Development of an IT-supported Anti-Fraud-Framework for SMEs: An Architectural Concept for Risk Management Using the ‘Man-Technology-Organization’ Approach

Michaela K. Trierweiler
Johannes Kepler University, Altenberger Straße 69, Linz, 4040, Austria

7th International Workshop on Socio-Technical Perspective in IS development (STPIS’21), October 11th-12th, 2021, Trento, Italy
EMAIL: mkt.jku@gmail.com (Michaela K. Trierweiler)
ORCID: 0000-0003-3016-9889 (Michaela K. Trierweiler)
© 2021 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (CEUR-WS.org), http://ceur-ws.org, ISSN 1613-0073

Abstract

Small and medium enterprises (SMEs) are an important economic factor in many countries. In the European Union, they represent the majority of companies, provide two thirds of all jobs, and drive a lot of innovation. This makes them attractive for perpetrators of fraud; limited resources in terms of money, staff, and IT knowledge make them vulnerable. This research deals with the question of how to minimize fraud as a specific risk to SMEs. In concrete terms, it sets out how a framework should look and establishes the guidance that should be given in the context of fraud prevention. This study is set up as a design science research project with the aim of producing a concrete framework as a solution and contributing artifact. Previous research shows that there is a gap in academic research regarding fraud prevention concepts tailored to SMEs. This assumption seems valid, as an integrative literature review revealed only a few appropriate papers plus a great deal of non-academic or semi-academic literature. In particular, information systems research is underrepresented in this area. Existing SME-related fraud prevention frameworks concentrate more on internal fraud risks than on fraud committed by external parties, such as cybercrime. This suggests that a comprehensive fraud prevention concept is missing for SMEs and is worthy of being developed, especially considering that any enterprise is a socio-technical system. Keeping in mind that such a framework must be generic enough to cover different fraud risks and company situations while also giving concrete advice, this research applies domain-specific modeling principles to find the best notation and style of presentation. This work-in-progress paper proposes a preliminary architectural model for a new fraud prevention concept suitable for SMEs.

Keywords
fraud prevention, framework, SME, MTO, risk management, socio-technical system, design science

1. Introduction and Research Scope

Small and medium enterprises (SMEs) are considered to be the engine of many economies. In the European Union, nine out of 10 enterprises are SMEs and they generate two thirds of all jobs [1]. SMEs drive innovation and are seen as a key factor in driving competitiveness and employment. Therefore, they are lucrative targets for criminals [2]–[6]. Analysis of the fraud situation in SMEs (as recorded by the Association of Certified Fraud Examiners in their bi-annual Report to the Nations) proves the importance of fraud prevention for SMEs. Over the last several years, they were the most common victims of fraud, with an approximate share of 30%. Since 2018, SMEs have suffered the highest financial losses and thus the biggest negative impacts compared to companies of other sizes [4], [7], [8]. In addition, SMEs face different fraud risks than those faced by larger companies [8]. Therefore, they need different fraud risk management concepts (or at least tailored countermeasures) that are suited to the personnel resources, organization, and technical possibilities of SMEs.

In legal terms, fraud is part of the field of white-collar crime.
The main elements are intention, deception, and damage to another party in the sense of financial loss (see, for example, §263 and §263a of the German criminal law [9] or §146 of the Austrian criminal law [10]). The bandwidth of white-collar crime is huge and includes both delicts that harm a company directly (such as paying too much salary) and delicts that may seem beneficial for a company at first glance, such as corruption to gain a large and profitable deal [11].

In 2007, Joseph T. Wells developed a classification system for occupational fraud and abuse in business contexts that is known as the fraud tree [12]. This system covers most kinds of misconduct by executives, managers, and employees [13]. The model has been refined over the years and is now considered to be one of the state-of-the-art fraud definition concepts. All types of fraud considered in this taxonomy could be summarized as non-compliant and undesired behavior because they harm either an organization [11] or an individual.

The existing literature discusses different fraud theories and concepts about the facilitators of fraud. Although very different fraud models have been developed in recent decades [14], the widely accepted perception follows the approach of Cressey, developed in the 1950s, where three critical elements must apply: incentive/pressure, opportunity, and attitude/rationalization [13]. This concept, known as the fraud triangle, was further developed by Wolfe and Hermanson [15] by supplementing a fourth dimension and is now commonly known as the fraud diamond. The added fourth dimension of capability (defined as intelligence, creativity, and experience [13], [15]) could be interpreted in the sense of technical and computational skills. It is therefore relevant when considering cybercrime and IT-based fraud. In recent research, such as [16]–[20], a fifth dimension of arrogance is discussed, along with its impact on fraud management. This leads to an approach named the fraud pentagon.

Fundamentally, small companies are more likely to lack internal controls [4], have no proper risk management systems in place, and lack staff in IT functions, because the focus of employment lies in staffing the core roles and functions that are critical for running and developing the business. Micro SMEs [21], defined as those that have fewer than ten employees, have a very flat organizational structure and often combine functions in one role. This makes active fraud prevention (or even a simple thing such as the four-eyes principle when signing documents or releasing payment requests) difficult to establish. In SMEs, a compliant corporate culture, including fraud prevention and detection, is usually practiced by example or just because it is seen as commonly accepted good manners. It is seldom methodically established as a part of enterprise risk management. The most well-protected and legally regulated area is accounting because this is the most lucrative part. Besides accounting fraud (e.g., fraudulent statements) there are many other forms of occupational fraud, such as identity theft, bribery, asset misappropriation, and corruption [12]. The existing fraud risk situation is currently fostered by the COVID-19 crisis: the sudden rise of rapidly implemented information and communication techniques (ICT) makes it easier for fraudsters to attack [22], and a significant increase in cyber fraud, payment fraud, or identity theft [23]–[27] is projected.

Increasing digitalization, and the omnipresence of apparently straightforward IT tools such as email programs in daily business transactions, results in a reciprocal relationship between IT and fraud prevention. IT tools are often vectors for fraud attacks (e.g., email phishing attempts); on the other hand, specific software and hardware tools, real-time or big data analytics [28], [29], or even AI [30] can help to prevent and detect fraud.
However, highly technological or ERP-based measures are seldom used in SMEs. The literature review reveals a lack of discussion of IT-related fraud prevention measures, which is notable considering the importance of IT in today’s business world. Many researchers focus on organizational measures and do not deliver comprehensive guidelines or pursue a generalized research approach. Furthermore, in many cases, research in this area is neither related to information systems (IS) research nor considers fraud risk as a problem in an enterprise that has an ICT landscape embedded within a socio-technical business environment where people and technology work jointly together.

This research aims to contribute to filling this gap through a design science research project. The project is set up in three major stages, starting with an integrative literature review to examine the state of existing research and to build a knowledge base. This is followed by designing an alternative fraud prevention concept as a new artifact that overcomes potential limitations found in existing concepts. The research concludes with an evaluation based on piloting the new framework in some SMEs and gathering feedback in terms of understandability, complexity, and integration in order to refine the framework to its final state.

Based on the assumption that bigger companies have a greater need for fraud prevention than smaller companies (as well as more workers and resources with which to establish anti-fraud controls and countermeasures), the following research questions (RQs) have been defined:

RQ 1. What kinds of SME-tailored fraud management frameworks can be found in the existing literature? What fraud types do they consider and how are IT-related fraud risks discussed?
RQ 2. What does an IT-supported fraud prevention framework need to look like in order to fit into an SME, cover the individual fraud risk, and consider the given resources? What IT security concepts can be applied to such a new framework as an artifact to be created?
RQ 3. How does this newly developed IT-supported fraud prevention framework perform in different SME contexts? Where are the limitations of the framework and what adjustments are necessary?

This research contributes to the existing field in two ways: first, it bridges epistemic research and applied sciences by creating a new artifact; second, this artifact supports practitioners in SMEs in minimizing fraud risks in their individual contexts. This new approach is based on the man-technology-organization (MTO) concept of Strohm and Ulich [31]. An effective anti-fraud management system is a socio-technical system in the sense that it requires collaboration between technology (e.g., IT security aspects), organizational procedures (e.g., the four-eyes principle), and workers (e.g., awareness training and ethical culture). Therefore, a new framework must be comprehensive, science-based, compatible with SMEs’ fraud risk needs, and understandable for non-academics. This objective has a major influence on the design and notation used for describing the new framework model. The relevance and benefits of such a framework are based on the fact that SMEs have limited know-how on such controls; they could easily lose reputation and money in the event of fraud. Existing IT frameworks are often very complex and do not meet the requirements of SMEs or are beyond the knowledge base of SMEs. Therefore, more practical and tailored guidance is required. The present work-in-progress paper describes the development and evaluation of a new concept and proposes a preliminary architectural draft for an SME-appropriate fraud prevention approach that includes IT-related risks and countermeasures.

2. Methodology and Research Design

This section describes the methodologies used in the present research.

2.1. Literature Review

The literature review in the context of this research fulfilled three aims.
The first aim was to establish the current state of academic research and to find potential existing frameworks. The second aim was to verify the gap-spotting approach in terms of clarifying the research focus and to define the research entry point for the design science procedure. The third aim was to find the best resources in order to design a new framework for a universal fraud prevention concept for SMEs.

An integrative literature review was performed in several stages, starting with the application of structured literature review principles as suggested by Kitchenham [32], Massaro et al. [33], and Fink [34] using three academic databases (Compliance Digital [German language], EBSCOhost, and Scopus). Strict search strings were used (containing “fraud | framework | SME”) to find peer-reviewed research papers. The number of results was very small, which suggested a gap in research. To clarify this outcome and to obtain robust results for the definition of the academic resource pool, a second round of systematic searching was performed. In this round, the search strings were more generic and additional databases (IEEE, ResearchGate, Academia) were used along with snowballing and free searches. After this second round, the literature review showed a gap in terms of academic research in the field of fraud prevention frameworks for SMEs. It also revealed a large amount of case-descriptive or consultancy-related literature. Based on the search strings used, 736 hits were found; after reading titles and abstracts and skim-reading the text, only 33 items were found to be relevant. The third aim in particular, building an adequate resource pool as a baseline for the design phase, required including more of the practitioners’ view (reflected in textbooks) and adding non-academic (so-called grey literature) works as well. The final source pool consists of 61 items. These sources were assessed according to guidelines from Snyder [35] and Garousi et al. [36].

Four academic works were excluded because of their poor empirical base, one journal article was not available, one publication was a duplicate based on the same research, and one of the grey literature items was excluded due to its missing contribution to my research. Consequently, the final core pool of literature consisted of 54 items that were screened and classified according to the following criteria:

• Schematic allocation of relevant keywords (define scoping and relevance of each source)
• Geographic coverage (check transferability to the European economy)
• Empirical base (decide on the meaningfulness of the scientific work)
• Qualifiers for content (e.g., what the source discusses)
• Qualifiers for intended use during the further research steps.

The geographical coverage of the sources (generic, North America, and Asia) suggested the need for adaptation before transferring them to European requirements, because economic situations differ. The small number of design science approaches showed that there was a lack of concrete frameworks. The quantitative analyses carried out by some researchers were often based on a small number of valid answers (with N ranging from 37 to 250). This low empirical base and evidence needed to be considered when adapting information to the present research. In terms of content, most of the papers related to the search term “fraud and SME” contained descriptive statistics about the fraud situation in certain countries or business areas. However, they did not give a holistic prevention approach that included IT-supported prevention measures. Most of the sources concentrated on organizational or internal control aspects. These sources were used in the present research for problem statements or for explaining important background aspects.
Sources that mention a concrete framework or guideline often referred to existing frameworks, such as Internal Control – Integrated Framework, published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO-2013) [35]. Many other authors have used COSO-2013 as justification for their own introduction or problem statement. The concentration on accounting fraud (or other very specific fraud types such as payroll fraud or employee fraud) indicated a lack of research in handling certain fraud types (especially IT-related or cybersecurity-related fraud attempts). The concentration on specific industry sectors also suggested a missing holistic or universal approach. To summarize, the fact that only a limited number of scientific papers and sources deal with all three scope criteria (fraud, framework, and SME) indicated a gap in the academic discourse in that area. Because of this small scientific base, grey literature and textbooks from fraud prevention or auditing experts were added to the information pool for this research (always keeping in mind that such texts are often written in the context of the Anglo-American economic situation). In addition, established frameworks from other disciplines will be analyzed to find useful concepts to be transferred into the present approach during the design phase of this research.

2.2. Design Science Research Concept

In order to design a framework model in a structured way, this research project is conducted by following the design science principles of Hevner et al. [36] and the design science process model (DSPM) from Peffers et al. [37]. The final artifact will obtain proof-of-concept during the evaluation phase in a specific SME context that is yet to be defined. The socio-technical approach is in line with Hevner’s [38] three-cycle view of design science as reflected in the relevance cycle connecting the environment with the designing phase.
Six fraud management frameworks dedicated to SMEs were found during the literature search. This information defined the entry point of this research as an objective-centered solution. This entry point enables the planning of a new (or improved) prevention framework. It was necessary to analyze and compare existing anti-fraud frameworks in order to identify gaps and add missing technology and aspects. Useful content could be found by evaluating well-established auditing frameworks such as the Sarbanes-Oxley Act (2002) or the US National Institute of Standards and Technology (NIST) cybersecurity framework (2014). The framework developed in this way is the artifact in the sense of the design science approach. Regarding the nominal process sequence, Table 1 shows the six stages of the design science process model (DSPM) plus an iteration, and briefly states how each stage relates to the present research work.

Table 1: Relationship of the DSPM Sequence [37] to the Present Research

Stage of DSPM: Relationship to current research

Identify Problem/Motivation: Fraud is a white-collar crime and entails the risk of losing money and reputation; thus, fraud prevention is relevant for enterprises of all sizes. SMEs are increasingly affected. Currently, there are only a few non-holistic fraud prevention frameworks that are dedicated to SMEs.

Define Objectives of the Solution: As part of enterprise risk management, fraud prevention measures could be transferred from existing fraud-fighting concepts and from other areas such as IT security or generic compliance recommendations. These must be tailored to the needs and resources of SMEs. Such a framework must contain concrete measures, checklists, and action plans outlining the steps an SME should take against different types of fraud within their industry. (This phase contributes to answering RQ-2).

Design and Development: The notation of this framework will apply domain-specific modeling principles. It must be understandable for scientists and practitioners. The architectural structure is presented with this paper. (This phase contributes to answering RQ-2).

Demonstration: A conceptual model and drafts will be presented at relevant conferences and in discussions with practitioners (e.g., compliance managers) from the business network (expert evaluation). (This phase contributes to answering RQ-3).

Evaluation: The core evaluation is planned as a pilot implementation with two SMEs of different sizes and from different industries. The aim is to get a real-life proof-of-concept for completeness, practicability, and understandability. Such an evaluation is an interactive method and requires collaboration between the researcher and the piloting company. Therefore, the method of action research seems to be the best approach. A second, more theoretical approach is to apply an SME-related IT security maturity model to evaluate the feasibility of an IT-supported fraud prevention framework. (This phase contributes to answering RQ-3).

Process Iteration: The feedback from the demonstration and evaluation phases will be used to rework and refine the artifact.

Communication: Communication is planned in the form of a scholarly publication and a professional publication (textbook). Parts of it will be written bilingually in German and English to allow access by a broader audience.

2.3. Evaluation of the New Framework in Certain SME Contexts

Once the new framework is created, an evaluation will be required to ensure utility, efficacy, understandability, and completeness. This evaluation will also identify potential limitations. Some literature [39]–[41] suggests different methods suitable for evaluation purposes in design science research contexts; these include benchmarking, expert evaluation, experiments, action research, prototyping, and case studies. Several strategies for selecting the appropriate method are proposed by IS researchers [42]–[44].
These take into consideration aspects of risk, effectiveness, efficacy, and technical aspects with the aim of evaluating how well the artifact performs. After comparing possible evaluation methods by their intended use, the concept of action research seems to be the best approach for this current research because it allows a practical problem to be solved through the joint cooperation of science and practice [45], [46]. The latter, in this context, would be an SME willing to pilot, implement, and utilize the new framework. In contrast, a case study approach [47] does not seem to be suitable in this research because no hypothesis with variables about an individual or single existing phenomenon is to be validated. The aim of this research is to test the artifact implementation in a real-world situation, which results in a concrete and tailored instance of the framework for the piloting SME.

Action research can provide scientific knowledge but also improve organizational problems where some technology is adopted or even built from scratch, supported by state-of-the-art corresponding know-how [48]. Action research is an interactive method that considers both the practical concerns of people working with the framework and the goals of the researcher in order to obtain feedback on how the artifact performs; it is set up as an iterative process [49]. The cyclic approach of action research was interpreted by Checkland as an approach where the researcher is interested in a certain research theme that is related to a real-world problem situation and where the researcher participates in the situation (consultancy to the piloting SME during implementation) to enable reflections that will lead to findings related to the research theme [50]. This approach seems suitable for the present research because the framework of ideas (the new artifact), the methodology, and the area of concern are defined in advance.

Regarding the answer to RQ-3, proper planning and acquisition of piloting SMEs is necessary. The approach in this study is to present, discuss, and implement the new fraud prevention framework in two piloting SMEs of different sizes and in different industries. Potential partners will need to come from very different areas in order to obtain diverse feedback regarding understandability, comprehensiveness, and applicability (in the sense of implementing the framework while running the daily work without interfering with current business processes). The intention is to pilot the framework with a small SME with fewer than 20 employees and a medium-sized SME with more than 100 employees [21]. The different numbers of employees impacted by the framework will allow conclusions to be drawn about the practicability of the framework and the impact on given resources. In terms of industry sectors, the aim is to run one pilot implementation in a more technology-oriented company (such as a software development company with a high level of digital maturity) and to perform a second evaluation in a more traditional industry. This will test the applicability of the prevention framework for different types of fraud risks. If the framework is suitable for very different company situations, this may indicate that it provides a generic prevention concept that could be applied to various SME situations. Feedback about applicability will be captured by interviewing the piloting companies about their experiences during the implementation phase and some months afterwards in order to gather feedback about its usability during daily work. Finding piloting partners may be difficult because the SME must see clear benefits in undertaking the effort of such a scheme. Therefore, this research will be supported by presentations and through discussion of the framework with experts from related domains (such as compliance, auditing, and IT security).
In addition, a theoretical evaluation will be conducted by applying digital maturity models to the framework in order to address the question of which IT prerequisites an SME must have in order to implement such an IT-supported fraud prevention framework, especially if the SME does not have its own dedicated IT or security department but needs to implement dedicated software and other IT-related tools to be better protected against fraud attempts.

2.4. Notation of Framework: Use of Domain-Specific Modeling Principles

After initial drawings of the components, their interconnections, related sub-processes, and possible content for the current fraud-prevention framework, it became clear that the framework should be designed and described in its own notation by applying the principles for domain-specific modeling suggested by Kelly and Tolvanen [51]. The framework will consist of several layers and types of information (such as flowcharts) to show dependencies, business workflows, checklists, step plans, and recommendations for software tools. It will also be necessary to include a glossary outlining the different types of fraud and the proven countermeasures that an SME could implement. This combination of graphical and textual content must find a form of notation that is both understandable and abstract enough to allow existential generalizations [52]. IT-specific notations such as the Unified Modeling Language (UML) or the concept of BPMN 2.0 would cover only parts of the framework; others, such as ArchiMate®, are too complex to be understood by those who are not IT experts.

3. Summary of Findings to Date and Current State of Artifact Design

The first examination of the six fraud prevention frameworks dedicated to SMEs revealed that these concepts showed a narrow scope and offered little advice on prevention measures. These concepts either concentrated on a very specific context [53], [54], or only covered employee fraud [55], [56] and not external fraud risks. One case study [57] pursued a more behavioral approach by developing a code of conduct and incident response chains, while another study [58] concentrated on reporting options for fraud. An alternative prevention concept must also consider external fraud vectors. Internal control mechanisms must be supplemented by IT techniques to detect fraud at an early stage.

When looking into existing and well-established frameworks from other disciplines, some transferable information seems promising. For instance, the IT management and IT governance framework COBIT-2019 (Control Objectives for Information and Related Technologies) developed by the Information Systems Audit and Control Association allows different perspectives and focus areas, one of which is related to SMEs [59], [60]. The NIST Cybersecurity Framework [61], [62] allows SME-specific security approaches. One example is the transfer of the five stages of the NIST cybersecurity framework (identify, protect, detect, respond, recover) [63] into fraud prevention measures, including a classification of these measures as man-, technology-, or organization-related. The MTO classification allows the creation of different clusters for the implementation and makes it easier for SMEs to decide which prevention measures to install and in what order. With regard to the implementation itself, the ISIS12 (Information Security Management System in 12 steps) concept [64] could be adapted to create a roadmap for implementing a fraud-prevention framework.

An in-depth analysis of the six concepts found during the literature review and a detailed review of established frameworks from other disciplines is currently in progress. Therefore, the present architectural fraud prevention framework (as visualized in Figure 1) is at a preliminary stage. It consists of five connected dimensions (Tier 1). The framework deals with risk management in order to allow the SME to identify the individual fraud risk.
It touches on fraud forensics because the need for risk management is often realized after an incident has occurred. The core part of the framework discusses and describes the fraud types and their countermeasures along the MTO concept to enable the selection of suitable measures. In addition, the proposed framework gives ideas of where to find external support and suggests a roadmap for implementation. A continuous improvement cycle must follow the implementation in order to keep the implemented measures up to date. Figure 1 illustrates the different components, connections, and interplay. A second conceptualization is helpful to understand the layers of granularity in each tier. This information will be worked out in detail for the final publication and the concrete guideline for SME practitioners.

Figure 1: Prelim. Fraud Prevention Framework for SMEs

Figure 2 shows the content-related structure consisting of six layers (I–VI) with an increase in granularity for each level. For example, Layer VI will contain concrete recommendations and references or weblinks, whereas Layers I and II are more introductory and will provide background overviews. Layers III–VI build the core of the framework and will offer a concrete toolbox for selecting and implementing the most suitable countermeasures for the individual fraud risk as identified during the risk assessment. Layers III–VI reflect Tier 2, containing all sub-processes and a high level of content and detailed information.

Figure 2: Prelim. Architectural and Content-related Structure of Fraud Prevention Framework for SMEs

4. Conclusion, Limitations and Further Research

This research project concentrates on finding the best measures and activities for preventing or detecting fraud in small and medium organizations. It is supplemented with related aspects of IT security, risk management, and implementational aspects. The present work-in-progress paper gives an idea of why a comprehensive fraud-fighting framework is valuable for SMEs. It also shows why this framework must be created in a generalized and flexible manner to enable SMEs to choose the fraud prevention activities that are most suitable for their business model and resource situation. Therefore, the final framework might include advice for modifications of some suggested fraud prevention measures to make them applicable to micro-SMEs as well. Limitations might occur if a generic framework cannot be created, since different fraud types or industries would require very different prevention approaches. This would increase complexity and might reduce the applicability and understandability of the framework.

Upcoming steps during this design science research project will include an in-depth analysis of the six fraud prevention concepts found during the literature review and the evaluation of existing frameworks from other disciplines. These insights will be incorporated into the design and creation of the Tier 2 details for the above-mentioned five dimensions (Tier 1 boxes). The MTO approach will be used to enable manageable clusters for the implementation of different measures that will interplay and build a fraud prevention and detection framework for the SME. The SME context for the evaluation will be defined (e.g., the use of very different industry partners) and a roadmap for evaluation will be prepared according to the principles of action research in order to acquire piloting SME partners and to prepare for expert evaluation.

5. References

[1] European Commission, “User guide to the SME Definition,” Publications Office of the European Union, Luxembourg, Aug. 2020. Accessed: Feb. 12, 2021. [Online]. Available: https://ec.europa.eu/docsroom/documents/42921
[2] D. Kempf, “Ohne Schutzschild,” IT-Security Channel Compendium, Jun. 2015.
[3] Ponemon, “2017 State of Cybersecurity in Small & Medium-Sized Businesses (SMB),” Ponemon Institute LLC, Sep. 2017. Accessed: Nov. 28, 2020. [Online]. Available: https://www.csrps.com/wp-content/uploads/2019/03/2017-Ponemon-State-of-Cybersecurity-in-Small- and-Medium-Sized-Businesses-SMB.pdf [4] ACFE, “Report to the Nations - 2020 Global Fraud Study on Occupational Fraud and Abuse,” Association of Certified Fraud Examiners Inc., Austin - Texas - USA, 2020. Accessed: Dec. 01, 2020. [Online]. Available: https://acfepublic.s3-us-west-2.amazonaws.com/2020-Report-to-the-Nations.pdf [5] M. Barth et al., “Spionage, Sabotage und Datendiebstahl – Wirtschaftsschutz in der vernetzten Welt,” Bitkom e.V., Berlin, Studienbericht 2020, 2020. [6] Ernst & Young Fraud Investigation & Dispute Services, “Global Forensic Data Analytics Survey 2018: How can you disrupt risk in an era of digital transformation?,” 2018. [Online]. Available: https://assets.ey.com/content/dam/ey-sites/ey-com/en_gl/topics/assurance/assurance-pdfs/ey-global- fda-survay.pdf [7] ACFE, “Report to the Nations on Occupational Fraud and Abuse - 2016 Global Fraud Study,” Association of Certified Fraud Examiners, Austin - Texas - USA, 2016. Accessed: Apr. 07, 2018. [Online]. Available: https://www.acfe.com/rttn2016/docs/2016-report-to-the-nations.pdf [8] ACFE, “Report to the Nations - 2018 Global Fraud Study on Occupational Fraud and Abuse,” Association of Certified Fraud Examiners, Austin - Texas - USA, 2018. Accessed: May 15, 2018. [Online]. Available: https://s3-us-west-2.amazonaws.com/acfepublic/2018-report-to-the-nations.pdf [9] Bundesamt für Justiz, “§ 263a StGB - Einzelnorm.” https://www.gesetze-im- internet.de/stgb/__263a.html (accessed Mar. 07, 2019). [10] jusline.at, “§ 146 StGB (Strafgesetzbuch), Betrug - JUSLINE Österreich.” https://www.jusline.at/gesetz/stgb/paragraf/146 (accessed Mar. 07, 2019). 212 [11] S. 
Heißner, “Täter und Delikte,” in Erfolgsfaktor Integrität, Wiesbaden: Springer Fachmedien Wiesbaden, 2014, pp. 37–70. doi: 10.1007/978-3-658-05608-7_2. [12] Association of Certified Fraud Examiners, “The Fraud Tree - occupational fraud and abuse classification systems,” The Fraud Tree - Occupational Fraud and Abuse Classification System, 2016. https://www.acfe.com/rttn2016/images/fraud-tree.jpg (accessed Mar. 07, 2019). [13] K. Henselmann and S. Hofmann, Accounting fraud: case studies and practical implications. Berlin: Erich Schmidt, 2010. [14] J. Marks, “Fraud Pentagon - Enhancements to the Three Conditions Under Which Fraud May Occur,” BoardAndFraud, May 21, 2020. https://boardandfraud.com/2020/05/21/fraud-pentagon- enhancements-to-the-fraud-triangle-and-under-which-fraud-may-occur/ (accessed Jan. 05, 2021). [15] D. T. Wolfe and D. R. Hermanson, “The Fraud Diamond: Considering the Four Elements of Fraud,” CPA Journal, vol. 74.12, pp. 38–42, 2004, [Online]. Available: https://digitalcommons.kennesaw.edu/cgi/viewcontent.cgi?article=2546&context=facpubs [16] N. Christian, Y. Z. Basri, and W. Arafah, “Analysis of Fraud Triangle, Fraud Diamond and Fraud Pentagon Theory to Detecting Corporate Fraud in Indonesia,” The International Journal of Business Management and Technology, vol. 3, no. 4, pp. 73–78, Aug. 2019. [17] K. Fuad, A. B. Lestari, and R. T. Handayani, “Fraud Pentagon as a Measurement Tool for Detecting Financial Statements Fraud,” Vung Tau City, Vietnam, 2020. doi: 10.2991/aebmr.k.200127.017. [18] S. Maulidiana and T. Triandi, “Analysis of Fraudulent Financial Reporting Through the Fraud Pentagon Theory,” South Tangerang, Indonesia, 2020. doi: 10.2991/aebmr.k.200522.042. [19] Muhsin, Kardoyo, and A. Nurkhin, “What Determinants of Academic Fraud Behavior? From Fraud Triangle to Fraud Pentagon Perspective,” KSS, vol. 3, no. 10, p. 154, Oct. 2018, doi: 10.18502/kss.v3i10.3126. [20] M. 
Nindito, “Financial Statement Fraud: Perspective of the Pentagon Fraud Model in Indonesia,” Academy of Accounting and Financial Studies Journal, Jun. 2018, Accessed: Jan. 02, 2021. [Online]. Available: https://www.abacademies.org/abstract/financial-statement-fraud-perspective-of- the-pentagon-fraud-model-in-indonesia-7319.html [21] European Commission, “SME definition,” Internal Market, Industry, Entrepreneurship and SMEs - European Commission, Jul. 05, 2016. https://ec.europa.eu/growth/smes/sme-definition_en (accessed Feb. 12, 2021). [22] P. Schöber and P. Schmitz, “Hochkonjunktur für die Schatten-IT,” IT-Business, Oct. 23, 2020. https://www.it-business.de/hochkonjunktur-fuer-die-schatten-it-a-973554 (accessed Oct. 23, 2020). [23] ACFE, “Fraud in the Wake of COVID-19: Benchmarking Report,” Jun. 2020. https://www.acfe.com/covidreport.aspx (accessed Jun. 18, 2020). [24] ACFE, “Fraud in the Wake of COVID-19: Benchmarking Report December Edition,” Dec. 2020. https://www.acfe.com/covidreport.aspx (accessed Mar. 14, 2021). [25] D. Buil-Gil, F. Miró-Llinares, A. Moneva, S. Kemp, and N. Díaz-Castaño, “Cybercrime and shifts in opportunities during COVID-19: a preliminary analysis in the UK,” European Societies, pp. 1–13, Aug. 2020, doi: 10.1080/14616696.2020.1804973. [26] Deloitte Poland, “The impact of COVID-19 on the fraud risks faced by organisations.” Apr. 2020. Accessed: Mar. 14, 2021. [Online]. Available: https://www2.deloitte.com/content/dam/Deloitte/pl/Documents/Brochures/pl_COVID_19_Fraud%20 Risks_EN_newApril2020.pdf [27] L. Pasculli, “COVID19-related fraud risks and possible anti-fraud measures (Written evidence submitted to the Treasury Committee on the Economic Impact of Coronavirus),” Coventry University, EIC0792, Jun. 2020. [Online]. Available: https://www.researchgate.net/publication/345760552_COVID19- related_fraud_risks_and_possible_anti- fraud_measures_Written_evidence_submitted_to_the_Treasury_Committee_on_the_Economic_Impa ct_of_Coronavirus [28] F. 
Holzenthal, “IT-gestützte Geldwäsche- und Betrugsbekämpfung in Banken und Versicherungen Mehrwert durch einen holistischen GRC-Ansatz,” ZRFC, vol. 3/14, pp. 140–143, 2014. [29] O. Derksen, “Fraud Analyse von Massendaten in Echtzeit,” in Big Data - Systeme und Prüfung, Deggendorfer Forum zur digitalen Datenanalyse, Ed. Berlin: Schmidt, 2013, pp. 45–59. 213 [30] M. Spindler and H. Kögel, “Erkennung von Versicherungsbetrug mit künstlicher Intelligenz,” Bitkom Bundesverband Informationswirtschaft, Telekommunikation und neue Medien e.V., Berlin, Faktenpapier No.9, 2020. [31] E. Ulich, “Arbeitssysteme als Soziotechnische Systeme – eine Erinnerung,” Journal Psychologie des Alltagshandelns, vol. 6, no. 1, 2013, [Online]. Available: http://www.allgemeine- psychologie.info/cms/images/stories/allgpsy_journal/Vol%206%20No%201/Arbeitssystem_Ulich.pdf [32] B. Kitchenham, “Guidelines for performing systematic literature reviews in software engineering,” EBSE, Technical Report, Ver. 2.3, 2007. Accessed: Oct. 07, 2017. [Online]. Available: https://pdfs.semanticscholar.org/e62d/bbbbe70cabcde3335765009e94ed2b9883d5.pdf [33] M. Massaro, J. Dumay, and J. Guthrie, “On the shoulders of giants: undertaking a structured literature review in accounting,” Accounting, Auditing & Accountability Journal, vol. 29, no. 5, pp. 767–801, Jan. 2016, doi: 10.1108/AAAJ-01-2015-1939. [34] A. Fink, Conducting research literature reviews: from the internet to paper, Fifth edition. Los Angeles: Sage, 2020. [35] Committee of Sponsoring Organizations of the Treadway Commission (COSO), “Guidance on Internal Control,” www.coso.org, 2013. https://www.coso.org/pages/ic.aspx (accessed Jun. 09, 2021). [36] A. R. Hevner, S. T. March, J. Park, and S. Ram, “Design Science in Information Systems Research,” MIS Quarterly, vol. 28, no. 1, pp. 75–105, Mar. 2004. [37] K. Peffers, T. Tuunanen, M. A. Rothenberger, and S. 
Chatterjee, “A Design Science Research Methodology for Information Systems Research,” Journal of Management Information Systems, vol. 24, no. 3, pp. 45–77, Dec. 2007, doi: 10.2753/MIS0742-1222240302. [38] A. R. Hevner, “A Three Cycle View of Design Science Research,” Scandinavian Journal of Information Systems, vol. 19, no. 2, pp. 87–92, 2007. [39] M. Shaw, “What Makes Good Research in Software Engineering?,” STTT, vol. 4, no. 1, pp. 1– 7, 2002. [40] A. Cleven, P. Gubler, and K. M. Hüner, “Design alternatives for the evaluation of design science research artifacts,” 2009, p. 1. doi: 10.1145/1555619.1555645. [41] K. Peffers, M. Rothenberger, T. Tuunanen, and R. Vaezi, “Design Science Research Evaluation,” in Design Science Research in Information Systems. Advances in Theory and Practice, vol. 7286, Berlin, Heidelberg: Springer Berlin Heidelberg, 2012, pp. 398–410. doi: 10.1007/978-3-642- 29863-9_29. [42] N. Prat, I. Comyn-Wattiau, and J. Akoka, “Artifact Evaluation in Information Systems Design Science Research - A Holistic View,” Jun. 2014, p. 16. [43] J. Pries-Heje, R. Baskerville, and J. R. Venable, “Strategies for Design Science Research Evaluation,” ECIS 2008 Proceedings. 87, p. 13, 2008. [44] J. Venable, J. Pries-Heje, and R. Baskerville, “FEDS: a Framework for Evaluation in Design Science Research,” European Journal of Information Systems, vol. 25, no. 1, pp. 77–89, Jan. 2016, doi: 10.1057/ejis.2014.36. [45] T. Wilde and T. Hess, “Forschungsmethoden der Wirtschaftsinformatik: Eine empirische Untersuchung,” WIRTSCHAFTSINFORMATIK, vol. 49, no. 4, pp. 280–287, Aug. 2007, doi: 10.1007/s11576-007-0064-z. [46] K. C. Laudon, J. P. Laudon, and D. Schoder, Wirtschaftsinformatik: eine Einführung, 3., Vollständig überarbeitete Auflage. Hallbergmoos/Germany: Pearson, 2016. [47] N. Döring and J. Bortz, Forschungsmethoden und Evaluation in den Sozial- und Humanwissenschaften, 5. vollständig überarbeitete, Aktualisierte und erweiterte Auflage. 
Berlin Heidelberg: Springer, 2016. [48] P. S. M. dos Santos and G. H. Travassos, “Action Research Can Swing the Balance in Experimental Software Engineering,” in Advances in Computers, vol. 83, Elsevier, 2011, pp. 205–276. doi: 10.1016/B978-0-12-385510-7.00005-9. [49] J. Recker, Scientific research in information systems: a beginner’s guide. Heidelberg: Springer, 2013. [50] N. F. Kock, Ed., Information systems action research: an applied view of emerging concepts and methods. New York, N.Y: Springer, 2007. [51] S. Kelly and J.-P. Tolvanen, Domain-specific modeling: enabling full code generation. Hoboken, N.J: Wiley-Interscience : IEEE Computer Society, 2008. 214 [52] R. J. Wieringa, Design science methodology for information systems and software engineering. New York, NY: Springer Berlin Heidelberg, 2014. [53] S. Phuttima, W. Rueangsirasak, and R. Chaisricharoen, “Fraud Detection System for Steel Logistic SME Business on Cloud Services Model,” in The 4th Joint International Conference on Information and Communication Technology, Electronic and Electrical Engineering (JICTEE), Chiang Rai, Thailand, Mar. 2014, pp. 1–7. doi: 10.1109/JICTEE.2014.6804088. [54] N. A. Aris, S. M. M. Arif, R. Othman, T. Chantrathevi, and R. Tapsir, “Internal Control Mechanism Framework for Fraud Prevention in Small Medium Automotive Industry,” in 2013 IEEE Symposium on Humannities, Science and Engineering Research (SHUSER), Malaysia, Jun. 2013, pp. 594–598. [55] S. Dawson, Internal control/anti-fraud program design for the small business: a guide for companies not subject to the Sarbanes-Oxley Act. Hoboken: Wiley, 2015. [56] L. D. A. Yearwood, “A Conceptual Framework for the Prevention and Detection of Occupational Fraud in Small Businesses,” Master Thesis, Concordia University College of Alberta, Alberta Canada, 2011. [57] S. Lincke and D. Green, “Combating IS fraud: A teaching case study,” in AMCIS 2012 Proceedings, Seattle, Washington, Aug. 2012, vol. 2, pp. 578–584. [Online]. 
Available: http://aisel.aisnet.org/amcis2012/proceedings/ISEducation/2 [58] K. T. Çalıyurt, “Reporting Fraud Using the Fraud-Free Company Model: A Case for the SMEs in Emerging Economies?,” in Emerging Fraud, K. Çaliyurt and S. O. Idowu, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2012, pp. 3–18. Accessed: Dec. 01, 2020. [Online]. Available: http://link.springer.com/10.1007/978-3-642-20826-3_1 [59] M. Andenmatten, “COBIT 2019 – Das neue Enterprise Governance Modell für Informationen und Technologien,” Disruptive agile Service Management, Nov. 26, 2018. https://blog.itil.org/2018/11/cobit-2019-das-neue-enterprise-governance-modell-fuer-informationen- und-technologien/ (accessed Jun. 19, 2020). [60] P. M. Asprion and D. Burda, “COBIT — Enzyklopädie der Wirtschaftsinformatik,” Enzyklopädie der Wirtschaftsinformatik - Online Lexikon, Feb. 27, 2019. https://www.enzyklopaedie- der-wirtschaftsinformatik.de/wi-enzyklopaedie/lexikon/daten-wissen/Grundlagen-der- Informationsversorgung/COBIT (accessed Jun. 19, 2020). [61] C. Johnson, “Sizing Up the NIST Cybersecurity Framework,” NIST Taking Measure, Oct. 31, 2016. https://www.nist.gov/blogs/taking-measure/sizing-nist-cybersecurity-framework (accessed Jun. 19, 2020). [62] N. Keller, “Small and Medium Business Perspectives,” NIST, Feb. 01, 2018. https://www.nist.gov/cyberframework/small-and-medium-business-perspectives (accessed Jun. 19, 2020). [63] The MEP National Network, “MANUFACTURERS GUIDE TO CYBERSECURITY - For Small and Medium-Sized Manufacturers,” THE MEP NATIONAL NETWORK. Accessed: Nov. 08, 2020. [Online]. Available: https://www.nist.gov/system/files/documents/2019/11/14/mepnn_cybersecurity_guide_10919-508.pdf [64] ISIS12-Netzwerk, “Handbuch zur effizienten Gestaltung von Informationssicherheit für Kleine und Mittlere Organisationen (KMO).” IT-Sicherheitscluster e. V., 93053 Regensburg, Apr. 27, 2020. [Online]. Available: https://www.isis12.de 215