March 2009
Fraud Risks & Controls in the Financial Sector*
*connectedthinking

[Cover graphic: F-Scan domains – Finance, Administrative Organisation & Internal Control, Purchase, Production, IT, Staff, Ethics & Integrity, Management, Security]

Foreword
Financial crime is a prominent issue that financial institutions need to tackle with great care. It is known to be more prevalent in the financial sector than in any other: in our last Global Economic Crime Survey (2007), the insurance sector was the most frequent victim (57% of insurance respondents had suffered fraud in the previous two years), closely followed by the other Financial Services (46%), whilst the overall average was 43%.
The current economic crisis also affects fraud risk management. Many financial institutions are launching cost reduction plans (sometimes involving reductions in staff), which can weaken the control environment: controls end up being performed by less experienced staff or, in the worst case, not performed at all. Moreover, back-office staff currently face significant increases in workload on issuing valuations and statistics because of the difficult economic environment, leading to reduced focus on the execution of the controls that are there to mitigate fraud risk. Finally, the closing down of certain activities within financial institutions can increase the incentive to commit fraud for those who will leave the company in the near future.
Therefore, whilst the legal environment and regulators have obviously pushed the Financial Sector in the right direction, it is now time to take the lead in protecting your earnings and your reputation in these troubled times. In this respect, the PwC Forensic Team, together with our Financial Sector specialists, has designed a dedicated ‘Top 10’ service offering to support you in the timely detection and efficient prevention of fraud risk.
Prevention

Fraud scan – Realise the quick wins
Our ‘F-Scan’ is a competitive, sector-oriented benchmarking solution aimed at assessing the fraud vulnerability of your business. Within a week, we assess your key risk areas against best practice for institutions of a similar size. We focus on the fraud considerations made by management in order to detect fraud risks and weaknesses within your organisation. The outcome includes a targeted and cost-effective action plan.

Identification of fraud warning signs
• Fraud warning signs identified, or fraud-prone business
• Decision whether a fraud scan is required
• Selection by management of at least 4 domains to be included in the fraud scan
Determination of company characteristics
• Completion of a question list on company characteristics
• Remittance of the question list to the PwC Forensic team
Execution of the fraud scan on site
• Interviews with key management based on the selected risk domains
• The scan is executed by members of the PwC Forensic team
Analysis of results
• At least 4 risk zones are analysed
• Score by risk zone and category
Reporting
• Findings
• Recommendations
• Urgent actions

Fraud Internal Controls Matrix – Know where you are today
Best practice indicates that the key elements of an anti-fraud programme are prevention and timely detection of fraud and misconduct. Such objectives can be reached through strong and effective internal controls. Your existing anti-fraud control environment can be assessed against an internationally accepted control framework (COBIT, COSO, etc.). Existing policies and procedures tackling fraud risk are examined to understand which component of your control framework (control environment, risk assessment, control activities, etc.) they address. The matrix derived from this exercise (see the example below) helps you identify components of your control framework that are not addressed by your existing control environment (in our example, Fraud Risk Assessment, shown in light blue).
An action plan will then be drafted to progressively fill in the gaps.

[Example matrix, reconstructed from the brochure's illustration. Rows: fraud-related policies, each a Board Policy with entity scope ‘All’ – Operational risk, Bank Admission Policy, Bank Sponsorship Policy, Conflicts of Interest - Board Policy (dated Jan-09, Jan-09, Mar-09, Jun-09 and Nov-08). Columns: internal control components – Control Environment (Board Policies; Ethical Conduct, Legal and Compliance; Risk Management; Accountability (Oversight); Audit Committee (Oversight); Code of conduct / Ethics; Ethics hotline; Hiring and Promotion Procedures; Investigation / Remediation), Fraud Risk Assessment (Process for assessing risk; Fraud considered; Likelihood and significance of fraud; Level within organisation; Risk of management override), Asset Management (Investment process; Funds allocation) and Control Activities (Back Office In-/Outsourcing; Credit Commitments; Documentation; Reconciliation; Signature; Refinancing; Payment). An ‘x’ marks each component a policy addresses; the exact placement of the marks does not survive extraction. No mark appears under Fraud Risk Assessment, and the Back Office In-/Outsourcing sub-process carries the note ‘No fraud related document identified for this sub-process.’]

Prevention

Fraud Risk Map – Visualise the risks of your activities
The Fraud Risk Map presents the fraud risk assessment of a series of your activities (selected by you) against the fraud types selected by PwC as potentially relevant to the activities under scrutiny. The map links each activity to the different fraud types with a coloured cell (green, yellow, red). From this visual you get an overview of uncovered risks per activity and per fraud type: vertical and horizontal trends become apparent. The tool helps identify those processes where specific fraud prevention measures should be taken in order to lower the risk.
[Example Fraud Risk Map, reconstructed from the brochure's illustration. Columns: fraud types, each split into internal and external perpetrators – Breach of Postal Confidentiality, Betrayal of Company Secrets, Property Damage / Computer Sabotage / Alteration of Data, Computer Fraud, Misuse of Information, Misuse of Insider Information, IT Manipulations. Rows: activities / departments – under Access Management: User ID account management, User registration, User password management, Password use, Log-on procedures, User identification and authentication, Password management system, Terminal time-out, Business requirements for access control and sensitive system isolation, Privilege management, Logical access management, Re-certification of user access rights, Logical security incident review and reporting, Monitoring system access and use, Reporting of security incidents; under Project Development: Pre-project feasibility analysis, Project delivery initiation, Project delivery / Requirements, Project delivery / Design, Project delivery / Development, Project delivery / Test, Deploy (operational ready), Post-project warranty evaluation. Cells are coloured green, yellow or red; the colour of individual cells does not survive extraction.]

Prevention

Fraud Heat Map – Capture the human factor
Fraud Risk Management is a multi-faceted concern that is very hard to embody in one single approach.

[Heat Map diagram: Products, Competition, Psychology, Context, Administration, Governance, IT, Opportunity, Behaviour]

The Fraud Heat Map completes our set of approaches and produces a contextual view that is essential when talking about fraud. Fraud is often the consequence of many disruptions and/or temptations, and consequently context matters. The purpose of our Fraud Heat Map is to crystallise into one visual all the elements that may weaken the context in which a person or group of people operate and, as such, represent potential opportunities to perpetrate fraud. Our level of analysis is the individual, who is ultimately the triggering factor.
The outcome of such an analysis is expected to be based both on facts and on perceptions/intuitions, and the visual outcome should allow you to better anticipate fraudulent behaviour and thus reinforce controls where needed. Three conditions are generally present where fraud occurs; they are summarised in the well-known Fraud Triangle. The link between those elements and the organisation is reflected in the Heat Map, which highlights the key risk areas in a practical manner.

Fraud Triangle
• Pressure: market pressure, incentive compensation, impossible targets. Diagnostic / interactive control systems can break the triangle here.
• Opportunity: weak internal controls, powerless internal audit, complacent auditors, analysts who go along. Internal controls are needed to break the triangle here.
• Rationalisation: ‘good for the company’, ‘others do it’, no alternative employment opportunity, no ‘visible’ harm. Belief systems / boundary systems can break the triangle here.

An example: Financial Markets Trading Activities
Trading activities are an interesting example because they encompass many of the elements that expose the financial sector to risk.
• It is a highly competitive environment that is particularly results-driven, which places the trader under constant pressure.
• The complexity of the products and of the process makes it more difficult to detect prohibited activities and creates opportunities for fraud.
• In most rogue trading cases, the traders acted as they did either because they felt trapped by the losses already made, or because they saw their fraudulent activity as something good for the company because of the gains generated.
To identify the ‘High Risk Zones’ in the organisation, many questions need to be raised:
- Are the IT systems secured (password and system access management, etc.)?
- What processes have been automated, and what operations require manual intervention by the operator?
- Is the administration checking whether traders take all their holidays, and for at least 10 consecutive days?
- Are adequate control procedures, such as timely confirmation, in place?
- What controls are in place to detect abnormal behaviour?
- What is the risk awareness of the supervisors?
- Etc.
Encompassing all these elements in one framework, the Heat Map enables management to identify the areas at risk directly and to act accordingly. The Heat Map approach, which starts from the individual, is complementary to the approaches above, which tackle the matter from the process and control angle.

Prevention

Background checks – Know who you are dealing with
Reputation is critical within the Financial Services Sector. Therefore, hiring reliable management and building relationships with sound clients, suppliers and partners are of the utmost importance. The lack of correct background information creates both reputation and business risks. As gathering the necessary and complete information at short notice proves challenging in practice, we can provide you with a background investigation into the reliability and reputation of these potential business relations. Our ‘Open Source Intelligence Centre’ has access to a variety of sources of financial and other information. We are experts in information-gathering procedures and will provide you with the key information you need to know. Being well-informed enables you to better manage your reputation and business risks.

Customised training – Get your people aware of fraud risk
On a regular basis, clients ask us to design fraud awareness training covering their specific needs. It ranges from the simple off-the-shelf fraud awareness training session to the most sophisticated training package derived from a ‘Fraud Risk Assessment’ exercise performed over a few weeks, with the input of our client’s top management and specialised staff.
Occasionally, we design specific supporting documentation that our clients can use internally to train their staff or as guidance to refer to on a daily basis.

Fraud Risk Management Manual - Table of Contents
Chapter 1 Introduction
Chapter 2 Existing Fraud Management Framework
Chapter 3 Typology of possible Fraud types
Chapter 4 Initial Fraud Risk Assessment
Chapter 5 Elements of Fraud Auditing
Chapter 6 Proposed Fraud Risk Auditing Model
Chapter 7 What to do when Fraud is suspected

Detection

Forensic Technology – Benefit from the latest forensic technologies
Forensic Technology brings cutting-edge technology into fraud examinations. As business becomes increasingly dependent on Information Technology, and information and knowledge are progressively stored electronically, fraud is often buried in massive amounts of digital data. Forensic Technology can help capture, secure and deal with substantial volumes of information, identify which systems and personnel are critical, and recover hidden or lost data. Furthermore, it provides the tools and knowledge to analyse this data and fit the results into meaningful fraud assessment reports. Below are some examples of the way we use Forensic Technology.
Procurement is one of the business areas most often affected by fraud. By using Data Analysis (DA) and Data Mining (DM), indicators, trends or hidden patterns relating to Procurement Fraud can be uncovered from the financial system. The DA and DM reports are customised to the business and IT environment and to the specific fraud risks of the company.
Financial institutions are confronted with large amounts of supporting data, both paper and electronic. Paper documents are scanned and archived, resulting in a significant workload to review them manually and/or to maintain data quality. E-Discovery techniques now combine paper files and digital information into one document management process, allowing efficient data quality reviews.
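The data-analysis indicators named above for procurement, and the block-leave question raised in the trading example of the Heat Map section, can be turned into concrete checks. What follows is an added example written for this page, not PwC's own tooling: it runs three detective tests over constructed data (an HR leave extract and an accounts-payable posting log, both invented here): a mandatory block-leave check (has each trader been away for at least 10 consecutive days, counting a weekend between two leave weeks as continuous absence), a segregation-of-duties check (invoice booked and paid by the same user) and a manual-entry peak check (days on which manual postings spike against the median). The field names, user IDs, thresholds and the reading of the 10-day figure as calendar days are assumptions.

```python
"""Three detective fraud checks over constructed data (added example).
1. Mandatory block leave: has each trader been away >= N consecutive days?
2. Segregation of duties: was an invoice booked and paid by the same user?
3. Manual-entry peaks: days on which manual postings spike against the norm.
"""
import csv
import io
import statistics
from collections import defaultdict
from datetime import date, timedelta

# --- 1. Mandatory block leave -------------------------------------------------
# Constructed HR leave extract: (trader_id, first_day, last_day), both inclusive.
SAMPLE_LEAVE = [
    ("T001", date(2008, 7, 7), date(2008, 7, 11)),    # Mon-Fri
    ("T001", date(2008, 7, 14), date(2008, 7, 18)),   # next Mon-Fri: 12 days away incl. weekend
    ("T002", date(2008, 3, 3), date(2008, 3, 5)),
    ("T002", date(2008, 8, 18), date(2008, 8, 22)),
    ("T002", date(2008, 12, 24), date(2008, 12, 31)), # 8 days, longest block for T002
    ("T003", date(2008, 5, 1), date(2008, 5, 1)),
]

def _gap_is_weekend_only(prev_end, next_start):
    """True if every day strictly between prev_end and next_start is a Sat/Sun,
    i.e. the trader never returned to the desk. Overlapping or adjacent spans
    have no days in between and are therefore merged as well."""
    day = prev_end + timedelta(days=1)
    while day < next_start:
        if day.weekday() < 5:        # Mon=0 .. Fri=4: a working day breaks the block
            return False
        day += timedelta(days=1)
    return True

def longest_block_per_trader(records):
    """Merge each trader's leave spans (bridging weekends) and return
    {trader: longest consecutive calendar days away}."""
    by_trader = defaultdict(list)
    for trader, start, end in records:
        by_trader[trader].append((start, end))
    longest = {}
    for trader, spans in by_trader.items():
        spans.sort()
        merged = [list(spans[0])]
        for start, end in spans[1:]:
            if _gap_is_weekend_only(merged[-1][1], start):
                merged[-1][1] = max(merged[-1][1], end)
            else:
                merged.append([start, end])
        longest[trader] = max((e - s).days + 1 for s, e in merged)
    return longest

def flag_missing_block_leave(records, all_traders, required_days=10):
    """Traders without a single leave block of required_days. A trader with no
    leave record at all scores 0: the case most worth looking at first."""
    longest = longest_block_per_trader(records)
    return sorted((t, longest.get(t, 0)) for t in all_traders
                  if longest.get(t, 0) < required_days)

# --- 2./3. Accounts-payable posting log ---------------------------------------
# Constructed journal extract, as a CSV export from the financial system.
SAMPLE_LOG = """timestamp,doc_id,event,user,amount,entry_mode
2009-01-05T09:12:00,INV-1001,BOOK,jsmith,12500.00,manual
2009-01-05T14:30:00,INV-1001,PAY,mdupont,12500.00,auto
2009-01-06T10:01:00,INV-1002,BOOK,jsmith,980.00,manual
2009-01-07T11:45:00,INV-1002,PAY,jsmith,980.00,manual
2009-01-07T11:46:00,INV-1003,BOOK,jsmith,4400.00,manual
2009-01-07T11:47:00,INV-1003,PAY,jsmith,4400.00,manual
2009-01-07T11:50:00,INV-1004,BOOK,jsmith,610.00,manual
2009-01-07T16:20:00,INV-1004,PAY,mdupont,610.00,auto
2009-01-08T09:00:00,INV-1005,BOOK,alee,300.00,auto
2009-01-08T15:00:00,INV-1005,PAY,mdupont,300.00,auto
2009-01-09T09:00:00,INV-1006,BOOK,alee,7200.00,manual
2009-01-09T15:00:00,INV-1006,PAY,mdupont,7200.00,auto
"""

def parse_log(text):
    return list(csv.DictReader(io.StringIO(text)))

def sod_violations(rows):
    """Invoices where the user who booked the invoice also released its payment."""
    users = defaultdict(dict)                   # doc_id -> {event: user}
    for r in rows:
        users[r["doc_id"]][r["event"]] = r["user"]
    return sorted((doc, ev["BOOK"]) for doc, ev in users.items()
                  if "BOOK" in ev and "PAY" in ev and ev["BOOK"] == ev["PAY"])

def manual_entry_peaks(rows, factor=2.0, min_count=3):
    """Days whose number of manual postings is at least factor x the median daily
    count (and at least min_count, so a quiet ledger does not flag single entries)."""
    per_day = defaultdict(int)
    for r in rows:
        per_day[r["timestamp"][:10]] += r["entry_mode"] == "manual"
    median = statistics.median(per_day.values())
    return sorted((d, n) for d, n in per_day.items() if n >= max(min_count, factor * median))

if __name__ == "__main__":
    print(flag_missing_block_leave(SAMPLE_LEAVE, {"T001", "T002", "T003", "T004"}))
    rows = parse_log(SAMPLE_LOG)
    print(sod_violations(rows))
    print(manual_entry_peaks(rows))
```

The block-leave threshold follows the brochure's ‘10 consecutive days’ literally and counts calendar days; many institutions write the policy in business days, so set required_days to match the written policy. The segregation-of-duties check only sees what is in the log: it cannot tell whether jsmith released those payments under his own credentials or someone else used them, which is why it should be read alongside an access-management review. The peak rule uses the median rather than the mean so that one exceptional day cannot hide itself by raising the baseline.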
Security concerns related to applications and databases containing critical data have to be addressed proactively to mitigate considerable fraud risk. The current user access management procedures are mapped against the key objectives and industry best practice standards in order to identify gaps and areas for improvement. If any significant fraud risk is uncovered in the access management review, a more in-depth investigation can be performed into actual access and usage, such as reviewing and analysing outliers in access to critical information, trend analysis (peaks in manual entries), or subsequent transactions made by the same user (e.g. an invoice booked and paid by the same person).
Insurance companies can be confronted with enormous numbers of claims or litigations (e.g. due to natural disasters or class actions). At PwC, we have the expertise to assist you with document management for large-scale, multi-party, multi-jurisdictional litigations or claims. Moreover, our team can provide you with advice and assistance in the management and prioritisation of these claims. We bring together experts and specialists in claims, forensic investigation, forensic technology services and other relevant disciplines, combining the technical skills, industry knowledge and geographical coverage to investigate, analyse, prioritise and resolve complex and massive volumes of claims.

Detection

Fraud Due Diligence – Set the scene
Business is ever-changing and organisational frameworks are moving targets. Mergers, acquisitions and employee turnover have become part of our way of life. We know that the new challenges you are willing to take on are often very exciting but, in the end, can you say you are fully comfortable when taking over a target or taking up a new role in your company? Could there be concealed risks present? Indeed, whilst long-term strategies can be designed with hindsight, you are immediately exposed to key risks in the day-to-day business.
Short-term exposure can considerably damage your image and ruin your ambitions for the future. The recent nature of your involvement will not – believe us – prevent the deterioration of your reputation. Life is unfair!
To assist you in assessing such risks, we have developed, in a joint effort of our forensic and financial risk experts, a methodology and checklist that can help you ‘set the scene’ quickly and efficiently. We are happy to tailor investigations to best suit your needs and expectations. More than others, we know how easily you can be exposed to civil or even criminal liability!

Investigation

Fraud Incidence Plan – An action plan when fraud has been detected
Whatever the type of fraud, whoever the perpetrator, any form of fraud raises a number of questions and issues for management; questions and issues they have probably never dealt with before. Our specialists are highly trained and discreet. They are used to operating in sensitive circumstances, and their range of skills and methodologies allows them to discover information that is often outside the scope of normal accounting or auditing procedures. Assistance may include sorting out evidence for prosecution. We support management so that they can carry on with the day-to-day business, and avoid having to spend valuable time dealing with matters that may distract them and put their business in an even worse position.

Asset Tracing and Recovery – Get back what you were defrauded of
Financial institutions are often confronted with significant losses on credit or insurance files due to misconduct, or sometimes even fraud, by the client. Our Asset Tracing and Recovery service is designed to answer the questions you have in the aftermath:
• What went wrong?
• Where is the money/asset now, and how can we get it back?
• Who is responsible?
• Which controls failed?
• What steps need to be taken?
These questions will be answered through a combination of investigation and highly refined asset recovery skills, drawing on PwC expertise and advanced Forensic Technology. Such an investigation is the starting point for the recovery of stolen assets. Our ability to unravel complex international fraud schemes may result in such assets being identified, frozen and then recovered.

Contact
Rudy Hoskens
Director, Dispute Analysis & Investigations
+32 (0) 2 710 43 07
rudy.hoskens@pwc.be

Cécile Louchard
Senior Manager, Dispute Analysis & Investigations
+32 (0) 2 710 44 24
cecile.louchard@pwc.be

www.pwc.be
© 2009 PricewaterhouseCoopers. All rights reserved.
“PricewaterhouseCoopers” refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity. *connectedthinking is a trademark of PricewaterhouseCoopers. The firms of the PricewaterhouseCoopers global network (www.pwc.com) provide industry-focused assurance, tax and advisory services to build public trust and enhance value for clients and their stakeholders. More than 155,000 people in 153 countries across our network share their thinking, experience and solutions to develop fresh perspectives and practical advice.