Fraud Response Management - Deloitte


Fraud Response Management: Is your organization prepared to execute an efficient and effective response?

Centre for Corporate Governance

Some organizations have designed and tested disaster plans to help them respond to unforeseen catastrophes that could have the potential to threaten their very existence. These organizations have learned, often times through personal experience, that the time to plan is before catastrophe hits and not after. Yet some of these organizations may not have applied this same thinking to the business risks associated with fraud and, consequently, may not have adequate processes in place to deal with allegations of fraud and misconduct. This risk oversight could be worrisome considering the potentially significant impact of fraud.

An effective Fraud Response Management program is designed to allow the organization to react to various types of fraud and misconduct allegations in a measured and consistent manner. The overarching goal of a fraud response program is to protect the organization from the economic, reputational and legal risks associated with the fraud allegation. Specifically, a fraud response management program may encompass:

• the procedures and processes through which an organization is alerted to allegations of potential fraud and misconduct;
• the manner in which those allegations are initially and subsequently communicated within the organization;
• the assignment of responsibility and accountability for handling those allegations;
• decision making authority;
• the methods and procedures by which allegations are investigated;
• consideration of legal implications, documentation and evidentiary procedures;
• reporting of investigation results within the organization;
• remedial recommendations; and,
• procedures for dealing with outside parties.

These processes, when effectively designed and implemented, can become one of the most critical elements of an organization's anti-fraud program. These steps, however, should be tailored to fit the organization.
Failing to implement an effective fraud response management program as part of your organization's overall anti-fraud programs and controls may put your organization at significant risk. Fraud happens and will likely continue to plague organizations and world markets for some time. Preparedness is part of the solution.

A recent Association of Certified Fraud Examiners (“ACFE”) survey suggests that the typical fraud lasts two years from the time it began until the time it was caught[1] by the victim organization.

[1] Source: ACFE 2008 Report to the Nation

2009 Deloitte Touche Tohmatsu India Private Limited

Some important considerations when designing an effective fraud response management program can include:

• monitoring compliance with applicable legal and regulatory standards;
• confirming that the complaint intake system provides for anonymous reporting;
• defining roles and responsibilities for those involved in the fraud response management process;
• establishing clear and meaningful investigative protocols to include interviewing, evidence collection, computer forensic examinations, and analysis;
• identifying competent fraud investigation resources, especially global response teams, in advance of a crisis;
• utilizing a case management system that allows the organization to efficiently track and log the progress and resolution of fraud allegations;
• establishing consistent reporting within and outside the organization; and,
• identifying processes and control improvements enterprise-wide to help gain efficiencies and prevent recurrences.

As organizations expand their global presence, it can be important that they have a well devised Fraud Response Management program in place that allows them to respond appropriately to allegations of fraud and misconduct around the world. This can be especially important in light of the world economic conditions because the risk of fraud can increase in an economic downturn. The economic downturn can also create the added challenge of compelling organizations to be more efficient with their resources, including those utilized for responding to and managing fraud allegations.

Further, more countries around the world are imposing additional anti-fraud and anti-corruption provisions on businesses.[3]

“Regulators and judges are increasingly asking not just whether a company has an anti-fraud, anti-money laundering, or corporate ethics policy in place, but they are also asking how well such programs work and whether their quality and results make sense. They are asking, in other words, how good are they? This trend raises the stakes for those charged with governance.”
A partner from Deloitte Financial Advisory Services LLP

The fact that tips continue to be the most effective means of detecting fraud suggests that organizations could improve their detection efforts by establishing formal structures to receive reports about possible fraudulent conduct.[2]

When an allegation of fraud surfaces, the organization decides how to proceed and to what extent it may investigate. In some instances, outside counsel is retained to conduct an investigation. Sometimes, organizations may rely on their own internal investigative groups that sit within the internal audit, compliance, legal or security functions to address the allegations. Such efforts should be well managed, as that can aid companies in avoiding duplication of efforts and allow for better coordination in investigating and responding to potential fraud allegations. The investigation process itself can be disruptive to normal business operations and can give rise to a host of potential legal and regulatory risks that can have consequences beyond actual fraud losses.

Legal and regulatory background

In India and other countries like the U.S., there are a myriad of laws and regulations related to fraud. Some of these are discussed below.
With the current global financial crisis and the recent discovery of several significant frauds, it seems logical that new regulations and a renewed focus on fraud response could be forthcoming.

The United States Sentencing Guidelines (“USSG”) provide specific criteria that include organizational mechanisms for reporting and responding to allegations of fraud. The USSG provide that the culpability score for organizations is generally determined by six factors for consideration by the sentencing court — four factors that may increase the ultimate punishment and two that may mitigate it.[4]

[2] Source: ACFE 2008 Report to the Nation
[3] Germany is a prime example of a foreign government imposing responsibility on a nationally based entity to conduct a large internal investigation into allegations of fraud and corruption.
[4] According to USSG, aggravating factors include: involvement or tolerance of criminal activity; prior history of the organization; violation of an order; and obstruction of justice. Mitigating factors include: existence of an effective compliance and ethics program (“ECEP”); and either self-reporting, cooperation, or acceptance of responsibility.

Failure to have a proper fraud response management program might be viewed as tolerating and/or condoning the activity. It is important to note that just having a compliance or ethics program may not be sufficient to result in a reduction of the culpability score. The USSG expressly provides that an organization will not be eligible to receive a favorable adjustment for having an effective compliance and ethics program if the organization delays reporting an offense and/or if individuals within certain levels of the organization “participated in, condoned or were willfully ignorant of the offense.” Failure to properly respond to allegations of fraud or misconduct by ignoring such allegations is a dangerous game for organizations to play.[5]

Securities Exchange Board of India (SEBI) specified principles of corporate governance and introduced Clause 49 in the Listing Agreement of the stock exchanges.

The CEO/CFO requirements of the clause include disclosure to the auditors as well as to the Audit Committee of the instances of significant fraud that involves management or employees having a significant role in the company's internal control systems.

Clause 49 also requires CEO/CFO to certify financial information of the company and attest to whether any matters have come to their attention that would potentially compromise the accuracy of that financial information or the underlying related internal controls. An allegation of fraud or misconduct that has not been properly responded to by the organization could jeopardize such a certification and subject the executives involved to severe criminal penalties.

Other corruption statutes include The Prevention of Corruption Act in India, the Foreign Corrupt Practices Act (FCPA)[6] in U.S., which sets forth the legal framework, for covered entities and relevant transactions, regarding the maintenance of accurate books and records, reporting of violations, establishment of controls to prevent and limit misconduct, and cooperation with federal investigations.

For companies covered under FCPA and eager to do business in India, compliance with the FCPA is an increasingly urgent priority. Enforcement actions have been ramped up in recent years as accelerating globalization has increased the opportunities for FCPA abuse.

Before entertaining global expansion, especially into high risk countries, multinational corporations should fully understand the FCPA and its potential ramifications. This is a prerequisite for early detection and prevention.

According to participants of the July 2008 Deloitte Dbrief on financial fraud in an economic downturn, less than half of the 1,200 respondents (46%) believe their organization has established protocols for conducting investigations, including identifying resources available to use.

Anti-money laundering, anti-terrorist financing, and related banking laws have created specific responsibilities for financial institutions to investigate and report on potential violations. Implicit in these statutory requirements is the establishment of an effective fraud response program that can facilitate compliance. The Prevention of Money laundering (Amendment) Act, 2009 (PML Amendment Act), in India, which comes into force with effect from June 1, 2009 has expanded the scope of the Prevention of Money Laundering Act, 2002 (PML Act).

[5] The USSG and related commentary may be found at http://www.ussc.gov.
[6] The Foreign Corrupt Practices Act of 1977 (FCPA) prohibits bribery of foreign officials for the purpose of obtaining or keeping business, and the Anti-Kickback Act of 1986 prohibits bribery of government employees in relation to awarding of federal contracts.

In a speech given by the former US SEC Commissioner Roel Campos, in which he discussed corporate responsibility, he stated that “There have not been any new or different theories or standards of liability imposed on directors in the aftermath of Sarbanes-Oxley by Commission or SRO [self-regulatory organizations] rules.” Commissioner Campos further indicated that “the duty of care generally requires directors to exercise an objective, reasonably prudent standard of skill and care in the discharge of their functions. This obligation includes an oversight responsibility to see that the corporation functions within the law to achieve its purposes.”[7]

“Passivity is not an option.”
Commissioner Roel C. Campos, U.S. Securities and Exchange Commission

This duty arises if an officer or director learns of facts suggesting that management may have engaged in fraud or that the corporation's prior financial statement public filings may be inaccurate.[8] Failure to faithfully exercise such duty could expose officers and directors to liability. Commissioner Campos indicated that the “situations where directors have to be worried about an SEC action against them are where they act very unreasonably and in bad faith. Where you see SEC actions against directors is where information regarding possible improper accounting practices or possible improper recognition of revenue is actually brought to the attention of directors and a reasonable director, acting in good faith, would investigate. If the directors do not conduct an independent investigation, they are not acting reasonably or in good faith and should not be protected by the business judgment rule. It is that simple and it is not a different analysis after Sarbanes-Oxley.” Commissioner Campos went on to emphasize that “Passivity is not an option.”

The board of directors should be informed of suspected fraud so that they can decide whether and how to investigate.
The board may delegate to the organization's internal investigations group the responsibility for collecting, investigating and reporting potential allegations of fraud and misconduct to the board and may implement definitive protocols specifying which matters should be immediately brought to the board's attention. For example, the board may have a different view of an embezzlement of Rs.5,000 by an accounts payable clerk than it may have of financial statement manipulation by a member of senior management. Again, an independent investigation by an outside party is sometimes necessary or advisable.

From a global perspective, various jurisdictions around the world have enacted their own versions of Sarbanes-Oxley in countries such as Japan, China, and member countries of the European Union. Some nations have also passed corruption statutes. For example, the Organization for Economic Co-operation and Development (“OECD”) Anti-bribery Convention has resulted in the quasi-globalization of the US FCPA law. The OECD Anti-bribery Convention has been ratified by 30 OECD countries and seven non-OECD countries.

Separately, the BASEL II accord issued by the Basel Committee on Banking Supervision[9] promotes a risk-based approach to help address potential failures that banks can face from operational and financial risks. The second “pillar” of BASEL II provides guidance on risk management and supervisory assessment for banking institutions. Both the assessment of the risk of fraud, as well as the effective response to allegations of fraud, can be critical components of any banking institution's risk management program.

The Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) has issued some of the most comprehensive guidance for organizations with respect to risk management and specifically fraud risk management. Risk response is a key component of COSO's Enterprise Risk Management (ERM) integrated framework. ERM is such an important concept that Standard & Poor's recently announced it would consider ERM, of which risk response is a core component, in its ratings.[10] As such, there may be a financial cost for companies that do not have a conscientious fraud response management program in place.

In July 2008, new guidance was published by the Institute of Internal Auditors (“IIA”), the American Institute of Certified Public Accountants (“AICPA”) and the Association of Certified Fraud Examiners (“ACFE”) to help executives, boards of directors, audit committees, and other personnel within the organization create a strong fraud risk management program. Entitled “Managing the Business Risk of Fraud: A Practical Guide”, the guidance shares leading fraud risk management practices and discusses how the different elements of the fraud risk management process can work together to create a more effective whole. The guidance stresses a number of fundamental concepts that relate to fraud response management. Specifically, the guidance highlights the importance of setting roles and responsibilities within the organization and emphasizes monitoring key performance metrics.[11]

[7] Speech by SEC Commissioner: How to be an Effective Board Member by Commissioner Roel C. Campos, U.S. Securities and Exchange Commission, HACR Program on Corporate Responsibility
[8] The leading Delaware cases addressing the duty of oversight and related issues are Graham v. Allis-Chalmers Mfg. Co., 188 A.2d 125 (Del. 1963); In re Caremark Int'l Derivative Litig., 698 A.2d 959 (Del. Ch. 1996); Aronson v. Lewis, 473 A.2d 805 (Del. 1984); Boeing Co. v. Shrontz, No. 11,273, 1992 Del. Ch. LEXIS 84 (Del. Ch. Apr. 20, 1992); In re Dataproducts Corp. Shareholders Litig., [1991 Transfer Binder] Fed. Sec. L. Rep. (CCH) ¶ 96,227 (Del. Ch. Aug. 21, 1991). See also Charles Hansen, The Duty of Care, The Business Judgment Rule, and The American Law Institute Corporate Governance Project, 48 BUS. LAWYER 1355, 1359 (Aug. 1993).
[9] The Basel Committee on Banking Supervision is an institution created by the central bank Governors of the Group of Ten nations. It was created in 1974 and meets regularly four times a year. Its membership is now composed of senior representatives of bank supervisory authorities and central banks from the G-10 countries and representatives from Luxembourg and Spain.

Potential components of a Fraud Response Management program complaint system

Allegation system
This refers to the process(es) by which allegations are handled. An effective system can receive, manage, and track allegations. Other factors to consider may include the mode of administration of the hotline and the reporting mechanism.

Allegation triage
This involves the assignment of the matter to the appropriate party for investigation in accordance with established roles and responsibilities. It further involves the decision as to the level of investigation warranted based upon the nature, scope, and seriousness of the allegations.

Case investigation
This involves the execution of the actual investigation steps based upon existing guidelines, policies, and procedures.
Investigation execution can follow well-designed protocols and legal guidance, as appropriate.

Case management
This component of the program involves oversight of the investigation process, as well as the collection of critical information relative to performance. Established metrics and expectations can aid in efficient as well as effective investigation execution.

Reporting and communication
This aspect involves the effective and timely reporting of investigation results to the appropriate stakeholders. It also involves interim updates and the reporting of identified control issues.

Source: Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management Integrated Framework

[10], [11] For more information on the S&P announcement, see ging-business-risk.pdf

Benefits of internal investigations

A carefully planned and properly executed investigation can address a number of organizational objectives. First, the investigation can help determine the extent of potential liabilities and/or losses that may exist by gathering relevant information and facts. Such data can often be critical to various stakeholders in the organization including senior management, the board of directors and audit committee, shareholders, outside auditors, and others. Second, a properly executed investigation can result in partial or full recovery of losses, stop future losses and help mitigate other potential consequences.

Organizations need to understand the potential liabilities associated with the incident and take steps to reduce criminal or regulatory exposure through self-reporting and timely cooperation with government authorities.[12] Indeed, a properly executed investigation can reduce the likelihood of a separate government investigation of the matter or at least reduce the scope of potential enforcement actions. A properly executed investigation can also help shape public perception by showing that the organization made a good-faith effort to investigate and understand the potential misconduct. Lastly, the investigation can assist the organization in developing and implementing a remediation plan that helps address internal control, disciplinary and other critical issues that may have been identified during the invest
