Back to course overview
Module 4Anomaly detection 12 min

Alert & review workflows

Detection without disposition is noise: triage lanes by score and dollars, the disposition log as tuning data and audit evidence, and the metrics that keep the system trusted.

A detection system's output isn't alerts — it's dispositions: every flag reviewed, concluded, and logged. The gap between those two is where most anomaly programs die (a dashboard of 400 unreviewed flags is a liability with a UI: it proves you knew). The workflow that keeps detection alive is the same shape you've built twice before — triage lanes, human review, logged outcomes — tuned for finance:

  • Lane by score × dollars. Compound high-score flags on material amounts: same-day senior review. Single-signal flags on small amounts: weekly batch, junior triage, twenty minutes with coffee. The asymmetry math is Module 1's error-cost thinking — a missed $40K diversion and a false-positive $40 expense flag are not symmetric events, and the lanes should say so.
  • Every flag gets one of four dispositions (error / legitimate-explained / policy-violation / escalate), a reviewer name, and a date. No fifth option, no 'left open'. The log compounds in value: it's audit evidence ('here is our detective control operating'), tuning data (which rules generate noise?), and pattern memory (the vendor explained-away three times this quarter reads differently the fourth time).
  • Tune on a cadence, from the log. Monthly: the noisiest rule gets examined — tighten its threshold, add a seasonality exclusion, or retire it. The alert-fatigue spiral (noise → skimming → rubber-stamped dispositions → missed real one) is detection's death; the monthly pruning is its vaccine. Target a false-positive rate the team can sustain, not one that looks rigorous in a deck.
  • Report the program in three numbers: coverage (% of transactions screened — the number that grew from 5% sampling to 100%), yield (confirmed issues found, with $ recovered — the rate-audit recoveries alone usually carry the program), and health (median time-to-disposition; a rising number is the fatigue spiral, caught early).

Where AI sits in the review itself

AI flags; it also prepares the review: for each flag, an assembled context card — the transaction, the rule/pattern tripped, the vendor's 12-month history, prior flags and their dispositions, the contract terms if relevant — so the human reviews in ninety seconds what used to take fifteen minutes of tab-hopping. This is the highest-leverage AI insertion in the whole module: it doesn't touch the judgment; it removes the archaeology around the judgment. (The draft disposition, though, stays unwritten — a pre-filled 'probably legitimate' anchors the reviewer, and anchored review is rubber-stamping with extra steps.)

Close the loop with the source systems

The best dispositions fix causes, not instances: the duplicate-payment flag that traces to a vendor emailing invoices twice gets fixed in the vendor's process; the recurring rate-audit flag on one lane gets fixed in the contract (or the carrier conversation); the ghost-vendor near-miss becomes a vendor-master control (dual approval on creation + the employee-match screen). Every month, ask the log: 'which three flags should never have been possible?' — that question, asked routinely, is how detection programs shrink their own workload.