Fiyinfolu Okedare on Shifting from Reactive Investigation to Strategic Risk Management and the Power of Integrated GRC
In this exclusive interview, Fiyinfolu Okedare, Director of Consulting (FCA, CISA, CFE, CRISC), provides executive leadership with a clear roadmap for dismantling traditional, reactive fraud strategies. Mr. Okedare argues compellingly that to succeed in the digital economy, organizations must view fraud not as an audit issue, but as a fundamental strategic business risk that requires executive ownership from the Board down.
He details the practical steps for this transition: leveraging advanced analytics to detect anomalies in real time, enforcing the integrity of critical systems against misuse of privileged access, and redesigning core workflows where fraud vulnerabilities most frequently surface. Mr. Okedare also shares vital insights into the technical challenges of extracting forensic evidence from complex ERP systems and outlines how the future of fraud investigation demands preparation for blockchain obfuscation. This conversation is essential for CEOs and Board members seeking to integrate IT auditing, fraud examination, and risk management into a unified framework that builds resilience and protects long-term shareholder trust.
Q&A with Fiyinfolu Okedare
Q: As a Director of Consulting, how do you advise executive leadership to transition their fraud prevention strategy from a reactive approach (investigation) to a proactive one focused on Fraud Risk Assessment?
A: As Director of Consulting, I stress that effective fraud prevention is about staying ahead of bad actors, not just catching them post-factum. By treating fraud as a business risk, rather than merely a compliance issue, we encourage executive alignment to integrate fraud risk into enterprise risk management. This shift moves organisations from reactive investigations to proactive assessments that identify vulnerabilities before they escalate.
We begin by mapping critical processes such as finance, procurement, HR, and IT through a fraud lens. ICFR audits help pinpoint existing controls, gaps, and access privileges, forming the backbone of a tailored Fraud Risk Assessment. To enhance this effort, I advocate for cross-functional fraud risk committees that bring together finance, internal audit, IT, and compliance, fostering collaboration to drive coordinated mitigation strategies.
While technology supports our initiatives, a strong culture is vital for lasting change. By viewing fraud risk management as a safeguard for assets and stakeholder trust, organisations can transition it from a cost to a strategic investment, ultimately driving transformation.
Q: How has the use of advanced analytics and automated monitoring fundamentally changed the efficiency and accuracy of identifying high-risk transactions or anomalies during a fraud risk assessment?
A: Advanced analytics and automated monitoring have really changed the game for how we look at fraud risk. In the past, finding high-risk transactions relied a lot on manual checks and fixed rules. Now, thanks to machine learning and behavioral analytics, we can spot patterns that might go unnoticed by our eyes, all while analyzing tons of data in real time.
At Forvis Mazars, we’ve deployed Atlas Analytics that don’t just flag unusual activity but also learn from historical fraud cases. This approach allows us to identify outliers, recognise unusual transaction patterns, and even detect transactions occurring during atypical or high-risk hours, signals that often indicate potential fraudulent behaviour.
The best part? Speed! When it comes to fraud detection, getting ahead of the problem can make all the difference. By embedding analytics into our fraud risk assessments, we help clients transition from just reacting to potential fraud to proactively addressing risks, often catching issues before they escalate into real losses.
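The two signals named in the answer above, transactions posted at atypical hours and transactions whose amount is an outlier for the user, can be expressed as a small rule set run over a ledger extract. The block below is an added illustration written for this page; it is not Atlas Analytics or any Forvis Mazars code. The transaction list, the 08:00-18:59 business-hours window and the 3.5 modified z-score cut-off are all constructed assumptions for the example.

```python
from datetime import datetime
from statistics import median

# Constructed sample ledger rows: (txn_id, user, posted_at, amount). Not real data.
TRANSACTIONS = [
    ("T001", "alice", "2024-03-04 09:15:00", 1200.00),
    ("T002", "alice", "2024-03-04 11:40:00", 1350.00),
    ("T003", "alice", "2024-03-05 10:05:00", 1100.00),
    ("T004", "alice", "2024-03-05 14:30:00", 1275.00),
    ("T005", "alice", "2024-03-06 02:47:00", 1180.00),  # posted at 02:47, outside business hours
    ("T006", "bob",   "2024-03-04 10:00:00",  500.00),
    ("T007", "bob",   "2024-03-04 15:20:00",  520.00),
    ("T008", "bob",   "2024-03-05 09:45:00",  480.00),
    ("T009", "bob",   "2024-03-05 16:10:00", 9800.00),  # roughly 20x bob's usual amount
    ("T010", "bob",   "2024-03-06 11:30:00",  510.00),
]

# Assumed policy: business hours are 08:00-18:59 local time.
BUSINESS_HOURS = range(8, 19)


def robust_z(values, x):
    """Modified z-score built on median and MAD.

    Unlike a mean/stddev z-score, the outlier itself barely moves the baseline,
    so one huge payment does not hide itself by inflating the standard deviation.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        return 0.0
    return 0.6745 * (x - med) / mad


def flag_transactions(txns, z_threshold=3.5):
    """Return [(txn_id, user, [reasons])] for rows that trip at least one rule."""
    amounts_by_user = {}
    for _, user, _, amount in txns:
        amounts_by_user.setdefault(user, []).append(amount)

    flagged = []
    for txn_id, user, posted_at, amount in txns:
        reasons = []
        hour = datetime.strptime(posted_at, "%Y-%m-%d %H:%M:%S").hour
        if hour not in BUSINESS_HOURS:
            reasons.append("atypical_hour")
        z = robust_z(amounts_by_user[user], amount)
        if abs(z) > z_threshold:
            reasons.append(f"amount_outlier(z={z:.1f})")
        if reasons:
            flagged.append((txn_id, user, reasons))
    return flagged


if __name__ == "__main__":
    for txn_id, user, reasons in flag_transactions(TRANSACTIONS):
        print(txn_id, user, ", ".join(reasons))
```

The per-user baseline matters: 9,800 is unremarkable for a treasury user and glaring for a clerk who normally posts a few hundred. In a production deployment these rules would be one layer beneath a learned model, and every flag would land in a review queue rather than block the posting outright.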
Q: Given the rise of digital services, which two types of Technology Risks do you find are most frequently exploited by fraudsters today, and how should organizations mitigate them?
A: In today’s digital landscape, two key technology risks often exploited by fraudsters are privileged access misuse and insecure third-party integrations. These risks can bypass traditional defences and take advantage of inherent trust within systems, making them particularly concerning.
Privileged access misuse typically involves internal actors or compromised credentials that enable unauthorised changes to critical records and systems. To mitigate this risk, organisations should implement strict role-based access controls and enforce Multi-Factor Authentication (MFA) across all essential systems.
Similarly, third-party integrations, like APIs, can introduce vulnerabilities when vendor controls are lacking. Conducting thorough vendor risk assessments and monitoring these integrations for anomalies is crucial. In essence, effective technology risk management must be woven into fraud governance to secure not only systems but also the trust we establish across every digital touchpoint.
Q: Your experience covers Business Process Re-engineering. Where in the typical business lifecycle do you see the most significant fraud vulnerabilities that require immediate process redesign?
A: Fraud vulnerabilities often surface during transaction processing and approval stages, particularly in procurement, payroll, and expense management. Organizations that rely on legacy processes with manual approvals and siloed systems can face risks like duplicate payments and fictitious vendors. In my Business Process Re-engineering initiatives, we aim to redesign these workflows to include preventive controls, such as automated validation rules and audit trails.
Change management and system configuration are also critical areas where fraud can be introduced through unauthorized changes to master data. Without a robust review process, these changes can go unnoticed until significant losses occur.
By redesigning processes with a focus on fraud prevention, we enhance transparency, accountability, and automation. Balancing efficiency and resilience is crucial. This proactive approach allows organizations to shift from reactive measures to effective governance, staying one step ahead of potential fraud risks.
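The preventive controls the answer above calls "automated validation rules" can be made concrete. The block below is an added example written for this page, not code from the interviewee's re-engineering work. It runs two checks over a constructed accounts-payable extract: a duplicate-payment rule that normalises invoice references so "INV-2041" and "inv 2041" collide, and a fictitious-vendor rule that matches vendor bank accounts against the employee master and against who created the vendor record. The payment rows, vendor and employee tables, and the 30-day window are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample data; none of it is from a real ledger.
PAYMENTS = [
    # (payment_id, vendor_id, invoice_ref, amount, paid_on)
    ("P1", "V100", "INV-2041",  4500.00, "2024-02-01"),
    ("P2", "V100", "inv 2041",  4500.00, "2024-02-09"),  # same invoice, re-keyed with a different format
    ("P3", "V200", "INV-77",     800.00, "2024-02-03"),
    ("P4", "V200", "INV-78",     800.00, "2024-02-03"),  # same vendor, amount and day, new ref
    ("P5", "V300", "INV-9",    15000.00, "2024-02-10"),
]
VENDORS = {
    "V100": {"name": "Acme Supplies Ltd", "bank_acct": "0123456789", "created_by": "clerk1"},
    "V200": {"name": "Blue Cables Ltd",   "bank_acct": "0987654321", "created_by": "clerk2"},
    "V300": {"name": "QuickFix Services", "bank_acct": "1122334455", "created_by": "clerk3"},
}
EMPLOYEES = {
    "clerk1": {"bank_acct": "5555555555"},
    "clerk3": {"bank_acct": "1122334455"},  # same account as vendor V300, which clerk3 created
}


def normalize_ref(ref):
    """Collapse case, whitespace and punctuation so re-keyed references still match."""
    return re.sub(r"[^a-z0-9]", "", ref.lower())


def find_duplicate_payments(payments, window_days=30):
    """Return [(earlier_id, later_id, finding)] for exact and possible duplicates."""
    exact = defaultdict(list)     # (vendor, normalised ref, amount) -> [(id, date)]
    same_day = defaultdict(list)  # (vendor, amount, date) -> [(id, normalised ref)]
    findings = []
    for pid, vendor, ref, amount, paid_on in payments:
        d = datetime.strptime(paid_on, "%Y-%m-%d")
        nref = normalize_ref(ref)

        key = (vendor, nref, round(amount, 2))
        for prev_id, prev_d in exact[key]:
            if abs((d - prev_d).days) <= window_days:
                findings.append((prev_id, pid, "duplicate: same vendor, invoice and amount"))
        exact[key].append((pid, d))

        day_key = (vendor, round(amount, 2), paid_on)
        for prev_id, prev_ref in same_day[day_key]:
            if prev_ref != nref:  # exact duplicates were already reported above
                findings.append((prev_id, pid,
                                 "possible duplicate: same vendor, amount and date, different invoice ref"))
        same_day[day_key].append((pid, nref))
    return findings


def find_vendor_employee_matches(vendors, employees):
    """Return [(vendor_id, employee, [reasons])] where a vendor looks like an insider's alias."""
    employee_by_acct = {e["bank_acct"]: name for name, e in employees.items()}
    hits = []
    for vid, v in vendors.items():
        emp = employee_by_acct.get(v["bank_acct"])
        if emp is None:
            continue
        reasons = ["vendor bank account matches an employee's account"]
        if v["created_by"] == emp:
            reasons.append("vendor record was created by that same employee")
        hits.append((vid, emp, reasons))
    return hits


if __name__ == "__main__":
    for finding in find_duplicate_payments(PAYMENTS):
        print(finding)
    for hit in find_vendor_employee_matches(VENDORS, EMPLOYEES):
        print(hit)
```

Placed in the approval workflow, these rules hold a payment for a second reviewer instead of rejecting it, which keeps the efficiency/resilience balance the answer describes: a legitimate second invoice for the same amount on the same day costs one review, while a duplicate or an insider-controlled vendor never reaches the bank file unchallenged.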
Q: Fraud investigations often involve navigating complex IT environments, including ERP systems like SAP, Oracle EBS, or T24. What is the biggest challenge when extracting reliable forensic evidence from these major integrated platforms?
A: The biggest challenge in obtaining reliable forensic evidence from ERP platforms like SAP, Oracle EBS, or T24 is the complexity and fragmentation of audit trails. Designed for operational efficiency, these systems often scatter critical logs across various modules, databases, and middleware layers.
In fraud investigations, time is critical. Retrieving meaningful evidence, such as user actions and data changes, requires a thorough understanding of the system and the ability to craft custom queries. Without proper logging configurations, key evidence may be incomplete or inaccessible, making it even harder to piece together events.
Additionally, data normalization complicates the situation further, as different ERP systems structure their logs uniquely. This inconsistency can hinder efforts to correlate events or establish a clear timeline, particularly in environments where fraud spans multiple systems, such as finance, procurement, and HR. Organisations should embrace proactive forensic readiness to secure useful audit trails effectively.
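The normalisation problem in the answer above is mostly mechanical: different field layouts, different timestamp formats and, often overlooked, different time zones per system. The block below is an added example written for this page, not an extract from SAP, Oracle EBS or T24 tooling. It parses two constructed export formats from two hypothetical systems ("System A", a pipe-delimited change log assumed to be written in UTC, and "System B", a key=value access log carrying an explicit UTC offset) into one schema and sorts them into a single UTC timeline. Both formats and every record in them are invented for the illustration.

```python
import re
from datetime import datetime, timezone

# Constructed samples in two hypothetical export formats. Not real ERP output.
# System A: timestamp|user|action|object_type|object_id|detail, timestamps assumed UTC.
SYSTEM_A_LOG = """\
2024-03-05 16:02:11|jdoe|CHANGE|VENDOR_MASTER|V300|bank_acct 0987654321->1122334455
2024-03-05 16:09:40|jdoe|POST|AP_PAYMENT|P5|15000.00
"""
# System B: "dd/mm/yyyy HH:MM:SS +hhmm" followed by key=value pairs, local time with offset.
SYSTEM_B_LOG = """\
05/03/2024 17:01:58 +0100 user=jdoe action=login src=10.0.4.21
05/03/2024 17:05:03 +0100 user=jdoe action=approve object=PO-551
"""

B_LINE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}) (.*)$")


def parse_system_a(text):
    """Yield normalised events from System A; naive timestamps are tagged as UTC."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj_type, obj_id, detail = line.split("|", 5)
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        yield {"ts": when, "system": "A", "user": user, "action": action,
               "object": f"{obj_type}:{obj_id}", "detail": detail}


def parse_system_b(text):
    """Yield normalised events from System B; offsets are converted to UTC."""
    for line in text.splitlines():
        m = B_LINE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S %z").astimezone(timezone.utc)
        fields = dict(kv.split("=", 1) for kv in m.group(2).split())
        yield {"ts": when, "system": "B", "user": fields.get("user", ""),
               "action": fields.get("action", ""), "object": fields.get("object", ""),
               "detail": " ".join(f"{k}={v}" for k, v in fields.items()
                                  if k not in ("user", "action", "object"))}


def build_timeline(*event_iterables):
    """Merge events from any number of sources and order them by UTC time."""
    events = [e for it in event_iterables for e in it]
    return sorted(events, key=lambda e: (e["ts"], e["system"]))


def events_for_user(timeline, user):
    return [e for e in timeline if e["user"] == user]


if __name__ == "__main__":
    timeline = build_timeline(parse_system_a(SYSTEM_A_LOG), parse_system_b(SYSTEM_B_LOG))
    for e in events_for_user(timeline, "jdoe"):
        print(e["ts"].isoformat(), e["system"], e["action"], e["object"], e["detail"])
```

Read in their native formats, the System B entries appear to happen an hour after the System A entries. Once both are in UTC the sequence is login, master-data change, approval, payment posting, which is the kind of ordering an investigator needs to establish and a defence will test. Forensic readiness, in this light, means deciding the target schema, the clock source and the retention period before an incident, not during one.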
Q: You conduct Vulnerability Assessments and Penetration Testing. How do the insights gained from offensive security testing directly inform and improve the scope and effectiveness of a Fraud Investigation?
A: Offensive security testing, particularly through vulnerability assessments and penetration testing (VAPT), offers critical insights into how fraud can exploit technical weaknesses. By simulating real-world attacks, these assessments expose entry points for unauthorized access or data manipulation that traditional audits might miss. Misconfigured firewalls or exposed APIs may not generate compliance alerts, yet they can serve as significant avenues for data breaches.
Moreover, penetration testing aids in verifying the integrity of forensic evidence. Discovering that logs can be altered or that access trails are incomplete directly influences the processes for collecting and analyzing digital evidence in fraud investigations.
In essence, offensive testing enhances fraud investigations by clarifying the mechanisms behind breaches, rather than merely identifying their occurrence. This establishes a crucial connection between cybersecurity efforts and the accountability required in forensic analyses.
Q: In the context of the Nigerian business environment, what role should Digital Forensics play in proving intent and establishing accountability in major corporate fraud cases?
A: Digital forensics plays a vital role in linking suspicion to accountability in corporate fraud cases, particularly in Nigeria, where proving intent can be challenging. It provides the necessary technical evidence to reconstruct events, track user actions, and validate or refute claims effectively.
In environments where manual overrides and undocumented decisions occur frequently, forensic analysis of logs, emails, access records, and system changes is crucial. This analysis helps establish clear timelines, identify unauthorized activities, and link digital footprints to specific individuals, supporting internal investigations and legal proceedings.
Moreover, having robust digital forensics enhances the credibility of any investigation. Findings backed by verifiable system evidence are more persuasive to regulators and courts. Organisations should prioritise forensic readiness by ensuring they retain logs and maintain the integrity of evidence. Ultimately, digital forensics not only uncovers what happened but also clarifies why events occurred and identifies those responsible.
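Two answers above turn on the same point: that logs can be altered or trimmed (the penetration-testing answer) and that evidence integrity must be maintained for findings to hold up before regulators and courts (this one). A common readiness control is a hash chain over the evidence records, so that any edit, insertion or deletion breaks every later link. The block below is an added example written for this page, not the interviewee's or any vendor's tooling; the event records are constructed, and the functions and field names are the example's own.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first record

# Constructed evidence records, e.g. exported from an ERP change log. Not real data.
EVENTS = [
    {"seq": 1, "ts": "2024-03-05T16:01:58Z", "user": "jdoe", "action": "login"},
    {"seq": 2, "ts": "2024-03-05T16:02:11Z", "user": "jdoe", "action": "CHANGE",
     "object": "VENDOR_MASTER:V300", "detail": "bank_acct 0987654321->1122334455"},
    {"seq": 3, "ts": "2024-03-05T16:05:03Z", "user": "jdoe", "action": "approve", "object": "PO-551"},
    {"seq": 4, "ts": "2024-03-05T16:09:40Z", "user": "jdoe", "action": "POST",
     "object": "AP_PAYMENT:P5", "amount": "15000.00"},
]


def canonical(record):
    """Serialise deterministically so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def chain_records(records):
    """Wrap each record with the previous digest and its own SHA-256 over (prev || record)."""
    prev = GENESIS
    chained = []
    for rec in records:
        digest = hashlib.sha256(prev.encode("ascii") + canonical(rec)).hexdigest()
        chained.append({"record": rec, "prev": prev, "hash": digest})
        prev = digest
    return chained


def verify_chain(chained):
    """Return -1 if the chain is intact, else the index of the first broken link."""
    prev = GENESIS
    for i, entry in enumerate(chained):
        if entry["prev"] != prev:
            return i
        expected = hashlib.sha256(prev.encode("ascii") + canonical(entry["record"])).hexdigest()
        if expected != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1


def tamper_demo():
    """Show which link each kind of tampering breaks: (intact, edited, deleted, appended-fake)."""
    chained = chain_records(EVENTS)
    intact = verify_chain(chained)

    edited = copy.deepcopy(chained)
    edited[3]["record"]["amount"] = "1500.00"      # quietly change the posted amount
    deleted = copy.deepcopy(chained)
    del deleted[1]                                  # drop the master-data change entirely
    appended = copy.deepcopy(chained)
    appended.append({"record": {"seq": 5, "action": "rollback"},
                     "prev": GENESIS, "hash": "00" * 32})  # bolt on an unlinked record

    return intact, verify_chain(edited), verify_chain(deleted), verify_chain(appended)


if __name__ == "__main__":
    print(tamper_demo())
```

The chain is tamper-evident, not tamper-proof: whoever can rewrite the records can also recompute every hash after the edit. The control becomes meaningful when the head digest is periodically written somewhere the ERP administrators cannot reach (a separate log platform, a signed ticket, an external timestamping service), so that the stored head and the recomputed head can be compared at investigation time.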
Q: How does a robust Change Management Review process, one of your specialties, help minimize the risk of fraudulent activities being introduced or masked within critical systems?
A: A robust Change Management Review process is vital for shielding critical systems from fraud. Every change, technical or procedural, must follow a strict approval workflow to uphold integrity and visibility.
Unauthorized alterations, like access right tweaks or concealed reporting logic changes, create serious vulnerabilities. I recommend pre-deployment risk reviews, strict duty segregation, and rigorous post-change verification to enforce accountability at every step.
Moreover, embedding audit trails and rollback mechanisms allows full traceability and swift reversal of changes. This is essential in ERP systems where tweaks can distort financial reports. Strong Change Management thus bolsters IT governance and fraud prevention, building a secure, trusted environment.
Q: Your team handles Third-Party Assurance Reviews (SOC 1, SOC 2). How does a failure in vendor control, highlighted during an assurance review, often create the opening for external or collaborative fraud?
A: In our experience with Third-Party Assurance Reviews, such as SOC 1 and SOC 2, we’ve seen that weaknesses in vendor control can create significant vulnerabilities. Issues like inadequate access management and poor data handling expose organisations to both external fraud and internal exploitation, especially when sensitive financial data is involved.
Additionally, internal staff may collude with outsiders or leverage inadequate oversight to hide their actions. This is why assurance reviews are crucial; they help pinpoint these risks early. By addressing vulnerabilities, companies can strengthen controls, ensure compliance, and better protect against fraud.
In essence, third-party assurance is about trust just as much as it is about compliance. When vendor controls fail, the organization’s exposure multiplies. That is why we treat these reviews as a frontline defense in fraud governance.
Q: The roles of the CISA, CFE, and CRISC are distinct. How do you integrate the unique perspectives of technology auditing, fraud examination, and risk management into a unified and effective Fraud Governance Framework?
A: Each certification – CISA, CFE, and CRISC – offers a distinct lens, but together they form a powerful triad for building a resilient fraud governance framework.
CISA emphasises the confidentiality, integrity, and availability of the IT Assets that are inherent within an IT environment. CFE provides investigative rigour, allowing for the interpretation of anomalies as potential indicators of fraud. CRISC connects IT risk to enterprise objectives, prioritising mitigation based on business impact and aligning with the risk appetite of the organisation.
By integrating these three perspectives, I build frameworks that are technically sound, investigative-ready, and strategically aligned. My professional intent is not only about ticking boxes but also creating systems that anticipate fraud, respond decisively, and protect long-term value.
Q: With the increasing use of cryptocurrencies and digital payments, what is the most significant emerging trend in fraud investigation that your team is preparing for over the next few years?
A: As cryptocurrencies and digital payments rise in popularity, one trend gaining attention is blockchain obfuscation. With decentralized finance (DeFi) platforms expanding, fraudsters increasingly leverage mixers, privacy coins, and cross-chain swaps to conceal illicit activities and launder money.
Traditional methods like tracking bank transactions and using enterprise resource planning (ERP) logs are proving less effective. To adapt, we’re investing in platforms like Chain Analysis to enhance our understanding of wallet clustering, mixer patterns, and on-chain/off-chain correlations, especially in cases involving phishing and insider fraud.
Looking ahead, merging blockchain intelligence with flexible verification methods will be crucial. By remaining vigilant and informed, we can effectively navigate these evolving risks and create a safer financial environment together.
Q: For our audience of CEOs and Board members, what is the single most important best practice in Fraud Risk Assessment and Investigation that must be championed from the executive level down to be truly effective?
A: The most important best practice is executive ownership of fraud risk as a strategic business issue, not just a compliance or audit concern. When fraud governance is championed from the top, it sets the tone for accountability, transparency, and proactive risk management across the organization.
This starts with embedding fraud risk into enterprise risk frameworks, ensuring it is discussed at board meetings, tracked through KPIs, and aligned with business objectives. CEOs and board members must demand regular fraud risk assessments, not just post-incident investigations, and ensure cross-functional collaboration between finance, IT, audit, and compliance units of their organizations.
Equally critical is fostering a culture of ethical vigilance. When leadership visibly supports whistleblower protection, enforces consequence management, and invests in fraud prevention technologies, it signals that fraud is taken seriously at every level.
In short, fraud risk management must be led, not delegated. When executives own the narrative, the organization becomes not just compliant but resilient.