Analysis of the Root Causes of Fraud Using Risk Causal and Fraud Diamond Matrix: A Case Study on Retail Financing Company

DOI: 10.21532/apfjournal.v6i1.202 ABTRACT Fraud risk management strategies can be carried out in three stages: prevention, detection, and response, but the most efficient stage is prevention. Fraud is part of operational risk which is defined as the risk of loss caused by the failure or inadequacy of internal processes, people, systems or technology, and external events. The perpetrators of fraud can also be analyzed using the fraud motivation model. This study aims to use the results of detection and response as input for the prevention stage using root cause analysis. This study uses the Risk Causal and Fraud Diamond (RCFD) Matrix as an analytical tool to determine the dominant root cause. This study uses 300 data samples and categorizes the root causes of fraud in the RCFD Matrix. The results show that there are three dominant root causes: 3.O System & Technology Opportunity, 2.O Internal Process Opportunity, and 1.P People Pressure. These results provide recommendations for fraud prevention strategies to effectively reduce or eliminate the dominant root cause.


INTRODUCTION
Fraud is an act of deception or manipulation that can cause losses to various parties and provide benefits to the perpetrator. Fraud can be in the form of intentional acts or omissions designed to deceive (COSO, 2016). Because fraud is a detrimental act, it becomes a "common enemy" that must be handled through the synergy of all parties.
Fraud is a form of operational risk which, in risk event taxonomy, can be divided into Internal Fraud and External Fraud (BCBS, 2002;Hemrit & Mounira, 2012). Operational risk is the risk that arises due to failure or inadequacy of internal processes, people, systems or technology, and external events, causing direct or indirect losses (BCBS, 2002).
From the company's perspective, the perpetrators of fraud are humans, and humans are the main capital for the company. The perpetrator of fraud, in carrying out his actions, is motivated by several factors, such as pressure, opportunity, rationalization, and capability. Therefore, in managing fraud risk, apart from focusing on human resources, it must also pay attention to internal process factors, systems and technology, as well as external factors.
Fraud handling strategies can be divided into several stages. One of the strategic guidelines for handling fraud was prepared by the Financial Services Authority (OJK) consisting of prevention, detection, investigation, reporting, sanc-tion, monitoring, evaluation, and followup. Meanwhile, the United Nations has arranged three stages of handling fraud: prevention, detection, and response (Bartsiotas & Achamkulangare, 2016).
Of the three stages, the prevention stage is the easiest and cheapest stage to do. This is because at the prevention stage, fraud has not occurred, so it can be said that there is no potential loss. Therefore, the detection and response stages must be able to provide input on how an entity prevents fraud.
In the Association of Certified Fraud Examiners (ACFE) Report to the Nation 2020, it is stated that 22% of fraud incidents occurred in the banking and financial services industry. Referring to Indonesian Banking Statistics data for the period March 2020 (OJK, 2020), it can be seen that consumption financing has a share of 27.45% in Commercial Banks and 41.99% in Islamic Banks. For financing companies, the object for consumer goods financing in the period May 2020 had the largest portion, or 67.63% (APPI, 2020). Based on the data regarding consumption financing, we conducted a case study on a retail consumer financing company.
This paper seeks to provide a conception of how the detection and response process to fraud can contribute to the fraud prevention stage. One way that can be done is how to determine the root causes of fraud through risk causal analysis and fraud motivation. From the analysis of the root causes of fraud, it is hoped that effective preventive measures can be determined.

LITERATURE REVIEW AND HYPO-THESIS Operational Risk and Fraud Risk in Retail Financing Company
Operational risk is the risk that arises as a result of failure or inadequacy of internal processes, people, systems or technology, and external factors, causing direct or indirect loss (BCBS, 2001). From this definition it can be said that operational risk originates from four factors: internal processes, people, systems and technology, and external factors. Risk events that can occur include (Coleman, 2011;Shiels & Trust, 2010): • Internal processes, relating to process design, documentation and reporting errors. • Humans, relating to negligence, incompetence, inadequate training, and deliberate mistakes, such as fraud. • Systems and Technology, which are related to errors in programming, data management, or use of external applications to bypass system verification. Systems and technology are risk causal that must be considered in the current digitalization era when companies increasingly rely on systems.
• External factors, relating to political events, regulations, natural disasters (force majeure), and crimes committed by external parties.
Fraud is defined as an act of manipulative deviation that aims to benefit the perpetrator and harms the bank, customers and other parties (Bank Indonesia, 2011). Meanwhile, ACFE defines fraud as a deliberate action that aims to persuade other people to act detrimental to that person. Every organization has a risk of fraud. Although it is impossible to eliminate the risk of fraud, at least this risk can be reduced or managed properly so that it can be prevented and detected (COSO, 2016).
Basel Committee on Banking Supervision (2002) has compiled taxonomy of operational risk events related to fraud: Internal Fraud and External Fraud. This distinction is based on the perpetrators of fraud. The internal parties include company employees, while the external parties include business partners, and or a combination of the two parties (Ramadhan, 2020). Internal fraud is called occupational fraud because this fraud is committed by someone in the company that employs him, through abuse of authority or use of company resources, with the aim of enriching oneself (ACFE, 2020). From the company side, internal fraud is easier to manage than external fraud, because it is under the company's control.
Internal fraud or occupational fraud can be classified into three parts, or better known as the Fraud Tree consisting of corruption, asset misappropriation, and financial statement fraud. In the 2020 ACFE Report to the Nation, 86% of reported internal fraud was in the form of asset misappropriation.
In the financial industry, such as banking, the most common type of fraud is financing fraud or loan / credit fraud. In a study conducted by Mohd-Sanusi et al (2015), 69% of banking fraud cases were in financing fraud. Types of fraud in financing include fictitious loans, nominee loans, and bribes and kickbacks (FFEC, 2002). Financing fraud can also occur because first parties or customers do not intend to fulfill the obligation to pay installments, due to collusion with internal elements (Detica NetReveal, 2010).
Retail financing, also known as retail banking or consumer banking, is financing or banking that provides financial services to the individual or small business segment (Clark et al, 2007). In financial companies that focus on retail financing, the potential for fraud risk is higher due to the large volume of transactions and processes that depend on human work.

Motivation to Commit Fraud
Fraud perpetrators are human beings who deliberately commit harmful actions. Therefore it can be said that the incidence of fraud is closely related to human behavior. The perpetrators of fraud certainly have a motivation or driving factor in committing fraud. There are at least four theories regarding the motivation to commit fraud: the Fraud Triangle, Fraud Diamond, Fraud Pentagon, and Fraud Hexagon.
The Fraud Triangle was put forward by (Cressey, 1953). The model mentions three main elements that cause fraud: pressure, opportunity, and rationalization (Zulfa, Bayagub, & Firdausi, 2018). Cressey considers that the perpetrator of fraud is a person who has violated the trust given. Fraud perpetrators have financial problems that cannot be shared with others, and the perpetrators are aware that these problems can be resolved by violating the trust that has been given (Ramamoorti, 2008). From a psychological perspective, the fraud triangle consists of perceived need/ pressure (getting money, keeping a job, or social motives), perceived opportunity, and rationalization (Ramamoorti, 2008;Murphy & Dacin, 2011).
Perceived pressure includes dimension of financial pressure, where someone has financial problems that are difficult to overcome through legal means according to the rules. These financial problems can occur due to several things such as the inability to pay debts, narcotics and drug bondage, the need to fulfill promises to investors, the need to meet productivity targets, and the desire to have a social status symbol such as a luxurious house, luxury car, and others (Ramadan, 2020). The second element is perceived opportunity, where the possibility of fraud being detected is quite small. This happens because the perpetrators of fraud commit intrigue so that their actions are difficult to find out and because of weaknesses in the control function of the organization (Ramadhan, 2020). The third element is rationalization, where it is based on the fact that the majority of the perpetrators of fraud are doing it for the first time. The perpetrators do not feel guilty, but they are in the wrong situation. From a psychological point of view, the perpetrator experiences a conflict or cognitive dissonance between moral standards and the committed fraud (Ramamoorti, 2008). However, despite knowing that the act of fraud was wrong, the perpetrator still sought justification or rationalization for the act. Justifications that are commonly used as excuses are "borrowing is not stealing", "entitled to get more", and "forced by necessity" The Fraud Triangle theory was then developed into Fraud Diamond, by adding the fourth element: capability. Another thought is that the cause of the Fraud Triangle is still at the plan stage or has not been realized. To realize the fraud plan, the perpetrator needs capability so that fraud can be realized. The capability element is the expansion of the Fraud Triangle (Wolfe & Hermanson, 2004). Capability is a factor that enables fraud to be successfully carried out by the perpetrator. This capability factor is supported by several elements including position or authority, intelligence and creativity, and coercion (Abdullahi et al, 2015).
Position or authority allows someone to commit fraud. This can happen because the fraud that is committed is part of the job description that must be done. Intelligence and creativity elements allow the fraudsters to detect weaknesses in internal control and system or process design, so that their actions are difficult to detect. The third element is coercion. It is the condition of someone who is able to pressure others to commit fraud. Such pressure can be in the form of asking team members (subordinate) to achieve targets in any way. In this condition, the superior has the capability to press subordinates to commit fraud.
Fraud motivation theory continues to develop. Fraud Diamond developed by Jonathan Marks has developed into Fraud Pentagon, by adding the element of arrogance. This fifth element has characteristics such as high ego and arrogance, ability and power so that the perpetrator can circumvent the internal control system, and usually the goal of arrogance is on non-financial benefits, such as social status, lifestyle, and fear of losing one's position (Crowe, 2011). Another motivation model developed is SCORE, consisting of Stimulus, Capability, Opportunity, Rationalization, and Ego. The SCORE model was then developed again by including the element of collusion, which is an agreement to commit fraud by two or more people (Vousinas, 2019).

Fraud Prevention
Traditionally, fraud prevention has been the responsibility of management through the oversight functions of the board and audit committee. In addition, the role of internal and external auditors in fraud prevention is also a function used by the company. (Ibrahim et al, 2015). However, because fraud is an action that can harm all parties, the responsibility for the prevention function must also be carried out by all elements in the company.
ACFE (2016), mentions several procedures to prevent fraud, including: • Employee Anti-Fraud Education, which is an educational program for employees within the company regarding the definition of fraud, its impact on the organization, how to identify and report fraud, and penalties for perpetrators • Tone at the top, which is the management's commitment to creating a work environment that is open to differences and upholds ethics. • Proactive Audit Procedures, which are proactive audit procedures using data or data analysis methods, fraud risk assessments, and surprise audits if possible • Reporting programs, which are programs for reporting fraud incidents by creating a channel for complaints regarding fraud that occurred. This complaint channel can be used by all parties, both internal and external, to report fraud incidents that have occurred.

Root Cause Analysis
Root cause analysis (RCA) is a method or way to improve the quality of management. Root cause analysis is needed to find out what is actually causing the problem. The process of root cause analysis is not easy because it requires precision and skills in order to identify the real root causes. Root cause analysis aims to prevent the same problem from happening again. RCA is a method to gain insight from the identified findings. RCA analyzes the underlying cause of the problem (The Institute of Internal Auditor, 2013). The assumptions related to RCA, among others, are that the root of the problem can be identified so that it can be corrected. The output of the RCA is an effective recommendation that has an impact at the preventive stage, not just normative (Tomić & Spasojević Brkić, 2011). The benefits of RCA include providing added value to the organization, having the potential for cost efficiency, learning about cause-effect relationships and determining solutions, providing a logical approach to the problem-solving process, and reducing risk (Chartered Institute of Internal Auditors, 2018).
RCA steps include: collecting data, determining problems, analyzing using tools such as SIPOC (suppliers, inputs, processes, outputs, customers) analysis or Ishikawa diagrams (Fishbone), determining causal factors, identifying root causes, and formulating recommendations for improvement (Tomić, B., & Spasojević Brkić, V, 2011;IIA, 2013). The analysis stage can be carried out using the why-because analysis method and five whys or why-why analysis (IIA, 2013;Harsono, 2008). The use of techniques and tools must pay attention to organizational conditions such as the duration and skills of RCA implementers (examination team) (Ramadhan, 2020). Exploring the root causes of fraud can also be carried out through investigative interviews, namely a question and answer process between the examiner and the party suspected of having committed or knowing the incident of fraud, with the aim of uncovering the incident, including identifying the elements of mens rea (evil intentions) of the perpetrator (KPK, 2016 ;Syukur, 2015).
In order to make the RCA process easier to carry out and the results to be analyzed are accurate, it is necessary to formulate root cause categories. The root causes can be arranged deductively, starting from the general things to the details of the general things (tiering). The root cause categories can be arranged from general aspects such as resources, personal, process, leadership, and client aspects (The Institute of Chartered Accountants in England and Wales, 2016). Practice Advisory 2320-2 on Root Cause Analysis focuses on human aspects related to decisions and actions that are taken or not taken. The root cause categories that can be arranged include competence, personal quality, inadequate training, technology, organizational culture, number of resources, and decisionmaking processes.
In the context of fraud risk management, root cause analysis can be used as input in the prevention process. Fraud prevention has two meanings: prevention and / or deterrence. Prevention can be carried out using the RCA method by eliminating the root causes to prevent fraud. Meanwhile, deterrence is more about behavior modification, such as applying strict sanctions so that the perpetrator does not commit fraud (AICPA, 2002;Furlan & Bajec, 2008).

METHODS Conceptual Framework
Three strategies in managing fraud risk are prevention, detection and response (Bartsiotas & Achamkulangare, 2016).
The best and most efficient strategy is a prevention strategy, because this strategy is carried out before the fraud is committed by the perpetrator. Fraud prevention will be effective if the root cause of fraud can be overcome or eliminated. The expected result is how the results from the detection and response stages can be used as input for fraud prevention strategies. An overview of this concept can be seen in the following diagram (Figure 2).

Risk Causal Fraud Diamond (RCFD) Matrix
Fraud is a part of operational risk that occurs as a result of failure or inadequacy of internal processes, people, systems or technology, and external factors. Fraud is also human behavior which is motivated by several factors. However, even though fraud is committed by humans, it does not mean that the human factor stands alone. Apart from the internal factors of the individual, the behavior of the perpetrators of fraud is also influenced by other factors such as a non-functioning supervision process, gaps in systems or technology, or influence from external parties. Therefore, this study aims to explain the incidence of fraud caused by a combination of individual internal factors (fraud motivation) and operational factors (risk causal). In the context of fraud motivation in retail financing companies, we argue that the Fraud Diamond model is the most relevant model for analyzing identified fraud incidents. Fraud Diamond states four motivational factors for fraud: pressure, opportunity, rationalization, and capability.
Based on the Risk Causal and Fraud Diamond factors, an analysis tool was built with the name the Risk Causal and Fraud Diamond (RCFD) Matrix. In principle, this matrix is a classification of the root causes of fraud using a combination of Risk Causal and Diamond Fraud parameters. For more details, the RCFD Matrix can be seen in the following figure 3.
The explanation of the RCFD Matrix category is as follows: • 1.P. People -Pressure: The existence of pressure from internal individuals to commit fraud, such as urgent needs, lifestyle, and pressure from superiors.

Figure 3. Risk Causal and Fraud Diamond (RCFD) Matrix
Source: Processed data Note: • For purposes of recapitulation and reporting, root cause categories are coded.
• Not all parameters can be combined, e.g. Rationalization is only related to the human factor (people) • Types of root causes can be tailored to each organization • The RCFD Matrix analysis can be divided according to requirements, e.g. per function or per region.
• 4.P. External Factor-Pressure: The existence of pressure from external parties so that the perpetrator commits fraud, such as conflicts of interest and third parties who commit fraud. • 1.O. People-Opportunity: The existence of opportunity to commit fraud because the superior's supervisory function is not functioning, such as the superior's incompetence.

• 2.O. Internal Process-Opportunity:
The existence of opportunity to commit fraud due to process design errors, work overload, improper division of tasks, and too broad span of control • 3.O.
System & Technology-Opportunity: The existence of opportunity to commit fraud due to insufficient or failed systems & technology, such as unavailable work tools and the system that does not verify.

• 4.O. External Factor-Opportunity:
The existence of opportunity to commit fraud due to external factors, such as natural disasters which cause some standard process flows to be unnecessary because they must be completed as quickly as possible. • 1.R. People-Rationalization: The existence of individual dissatisfaction or cognitive conflict that justifies the fraudulent act taken, such as borrowing is not stealing and entitled to get more. • 1.C. People -Capability: The existence of ability to abuse authority or work so that fraud occurs, such as accessing and changing data and asking subordinates to commit fraud • 3.C. System & Technology-Capability: The existence of ability or creativity to find weaknesses in systems & technology so that fraud occurs, such as bypassing the system verification process and using external applications to make fictitious transactions.

Data Analysis
This study took random sampling data of 300 fraud occurrences in the reporting period of 2019 and 2020. The data consists of four business regions and two operational functions. Data distribution can be seen in Table 3.2. From the sampling, classification is then determined based on the RCFD Matrix criteria. Data analysis is conducted using descriptive statistical methods to determine the mode or category values that most frequently arise from functions and regions. For company wide scope, the Pareto diagram is used to determine recommendations for improvement based on a priority scale (Ivančić, 2014).

RESULT AND DISCUSSION
Analysis of sample data is carried out based on the results of examinations related to field facts, additional data or information obtained from interviews with fraud perpetrators and the final conclusion of the fraud incident that occurred, such as fictitious financing submitted by the sales department or embezzlement of customer installments that were not deposited by the collection officer. The data was obtained from the results of the investigation by the fraud detection team in the risk management function. The output of the data analysis is the determination of the root causes criteria based on the RCFD Matrix parameter. The results are broken down based on business region, operational function, and company wide.
After knowing the dominant root cause category of each business region and operational function as well as the company wide, a re-analysis is carried out to determine recommendations for improvements to be proposed. Recommendations for improvement for business region and operational functions are based on the value of the mode, while recommendations for improvement for the company wide will use pareto diagram analysis.
RCFD Matrix business region and operational functions can be seen in Tables 4.1 and 4.2. Visualization using spider diagrams to make it easier to determine the dominant root cause can be seen in

Source: Processed data
Each business region has different characteristics. From the internal side of the company (employee), it can be classified based on leadership style, level of education, and local culture. From the external side of the company, it can be classified based on customer segmentation, character, and culture of the local community. The characteristics of the Jakarta, Java I, Java II, and Sumatra business regions are certainly different, so the pattern of fraud incidents will also be different.
Based on the classification of the RCFD Matrix criteria, it is known that for Region   Recommendations that can be given in the fraud prevention strategy are as follows: • 3.O Systems and Technology-Opportunity: the digitization process is a must for companies wishing to compete in the industrial revolution 4.0. However, the digitization process must still be equipped with control functions such as system validation of transactions. System validation is carried out based on certain rules or the use of machine learning algorithms. • 2.O Internal Process-Opportunity: company rules and policies are formulated to be implemented properly. Non-compliance with the rules can increase the perceived opportunity of fraudsters. Recommendations for prevention strategies include conducting surprise audits periodically, imposing firm sanctions (deterrence), and conducting job analysis of each operational function. • 1.P People -Pressure: shows the fraud incident caused by the pressure experienced by the perpetrator. Recommendations for prevention strategies include providing educational programs or anti-fraud campaigns for employees, improving tone of the top or management commitment in mitigating fraud risk, and optimizing the whistleblowing system.

CONCLUSION
Fraud is a common enemy that must be tackled synergistically by all parties. Fraud risk management can be divided into three stages: prevention, detection and response.
The best and most efficient stage is the prevention stage, because at this stage the fraud incident has not occurred so that it can reduce the potential for financial loss or other impacts due to fraud. The Risk Causal and Fraud Diamond (RCFD) Matrix is a tool to analyze the root causes of fraud. RCFD Matrix contains categories of root causes of fraud arranged based on a combination of risk causal and fraud diamonds. The purpose of developing this matrix is to help determine effective prevention strategies based on root cause analysis. The application of the RCFD Matrix as an analytical tool must be supported by valid data obtained from field facts and interviews with the perpetrators of fraud. The example of the RCFD Matrix can be applied to the company wide, business region, and operational functions. The analysis aims to create a priority scale in fraud prevention strategies. This analysis can be adjusted according to the type and nature of the industry of different companies. This RCFD Matrix study was conducted in retail financing companies. However, the RCFD Matrix can also be applied in companies with different business models and different industrial fields. It is suggested that further research apply the RCFD Matrix in different industries or in government institutions as the testing and falsification phase of the RCFD Matrix.