Taxonomy of Fraud Detection Metrics for Business Processes

A business process is a set of connected events, activities, and decision points, including actors and objects, which collectively produce a beneficial outcome for the customer. The success of an organization’s strategic goals and performance depends on how well these business processes are implemented and executed. However, process-based fraud (PBF), a type of fraud that occurs in business processes, can be an obstacle to achieving this. Literature analysis shows that to date PBF detection metrics have not been sufficiently addressed. Specifically, there is overlap, confusion, and no standard for fraud definitions and categories that can affect our understanding of fraud mechanisms. This study develops a taxonomy to expose the dimensions, characteristics, and objects of PBF detection and to determine their relationships by using the design science research methodology. The developed taxonomy identifies four PBF dimensions with the following characteristics: (1) process perspective {time, function, data, resource, and location}, (2) presentation layer {process map, process stream, process model, process instance, and process activity}, (3) fraud data scheme {anomalous, discrepant, missing, and wrong}, and (4) fraud domain {generic and specific}. The objective of this taxonomy is to offer a useful tool to anyone seeking to classify, develop, and evaluate PBF detection metrics, along with a holistic view of PBF detection and the determination of its borders. Additionally, it may help in standardizing the concepts of PBF detection metrics to ensure consistency between stakeholders.


I. INTRODUCTION
Fraud can be defined as any deliberate act designed to deceive others that causes victims to suffer a loss and/or perpetrators to achieve a gain [1]. The use of one's job for personal enrichment through intentional abuse or misapplication of an employer's organization, resources, or assets is a type of fraud called occupational fraud, defined by the Association of Certified Fraud Examiners (https://www.acfe.com) [2]. Process-based fraud (PBF) is a type of fraud that occurs in business processes in which they deviate from the standard and normal operating procedures [3], [4]. However, in reality, not all deviations from the standard operating procedures (SOPs, a collection of documented instructions that are followed for executing routine or repetitive activities in an organization [70]) are fraud [3]. Expert investigations are required to confirm the occurrence of fraud.
The associate editor coordinating the review of this manuscript and approving it for publication was Saqib Saeed.
The most noticeable outcomes of fraud in organizations are financial devastation and a tarnished reputation [5]. It is estimated that organizations typically lose 5% of their revenue owing to fraud [6]. Fraud ultimately leads to an increase in costs and also damages the customer experiences and relationships [5]. Consequently, fraud is a severe problem with far-reaching consequences [7], [8]. In 2012, there were 1,388 reported cases of fraud in 96 countries, resulting in losses of up to USD 1.4 billion [9]. However, manipulation is still ongoing, likely on a vast scale [10], and the number and volume of fraudulent incidents have been increasing [11].
Implementing fraud detection techniques can help organizations in identifying and recognizing fraud [12]. Detection can be well executed by using taxonomies because they can help in deciphering the initial list of fraudulent schemes [1], [13]. Taxonomies also contribute to the general knowledge base and research by classifying objects, thereby allowing researchers and practitioners to understand and analyze the complex phenomena and domains, especially when little information is available about them [14], [15]. Taxonomy is a system that can be developed conceptually or empirically for grouping objects [14]. It is a set of N dimensions, each consisting of characteristics, as depicted in Fig. 1. (A dimension is sometimes designated as a variable, with its characteristics being the potential values (domains) of the variable [14]. However, dimensions and characteristics are common terms and can apply to all forms of taxonomies [14].) In its simplest form, taxonomy is a type of analysis theory, which specifies the dimensions/characteristics of objects by describing their shared features [16]. (Theory is an abstract entity that attempts to describe, explain, and improve the understanding of the world and, in some cases, provides predictions for the future and a basis for interventions and actions [16]. Gregor classified IS theories into five types: analytic, explaining, prediction, explaining and prediction, and design and action theory. For more information, please see [16].) These objects can include anything in a domain of interest that needs to be classified by taxonomy, which, in our case, are PBF detection metrics.
The literature review presented in the following section shows that there is a lack of comprehensive taxonomies of fraud detection metrics for business processes. Consequently, the following problems arise. (1) There are overlapping and frequently confusing definitions and categories of fraud that affect our understanding of its mechanisms and consequences [17]. (2) PBF terms and concepts are not standardized. (3) The relationships between PBF detection attributes are not clear. (4) The scope of PBF is not well defined. (5) The complete PBF picture is missing (which means that some PBF detection metrics are missing [18]). (6) Currently, there is no standard method of classifying the existing and new metrics because (7) taxonomy is a part of the analysis theory, which is considered the foundation (base knowledge) for obtaining knowledge [16], and improvements without taxonomy are always confusing or incomplete.
This work analyzes how detection metrics can be best classified for possible PBF into a proposed taxonomy, which can then be used to organize, simplify, and extend the PBF detection metrics. The proposed taxonomy was developed using the method presented by Nickerson et al. [14], which is explained in Section III.
The remainder of this paper is organized as follows. Section II gives a review of the fraud detection literature. Section III discusses taxonomy development and methodology. Section IV outlines the development process and implementation of the proposed taxonomy. Finally, conclusions and future work are presented in Section V.

II. LITERATURE REVIEW
A detailed systematic literature review of fraud detection metrics in business processes that includes all the relevant taxonomies is presented in [18]. It reveals that PBF detection is a topic that involves two main disciplines: fraud risk management and business process management (BPM). They are defined as follows.
1) Fraud Risk Management is responsible for managing all types of fraud in an organization and includes methods to prevent, identify, and respond to fraud risks [1]. This includes detecting fraud in business processes, which is used to evaluate potential fraud risks and ensure the achievement of specific business objectives [1]. Fraud risk management includes both fraud detection and fraud prevention, which are necessary to effectively combat fraud [12]. Whereas fraud detection intends to discover and recognize any fraudulent activities, fraud prevention seeks to avoid or reduce fraud. Both are independent and must be aligned and considered in fraud risk management [12].
2) Business Process Management (BPM) is "a structured approach employing methods, policies, metrics, management practices, and software tools to coordinate and continuously optimize an organization's activities and processes" [19]. It is devoted to analyzing, designing, implementing, and continuously improving the business processes of organizations [20]. A business process is a set of interconnected events, activities, and decision points that can include several actors and objects, which leads to an outcome that is of value to at least one customer [21]. Business processes include systems, data, and resources that may exist both inside and outside an organization [21]. They are performed inside a single organization and may involve cooperation with other organizations [22]. Business processes are not something conducted by organizations; rather, they form the organization's business [23]. They also determine the possible revenue and, to some extent, they form the cost profile of an organization [21] because they interact directly or indirectly with the financial accounts [24]. Owing to the importance of business processes to a business, they should be protected against any threat, including fraud [1].
A summary of the literature review is presented in Fig. 2 as a literature map. As depicted, the literature lacks an entire taxonomy of detection metrics for fraud in business processes. The literature map shows that BPM and fraud risk management are the primary domains for taxonomy, and both have received considerable attention in the literature [18]. Although a considerable amount of research has focused on the detection metrics of possible fraud, less attention has been paid to PBF and its detection metrics [18].
The literature also reveals that fraud detection techniques are generally developed based on an anomaly, misuse, or hybrid detection approach [2]. The detection of anomalous behavior depends on detecting the deviations from the normal behavior [25]. This can help in detecting new cases of fraud, but it lacks generalization capabilities and has high rates of false alarms [26]. The misuse-based detection approach relies on the known patterns of misuse to detect any questionable transactions. It is a fast and straightforward detection technique that can be implemented by using an expert system. However, it is limited to known patterns of misuse only [27]. Finally, the hybrid approach combines anomaly-based and misuse-based fraud detection [2]. The selection of the best approach depends on the application domain and situation [28]. Notwithstanding, the anomaly-based approach is the most popular [2].

III. METHODOLOGY
Design science research (DSR) is a method that constructs and operationalizes research works performed in an academic environment or organizational context for building an artifact or recommendation [29]. It is based on a pragmatic viewpoint [30], which confirms the inability to separate utility from reality [29]. However, DSR should further contribute to the improvement of the scientific knowledge base beyond its pragmatic bias [29].
DSR has become an accepted paradigm in Information Systems (IS) research [31], [32]. According to March [33], artifacts can be categorized into one of the following categories: construct, model, method, and instantiation [29]. The creation of taxonomy is considered to be the formation of a model [14], [34].
Nickerson et al. [14] investigated the question of how taxonomy is constructed. They developed, presented, and evaluated a method to develop a taxonomy that has certain qualities based on well-established literature. The method itself was built following DSR [35] by adopting and following the build/evaluate cycle for developing taxonomies and evaluating them against a set of necessary conditions [14]. The method proposed by Nickerson et al. [14] was employed in this study as it is suitable for developing a fraud detection metric taxonomy for business processes. This is because it involves a comprehensive systematic approach that is approved by the scientific community [14]. The method goes through several steps, as depicted in Fig. 3. They are as follows.
1) Define the meta-characteristic of the taxonomy. The meta-characteristic is the most general characteristic, which is the cornerstone for selecting the taxonomy characteristics. Each dimension will contain characteristics that are the logical consequences of the meta-characteristic [14]. The choice of meta-characteristic depends on the purpose of the taxonomy.
2) Define the end conditions. Because the method is iterative, it needs conditions to decide when to stop. The end conditions include objective and subjective conditions. The objective conditions ensure that the taxonomy satisfies its definition and that it is precisely composed of dimensions, each of which has mutually exclusive and collectively exhaustive characteristics (i.e., each dimension must have one and only one characteristic at a time). In contrast, the subjective conditions provide the researchers flexibility to add more conditions, based on their viewpoints [14].
3) Create taxonomy using one of two approaches. The first approach is conceptual-to-empirical (deductive), which begins with conceptualizing the dimensions of the taxonomy without considering the existing data regarding the taxonomy's objects. The conceptual approach is based on the researcher's theory on how objects are related and how they differ. Then, the researcher uses some empirical data to determine how they match with the conceptualization to adjust the taxonomy if required. The second approach is empirical-to-conceptual (inductive), which begins with identifying the empirical data groups, followed by recognizing the nature of each group. In this approach, the researcher recognizes the characteristics of the objects that serve the meta-characteristic. Both approaches (i.e., conceptual-to-empirical and empirical-to-conceptual) should be selected based on the availability of data regarding the taxonomy's objects and the knowledge of the researcher. If data access is limited and the researcher has sufficient knowledge, the conceptual-to-empirical approach is preferable. If data are available and the researcher has sufficient knowledge, then they may choose either approach [14].

IV. TAXONOMY
Following and implementing the steps stated in the method proposed by Nickerson et al. [14], as described above, the details for developing the taxonomy of detection metrics for possible fraud in business processes are as follows. All objective conditions stated by Nickerson et al. [14] can be adopted as follows.
1) All available taxonomy objects (i.e., PBF detection metrics) must be studied.
2) No changes in the taxonomy dimensions or characteristics (i.e., adding, removing, merging, and splitting) in the last iteration can occur; if they do, then another iteration is required to examine the change impact.
3) Each characteristic for every dimension should have at least one assigned object (i.e., null characteristics should not exist).
4) All dimensions, combinations of characteristics, and all characteristics within a dimension are unique such that no duplicates exist (i.e., mutual exclusiveness).
For the subjective conditions, the following parameters are used, as suggested by Nickerson et al. [14].
1) Usefulness: the taxonomy should serve a purpose. It should have useful implications for research (rigor) and practice (relevance).
2) Explanatory: the taxonomy should provide valuable explanations about the nature of the existing or future objects, and their detailed attributes can be proposed. Consequently, if the characteristics of an object are known, the object can be found in a recognizable place in the taxonomy. Similarly, if an object is found in a specific place in the taxonomy, its characteristics can be identified.
3) Conciseness: the number of dimensions is brief yet comprehensive.
4) Robustness: dimensions and characteristics can be used to precisely distinguish between objects to ensure that the groups are distinct (i.e., non-overlapping groups).
5) Comprehensiveness: all dimensions and characteristics of the objects are identified, and there are enough parameters to classify all objects.
6) Extendibility: adding a new dimension or characteristic is smooth (i.e., taxonomy is dynamic, not static).
The objective and subjective conditions that are used for evaluating the taxonomy also validate this research. This is because the validity of DSR, which is used as the methodology for this research, should emerge as a result of evaluating the developed artifact (i.e., the taxonomy) [36].
Because some PBF detection metrics and theoretical knowledge already exist, both approaches (i.e., conceptual-to-empirical and empirical-to-conceptual) can be used. For the first iteration, the conceptual-to-empirical approach is selected to develop the characteristics of the taxonomy. In this approach, the researcher should follow a logical process that is based on a firm theoretical foundation [37], which also includes a review of the relevant previous taxonomies [14].
Following the systematic literature review on fraud detection metrics in business processes [18], a "fraud domain" dimension that describes the area of fraud (e.g., telecommunication) can be deduced. An understanding of the fraud domain is essential for identifying the problem domain, which is a critical step in detecting fraud [38]. The fraud domain dimension has already been used to classify red flags, which are used to detect fraud [1], [39]-[41]. The fraud domain dimension can have two characteristics: "general" and "specific." The general characteristic is used to describe the metrics that can be applied to all domains, whereas the specific characteristic is used to describe the metrics that can be applied to a specific business domain (e.g., finance, insurance, telecommunication, and information technology). General and specific domain metrics are both necessary for detecting fraud in business processes; however, the taxonomy under development is not designed to focus on a specific domain. The fraud domain can also be used to ensure that the taxonomy covers new metrics for a specific fraud area. Thus, the fraud domain as a separate dimension is added because it satisfies all objective and subjective conditions.
The second suggested dimension is the "fraud type." One of the main classifications of fraud type was developed by the 2013 COSO framework [42]. It classified fraud types into categories, including fraudulent reporting, safeguarding of assets, and corruption. The fraudulent reporting category contains deliberate misstatements or omissions of amounts or disclosures to deceive people (e.g., modification of accounting records). Safeguarding of assets includes preserving the assets of the entities (e.g., property, cash) from theft, whereas corruption includes bribery and other illegal practices.
The fraud type should be determined and included in the fraud detection plan [43] because it helps to detect fraud accordingly [38], [44], [45]. However, fraud type, as a dimension, does not satisfy all the objective and subjective conditions. For example, fraud type as a dimension can have two characteristics simultaneously (e.g., fraudulent reporting and safeguarding of assets). Thus, the fraud type as a dimension is excluded.
At the end of the first iteration, the taxonomy has only one accepted dimension (i.e., fraud domain). However, a taxonomy's end conditions (i.e., both objective and subjective conditions) would still not be satisfied because this is the first iteration, and a second iteration is needed.
The empirical-to-conceptual approach can be implemented in this iteration by using PBF detection metrics available from the literature as empirical data. All distilled metrics are listed with their explanations and respective reference information in Table 1. Additionally, suggested groups were developed to cluster the metrics into common groups. After reviewing the table, a process attribute that refers to the process characteristics was suggested as a new dimension. The process attribute also has the characteristics function, resource, decision, and time, as shown in Table 1. Thus, the taxonomy now has two dimensions: fraud domain and process attribute. However, all end conditions of the taxonomy have not been satisfied yet because a new dimension is derived in this iteration. Accordingly, another iteration needs to be conducted.
By examining the literature in this iteration, "business process perspectives" [51] can be considered as a replacement of the "process attribute" dimension, which was developed in iteration 2. The business process perspectives are more comprehensive than the process attributes because they include all characteristics of the process attributes other than "data" and "control-flow." First, the control-flow perspective is concerned with the order of activities in the business process. Second, the resource perspective determines the action makers in process-like roles, organizational units, and authorizations. Third, the data perspective deals with the process input, consumed, and output data. Fourth, the time perspective is concerned with all process time issues, such as the execution duration and deadlines. Fifth, the function perspective describes the activities and applications of the process.
Successful detection of fraud in business processes indicates that all business process perspectives should help in detecting PBF [52]. For instance, (1) knowing the resource that posted and approved a transaction could help in detecting an unauthorized transaction or violation of duty segregation [53], (2) examining transaction activities over time may help in identifying suspicious activities such as those performed before or after off-hours [53], (3) examining the wrong process functions may indicate a fraudulent case, and (4) examining the missing data may lead to the detection of fraudulent activities.
All business process perspectives are characteristics of the process perspective as a dimension. However, the control-flow perspective merges with the function perspective because the order in which the activities are executed (i.e., the control-flow perspective) is a part of the implementation of the process activities (i.e., function perspective). Finally, location is added as a part of the process perspective because it is imperative for the auditing process [53], [54]. Moreover, to detect fraud, it is useful to know the execution site of the activity to identify the geographic risks [53].
Successful PBF detection needs to examine the entire business process and identify where fraud can originate [52]. Thus, the process perspective should cover all process components, which are events, activities, decision points, objects, actors, and outcomes [21]. First, the events are items that trigger the execution of activities, such as the arrival of equipment, which initiates an inspection activity. These are involved in the function and time characteristics of the process perspective. Second, the activities refer to the steps that are required to fulfill a specific work function. Third, decision refers to a particular decision made at a specific time that affects what happens later in the process, such as the approval decision. The activities and decision points are covered by the function characteristic. Fourth, the actors play roles in the process, which includes human actors, organizations, and systems. These are classified as resource characteristics. Fifth, the objects include physical objects, such as equipment, materials, and papers, as well as immaterial objects, such as electronic records. Sixth, the outcomes are the process deliverables that are given to the customers. Both objects and outcomes are classified in the data characteristics. Therefore, the process perspective is added as a new dimension to the taxonomy and there is no need to add process components as a new dimension.
The literature reveals that business process presentation layers can also be used for auditing the process model [24]. These presentation layers include process maps, process streams, process models, and process instances [24]. The process map layer provides an overview of all processes and helps in planning and auditing the business processes. The process stream layer includes more details than the process map; it provides more information about a group of processes (e.g., procure to pay cycle) related to specific accounts. The process model layer provides detailed information/logic about the activities of an individual process whereas the process instance layer refers to a single case of the process model. This represents the actual execution of the process model, and every presentation layer is represented by specific business processes, financial accounts, and specific information. These processes are described in Table 2.
Footnote 5: A full list of the PBF detection metrics that covers every characteristic will be presented with demonstration examples in future work owing to space limitations in this paper.
Footnote 6: https://atlasti.com
The process activity was also added as a characteristic of the presentation layer because it represents a unit of work in the process model [21]. This characteristic refers to the execution of a single activity in the process case. The presentation layer is now complete and is added as a new dimension to the taxonomy. Thus, the taxonomy now has three dimensions (fraud domain, process perspective, and presentation layer). However, the taxonomy's end conditions have not been satisfied yet because further new dimensions were derived during this iteration. Therefore, another iteration is still required.
All the applicable US Statement of Auditing Standard (SAS) No. 99 red flags [55] were used as empirical data to implement the empirical-to-conceptual approach in this iteration. They are the most successful and common indicators that are used to detect fraud [12]. The red flags are listed in Table 7 in Appendix A. Every red flag relevant to the detection of PBF is assigned to a developed joint group (i.e., suggested group) to identify the fraud data scheme. Moreover, all the existing metrics in Table 1 are used as additional empirical data to identify the fraud data scheme by assigning each metric to a suggested data scheme group, as shown in Table 3. By studying the suggested groups in both tables, the fraud data scheme is induced to be a new dimension; the characteristics of this dimension are described in Table 4. At the end of this iteration, the taxonomy has four dimensions: fraud domain, process perspective, presentation layer, and fraud data scheme. However, the taxonomy's end conditions have still not been satisfied because a new dimension has been derived during this iteration; therefore, yet another iteration is required.
Checking the quality of the data (i.e., if there are any missing data) is essential for detecting any performance-related issues (i.e., fraud) [56]-[58]. Thus, data quality attributes that are found in the literature can be used to determine whether the fraud data scheme dimension is comprehensive.
Data quality attributes were surveyed in [59], and many data quality attributes were identified. The attributes proposed in [59] are presented in Table 8 in Appendix B to check whether the characteristics of the fraud data scheme cover the relevant data quality attributes. Because all relevant data quality attributes are covered, as shown in the table, the characteristics of the fraud data scheme were not updated.
Consequently, no further changes were made to the taxonomy during this iteration, and it is expected that this iteration is the last. Thus, the end conditions for the development of taxonomy will be examined to check if they are satisfied, as described in Table 5.
As shown in Table 5, the developed taxonomy meets all the end conditions and the taxonomy development process is complete. Fig. 4 depicts the developed taxonomy with all dimensions and characteristics. Finally, to show the applicability of the taxonomy, Table 6 demonstrates and classifies all the current PBF detection metrics, which are listed in Table 1, into the taxonomy.
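The checks mentioned earlier in this section (one resource both posting and approving, off-hours activity, missing data) can be run over an event log with every finding tagged by its position in the four dimensions. This is an added example, not code or data from the paper: the event log is constructed, the 08:00 to 18:00 working window is an assumption, and the placement of each metric in the taxonomy is illustrative rather than taken from Table 6.

```python
from collections import defaultdict
from datetime import datetime, time

# Dimensions and characteristics as listed in the paper's abstract and conclusion.
TAXONOMY = {
    "process_perspective": {"time", "function", "data", "resource", "location"},
    "presentation_layer": {"process map", "process stream", "process model",
                           "process instance", "process activity"},
    "fraud_data_scheme": {"anomalous", "discrepant", "missing", "wrong"},
    "fraud_domain": {"generic", "specific"},
}

def metric(name, **coords):
    """Describe a metric; it must carry exactly one characteristic per dimension."""
    if set(coords) != set(TAXONOMY):
        raise ValueError(f"{name}: expected dimensions {sorted(TAXONOMY)}")
    for dim, value in coords.items():
        if value not in TAXONOMY[dim]:
            raise ValueError(f"{name}: {value!r} is not a characteristic of {dim}")
    return {"metric": name, **coords}

# Assumption: these placements are illustrative, not the paper's Table 6.
METRICS = [
    metric("same_resource_posts_and_approves", process_perspective="resource",
           presentation_layer="process instance", fraud_data_scheme="wrong",
           fraud_domain="generic"),
    metric("off_hours_activity", process_perspective="time",
           presentation_layer="process activity", fraud_data_scheme="anomalous",
           fraud_domain="generic"),
    metric("missing_required_data", process_perspective="data",
           presentation_layer="process activity", fraud_data_scheme="missing",
           fraud_domain="generic"),
]

# Constructed event log (hypothetical cases, resources and amounts).
EVENT_LOG = [
    {"case": "PO-1001", "activity": "post", "resource": "alice", "ts": "2020-03-02T10:15:00", "amount": 1200.0},
    {"case": "PO-1001", "activity": "approve", "resource": "bob", "ts": "2020-03-02T11:00:00", "amount": 1200.0},
    {"case": "PO-1002", "activity": "post", "resource": "carol", "ts": "2020-03-02T14:30:00", "amount": 900.0},
    {"case": "PO-1002", "activity": "approve", "resource": "carol", "ts": "2020-03-02T14:35:00", "amount": 900.0},
    {"case": "PO-1003", "activity": "post", "resource": "dave", "ts": "2020-03-03T23:40:00", "amount": 450.0},
    {"case": "PO-1003", "activity": "approve", "resource": "bob", "ts": "2020-03-04T09:05:00", "amount": None},
]
REQUIRED_FIELDS = ("case", "activity", "resource", "ts", "amount")

def same_resource_posts_and_approves(log):
    """Segregation-of-duties check: one resource both posted and approved a case."""
    by_case = defaultdict(lambda: defaultdict(set))
    for event in log:
        by_case[event["case"]][event["activity"]].add(event["resource"])
    hits = []
    for case, acts in sorted(by_case.items()):
        both = acts["post"] & acts["approve"]
        if both:
            hits.append((case, "posted and approved by " + ", ".join(sorted(both))))
    return hits

def off_hours_activity(log, start=time(8, 0), end=time(18, 0)):
    """Events on a weekend or outside the assumed working window."""
    hits = []
    for event in log:
        ts = datetime.fromisoformat(event["ts"])
        if ts.weekday() >= 5 or not (start <= ts.time() < end):
            hits.append((event["case"], event["activity"] + " at " + event["ts"]))
    return hits

def missing_required_data(log):
    """Events whose required attributes are absent or empty."""
    hits = []
    for event in log:
        absent = [f for f in REQUIRED_FIELDS if event.get(f) in (None, "")]
        if absent:
            hits.append((event["case"], event["activity"] + " lacks " + ", ".join(absent)))
    return hits

CHECKS = {fn.__name__: fn for fn in (same_resource_posts_and_approves,
                                     off_hours_activity, missing_required_data)}

def run_metrics(log):
    """Run every registered metric and attach its taxonomy coordinates."""
    findings = []
    for m in METRICS:
        for case, detail in CHECKS[m["metric"]](log):
            findings.append({**m, "case": case, "detail": detail})
    return findings

def uncovered_characteristics():
    """Characteristics with no metric assigned (objective condition 3 asks for none)."""
    used = defaultdict(set)
    for m in METRICS:
        for dim in TAXONOMY:
            used[dim].add(m[dim])
    return {dim: TAXONOMY[dim] - used[dim] for dim in TAXONOMY}

if __name__ == "__main__":
    for finding in run_metrics(EVENT_LOG):
        print(finding)
    print("no metric yet for:", uncovered_characteristics())
```

The gaps reported by `uncovered_characteristics()` are where a metric set built this way still lacks coverage, which is the "find missing metrics" use the paper names for the taxonomy.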

A. CONTRIBUTION TO KNOWLEDGE (RIGOR)
The taxonomic theory is a form of conceptual knowledge in the epistemology field of design science [60]. Gregor [16] stated that IS theories can be classified into five types: analytical, explaining, prediction, explaining and prediction, and design and action theory. According to [16], the taxonomic theory can be considered as an analysis theory (type 1), which describes or classifies specific dimensions or characteristics of individuals, groups, situations, or events by outlining the shared features found in discrete observations [16]. This answers the "what" question and can be used as a foundation for developing more advanced theories (e.g., explanation, prediction, explanation and prediction, and design and action) [61].
The taxonomy has a theoretical purpose for developing a taxonomic theory to solve the classification problem and increase our understanding of PBF detection. By using the Nickerson et al. [14] method in this study to develop the taxonomy, the taxonomic theory can be successfully defined [14].

B. CONTRIBUTION TO PRACTICE (RELEVANCE)
Taxonomy serves a practical purpose for improving and detecting PBF by using a classification system. As stated by Recker [62], the practical implications include addressing how this research changes or influences the work practices of stakeholders. The main stakeholders of this research are PBF researchers, professional PBF examiners, and the detection technique developers for PBF.
Because the taxonomic theory is considered an analysis theory, which is the first step toward developing more advanced theories [16], PBF researchers can use this to develop advanced types of theories.
Professional examiners who inspect PBF in organizations can enhance the practice of PBF detection by using the proposed taxonomy to develop and extend the PBF detection metrics that were probably missing in their work previously. In contrast, the developers of PBF detection techniques will be able to create more comprehensive PBF detection techniques and algorithms using a holistic taxonomy approach. Finally, the proposed taxonomy can be a useful tool for anyone interested in applying and evaluating detection metrics for PBF.

VI. CONCLUSION
This study developed a taxonomy of detection metrics for possible PBF by using DSR. The developed taxonomy includes the following dimensions with their characteristics: process perspectives {time, function, data, resource, and location}, presentation layers {process map, process stream, process model, process instance, and process activity}, fraud data schemes {anomalous, discrepant, missing, and wrong}, and fraud domains {generic and specific}.
This taxonomy serves the practical purpose of improving PBF detection in practice, while simultaneously serving the theoretical purpose of solving the classification problem and improving the understanding of PBF detection. In summary, this taxonomy can be used to (1) shed light on the main dimensions of PBF with its relationships, (2) determine the topic borders of PBF, (3) bridge knowledge gaps in PBF detection (e.g., find missing metrics), (4) standardize concepts to provide consistency between PBF stakeholders, (5) classify PBF detection metrics, (6) form a comprehensive checklist of best practices to define PBF detection metrics, and (7) pave the way for more advanced theories regarding PBF detection.
Owing to the sensitivity of fraud, the availability of fraud data is one of the limitations of this research. However, using open data can alleviate this limitation.
For future work, the developed taxonomy, which provides the necessary knowledge as a foundation, will be used to generate new PBF detection metrics. These metrics will be theoretically and empirically validated. Furthermore, case studies may be conducted where organizations extend the proposed taxonomy to a specific domain (e.g., IT security). Finally, expanding the proposed taxonomy to include prevention metrics of PBF may be conducted in future research.

Since 2014, he has been working as an Assistant Professor at the Department of Information Systems, King Saud University. He is currently a Scientific Reviewer of two journals and two conferences. He is the author of more than ten published articles. His research interests include business process management, entrepreneurship, design research in information systems, enterprise resource planning systems, and design science research methodologies in information systems.
Dr. Alturki was a recipient of the Best Dissertation Award from the Australian Council of Professors and Heads of Information Systems (ACPHIS), in 2014.