End zu Excel und BI-Daten / visualization software
 2  Predictive modeling

Products named in the free-text answers: SAP, Datev, "Sauter+Held+Marah+"


[Chart] FUTURE USE - Which type of big data-based anti-fraud system is planned to be implemented within the next 12 to 18 months?
(Welche dieser Big Data gestützten Betrugs-Präventionsmaßnahmen beabsichtigt Ihr Unternehmen in den nächsten 12 bis 18 Monaten einzuf)
N = 69, multiple answers possible

Responses (count, answer option):
53  Weiß ich nicht, keine Angabe / Do not know, no answer
10  Interne Datenbanken / internal reports & databases
 7  Automatisches Red-Flag, Warnsystem, Rules Engine / automatic red flags, warning system, rules engine
 4  Predictive modeling
 3  Mapping software
 3  Automatisierte Meldung an Spezialabteilung / automated notification to forensic, security or SIU
 2  MS Office tools (Excel / Access)
 2  Lösung meines ERP-Anbieters / solution of our ERP supplier
 2  Case management software
 1  Nutzen ext. Datenbanken & Feeds mit Betrugstypologien / use of external databases & feeds with fraud typologies (e.g. STIX, TAXII, SpyCloud, NICB, LexisNexis)
 1  Text mining / natural language processing
 1  Sonstiges / Other: process mining
 1  Link analysis / social media network analysis
 0  Software als Visualisierungs-Front-End zu Excel und BI-Daten / visualization software


[Chart] If you neither use big data analytics nor intend to use it: what are the reasons?
(Welche Gründe sprechen gegen die Nutzung von Big Data zur Betrugsabwehr?)
N = 69, multiple answers possible

Responses (count, answer option):
28  Weiß ich nicht / Do not know
20  Eingeschränkte IT-Kapazitäten / limited IT resources
16  Es erfordert spezielles Wissen, ist mit unserer Personalstruktur nicht abbildbar / requires specific know-how which we do not have
13  Zu komplex in der Einführung und im laufenden Betrieb / implementation and daily use too complex
12  Unsicherheit über Cost-Benefit, ROI / uncertainty regarding cost-benefit, ROI
11  Unsicherheit über tatsächliche Wirksamkeit und Machbarkeit / missing proof of concept
 9  Lohnt sich nicht, denn unser Unternehmen ist wenig betroffen / not relevant, our business model is not much affected
 7  Schlechte Datenqualität im Unternehmen / bad data quality in the organization
 5  Schwierigkeiten, die richtigen Risiko-Szenarien zu beschreiben / difficulties in describing the risks properly
 5  Rechtliche Aspekte wie Datenschutz und Mitbestimmungsrechte des Betriebsrats / legal aspects, e.g. data privacy or works council's rights
 0  Risiko von zu vielen Fehlalarmen / risk of too many false positives


[Chart] Instead of big data analytics, which other IT-based measures do you think are more suitable to protect your company against fraud?
(Welche anderen IT-gestützten Maßnahmen zur Compliance-Sicherung / Schadensvermeidung halten Sie für geeigneter?)
N = 69, multiple answers possible, 277 answers in total

Responses (count, answer option):
58  Beschränkungen von Zugriffsrechten / access restrictions
49  Software-Updates und Schließen von Sicherheitslücken / perform software updates and close security gaps
43  Erarbeitung von Rollenkonzepten / use and establish role concepts
37  Erhöhung des technischen Schutzes gegen Eindringen von außen, z.B. 2FA, Erhöhung von Passwortsicherheiten / raise technical thresholds, e.g. 2FA, stricter password policy
37  Einführung von physischen Sicherheitsmaßnahmen, z.B. Zugangskontrollsystemen, Videoüberwachung / physical security systems, e.g. access-controlled doors or video surveillance
22  Fraud-Controlling: Einführung und systematische Analyse von Warnkriterien für künftige, rechtzeitige Entdeckung eines Betrugs / establish a rule-based detection system, not necessarily based on big data
21  Einführung von Software-gestützten Sicherheitsprüfungen, z.B. Logfiles, legale Schnüffelprogramme / software-based security checks, e.g. logfiles, legal sniffing programs, key loggers
 7  Keines / Weiß ich nicht / None / Do not know
 3  Sonstiges / Other

Free-text answers given under "Other":
• All of these measures together constitute a suitable concept
• system-integrated controls and checks of business transactions
• establish responsibility of employees as a cultural habit


9.4.4 Module 4: Personal Opinions on Some Critical Statements

Module 4 uses a 5-point Likert scale to ask for the participants' personal opinions on four critical statements about using big data techniques to ensure compliance and to prevent fraud.

[Chart] Summary of opinions on 4 critical statements concerning the usefulness of big data analytics for preventing fraud (Zusammenfassung des Meinungsbildes zu 4 kritischen Aussagen)
N = 65; scale: 5 (strongly agree), 4 (slightly agree), 3 (do not know), 2 (slightly disagree), 1 (do not agree); the response distribution per statement is shown in the original figure.

Critical Thesis T1. Big data is less suitable for ensuring compliance or preventing fraud. It is more important to emphasize the ethical and compliant behaviour of all employees.

Critical Thesis T2. It is more important to identify the individual risks of a company instead of analyzing everything by means of big data.

Critical Thesis T3. Big data analytics is complex and therefore more suitable for large companies than for SMEs.

Critical Thesis T4. The significance of big data analytics is currently greater for fraud detection and fast response times; for fraud prevention it might become suitable in the future.