How Medius Fraud & Risk Detection gives accounts payable teams the visibility they’ve always needed
For nearly all accounts payable (AP) departments, fraud is something you catch only in the rearview mirror. When a fake or duplicate invoice is detected at all, it’s discovered in a retrospective audit, often months after the invoice has been paid.
Finance and accounting departments are struggling with other blind spots, too. Through no fault of their own, they lack any means of analyzing trends or patterns related to fraud, both within their own organization and across their industry overall. As a result, AP leaders must trust that their (often overworked) employees will remain vigilant and spot anomalies on invoices with no easy way to track results, let alone to develop and measure best practices.
To address this lack of visibility, Medius has created its new Fraud & Risk Detection product, which we’re launching this week. This add-on product works with the Medius platform to provide an added layer of fraud and risk detection powered by machine learning and AI controls. It also provides visibility and reporting that shows risk exposure and trends. And it gives AP leaders important tools for honing their departments’ fraud and risk detection skills.
- What’s in the new Fraud & Risk Detection product?
Heinefeldt: Medius Fraud & Risk Detection includes three types of features. First, we added new anomaly detection features that help detect subtle types of fraud. Second, we’ve added features that modify AP processes to address fraud risks. For example, we’ve added a feature to randomize approvals, so that every now and then, an invoice from a single supplier is routed to someone different for approval. This helps prevent internal fraud in which a supplier is working with someone inside the AP department to approve fraudulent invoices. And finally, we’ve added visibility features, including dashboards and alerting, that provide AP departments with visibility they simply have never had before. This last point is important, because it changes how AP departments can operate. They can collaborate on detecting fraud, hone their fraud detection skills, track trends and identify problematic suppliers—the list goes on.
- Medius has been talking about fraud detection for some time. What led you and the team to develop this new product?
Heinefeldt: Medius AP Automation can already reduce a lot of fraud simply by capturing invoices and automatically pairing them with purchase orders. Through automation and machine learning analysis, we streamline and accelerate the AP process, which itself reduces opportunity for fraud.
But fraud is a serious issue, and even with automation, there’s still an opportunity to address the need for greater visibility and incorporate best practices into the workflow.
- Tell us more about the need for visibility in AP departments. What are you hearing from customers?
Heinefeldt: The truth is that today, if you talk to the heads of even the best-run AP departments, they have no idea of how many fraudulent invoices they’ve let through and paid or even how many they’ve detected and stopped. AP workflow tools are designed to route invoices for approval. Fraud detection and trend analysis have never been part of the picture.
In other parts of the organization, this lack of visibility would be exceptional. For example, if you go to the web security team at any company, they can tell you how many times hackers have tried to break into their site and which techniques the attackers are using. In comparison, AP departments are operating completely in the dark. They just don’t have tools for analyzing and measuring the fraud they’re experiencing, even if those tools would be incredibly helpful.
We wanted to change that. In effect, we want to flip the lights on over the whole AP operation. There are some types of fraud you’re just never going to catch without greater visibility.
For example, research shows that 65% of all fraud schemes involve internal stakeholders. Maybe someone in the AP department has arranged for a supplier to submit fake or inflated invoices, which the insider will approve for a share of the profits.
It’s much harder to perpetrate that type of fraud if everyone on the team can see who’s approving which invoice and for how much and whether any anomalies in payment terms, amounts, or other details were detected. Medius Fraud & Risk Detection puts these types of details in a place where everyone can see them, which will probably deter some people from trying to cheat the system in ways that would have been easy to do before. We now have dashboards and alerting, providing visibility into the entire AP process that teams simply haven’t had before.
We also link to a company’s whistleblower function. By putting whistleblower controls right in the UI, we remind employees that they should report things that seem suspicious, and that there’s a safe, established way of reporting indications of insider fraud.
- How else are you helping to stop insider fraud?
Heinefeldt: We’re introducing randomness into the approval process, which makes it much harder for insiders to work with suppliers to commit fraud. In many companies, invoices and purchase requisitions follow a strict approval scheme with the same people being involved in approving costs for certain suppliers. Even with the Four Eyes principle applied to all approvals in Medius, there remains a risk that someone might liaise with a colleague or with AP to get fraudulent transactions processed.
But with Medius Fraud & Risk Detection, we ensure that every now and then, one of these transactions will go to someone else for approval, and you never know when. This makes it harder for any kind of collusion to take place, because you never know when someone else is going to review an invoice. We can also require users to authenticate with step-up authentication (two-factor authentication) in addition to single-sign-on authentication policies when releasing batches of invoices for payment from Medius. Together, these measures provide controls and countermeasures not available to most AP departments today. This makes transactions visible to a broader set of people, and makes it harder for insiders to, for example, collude with a supplier to approve fraudulent invoices.
With these controls in place, AP managers can have greater confidence that all their approval policies are being rigorously followed.
Ultimately, we’re providing controls and insights at every stage of the AP process, so that employees will have a better understanding of what’s coming in and what risks are associated with it. And the system gets even more useful and accurate over time from applying machine learning to discover how the department works, how its invoices are usually formatted and presented, and so on.
- How does machine learning come into play in detecting fraud and risk?
Heinefeldt: We begin our process by capturing invoices, and if we detect risks at that stage, we highlight them immediately.
For example, if a fake invoice comes through, we can stop it right there at the capture stage. Our machine learning would detect anomalies in the invoice and stop the automatic process. But the operator needs to analyze the invoice to determine what makes it fake. The operator might delete the invoice, and the record of it is lost.
We require operators to identify reasons why the invoice should be rejected. We collect that information and use it to train the algorithm for detecting fraud at this organization and from that particular vendor.
Then, observing the solution at work, AP departments themselves can become more savvy at detecting fraud and risk themselves.
- How does the solution help employees get better at catching fraud?
Heinefeldt: When you have visibility, you can take action and hone skills in ways that would have been impossible with the old way of doing things.
Here’s what I mean. A good way to understand the role of visibility in AP fraud and risk detection is to think about how IT departments deal with phishing attacks. Everyone knows that phishing is a widespread and dangerous form of cyber-attack. Phishing attacks are dangerous in part because they work so much of the time. And when they work, they can give attackers access to critical business systems, including payment systems. They’re behind 16% of all data breaches, according to IBM.
How do IT organizations try to prevent phishing attacks? Two ways. First, they usually deploy email security tools that can quarantine inbound emails that seem suspicious or that have dangerous links or payloads. And then second, they also train employees across the organization to be on the lookout for phishing attacks. They teach everyone from the receptionist to the CEO about the exact characteristics to look for in an email message to determine if it’s a phishing attack. For example, you might notice that the From and Reply To fields are different, or that the From address is from a company you’ve never heard of in a country you’ve never done business with.
This kind of training allows IT organizations to apply a one-two punch to stop phishing attacks. They rely on automation. But they also rely on human intelligence. They rely on their employees. And they have tools for tracking the success rate of their tools and employees in detecting and stopping attacks.
This kind of visibility has never been available to AP teams when it comes to detecting fraud. Sure, there are some specialty products that provide some reporting about fraud detection, but they need to be integrated with your AP system and your ERP system. It requires a major integration project, and even then, it’s not working with your AP automation system as a seamless whole.
With Medius Fraud & Risk Detection, AP teams can suddenly see how many fake invoices they’ve received. They can see how many duplicates they’ve received. And they can discover patterns, such as a certain supplier seeming to issue lots of suspicious invoices.
And because this is a cloud product drawing on the intelligence Medius has gathered across its customer base, teams can be alerted to anomalies that they would never be able to catch on their own. For example, if a supplier submits an invoice with a new address, that might be a sign of fraud, or it might simply be a sign that the company has moved. In a case like this, it would be helpful to know that nine other Medius customers are still receiving invoices with the old address. A company on its own would have trouble getting this larger context for insights, but at Medius, we can provide it automatically.
- Are there any other benefits to this visibility?
Heinefeldt: Yes. For the first time, companies can understand their overall risk profile. They can understand how many fraudulent invoices they’re receiving. They can track trends, and they can identify patterns involving specific suppliers or even specific employees who might be involved in internal fraud schemes.
AP department leaders can also answer questions from the executive team, the board or even auditors, about rates of fraud and fraud detection best practices. And they can answer these questions with hard data—something that hasn’t been possible before.
- If Medius customers want to add Medius Fraud & Risk Detection to their platform, what’s involved?
Heinefeldt: We can turn this product on immediately. It’s already fully integrated with Medius AP Automation. There’s no special integration project required. And if customers are new to Medius and want both Medius AP Automation and Medius Fraud & Risk Detection, we can deliver both at the same time. The two products work together seamlessly, so AP teams can focus on their AP workflows right away without waiting for multi-month IT projects to complete. We want to provide solutions that AP departments can use immediately, and with Medius Fraud & Risk Detection, we’ve done just that.