Author: Prashanth Ashwathram: Vice President- Technology & Consulting
Operational risk rarely announces itself as a single obvious failure. More often, it appears as small mismatches across systems no one is comparing, such as payroll records that don’t align with badge activity, vendor records that don’t match delivery evidence, or overtime patterns that don’t match project reality. The broader problem sitting underneath it is this: most organizations already hold the data needed to catch a wide range of operational risks, including fraudulent pay, unauthorized vendor activity, unearned overtime, and compliance gaps, but they hold it in separate systems that were never designed to be compared against each other.
For CFOs, HR leaders, compliance teams, and internal audit functions, the issue is not simply whether fraud exists today. It is whether the organization has enough connected visibility to detect financial leakage, policy violations, and control gaps before they become larger business problems. When a company suspects a risk like this, the instinct is almost always to investigate harder. Pull more records, cross-check more logs, assign more compliance hours to chase down anomalies. The assumption underneath that instinct is that the problem is hidden somewhere, buried in data nobody has looked at closely enough yet.
In most cases, that assumption is wrong. The evidence usually already exists. HR records show who's employed. Timesheets show hours logged. Badge access systems show who physically entered a building. Login systems show who accessed company systems and when. Individually, each of these systems is doing its job. The risk isn't hidden in any one of them. It's hidden in the fact that none of them are compared against each other.
This is the situation a Fortune 500 pharmaceutical retailer found itself in, detailed in KPI Partners' case study, Real-Time Payroll Fraud Detection, Powered by the KPI Partners Enterprise Analytics Accelerator. With a workforce of more than 300,000 employees and multi-billion-dollar annual revenue, the organization was facing growing concern that some employees were drawing salaries without any corresponding proof of presence or system access, a pattern commonly referred to as "ghosting." Payroll fraud happened to be this organization's specific entry point into a much broader capability, and that's what makes the case worth reading even for leaders who have never suspected ghosting in their own workforce.
When suspicion of ghost employees surfaced, the only available response was manual investigation, cross-referencing HR records, timesheets, badge access logs, and login data by hand across systems that weren't designed to talk to each other. That process consumed more than 40 hours per month and still produced inconclusive results, because the real signal only shows up when someone's HR status, timesheet entries, badge activity, and login activity are looked at together, not reviewed one system at a time. On top of that, the organization was operating under strict governance requirements around the secure handling of sensitive employee data, which meant any new approach had to meet a high bar for compliance and data protection, not just speed.
The result was a familiar bind for any large employer facing suspected internal fraud: real financial exposure, a workforce too large to investigate manually at scale, and no single view of the data that would actually reveal what was happening.
Faced with inconclusive manual reviews, the natural next step is often to add more investigative hours or bring in additional compliance staff. That response treats the problem as a resourcing gap, when the real gap was structural, and comparing records by hand simply doesn't scale to a workforce of hundreds of thousands of people.
The more useful question wasn't how to investigate faster. It was whether the organization could automatically correlate identity across every system that already held part of the picture, so a mismatch between someone's HR status, logged hours, badge activity, and system access would surface on its own, rather than depending on someone noticing it by hand.
There's a second assumption worth challenging here, one that shapes how most organizations approach risks like this in the first place. The default instinct is often to buy a dedicated, specialized fraud or governance platform, a purpose-built third-party tool that sits alongside everything else the business already runs. That path comes with real costs beyond the license fee: a new system to configure, a new vendor relationship to manage, and a new silo of data that still has to be reconciled with everything else. It also tends to be narrow by design, built to solve one problem well but not easily extended to the next risk area the organization identifies.
The approach taken in this case was different. Instead of treating fraud detection as a standalone point solution, the detection layer was implemented on cloud data infrastructure, using Google BigQuery for data processing and Google Composer for orchestration. This helped avoid creating another disconnected fraud-specific data silo and gave the organization a foundation that could extend to adjacent risk areas, including vendor fraud, overtime abuse, and compliance monitoring.
For any organization evaluating a similar risk, this is a distinction worth pressing on with potential partners: are they proposing a narrow point solution, or an analytics approach that can connect with the organization’s existing data environment and scale across future risk areas?
Using Google Cloud Platform, specifically Google BigQuery for data processing and Google Composer for orchestration, the team built secure, cloud-based pipelines that ingested and correlated identity data from the core HR system, the timesheet system, the badge access system, and the network login system into a single analytical foundation. The project used KPI Partners' Enterprise Analytics Accelerator, which delivered pre-built ETL processes, data models, metrics, dashboards, reports, and visualizations purpose-built for cross-system identity analysis, compressing what would otherwise have been a much longer build.
On top of that foundation, the solution applied advanced identity matching and behavior modeling to detect ghosting patterns, cases where pay records showed no corresponding evidence of physical presence or system activity. Every fraud alert and report was surfaced automatically for business users through Tableau, without requiring specialized technical training to interpret. The architecture was cloud-agnostic, compatible with Google Cloud Platform, Amazon Web Services, and Microsoft Azure, with every piece of sensitive employee data encrypted both in transit and at rest. The full implementation was completed in five months.
The financial case for automating this correlation, rather than continuing to do it by hand, is stark. The organization projected a 1,000 percent return on investment in the first year, with a payback period of just one month, meaning the cost of the implementation was recovered within weeks of going live. Manual analysis hours dropped by 90 percent, freeing HR and compliance teams from repetitive cross-referencing work to focus on higher-value activities. The architecture scaled to comprehensive analysis across more than 100,000 employee records without any loss of performance, and business users were able to access clear, automated fraud insights without needing additional headcount or specialized analytics resources.
Beyond the numbers, the organization also reported a shift in how it operated day to day. Fraud detection moved from a reactive, after-the-fact process to something closer to continuous monitoring. According to the case study, one senior HR compliance leader noted that the solution changed how the organization thinks about operational risk and workforce accountability more broadly, not just how it catches fraud.
Ghosting fraud is what surfaced first here, but it's worth stepping back to what actually made that detection possible: a governed layer that could see HR status, timesheet activity, badge access, and system logins side by side, all at once. That same layer doesn't care whether the anomaly it's looking for is a ghost employee, a vendor invoice that doesn't match a delivery, an overtime pattern that doesn't match a project schedule, or a compliance control that's quietly slipping. Following this initiative, the organization itself began evaluating that same correlation approach for vendor fraud, overtime abuse, and broader compliance monitoring, precisely because the underlying capability generalizes.
This is the real reason the case is worth reading beyond pharmaceutical retail, and beyond payroll fraud specifically. Any organization running separate systems for HR, timesheets, physical access, vendor management, and system logins is almost certainly sitting on the data it would need to catch a much wider range of operational risks than the one it happens to be worried about today. The limiting factor usually isn't the data. It's the absence of a governed way to bring it together.
For any leader wondering whether this applies to them, the more useful question isn't "do we have a fraud problem?" It's whether the organization has a way to see its own workforce, vendor, and compliance data side by side at all, because that visibility tends to be useful for far more than the one risk it was originally built to catch.
Read the full case study, Real-Time Payroll Fraud Detection, to see how KPI Partners helped a global pharmaceutical retailer move from manual fraud investigation to automated, governed risk detection and how the same model can extend to other operational risk areas.