Multi-Dimensional Fraud Detection Metrics in Business Processes and their Application

Occupational fraud is defined as the deliberate misuse of one’s occupation for personal enrichment. It poses a significant challenge for organizations and governments. Estimates indicate that the funds involved in occupational fraud cases investigated across 125 countries between 2018 and 2019 exceeded US$3.6 billion. Process-based fraud (PBF) is a form of occupational fraud that is perpetrated inside business processes. Business processes underlie the logic of the work that organizations undertake, and they are used to execute an organization’s strategies to achieve organizational goals. Business processes should be examined for potential fraud risks to ensure that businesses achieve their objectives. While it is impossible to prevent fraud entirely, it must be detected. However, PBF detection metrics are not well developed at present. They are scattered, unstandardized, not validated, and, in some cases, absent. This study aimed to develop a comprehensive PBF detection metric by leveraging and operationalizing a taxonomy of fraud detection metrics for business processes as an underlying theory. 41 PBF detection metrics were deduced from the taxonomy using design science research. To evaluate their utility, the application of the metrics was undertaken using illustrative scenarios, and a real example of the implementation of the metrics was provided. The developed metrics form a complete, classified, validated, and standardized list of PBF detection metrics, which include all the necessary PBF detection dimensions. It is expected that the stakeholders involved in PBF detection will use the metrics established in this work in their practice to increase the effectiveness of the PBF detection process. Keywords—Business process fraud; fraud detection; fraud indicators; fraud measures; fraud metrics; PBF; red flags


I. INTRODUCTION
Fraud refers to an action that is designed to deceive others. Fraud results in a loss for the victim and gain for the perpetrator [1]. The Association of Certified Fraud Examiners (ACFE) 1 defines occupational fraud as the "use of one's occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization's resources or assets" [2, p. 86]. Organizations and individuals alike can be financially or physically affected by fraud [3].
Fraud can either be internal, when it is committed by someone inside an organization, or external, when it originates from outside an organization [4]. In this research, the focus is on internal or occupational fraud.
Fraud is becoming a globally prevalent threat [5]. It is estimated that the overall loss resulting from 2,504 cases of occupational fraud that were investigated between January 2018 and September 2019 exceeded US$3.6 billion across 125 countries [2]. The ACFE estimates that organizations lose approximately 5% of their revenues to fraud each year [2]. The wave of financial scandals that has been sweeping the world in the current century has also heightened the awareness of the need to manage fraud risk [6].
Process-based fraud (PBF) is a form of fraud that occurs in business processes. It can be identified by measuring the deviation from the process model [7]. However, deviation in the business process model is not always regarded as fraud; in order to confirm that fraud has taken place, a domain expert must investigate the matter.
Business process refers to a collection of related events, activities, decision points, actors, and objects that lead to an outcome that is valuable to at least one customer [8]. Business processes are core assets of organizations [8], and they are essential in the implementation of organizational strategy [9]. Business processes should be examined to detect any associated potential fraud risks that may threaten the achievement of business objectives [10]. However, at present, PBF detection metrics are not well addressed [11]. They are incomplete, overlapping, scattered, and not standardized [11]. Furthermore, the increase in fraud in recent years reflects the persistent nature of the issue [12]. Therefore, as it is impossible to prevent PBF completely, detecting it when it occurs is essentially.
This manuscript aims to develop comprehensive metrics that cover all the components necessary for the effective detection of PBF. The developed metrics will contribute to the effective detection of PBF as they provide a comprehensive, validated, and standardized list of PBF detection metrics.
First, the metrics are deduced from the taxonomy of fraud detection metrics for business processes [13]. The taxonomy serves as the underlying theory using design science research (DSR). The use of this taxonomy provides a complete understanding of PBF detection, coverage of all PBF detection elements, and a checklist of best practices that define PBF detection metrics [13]. Second, an illustrative scenario, as an evaluation method [14], is provided for each of the developed metrics in order to validate their utility. Ultimately, an implementation that uses the process mining technique is proposed to demonstrate the technical application of the metrics. 571 | P a g e www.ijacsa.thesai.org The remaining contents of this paper are organized as follows: Section II provides the background of the topic; Section III explains the methodology followed in the current work; Section IV proposes the complete PBF detection metrics; Section V provides a real example of the implementation of the metrics; Section VI shows and discusses the results; and, finally, in Section VII, the conclusions and direction in which the work in this field may progress in the future are presented.

II. BACKGROUND
Implementing fraud detection and fraud prevention systems is essential for effective fraud risk management [15]. Fraud prevention consists of measures to avoid or reduce fraud. In addition, in fraud detection, measures that help identify fraud when it occurs are used [15]. Since preventing every instance of fraud is impossible, continuous application of fraud detection techniques is necessary to protect against any instances that were not prevented [3].
Fraud detection techniques can be placed into one of three categories [16]. First, the misuse-based detection technique uses a predefined list (i.e., known patterns) of possible fraud schemes to detect fraud. It is an expert fraud detection system that uses predefined metrics. Its advantage is a low false alarm rate, but it cannot detect instances of fraud that follow new patterns [16]. Second, the anomaly-based technique can be implemented using machine learning techniques, which leads to the detection of any suspicious behavior that deviates from standard behavior [17], [18]. It does not require a predefined list of fraud schemes, and it can detect new cases of fraud. However, it suffers from a high false alarm rate [19]. Third, the hybrid technique attempts to combine the previous two techniques to overcome their limitations [16].
Successful fraud detection must include an examination of business processes to identify the potential origins of fraud [20]. Business processes are the core of business process management (BPM), which is a management discipline that uses business processes to implement organizational strategy [9]. It is a management discipline that requires continued focus, and often, significant changes in management style [9]. PBF detection metrics form the intersection between fraud risk management and BPM, as reflected in the bidirectional arrow mentioned in Fig. 1. The use of such metrics is common in fraud risk assessment and process monitoring and control 2 which are elements of fraud risk management and BPM, respectively.
Fraud detection can be achieved using a taxonomy to predefine initial fraud schemes [1], [21]. A taxonomy is a set of dimensions, each consisting of a set of mutually exclusive and collectively exhaustive characteristics [22]. A taxonomy of fraud detection metrics for business processes was proposed 2 Performance measures are usually identified during the process analysis phase of BPM. In some cases, they are identified during the process identification phase [8]. Moreover, business process measures can be classified as measures for business process models and execution [63]. Since fraud detection is the goal, this study focuses on measures executed in the process monitoring and control phase to determine how well the executed processes work with regard to the chosen measures [9].
in [13], as depicted in Fig. 2. The taxonomy provides a holistic view of fraud detection in business processes. It consists of the dimensions examined in the following subsections.

A. Fraud Domain
This dimension covers the application domain of fraud detection. Knowing the fraud domain is crucial in the detection of fraud because it allows an understanding to be gained of the problem domain [23]. In addition, specific fraud, which is particular to certain domains, exists, and these cases require special handling. This dimension contains two characteristics:  General: Describes all metrics that can be used in any application domain.
 Specific: Covers a particular application domain, such as finance.

B. Fraud Data Scheme
This dimension covers all the potential fraud schemes in the data. Fraud data schemes provide a list of possible data schemes used for committing fraud, which means that understanding them is critical for detection. This dimension contains the following data schemes:  Anomalous: Covers any data that can be characterized as ambiguous or exceptional (e.g., too long, too short, excessive, and outliers).
 Discrepant: Describes inconsistent data (e.g., the conflict between input and output, and between past and current).
 Missing: Covers insufficient and absent data.

C. Presentation Layer
This dimension aims to examine all layers of the business processes, as illustrated in Fig. 3. 3 The layers are essential for detecting fraud because every layer can give specific auditing information [24]. Additionally, some fraud cases do not become apparent by looking at a single layer. The dimension contains the following characteristic layers:  Process map: Gives an overview of all business processes and determines their relationships. The process map also contains aggregated data on all business processes in the organization. It is useful for planning fraud detection in business processes.
 Process stream: Offers a greater level of detail compared to the process map. It helps set the scope by focusing on a collection of processes that form a specific (and usually vital) business cycle, such as the purchase-to-pay cycle. This layer allows fraud examiners to aggregate data on a particular business cycle.
 Process model: Represents a single business process, such as the payment process. It provides more detail on the structure of the process, its controls, activities, and actors. This layer contains aggregated data on many instances of a specific business process.
 Process instance: Depicts the details of one particular instance of a process model. It contains concrete data on one specific business process instance, such as payment instance number 123.
 Process activity: This is the lowest layer in the presentation layer dimension. It can be considered an element of the process instance layer with a particular focus. It gives concrete data with more detail on a specific activity in a particular process instance, such as approval activity.

D. Process Perspective
This dimension looks at business process from various angles because, for successful fraud detection, it is necessary to examine all aspects of business process [20]. This dimension contains the following characteristics:  Time: This perspective regards business process's time (e.g., throughput time, actual processing time, waiting time, and deadlines).
 Function: This perspective is concerned with the implementation of the activities in business process (e.g., work frequency, work sequence, work decision, process steps, and process control flow).
 Data: The data perspective covers all the data that are entered, consumed, and delivered by business process (e.g., process objects).
 Resource: This perspective involves all the actors that interact with business process, including customers, 3 For more information, see [13], [24]. software, business role, business units, suppliers, and employees.
 Location: This perspective is concerned with the location of business process's execution.
The results of the literature review on PBF detection metrics 4 are summarized in Fig. 4 in the form of a literature map [11]. The literature map illustrates the topics relevant to fraud detection metrics in business processes, as well as the frequency of their recurrence in the literature. Omair and Alturki [11] demonstrated that, at present, the explicitly defined PBF detection metrics, which are listed in Table Ⅰ, do not adequately address the essential conceptual perspectives of business process.
Combined metrics and process mining can improve fraud detection [25]. Process mining is a methodology that aims to discover, monitor, and improve real processes by analyzing their event logs [26]. It connects model-based process analysis (e.g., simulation) and data-oriented analysis techniques (e.g., data mining) [27]. Process mining associates the actual processes with their data and the process models [28].
Process mining has been successfully applied to detect fraud [23], [29]- [31]. It can reveal fraudulent transactions that cannot be detected using traditional audit methods [29], [32], [33]. Relying on measurements of throughput processing (not just measurements of the input-output relation), process mining can identify a problem's root cause. This involves identifying the process model, and, subsequently, the performance of the process [34].
Using process mining to detect fraud has many advantages. Since event logs are automatically logged in most existing systems [35], it is possible to save time and effort, and to improve detection accuracy by taking real and complete data as opposed to samples [36]. Also, reading from event logs ensures independence from human intervention, which guarantees unaltered and error-free data [37]. According to the ACFE report [2], the median time for detecting fraud is 14 months. During the interval between occurrence and detection, the most significant financial losses tend to occur. However, using online process mining solutions can change this reality [38].  4 For the complete literature review and analysis, see [11].

Process map (aggregated data)
Process stream (aggregated data) Process model (aggregated data) Process instance, including process activity, (concrete data) 573 | P a g e www.ijacsa.thesai.org  Not executing an activity that is prescribed in the standard operating procedure (SOP). The skipped activity is either a routine activity or a decision activity [42].

Wrong resources
The activity is performed by an actor who is not defined in the SOP.
[7], [30], [31], [42]- [46] 3 Wrong duty The same actor executes different activities, which should require different privileges. This includes "wrong duty sequence" in the sequence activity, "wrong duty decision" in the decision activity, and "combined wrong duty", a combination of wrong duty sequence and wrong decision sequence [42].

Wrong decision
Decision activity execution is a deviation from standard decision execution, as stated in the SOP.
[7], [30], [31] Process mining anomaly techniques include control flow analysis, role resource analysis, throughput time analysis, and decision point analysis [39]. The study undertaken by [4], which proposed a process mining method for PBF detection, suggested the concept "1 + 5 + 1", which includes (1) log preparation; (5) (a) log analysis, (b) performance analysis, (c) social analysis, (d) conformance analysis, (e) process analysis; and (1) refocusing and iteration. A combination of the red flag approach (i.e., metrics approach) and process mining were proposed in [25] to reduce the false positive rate in detecting fraud. The method connects the red flag approach with process mining by using the red flag to present unusual behavior, whereas process mining involves visualizing the business process flow. In [40], a validated method, based on the most accepted lifecycle model for the implementation of the process mining project [41], was proposed for an application in auditing information systems. It used process mining as an expert system engine to address the limitations of other auditing methods involved in fraud detection, including sampling, due to questionable effectiveness as they lack automation and have a narrow scope.

III. METHODOLOGY
In her remarkable and exceptional work, Gregor [47] explained information systems (IS) theories in terms of five types: analytic theory, explaining theory, prediction theory, explaining and prediction theory, and design and action theory 5 Taxonomy is a taxonomic theory and can be classified as an analysis theory [47]. Analysis theories define or classify specific dimensions or characteristics of individuals, groups, situations, or events by describing the shared features found in discrete observations [47]. These theories answer what questions, and they are used as a foundation for developing more advanced theories, as shown in Fig. 5 [47], [48]. The DSR methodology can be used to conduct research when the desired goal is an artifact or a recommendation [49]. DSR artifacts are classified into constructs, models, methods, and instantiations [50]. The developed PBF detection metrics are subsumed under the method artifact type [51]. This study aims to design an artificial (i.e., human-made) artifact (i.e., PBF detection metric), which fits well within the DSR 5 For more information, see [47].  [52]. Furthermore, the pragmatic viewpoint of DSR, which confirms the inability to separate utility from reality [49], is suitable for the nature of the activity of PBF detection.
Following the DSR paradigm, the taxonomic theory [13] was used in this research as the foundation for deriving PBF detection metrics. The taxonomy [13] was developed using DSR's build/evaluate cycle [52], which led to the definition of the building blocks of PBF detection metrics by implementing the method of Nickerson et al. [22]. Since taxonomy can be used as a foundation to produce new knowledge [22], [47], [48], [53], the taxonomy of fraud detection metrics for business processes [13] was used deductively to develop the PBF detection metrics (i.e., the taxonomy's objects). Adapting [54], the following steps were taken to develop the metrics:  Define the measured entity in the study, namely, business process.
 Specify the attributes of the defined entity (i.e., business process), which are already developed by the taxonomy (i.e., the taxonomy's dimensions and characteristics) [13].
 Define the metrics by matching the attributes of the defined entity.
Theoretical validation of the developed metrics can be achieved through the use of a validated taxonomic theory [13]. In addition, in order to evaluate the utility of every developed metric, an illustrative scenario was used [16]. Lastly, an implementation was provided to explain the metrics technical application.

IV. PBF DETECTION METRICS
Using the taxonomy of fraud detection metrics for business processes as the underlying theory [13], PBF detection metrics can be derived by matching the characteristics of the taxonomy's dimensions. Selecting the matched characteristics depends on the application domain, project scope, and the case situation. However, general PBF detection metrics can be developed by matching the selected characteristics from the process perspectives, presentation layers, and fraud data schemes dimensions. 6 7 Table II shows the derived list of PBF detection metrics, including the metric's ID, name, description, and the illustrative scenario. The generally derived PBF detection metrics covered all the dimensions of PBF detection (i.e., full-dimensional metrics), as stated in the taxonomy of fraud detection metrics for business processes [13]. The execution time of the approval activity in invoice XYZ is not valid. 6 Other metrics can be similarly developed by matching the selected characteristics that should be specified for every project. 7 The selected characteristic of the fraud domain dimension is general. This is because the scope of the developed metrics does not focus on a specific fraud domain. The payment instances are more than the invoice instances as processes in the order-to-cash stream; however, they should be the same.

22
Wrong activity data Indicates whether the data produced or consumed by the process activity are incorrect.
The attached document in activity XYZ at invoice A is invalid.

23
Missing activity data Indicates whether the data produced or consumed by the process activity are missing.
The signature data in activity XYZ of invoice A is missing.

24
Discrepant activity data Shows whether the data produced or consumed by the process activity are inconsistent.
The attached form in the activity XYZ at invoice A has a signature date that follows the activity date.

Discrepant instance data
Shows whether the data produced or consumed by the process instance are inconsistent.
In an invoice instance, the input data of activity B does not match the output data of activity A, though they should be equal.

Discrepant stream data
Indicates whether the data produced or consumed by a process stream are inconsistent.
The total amount of orders and the total cash received as processes in the order-to-cash stream should be equal but they differ.

27
Anomalous activity data Shows whether the data produced or consumed by the process activity are suspicious.
The activity XYZ has unnecessary recorded data (maybe to complicate the auditing process).

Anomalous instance data
Indicates whether the data produced or consumed by a process instance are suspicious. Two processes that are usually executed in the same place in the orderto-cash stream were executed at different locations.

41
Missing activity location Shows whether the process activity's location is missing.
The execution location of activity XYZ in a payment instance is not specified.

V. IMPLEMENTATION
Based on [25], [40], [41], as well as the taxonomy developed in [13], a method can be proposed for implementing PBF detection metrics. The method uses data and process mining to ensure an effective PBF detection process. Both techniques are used to detect fraud in business processes [45], [55]. Although data mining and process mining share many features, the key difference is that data mining aims to discover previously unknown and interesting patterns in the datasets, while process mining focuses on finding process relationships [28]. Thus, data mining techniques for detecting fraud are usually unsuitable for analyzing the behavior of control flow in a business process [39]. However, process mining can be used to assess the control flow of a business process [56] and to analyze process performance, event sequence, and process roles [57]. Still, process mining focuses on the control flow of transactions [56] and not on process content (e.g., transaction value). Therefore, data mining and process mining are both needed.
Real data [58] on purchase-to-pay process events in a multinational paints and coatings company were used for implementation. 8 The implementation method is illustrated in Fig. 6 and described in the following steps: www.ijacsa.thesai.org Fig. 6. Implementation Steps. Adapted from [25], [40], [41].
Stage 0: At this stage, the scope and aims should be defined after establishing a thorough understanding of the application domain. This includes understanding the business process, identifying the theoretical existence of fraud schemes, cataloging all potential fraud methods and red flags 9 , defining the general multi-dimensional metrics by using the taxonomy, and defining specific multi-dimensional metrics for the selected fraud schemes and methods. Every metric may include a metric formula, data source, metric description, data update frequency, metric unit, threshold or compared value, related fraud scheme, and fraud method or red flag.
In this implementation, the aim was to detect fraud in the purchase-to-pay process by examining execution deviations. The scope was determined based on the following dimensions and characteristics of the taxonomy of fraud detection metrics for business processes [13]:  Fraud domain: In this implementation, the purchase-topay business process was selected. Thus, {specific: finance and general} were chosen as the fraud areas for the implementation because general PBF detection metrics are also used.
 Presentation layer(s): {process stream, model, instance, and activity} were selected to satisfy the aim. However, the process stream layer was not included in the implementation due to missing data.
 Process perspective(s): {time, function, data, and resource} were selected. Location perspective data are not available. However, depending on the case situation and data availability, it may be useful to include all process perspectives. 9 Red flags are signs of potentially fraudulent behavior [62].
 Fraud data scheme(s): To specify critical data schemes that can effectively detect fraud in this implementation, {anomalous, discrepant, missing, and wrong} were selected. The selection of the fraud data scheme characteristics was based on the case situation and the quality of existing data. However, if possible, it is always useful to include all fraud data schemes.
The selected dimensions, along with their characteristics, ought to assist in developing the predefined metrics. Fraud examiners can also add more useful metrics based on their experience. In this implementation, the generic and specific metrics defined in Appendix A are used based on the case situation and the existing data. 10 The specific multidimensional metrics for the fraud schemes and fraud methods are defined based on the common fraud schemes appearing in the fraud tree [10]. 11 The fraud tree was selected for the following reasons: (1) it represents a comprehensive classification of the most common occupational financial fraud schemes; and (2) it is developed by a standards organization (ACFE).

Stage 1:
At this stage, all the useful process data for detecting PBF should be collected. Examples of data that should be collected are the past audit reports, process events log, and process model, as depicted in Fig. 7 [59]. This model is referred to as the de jure model, which represents the desired, ideal, or required process. 10 Sound knowledge of business rules is valuable in defining effective metrics. 11 For more information about the fraud tree, see [10].
•Define the aim and determine the scope, drawing on the taxonomy dimensions to select which characteristic(s) to include in every dimension. •Establish predefined PBF detection metrics.
Stage 0: Justify and plan •Gather related process data such as past audit report(s), de jure model, business process blueprint, data about the domain under analysis, historical and / or current log data, or any other useful data for understanding.

Stage 1: Extract data
•Build the real process model with general statistical information about instances, acivities, and different sequences. Furthermore, the predefined PBF detection metrics are used to build business intelligence dashboards.

Stage 2:
Using the process mining discovery technique, the de facto model with general statistical information was constructed as shown in Fig. 8. The de facto model describes reality with potential violations [60]. It was implemented using the Celonis process mining software. 12 It is possible for the auditor to analyze differences between the de jure and de facto models in order to detect fraud [33].
Moreover, the predefined metrics were represented on dashboards, as shown in Appendix B. In this case, the Celonis process mining software was also used. Process. 12 See www.celonis.com Stage 3: This stage involves enriching the de facto model based on the process perspective characteristics selected in stage 0, as shown in Appendix B. In addition, the de facto model is linked to the dashboards that are used to represent the predefined metrics using Celonis process mining software.

Stage 4:
Conformance checking and process deviation analysis should be applied to combine misuse-based techniques and anomaly-based techniques. The misuse-based technique is implemented by creating dashboards that leverage business intelligence (BI) techniques for the predefined metrics, while the anomaly-based technique is implemented using the conformance checking technique.
Conformance checking is used to compare the business process with its SOP [30]. This is relevant to auditing [40] because it can detect, locate, and explain the deviation from the behavior expected in business process [56]. It helps detect the occurrence of event skipping and enables analysis of the flow of the business process [30]. Using conformance checking to classify standard and non-standard business process variants can assist in detecting potential risks [33].
A process variant is a single path (i.e., routing) that is followed by at least one business process instance [33]. All business process instances that follow the same path are grouped into the same variant [33]. Thus, it is possible to examine process variants to find out all business process instances that are in non-standard paths [33]. In turn, each process variant can be prioritized using the metrics, thereby reducing the rate of false positives in detecting fraud [25]. Reducing false positives saves time and cost [61].

Stage 5:
In this stage, the fraud symptoms should be investigated with domain experts to confirm the presence or absence of fraud [25].

VI. RESULTS AND DISCUSSION
Using the enriched model in stage 3, the conformance checking procedure was applied to extract non-conformances that form potentially fraudulent cases. The findings of the conformance checking revealed that there were 431 process flow variants (control-flow perspective). The number of variants is usually large because the process should be flexible to meet all business needs. Thus, the use of metrics as filters is essential to save time and effort, and to discover new signs of fraud.
Using the enriched model assists in fraud detection without the influence of the fraud examiner [40]. Moreover, using the predefined metrics in stage 0 ensures the accuracy and comprehensiveness of fraud detection. This is because the www.ijacsa.thesai.org predefined metrics can be used to detect fraud in the content perspective (not just the control-flow perspective) of the business process.
The combination of visual analytics and process mining can help to identify data integrity issues such as missing, nonconforming, or anomalous activities undertaken by a privileged user, or those with suspiciously short execution times [56]. Furthermore, applying the metrics using process mining reduces the number of false positives in fraud detection [25]. Thus, conformance checking and process deviation analysis are used to detect PBF [62].
In Appendices A and B, the implementation screens and results are provided. Each implementation screen serves as a link between the process flow view and the data view to present a complete view. The results show that 13 metrics produced results that should be investigated.
This implementation shows that the developed metrics can be used in the following ways: (1) directly, thereby conserving time and effort; (2) as a template, thereby facilitating the definition of other metrics and ensuring consistency among PBF detection stakeholders; and (3) to determine the implementation scope. Additionally, the developed metrics are process-oriented metrics that can measure throughput processing, as opposed to just measuring process input-output relations. This helps to detect and predict fraud, with its root cause, in its initial stages.

VII. CONCLUSIONS
This study sought to develop a comprehensive list of fraud detection metrics for business processes. A taxonomy of fraud detection metrics for business processes was used as a "building" theory to generate all possible metrics for detecting fraud in business processes. Compared to the 8 existing PBF detection metrics, 41 comprehensive metrics were developed, classified, and demonstrated. These metrics cover each of the PBF detection dimensions that are not entirely (e.g., presentation layer) or partially incorporated into existing PBF detection metrics. Additionally, their applications were demonstrated by using illustrative scenarios. Finally, their technical implementation was explained by providing an implementation that offers an accurate and comprehensive view for PBF examiners.
The study's contributions to the literature are twofold. First, the study offers improved DSR artifacts (i.e., the developed metrics and their implementation method), which can enhance the ability to detect PBF. Second, the study enriched the construction of the taxonomic theory [13] (i.e., by leveraging the taxonomy for a purpose beyond analysis). This is a step toward developing advanced theories such as design and action theory. The study also is relevant due to its practical contribution in improving PBF detection in the workplace. PBF stakeholders can improve their practices by using the developed PBF detection metrics to bolster their effectiveness.
The limited availability of data on fraud is one of the limitations of this study. This relates to the fact fraud is a sensitive topic in public discussion, and so it is not an issue spoken about openly. However, the data issued by standard-setting organizations such as the Committee of Sponsoring Organizations (COSO) 13 and the ACFE can mitigate this limitation to a certain degree. Nevertheless, the data from these organizations are mainly from the finance domain. In addition to these limitations, reviewing the metrics results with domain experts (i.e., the investigation step) is needed to confirm fraud cases. However, the scope here is specified to detect possible PBF.
Extending and validating the metrics in other domains (e.g., the telecommunications sector) is suggested as a possible direction for future research. In addition, case studies within organizations, which prioritize the use of the metrics in their specific context, are suggested. Linking each metric to a full list of possible deviation patterns is another worthwhile research opportunity. For example, the wrong instance function is a suitable metric that can be linked with deviation patterns such as looping, swapping, and inserting activities in the process model.

Metric description
The metric checks if the execution times of (first) "Record Invoice Receipt" and (first) "Clear Invoice" are the same, and it also checks whether "Create Purchase Order Item" activity occurred at the same time as "Receive Order Confirmation"

Metric description
By using "Anomalous instance function", this specific metric can be defined, which checks activity frequency for "Cancel Invoice Receipt" to determine whether it occurs more than once. This is because fraud may be undertaken by creating fake invoices (e.g., to increase expenses for any reason), which are canceled at a later date.

Metric formula
Result 0