Bart Henderson: The risk of fraud is measurable so why do we keep missing it?

Key topics:Fraud is measurable distortion within accounting systems, not mysteryMissed fraud comes from incomplete models, ignored data, and simplificationDigitisation enables continuous monitoring and earlier anomaly detection.Sign up for your early morning brew of the BizNews Insider to keep you up to speed with the content that matters. The newsletter will land in your inbox every morning on weekdays. Register here.Support South Africa's bastion of independent journalism, offering balanced insights on investments, business, and the political economy, by joining BizNews Premium. Register here.If you prefer WhatsApp for updates, sign up to the BizNews channel here..By Bart Henderson*.There is a persistent myth in business, audit, and risk circles that fraud is elusive—too complex, too unpredictable, too dependent on human behaviour to be properly measured. It’s a convenient narrative. It’s also wrong.Risk is measurable. Not perfectly, not absolutely—but measurably enough to prevent most of the catastrophic failures we continue to witness across global markets.The distinction matters.In enterprise risk, we deal with two fundamental categories: pure risk and speculative risk. Pure risk is the domain of control—known exposures that can be identified, mitigated, and monitored.Speculative risk is the domain of probability—forward-looking, modelled, and aggregated based on assumptions and data.Modern fraud risk management sits at the intersection of both.We build models on what we know—transaction flows, control environments, behavioural patterns—and then layer in variables: probabilities, predictive analytics, and statistical weighting. The presence of uncertainty does not invalidate the model. It defines its boundaries.And yet, despite decades of advancement in data analytics, computing power, and regulatory oversight, we continue to see the same outcome: large-scale frauds, systemic control failures, and organisations collapsing under risks they supposedly understood.Why?Because the problem has never been whether risk can be measured. The problem is what organisations choose to measure—and, more importantly, what they choose to ignore.The Comfort of Incomplete MeasurementEvery risk model begins with the identification of known risk. That is the foundation—pure risk, systematically mapped across the enterprise.From there, we move into the unknown: assigning probabilities, modelling scenarios, and incorporating variables. This is where data mining, algorithms, and quantitative methods come into play..Read more:.FT’s Martin Wolf: We must be able hold tech platforms accountable for deep fake fraud.But here’s the uncomfortable truth: measurement is not constrained by capability. It is constrained by appetite.At some point, every organisation decides how far to go—how deeply to interrogate anomalies, how aggressively to challenge assumptions, and how much imperfection it is willing to tolerate.That decision is almost always governed by return on investment. This creates a secondary, often invisible risk: oversight by design.When analysis is deemed too costly, risk is only partially measured. When data is messy, it is excluded rather than corrected. When models become complex, they are simplified for efficiency.None of this eliminates risk. It simply relocates it—into blind spots.Fraud Is a Distortion, Not a MysteryAll major frauds share a common structural truth:They distort the relationship between income, expenses, and assets to conceal economic reality. Fraud cannot avoid the accounting system—it must manipulate it.Every large-scale financial fraud requires distortion of one or more of three anchors:ExpensesRevenueAssets.And that distortion creates detectable inconsistencies across the system. This is the critical shift in thinking.You do not need to predict how fraud will occur.You monitor for where the system stops making sense.The Closed System PrincipleAccounting is a closed system. Every transaction must reconcile—at least on the surface. That constraint is what makes fraud detectable.Regardless of method, fraud must:pass through journalsimpact accountsand ultimately reconcile but it reconciles poorly..And that is where the signal lives.The Signal Layer: What to MeasureIf fraud is a distortion, then detection becomes a measurement problem. You monitor for structural inconsistencies:Asset–expense mismatches (capitalisation of costs, deferred losses)Revenue–cash flow inconsistencies (reported growth without liquidity)Balance sheet growth without operational support (assets expanding faster than underlying activity)End-of-period adjustments and reclassifications (forced alignment of irreconcilable numbers).These are not random indicators.They are the inevitable by-products of forcing false narratives through a system that demands balance.Black Swans Don’t Come from NowhereWhen fraud surfaces, it is often described as a black swan—rare and unpredictable. But most so-called black swans are neither.They are the result of:incomplete modelspoor data qualityand deliberate exclusion of complexity.Take Steinhoff. For years, the group reported strong performance underpinned by inflated asset values and questionable transactions with related parties—creating the appearance of profitability and balance sheet strength that did not reflect economic reality.This was not random. It required transactions, entries, valuations, counterparties, and internal alignment across multiple entities.It left a trail.The failure was not detection capability.It was a failure to interrogate the system deeply enough.Enterprise-Wide Fraud Risk Management: The Missing DisciplineFraud does not occur in isolation. It moves across systems, functions, and people. Yet most organisations still treat fraud risk as a siloed compliance activity.This is fundamentally flawed.To manage fraud risk effectively, you must understand the enterprise as an integrated system:how transactions originatehow they movewhere controls intersectand where they fail.This requires depth. It requires time. It requires intellectual investment. And it is precisely what most risk functions lack.Too many manage frameworks. Too few understand systems.Audit: A Model Under StrainThe repeated failures of major corporates are not anomalies—they are patterns.Audits are periodic, sample-based, and reliant on judgement. They provide reasonable assurance, not certainty.More importantly, they operate within economic structures that prioritise efficiency and liability management.The result is a system that often validates coherence—rather than interrogating truth.Digitisation Changes the Equation The solution is not more regulation. It is digitisation.Not as a concept—but as a structural shift:Full-population data analysisContinuous monitoringAutomated anomaly detectionCross-system reconciliation.Digitisation expands the measurable universe and reduces dependence on subjective judgement. It allows organisations to detect distortions as they emerge—not after they collapse.The Real Constraint: ChoiceWe do not lack tools. We do not lack data. We do not lack mathematical capability. We lack commitment.Commitment to:measure beyond convenienceinterrogate beyond complianceand understand beyond surface-level frameworks.Until that changes, fraud will continue to be discovered after the fact—and explained as unpredictable.It is neither.Conclusion: The Gap Where Fraud LivesFraud is not invisible. It exists within systems that generate data, relationships, and constraints..Read more:.Banxso faces liquidation as deepfake scandal, fraud allegations, and regulatory crackdown intensify.It must reconcile within those systems.But it reconciles imperfectly. And in that imperfection lies detection.Every time an organisation simplifies a model, excludes a dataset, or limits scope for efficiency, it creates a gap.And fraud lives in that gap.Fraud is not a mystery, it is a distortion, and distortions can be measured. The only question is: Why aren’t you measuring them?.*Bart Henderson is a veteran fraud risk specialist and forensic investigator with nearly three decades of experience operating at the highest levels of financial crime detection, investigation, and litigation support across South Africa and beyond. An original official research partner for the NEPAD APRM, Bart spent over two decades advancing fraud risk methodologies across South Africa and the broader African continent. During this time, he developed and refined what became a pioneering 72 Red Flag / 400 Rule forensic audit and investigation model—a system that broke decisively from traditional silo-based methodologies and anticipated what is now widely recognised as Enterprise-Wide Fraud Risk Management. As a lecturer, Bart has presented lectures on the subject at multiple White Collar Crime Summits and Symposia, also on contract to the Institute of Internal Auditors (SA), Institute of Chartered Accountants (ZW), AUSAID, Central Bank of Kenya, Central Bank of Nigeria, and to a host of State-Owned Enterprises throughout Africa. In both prosecution and defence environments, Bart has been advisor, and represented high-net-worth individuals, senior executives, government officials, cabinet ministers, and a former Head of State. His investigative work has supported leading law firms and consulting organisations on some of South Africa’s most sensitive and complex matters across government, state-owned enterprises, and listed entities.

Bart Henderson: The risk of fraud is measurable so why do we keep missing it?

Related Stories

Bart Henderson: The artisan pipeline is failing in plain sight

Easy to build, AI trading bots creating terrifying financial risks

SA’s Hidden Tax: When identity stops being certain in a world of AI and institutional drift

Bart Henderson: How enterprise-wide fraud risk management solves fraud as a distortion