India Fraud Survey Edition II - Deloitte
#letstalkfraud| India Fraud Survey, Edition II

Foreword

Disruptive events, enabled by disruptive technologies and business models are increasingly characterizing both the Global and the Indian economy. The rapid pace of adoption of e-commerce, online banking, and social media means consumers today have access to information about products and services before they are formally introduced in the market, and are able to pass judgement on their effectiveness. Events such as the recent demonetization announcement by the government are further changing the dynamics of the economic environment. Regulatory frameworks, particularly those that govern business conduct, are evolving to keep pace with these developments.

In this dynamic environment, traditional businesses can no longer afford to sit back, unscathed by the changing world around them. Organizations have little choice but to adapt and remain relevant to customers. While some may see this as an unsurmountable challenge, fraught with uncertainty, I feel we are fortunate to witness the evolution of a new economic order.

India and Indian businesses, no doubt, will continue to grow in size despite the challenges they face. Businesses that succeed in becoming agile, leveraging technology effectively, and innovating consistently, will be more likely to emerge winners in this race for economic dominance. A lot of this success would also depend on how businesses structure themselves internally – such as having a strong focus on instituting robust internal processes and controls, reliance on automation for monitoring transactions and identifying suspicious activity, gathering business intelligence through analytics, and developing transparent governance models. Incidentally, these are among the areas that India organizations have traditionally been slow to develop.

The limited preparedness to foresee the impact of changing trends and build a robust backend supporting system can slow down progress and make organizations vulnerable to several risks including those of fraud. This edition reveals the inertia among large and small organizations in their fraud and noncompliance management efforts. It also provides suggestions that organizations will find useful in their quest to know and fight emerging fraud and noncompliance issues.

I hope you find this report a compelling read, as I did.

Regards
N Venkatram
Introduction

“Fraud is rising in India,” “stopping fraud is the responsibility of the CEO,” “fraud cannot be eliminated,” and “junior people commit frauds.” These are some of the sentiments on fraud we hear as part of our jobs. One topic, multiple perspectives.

Today everyone has an opinion on fraud. Be it a working professional, far from the rigors of the finance discipline or a small company struggling to recover losses, or a multinational concerned about reputation. It is this diversity of opinions and experiences that makes the fraud landscape in India complex. Consequently, fraud risk management efforts tend to become unique and challenging across organizations.

This is what our survey results also indicate. Multinational organizations appear to be primarily focused in preventing known frauds such as bribery and corruption, diversion/ theft of funds and vendor favoritism, even as the business landscape exposes them to new fraud and noncompliance risks such as cybercrime, social media and anti-competitive behavior. So while we observe increased adoption of automation and continuous monitoring as part of fraud risk management efforts, these initiatives will always find it challenging to detect new and emerging frauds.

Small and medium enterprises on the other hand, appear to be struggling to mitigate old menaces such as bribery and corruption, indicating a lack of commitment and resources to dedicate towards fraud risk management. Given the inherent limitations of these organizations, there is need for government intervention to help small and medium enterprises tackle fraud. In this regard, increased digitization in all spheres of business combined with strong enforcement of anti-fraud laws may benefit small organizations.

Successful fraud risk management efforts tend to go beyond strong internal controls or the presence of policies. Employees can play an influential role in the success of fraud risk management efforts, as indicated by a majority of respondents to our working professionals’ fraud survey. Perhaps it is time organizations – large and small – nurtured a community of 'employee influencers' who can reinforce ethical behaviors and mitigate the risk of fraud.

The 2016 edition of the India Fraud survey also puts the spotlight on five new business trends that will likely impact the fraud landscape in the future – Blockchain, Internet of Things, Robotics, Cashless transactions and Online market places. As a first, we also have perspectives from the Deloitte member firms in Japan and Australia on the fraud concerns in their countries and possible challenges faced by some of their clients while working in India.

We hope you find this survey report useful.

Uday Bhansali
President - Financial Advisory, Deloitte India

Rohit Mahajan
APAC Leader, Partner and Head – Forensic, Financial Advisory, Deloitte India
Contents

• Key findings
• Focused on safeguarding themselves from well-known frauds, large companies grapple to understand emerging frauds
• Focused on growth, the commitment to fight fraud is found wanting among small and medium companies
• Employees want to play an active role in fighting fraud - Perspectives from working professionals
• The future of fraud – Business developments that can impact the fraud landscape in India
• Foreign perspectives on dealing with fraud in India
• Acknowledgements
• About the survey

Key findings

Large companies’ survey - Perspectives from companies with over ₹200 Crore turnover and/or over 200 employees

• 70% of respondents felt incidents of fraud will increase in the next two years
• Top reasons that contribute to fraud include – diminishing ethical values (38%), lack of efficient control system (37%), inadequate due diligence (37%) and unrealistic goals linked to monetary compensation (37%)
• Vendor favoritism (42%), diversion/ theft of funds (33%) and bribery and corruption (30%) were the top fraud incidents experienced by organizations
• Procurement (35%) and vendor/ partner selection (25%) were considered the functions most vulnerable to fraud risks
• Junior and Middle management employees were considered the most likely to commit fraud
• Top three measures undertaken to prevent fraud include – Internal Audit/ Risk assessment (89%), Tone at the top and implementation of anti-fraud policies (79%), and fraud awareness workshops and trainings (66%)
• Fraud is mostly detected through whistleblower hotlines
• Response to fraud is complex and determined on a case to case basis – 43% said investigations were commenced based on the severity of fraud; 36% said the fraudster was allowed to resign in lieu of pressing legal charges; and 33% said fraud was communicated to employees, the Board and regulatory agencies
• Preparedness to emerging fraud and noncompliance risks such as social media and anti-competitive behavior appears to be low

Small and medium enterprises survey - Perspective from companies with under ₹200 Crore turnover and/or under 200 employees

• 54% of respondents felt incidents of fraud will increase in the next two years
• Top three reasons that contribute to fraud include the following – diminishing ethical values (68%), limited/ lack of segregation of duties (68%) and limited employee education on fraud (60%)
• Top three frauds experienced by organizations include – Diversion/ theft of funds (32%), bribery and corruption (28%) and conflict of interest (26%)
• The most common forms of corruption experienced include – collusive bribery (69%) and facilitation payments (69%)
• Procurement (44%) and sales and distribution (29%) were considered the functions most vulnerable to fraud risks
• 32% felt complying with anti-fraud regulation placed additional burden on them
• Fraud prevention efforts were found wanting – 48% felt there wasn’t enough commitment; 42% felt there was inadequate budget and resource allocation to prevent fraud; 25% reviewed their fraud risk management frameworks only upon an incident occurring; and 23% addressed fraud observations within 1-2 months of the incident
• Top three measures undertaken to prevent fraud include – Independent Audits (71%), implementing a code of conduct (62%), and regular monitoring and assessment of fraud risks (52%)
• Deploying technology to curb fraud is a challenge with 17% citing budgetary constraints, and 23% claimed lack of clarity around the utility of such tools
• Response to fraud is complex and determined on the basis of the materiality of fraud (19%)
• Top actions taken upon detection of fraud include – internal investigation (71%), review/ updating of existing controls (53%) and asking the fraudster to resign (53%)

Working professionals’ survey

• 65% of respondents felt incidents of fraud will increase in the next two years
• Top three reasons that contribute to fraud include – Weak/ ineffective controls (65%), technological advancements (43%), and general decline in ethical values (42%)
• Top three frauds experienced by organizations include – bribery and corruption (43%), financial statement fraud (40%), and embezzlement of funds (39%)
• Frauds personally experienced by working professionals include – bribery and corruption at government offices (59%), identity theft (37%) and sector specific frauds (31%)
• In response to fraud, 55% of respondents claimed they did nothing as there was no way to recover losses
• 70% felt their employers encouraged them to provide enough opportunities to share instances of unethical behavior
• Are laws on curbing fraud effective? – Yes (47%), No (42%)
• Primary responsibility to fight fraud lies with the citizens (56%)
• Top three measures the Government can take that will help reduce fraud in India – stronger enforcement (90%), greater adoption of technology (63%) and government advisory on key fraud schemes (63%)
• Top 3 measures that corporates can take to reduce fraud – openly discuss fraud and educate employees (61%), recognize and reward ethical behavior (59%), and name and shame wrong do-ers (57%)

Focused on safeguarding themselves from well-known frauds, large companies grapple to understand emerging frauds

Conventional frauds continue to dominate the fraud landscape

In line with our 2014 survey, around 70% of Corporate India continues to believe that fraud will rise over the next two years. Fraud was attributed mainly to diminishing ethical values, lack of an effective/ efficient control system, inadequate due diligence on employees/ third parties and unrealistic targets/ goals linked to monetary compensation, indicating that fraud continues to be driven by concerns internal to the organization. Correspondingly, procurement (35%), vendor/ partner selection and management (25%), and sales and marketing (18%) were identified as the functions most susceptible to fraud.

Among the type of frauds experienced, survey respondents indicated vendor/ customer/ business partner favoritism, diversion and bribery and corruption as the top three frauds. Further, the survey indicated that organizations could lose an average of between ₹10 Lakh and ₹1 crore to fraud. A little more than a quarter of respondents indicated they were unable to quantify the fraud loss.

Figure 1: Which of the following types of fraud/misconduct/malpractice has your organization experienced in the last two years?

• My company has not experienced any type of fraud: 20%
• Other (please specify): 6%
• eCommerce related frauds: 8%
• Counterfeiting: 13%
• Supply Chain fraud: 18%
• Capital market related frauds like insider trading: 2%
• Intellectual property fraud: 7%
• Corporate espionage: 2%
• Data theft: 21%
• Financial misreporting: 10%
• Regulatory non-compliance: 14%
• Internet and/or Cyber fraud: 18%
• Bribery and corruption: 30%
• Vendor/customer/business partner favoritism: 42%
• Material pilferage: 21%
• Diversion/theft of funds: 33%

Note: This is a multiple choice question and responses will not add up to 100%

Interestingly, while respondents did not rate bribery and corruption as the most common fraud experienced by their organizations, favoritism in appointing vendors and business partners is often in the backdrop of kickbacks and bribes being exchanged between colluding parties. It appears that organizations may be differentiating between private bribery and public bribery schemes: the former does not involve a government servant, but employees of private organizations colluding with each other for mutual benefits.

Given the robust anti-bribery and corruption compliance policies that large domestic and multinational corporations have in place, it is heartening to note that organizations may now be tackling public bribery better than they may have in the past. However, in our experience, private bribery schemes are no less dangerous to organizations.

Potential conflict of interest, deteriorating product/ service quality as a result of hiring favored business partners, and diversion/ theft of funds are some of the possible outcomes of indulging in private bribery schemes. Upon unearthing of such schemes the organization in question may face reputational damage from the media, denial of capital from financial institutions and volatility in stock prices. Although currently there is requirement for a law that specifically prohibits private sector bribery[1], indulging in it may be a potential violation of the Companies Act, 2013 as well as Clause 49 of the SEBI Listing Agreement that seeks to reinforce good corporate governance and fraud risk management[2].

[1] The proposed amendments to the Prevention of Corruption (Amendment) Bill, 2013 cover organizations who indulge in bribe-giving, unlike the 1998 Act that only covered public servants who were recipients of bribery. Further, the draft Indian Penal Code (Amendments) Bill, 2011 is the only proposed legislation that encompasses graft / corruption by individuals, firm, society etc that undertakes any economic activity.
[2] The Companies Act, 2013, looks at bribery and corruption as practices that may amount to fraud schemes such as procurement fraud, diversion of goods/theft etc. Although, the act of indulging in bribery itself is not a violation of the Act, the resulting fraud and the inability of organizations to prevent it may result in a violation. Similarly, if the end result of private bribery involves insider trading and unauthorized related party transactions, these actions may violate Clause 49 of the SEBI listing agreement. Source - http://www.mondaq.com/india/x/434208/Securities/Disclosures+Under+SEBI+Listing+And+Disclosure+Regulations+2015

In the area of public corruption, there appears to be increased awareness of how indulging in such practices can impact the organization. Overseas regulatory noncompliance (52%), potential difficulties in being enlisted on stock exchanges (in India and overseas) (44%) and reduction in profits (41%) were perceived to be the most damaging outcomes of indulging in bribery and corruption.

Figure 2: In your opinion, what are the ways in which corruption can impact your company?

• There is rise in regulatory risks from foreign legislations such as US FCPA and UK BA, owing to the trans-national nature of our business: 52%
• Incidents of corruption make it difficult for my company to get listed on stock exchanges in India and overseas: 44%
• Corruption reduces profits: 41%
• Corruption affects my reputation and, consequently, the ability to win business and attract talented professionals: 34%
• Incidents of corruption make it difficult for my company to seek funding from banks: 33%
• Corruption dents shareholder morale and results in greater dissent: 28%
• Corruption imposes additional costs on doing business; None of these / Corruption does not impact my business: 23% and 37% (the transcription does not show which value belongs to which option)

Note: This is a multiple choice question and responses will not add up to 100%

Rising regulatory focus by the Indian government is also building a case for a corruption free corporate India with 30% of respondents believing that stringent enforcement of anti-bribery regulations could end this menace.

Organizations are unable to tackle counterfeiting

Counterfeiting primarily occurs due to the inability of organizations to educate employees and customers on the potential damages of dealing with duplicates and counterfeit products. While, in the past, counterfeiting’s primary impact was loss of revenue for organizations, today it has also extended to reputation in light of fierce competition for market share. In recent times, the proceeds from counterfeit products have also facilitated terrorist financing and anti-national activities. Accordingly, about 39% of survey respondents have indicated that they were unsure/unable to quantify the effects of counterfeiting.

Figure 3: In your opinion, what is the perceived loss due to intellectual property (IP) theft and counterfeiting to organizations?

• Don't know/Unsure: 21%
• Cannot be quantified as the effects are long term: 18%
• 1-5% of revenues: 13%
• Less than 1% of revenues: 8%
• 5-10% of revenues: 3%
• More than 10% of revenues: 3%

Note: 34% did not respond to the question.

According to survey respondents, organizations can take several measures to curb counterfeiting such as drawing up clauses specific to counterfeiting/IP theft in contracts, using third party experts to gather intelligence, and through employee education.

Point of View: Leveraging technology to curb counterfeiting

As consumerization in India grows, there is also an accompanied rise in the movement of counterfeit goods in the market. Several industry reports point to counterfeits amounting to at least 25 percent[3] of total goods circulating in the market across various product categories. While corporates are aware of this menace, efforts to curb counterfeits often tend to be inadequate. In our experience, investing in anti-counterfeit technologies may provide better safeguards against counterfeiting. Some options are discussed below.

Working with digital marketplaces – The proliferation of ecommerce has been accompanied by a rise in online sales of counterfeits and duplicate products. However, unlike physical market places, it may be relatively easy to combat online counterfeit product sales, if organizations work closely with web platform providers. A simple move such as search engine optimization – where organizations invest to create content that promotes authentic products – can help consumers become more aware of authentic products, their features and pricing. Consequently, if search results start showing authentic products in the top listings, fakes tend to get pushed to the bottom where they may not enjoy visibility. Further, by adopting a more visible digital profile – such as having a web page with online sales capability, a Facebook page, Twitter handle, etc., brands can stymie efforts by counterfeiters trying to steal the ecommerce spotlight. Increasingly, ecommerce platforms are also blacklisting vendors providing fake products and initiating action against them[6].

Smartphone applications – These allow consumers to quickly check if an item is authentic prior to making a purchase. It also empowers brand owners to identify, track, and prevent brand infringers from selling counterfeit products. Typically, retail companies can put a Unique Product Identifier (UPI) on the product or on the packaging. Consumers can use their smartphones to scan the UPI. If the item is counterfeit, the system will notify the consumer that the product cannot be authenticated[4]. Some smartphone applications also allow users to take photos of possible counterfeits and upload them to an online map that’s linked to a GPS locator[5]. This can alert other consumers of counterfeits in specific locations.

Radio Frequency Identification (RFID) – RFID can provide labelling technology like barcodes, but with greater capability. Barcodes typically encode product-labelling information like names and serial numbers, but nothing more. They require direct line-of-sight for access, can store only small amounts of information, and have minimum size requirements for effectiveness. As such, small sized items present challenges for item level barcode labelling. RFID technology, on the other hand, embeds labelling information in non-volatile memory devices, which in turn embeds in a product. Unlike barcodes, RFID tags come in various sizes (sometimes as small as a grain of rice), have greater storage capacity, and do not require direct line-of-sight for access. The absence of size and line-of-sight limitations allows RFID tags to embed virtually into any product for flexible labelling down to the item level. This capability enables automatic tracking and inventory control with strategically placed interrogators.

Like many other fraud schemes, it is easier to prevent counterfeiting than to respond to incidents of large scale counterfeiting. The luxury products industry has successfully embraced some of these technologies and managed to curb counterfeiting to a significant extent. Other product companies can also explore these options and adopt those that are cost effective and user friendly.

[3] Source: http://indianexpress.com/article/india/india-others/about-rs-39000-crore-loss-in-one-year-due-to-illicit-markets-in-manufacturing-sectors-ficci-report/
[4] The Smart phone App ‘Authenticateit’ follows this technique to check for counterfeiting.
[5] Black Market Billions is a crowdsourcing app that operates with this technique.
[6] Source: http://fortune.com/2016/11/14/amazon-counterfeit-items-lawsuit/

Focus remains on mitigating known frauds

Overall, there appears to be little change in most of the trends discussed so far compared to our 2014 survey. Frauds identified as concerns have been limited to well-known categories such as bribery and corruption, theft and favoritism. Despite the changing business landscape and push to adopt technology in improving business outcomes, it is surprising to note that organizations continued to rate concerns such as cybercrime, IP fraud, e-Commerce fraud, and counterfeiting relatively low in terms of organizational impact. We believe this inexperience of new fraud risks could stem from limited understanding and the inability of organizations to detect patterns that may point to such fraud risks. If the current levels of fraud awareness were to continue, organizations may be unlikely to mitigate new frauds in the future.

Point of View: Organizations need to prepare for fraud arising from new business dynamics

In the last two years, three of the most significant fraud and reputational damage cases reported by the media arose due to social media exposure. These large global brands were questioned by consumers on their quality assurance practices, which upon investigation led to the discovery of noncompliance, malpractice and fraud. In two of these cases, the brands had to recall products from the market resulting in huge losses, and had to invest in brand re-building measures until consumers could regain faith.

Interestingly, these brands remain heavily invested in social media for customer engagement. Yet, they did not foresee the potential risks arising from this platform.

In our experience, large organizations in India continue to be saddled with legacy practices and tend to remain fixated on them–whether it is for business process improvements or fraud risk management. So, while one may see a very robust fraud risk management framework to prevent, say procurement fraud, there may be little or no steps taken to anticipate potential fraud in adopting e-procurement models. In theory, while e-procurement may not pose the same fraud risks as a conventional procurement process, and may be touted as the ‘fraud free’ frontier for the procurement function, practical experience can show otherwise. For instance, our 2014 fraud survey indicated online payments, procurement of materials, and trading in stock markets as areas vulnerable to fraud risks in e-commerce transactions.

Further, in the past, organizations were aided by relative inaction from governments to bring about paradigm change in the way business was conducted. However, that appears to be changing today. The last two years have indicated a determination on the government’s part to ensure ease of conducting business–whether that is by moving towards simplifying laws and tax structures or by pushing for cashless transactions. In such a scenario, organizations will experience new frauds, unless they proactively anticipate them and establish processes to mitigate these frauds.

Preparedness to tackle emerging fraud and regulatory noncompliance risks remains low

Limited understanding of cybercrime

Reputational damage, IP theft and regulatory risks, were identified as the most likely impact of cybercrime.

Figure 4: According to you, what is the greatest impact of cybercrime?

• Reputational damage: 50%
• IP theft, including theft of data: 50%
• Regulatory risks: 42%
• Service disruption: 40%
• Theft or loss of personal information: 37%
• Cost of investigation and damage control: 34%
• Actual financial loss from the activity: 33%

Note: This is a multiple choice question and responses will not add up to 100%

Considering the media has reported about organizations losing several million dollars to cybercrime globally, it is surprising to note that survey respondents rated financial loss from cybercrime low on the scale. We believe this could be due to the limited understanding of how cybercrime can manifest itself.

For instance, cloud computing fraud is one of the manifestations of cybercrime. With increasing number of users demanding simultaneous access to data and applications over multiple devices such as desktop PCs, notebook computers, smartphones, and now smart watches, cloud computing is gaining appeal for both enterprise and personal use. The current state of technology makes it possible to edit and share documents and data across multiple devices and locations. Some subscriptions also allow users to collaborate and interact in real-time. As the number of cloud-based service providers grow, risk to systems and intellectual property have also grown.

While well-known service providers have sophisticated security and access control systems, the safeguards employed by scores of lesser-known service providers may not be relatively well documented. Some of the key risks that users of cloud computing may face include data loss from unauthorized use of low-quality systems, hacking, theft of intellectual property, and theft of confidential customer data. Our 2014 fraud survey states that only 5% of survey respondents indicated that their organizations had sustained losses from cloud-based intrusions. Around 43% were unaware of data loss or leakages arising from hacking or hijacking of cloud services and a similar percentage of those surveyed reported no losses. This is no different from what we observe today.

In the area of cybercrime prevention, majority of organizations still appear to be grappling with cybercrime, with a third saying they didn’t discuss the incident for fear of tarnishing their reputation. In our view, a clear plan to tackle cybercrime is the need of the hour. Such a plan would comprise of a responsibility matrix in case of an incident, root-cause analysis and situational diagnosis of the potential impact of the incident, and remediation plan. In many cases, the onboarding of specialist third parties for undertaking these activities is also documented in the response plan.

As the world moves towards increased adoption of digital technologies, it is imperative for organizations to become aware of the potential fraud risks involved. Failure to do so can result in business disruption.
#letstalkfraud| India Fraud Survey, Edition II Point of View: Hacking shows no signs of scaling down hackers discovered that such data was worth a lot of money on the black market. Consequently, hacker focus has shifted in the This year the world has possibly experienced the largest last few years from denying service to stealing data. number of large scale data breaches ever7. Many of these breaches–involving government departments as well as private There are various tools available today which can help hackers organizations-were a result of hacking by third parties. Going attack thousands of victims in just hours. Varieties of such by recent news, it is likely that such breaches and large scale tools and “ready programs” are available on the darknet8. hacking are becoming more common. Additionally, hacker forums tend to exemplify the spirit of web- based collaboration and education, offering a rich menu of The economic drivers behind hacking have evolved dramatically tutorials, advice and technology designed to steal data. over the years. In the past, hacking was done for amusement. Hackers focused on defacement (also known as hacktivism) Unfortunately, many organizations have been unable to keep to embarrass large organizations and their security set up. up with the advancements in the hacking ecosystem and They would often black mail site operators with attacks that remain equipped with old cyber security models designed brought websites down (a “denial of service” attack), leading to to keep the ‘hacker-of-the-90s’ out. This needs to change; the invention of the network firewall to stop this. However, as organizations need to invest in building a robust preventive companies began digitizing organizational data on a large scale, framework. 
Such a framework must include the following: Data protection: Subscribing to suitable Continuous monitoring Focused training programs – Developing a robust data and up-to-date protection of internal controls can help Organizations can segregate classification regime that tools which can block links identify potential instances of their employees into different restricts data access to very to known malicious sites can data leaks or breaches, as well user groups based on the few employees can be a start. prevent access at an enterprise as suspicious activity. information they are privy Several large organizations level. Further, encryption must to such as those in the already restrict access to data be strongly recommended procurement function, finance around financial information, for all devices accessing and accounts staff, customer employee information, organizational networks relationship team, sales team, business plans and client for data. etc. Depending on the level of details. Alongside this, information these employees organizations can also limit hold, focused training the transfer of data to reduce programs must be organized potential access points for to help them recognize hackers to invade internal potential hacking scenarios systems. and avoid them. Further, any known instances of hacking attacks can be shared throughout the organization In addition to a preventive framework, organizations must also to warn employees. A leading invest in a cyber incident response plan to prevent large scale best practice is to have hacking. This includes conducting a comprehensive forensic the IT security team share readiness assessment, investigation to understand the this information alongside potential scale of the incident, assessing the damages caused recommended actions. based on the data that was sought, and having a remediation plan, including root cause analysis. 
As organizations mature, there is bound to be increased reliance on digital platforms to host data. Without the right security measures, these data platforms are likely to invite new age hackers.

[7] Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
[8] A darknet is a computer network with restricted access that is used chiefly for illegal peer-to-peer file sharing.
Social media–to be or not to be on it–remains a concern

A majority of survey respondents did not respond to the question of why their organizations used social media. Among those respondents that did, the majority said their organizations used social media for publicity and advertising, followed by understanding customer behaviour and engagement.

Figure 5: What is the primary purpose of your company using social media?

•• 5%: For direct selling of goods/services
•• 2%: To track information on fraudulent activities in your industry
•• 24%: For publicity and advertising
•• 2%: Our organization does not use social media
•• 9%: To attract new talent
•• 15%: To understand customer behavior and engage better with them
•• 1%: To track competitor activity
•• 41%: Did not respond to the question
•• 1%: Don't know
When asked to identify the fraud risks that their organizations faced on social media, respondents pointed to misuse of intellectual property by unauthorized users (68%), and use of fake profiles masquerading as the company to fool customers (65%). Both of these situations can result in loss of confidential information–both belonging to the company and to customers–that can be misused for monetary gain by fraudsters.

To manage fraud risks on social media, a majority of respondents said they relied on a dedicated social media team to monitor brand specific conversations online, reporting concerns to the risk management team. Creating a social media policy for employees to follow and working with social media vigilante organizations to spot fraud early were identified as the other common measures adopted by organizations.

Figure 6: What measures has your company taken to manage fraud and reputation risks on social media?

•• 33%: Social media risks are covered as part of the larger fraud risk management framework in our organization
•• 36%: Work closely with social media vigilante organizations to spot signs of fraud early and act on it
•• 35%: Created a social media fraud response plan with timelines and clear responsibilities to address social media fraud
•• 48%: Have a dedicated social media team to monitor brand specific conversations online and report the same to the larger risk management team
•• 33%: Assigned dedicated spokespeople who can comment on the brand on social media
•• 32%: An optional training program, on social media use by employees, is made available
•• 39%: Created a social media policy that is to be followed by all employees

Note: This is a multiple choice question and responses will not add up to 100%

When asked how they reacted to being confronted by a smear campaign, most respondents did not respond. Among those who did, 27% said they engaged with their audience by providing facts and sharing status updates on how the issue was being dealt with. Another 13% said they did not use social media, but conventional media such as advertisement or press release, to respond to smear campaigns. These sentiments indicate that organizations appear to view social media as yet another channel for communication, not very different from conventional media. There also appears to be a strong desire to control social media and drown out voices of dissent. In our experience, this may not help organizations in the long term.
Point of View: Controlling the uncontrollable – How organizations can stay safe on social media

Many organizations are choosing to have a social media presence today in order to capitalize on its potential for inexpensive, large scale communication–whether it is to further a cause, generate publicity, or generally be noticed by specific target groups. The genesis of social media lies in promoting free thought and communication. Unfortunately, this very fundamental tenet tends to pose significant fraud and reputation risks for organizations.

For starters, verification of facts prior to posting information tends to be overlooked in the rush for being the ‘first to post’. This can result in the rapid spread of misinformation, which can be difficult to curb. Recently, social media in India has witnessed significant polarization of views pertaining to many current topics – whether it be the release of certain films (possibly influencing stock prices of the organization producing the movie), the government’s move towards demonetization of currency, and organizational performance in B2C companies in light of festival season sales. In other instances, customer complaints on social media have gone viral, with people trolling the company’s accounts, thus preventing a chance for resolution.

There have also been cases where fraudsters have created fake social media profiles offering job opportunities on behalf of organizations, which may be unaware of such misuse of their brand. Unethical competitors can run campaigns using fake accounts posing as consumers or reviewers posting unfavourable product/service reviews. Yet another example of social media fraud is identity theft. We have observed that fraudsters use social media platforms to steal personal information and use it to access financial information. Such frauds can be committed from anywhere around the world, making it difficult to identify the fraudster(s).

We have also observed cases where confidential information pertaining to business plans, financials and intellectual property was released on social media by fraudsters. In these cases, privacy laws tend to have limited effectiveness because these confidential documents may reside in cloud storage systems, making it difficult to limit the number of infringed copies. Further, social media networks often change their privacy settings and unless users monitor this carefully, they may inadvertently reveal confidential information to all users of the platform.
Removing offending posts on social media is difficult and, many times offense may appear to be the only defence for organizations. In our experience, the following measures may help organizations safeguard themselves from social media fraud.

•• Monitoring the brand for misuse of brand name – There are tools available to monitor brand mentions and brand sentiment on social media. These can help understand how the brand is perceived and take corrective action wherever necessary. Often, such action can prevent undesirable information from going viral.

•• Training and awareness for employees on social media use – Clear guidelines on what content is permissible for social media sharing, who is authorized to comment on the brand in their official capacity, disclaimers that employees must use on their personal profiles to isolate risks to the brand, etc. must be outlined. Further, a dedicated training program outlining common scenarios that result in information compromise on social media can help employees understand the potential implications of their actions.

•• Managing employee accessibility to social media sites through content filtering or by limiting network through-put to social media sites. Often, employees use smart phones to access social media sites, opening up the risk of malware that may post information on social networks without their knowledge. Appropriate controls may need to be installed and continuously updated on mobile devices to better manage such risks.

•• Customer education – Disgruntled customers can pose a significant risk of bad-mouthing the brand on social media. To curb this, many organizations have a dedicated customer service channel on social media where customers are encouraged to post complaints and check the status of their complaint. While this may not be practical for all organizations, educating customers on the best possible way to resolve complaints may help reduce instances of negative coverage on social media. For instance, organizations can provide a confidential space on social media–like a closed group that encourages private conversation–to report issues with their brand.

•• Having a social media fraud response plan – Organizations may not always be able to prevent social media fraud, but they can be better prepared to deal with it. Having a reaction plan and corresponding timelines to deal with well-known instances of social media fraud may help limit the spread of misinformation and control the damage. Such a plan can include a list of actions that the organization can take when confronted with social media fraud or reputational damage. This can include the process to investigate the issue and timelines for identifying the root cause(s), procedures for on-boarding of third party experts to investigate the issue (should the need arise), guidelines on communication to clients and employees to quell fears, and maintaining a list of authorized individuals who can coordinate the organization’s response and post it through official channels.

Social media provides an opportunity for organizations to improve their customer reach at a fraction of the costs that using traditional media may incur. If adequate safeguards are put in place to prevent fraud, this platform may become a robust channel for organizations to grow business, attract quality talent, and gain customer loyalty.
Anti-competitive behavior – Are you covered?

The last two years have seen rising legislative action by the Competition Commission of India (CCI). Companies have been collectively levied fines ranging from a few crores to as much as several hundred crore rupees for violating the principles of competitive behavior outlined in the Competition Act. This exposes organizations to a relatively newer risk in the Indian context–that of their growth strategies and consequent business actions being scrutinized for inappropriate behavior in regards to competition.

That this is a relatively newer risk in the Indian context is corroborated by the responses in our survey wherein a large number of respondents have either chosen not to respond or have chosen ‘not sure’/‘don’t know’ as a response. Clearly, a greater degree of awareness of the requirements under the Competition Law needs to be created amongst businesses, so that they put robust compliance processes in place.

Figure 7: Do you believe your organization can be pulled up for anti-competitive behavior by the CCI in the near future?

•• 41%: Did not respond to the question
•• 27%: No–Our organization has a reputation of being ethical and following fair business practices.
•• 14%: Yes–we are operating in a relatively new sector/industry that is fast growing. Our unique processes, although legal, may be disrupting the market and drawing the ire of our competitors
•• 8%: Yes–we are a fast growing company and our equally well established rivals may do this in a bid to pull us down
•• 8%: No–Our sector doesn’t come under the ambit of the CCI
•• 2%: Don’t Know
Figure 8: In your opinion, does being part of an anti-competitive behavior law suit have a significant impact on your organization?

•• 11%: No–our brand is large enough to be insulated (monetarily or otherwise) from the impact of CCI proceedings
•• 41%: Did not respond to the question
•• 17%: Yes–only on our company’s reputation. Being seen as part of such a law suit may dent customer confidence irrespective of the final verdict
•• 9%: Yes–monetarily only. Fighting these cases using specialist lawyers is expensive and fines imposed by the CCI can also be quite high
•• 22%: Not sure

There appears to be lack of understanding of the risk emanating from non-compliance to Competition Law as also about what actions/behavior may constitute an anti-competitive behavior under the Law. Most respondents to the survey believed they were unlikely to be impacted by a CCI investigation whereas many others were unsure when asked if a CCI law suit would have a significant impact on their reputation.

Indian businesses will need to take this law seriously else they risk significant penalties being levied and their reputation being adversely impacted. The Competition Law redefines business conduct and some of the traditional ways of doing business may now be looked upon as unacceptable business practices. There has been a significant increase in the number of information filings with CCI as well as the number of investigations that it is carrying out. The CCI has levied fines of more than USD 2 billion over the past five years.

Compliance with the requirements of the Competition Law is a subjective matter that can be extremely complex. Hence, there seems to be some confusion in the minds of survey respondents while responding to our question with regards to compliance measures. When asked how organizations addressed potential risks arising from non-compliance to the Competition Law, respondents shared mixed reactions. One set of respondents indicated hiring specialist law firms to help draft policies pertaining to anti-competitive behavior and including a section on anti-competitive behavior as part of employee training programs. Another set of respondents said their organizations had taken no specific steps and that anti-competitive behavior was subjective, making it difficult to prepare to handle such cases.

Figure 9: What measures has your organization taken to address the risk of anti-competitive behavior?

•• 52%: Anti-competitive behavior is subjective and organizations cannot prepare specifically to handle such cases
•• 52%: The organization has not taken any specific measures to address the risk of anti-competitive behavior
•• 41%: A section on anti-competitive behavior is included as part of the regular training programs undertaken by our employees
•• 39%: We have hired a specialist law firm to help us draft policies pertaining to anti-competitive behavior; these policies are implemented across the organization
•• 36%: We have a dedicated in-house legal team that counsels our various departments against anti-competitive practices

Note: This is a multiple choice question and responses will not add up to 100%
Point of View: Mitigating chances of a CCI inquiry – Some steps for consideration

To avoid punitive action under the Competition Act, Indian business organizations need to evolve a strong culture of compliance covering increasing awareness about the requirements of law, robust code of conduct, promoting fair business practices as also individual conduct while interacting with competitors. Some specific considerations include:

•• Seek employee undertakings with regards to compliance with the Competition Act

•• Develop an anti-trust law compliance manual – Such a manual should ideally contain the following: introduction to the Competition Act and key requirements under the law; outline of businesses, business processes and key personnel that carry high risk; do’s and don’ts for the employees; expected behaviour while dealing with competitors, suppliers, dealers, traders etc.

•• Create better awareness through regular training programs for competition law compliance – A broader programme should be designed for all employees and specific programs can be developed for key business roles that have higher perceived compliance risks (teams who interact regularly with the competition, customers and suppliers). These programs should be focused on educating the participants on potential infringements and how to avoid them. Some examples of infringements include salespeople generally buying “shelf space” for their products and imposing restrictions on wholesalers and retailers. This kind of conduct is exclusionary in nature as it prohibits the wholesaler/retailer from stocking a competitor’s product. Other examples include informally discussing prices and promotional schemes with competitors at industry events or social gatherings. Ideally, such training programmes should be conducted every six months and reviewed annually.

•• Closely monitoring business information shared at meetings with trade associations, which bring together key competitors. At the very minimum, the agenda of any such meeting should be vetted by the legal counsel of the company and details of the meeting’s discussion should be shared with the legal counsel.

•• Review all trade association memberships and prepare specific guidelines for participation in such meetings

•• Conduct mock raids to sensitize employees to the possibility of sudden scrutiny by the regulator.
Conventional processes dominate overall fraud prevention, detection and response strategies

There are mixed reactions on who shoulders the responsibility of fraud risk management, with respondents indicating that the Board should be responsible for fraud prevention, whereas the Internal Audit team should be responsible for fraud detection and investigation.

While leading practices and our own experience indicate that the Chief Financial Officer (CFO) and the Chief Risk Officer/General Counsel undertake primary accountability for fraud risk management, changing business and regulatory landscapes mean other stakeholders need to assist these primary stakeholders wherever appropriate. For instance, in the information technology industry, the role of the Chief Information Officer (CIO) and Chief Information and Security Officer (CISO) becomes important in case of cybercrime, and these individuals and their teams need to support the CFO in getting information pertaining to the incident, as well as help plug gaps in internal controls. Similarly, in the real estate business, procurement is a significant fraud risk that is fraught with legal complications and hence the Legal Head may have to support the CFO in information gathering and resolution of potential fraud. In the Pharma industry, the Chief Compliance Officer usually assists the CFO wherever there are allegations pertaining to regulatory noncompliance.

Irrespective of who has the primary responsibility to manage fraud risks, it is important for a robust system to be in place to review fraud risk management measures. It is heartening to note that 39% of respondents indicated that their organizations undertook continuous monitoring of controls. However, organizations must also ensure that controls are periodically updated in line with the business landscape and knowledge of potential frauds, failing which they may not be able to prevent new frauds. As new data gets generated within organizations, an automated system of continuous monitoring is the way forward.
Figure 10: How often do you review your fraud risk management measures?

•• 15%: Annually
•• 1%: Once a month
•• 10%: Once a quarter
•• 2%: Once every 6 months
•• 8%: We don’t review our framework unless we encounter an incident
•• 3%: We review our framework subject to regulatory requirements changing
•• 39%: We undertake continuous monitoring of controls
•• 22%: Did not respond to the question
Point of View: Automation is the future of fraud risk management

A fraudster is always one step ahead and with technological advancements, he/she is also developing newer ways to perpetrate sophisticated fraud schemes that appear difficult to detect or prevent. Recent instances of large scale hacking and social engineering are indicators of what technology, in the hands of fraudsters, can result in. To stay ahead of the curve, organizations need to invest in the next generation of automated fraud risk management measures to ensure safety.

Historically, most organizations have built home-grown systems that use business rules to manage their fraud detection processes. These hand-crafted rules which are framed as “if-then” statements are called Robotics Process Automation (RPA) techniques. An example would be: “if several transactions are made within a short amount of time in a different state, then send the account for manual review” or “if an isolated transaction takes place by using a customer’s credit card from a country other than what is mentioned in the registered address, then send this transaction for further screening”. These rules have been built and refined based on decades of manual experience of analysing fraud data. Many of these rules are set up to provide additional analysis for unusual transaction behaviour. Although proven to be very useful, particularly for the e-commerce and m-commerce industries, RPA techniques tend to work efficiently primarily in a structured data environment.

In today’s day and age, however, the amount of data being produced and the complexity of analysis has grown to unprecedented levels. This is making the manual process of building and maintaining business rules expensive, time intensive and less predictive. This is where, we believe, machine learning technology can be useful.

Machine learning uses computer systems with artificial intelligence capability to autonomously learn, predict, act, and explain without being explicitly programmed. This means the computer can learn from the outcomes of analysing existing data, and those learnings can then be applied to newly generated data to provide insights. This can be better understood through the example of online chess. A computer which either wins or loses, assigns a value to the series of winning moves it used during that game. After playing several such games, the system can predict which moves are most likely to result in a winning situation.

Similarly, a machine learning system could learn to distinguish between suspicious transactions (which are potentially outside the normal patterns of activity) and legitimate ones. Further, machine learning can also analyse big data more efficiently, build statistical models quickly, and react to new suspicious behaviours faster.

Machine learning can also be extended to multiple environments such as ecommerce and m-commerce to prevent and detect frauds. These systems can scale up to meet the demands of big data with greater flexibility than traditional methods used for fraud prevention and detection. We are already seeing increasing implementation of machine learning systems at banks and it is a matter of time before this becomes widespread across other industries. We believe the advent of machine learning for fraud prevention will change how organizations manage their fraud risk programs. Human oversight and intuition will remain critical to success, but machines will increasingly do the heavy lifting.
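The two “if-then” rules quoted in this Point of View can be written as a small rule engine; the following is an added example, not code from the survey or its authors. The 30-minute window, the threshold of three transactions, the reading of “a different state” as a state other than the registered one, and all account data and transactions are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str
    when: datetime
    state: str    # state where the transaction took place
    country: str  # country where the card was used


# Constructed customer master data: account -> (registered state, registered country).
REGISTERED = {"ACC-1": ("MH", "IN"), "ACC-2": ("KA", "IN")}


def evaluate(txns, registered, window=timedelta(minutes=30), min_count=3):
    """Apply both quoted rules and return (accounts_for_review, txn_ids_to_screen).

    window and min_count are assumed values for "a short amount of time"
    and "several transactions"; the survey gives no numbers.
    """
    review = set()
    screen = []
    recent = defaultdict(deque)  # account -> times of recent out-of-state txns

    for t in sorted(txns, key=lambda x: x.when):
        home_state, home_country = registered[t.account]

        # Rule 2: card used from a country other than the registered one
        # -> send this transaction for further screening.
        if t.country != home_country:
            screen.append(t.txn_id)

        # Rule 1: several transactions in a short time in a different state
        # -> send the account for manual review.
        if t.state != home_state:
            q = recent[t.account]
            q.append(t.when)
            # Drop entries that have aged out of the sliding window.
            while t.when - q[0] > window:
                q.popleft()
            if len(q) >= min_count:
                review.add(t.account)

    return review, screen


# Constructed sample transactions (not survey data).
_base = datetime(2016, 11, 1, 10, 0)
SAMPLE = [
    Txn("T1", "ACC-1", _base, "MH", "IN"),                          # home state
    Txn("T2", "ACC-1", _base + timedelta(minutes=5), "DL", "IN"),
    Txn("T3", "ACC-1", _base + timedelta(minutes=12), "DL", "IN"),
    Txn("T4", "ACC-1", _base + timedelta(minutes=20), "DL", "IN"),  # 3rd in window
    Txn("T5", "ACC-2", _base, "TN", "IN"),
    Txn("T6", "ACC-2", _base + timedelta(hours=3), "TN", "IN"),     # too far apart
    Txn("T7", "ACC-2", _base + timedelta(hours=4), "SG", "SG"),     # foreign use
]

if __name__ == "__main__":
    accounts, txn_ids = evaluate(SAMPLE, REGISTERED)
    print("manual review:", sorted(accounts))
    print("further screening:", txn_ids)
```

Narrowing `window` to ten minutes makes the same three ACC-1 transactions pass unflagged, which illustrates the maintenance cost of hand-tuned thresholds that the text describes.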
In the area of fraud prevention we are seeing a rise in preference for conducting due diligence prior to onboarding business partners. This is a welcome change, but can also be a challenge for companies considering India still has a very fragmented data regime, posing a challenge for companies seeking details for due diligence. Depending on the scope of relationship sought with the business partner, due diligence needs may be outsourced to specialist organizations.

Figure 11: What measures does your company adopt to prevent incidents of fraud?

•• 24%: Engage third party experts to assess our fraud risk management frameworks at least once a year
•• 30%: Dedicated fraud prevention unit that researches new frauds and communicates them to the fraud risk management teams
•• 79%: Effective tone at the top, followed by implementing policies for fraud and consequence management, code of conduct, etc.
•• 61%: Conducting a due diligence check (Third party/Senior Management/Business associate, etc.)
•• 50%: Dedicated training programs to address most susceptible frauds such as bribery and corruption, conflict of interest, procurement fraud, etc.
•• 66%: General fraud awareness trainings and workshops
•• 65%: Fraud risk assessment/monitoring of fraud control frameworks–either manually or using technology such as fraud analytics and fraud management systems
•• 89%: Internal Audit/Risk Assessment

Note: This is a multiple choice question and responses will not add up to 100%