Predicting credit card fraud with Sarbanes‐Oxley assessments and Fama‐French risk factors

• Published date: 01 April 2020
• Author: James Christopher Westland
• Date: 01 April 2020
• DOI: http://doi.org/10.1002/isaf.1472

RESEARCH ARTICLE

Predicting credit card fraud with Sarbanes-Oxley assessments

and Fama-French risk factors

James Christopher Westland

IDS, University of Illinois, U nited States of

America

Correspo ndence

James Christophe r Westland, IDS, University

of Illinois, United State so f America.

Email: westland@ uic.edu

Summary

This research developed and tested machine learning models to predict signifi-

cant credit card fraud in corporate systems using Sarbanes-Oxley (SOX) reports,

new s reports o f breac hes an d Fama- Frenc h risk fac tors (FF ). Expl oratory a nalys is

found that SOX information predicted several types of security breaches, with the

strongest performance in predicting credit card fraud. A systematic tuning of hyper-

paramters for a suite of machine learning models, starting with a random forest, an

extremely-randomized forest, a random grid of gradient boosting machines (GBMs),

a random gridof deep neural nets, a fixed grid of generallinear models where assem-

bled into two trained stacked ensemble models optimized for F1 performance; an

ensemble that contained all the models, and an ensemble containing just the best

performing model from each algorithm class. Tuned GBMs performed best under

all conditions. Without FF, models yielded an AUC of 99.3% and closeness of the

training and validation matrices c onfirm that the model is robust. The mo st important

predictorswere firm specific, as would be expected, since control weaknessesvary at

the firm level. Audit firm fees were the most important non-firm-specific predictors.

Adding FF to the model rendered perfect prediction (100%)in the trained confusion

matrix and AUC of 99.8%. The most important predictors of credit card fraud were

the FF coefficient for the High book-to-market ratio Minus Low factor. The second

most influe ntial variable was the ye ar of reporting, an d third most important w as

the Fama-Frenc h 3-factor mode l R2– togetherthese described most of the variance

in credit card fraud occurrence. In all cases the four major SOX specific opinions

rendered by auditors and the signed SOX reporthad little predictive influence.

KEYWORDS

auditing, Fama-French risk factors, internal control, Sarbanes-Oxley, se curitybreach es

Sarbanes-O xley attestations and firm sec urity

Following th e Enron and WorldCom co llapses that marked the en d

of the dot-com bubble, U.S. legislators sought to better protect

and inform investo rs through passage of the Sarbanes-Oxley Act of

2002 (SOX). Section 404 of SOX (SOX 404) requires companies to

review their internal controls under the supervision of externalaudi-

tors and declare whether their controls are effective. Section 404a

prescribes the scope and rules for internal control assessments and

section 404b prescribes the reporting requirements. Section 302 of

SOX (SOX 302) requires companies to self-report on effectiveness

of internal controls, but otherwise defers to the relevant sections

of the Securities Exchange Act of 1934 for specifics. A significant

motivation fo r SOX's focus o n internal control is the potential fo rf irms

to suffe r systems intrusion from external actors com monly referred

to as security breaches. These may lead to materially significant

losses and misstatements which could result in financial results that

are not fairly presented. (Rice & Weber, 2012)(Rice, Weber, & Biyu,

2014)(Ashbaugh-Skaife, Collins, Kinney, & LaFond, 2008)(Ge,Koester,

IntellSys Acc Fin Mgmt. 2020;27:95–107. wileyonlinelibrary.com/journal/isaf © 2020 John Wiley & Sons, Ltd.

Received: 1 August 2019 Revised: 8 March 2020 Accepted: 21 March 2020

DOI: 10.1002/isaf.1472

56

95