BICA-Fraud-Seminar, November 25, 2013
Fraud Risk Management
Mario Fazekas, Exactech

Our Services

Digital Forensics
• Computer Forensics
• Mobile Forensics
• Tablet Forensics
• Network Forensics
• Cyber Forensics
• Memory Forensics
• Incident Response
• Cyber Liability Audits
• Expert Witness
• eDiscovery

Information Security
• Vulnerability Assessments
• Penetration Testing
• Wireless & Web Application Security Assessments
• IS Management
• Incident Response
• Technical Audit Assist

Risk & Advisory
• ExactRisk™
• Fraud Risk Reviews
• Ethics Surveys
• Forensic Analytics
• Fraud Awareness
• Fraud Investigation
• Forensic Acc.
• AML Advisory
• Forensic Readiness
• IP Theft Mitigation

Training & Awareness

Free Stuff…
• Information Security eBook
• Fraud eBook
• FCPA eBook
• Bribery eBook
• Continuous Monitoring eBook
• What You Don’t Know Can Hurt You
• Practical Guide to Managing Fraud Risk
• Newsletter
• Fraud Risk Gap Analysis

PROGRAM – Fraud Risk Management
1. Introduction
2. What is fraud?
3. How big a problem is it & why?
4. Who are the victims?
5. Who are the perpetrators?
6. What motivates the perpetrators?
7. What are the potential Solutions?

1. Introduction

Fraud and its Impacts
• In the 2012 Kroll Global Fraud Report, Africa reported the highest incidence of fraud, with 85% of respondents falling victim to fraud in the past year.
• A 2012 study conducted by the Association of Certified Fraud Examiners (ACFE) found that the typical organisation loses 5% of its annual revenue to fraud.
• According to BDO’s “Financial Cost of Fraud Report 2013”, since the start of the recession the global average cost of fraud has increased by almost 20%.
• According to the SAPS commercial crime statistics, fraud has increased by 45.5% over the last 9 years (2004-2013).
Problem in many organisations
• Typical adversarial models ignore the insider threat by assuming the organisation/TCB is free of threats.
• The insider threat violates this assumption.
(Diagram: Firewall/IDS in front of the Corporate Network)

Basically, Employees Come in 3 Flavours!
• Engaged
• Not Engaged
• Actively Disengaged

Number 1: Engaged
Engaged employees:
• Work with passion
• Feel a profound connection with their employer
• Drive innovation & move the company forward

Number 2: Not Engaged
Not engaged employees are:
• Essentially checked out!
• Sleepwalking through their working day
• Putting in time, but not energy or passion

Headlines:
• Teen Fired For Complaining About 'Boring' Job
• Bank Employee Let Go For Posting About Superior's Salary
• Seven employees fired from retailer for verbal attacks against customers and staff
• Waitress fired for complaining about clients
• Doctors, teachers and professors fired for posting about students & patients
All had “violated company policy”.

Number 3: Actively Disengaged
Actively disengaged employees aren't just unhappy, they are busy acting out their unhappiness. Every day these people undermine what their engaged co-workers accomplish.

Bosses from Hell
• A visitor asked why half of the offices were empty on the top floor of the company's Manhattan skyscraper. "Those were my enemies," Davis said. "I got rid of them."
• Scrooge-like employer who routinely screamed at his staffers and made them all work the Friday after Thanksgiving and other public holidays, when he called many times to make sure they were still at the office.
• Proclaimed "Greed is healthy" in a 1986 commencement address at UC Berkeley, the inspiration for the Gordon Gekko speech in Wall Street.
• Perhaps history's most dictatorial accountant, who would publicly humiliate his top 120 executives every month at grueling, four-day, 14-hour-long meetings that made some of them physically ill. Geneen liked to see the pained expressions on their faces as he tore into them.
• Forced his board members to give him signed resignation letters that he could accept if they ever dared to oppose him. Then promoted himself for the Nobel Peace Prize.

What is the history of Insider Threats?
Espionage and spying are amongst the oldest political and military trades. There are references to spies in ancient Greek history, and ancient Egyptian spies were among the first to develop methods of carrying out acts of internal sabotage.
Four cases: Judas Iscariot, Benedict Arnold, Berend Howard, Robert Hanssen.

What kind of Insider Threat profile do these four cases create?
(Columns: Expert Knowledge / Disgruntled Employee / Wanted Power or Prestige / History of Bad Behavior / Needed Money / Had a Plan)
• Case 1 (Ancient): Yes / Yes / Yes / No / ? / Yes
• Case 2 (Colonial): Yes / Yes / Yes / Yes / Yes / Yes
• Case 3 (The 80’s): Yes / Yes / Yes / Yes / Yes / Yes
• Case 4 (2000’s): Yes / Yes / Yes / No / ? / Yes

2. What is ‘Fraud’?

Occupational Fraud & Abuse (classification tree)
• Corruption
  - Conflict of interest: Purchase schemes; Sales schemes; Other
  - Bribery: Kickbacks; Bid rigging; Other
  - Illegal gratuities
  - Economic extortion
• Asset Misappropriation
  - Cash
    - Larceny: Of cash on hand; From deposit; Other
    - Skimming: Sales (unrecorded / understated); Receivables (lapping, write-offs); Refunds & others
    - Fraudulent disbursements:
      - Billing schemes: Shell company; Non-accomplice vendor; Personal purchase
      - Payroll schemes: Ghost employee; Commission schemes; Falsified wages / hours
      - Expense reimbursement schemes: Mischaracterized; Overstated; Fictitious; Multiple reimbursements
      - Cheque tampering: Forgeries and counterfeits
      - Register disbursements: False refunds; False voids
      - EFTs
  - Inventory & Other Assets
    - Misuse
    - Larceny: Asset requisitions & transfers; False sales & shipping; Purchasing & receiving
• Fraudulent Statements
  - Financial: Improper asset valuation; Improper disclosures; Fictitious revenues; Concealed liabilities & expenses; Timing differences
  - Non-financial: Employment credentials; Internal documents; External documents

Corruption Perceptions Index (CPI)
It ranks countries in terms of the degree to which corruption is perceived to exist among public officials & politicians. It is a composite index, drawing on 14 different polls and surveys from 7 independent institutions carried out among business people, the general public & country analysts.

The Myth of ‘Culture’
One way to justify bribery is with the "culturally relativistic" argument. It is often suggested in developed countries that corruption is part of the "culture" of many developing countries. Yet, one could ask why there are laws against corruption in all countries, developed or developing, if, in fact, it is "a part of their culture"? Why, too, one might inquire, have the people of the Philippines, Egypt and Bangladesh mobilized against a well-armed military to bring down corrupt leaders? These events hardly square with a popular acceptance of corruption as "a part of culture."

It’s Our Culture / It’s Their Culture

China 2008
The poorest of the poor: they are the real victims of corruption.
(Photo caption) May 26, 2008. Mothers hold framed photographs of their children that perished in the May 12, 2008 earthquake at the Fuxing Number Two Elementary School, in Wufu town, Mianzhu city, Sichuan province, China.
ZZZZ BEST
• 1982: Barry Minkow started a carpet cleaning company in his parents' garage (aged 16)
• By 1986 he was worth over $250 million (aged 20)
• Appeared on the Oprah Winfrey show and on the covers of Newsweek & People Magazine
• The Mayor of LA declared a Barry Minkow day
• Became involved with the mafia
• 1987: ZZZZ Best collapsed, worth only $50 000
• Served 7 years of a 25-year sentence
(Video slides: Minkow – auditors; Accounting 537; Minkow Movie)

How Lapping Works…
(Table: for each of Jan, Feb, Mar the payment received from…, the payment applied to…, and the R/$ embezzled)

Shell Company (Accomplice vendor)
• "R32m secret drove mom to suicide" - 28 Oct 2001
• 50 year old Financial Manager, Ronelle Poverello, stole R32m over 3 years
• Bank admits shared liability on cheques prior to 01 March 2001 (R20m)
• Company liable for R12m
• R10m VAT owed to the Receiver
• Segregation of duties
• Lifestyle

State vs. Ferrier
• Payroll manipulation by the FD resulting in a loss of R3,403,806.00 to the company
• Convicted on 112 counts of Fraud and sentenced to 10 years imprisonment
Source: Adv Tommy Prins, Phyllis Atkinson & Financial Mail
EFTs
Primary methods of EFT fraud:
• A fictitious or alternative vendor is created with the fraudster’s own bank account details
• The fraudster substitutes his/her own bank account details for an existing vendor, then resets the details after the fraudulent transaction
• Sharing passwords or unsecure passwords

Passwords
(Slide showing password examples: Admin01, MgR3-jp2b, Oct-2011)

VIDEO - Backup-AVI

3. How big a problem is fraud?
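Before moving on to section 3: the two EFT fraud methods on the slide above (a fictitious vendor carrying the fraudster’s own bank details, and a temporary substitution of a real vendor’s details) both leave traces in the vendor master-file audit trail and the payment run. The Python script below is an added example, not part of the seminar deck, showing detection logic an internal-audit or finance-systems team could run over those two record sets. The vendor IDs, account numbers, user names and dates are constructed sample data, and the four rules (payment account matches an employee’s payroll account; bank details swapped before a payment and reverted after it; a newly created vendor paid within days; the same user maintaining the vendor record and approving its payment) are assumptions about what is worth flagging.

```python
"""Flag EFT payments that match the vendor-master manipulations described on
the slide. All records below are constructed sample data, not real transactions."""
from datetime import datetime, timedelta

# Constructed vendor master-file audit trail: who changed which field, when.
VENDOR_CHANGES = [
    {"vendor": "V100", "field": "created",      "old": None,         "new": "V100",       "by": "jsmith", "at": datetime(2013, 10, 1, 9, 0)},
    {"vendor": "V100", "field": "bank_account", "old": None,         "new": "62-1111-01", "by": "jsmith", "at": datetime(2013, 10, 1, 9, 1)},
    {"vendor": "V042", "field": "bank_account", "old": "62-5555-07", "new": "62-1111-01", "by": "jsmith", "at": datetime(2013, 10, 14, 16, 50)},
    {"vendor": "V042", "field": "bank_account", "old": "62-1111-01", "new": "62-5555-07", "by": "jsmith", "at": datetime(2013, 10, 16, 8, 5)},
    {"vendor": "V077", "field": "bank_account", "old": "62-9999-03", "new": "62-9999-04", "by": "aduma",  "at": datetime(2013, 9, 2, 11, 0)},
]

# Constructed payment run; "account" is where the EFT actually went.
PAYMENTS = [
    {"id": "P1", "vendor": "V100", "amount": 48500.00,  "account": "62-1111-01", "approved_by": "jsmith", "at": datetime(2013, 10, 3, 10, 0)},
    {"id": "P2", "vendor": "V042", "amount": 212000.00, "account": "62-1111-01", "approved_by": "mbrown", "at": datetime(2013, 10, 15, 10, 0)},
    {"id": "P3", "vendor": "V077", "amount": 9100.00,   "account": "62-9999-04", "approved_by": "mbrown", "at": datetime(2013, 10, 20, 10, 0)},
]

# Constructed payroll bank details (hypothetical cross-reference source).
EMPLOYEE_ACCOUNTS = {"jsmith": "62-1111-01", "mbrown": "62-2222-02", "aduma": "62-3333-03"}


def bank_changes(vendor):
    """Bank-account changes for one vendor, oldest first."""
    return sorted((c for c in VENDOR_CHANGES
                   if c["vendor"] == vendor and c["field"] == "bank_account"),
                  key=lambda c: c["at"])


def creation_time(vendor):
    for c in VENDOR_CHANGES:
        if c["vendor"] == vendor and c["field"] == "created":
            return c["at"]
    return None  # vendor predates the audit trail


def flag_payment(p, revert_window=timedelta(days=7), new_vendor_window=timedelta(days=14)):
    """Return the list of red-flag labels raised for one payment (empty = clean)."""
    flags = []
    # Rule 1: the receiving account belongs to an employee.
    owners = [e for e, acct in EMPLOYEE_ACCOUNTS.items() if acct == p["account"]]
    if owners:
        flags.append(f"account matches employee {owners[0]}")
    # Rule 2: details changed to this account before the payment, then changed
    # back to the previous account within revert_window after it.
    changes = bank_changes(p["vendor"])
    for i, c in enumerate(changes):
        if c["new"] == p["account"] and c["at"] <= p["at"]:
            for later in changes[i + 1:]:
                if later["new"] == c["old"] and p["at"] < later["at"] <= p["at"] + revert_window:
                    flags.append(f"bank details swapped by {c['by']} and reverted after payment")
    # Rule 3: brand-new vendor paid almost immediately.
    created = creation_time(p["vendor"])
    if created is not None and p["at"] - created <= new_vendor_window:
        flags.append("vendor created within window before first payment")
    # Rule 4: segregation of duties; the approver also maintained the vendor record.
    maintainers = {c["by"] for c in VENDOR_CHANGES if c["vendor"] == p["vendor"]}
    if p["approved_by"] in maintainers:
        flags.append(f"{p['approved_by']} both maintained vendor and approved payment")
    return flags


def review_payment_run(payments=PAYMENTS):
    """Map payment id -> list of flags for a whole payment run."""
    return {p["id"]: flag_payment(p) for p in payments}


if __name__ == "__main__":
    for pid, flags in review_payment_run().items():
        print(pid, flags or ["clean"])
```

Running the script flags P1 (new vendor, employee account, approver maintained the record) and P2 (swap-and-revert onto an employee account), while the ordinary account change on V077 a month before its payment raises nothing; that is what the revert window is for. The fourth rule only works when user accounts actually identify people, which is why the slide’s “sharing passwords” point matters: shared or weak credentials let one person’s changes be attributed to another in the audit trail.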
“While Botswana continues to enjoy the status of being the least corrupt African country, according to Transparency International, fraud is likely to become Botswana's next 'crisis' with losses due to fraud likely to run into millions of Pula per annum, creating untold damage to the country's economy, and leading to business closure due to loss of revenue, the result of which will be consequent loss of employment.”

Fraud Theory: Tip of the Iceberg
• 20%: Group 1 Fraud (exposed & in the public domain); prosecution considered
• 40%: Group 2 Fraud (known by a few & not made public); 1st sign of fraud
• 40%: Group 3 Fraud (undetected)
• 80% grey / unknown

TI Report says areas prone to corruption in Botswana include:
“Corruption in Botswana is becoming increasingly complex and challenging. The biggest challenge this year has been in the area of procurement, followed by land dealings and cheque fraud. There is also a growing trend of cheating in examinations.”
Acquisition of fraudulent driver’s licences, illicit land deals particularly in main land boards, Self Help Housing Agency and in urban and peri-urban areas, tendering and procurement, ID theft, fake degrees & diplomas, nepotism in recruitment and bribery.
- DCEC (Directorate on Corruption and Economic Crime) Director, Rose Seretse

The 2013 WEF global risks report lists cyber crime, entrenched organised crime and data fraud/theft as some of the current top risks.

The Impact of fraud
• Monetary loss
• Investigative costs
• Productivity reduction
• Increased business risks
• Security & control costs
• Public relations expenses
• Lost customers
• Less money for salary increases & bonuses
• Lost jobs

4. Who are the victims?

Fraud Threats (diagram; victims: Public Co, Private Co, Government, NGOs)
• Customers: shoplifting, false refunds, false credit cards, hot cheques
• Competitors: theft of trade secrets, employee bribery
• Vendors / Suppliers / Consultants: short shipment, double billing, false invoices, employee bribery
• Employees: expense account padding, embezzlement, theft of cash and property, kickbacks, manipulation of data, false benefit claims, padded payroll
• Owners / Managers against stockholders, creditors and customers: fraudulent F/S, insider trading, related party transactions; against customers: false advertising, short shipments, defective products, price fixing
• Against Government: tax evasion, contract cost padding, false benefit claims
• Against Insurers: false loss claims

5. Who are the perpetrators?
Who commits fraud? (Chart: E&Y Global Fraud Survey, Ernst & Young)
Fraudsters in the workplace (Chart: Honest vs Corrupt, scale 0-100; Source: Hibis)

6. What motivates them?
Fraud Triangle (1963), Dr Donald Cressey (ISA-240 Appendix-1):
• Pressure
• Opportunity
• Rationalisation

7. SOLUTIONS?

Answering some common questions…

1. “Fraud is not ‘high risk’ for us.”
Petro-chemical case study: the “No fraud here” mentality; fraud losses are called something else.
Operational losses
  Management excuse: Evaporative losses from storage
  Actual reason: Theft from storage (sealed tanks reduce evaporation)
Rebranding
  Management excuse: Losses due to the volume of product in the pipeline during the rebranding process
  Actual reason: Theft from storage and in transit (rebranding should be low volume)
Unallocated losses
  Management excuse: Maintenance related over-ride of retail dispensing system for servicing
  Actual reason: Theft from retail site (maintenance override should be minimal)
Contraction losses
  Management excuse: Volume differences due to temperature related contraction (hot to cold)
  Actual reason: Theft from storage and in transit (sealed tanks have temperature control)
Source: Preventing Fraud: Assessing the Fraud Risk Management Capabilities of Today’s Largest Organizations, by Protiviti
Source: KPMG

2. WHO IS RESPONSIBLE FOR PREVENTING FRAUD?
According to both the National Commission on Fraudulent Financial Reporting (1987) and ISA 240 (Consideration of Fraud in a Financial Statement Audit):
"It is management's responsibility to design & implement controls to prevent and detect fraud”
"Management... should set the proper tone... and establish controls to prevent, deter, and detect fraud“
The internal & external auditors are NOT responsible for fraud prevention!
Source: KPMG

ATTENDANCE LIST: HOW TO DETECT & PREVENT OCCUPATIONAL FRAUD, 6-9 DECEMBER 2011, CORP CONFERENCE CENTRE
(Columns: Company / Delegate Name / Job Title)
Companies: Hollard, Total SA, Rand Water, Dept of Rural Development, RIPCO, Roads Authority, Mvelaserve, Swaziland Railway, SPTC, Ned Hervormde Kerk
Delegates: Todini Mangwanda, Xolani Malinga, Nicole Coetzee, Jeanette Bester, Carla Lems, M Mtimkulu, Petrus Mokoena, Mogalanyane Makola, Nelisiwe Pule, Evodia Malebo, Martin Mae, Lorato Modise, Hilma Nangolo, Katrina Nakashona, Daniel Keramin, M Mathibela, Amos Mkhatswa, Vusi Makhubu, Nomfundo Dlamini, Sindile Mcanyana, Dudu Ncongwane, Johan Hattingh
Job titles: Forensic Auditor, Snr Auditor, Internal Auditor, Buyer, Financial Clerk, Inventory Admin, Snr Internal Auditor, Snr Investigator, Manager: Internal Audit, Director: Finance, Ass Director: Marketing, Human Resource Manager, HOD, Director, Chief Director

Answering some common questions…
Fighting Fraud is a Shared Responsibility
Fraud Exposure Rectangle
1. Management & Directors
2. Relationships with Others
3. The Organization & Its Industry
4. Financial Results & Operating Characteristics

1. Management & Directors: Executives Abandon Enron
• Rebecca Mark-Jusbasche, formerly CEO of Azurix, Enron’s troubled water-services company, left in August 2000
• Joseph Sutton, Vice Chairman of Enron, left November 2000
• Jay Baxter, Enron Vice Chairman, committed suicide May 2001
• Thomas White, Jr., Vice Chairman, left in May 2001
• Lou Pai, Chairman of Enron Accelerator, departed May 2001
• Kenneth Rice, CEO of Enron’s Broadband services, departed in August 2001
• Jeffrey Skilling, Enron CEO, left on August 14, 2001

2. Relationships with Others: Rigas’ Family Entities and Adelphia Communications
• Buffalo Sabres Hockey: tickets to Adelphia; money to the Rigases
• Interior Design Shop: furniture/design services to Adelphia; money to the Rigases
• Family-owned Farm: landscaping, maintenance to Adelphia; money to the Rigases
• Private Car Dealership: leased vehicles to Adelphia; money to the Rigases
• Transaction account from Adelphia Communications

3. Organization & Industry
• Company is doing extremely well yet competitors are not
• Unduly complex organizations
• Lack of internal audit
• Weak audit committees
• Board of directors with few outsiders

4. Examining financial statements
Enron's 1998 annual report: The company describes itself as a "global energy franchise,” and goes on to say that its "unparalleled ability to deliver on these three words will propel Enron to become THE 'blue chip' Electricity & gas company of the 21st century."
Enron's 1999 annual report: The company's strategy gets murky: "Enron is moving so fast that sometimes others have trouble defining us. But we know who we are, we are clearly a knowledge-based company, & the skills & resources we used to transform the energy business are proving to be equally valuable in other businesses."
Enron's 2000 annual report: The report summary says, "Enron hardly resembles the company we were in the early days… we have metamorphosed from an asset-based pipeline & power generating company to a marketing & logistics company whose biggest assets are its well-established business approach & its innovative people."

Answering some common questions…

3. “WE HAVE EXTERNAL AUDITORS!"
A 2013 study shows that auditors are making simple mistakes, like overlooking suspicious documents and missing blatant accounting scams. The long-term analysis of frauds from 1998 through 2010 found that auditors sometimes did not question documents that appeared to be fabricated, or that they overlooked discrepancies between real inventory & amounts on the books.
The most common auditor failings were:
• failure to assess and respond to fraud risks
• lack of competence and diligence
• lack of professional scepticism

• The American Institute of Certified Public Accountants
• Financial Executives International
• Institute of Management Accountants
• Information Systems Audit & Control Association
• Institute of Internal Auditors
• Association of Certified Fraud Examiners
• Society for Human Resource Management

4. "BUT WHAT ABOUT OUR INTERNAL CONTROLS?"
“If you were to ask a group of typical accountants what deters fraud, they would respond in unison: ‘Internal control!’ Using this logic, companies with adequate controls would not have fraud. But they do, time & again.” – Joe Wells, founder of the ACFE
Internal Controls ≠ Fraud Prevention!
Every organisation has ‘internal controls’ but they don’t all have ‘fraud prevention’!
“We Need to Deprogram Ourselves & Come up with a Different Approach”
• Controls are important, but not the whole answer
• We need to know more about fraud prevention
• Research has shown that the ideal solution is a Model Organizational Fraud Deterrence Program / Framework…

Implement this leading practice Anti Fraud Program… (Source: Ron Warmington, GE Money)
PREVENTION is best… Rapid DETECTION is good… But once detected… INVESTIGATE, RECOVER THE MONEY and then CORRECT the Processes

Implementing the Anti Fraud Programme (AFP) (start here at step 1; the cycle returns to step 1 after step 19):
1. Establish Fraud Strategy, Accounting / Reserving Policies
2. Establish Controllership / Fraud Committee
3. Appoint FRM (Risk) and ISM (Ops)
4. Adopt Global Fraud Definitions
5. Implement Spectrum and Garrison Fraud Reporting / Case Management Systems (all cases > USD 10,000, plus ALL employee fraud cases, loaded in Garrison; automatic reports to Senior Mgmt / Regulators)
6. Measure Current Fraud Losses & Benchmark Key Ratios
7. Set Fraud Loss ‘Red Lines’ by Product Type: % of Sales (bpts); % of Credit Losses; % of Net Income
8. Determine ‘Sweet Spot’ on Fraud Management Cost v Return (ROI > 7:1 or better)
9. Adopt GE’s Global Minimum Standards / Fraud Imperatives incl. KYC / KYI / Pre-employment screening / etc.
10. Raise Professionalism of FRMs & ISMs to meet GE Global Standards
11. Share Best Practices & Fraud Case Studies with other GE Businesses
12. Run Fraud Awareness Training Courses for ALL Staff
13. CRP (Credit Review Point) / NPI Processes ensure all New Product Initiatives are Fraud Repellent
14. Monitor Business Fraud Performance against Plan (Spectrum / Fraud PQRs, Portfolio Quality Reports)
15. R&D to find / test / select / roll out Fraud Management Technology
16. Liaise with Other Banks / Police / Regulators & Build Partnerships to fight Crime
17. Issue Fraud Alerts / Continuously Refresh Methods
18. Engage with Ombuds Process
19. Revise the Strategy / Update Policies / Re-set Imperatives (Risk-based / Proportionate / Practical)
Supporting activities: Maximise Collections & Recovery Results; Use Root Cause / Trend Analysis to drive Process Correction; Data Analytics (review prior credit write-offs to isolate / analyse / learn from previously undetected fraud); Reward Employees for Prevention / Detection Achievements

Fraud Prevention Building Blocks
“Most accountants think ‘internal control’ is the answer, yet organisations with controls still have fraud. Controls are only part of the answer but not the whole solution.” - Joe Wells, ACFE Founder
• Tone at the Top (1)
• Value System
• Accountability - Ethics
• Whistle blowing System
• Recruitment
• Fraud Risk Assessment
• Policy
• Training & Awareness
• Data Analytics
• Internal Controls

ROI on an effective AFP

ACFE Fraud Prevention Check-up: Median Loss Based on Presence of Anti-Fraud Controls
Control                                      Implemented   Median loss (Yes)   Median loss (No)   % Reduction
Surprise audits                              25.5%         $70,000             $207,000           66.2%
Job rotation/mandatory vacation              12.3%         $64,000             $164,000           61.0%
Hotline                                      43.5%         $100,000            $250,000           60.0%
Employee support programs                    52.9%         $110,000            $250,000           56.0%
Fraud training for managers/execs            41.3%         $100,000            $227,000           55.9%
Internal audit/fraud examination dept        55.8%         $118,000            $250,000           52.8%
Fraud training for employees                 38.6%         $100,000            $208,000           51.9%
Anti-fraud policy                            36.2%         $100,000            $197,000           49.2%
External audit of ICOFR                      53.6%         $121,000            $232,000           47.8%
Code of conduct                              61.5%         $126,000            $232,000           45.7%
Mgmt review of internal controls             41.4%         $110,000            $200,000           45.0%
External audit of financial statements       69.6%         $150,000            $250,000           40.0%
Independent audit committee                  49.9%         $137,000            $200,000           31.5%
Mgmt certification of financial statements   51.6%         $141,000            $200,000           29.5%
Rewards for whistleblowers                   5.4%          $107,000            $150,000           28.7%
(Implemented = % of cases in which the control was present; median loss with and without the control.)

2002 TOTAL Fraud, Prevented, Recoveries & ROI ($MM)
• Total Fraud Exposure (incl. failed fraud attempts): 150.0
• Detected / Averted / Prevented: 108.4 (72% of all fraud attempts prevented / detected / averted)
• Gross Fraud Losses: 41.6
• Recoveries: 10.2 (24% of remaining gross fraud losses then recovered)
• Net Fraud Losses: 31.4 (net fraud losses were just 21% of total fraud attempts)
• Fraud Management Costs: 4.4
• Return on Investment = 27:1, i.e. (108.4 + 10.2) / 4.4
Impressive 2002 Fraud Prevention / Detection Performance… Recoveries boosted by USD 6.5 million from the Czech IT Fraud Case.

2003 TOTAL Fraud, Prevented, Recoveries & ROI ($MM)
• Total Fraud Exposure (incl. failed fraud attempts): 334.5
• Detected / Averted / Prevented: 282.3 (84% of all fraud attempts prevented / detected / averted)
• Gross Fraud Losses: 52.2
• Recoveries: 10.2 (20% of remaining gross fraud losses then recovered)
• Net Fraud Losses: 42.0 (net fraud losses were just 13% of total fraud attempts)
• Fraud Management Costs: 10.0
• Return on Investment = 29:1, i.e. (282.3 + 10.2) / 10.0
Fantastic 2003 Fraud Prevention/Detection Performance… But recoveries need further attention through more/better investigations.
Source: Shannon Grayer, Microsoft

ANTI-FRAUD PROGRAM REVIEW performed by Exactech for Eskom
• Forensic Strategy Review: review of the Forensic Manual; Fraud Response Plan & Fraud Prevention Plan updates and expansion
• Review of Hotline Calls: all call reports for the past 12 months reviewed in terms of process, trends, outcomes, root cause analysis, etc.
• Fraud Awareness training for managers at P/S: employees were then trained as a phase two in 2010 after we had trained the trainer
• Fraud Risk Assessment: Rotek (2009); Roshcon (2011)
• Fraud Awareness Newsletter: “Integrity in the Spotlight”; also used a cartoonist for the general newsletter
• Data Analytics: results were used to confirm findings from the fraud risk assessments (2009 & 2011)
(Graphic: GAO Summary Report, US General Accounting Office)

COSO organizing frameworks
• COSO 1992 – Internal Control
• COSO 2004 – Enterprise risk management
COSO 1992 and 2004 Cubes (entity structure, components, philosophical change)
• What’s different? The change is an explicit recognition of the limitations of internal control in preventing many high-profile corporate frauds.
• 2004 Framework components: Internal Environment; Objective Setting; Event Identification; Risk Assessment; Risk Response; Control Activities; Information and Communication; Monitoring

Who is a Framework For?
Management Models: Management by Objectives; Balanced Scorecards; Six Sigma; Management by walking around; etc.
Frameworks: COSO; COCO; Internal Controls.
Auditors need some way to evaluate controls in the many different management models we see – that's a framework!

Summary of Updates (COSO 2013 Cube)
A changing business environment drives updates to the Framework:
• Expectations for governance oversight
• Globalization of markets and operations
• Changes in business models
• Demands and complexity of rules, regulations and standards
• Expectations for competencies and accountabilities
• Use and reliance on evolving technology
• Expectations for preventing and detecting fraud
Updated COSO Cube.

Summary of Updates: Two Cubes... Codification of 17 principles embedded in the original Framework
(Building blocks overlaid on the cube: Tone at the Top; Value System; Accountability – Ethics; Whistle-blowing System)
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies relevant objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17.
Evaluates and communicates deficiencies

COSO I/C Framework and the AFP building blocks
• Gained wide acceptance following the financial control failures of the early 2000s
• Most widely used framework around the world
• The ACFE's 10 building blocks correspond nicely with COSO's internal control framework
Creating a Control Environment: Tone at the Top, Accountability, Policies, Hiring, Hotline, Code of Ethics (all contributing to the Company Culture). The remaining building blocks (Recruitment, Fraud Risk Assessment, Policy, Training & Awareness, Data Analytics, Internal Controls) map onto the other AFP components.
AFP components: Creating a Control Environment; Performing Fraud Risk Assessments; Designing and Implementing Antifraud Control Activities; Sharing Information and Communication; Monitoring Activities.

Keep the Strategy but Change Your Tactics
Where you are... Tone at the Top; Value System; Accountability – Ethics; Whistle-blowing System; Recruitment; Fraud Risk Assessment; Policy; Training & Awareness; Data Analytics; Internal Controls.

What is your state of readiness? (Cooper Color Code)
• White: Unaware / Not alert
• Yellow: Relaxed / General alertness
• Orange: Heightened state of alertness
• Red: Ready to fight

A COSO-based Anti-Fraud Program: Creating a Control Environment
1. Establishing appropriate "tone at the top" and organizational culture
2. Documenting antifraud policies & procedures & Code of Ethics
3. Hiring & promotion standards
4. Establishing, complementing, or evaluating Internal Audit functions
5. Responding to allegations or suspicions of fraud
6. Enforcing accountability
7.
Implementing & maintaining a fraud and ethics hotline and whistleblower program
(AFP components: Creating a Control Environment; Performing Fraud Risk Assessments; Designing and Implementing Antifraud Control Activities; Sharing Information and Communication; Monitoring Activities)
Source: Deloitte
Source: http://en.wikipedia.org/wiki/Jeff_Cooper#Combat_Mindset_-_The_Cooper_Color_Code

Tone at the top: Goldfields; Sun International; Nedbank. 'Slap & Smile' Management Style – Brad Sadler.

Are all these people "bad apples"?
WorldCom: Bernie Ebbers, Scott Sullivan. Enron: Ken Lay, Jeff Skilling, Andy Fastow. HealthSouth: Richard Scrushy. Adelphia: John Rigas. Tyco: Dennis Kozlowski.
Page 111... "We've received a tender and there are only 3 companies in the country competent to tender because of the specs, so we've decided to have a pre-opening tender so that whichever way it goes we're going to make a lot of money". Everyone applauded. They asked how much they would make and he confided "even if we don't get the job we'll make a million!" I raised my hand. "Excuse my ignorance, what is a pre-opening tender?"... ...I was amazed, "Is that allowed?" I asked. "Of course not!" "Isn't that fraud?" "Of course, but everyone does it!"
Source: Dr. Tony Dimnik and Dr. Pamela Murphy, Queen's School of Business

Types of Shareholder Leakage: Excessive salaries (year totals)
Executive / Company               Base Salary     Incentive Pay   Exercised / Remaining Options   Equity Holdings
Bernie Ebbers, WorldCom           $4.8 million    $41.6 million   $24 million                     $389 million
Kenneth Lay, Enron                $6 million      $16.1 million   $182 million                    $545 million
Dennis Kozlowski, Tyco            $6.9 million    $15 million     $281 million                    $786 million
John Rigas, Adelphia              $12 million     $               $                               $
Richard Scrushy, HealthSouth      $15.4 million   $93 million     $300 million                    $16.5 million

Why The Wealthy Feel Poor!
We've always thought that feeling wealthy was subjective.
But we never knew how subjective: 3 recent studies indicate that the wealthiest among us don't think they're loaded enough.
1. A Gallup study: 3 in 10 people making more than $250,000 annually don't realize that they are "upper-income."
2. A Fidelity Investments survey: four out of ten American millionaires do not feel wealthy.
3. A Boston College study: the majority of those who have more than $25 million do not consider themselves financially secure.
http://www.learnvest.com/living-frugally/psychology-of-money/why-the-wealthy-feel-poor-133/

Martha: The Company
• Four core magazines. Emmy award-winning domestic arts television program. Weekly segment on CBS "This Morning." 34 books, sold over 10 million copies.
The charges
• Stewart sells nearly 4,000 shares of ImClone stock worth $229,000 the day before it plummeted (due to the FDA's non-approval of ImClone's new cancer drug), acting on insider knowledge
• Stewart went so far as to delete a computer log of the incriminating phone call and went on to lie to investigators
• "Stewart holds a Series 7 license. As a licensed stockbroker, she knows her actions may well have been illegal. She's not just some innocent who made a mistake or wanted to save her investment."
[Chart: share price, Dec-03-01 to Jan-31-02; 12/31/01: $46.46 at closing]

The Economic Cost$ of the Scandal
• Stewart's television network holiday special was cancelled, resulting in TV revenues dropping from $9.6m a year ago to $6.4m
• Shares have fallen from $19 to just over $9
• In 2003 Stewart reported that legal fees, lost business, & lost opportunities due to the ImClone insider trading scandal had cost her over $700m
• She has lost her position as Chair of the Board & CEO
• Martha was sentenced in July 2004 to five months in prison for obstructing a federal securities investigation.

There are Some Things Money Can't Buy...
Amount realized from selling ImClone stock on December 27, 2001: $229,002.
Amount Martha would have received if she sold after the news was public: $189,495
Overall savings: $39,507
Being able to continue life as an icon... PRICELESS

Nokia 808 PureView: 41 MegaPixel camera!
Lots of people are upset about a recent policy change at Google whereby the search giant announced it will start using the names and photos of people who use Google+ in advertisements.

Seth Godin – Marketing Guru: "To satisfy Wall Street, companies hire a new kind of employee -- the kind who can and will do whatever it takes to keep making those profit numbers go 'up and to the right'... ...even if it means doing things that are bad for customers and run counter to the company's core values."

The Fraud Triangle: Pressure, Opportunity, Rationalisation.
The ability to rationalize is influenced by the "tone at the top" and the perceptions the employee has regarding management's commitment to the "rules."

Which one/s should be fired? Will laws & controls help here?
1. Boeing CEO has affair with female Boeing executive
2. Game stores director steals packet of razor blades
3. The CEO is caught speeding at 186 km/h in a 120 km/h zone.

Boeing CEO
Boeing fires CEO over relationship (www.cnn.com, 7 March 2005)
Boeing has ordered its CEO Harry Stonecipher to step down because of what the U.S. aircraft giant said was an improper relationship with a female executive. The company said that Debra Peabody did not report directly to Harry & that the relationship was consensual & had no effect on the conduct of the company's business.
But it said the relationship violated Boeing's code of conduct... "the board concluded that the facts reflected poorly on Harry's judgment & would impair his ability to lead the company." However, the CEO must set the standard for unimpeachable professional & personal behavior, & the board determined this was the right & necessary decision under the circumstances.

Game Stores Director
Game CEO holds a disciplinary hearing, finds the accused director guilty and fires him. A few weeks earlier one of the cleaning staff had tried to steal some stationery and she was dismissed on the spot.
Source: Brand Pretorius

CEO of Pick 'n Pay
Beginning of August 2006: caught speeding in Jhb. End of August 2006: he resigns as CEO of Pick 'n Pay.

Policies, Plans, Codes, Guidelines
Fraud Policy; Fraud prevention plan; Code of ethics; Code of conduct; Social Media; Whistle-blower policy; Reward policy; Corruption policy; Fraud response plan.

What's the Most Important thing You could ever have?
Money; Happiness; Love; Values; Health; Freedom; Security; Career; ?

The most controversial lottery winner that comes to mind is Jason Canterbury, who won R6.7 million in a 2003 lottery at the tender age of 18. The Cape Flats resident turned to drugs and crime to support his extravagant lifestyle after he blew his fortune, and he landed up in jail with a 28 year sentence after being charged for murder. The moral of the story is this: If you're lucky enough to win millions in the South African lottery, get yourself a good financial advisor and save at least half for a rainy day! By the way, Gidani offers free counseling to anyone who has won R50,000 or over!

4 factors that affect ethical decisions

Zimbabwean Broke after winning SA lotto
The first mega-million lottery winner in SA's history, Batsirayi Mupfawi, made headlines in 2000 after he won R14 million through a R5 lottery ticket. Mupfawi is now bankrupt with a string of debts.
However, Mupfawi insists that, compared to other lottery winners in history, he is in a good position and that "I'm fortunate that nothing happened to me." Mupfawi was referring to some of the more infamous lottery winners who obviously couldn't handle the pressures and went astray... William Post, who won more than R780-million in a US draw in 1998, only to end up living on a social grant after relatives siphoned away his windfall, hired a hit man to kill him and then sued him; and Jeffrey Dampier, who died after his 1986 US win of R134-million. His sister-in-law, who had hoped to inherit his windfall, was sentenced to life in prison for his murder.

4 factors that affect ethical decisions:
1. The Law
2. Professional Standards
3. Tension between personal values & organizational needs
4. Social Pressures

Your future workforce... (cheating in college)
11% reported cheating in 1963
49% reported cheating in 1993
75% reported cheating in 2007
http://www.engin.umich.edu/research/e3/

CHEATING & CRIME
DAN ARIELY, BEHAVIORAL ECONOMIST, Massachusetts Institute of Technology, AUTHOR OF "PREDICTABLY IRRATIONAL"
Video clip links:
http://fora.tv/2008/03/04/Dan_Ariely_Predictably_Irrational
http://www.ted.com/index.php/talks/dan_ariely_on_our_buggy_moral_code.html

Lessons...
A lot of people cheat – just a little bit!
When people were reminded about morality (10 commandments) they did not cheat.

Religion isn't about only worship and ritual; it teaches believers how to live. Thus, the holy books of every major religion are filled with precepts and principles about honesty, justice, fidelity, compassion, and charity that leave no doubt about the role ethics and personal virtue should play in our daily lives at home and at work. In his fine book The Business Bible: 10 New Commandments for Bringing Spirituality & Ethical Values into the Workplace, Rabbi Wayne Dosick tells of a soapmaker who challenged a rabbi: "What good is religion?
It teaches honesty, but most people are dishonest." (How does the Rabbi answer...?)
– Michael Josephson, The Application of Religion to Business

Letter that a principal sent to his teachers at the beginning of each new school year...
Dear Teacher,
I am a survivor of a concentration camp. My eyes saw what no man should witness: Gas chambers built by learned engineers. Children poisoned by educated physicians. Infants killed by trained nurses. Women and babies shot and burned by high school and college graduates. So I am suspicious of education. My request is: Help your students become human. Your efforts must never produce learned monsters, skilled psychopaths, educated Eichmanns. Reading, writing, arithmetic are important only if they serve to make our children more human.

Why is Ethics / Honesty Decreasing?
Modeling (example); Labeling; Teaching & training; Ethics / Honesty.
Source: W. Steve Albrecht, Associate Dean, Marriott School of Management, Brigham Young University

How Important is Integrity?
In a survey of 54,000 people, Integrity was by far the #1 attribute desired in a leader. (Quoted in Stephen R. Covey's preface to Business with Integrity, p. xx)
Illustrations drawn by Jack Chick in David Daniel's book 'Did the Catholic Church give us the Bible?' www.chick.com

Modes of managing ethics
Most people do mostly right things most of the time. It's the difference between 'most' and 'all' where the challenge of doing right is found – and where the greatest opportunity for ethical enhancement exists. To be sure, none of us is perfect. And that needs to be seen for exactly what it is: A FACT... A CONDITION, NOT AN EXCUSE. Compensating for our imperfections and overcoming the temptations we face requires commitment and self-discipline.
REACTIVE: Aware of ethics risk; ethics standards created, but not enforced.
COMPLIANCE: Prevent unethical behaviour; rules & external enforcement (Letter of the Law).
INTEGRITY: Promote ethical behaviour; values & internal commitment (Spirit of the Law).
TOTALLY ALIGNED: Ethics integrated with corporate purpose and strategy; ethics entrenched in corporate culture.
Behaving ethically – being people of integrity – isn't always easy, but it is always RIGHT! It is a requirement for long-term success.

Hitachi strives to conduct its corporate activities in a fair and open manner, which requires us to practice "Basics and Ethics" & "right and wrong, not loss and gain".
Organisations expect all employees to share their commitment to a value system that adheres to high moral, ethical and legal standards and a culture of achievement.

Ethical Choices: a two-by-two of Legal / Illegal against Ethical / Unethical.

Comment on Policies / Hiring
Must Be Written. Annual Written Acknowledgement & Agreement by Employees. Communicate to Employees, Customers, Vendors.

Kroll: % of client background screenings by check type
Industry                 Criminal   DMV Record   Credit History   Drug Testing   Employment Verification   Education Verification   Workers' Comp History
Client Average           9.5        47.5         42.9             3.3            48.1                      22.6                     6.8
Manufacturing            12.6       *            47.4             39.0           2.3 / 51.4                29.2                     8.7
Professional Services    9.7        46.3         33.0             4.1            55.8                      26.0                     *
Staffing                 8.1        47.0         50.4             3.1            51.6                      21.0                     4.6
Technology               6.9        42.8         34.7             2.2            51.4                      22.4                     1.1
Transportation           11.2       50.5         40.1             2.7            59.9                      16.0                     5.9
(Rows for Automotive, Construction, Education, Food Services, Hospitality, Non-Profit, Real Estate and Retail are garbled in the source and could not be recovered.)

Annual Assessment of Problems: Education Anomalies at an all-time High
Exaggeration and falsification of academic qualifications rife.
63% of all screenings undertaken in EMEA in September 2013 contain an inaccuracy or lie.
http://www.hireright.co.uk/blog/2013/10/education-anomalies-at-an-all-time-high/

Apples & Barrels
Good Apple / Good Barrel; Good Apple / Bad Barrel; Bad Apple / Good Barrel; Bad Apple / Bad Barrel. For each: Change or Leave.
Source: Prof. G J (Deon) Rossouw, University of Pretoria

Staff Vetting
Recruit: Pre-employment screening. In service: Continuous in-service screening. Resign: Exit Interviews. Career Criminal vs. Situational Criminal.
I'll Take that – survey shows it's common for staff to take confidential company info when they resign.

Internal Audit
Perception of the enterprise risk profile by role.

Auditing vs. Fraud Examination / Forensic Auditing
Issue          Auditing                                                                 Fraud Examination
Timing         Recurring: audits are conducted on a regular, recurring basis.           Non-Recurring: fraud examinations are non-recurring. They are conducted only with sufficient predication.
Scope          General: the scope of the audit is a general examination of financial data.   Specific: the fraud examination is conducted to resolve specific allegations.
Objective      Opinion: an audit is generally conducted for the purpose of expressing an opinion on the financial statements.   Affix Blame: the fraud examination's goal is to determine whether fraud has occurred, is occurring or will occur, and to determine who is responsible.
Relationship   Non-Adversarial: the external audit process is non-adversarial in nature.   Adversarial: fraud examinations, because they involve efforts to affix blame, are adversarial in nature.
Methodology    Audit Techniques: audits are conducted primarily by examining financial data.   Fraud Examination Techniques: fraud examinations are conducted by (1) document examination; (2) review of outside data such as public records; & (3) interviews.
Presumption    Professional Scepticism: auditors are required to approach audits with professional scepticism.   Proof: fraud examiners approach the resolution of a fraud by attempting to establish sufficient proof to support or refute an allegation of fraud.

IIA Standard 1200: Proficiency & Due Professional Care
1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
IIA Standard 1220: Due Professional Care
1220.A1 – Internal auditors must exercise due professional care by considering the probability of significant errors, fraud, or noncompliance.
IIA Standard 2120: Risk Management
2120.A2 – The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
IIA Standard 2210: Engagement Objectives
2210.A2 – Internal auditors must consider the probability of significant errors, fraud, noncompliance, & other exposures when developing engagement objectives.

There are 3 questions that I recommend all auditors ask every client they interview during an audit. If they start out by saying, "Part of my job as an auditor is to deter fraud," it will give them license to ask some direct, but polite questions:
"Do you think this organization has any problems with fraud? Why or why not?"
"Has anyone ever asked you to do something you thought was illegal or unethical?"
"What would you do if someone asked you to do something like that?"
Asking these questions also helps send the right message to the people being audited: We're actively looking for frauds, so be careful.
Auditor asks "Could fraud happen in your department?"
Typical answers: Definitely not. Not at all. Never. Not internally.
Eyes left = memory. Eyes right = imagination. You will be able to spot these movements. Watch politicians.
Tata ma chance – Gidani

Fraud Tolerance
Own / Manage Risks; Oversees Risks; Independent Assurance. Actions against offenders...

The Accident Triangle (Practical Loss Control Leadership, F E Bird and G L Germain, 1969)
1 Serious Injury; 10 Minor Injuries; 30 Damage Accidents; 600 Near-miss Accidents.
Applied to fraud: 1 Enron; 10 Fraudulent; 30 Aggressive; 600 Creative.

Dan Ariely's controlled experiment

Accountability
Video Clip: Michael Franzese History (franzese.mov)
26 U.S. Mafia families since 1920: 16 minor & 10 major families (Boston, Buffalo, Chicago, New York, Detroit, Tampa, ...; John Gotti; 'Lucky' Luciano).
"Accountability is the whole key here and if the directors of companies have a good system of accountability from all stakeholders, I think most of these frauds could be prevented" – Michael Franzese
RESPONSIBILITY: authority, the ability to act independently & make decisions.
ACCOUNTABILITY: required to account for one's conduct.

Jeffrey Dahmer... C = P – A
Jeffrey Lionel Dahmer (1960 – 1994) was an American serial killer and sex offender. Dahmer murdered 17 men & boys & his murders were particularly gruesome, involving rape, torture, dismemberment, necrophilia & cannibalism.
"If a person doesn't think there is a God to be accountable to, then what's the point of trying to modify your behavior to keep it within acceptable ranges? I always believed the theory of evolution as truth, that we all just came from the slime.
When we died, you know, that was it, there is nothing..." – Jeffrey Dahmer, in an interview with Stone Phillips, Dateline, NBC, Nov. 29, 1994.

Corruption = Power – Accountability. Power without accountability breeds corruption.

The Circle of Morality™
1. Beliefs (Beliefs are KEY to an Ethical Foundation)
2. Values
3. Ethics
4. Actions
5. Consequences
For a shift to higher Ethics, there must be meaningful enough Consequences to the Actions of individuals to cause a shift in the Beliefs of a majority of society that is significant enough to change individual Values.
Source: CA Crawford & Associates, P.C.

Accountability – some examples
Link the fraud prevention plan (FPP) to the activities of managers, which is then used as a tool for performance management. The Balanced Score Card (BSC) approach can be used to form the link between management activity & output and the FPP.
Every senior leader in the company is asked to find an example of exemplary ethical behavior in his business unit and recommend the responsible employee for the Chairman's Award. If he fails to do this, he receives a negative evaluation.
Internal Climate Surveys: Each year ask your people to assess leadership, whether we behave in accordance with those values. To talk is easy, to live the values is a different thing. Do we "walk the talk?" Leaders scoring less than the passing mark are penalised.
Three Monkeys: Mizaru, Kikazaru & Iwazaru (and Shizaru). Corruption / Fraud / Ethics.

Hotline & Whistle-blower Program
Staff Members... it's your duty to do the right thing & report any signs of fraud or corruption.
Concept started after the Challenger disaster in January 1986. 2010/12 Global Fraud Surveys.
"Whistle-blower Protection Act of 1989": Prohibits an employer from taking adverse action against an employee who acted in good faith to report the waste of public funds, property, manpower or a violation or suspected violation of a legally adopted rule or law.
Hotline basics: External; Anonymous; Confidential; Toll-free; Easily accessible; Available 24/7; 'Live'; Callback code; Language capability; Regular communications.
Hotline... supportive leadership.

A COSO-based Anti-Fraud Program: Performing Fraud Risk Assessments
(AFP components: Creating a Control Environment; Performing Fraud Risk Assessments; Designing and Implementing Antifraud Control Activities; Sharing Information and Communication; Monitoring Activities)
1. Establishing a fraud risk assessment process that considers fraud risk factors and fraud schemes
2. Involving appropriate personnel in the fraud risk assessment process
3. Performing fraud risk assessment on a regular basis
Source: Deloitte

What Is Fraud Risk?
The vulnerability that an organisation has to those capable of overcoming all three elements of the fraud triangle is fraud risk. Fraud risk can come from sources both internal and external to the organisation.
Why Should an Organisation Be Concerned About Fraud Risk?
Every organisation is vulnerable to fraud; there is no organisation that has immunity to that risk. The key to reducing that vulnerability is to be consciously aware and realistic about what the organisation's weaknesses are. Only then can management ensure that it establishes mechanisms that effectively prevent or detect fraudulent activities.
What Is a Fraud Risk Assessment?
FRA is a process aimed at proactively identifying and addressing an organisation's vulnerabilities to internal & external fraud. As every organisation is different, the FRA process is often more an art than a science. What gets evaluated and how it gets assessed should be tailored to the organisation: there is no one-size-fits-all approach. Additionally, organisational fraud risks continually change. It is therefore important to think about a fraud risk assessment as an ongoing, continuous process, rather than just an activity. A FRA starts with an identification & prioritisation of fraud risks that exist in the business. The process evolves as the results of the identification & prioritisation begin to drive education, communication, organisational alignment, and action around effectively managing fraud risk and identifying new fraud risks as they emerge.

What makes a good FRA?
A good FRA is one that fits within the culture of the organisation, is sponsored and supported by the right people, encourages everyone to be open in their participation, and is generally embraced throughout the business as an important and valuable process.

Preparing the Company for a Fraud Risk Assessment
Preparing the company for the fraud risk assessment is a critical element in ensuring its success. The culture of the organisation should play a large role in influencing the approach taken to prepare the company for the fraud risk assessment. The goals of the preparation should be to:
• Assemble the right team to lead and conduct the FRA.
• Determine the best techniques to use in conducting the FRA: interviews, surveys, focus groups, anonymous feedback.
• Obtain the sponsor's agreement on the work to be performed: scope, methods, individuals & form of output.
• Educate the organisation and openly promote the process.
Success factors: Collaborative Effort of Management and Auditors; The Right Sponsor; Independence / Objectivity of the People Leading & Conducting the work; A Good Working Knowledge of the Business; Access to People at All Levels of the Organisation; Engendered Trust; The Ability to Think the Unthinkable; A Plan to Keep It Alive and Relevant.

Executing the Fraud Risk Assessment: Choosing a Framework
When conducting a FRA, it is helpful to use a framework for performing, evaluating, and reporting on the results of the work. Fraud risk can be analyzed and reported both qualitatively and quantitatively using a consistent framework. The following sample FRA frameworks illustrate how the elements of FRA are applied under different approaches.

Sample Fraud Risk Assessment Framework #1
Using this framework, the FRA team incorporates the following 8 steps into the FRA strategy. Risks are plotted by Pervasiveness and Velocity.
Example: Theft of autoreclosers, panels & circuit breakers... found on the suspect's brother's farm!
Is this the Image You Want for Your Employer? What about this?

So What?
Domino's, in an effort not to draw attention to the video, waited days to respond, and did not bring on additional resources to help. Eventually they started a Twitter account and published an apology video on YouTube, but the damage was already done. Domino's eventually was able to get the videos removed from YouTube, but did not realize that a majority of the dialogue related to the story was actually happening on Twitter. Outcome: Domino's stock price dropped 10% over the week, costing shareholders millions.

Sample Fraud Risk Assessment Framework #2: Fraud Risk Index
The Fraud Risk Index is the overall assessment of fraud risk for the organisation based on three components:
1. The Environmental Risk Index
2. The Culture Quotient
3. The Prevent/Detect Index

1. THE ENVIRONMENTAL RISK INDEX
The Environmental Risk Index is an assessment of macro-level fraud risk indicators that can affect the organisation's vulnerability to fraud. These include factors such as pressures on the business, the organisation's system of internal controls, the tone at the top, and the overall quality of the mechanisms that the company has in place to prevent and detect fraud.

2.
THE CULTURE QUOTIENT The Culture Quotient is an assessment of how the organisation and its people behave or are perceived to behave. The Culture Quotient includes: The Fraud Risk Index is the overall assessment of fraud risk for the organisation based on three components: 1. 2. 3. The Environmental Risk Index The Culture Quotient The Prevent/Detect Index - Tolerance Index - an assessment of the organisation’s tolerance for bad behaviour. An organisation that has a high tolerance for bad behaviour can significantly increase the company’s vulnerability to fraud risk. - Entitlement Index - an assessment that helps determine whether people in the company display or promote a sense of entitlement. An organisation that sustains a strong sense of entitlement from its employees or leaders can have a higher risk of fraud. - Notification Index - an assessment of how likely it is that employees will come forward when they suspect something is wrong. An organisation where there is a low probability that employees will come forward is at significantly greater risk of fraud than an organisation where it is likely that employees will come forward. 1. THE ENVIRONMENTAL RISK INDEX The Environmental Risk Index is an assessment of macro-level fraud risk indicators that can affect the organisation’s vulnerability to fraud. These include factors such as pressures on the business, the organisation’s system of internal controls, the tone at the top, and the overall quality of the mechanisms that the company has in place to prevent and detect fraud. Both the Environmental Risk Index and Culture Quotient are elements of the Fraud Risk Index that are aimed at identifying and evaluating macro-level indicators of fraud risk that the company may be exposed to. 243 244 Sample Fraud Risk Assessment Framework #2— Fraud Risk Index Sample FRA Framework #2—Fraud Risk Index 3. 
THE PREVENT/DETECT INDEX The Prevent/Detect Index assesses the quality of the specific mechanisms that the organisation has in place to prevent or detect potential fraud, particularly those fraud schemes for which the company is at the greatest risk. This component of the assessment can be used to identify the company’s greatest fraud risks by pinpointing areas and methods that provide opportunities for potential fraudsters to get something— of either real or perceived value—out of the business. To calculate the Prevent/Detect Index, a standard, comprehensive population of fraud schemes, such as the ACFE Occupational Fraud Classification System, is used to evaluate each scheme that applies to the business and determine which schemes are the high-risk schemes that the organisation should focus on. For those fraud schemes that apply to the company, an evaluation of each scheme should be performed to ID: The likelihood that the scheme could be perpetrated The significance of the fraud risk to the company Whether there are preventive or detective internal controls in place to moderate the risk to a sufficient level Leadership Risk Profile The Leadership Risk Profile is developed to provide a macro-level organisational view of which business leaders, if any, increase the organisation’s vulnerability to fraud through their: 245 Leadership style / Operating behaviours / Decision-making practices The FRA team should develop or obtain an organisational chart that shows the organisational structure of the business and identifies its leaders. The team should then develop a profile of each of the leaders and evaluate the fraud risk associated with their leadership styles, operating behaviours (including how they interact with their team and partners across the business), and decision-making practices. 
As part of this evaluation, the team should consider any information that indicates unique pressures on or incentives for each leader that could increase the organisation's fraud risk, such as:
- A significant amount of personal net worth invested in the company
- A large portion of compensation tied to activities that the leader can manipulate (e.g., sales volumes or other business performance measures)
- A pending divorce
- Recent organisational changes that have either greatly expanded or reduced/eliminated the leader's span of control
- Living larger than life
- Vices: dependence on drugs or alcohol, or gambling problems

Responding to Residual Fraud Risks

Impact against probability, with the response for each quadrant:

                    Probability: Low           Probability: High
  Impact: High      Medium Risk (Transfer)     High Risk (Avoid)
  Impact: Low       Low Risk (Assume)          Medium Risk (Mitigate)

Reporting the Results of the Fraud Risk Assessment

The success of the fraud risk assessment process hinges on how effectively the results are reported and what the organisation then does with those results. A poorly communicated report can undermine the entire process and bring all momentum established to a screeching halt. The report should be delivered in a style most suited to the language of the business. If management prefers short, punchy PowerPoint presentations, the fraud risk assessment team should not give them a 50-page Word document.

Considerations When Reporting the Assessment Results

To maximise the effectiveness of the process, the team should consider the following points when developing the report of the results.

Report Objective, Not Subjective, Results

A lot of instinct and judgment goes into performing the fraud risk assessment. When reporting the results of the assessment, the team must stick to the facts and keep all opinions and biases out of the report. A report that is peppered with the assessment team's subjective perspective will dilute and potentially undermine the results of the work.
Focus On What Really Matters

Less is often more when it comes to reporting the results of the fraud risk assessment. The team should take care not to turn the report into a laundry list of things that management will have to sort through and prioritise. Instead, the report should be presented in a way that focuses on what really matters, clearly highlighting those things that are most important and that will make the most impact on the organisation's fraud risk management efforts.

Identify Actions That Are Clear and Measurable to Drive Results

The report should include some key recommendations for action that are clear, measurable, and will drive results. The actions should be presented in a way that makes it apparent what exactly needs to be done. The report should not include recommendations that are vague or that wouldn't reduce the risk of fraud. Additionally, the actions reflected in the report should have already been vetted with and agreed to by the recommended action owners.

Keep It Simple

The assessment results should be reported in a way that is easy to understand and that resonates with management. The reader of the report should be able to quickly look at and comprehend the results. A simple one-page visual can sometimes make the most impact.

Sample Report Formats

Below are two examples of simple formats that can be used or adapted to report on the results of a fraud risk assessment based on the Fraud Risk Index framework discussed earlier.

Executive Summary Report Format

The following report format is a simple one-page executive-summary-type report. It gives the reader a snapshot view of the results of the work, along with insight into what is driving the results and what actions can be taken to reduce the fraud risk. Using a simple format like this forces the assessment team to focus on what really matters and what will make the most impact.
Fraud Risk Index Graphic Report Format

[Figure: one-page Fraud Risk Index dashboard. Gauges for the Environmental Risk Index, the Culture Quotient (with its Tolerance, Entitlement and Notification indices) and the Prevent/Detect Index, each scaled from Low (Safe) through Moderate and High to Critical (Danger); a Severity of Impact against Probability of Occurrence plot; and panels for Overall Assessment, Key Risk Drivers and Key Risk Reduction Actions.]

This sample report format would work well in an organisation that uses dashboards or tends to be visually oriented. The gauges can be substituted with any type of visual representation that the organisation uses in the normal course of business. This report should be accompanied by a one- or two-page action plan.

Reporting the Leadership Risk Assessment Results

The results of the Leadership Risk Profile should be treated with great sensitivity. The fraud risk assessment team should discuss with the sponsor what the best method would be for conveying the results of that work. If a formal report is requested, a colour-coded organisation chart can be used as a quick visual to convey the fraud risk associated with each leadership area across the business.

Making an Impact with the Fraud Risk Assessment

To make the most of the fraud risk assessment process, management should use the results to:
- Begin a dialogue across the company.
- Look for fraud in high-risk areas.
- Hold action owners accountable for progress.
- Keep the assessment process alive and relevant.

The FRA and the Audit Process

The FRA should play a significant role in informing and influencing the audit process. In addition to being used in the annual audit planning process, the fraud risk assessment should drive thinking and awareness in the development of audit programs for areas that have been identified as having a moderate to high risk of fraud.
Although auditors should always be on guard for things that might be indicators of fraud risk, the results of the fraud risk assessment can help them design audit procedures in a way that enables them to look for fraud in known areas of high risk.

It's about bringing to the surface what can wreck your ship.

The following template can be used by auditors to evaluate how effectively the moderate to high fraud risks are being managed by the business:

The Fraud Triangle is the Problem, so any Solution must address all 3 parts

[Figure: fraud triangle with the vertices Pressure, Rationalisation and Opportunity, set against the solution elements Training & Awareness, Control Environment, Fraud Risk Assessment, Data Analytics and Internal Controls.]

Free Fraud Health Check: 12 Questions. No Cost & No Obligation.

A COSO-based Anti-Fraud Program (Source: Deloitte)

The components of the Anti-Fraud Program (AFP): Creating a Control Environment; Performing Fraud Risk Assessments; Designing and Implementing Antifraud Control Activities; Sharing Information and Communication; Monitoring Activities.

Controls:
1. Defining and documenting mitigating controls and linking them to identified fraud risks
2. Modifying existing controls, designing and implementing new preventative and detective controls as necessary; and implementing supporting technologies

Examples of controls:
– Standard policies & procedures
– Segregation of duties
– Authorization levels/approvals
– Exception reports ('was-is')
– Reconciliations
– Periodic audits
– Monitoring visits
– Process redesign

[Figure: undesirable events, like fraud, met by Preventive, Detective and Corrective controls at each stage.]

Segregation of Duties Matrix

[Table: for each process (Process 1, Process 2, Process 3, etc.) the four duties custody, authorization, recording and execution are listed against Employee 1 to Employee 6 etc.; an X marks each duty an employee holds. Caption: "QUALITY?"]
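As an added example (not from the seminar slides), the matrix above can be checked mechanically: the four duties per process are the page's own categories, while the employee and process assignments below are constructed. The check flags any employee holding two or more duties on one process, reports duties nobody holds, and counts how many duty cells each person holds across all processes, which is how an "utterly trusted" employee shows up.

```python
# Added example, not the seminar's own material: checks over a segregation
# of duties matrix. Duty names follow the slide; all assignments are constructed.

# The four incompatible duties from the matrix on the slide.
DUTIES = ("custody", "authorization", "recording", "execution")

# Constructed matrix: {process: {employee: set of duties held}}
SOD_MATRIX = {
    "Process 1": {
        "Employee 1": {"custody"},
        "Employee 2": {"authorization"},
        "Employee 3": {"recording"},
        "Employee 4": {"execution"},
    },
    "Process 2": {
        "Employee 5": {"custody", "recording"},        # holds the asset and records it
        "Employee 2": {"authorization", "execution"},  # approves and executes
    },
    "Process 3": {
        "Employee 6": {"custody", "authorization", "recording", "execution"},
    },
    "Process 4": {
        "Employee 1": {"custody", "execution"},
        "Employee 3": {"recording"},                   # nobody authorizes on this process
    },
}

def sod_conflicts(matrix):
    """Return (process, employee, duties) for every employee who holds two or
    more of the four duties on the same process; duties are sorted tuples."""
    conflicts = []
    for process, assignments in matrix.items():
        for employee, duties in assignments.items():
            held = tuple(sorted(d for d in DUTIES if d in duties))
            if len(held) >= 2:
                conflicts.append((process, employee, held))
    return conflicts

def uncovered_duties(matrix):
    """{process: [duties with no owner]}. A duty nobody holds usually means the
    control (e.g. an independent authorization step) is not being performed."""
    out = {}
    for process, assignments in matrix.items():
        held = set().union(*assignments.values())
        missing = [d for d in DUTIES if d not in held]
        if missing:
            out[process] = missing
    return out

def cross_process_view(matrix):
    """Number of duty cells each employee holds across all processes, highest
    first: a concentration indicator independent of any single process."""
    counts = {}
    for assignments in matrix.values():
        for employee, duties in assignments.items():
            counts[employee] = counts.get(employee, 0) + len(duties & set(DUTIES))
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))

if __name__ == "__main__":
    for process, employee, held in sod_conflicts(SOD_MATRIX):
        print(f"{process}: {employee} holds {', '.join(held)}")
    print("uncovered:", uncovered_duties(SOD_MATRIX))
    print("concentration:", cross_process_view(SOD_MATRIX))
```

The matrix is deliberately represented per process, because a person may legitimately hold different duties on different processes; the conflict is only within one process, while the cross-process count is a separate, softer indicator.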
[Matrix slide continued: an "Utterly Trusted" employee, with rows captioned "Her Trusted status" and "Her Unshakeable trustworthiness", holds an X in many of the duty cells.]

"Trust but verify": triangulate in order to acquire organisational knowledge that you can rely on.

[Figure: triangulation of audit evidence between Purchase order, Invoice and Payment.]

The purpose of testing internal controls is to provide direct evidence that internal controls are in place and operating as intended by management, and indirect evidence that fraud has not occurred. However, in terms of the fraud audit plan, audit procedures are designed to detect the fraud schemes and to provide direct evidence concerning the existence of a specific fraud scheme, and indirect evidence that controls are in place and operating as intended by management.

Fraud Awareness & Training

A COSO-based Anti-Fraud Program (Source: Deloitte): Sharing Information and Communication
1. Promoting the importance of antifraud programs and controls and the organization's position on antifraud programs and controls, both internally and externally, through communications programs
2. Designing and delivering fraud awareness training

Specialist Forensic Staff Training: training on evidence collection, case management, witness statements, etc.

The goal of these 3 courses is the same: to ensure you are ready to write and pass the CFE exam. Each one is aimed at a different level of learner knowledge. Exactech offers option 2, the ACFE Exam Review Course, as a public (US$1500,00) or in-house (US$1400,00) course run over 10 days in 2 5-day block sessions.

01 ACFE Learnership (no knowledge): The ACFE learnership is a 27-day program done over 2 years. It costs about $4 000,00 p/p and is for people who have little or no fraud/forensic knowledge.

02 CFE Exam Review Course (base knowledge): The CFE Review course is a 10-day course over 2 weeks.
It costs $1 500,00 p/p and is for people who have a basic knowledge of fraud, such as auditors, accountants, risk managers etc.

03 CFE Exam Prep Course (high knowledge & self-disciplined): The CFE Prep course is a downloadable self-study course that you do in your own time and costs about US$945,00. It is for people who are knowledgeable about fraud.

Fraud Awareness Workshops

Staff Awareness:
- New Staff Induction
- Existing staff Refresher
- Management Awareness
- Client & supplier Awareness
- Training for Staff Buy-In & Responsibilities; Rights & Responsibilities
- In areas of specific responsibilities: procurement, finance
- More detailed fraud info for high risk areas like ID theft, IT fraud

Outdoors / Warehouses… Industrial Theatre (Tony Kgoroge, Hamilton Dhlamini)

Sustainability: Newsletters

"This is undoubtedly the right way to go. It is going to make a huge difference in the company. The hotline has come alive! The newsletter is definitely a very good idea - informative and transparent. The content of the newsletter is excellent - short, sharp and to the point. It is also interesting"

Free Newsletter

SARB Fraud Awareness Program: Look, Feel, Tilt

Delegate Comments

"It was well worth the time spent on this topic and look forward to having this awareness campaign annually".
"I loved the practical association where information was linked to real life scenarios".
"I thoroughly enjoyed this Fraud Awareness session. It was very informative and I learnt a lot. It was well presented & I don't think anyone in the room fell asleep!"
"This kind of training is well overdue, well done IAD".
"I found the awareness presentation very informative"
"It brings forth the core values of the bank".
"It not only addresses the issues pertaining to the organisation but to the individual staff member as well"
"This is something that we need to have annually!"

FAW 2013, WCC Seminar, Utah

'Awareness' doesn't = Behavior. The next challenge is not to stop at "Awareness" but to migrate the "awareness" to good anti-fraud practices…

[Figure (Source: HIMIS / First Legion Consulting): level of change against level of involvement. Stage 1 "I don't know", Stage 2 "I know but I don't do", Stage 3 "I know & I do". Involvement rises from Tell (newsletters, emails, intranet, letters, memos: Awareness) through Sell (booklets, videos, presentations: Understanding) and Consult (focus groups, working parties, consultations, surveys: Acceptance) to Collaborate (working sessions, 1:1s, conversations, coaching: Action).]

Pre & Post Questionnaires

[Two pie charts, Pre and Post, for the question "How prevalent do you consider theft, fraud & corruption to be within your organisation?" with the categories Extremely prevalent, Fairly prevalent and Not at all prevalent; the values shown are 10%, 3%, 28%, 53%, 37% and 69%.]

A COSO-based Anti-Fraud Program (Source: Deloitte): Monitoring Activities
1. Providing periodic evaluation of the effectiveness of the AFP
2. Utilizing independent evaluations of the AFP by Internal Audit or other groups
3. Implementing technology to aid in the continuous monitoring and detection activities

3 Data States…

[Figure: Sensitive Regulatory Data and Sensitive Corporate Data (intellectual property, credit card data, financial information, privacy data, trade secrets, health care information), each existing as Data-at-Rest, Data-in-Motion and Data-in-Use.]

Proactive Fraud Risk Management (Source: http://www.gsaig.gov/assets/File/other-documents/Background-SixStepApproach.pptx.pdf)

Analytical Steps:
- Step 1: Understand the Business
- Step 2: Understand Possible Frauds that Exist
- Step 3: Catalogue Possible Fraud Symptoms
Technology Steps:
- Step 4: Use Technology to gather Data about symptoms
- Step 5: Analyse Results
- Automate Detection Procedures
Investigative Steps:
- Step 6: Investigate Symptoms
- Follow-Up

[Figure: YOU at the centre of People, Process, Data and Technology.]

Fraud Detection

[Figure: a map of fraud detection methods, Computerised / Technology-Based against Non-Technology Based and People Focussed against Transaction Focussed, covering Discovery Sampling, Financial Statement Analysis, Behaviour Analysis, Bad Guy List, Re-engineered 'new' methods, Inductive Analysis, Deductive Analysis, Chance Detection, Data Mining Software, Digital Analysis ('Benford's Law'), Strategic Fraud Detection, Hotline Based Tip Received and Fortuitous Tip.]

Information, Insight, Intelligence

Finding Duplicates

We wish to search for duplicate transactions using the invoice number field. (It is possible to search for duplicates using a combination of fields.) We choose the information we wish to see about each duplicated invoice number. This is a list of the duplicated invoice numbers. We could also print out the result, send it to a new ACL table or export it to another program, such as Excel.

Finding Missing Items

Eleven invoices in this range have not been captured.
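The duplicate and missing-number tests just described are shown here as an added example, written in Python rather than taken from the ACL screens on the slides; the invoice register is constructed. Going slightly beyond the slide, the duplicate test takes the key as a list of fields, so the same function covers "duplicate invoice number" and "exact duplicate row" (the combination-of-fields case the slide mentions).

```python
# Added example, not the seminar's ACL screens: duplicate and gap tests on a
# constructed invoice register. Every value below is made up for illustration.
from collections import defaultdict

# Constructed sample register: one dict per captured invoice.
INVOICES = [
    {"invoice_no": 1001, "supplier": "S01", "amount": 1200.00},
    {"invoice_no": 1002, "supplier": "S02", "amount": 540.00},
    {"invoice_no": 1003, "supplier": "S01", "amount": 1200.00},
    {"invoice_no": 1003, "supplier": "S01", "amount": 1200.00},  # exact repeat of the row above
    {"invoice_no": 1003, "supplier": "S04", "amount": 80.00},    # same number, different supplier
    {"invoice_no": 1005, "supplier": "S03", "amount": 95.50},    # 1004 never captured
    {"invoice_no": 1009, "supplier": "S02", "amount": 310.00},   # 1006-1008 never captured
]

def find_duplicates(rows, key_fields):
    """Group rows on the chosen field(s) and return {key: [rows]} for every key
    that occurs more than once. key_fields is a tuple, e.g. ("invoice_no",) or
    ("invoice_no", "supplier", "amount") for exact duplicate rows."""
    groups = defaultdict(list)
    for row in rows:
        groups[tuple(row[f] for f in key_fields)].append(row)
    return {key: grp for key, grp in groups.items() if len(grp) > 1}

def find_gaps(rows, field="invoice_no"):
    """Return the numbers missing from the sequence between the lowest and the
    highest value of `field`; an empty list means the sequence is complete."""
    seen = {row[field] for row in rows}
    if not seen:
        return []
    return sorted(set(range(min(seen), max(seen) + 1)) - seen)

def summarise(rows):
    """Counts a reviewer would put on a dashboard: reused invoice numbers,
    rows that are exact repeats, and missing numbers in the range."""
    by_number = find_duplicates(rows, ("invoice_no",))
    exact = find_duplicates(rows, ("invoice_no", "supplier", "amount"))
    return {
        "reused_numbers": len(by_number),
        "exact_repeats": sum(len(grp) - 1 for grp in exact.values()),
        "missing_numbers": len(find_gaps(rows)),
    }

if __name__ == "__main__":
    for key, grp in find_duplicates(INVOICES, ("invoice_no",)).items():
        print("invoice number", key[0], "appears", len(grp), "times")
    print("missing invoice numbers:", find_gaps(INVOICES))
    print(summarise(INVOICES))
```

Separating "reused number" from "exact repeat" matters in review: an exact repeat is most often a double posting, while the same number from two suppliers points at a keying error or a recycled invoice number, and the two are followed up differently.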
If we examine the other values in the table, we see even more invoices are unaccounted for. To find out if any transactions have not been captured, we look for missing invoice numbers.

Ghost Employees

We compare the Employee master file with the Payroll table to identify any ghost employees. We choose fields from the Payroll table that will give us additional information about each employee. Both ghost employees "work" for department E21.

Finding Fictitious Suppliers & COI

We will check if any suppliers that have different names have the same bank account numbers. D & B and Chile Co are the same supplier trading under two different names; the same applies to Samgo and Clean Drain. (This test could be run using phone numbers, addresses or any other relevant field.)

We compare the Supplier master file with the Employee master file to identify any employees whose bank account numbers correspond to supplier bank account numbers. We choose fields from the Employee master file that will give us additional information about each employee posing as a supplier, and fields from the Supplier master file that will give us additional information about the applicable fictitious suppliers. Potential COI: notice their bank account details are the same as those of two of the employees. (We could compare addresses, phone numbers or any other relevant information of the employees and the suppliers.)

Stolen Inventory

This table contains the quantity on hand of different stock items as per the Accounting system. This table contains the quantity on hand of different stock items as per a physical stock count. We link these two tables as each contains information needed for our analysis. We now compare the physical quantities on hand with the quantities as per the Accounting system.
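The ghost-employee, fictitious-supplier / conflict-of-interest and stock-comparison tests above, as an added example in Python rather than the ACL screens from the slides. All tables are constructed; the supplier names reuse the slide's examples, the employee names and account numbers are made up, and the 5% discrepancy threshold the slides apply to the stock comparison is the default parameter here.

```python
# Added example, not the seminar's ACL screens: join-based matching tests on
# constructed employee, payroll, supplier and stock tables.
from collections import defaultdict

# Constructed employee master: employee_id -> (name, department, bank_account)
EMPLOYEE_MASTER = {
    "E001": ("A. Mokoena", "E21", "62011111"),
    "E002": ("B. Naidoo", "F10", "62022222"),
    "E003": ("C. van Wyk", "E21", "62033333"),
}

# Constructed payroll table: (employee_id, department, net_pay)
PAYROLL = [
    ("E001", "E21", 18000.0), ("E002", "F10", 22500.0), ("E003", "E21", 19900.0),
    ("E077", "E21", 17500.0),  # no master record: ghost employee
    ("E078", "E21", 17500.0),  # no master record: ghost employee
]

# Constructed supplier master: supplier_id -> (name, bank_account)
SUPPLIER_MASTER = {
    "S01": ("D & B", "70001111"),
    "S02": ("Chile Co", "70001111"),      # same account as S01
    "S03": ("Samgo", "70003333"),
    "S04": ("Clean Drain", "70003333"),   # same account as S03
    "S05": ("QuickFix Svc", "62022222"),  # same account as employee E002
}

# Constructed stock tables: item -> quantity on hand, per the books and per the count
BOOK_QTY = {"ITEM-A": 1000, "ITEM-B": 250, "ITEM-C": 40, "ITEM-D": 60}
COUNTED_QTY = {"ITEM-A": 990, "ITEM-B": 200, "ITEM-C": 40, "ITEM-E": 12}

def ghost_employees(payroll, master):
    """Payroll rows whose employee_id has no row in the employee master."""
    return [row for row in payroll if row[0] not in master]

def shared_supplier_accounts(suppliers):
    """{bank_account: [supplier_ids]} for accounts used by more than one supplier.
    The same join works on phone numbers or addresses by swapping the field."""
    by_account = defaultdict(list)
    for sid, (_, account) in suppliers.items():
        by_account[account].append(sid)
    return {acct: sorted(ids) for acct, ids in by_account.items() if len(ids) > 1}

def employee_supplier_matches(employees, suppliers):
    """Sorted (employee_id, supplier_id) pairs paid into the same bank account:
    a potential conflict of interest or an employee-owned fictitious supplier."""
    emp_by_account = defaultdict(list)
    for eid, (_, _, account) in employees.items():
        emp_by_account[account].append(eid)
    return sorted(
        (eid, sid)
        for sid, (_, account) in suppliers.items()
        for eid in emp_by_account.get(account, [])
    )

def stock_variances(book, counted, threshold=0.05):
    """Join book and counted quantities on item code and return
    (item, book_qty, counted_qty, variance_fraction) where the count differs
    from book by more than `threshold`. Items present in only one table are
    reported with None values rather than silently dropped by the join."""
    flagged = []
    for item in sorted(set(book) | set(counted)):
        if item not in book or item not in counted:
            flagged.append((item, book.get(item), counted.get(item), None))
            continue
        b, c = book[item], counted[item]
        if b == 0:
            if c != 0:
                flagged.append((item, b, c, None))  # variance undefined against zero book qty
            continue
        variance = (c - b) / b
        if abs(variance) > threshold:
            flagged.append((item, b, c, round(variance, 4)))
    return flagged

if __name__ == "__main__":
    print("ghosts:", ghost_employees(PAYROLL, EMPLOYEE_MASTER))
    print("shared supplier accounts:", shared_supplier_accounts(SUPPLIER_MASTER))
    print("employee/supplier matches:", employee_supplier_matches(EMPLOYEE_MASTER, SUPPLIER_MASTER))
    print("stock variances:", stock_variances(BOOK_QTY, COUNTED_QTY))
```

An inner join on item code would drop ITEM-D (on the books, never counted) and ITEM-E (counted, not on the books); both are exactly the rows an inventory review wants to see, so the comparison walks the union of the two key sets instead.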
In our example, we decided that any discrepancy greater than 5% would be problematic. We thus ran a filter to identify such discrepancies.

Improperly Authorised Transactions

This table contains a list of authorised transactions. This table contains a list of managers and their respective authority levels, e.g. level A, but without any amounts listed for each level. This table contains a list of authorisation levels and the maximum permitted transaction value for each level, e.g. Level A, maximum = 20 000. We link these three tables as each contains information needed for our analysis. We run a filter to identify those authorised amounts that exceed the maximum allowable amount. The result is a list of improperly authorised transactions and the persons who authorised these.

Manage: Dashboard Visualisation

Audit Analytic Capability Model

[Figure: maturity model with Level 1 Basic, Level 2 Applied, Level 3 Managed, Level 4 Automated and Level 5 Monitoring, matched to Solution 1 Data Analysis, Solution 2 Applied Analytics, Solution 3 Managed Analytics, Solution 4 Continuous Auditing and Solution 5 Continuous Monitoring; the axes are number of tests against cost and time, with assurance moving from manual to automated across maturity levels 1 to 3. Caption: achieving higher coverage, lower cost and business process improvement.]

3 Data States… Inadequate use of Data Analytics (Source: PwC 2013, State of Internal Audit Profession Study)

[Figure repeated: Sensitive Regulatory Data and Sensitive Corporate Data (intellectual property, credit card data, financial information, privacy data, trade secrets, health care information) as Data-at-Rest, Data-in-Motion and Data-in-Use.]

Network Forensics: Data in Motion

[Figure: collectors on Network A, Network B and Network C feeding a Loader, a Database and an Analyst Workstation.]

Using the Deviant Behaviors of Others to Find Fraud ('UDBOFF')

Presented by Ryan Hubbs, CFE, CIA, PHR, CCSA, Senior Manager, Matson, Driscoll & Damico (MD&D), Forensic Accountants, Houston, TX, at the 22nd Annual ACFE Fraud Conference.

Money, Sex, and Power are strongly
rooted in human behavior and history. In many instances they have played significant roles in deviant behavior, especially when human beings cannot obtain them through normal societal means or under societal norms.

The 3 Drivers in the Workplace

Sex:
- Viewing, Transmitting, or Downloading Pornography
- Sexual Harassment, Sexual Jokes and Innuendo, Voyeurism
- Office Affairs
Power:
- Bullying
- Intimidation
- Retaliation
- General Harassment
- Vulgarity, Profanity, and Abusive Language to People
Money:
- Fraud, Theft and Corruption

The UDBOFF Hypothesis in Action

Do we have workplace deviant behavior? Inter-office affairs, false accusations, pornography, bullying/intimidation, sexual harassment, profanity, etc.
UDBOFF Test: selected the last 6 months of expense account documentation as a quick test to see if there were any anomalies.
Was there fraud? Yes! Over $20,000 in expense account and P-card fraud spanning 2+ years, plus conflicts of interest, contractor fraud, and bid rigging.

Where to Now?

Basically each organisation has 4 choices open to them:
1. Do nothing (not a good choice, obviously!)
2. In-source
3. Outsource
4. Co-source

Which option is best for you depends on whether you currently have a forensic function, if you have the necessary skills and if they are available. Each option has its potential pros and cons.

A. Do Nothing…
1. Lack of management buy-in / endorsement
2. Lack of Budget (We'll do something 'next year')
"How much money do you think you will lose between now and 'next year'?"

"A good plan executed today is better than a perfect plan executed at some indefinite point in the future." - General George S. Patton

[Figure: the four options (Do Nothing, Out-source, Co-source, In-source) plotted on Control against Cost.]

Top Ten Take-Aways
1. Strategy remains the same but your Tactics must change
2. Use Surveys to find out what's up in your org!
3. Do regular awareness training (incl. personal interest)
4. Use Pre & Post Questionnaires in Training
5. Co-source with a Transfer-of-Skills
6. Run DA and the FRA together
7. Automate processes (e.g. CCM)
8. Have 'Zero Tolerance': don't tolerate the small things
9. Report Fraud, but remain anonymous
10. Still need the right combination of People, Process, Data AND Technology

Questions?

http://www.exactech.co/
David Mogapi, david.mogapi@exactech.co.za, +267 74303410
Mario Fazekas, mario.fazekas@exactech.co, +27 (0)83 611 0161
Antonio Pooe, antonio.pooe@exactech.co