India Fraud Survey Edition II - Deloitte
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
India Fraud Survey Edition II Forensic
#letstalkfraud| India Fraud Survey, Edition II
3
#letstalkfraud| India Fraud Survey, Edition II
Foreword
Disruptive events, enabled by disruptive consistently, will be more likely to emerge
technologies and business models are winners in this race for economic
increasingly characterizing both the Global dominance. A lot of this success would
and the Indian economy. The rapid pace of also depend on how businesses structure
adoption of e-commerce, online banking, themselves internally – such as having a
and social media means consumers today strong focus on instituting robust internal
have access to information about products processes and controls, reliance on
and services before they are formally automation for monitoring transactions
introduced in the market, and are able to and identifying suspicious activity,
pass judgement on their effectiveness. gathering business intelligence through
Events such as the recent demonetization analytics, and developing transparent
announcement by the government are governance models. Incidentally, these are
further changing the dynamics of the among the areas that India organizations
economic environment. Regulatory have traditionally been slow to develop.
frameworks, particularly those that govern
business conduct, are evolving to keep The limited preparedness to foresee
pace with these developments. the impact of changing trends and build
a robust backend supporting system
In this dynamic environment, traditional can slow down progress and make
businesses can no longer afford to sit organizations vulnerable to several risks
back, unscathed by the changing world including those of fraud. This edition
around them. Organizations have little reveals the inertia among large and
choice but to adapt and remain relevant small organizations in their fraud and
to customers. While some may see this noncompliance management efforts. It also
as an unsurmountable challenge, fraught provides suggestions that organizations will
with uncertainty, I feel we are fortunate to find useful in their quest to know and fight
witness the evolution of a new economic emerging fraud and noncompliance issues.
order.
I hope you find this report a compelling
India and Indian businesses, no doubt, read, as I did.
will continue to grow in size despite the
challenges they face. Businesses that
succeed in becoming agile, leveraging Regards
technology effectively, and innovating N Venkatram
4
#letstalkfraud| India Fraud Survey, Edition II
Introduction
“Fraud is rising in India,” “stopping fraud mitigate old menaces such as bribery and
is the responsibility of the CEO,” “fraud corruption, indicating a lack of commitment
cannot be eliminated,” and “junior people and resources to dedicate towards fraud
commit frauds.” These are some of the risk management. Given the inherent
sentiments on fraud we hear as part of our limitations of these organizations, there is
jobs. One topic, multiple perspectives. need for government intervention to help
small and medium enterprises tackle fraud.
Today everyone has an opinion on fraud. In this regard, increased digitization in all
Be it a working professional, far from the spheres of business combined with strong
rigors of the finance discipline or a small enforcement of anti-fraud laws may benefit
company struggling to recover losses, small organizations.
or a multinational concerned about
reputation. It is this diversity of opinions Successful fraud risk management efforts
and experiences that makes the fraud tend to go beyond strong internal controls
landscape in India complex. Consequently, or the presence of policies. Employees
fraud risk management efforts tend to can play an influential role in the success
become unique and challenging across of fraud risk management efforts, as
organizations. indicated by a majority of respondents to
our working professionals’ fraud survey.
This is what our survey results also indicate. Perhaps it is time organizations – large and
Multinational organizations appear small – nurtured a community of 'employee
to be primarily focused in preventing influencers' who can reinforce ethical
known frauds such as bribery and behaviors and mitigate the risk of fraud.
corruption, diversion/ theft of funds and
vendor favoritism, even as the business The 2016 edition of the India Fraud
landscape exposes them to new fraud and survey also puts the spotlight on five new
noncompliance risks such as cybercrime, business trends that will likely impact the
social media and anti-competitive behavior. fraud landscape in the future –Blockchain,
So while we observe increased adoption Internet of Things, Robotics, Cashless
of automation and continuous monitoring transactions and Online market places.
as part of fraud risk management As a first, we also have perspectives from
efforts, these initiatives will always find it the Deloitte member firms in Japan and
challenging to detect new and emerging Australia on the fraud concerns in their
frauds. countries and possible challenges faced by
some of their clients while working in India.
Small and medium enterprises on the
other hand, appear to be struggling to We hope you find this survey report useful.
Uday Bhansali Rohit Mahajan
President - Financial Advisory APAC Leader, Partner and Head – Forensic
Deloitte India Financial Advisory, Deloitte India
5
#letstalkfraud| India Fraud Survey, Edition II 6
#letstalkfraud| India Fraud Survey, Edition II
Contents
••Key findings 8
••Focused on safeguarding themselves 12
from well-known frauds, large
companies grapple to understand
emerging frauds
••Focused on growth, the commitment 36
to fight fraud is found wanting among
small and medium companies
••Employees want to play an active role 52
in fighting fraud - Perspectives from
working professionals
••The future of fraud – Business 58
developments that can impact the
fraud landscape in India
••Foreign perspectives on dealing with 70
fraud in India
••Acknowledgements 73
••About the survey 73
7#letstalkfraud| India Fraud Survey, Edition II Key findings 8
#letstalkfraud| India Fraud Survey, Edition II
Large companies’ survey
- Perspectives from companies with over ` 200 Crore turn over
and/or over 200 employees
70% of respondents felt incidents of fraud
will increase in the next two years
Top reasons that contribute to fraud include – diminishing ethical values (38%), lack of
efficient control system (37%), inadequate due diligence (37%) and unrealistic goals linked
to monetary compensation (37%)
Vendor favoritism (42%), diversion/ theft of funds (33%) and
bribery and corruption (30%) were the top fraud incidents
experienced by organizations
Procurement (35%) and vendor/ partner
selection (25%) were considered the functions
most vulnerable to fraud risks
Junior and Middle management
employees were considered the most
likely to commit fraud
Top three measures undertaken to prevent fraud include – Internal Audit/
Risk assessment (89%), Tone at the top and implementation of anti-fraud
policies (79%), and fraud awareness workshops and trainings (66%)
Fraud is mostly detected through
whistleblower hotlines
Response to fraud is complex and determined on a case to case basis – 43% said investigations were
commenced based on the severity of fraud; 36% said the fraudster was allowed to resign in lieu of pressing
legal charges; and 33% said fraud was communicated to employees, the Board and regulatory agencies
Preparedness to emerging fraud and noncompliance
risks such as social media and anti-competitive behavior
appears to be low
9#letstalkfraud| India Fraud Survey, Edition II
Small and medium enterprises survey
- Perspective from companies with under ` 200 Crore turn over
and/or under 200 employees
54% of respondents felt incidents of fraud will
increase in the next two years
Top three reasons that contribute to fraud
include the following – diminishing ethical values
(68%), limited/ lack of segregation of duties (68%)
and limited employee education on fraud (60%)
Top three frauds experienced by organizations
include – Diversion/ theft of funds (32%),
bribery and corruption (28%) and conflict of
interest (26%)
The most common forms of corruption
experienced include – collusive bribery (69%)
and facilitation payments (69%)
Procurement (44%) and sales and distribution
(29%) were considered the functions most
vulnerable to fraud risks
32% felt complying with anti-fraud regulation
placed additional burden on them
Fraud prevention efforts were found wanting –
48% felt there wasn’t enough commitment; 42%
felt there was inadequate budget and resource
allocation to prevent fraud; 25% reviewed their
fraud risk management frameworks only upon
an incident occurring; and 23% addressed fraud
observations within 1-2 months of the incident
Top three measures undertaken to prevent
fraud include – Independent Audits (71%),
implementing a code of conduct (62%), and
regular monitoring and assessment of fraud
risks (52%)
Deploying technology to curb fraud is
a challenge with 17% citing budgetary
constraints, and 23% claimed lack of clarity
around the utility of such tools
Response to fraud is complex and determined
on the basis of the materiality of fraud (19%)
Top actions taken upon detection of fraud
include – internal investigation (71%), review/
updating of existing controls (53%) and asking
the fraudster to resign (53%)
10#letstalkfraud| India Fraud Survey, Edition II
Working professionals’ survey
65% of respondents felt 70% felt their employers
incidents of fraud will increase encouraged them to provide
in the next two years enough opportunities to share
instances of unethical behavior
Top three reasons that contribute
Are laws on curbing fraud
to fraud include – Weak/ ineffective
effective? – Yes (47%), No (42%)
controls (65%), technological
advancements (43%), and general
decline in ethical values (42%)
Top three frauds experienced by
organizations include – bribery Primary responsibility to fight
and corruption (43%), financial fraud lies with the citizens (56%)
statement fraud (40%), and
embezzlement of funds (39%)
Frauds personally experienced Top three measures the Government
by working professionals include can take that will help reduce fraud in
–bribery and corruption at India – stronger enforcement (90%),
government offices (59%), identity greater adoption of technology (63%)
theft (37%) and sector specific and government advisory on key fraud
frauds (31%) schemes (63%)
In response to fraud, 55% of Top 3 measures that corporates can take
respondents claimed they did to reduce fraud – openly discuss fraud
nothing as there was no way to and educate employees (61%), recognize
recover losses and reward ethical behavior (59%), and
name and shame wrong do-ers (57%)
11#letstalkfraud| India Fraud Survey, Edition II Focused on safeguarding themselves from well-known frauds, large companies grapple to understand emerging frauds Conventional frauds continue to dominate the fraud landscape In line with our 2014 survey, around 70% of Corporate India continues to believe that fraud will rise over the next two years. Fraud was attributed mainly to diminishing ethical values, lack of an effective/ efficient control system, inadequate due diligence on employees/ third parties and unrealistic targets/ goals linked to monetary compensation, indicating that fraud continues to be driven by concerns internal to the organization. Correspondingly, procurement (35%), vendor/ partner selection and management (25%), and sales and marketing (18%) were identified as the functions most susceptible to fraud. Among the type of frauds experienced, survey respondents indicated vendor/ customer/ business partner favoritism, diversion and bribery and corruption as the top three frauds. Further, the survey indicated that organizations could lose an average of between `10 Lakh and `1 crore to fraud. A little more than a quarter of respondents indicated they were unable to quantify the fraud loss. 12
#letstalkfraud| India Fraud Survey, Edition II
Figure 1: Which of the following types of fraud/misconduct/ malpractice has your
organization experienced in the last two years?
My company has not experienced any
type of fraud 20%
Other (please specify) 6%
eCommerce
related frauds 8%
Counterfeiting 13%
Supply Chain fraud 18%
Capital market related frauds
like insider trading 2%
Intellectual
property fraud 7%
Corporate
espionage 2%
Data theft
21%
Financial misreporting 10%
Regulatory
non-compliance 14%
Internet and/or
Cyber fraud 18%
Bribery and
corruption 30%
Vendor/customer/business
partner favoritism
42%
Material
pilferage 21%
Diversion/theft
of funds 33%
Note: This is a multiple choice question and responses will not add up to 100%
Interestingly, while respondents did not Given the robust anti-bribery and possible outcomes of indulging in private
rate bribery and corruption as the most corruption compliance policies that large bribery schemes. Upon unearthing of such
common fraud experienced by their domestic and multinational corporations schemes the organization in question may
organizations, favoritism in appointing have in place, it is heartening to note that face reputational damage from the media,
vendors and business partners is often organizations may now be tackling public denial of capital from financial institutions
in the backdrop of kickbacks and bribes bribery better than they may have in the and volatility in stock prices. Although
being exchanged between colluding past. However, in our experience, private currently there is requirement for a law
parties. It appears that organizations may bribery schemes are no less dangerous to that specifically prohibits private sector
be differentiating between private bribery organizations. bribery1, indulging in it may be a potential
and public bribery schemes: the former violation of the Companies Act, 2013 as well
does not involve a government servant, Potential conflict of interest, deteriorating as Clause 49 of the SEBI Listing Agreement
but employees of private organizations product/ service quality as a result of that seeks to reinforce good corporate
colluding with each other for mutual hiring favored business partners, and governance and fraud risk management2.
benefits. diversion/ theft of funds are some of the
1
The proposed amendments to the Prevention of Corruption (Amendment) Bill, 2013 cover organizations who indulge in bribe- giving, unlike the 1998 Act that
only covered public servants who were recipients of bribery. Further, the draft Indian Penal Code (Amendments) Bill, 2011 is the only proposed legislation that
encompasses graft / corruption by individuals, firm, society etc that undertakes any economic activity.
2
The companies Act, 2013, looks at bribery and corruption as practices that may amount to fraud schemes such as procurement fraud, diversion of goods/theft etc.
Although, the act of indulging in bribery itself is not a violation of the Act, the resulting fraud and the inability of organizations to prevent it may result in a violation.
Similarly, if the end result of private bribery involves insider trading and unauthorized related party transactions, these actions may violate Clause 49 of the SEBI listing
agreement. Source - http://www.mondaq.com/india/x/434208/Securities/Disclosures+Under+SEBI+Listing+And+Disclosure+Regulations+2015
13#letstalkfraud| India Fraud Survey, Edition II
In the area of public corruption, in being enlisted on stock exchanges (in
there appears to be increased awareness of India and overseas) (44%) and reduction in
how indulging in such practices can impact profits (41%) were perceived to be the most
the organization. Overseas regulatory damaging outcomes of indulging in bribery
noncompliance (52%), potential difficulties and corruption.
Figure 2: In your opinion, what are the ways in which corruption can impact your company?
23%
Corruption imposes
additional costs on
37% doing business
41%
None of these
Corruption does not Corruption reduces
impact my business profits
34%
28% Corruption affects
Corruption dents my reputation and,
shareholder morale consequently, the ability to
and results in win business and attract
greater dissent talented professionals
44% 52%
Incidents of corruption
make it difficult for my There is rise in regulatory
company to get listed on risks from foreign
stock exchanges in India
and overseas
33% legislations such as US
FCPA and UK BA, owing to
Incidents of corruption the trans-national nature
make it difficult for my of our business
company to seek funding
from banks
Note: This is a multiple choice question and responses will not add up to 100%
Rising regulatory focus by the Indian of respondents believing that stringent
government is also building a case for a enforcement of anti-bribery regulations
corruption free corporate India with 30% could end this menace.
14#letstalkfraud| India Fraud Survey, Edition II
Organizations are unable to tackle counterfeiting extended to reputation in light of fierce competition for
Counterfeiting primarily occurs due to the inability of market share. In recent times, the proceeds from counterfeit
organizations to educate employees and customers on the products have also facilitated terrorist financing and
potential damages of dealing with duplicates and counterfeit anti-national activities. Accordingly, about 39% of survey
products. While, in the past, counterfeiting’s primary impact respondents have indicated that they were unsure/unable to
was loss of revenue for organizations, today it has also quantify the effects of counterfeiting.
Figure 3: In your opinion, what is the perceived loss due to intellectual property (IP) theft and counterfeiting to organizations?
18% Cannot be quantified Dont't know/Unsure
21%
as the effects are
long term
3% More than 10%
of revenues
3% 5-10% of revenues 8%
Less than 1%
of revenues
13% 1-5% of revenues
Note: 34% did not respond to the question.
According to survey respondents, organizations can take using third party experts to gather intelligence, and through
several measures to curb counterfeiting such as drawing employee education.
up clauses specific to counterfeiting/IP theft in contracts,
15#letstalkfraud| India Fraud Survey, Edition II
Point of View: Leveraging technology to curb counterfeiting
As consumerization in India grows, there is also an accompanied rise in the movement of counterfeit goods in the market. Several
industry reports point to counterfeits amounting to at least 25 percent3 of total goods circulating in the market across various
product categories. While corporates are aware of this menace, efforts to curb counterfeits often tend to be inadequate. In our
experience, investing in anti-counterfeit technologies may provide better safeguards against counterfeiting. Some options are
discussed below.
$
Working with digital marketplaces
Radio Frequency Identification – The proliferation of ecommerce has
(RFID) – RFID can provide labelling been accompanied by a rise in online
technology like barcodes, but with sales of counterfeits and duplicate
greater capability. Barcodes typically products. However, unlike physical
encode product-labelling information market places, it may be relatively easy
like names and serial numbers, but to combat online counterfeit product
nothing more. They require direct sales, if organizations work closely with
Smartphone applications – These line-of-sight for access, can store only web platform providers. A simple move
allow consumers to quickly check if small amounts of information, and such as search engine optimization –
an item is authentic prior to making have minimum size requirements for where organizations invest to create
a purchase. It also empowers effectiveness. As such, small sized content that promotes authentic
brand owners to identify, track, and items present challenges for item level products – can help consumers become
prevent brand infringers from selling barcode labelling. RFID technology, more aware of authentic products, their
counterfeit products. Typically, retail on the other hand, embeds labelling features and pricing. Consequently, if
companies can put a Unique Product information in non-volatile memory search results start showing authentic
Identifier (UPI) on the product or on devices, which in turn embeds in a products in the top listings, fakes tend
the packaging. Consumers can use product. Unlike barcodes, RFID tags to get pushed to the bottom where
their smartphones to scan the UPI. come in various sizes (sometimes as they may not enjoy visibility. Further,
If the item is counterfeit, the system small as a grain of rice), have greater by adopting a more visible digital
will notify the consumer that the storage capacity, and do not require profile – such as having a web page
product cannot be authenticated4. direct line-of-sight for access. The with online sales capability, a Facebook
Some smartphone applications absence of size and line-of-sight page, Twitter handle, etc., brands can
also allow users to take photos of limitations allows RFID tags to embed stymie efforts by counterfeiters trying
possible counterfeits and upload virtually into any product for flexible to steal the ecommerce spotlight.
them to an online map that’s linked labelling down to the item level. This Increasingly, ecommerce platforms are
to a GPS locator5. This can alert other capability enables automatic tracking also blacklisting vendors providing fake
consumers of counterfeits in specific and inventory control with strategically products and initiating action against
locations. placed interrogators. them 6.
Like many other fraud schemes, it is industry has successfully embraced some options and adopt those that are cost
easier to prevent counterfeiting than of these technologies and managed to curb effective and user friendly.
to respond to incidents of large scale counterfeiting to a significant extent. Other
counterfeiting. The luxury products product companies can also explore these
3
Source: http://indianexpress.com/article/india/india-others/about-rs-39000-crore-loss-in-one-year-due-to-illicit-markets-in-manufacturing-sectors-ficci-report/
4
The Smart phone App ‘Authenticateit’ follows this technique to check for counterfeiting.
5
Black Market Billions is a crowdsourcing app that operates with this technique.
6
Source: http://fortune.com/2016/11/14/amazon-counterfeit-items-lawsuit/
16#letstalkfraud| India Fraud Survey, Edition II
Focus remains on mitigating the changing business landscape and push stem from limited understanding and the
known frauds to adopt technology in improving business inability of organizations to detect patterns
Overall, there appears to be little change outcomes, it is surprising to note that that may point to such fraud risks. If the
in most of the trends discussed so far organizations continued to rate concerns current levels of fraud awareness were to
compared to our 2014 survey. Frauds such as cybercrime, IP fraud, e-Commerce continue, organizations may be unlikely to
identified as concerns have been limited to fraud, and counterfeiting relatively low in mitigate new frauds in the future.
well-known categories such as bribery and terms of organizational impact. We believe
corruption, theft and favoritism. Despite this inexperience of new fraud risks could
Point of View: Organizations need to prepare for fraud arising from new business dynamics
In the last two years, three of the most significant fraud and potential fraud in adopting e-procurement models. In theory,
reputational damage cases reported by the media arose due while e-procurement may not pose the same fraud risks as a
to social media exposure. These large global brands were conventional procurement process, and may be touted as the
questioned by consumers on their quality assurance practices, ‘fraud free’ frontier for the procurement function, practical
which upon investigation led to the discovery of noncompliance, experience can show otherwise. For instance, our 2014 fraud
malpractice and fraud. In two of these cases, the brands had to survey indicated online payments, procurement of materials,
recall products from the market resulting in huge losses, and and trading in stock markets as areas vulnerable to fraud risks
had to invest in brand re-building measures until consumers in e-commerce transactions.
could regain faith.
Further, in the past, organizations were aided by relative
Interestingly, these brands remain heavily invested in social inaction from governments to bring about paradigm change
media for customer engagement. Yet, they did not foresee the in the way business was conducted. However, that appears
potential risks arising from this platform. to be changing today. The last two years have indicated a
determination on the government’s part to ensure ease of
In our experience, large organizations in India continue to be conducting business–whether that is by moving towards
saddled with legacy practices and tend to remain fixated on simplifying laws and tax structures or by pushing for cashless
them–whether it is for business process improvements or transactions. In such a scenario, organizations will experience
fraud risk management. So, while one may see a very robust new frauds, unless they proactively anticipate them and
fraud risk management framework to prevent, say procurement establish processes to mitigate these frauds.
fraud, there may be little or no steps taken to anticipate
17#letstalkfraud| India Fraud Survey, Edition II
Preparedness to tackle emerging fraud and regulatory
noncompliance risks remains low
Limited understanding of cybercrime regulatory risks, were identified as the
Reputational damage, IP theft and most likely impact of cybercrime.
Figure 4: According to you, what is the greatest impact of cybercrime?
50%
Reputational
damage
34%
Cost of
40% investigation
and damage
Service
control
disruption
33%
42% Actual financial
Regulatory loss from the
risks activity
50% 37%
IP theft, Theft or loss
Note: This is a
multiple choice including theft of personal
question and of data information
responses will not
add up to 100%
18#letstalkfraud| India Fraud Survey, Edition II
Considering the media has reported about 2014 fraud survey states that only 5% of
organizations losing several million dollars survey respondents indicated that their
to cybercrime globally, it is surprising organizations had sustained losses from
to note that survey respondents rated cloud-based intrusions. Around 43% were
financial loss from cybercrime low on the unaware of data loss or leakages arising
scale. We believe this could be due to the from hacking or hijacking of cloud services
limited understanding of how cybercrime and a similar percentage of those surveyed
can manifest itself. reported no losses. This is no different
from what we observe today.
For instance, cloud computing fraud is one
of the manifestations of cybercrime. With In the area of cybercrime prevention,
increasing number of users demanding majority of organizations still appear to
simultaneous access to data and be grappling with cybercrime, with a third
applications over multiple devices such saying they didn’t discuss the incident for
as desktop PCs, notebook computers, fear of tarnishing their reputation. In our
smartphones, and now smart watches, view, a clear plan to tackle cybercrime is
cloud computing is gaining appeal for both the need of the hour. Such a plan would
enterprise and personal use. The current comprise of a responsibility matrix in
state of technology makes it possible case of an incident, root-cause analysis
to edit and share documents and data and situational diagnosis of the potential
across multiple devices and locations. impact of the incident, and remediation
Some subscriptions also allow users to plan. In many cases, the onboarding of
collaborate and interact in real-time. As the specialist third parties for undertaking
number of cloud-based service providers these activities is also documented in the
grow, risk to systems and intellectual response plan.
property have also grown.
As the world moves towards increased
While well-known service providers have adoption of digital technologies, it is
sophisticated security and access control imperative for organizations to become
systems, the safeguards employed by aware of the potential fraud risks involved.
scores of lesser-known service providers Failure to do so can result in business
may not be relatively well documented. disruption.
Some of the key risks that users of cloud
computing may face include data loss from
unauthorized use of low-quality systems,
hacking, theft of intellectual property, and
theft of confidential customer data. Our
19#letstalkfraud| India Fraud Survey, Edition II
Point of View: Hacking shows no signs of scaling down hackers discovered that such data was worth a lot of money on
the black market. Consequently, hacker focus has shifted in the
This year the world has possibly experienced the largest last few years from denying service to stealing data.
number of large scale data breaches ever7. Many of these
breaches–involving government departments as well as private There are various tools available today which can help hackers
organizations-were a result of hacking by third parties. Going attack thousands of victims in just hours. Varieties of such
by recent news, it is likely that such breaches and large scale tools and “ready programs” are available on the darknet8.
hacking are becoming more common. Additionally, hacker forums tend to exemplify the spirit of web-
based collaboration and education, offering a rich menu of
The economic drivers behind hacking have evolved dramatically tutorials, advice and technology designed to steal data.
over the years. In the past, hacking was done for amusement.
Hackers focused on defacement (also known as hacktivism) Unfortunately, many organizations have been unable to keep
to embarrass large organizations and their security set up. up with the advancements in the hacking ecosystem and
They would often black mail site operators with attacks that remain equipped with old cyber security models designed
brought websites down (a “denial of service” attack), leading to to keep the ‘hacker-of-the-90s’ out. This needs to change;
the invention of the network firewall to stop this. However, as organizations need to invest in building a robust preventive
companies began digitizing organizational data on a large scale, framework. Such a framework must include the following:
Data protection: Subscribing to suitable Continuous monitoring Focused training programs –
Developing a robust data and up-to-date protection of internal controls can help Organizations can segregate
classification regime that tools which can block links identify potential instances of their employees into different
restricts data access to very to known malicious sites can data leaks or breaches, as well user groups based on the
few employees can be a start. prevent access at an enterprise as suspicious activity. information they are privy
Several large organizations level. Further, encryption must to such as those in the
already restrict access to data be strongly recommended procurement function, finance
around financial information, for all devices accessing and accounts staff, customer
employee information, organizational networks relationship team, sales team,
business plans and client for data. etc. Depending on the level of
details. Alongside this, information these employees
organizations can also limit hold, focused training
the transfer of data to reduce programs must be organized
potential access points for to help them recognize
hackers to invade internal potential hacking scenarios
systems. and avoid them. Further,
any known instances of
hacking attacks can be shared
throughout the organization
In addition to a preventive framework, organizations must also to warn employees. A leading
invest in a cyber incident response plan to prevent large scale best practice is to have
hacking. This includes conducting a comprehensive forensic the IT security team share
readiness assessment, investigation to understand the this information alongside
potential scale of the incident, assessing the damages caused recommended actions.
based on the data that was sought, and having a remediation
plan, including root cause analysis.
As organizations mature, there is bound to be increased
reliance on digital platforms to host data. Without the right
security measures, these data platforms are likely to invite new
age hackers.
7
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
8
A darknet is a computer network with restricted access that is used chiefly for illegal peer-to-peer file sharing.
20#letstalkfraud| India Fraud Survey, Edition II
Social media–to be or not to be on said their organizations used social media
it–remains a concern for publicity and advertising, followed by
A majority of survey respondents did understanding customer behaviour and
not respond to the question of why their engagement.
organizations used social media. Among
those respondents that did, the majority
Figure 5: What is the primary purpose of your company using social media?
5% @
For direct
selling of goods/ $
services
2%
24% To track information
For Publicity on fraudulent
and advertising activities in your
industry
2% 9%
Our organization
To attract does not use
new talent social media
15%
1%
To understand
customer behavior To track
and engage better competitor
with them activity
41%
Did not respond
to the question
1%
Don't know
21#letstalkfraud| India Fraud Survey, Edition II
When asked to identify the fraud risks information–both belonging to the online, reporting concerns to the risk
that their organizations faced on social company and to customers–that can be management team. Creating a social media
media, respondents pointed to misuse misused for monetary gain by fraudsters. policy for employees to follow and working
of intellectual property by unauthorized with social media vigilante organizations
users (68%), and use of fake profiles To manage fraud risks on social media, to spot fraud early were identified as the
masquerading as the company to a majority of respondents said they other common measures adopted by
fool customers (65%). Both of these relied on a dedicated social media team organizations.
situations can result in loss of confidential to monitor brand specific conversations
Figure 6: What measures has your company taken to
manage fraud and reputation risks on social media?
33%
Social media risks are covered as part of the larger fraud
risk management framework in our organization
36%
Work closely with social media vigilante organizations to
spot signs of fraud early and act on it
35%
Created a social media fraud response plan with timelines
and clear responsibilities to address social media fraud 48%
Have a dedicated social media team to monitor brand
specific conversations online and report the same to the
larger risk management team
33%
Assigned dedicated spokespeople who can comment
on the brand on social media
32%
An optional training program, on social media use by
employees, is made available
39%
Created a social media policy that is to be followed
by all employees
Note: This is a multiple choice question and responses will not add up to 100%
When asked how they reacted to being issue was being dealt with. Another 13% as yet another channel for communication,
confronted by a smear campaign, most said they did not use social media, but not very different from conventional media.
respondents did not respond. Among conventional media such as advertisement There also appears to be a strong desire to
those who did, 27% said they engaged or press release, to respond to smear control social media and drown out voices
with their audience by providing facts campaigns. These sentiments indicate that of dissent. In our experience, this may not
and sharing status updates on how the organizations appear to view social media help organizations in the long term.
22#letstalkfraud| India Fraud Survey, Edition II
Point of View: Controlling the uncontrollable – How There have also been cases where fraudsters have created
organizations can stay safe on social media fake social media profiles offering job opportunities on behalf
of organizations, which may be unaware of such misuse of
Many organizations are choosing to have a social media their brand. Unethical competitors can run campaigns using
presence today in order to capitalize on its potential for fake accounts posing as consumers or reviewers posting
inexpensive, large scale communication–whether it is to unfavourable product/service reviews. Yet another example
further a cause, generate publicity, or generally be noticed of social media fraud is identity theft. We have observed
by specific target groups. The genesis of social media lies in that fraudsters use social media platforms to steal personal
promoting free thought and communication. Unfortunately, information and use it to access financial information. Such
this very fundamental tenet tends to pose significant fraud and frauds can be committed from anywhere around the world,
reputation risks for organizations. making it difficult to identify the fraudster(s).
For starters, verification of facts prior to posting information We have also observed cases where confidential
tends to be overlooked in the rush for being the ‘first to post’. information pertaining to business plans, financials and
This can result in the rapid spread of misinformation, which can intellectual property was released on social media by
be difficult to curb. Recently, social media in India has witnessed fraudsters. In these cases, privacy laws tend to have limited
significant polarization of views pertaining to many current effectiveness because these confidential documents may
topics – whether it be the release of certain films (possibly likely reside in cloud storage systems making it difficult to
influencing stock prizes of the organization producing the movie), limit the number of infringed copies. Further, social media
the government’s move towards demonetization of currency, networks often change their privacy settings and unless
and organizational performance in B2C companies in light of users monitor this carefully, they may inadvertently reveal
festival season sales. In other instances, customer complaints on confidential information to all users of the platform.
social media have gone viral, with people trolling the company’s
accounts, thus preventing a chance for resolution.
23#letstalkfraud| India Fraud Survey, Edition II
Removing offending posts on social media is difficult and, be practical for all organizations, educating customers
many times offense may appear to be the only defence for on the best possible way to resolve complaints may help
organizations. In our experience, the following measures reduce instances of negative coverage on social media. For
may help organizations safeguard themselves from social instance, organizations can provide a confidential space on
media fraud. social media–like a closed group that encourages private
conversation–to report issues with their brand.
•• Monitoring the brand for misuse of •• Having a social media fraud response plan –
brand name – There are tools available to monitor brand Organizations may not always be able to prevent social
mentions and brand sentiment on social media. These media fraud, but they can be better prepared to deal with
can help understand how the brand is perceived and take it. Having a reaction plan and corresponding timelines to
corrective action wherever necessary. Often, such action deal with well-known instances of social media fraud may
can prevent undesirable information from going viral. help limit the spread of misinformation and control the
damage. Such a plan can include a list of actions that the
•• Training and awareness for employees on social
organization can take when confronted with social media
media use – Clear guidelines on what content is
fraud or reputational damage. This can include the process
permissible for social media sharing, who is authorized to
to investigate the issue and timelines for identifying the
comment on the brand in their official capacity, disclaimers
root cause(s), procedures for on-boarding of third party
that employees must use on their personal profiles to
experts to investigate the issue (should the need arise),
isolate risks to the brand, etc. must be outlined. Further, a
guidelines on communication to clients and employees to
dedicated training program outlining common scenarios
quell fears, and maintaining a list of authorized individuals
that result in information compromise on social media can
who can coordinate the organization’s response and post it
help employees understand the potential implications of
through official channels.
their actions.
•• Managing employee accessibility to social media Social media provides an opportunity for organizations to
sites through content filtering or by limiting network improve their customer reach at a fraction of the costs that
through-put to social media sites. Often, using traditional media may incur. If adequate safeguards
employees use smart phones to access are put in place to prevent fraud, this platform may
social media sites, opening up the risk become a robust channel for organizations to
of malware that may post information grow business, attract quality talent, and gain
on social networks without their customer loyalty.
knowledge. Appropriate controls may
need to be installed and continuously
updated on mobile devices to better manage
such risks.
•• Customer education – Disgruntled customers
can pose a significant risk of bad-mouthing the brand
on social media. To curb this, many organizations have
a dedicated customer service channel on social media
where customers are encouraged to post complaints and
check the status of their complaint. While this may not
24#letstalkfraud| India Fraud Survey, Edition II
Anti-competitive behavior – Are you That this is a relatively newer risk in the
covered? Indian context is corroborated by the
The last two years have seen rising responses in our survey wherein a large
legislative action by the Competition number of respondents have either
Commission of India (CCI). Companies chosen not to respond or have chosen ‘not
have been collectively levied fines ranging sure’/’don’t know as a response. Clearly,
from a few crores to as much as several a greater degree of awareness needs
hundred crore rupees for violating the to be created amongst businesses for
principles of competitive behavior outlined requirements under the Competition Law
in the Competition Act. This exposes and make them have robust compliance
organizations to a relatively newer risk in processes.
the Indian context–that of their growth
strategies and consequent business
actions being scrutinized for inappropriate
behavior in regards to competition.
Figure 7: Do you believe your organization can be pulled up for anti-competitive
behavior by the CCI in the near future?
41%
27%
14%
8% 8%
2%
Did not No–Our Yes–we are Yes–we are a No–Our Don’t Know
respond to organization operating in fast growing sector
the question has a a relatively company doesn’t
reputation of new sector/ and our come
being ethical industry that equally well under the
and following is fast growing. established ambit of
fair business Our unique rivals may do the CCI
practices. processes, this in a bid to
although pull us down
legal, may be
disrupting
the market
and drawing
the ire of our
competitors
25#letstalkfraud| India Fraud Survey, Edition II
Figure 8: In your opinion, does being part of an anti-competitive behavior law suit
have a significant impact on your organization?
No–our brand is large enough
to be insulated (monetarily or
otherwise) from the impact of 11%
CCI proceedings
Did not respond to the question 41%
Yes–only on our company’s reputation.
Being seen as part of such a law
suit may dent customer confidence
17%
irrespective of the final verdict
Yes–monetarily only. Fighting these
cases using specialist lawyers is
expensive and fines imposed by 9%
the CCI can also be quite high
Not sure 22%
There appears to be lack of understanding adversely impacted. The Competition Law
of the risk emanating from non-compliance redefines business conduct and some
to Competition Law as also about what of the traditional ways of doing business
actions/behavior may constitute an may now be looked upon as unacceptable
anti-competitive behavior under the Law. business practices. There has been a
Most respondents to the survey believed significant increase in the number of
they were unlikely to be impacted by a information filings with CCI as well as the
CCI investigation whereas many others number of investigations that it is carrying
were unsure when asked if a CCI law suit out. The CCI has levied fines of more than
would have a significant impact on their USD 2 billion over the past five years.
reputation.
Compliance with the requirements of the
Indian businesses will need to take this law Competition Law is a subjective matter that
seriously else they risk significant penalties can be extremely complex. Hence, there
being levied and their reputation being seems to be some confusion in the minds
26#letstalkfraud| India Fraud Survey, Edition II
of survey respondents while responding to pertaining to anti-competitive behavior
our question with regards to compliance and including a section on anti-competitive
measures. When asked how organizations behavior as part of employee training
addressed potential risks arising from programs. Another set of respondents said
non-compliance to the Competition Law, their organizations had taken no specific
respondents shared mixed reactions. steps and that anti-competitive behavior
One set of respondents indicated hiring was subjective, making it difficult to prepare
specialist law firms to help draft policies to handle such cases.
Figure 9: What measures has your organization taken to address the risk of anti-competitive
behavior?
52% 52%
41% 39%
36%
Anti-competitive The organization A section on We have hired a We have a
behavior is has not taken any anti-competitive specialist law firm dedicated in-
subjective and specific measures behavior is to help us draft house legal team
organizations to address the risk included as part policies pertaining that counsels
cannot prepare of anti-competitive of the regular to anti-competitive our various
specifically to behavior training programs behavior; these departments
handle such cases undertaken by our policies are against anti-
employees implemented across competitive
the organization practices
Note: This is a multiple choice question and responses will not add up to 100%
27#letstalkfraud| India Fraud Survey, Edition II
Point of View: Mitigating chances of a CCI inquiry – Some with the competition, customers and suppliers). These
steps for consideration programs should be focused on educating the participants
on potential infringements and how to avoid them.
To avoid punitive action under the Competition Act, Indian Some examples of infringements include, salespeople
business organizations need to evolve a strong culture generally buying “shelf space” for their products and
of compliance covering increasing awareness about the imposing restrictions on wholesalers and retailers. This
requirements of law, robust code of conduct, promoting fair kind of conduct is exclusionary in nature as it prohibits
business practices as also individual conduct while interacting the wholesaler/retailer to stock competitor’s product.
with competitors. Some specific considerations include: Other examples include informally discussing prices and
promotional schemes with competitors at industry events or
•• Seek employee undertakings with regards to compliance
social gatherings. Ideally, such training programmes should
with the Competition Act
be conducted every six months and reviewed annually.
•• Develop an anti-trust law compliance manual – Such a
•• Closely monitoring business information shared at
manual should ideally contain the following: introduction to
meetings with trade associations, which bring together
the Competition Act and key requirements under the law,
key competitors. At the very minimum,the agenda of any
outline businesses, business processes and key personnel
such meeting should be vetted by the legal counsel of the
that carry high risk; do’-s and don’t’-s for the employees,
company and details of the meeting’s discussion should be
expected behaviour while dealing with competitors,
shared with the legal counsel.
suppliers, dealers, traders etc.
•• Review all trade association memberships and prepare
•• Create better awareness through regular training programs
specific guidelines for participation in such meetings
for competition law compliance – A broader programme
should be designed for all employees and specific programs •• Conduct mock raids to sensitize employees to the possibility
can be developed for key business roles that have higher of sudden scrutiny by the regulator.
perceived compliance risks (teams who interact regularly
28#letstalkfraud| India Fraud Survey, Edition II
Conventional processes dominate overall fraud
prevention, detection and response strategies
There are mixed reactions on who Irrespective of who has the primary
shoulders the responsibility of fraud risk responsibility to manage fraud risks, it is
management, with respondents indicating important for a robust system to be in
that the Board should be responsible for place to review fraud risk management
fraud prevention, whereas the Internal measures. It is heartening to note that
Audit team should be responsible for fraud 39% of respondents indicated that their
detection and investigation. organizations undertook continuous
monitoring of controls. However,
While leading practices and our own organizations must also ensure that
experience indicate that the Chief Financial controls are periodically updated in
Officer (CFO) and the Chief Risk Officer/ line with the business landscape and
General Counsel undertake primary knowledge of potential frauds, failing
accountability for fraud risk management, which they may not be able to prevent new
changing business and regulatory frauds. As new data gets generated within
landscapes mean other stakeholders organizations, an automated system of
need to assist these primary stakeholders continuous monitoring is the way forward.
wherever appropriate. For instance, in
the information technology industry, the
role of the Chief Information Officer (CIO)
and Chief Information and Security Officer
(CISO) becomes important in case of
cybercrime, and these individuals and their
teams need to support the CFO in getting
information pertaining to the incident, as
well as help plug gaps in internal controls.
Similarly, in the real estate business,
procurement is a significant fraud risk that
is fraught with legal complications and
hence the Legal Head may have to support
the CFO in information gathering and
resolution of potential fraud. In the Pharma
industry, the Chief Compliance Officer
usually assists the CFO wherever there
are allegations pertaining to regulatory
noncompliance.
29#letstalkfraud| India Fraud Survey, Edition II
Figure 10: How often do you review your fraud risk management measures?
Annually
15%
22% Did not respond to
the question
Once a
1%
month
Once a
10%
quarter
Once every
2%
6 months
We don’t review our
8%
framework unless
we encounter an
incident
We review our framework
3%
39% We undertake subject to regulatory
requirements changing
continuous
monitoring of
controls
30#letstalkfraud| India Fraud Survey, Edition II
Point of View: Automation is the is where, we believe, machine learning
future of fraud risk management technology can be useful.
A fraudster is always one step ahead Machine learning uses computer systems
and with technological advancements, with artificial intelligence capability
he/she is also developing newer ways to to autonomously learn, predict, act,
perpetrate sophisticated fraud schemes and explain without being explicitly
that appear difficult to detect or prevent. programmed. This means the computer
Recent instances of large scale hacking can learn from the outcomes of analysing
and social engineering are indicators existing data, and those learnings can
of what technology, in the hands of then be applied to newly generated data
fraudsters, can result in. To stay ahead of to provide insights. This can be better
the curve, organizations need to invest in understood through the example of
the next generation of automated fraud online chess. A computer which either
risk management measures to ensure wins or loses, assigns a value to the series
safety. of winning moves it used during that
game. After playing several such games,
Historically, most organizations have built the system can predict which moves are
home-grown systems that use business most likely to result in a winning situation.
rules to manage their fraud detection
processes. These hand-crafted rules Similarly, a machine learning system
which are framed as “if-then” statements could learn to distinguish between
are called Robotics Process Automation suspicious transactions (which are
(RPA) techniques. An example would be: potentially outside the normal patterns
“if several transactions are made within a of activity) and legitimate ones. Further,
short amount of time in a different state, machine learning can also analyse big
then send the account for manual review” data more efficiently, build statistical
or “if an isolated transaction takes place models quickly, and react to new
by using a customer’s credit card from suspicious behaviours faster.
a country other than what is mentioned
in the registered address, then send this Machine learning can also be extended
transaction for further screening”. These to multiple environments such as
rules have been built and refined based ecommerce and m-commerce to prevent
on decades of manual experience of and detect frauds. These systems can
analysing fraud data. Many of these rules scale up to meet the demands of big data
are set up to provide additional analysis with greater flexibility than traditional
for unusual transaction behaviour. methods used for fraud prevention
Although proven to be very useful, and detection. We are already seeing
particularly for the e-commerce and increasing implementation of machine
m-commerce industries, RPA techniques learning systems at banks and it is a
tend to work efficiently primarily in a matter of time before this becomes
structured data environment. widespread across other industries. We
believe the advent of machine learning
In today’s day and age, however, the for fraud prevention will change how
amount of data being produced and organizations manage their fraud risk
the complexity of analysis has grown programs. Human oversight and intuition
to unprecedented levels. This is making will remain critical to success, but
the manual process of building and machines will increasingly do the heavy
maintaining business rules expensive, lifting.
time intensive and less predictive. This
31#letstalkfraud| India Fraud Survey, Edition II
In the area of fraud prevention we are challenge for companies seeking details
seeing a rise in preference for conducting for due diligence. Depending on the scope
due diligence prior to onboarding of relationship sought with the business
business partners. This is a welcome partner, due diligence needs may be
change, but can also be a challenge for outsourced to specialist organizations.
companies considering India still has a
very fragmented data regime, posing a
Figure 11 : What measures does your company adopt to prevent incidents of fraud?
Engage third party experts to assess
24% our fraud risk management frameworks
at least once a year
Dedicated fraud prevention unit that
30% researches new frauds and communicates
them to the fraud risk management teams
Effective tone at the top, followed by
79% implementing policies for fraud and
consequence management, code of conduct, etc.
Conducting a due diligence check (Third party/
61% Senior Management/Business associate, etc.)
Dedicated training programs to address most
50% susceptible frauds such as bribery and corruption,
conflict of interest, procurement fraud, etc.
66% General fraud awareness trainings and workshops
Fraud risk assessment/monitoring of fraud control
65% frameworks–either manually or using technology such
as fraud analytics and fraud management systems
89% Internal Audit/Risk Assessment
Note: This is a multiple choice question and responses will not add up to 100%
32You can also read
