There is a need to change the approach of current Procure to Pay processes to detect recurring leakages, frauds and compliance violations. The paper discusses why pattern-based detection using an AI-based system in the Procure to Pay context should be used.
Current control mechanisms as part of the Procure to Pay process including the automated controls setup in the ERP platform as well as manual process controls are insufficient to prevent all the leakages as well as detect frauds and compliance leakages as part of the process. These process control mechanisms have multiple limitations that can be overcome using an AI-based anomaly detection platform. The limitations and the advantages of using an AI-based platform are illustrated below.
Leakage and fraud outcome ambiguity
ERP systems and most leakage and fraud detection systems in the market are rule-based. However, due to the ambiguity of the outcomes, usage of rules-based systems results in large number of false positives. Moreover, these systems are fixed and repeat the same pattern of anomalies which have already been investigated by auditors and confirmed as false positives in the past. Additionally, rule-based systems do not change with variation in data patterns. Dated rules must then be manually re-configured. For instance, rule-based systems are unable to detect all the recurring leakages such as duplicate payments with an acceptable false positive rate. On the one hand, if the rules are defined too narrowly then the system is unable to detect a large number of actual duplicate payments. On the other hand, if the rules are defined broadly then there is insufficient bandwidth to investigate all the cases.
In AI-based systems, pattern-based detection is used in conjunction with the rules to learn from the past pattern of anomalies to reduce false positives. The system learns from investigator feedback and mimics human judgement. Additionally, the system can learn from the changing data patterns. The system provides a list of scored and prioritized red flags that can be investigated by auditors such that their bandwidth can be optimally allocated. In the case of duplicate payments, applying machine learning models to the results of the rules increases precision of the results without losing coverage of the actual cases.
Fraudsters constantly evolve and adapt to control measures. Fraud detection based on rules such as setting thresholds does not allow the system to adapt, thereby enabling the fraudsters to circumvent the rules. Adaptive AI-based systems are therefore needed to augment rule-based models with mechanisms to learn over time.
Additionally, in the audit-fraudster arms race, fraudsters often devise new fraud schemes. It is critical for systems to learn from the patterns in the underlying data to identify rare anomalies, that cannot be pre-determined and cannot be configured in rule-based systems.
Exception control and monitoring
Current process control mechanisms are based on fixed rules encoded as part of the ERP or GRC systems. These rules are rigid and lack the flexibility to manage exceptional scenarios as part of the usual procurement activities. Most companies therefore have an exceptional route to handle scenarios that fall out of the ordinary process of procurement. To illustrate, a common rule that is setup as a process control is to ensure that there is no large variance between price in the purchase order and that of the invoice. The rule setup systemically throws exceptions when the above difference exceeds a threshold percentage or amount. To handle these exceptional scenarios, there is a process to allow the difference to be booked to a price-variance account. The exception scenarios may increase if the rules are fixed based on the lowest common denominator in cases where there are variabilities depending on the procurement category and/or vendor type and/or process type.
The loophole of the exceptional scenario can be exploited to undermine the process control. The exception scenario can also be restricted systemically, for example by setting-up another higher percentage threshold. However, this undermines the exception process which is designed for contingencies or scenarios that are out of the ordinary. Exception prevention mechanisms that are too tight hamper process efficacy and thus a flexible exception control mechanism is needed. Additionally, in cases where there are many exceptions due to tighter rules catering to the lowest common denominator, the manual check process may be cumbersome. Therefore, an automated system that is flexible is critical to achieve the right trade-off between process efficiency and compliance.
AI systems that learn from the past patterns of exception and feedback from investigators to prevent only the egregious exceptions serve to balance efficiency and process control. For instance, in the case of discrepancy between PO and the invoice, the system learns from past pattern of exceptions to flag off only those cases where the booking to the price variance account is not in keeping with the past patterns. Therefore, we recommend that while the process control can be in the form of fixed rules that are preventative and automated, the exception control process must be automated, preventive and machine learning based. The fallout from the exception control and monitoring system is then investigated manually. This process setup achieves optimal balance of flexibility, efficiency and risk mitigation.