Pekka Dare, Director, Training Education & Development - ICT
Jose Tabuena, Chief Privacy Officer – UT Southwestern Medical Center
@ComplianceWeek | #CW2017
The Perpetrators
According to KPMG a typical fraudster is:
• between the ages of 36 and 55 (69%)
• predominantly male (79%), with the proportion of women 17%, up from 13% in 2010
• a threat from within (65% are employed by the company)
• holds an executive or director level position (35%)
• employed in the organization for at least six years (38%)
• 3X as likely to be regarded as friendly as not, with only 18% described as autocratic
• esteemed, describing themselves as well-respected in their organization
• likely to have colluded with others (62%, down just slightly from 70% in 2013)
• motivated by personal gain (60%), greed (36%) and the sense of ‘because I can’ (27%)
Fraud Control Process
1. Risk assessments
2. Fraud Awareness programs
3. Reducing opportunities
4. Internal controls
  • Automated systems
  • Physical security and access controls
5. Developing an anti-fraud culture
6. Information security
The Risk Management Cycle
• Identify risk
• Assess impact of risk
• Control & reduce risk
• Consistently review
Risk Management Process
• Establish risk management group
• Identify risk areas
• Understand/assess scale of risk
• Develop a risk response strategy
• Implement and monitor
• Review and refine process
Fraud Awareness Programs
• Reference to fraud risk assessment and controls
• Company/sector specific
• Who? Reality is every employee within the organisation presents a possible risk
• Practical application
• Followed up to include developing trends
Reducing Opportunities
• Developing an anti-fraud culture
• Effective controls increase perception of detection
  • Segregation of incompatible duties
  • Sound authorisation and documentation processes
  • Independent checks
  • People controls
Identifying Red Flags
Role of the 1st Line of Defence in spotting red flags
• Red flags are always present – but not recognized or not acted on
• Always take action to investigate, even if it seems minor
• But, sometimes an error is just an error – have an open mind
Role of the 2nd Line of Defence in spotting red flags
• Compliance ongoing monitoring of controls
• Providing advice
• Facilitating risk management activities
Travel and Entertainment Red Flags
• Claims for T&E that never materialized
• Flights in first class when more modest means were available, in violation of company policy
• Claims for meals or entertainment in excess of per diem
Auditing Travel and Entertainment Expenses Using IDEA, 2007
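The three T&E red flags above can be screened for automatically once expense claims sit beside the travel bookings that should back them. The following is an added example and not code from the deck or from the IDEA guide it cites; the per-diem rates, the allowed fare classes, the claims and the bookings are all constructed sample data, and the "materialized" check is an assumption (a claim is treated as backed by travel when the employee had a booking in that city covering the claim date).

```python
"""Rule-based screen for the Travel & Entertainment red flags listed above:
meals over per diem, premium fares taken when a cheaper fare was available,
and claims for trips with no travel record behind them.

Added example, not from the original deck or the IDEA guide it cites; the
policy rates, claims and bookings are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass
class Claim:
    claim_id: str
    employee: str
    category: str             # "meal", "flight" or "hotel"
    amount: float
    city: str
    claim_date: date
    fare_class: str = ""      # flights only
    lowest_fare: float = 0.0  # cheapest fare offered at booking time (flights only)


@dataclass
class Booking:
    employee: str
    city: str
    start: date
    end: date


# Constructed policy for the example: daily meal allowance per city and the
# fare classes employees may book without an approved exception.
PER_DIEM = {"London": 60.0, "Dallas": 55.0}
ALLOWED_FARE_CLASSES = {"economy", "premium economy"}


def has_travel_record(claim: Claim, bookings: list[Booking]) -> bool:
    """Assumed test for 'the trip materialized': the employee had a booking
    in the claimed city whose dates cover the claim date."""
    return any(
        b.employee == claim.employee and b.city == claim.city
        and b.start <= claim.claim_date <= b.end
        for b in bookings
    )


def screen_claims(claims: list[Claim], bookings: list[Booking]) -> list[tuple[str, str]]:
    """Return (claim_id, reason) for every red flag raised; a claim can raise several."""
    flags: list[tuple[str, str]] = []
    for c in claims:
        if not has_travel_record(c, bookings):
            flags.append((c.claim_id, "no travel record for the claimed trip"))
        if c.category == "meal":
            rate = PER_DIEM.get(c.city)
            if rate is None:
                flags.append((c.claim_id, f"no per diem rate configured for {c.city}"))
            elif c.amount > rate:
                flags.append((c.claim_id, f"meal {c.amount:.2f} exceeds per diem {rate:.2f}"))
        if c.category == "flight" and c.fare_class not in ALLOWED_FARE_CLASSES:
            if c.lowest_fare and c.lowest_fare < c.amount:
                flags.append((c.claim_id,
                              f"{c.fare_class}-class fare {c.amount:.2f} booked "
                              f"when {c.lowest_fare:.2f} was available"))
            else:
                flags.append((c.claim_id, f"{c.fare_class}-class fare outside policy"))
    return flags


# Constructed sample bookings and claims.
SAMPLE_BOOKINGS = [
    Booking("Roe, Jane", "London", date(2017, 5, 8), date(2017, 5, 10)),
    Booking("Thomas, Betty", "Dallas", date(2017, 5, 15), date(2017, 5, 16)),
]

SAMPLE_CLAIMS = [
    Claim("C1", "Roe, Jane", "meal", 45.00, "London", date(2017, 5, 9)),
    Claim("C2", "Roe, Jane", "meal", 95.00, "London", date(2017, 5, 9)),
    Claim("C3", "Roe, Jane", "flight", 2400.00, "London", date(2017, 5, 8), "first", 600.00),
    Claim("C4", "Thomas, Betty", "hotel", 180.00, "Dallas", date(2017, 5, 15)),
    Claim("C5", "Thomas, Betty", "meal", 50.00, "Dallas", date(2017, 5, 22)),  # no booking that week
    Claim("C6", "Thomas, Betty", "flight", 410.00, "Dallas", date(2017, 5, 15), "economy", 390.00),
]


if __name__ == "__main__":
    for claim_id, reason in screen_claims(SAMPLE_CLAIMS, SAMPLE_BOOKINGS):
        print(claim_id, reason)
```

Run as a script it lists C2 (meal over the London per diem), C3 (first-class fare with a cheaper fare available) and C5 (meal claimed for a week with no Dallas booking). A missing per-diem rate is reported rather than silently treated as zero, so a configuration gap does not flag every meal in that city.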
[Figure: data analysis coverage map. Data sources: Payroll, HR, Expense Disbursements, Accounts Payable, P-Card, Accounts Receivable, Vendors. Tests: Address Verification, Benford's Law, Duplicate Payments, Management Reporting, Unexpected Relationships, Internal Controls, Shared Elements Testing, High Risk Focus, SSN testing, Overpayments, Manual & Special Payments, Client-customized Testing, External Data Verification. Outputs: Employee Scores, Customer Scores and Vendor Scores produced by scoring algorithms.]
Proactive Approaches: Data Analysis
• Tests:
  • Identify vendors and employees with common SSN and Tax ID #s
  • Identify vendors and employees with common bank account #s
  • Identify vendors and employees with common addresses
Commonalities Between Employees and Vendors
Employee Name | Vendor Name | SS No. | Tax ID | Vendor Bank A/C | Employee Bank A/C | Vendor Address | Employee Address
Roe, Jane | Montvale Plumbing | 1 | 1 | 2 | 2 | |
Thomas, Betty | Hillstreet Electric | 1 | 1 | 2 | 2 | 3 | 3
Stewart, Jon | Daily Report | 1 | 1 | | | |
Colbert, Stephen | Pundit Report | 1 | 1 | 2 | 2 | |
Coyote, Wile E. | Acme Supplies | 1 | 1 | | | |
Murphy, Heather | United Circuits | 1 | 1 | | | |
Brownie, Michael | Emergency Management | 1 | 1 | 2 | 2 | |
Ball, LaVar | Little Baller | 1 | 1 | 2 | 2 | |
Murray, Sophia | Polar Enterprises | 1 | 1 | 2 | 2 | 3 | 3
Utonium, Professor | Powerpuff Security | 1 | 1 | | | |
(Matching numbers mark a value shared between the employee and the vendor.)
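The shared-elements test behind the table above is a join of the employee master file against the vendor master file on each identifier after normalisation. The code below is an added example, not the presenter's tool or any product mentioned on the slide; the records are constructed sample data (a few names echo the table) and the normalisation rules (digits only for SSN/Tax ID and bank account numbers, lower-cased and abbreviated addresses) are assumptions that would need tuning to a real master file.

```python
"""Shared-element test from the slide above: find employees and vendors that
share an SSN/Tax ID, a bank account or an address.

Added example, not part of the original deck; every record below is constructed
sample data and the matching rules are assumptions, not the presenter's tool."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Party:
    kind: str          # "employee" or "vendor"
    name: str
    tax_id: str        # SSN for employees, Tax ID (EIN) for vendors
    bank_account: str
    address: str


def norm_id(value: str) -> str:
    """Keep digits only, so '123-45-6789' and '12-3456789' compare equal."""
    return re.sub(r"\D", "", value)


ABBREVIATIONS = (("street", "st"), ("avenue", "ave"), ("road", "rd"), ("suite", "ste"))


def norm_address(value: str) -> str:
    """Lower-case, drop punctuation, collapse whitespace and abbreviate street
    words so 'Suite 4' and 'Ste 4' land on the same key."""
    v = re.sub(r"[.,#]", " ", value.lower())
    v = re.sub(r"\s+", " ", v).strip()
    for full, abbr in ABBREVIATIONS:
        v = re.sub(rf"\b{full}\b", abbr, v)
    return v


# Element name -> function producing the comparison key for that element.
ELEMENTS = {
    "SSN/Tax ID": lambda p: norm_id(p.tax_id),
    "Bank A/C": lambda p: norm_id(p.bank_account),
    "Address": lambda p: norm_address(p.address),
}


def shared_elements(parties: list[Party]) -> dict[tuple[str, str], list[str]]:
    """Return {(employee name, vendor name): [shared element names]} for every
    employee/vendor pair that shares at least one normalized identifier."""
    matches: dict[tuple[str, str], list[str]] = defaultdict(list)
    for label, key in ELEMENTS.items():
        index: dict[str, list[Party]] = defaultdict(list)
        for p in parties:
            k = key(p)
            if k:                      # blank identifiers must not match each other
                index[k].append(p)
        for group in index.values():
            employees = [p for p in group if p.kind == "employee"]
            vendors = [p for p in group if p.kind == "vendor"]
            for e in employees:
                for v in vendors:
                    matches[(e.name, v.name)].append(label)
    return dict(matches)


# Constructed sample master-file extracts (names echo the slide's table).
SAMPLE = [
    Party("employee", "Roe, Jane", "123-45-6789", "0011-222333", "12 Main Street, Montvale"),
    Party("vendor", "Montvale Plumbing", "12-3456789", "0011222333", "99 Elm Avenue"),
    Party("employee", "Thomas, Betty", "987-65-4321", "5551234567", "7 Oak Road, Suite 4"),
    Party("vendor", "Hillstreet Electric", "98-7654321", "555-123-4567", "7 Oak Rd Ste 4"),
    Party("employee", "Stewart, Jon", "111-22-3333", "7770001111", "1 Park Ave"),
    Party("vendor", "Daily Report", "11-1223333", "8880002222", "2 Lake St"),
    Party("employee", "Nguyen, An", "222-33-4444", "9990003333", "5 Hill St"),
    Party("vendor", "Acme Supplies", "33-4455667", "1212121212", "8 River Rd"),
]


def report(parties: list[Party]) -> list[str]:
    """One line per flagged pair, listing the shared elements in slide order."""
    return [f"{e} <-> {v}: shared {', '.join(labels)}"
            for (e, v), labels in sorted(shared_elements(parties).items())]


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

On the sample data the script flags Roe/Montvale Plumbing (SSN/Tax ID and bank account), Thomas/Hillstreet Electric (all three elements) and Stewart/Daily Report (SSN/Tax ID only), and leaves the clean employee and vendor unflagged. Indexing each normalised key once keeps the test linear in the number of records rather than comparing every employee against every vendor.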
Information Security
• Data theft and the misuse of data are biggest enablers of fraud
• Top 5 Risks
  • Data protection regulation
  • Mobile working
  • BYOD
  • Data breaches
  • Data proliferation
Behavioural Profiles
• How many behavioural characteristics can you think of that would suggest high risk of fraud?
Incentive Programs
• Incentive programs for management are the norm and also common for the rank and file.
• Despite incentive programs and the potential risks being so common, the compliance team typically does not have a role in reviewing it to identify and mitigate risk prior to implementation.
• 52% never review: SCCE/HCCA Survey, April 2017
COSO Control Environment Testing
Principle 5. The organization holds individuals accountable for internal control responsibilities in the pursuit of objectives.
Points of focus for audit (3rd Line of Defence):
• Enforces accountability through structures, authorities, and responsibilities
• Establishes performance measures, incentives, and rewards
• Evaluates performance measures, incentives, and rewards for ongoing relevance
• Considers excessive pressures
• Evaluates performances and rewards or disciplines individuals
Fraud Typologies
• Examine the detailed example of fraud allocated to you
• Compare and contrast the various vulnerabilities and failure of controls.
• Could each one occur in your organisation; if not, why not?
Case 1: HBOS Scam
UK: Internal bank fraud £245m
HBOS manager jailed over £245m loans scam
• Used relationship with bank to bully business owners and strip them of assets
• Judge: “[you] sold your soul, for sex, for luxury trips with and without your wife – for bling and for swag!”
• Red flags?
  • victims ignored when trying to report what was going on
  • one offender had £2m superyacht
  • jewellery, luxury hotel stays, business-class flights
Case 2: BP Oil Spill Fraud Case
US: BP Oil Spill Fraud Case – 2 convicted
• Made up fake clients to sue BP
• List compiled of 40,000 people who wanted to sue BP
• Significant errors: Included names of the dead, people who never gave permission for representation and even a dog’s name!
• Fraudsters passed the information up the chain to law firm
• Supposed to be paid from a $2.3 billion fund BP set aside to compensate fishermen
Case 3: China and $7.6bn Fraud
• Involves P2P lender Ezubao concocting fake projects to attract investment
• 26 people charged with fraud - including top executives of Ezubao’s parent company
• Televised confession when principal suspect said Ezubao was "a typical Ponzi scheme"
• Largely unregulated peer-to-peer lending sector