20 and data analytics - internal auditor...fraud detection and data analytics bolstering anti-fraud...

INTERNAL AUDITOR MIDDLE EAST 20 Insights on Governance, Risk Management and Control Tips for Developing & Operating Whistle-blowing Hotlines Fraud Trends in the Arab World Actively Combating Procurement Fraud in Construction Projects Fraud Detection and Data Analytics Bolstering Anti-Fraud Programs by Effectively Identifying Anomalies & Red Flags JUNE 2016 WWW.INTERNALAUDITOR.ME


Post on 21-Jun-2020


Page 1: 20 and Data Analytics - Internal Auditor...Fraud Detection and Data Analytics Bolstering Anti-Fraud Programs by Effectively Identifying Anomalies & Red Flags JUNE 2016 JUNE 2016 INTERNAL

INTERNAL AUDITOR MIDDLE EAST

20

Insights on Governance, Risk Management and Control

Tips for Developing & Operating Whistle-blowing Hotlines

Fraud Trends in the Arab World

Actively Combating Procurement Fraud in Construction Projects

Fraud Detection and Data Analytics

Bolstering Anti-Fraud Programs by Effectively Identifying Anomalies & Red Flags

JUNE 2016 WWW.INTERNALAUDITOR.ME


INTERNAL AUDITOR - MIDDLE EAST 01 JUNE 2016

Fraud Special Issue

From The President

Thanks to the efforts of the UAE Internal Auditors Association’s (UAE-IAA) Fraud Subgroup, we have launched a Special Issue on Fraud. The articles in this Special Issue only cover Fraud and related topics.

Fraud has always fascinated people: how it is committed, how it gets discovered and what led the perpetrators to carry out these immoral actions in the first place. While internal auditors are not specialised fraud examiners, our stakeholders expect us to detect red flags and recommend prevention measures. This means that a majority of internal auditors are involved in responding to fraud risk, albeit in differing ways and with differing roles (for example, investigations, facilitating fraud risk assessments, fraud awareness training, etc.). In this Special Issue you will learn about a variety of fraud-related topics which include using data analytics to detect fraud, whistle blowing, procurement fraud as well as the role of internal auditing. Internal auditors can use these insightful articles to stay up to date and see how best to add value to the anti-fraud efforts at their companies.

I would like to thank Meenakshi Razdan of the Editorial Advisory Committee, who has taken on the bulk of the editorial work for this quarter. Without her efforts, this Special Issue would not have become a reality. In addition, I would like to thank the Fraud Subgroup for their support, ideas and encouragement. Last but not least, a special thanks goes out to Robin Singh for his regular and insightful contributions to our magazine.

On a different note, the Institute of Internal Auditors (IIA) and the UAE-IAA have worked extensively to prepare for the 2016 International Internal Audit Awareness Month which takes place during the month of May each year. The objective of this month is to actively promote internal auditing’s value to our stakeholders, to the business community and to students & academics. In 2015, the UAE-IAA was given the Building Awareness Champion award and we hope to achieve the same this year. I encourage all our members to participate and help advance our profession at your workplace and local community.

I hope you all enjoy reading this Special Issue. Please feel free to email any feedback you may have to [email protected]

Sincerely,

Abdulqader Obaid Ali
President


FEATURES

COVER STORY: Fraud Detection and Data Analytics. Deploying data analytics to detect fraud and irregularities is an extremely effective way to manage fraud risk. BY GARY BAUER

Effective Whistle-blowing Hotlines. Hotline pitfalls and solutions from the implementation stage to the commencement of an investigation. BY ROBIN SINGH

Adjusting the Lens on Economic Crime in the Arab World Fraud. Perspectives on fraud based on recent surveys and recurring fraud trends. BY JAMES TEBBS

Preventing Procurement Fraud in Construction. Whilst the risk of procurement fraud can never be fully eliminated, companies can implement controls to mitigate the likelihood of such risks occurring. BY STEPHEN CROWE

DEPARTMENTS

Reader Feedback

Knowledge Update. Fraud Risk Survey, Internal Audit and the Second Line of Defense, The Value of Internal Audit, A Guide to IT, Global Risks. BY VISHAL THAKKAR

UAE-IAA Events

Risk Management. The best way to protect an organisation from fraud is through fraud risk management. BY NABIL AL OUF

Conversations with Colleagues. An audit committee member and advocate of anti-corruption talks about fraud risk and the role of internal auditing. BY FARAH ARAJ

Human Resources. An overview of some of the characteristics of fraud investigations in the Middle East. BY MUSTAFA ZACOUR

Fostering Fundamentals. The Fraud Triangle is still the best way to explain why fraud occurs and how to prevent it. BY MOHAMAD NASSAR


View on Family Business Governance

In my opinion, the requirement of a corporate governance notion, the main subject of the article titled “Family Business Governance” (June 2015), is the common and serious problem of many family controlled businesses, especially for the ones established in the Middle East. Family businesses are the crucial dynamics of growth and prosperity in this region as capital is concentrated with wealthy families. Their success in the private sector shall also contribute to the diversification of the economy towards non-oil sectors. By considering these facts, I strongly believe that a governmental body should be established that stipulates the minimum standards with respect to corporate governance for all other types of companies in addition to the joint stock companies, like the Central Bank regulatory and monitoring function for the banking industry, so that these family owned companies shall be pushed to be more professional and achievement of corporate governance issues in each stage will be easier. The newly enacted commercial law has certain articles on corporate governance and social responsibility. Although its extent and practical means are still a grey area, it has the right steps for possible future complementary resolutions.

Mustafa Dag, United Arab Emirates

ARABIC REVIEW TEAM
Ayman Abdelrahim, MQM, CIA, CCSA, CFE (Lead Member)
Khalid M. Alodhaibi, SOCPA
Qais Hamdan, CISA, CISM, PMP
Noora Ayoob
Waleed Sweimeh, CIA

UAE INTERNAL AUDITORS ASSOCIATION
PRESIDENT: Abdulqader Obaid Ali, CFE, CRMA, QIAL
GENERAL MANAGER: Samia Al Yousuf

REGISTRATION
Internal Auditor - Middle East magazine is licensed by the National Media Council of the United Arab Emirates (License Number 244).

Reader Feedback
We want your views on the articles and the magazine! Share your thoughts and feedback with us via email at [email protected]

EDITOR-IN-CHIEF: Abdulqader Obaid Ali, CFE, CRMA, QIAL
EDITOR: Ghada Abd Elbaky

EDITORIAL ADVISORY COMMITTEE
Asem Al Naser, CPA, CIA, QIAL
Farah Araj, CPA, CIA, CFE, QIAL (Lead Member)
Andrew Cox, MBA, MEC, PFIIA, CIA, CISA, CFE, CGAP, MRMIA
Raymond Helayel, CPA, CIA
Meenakshi Razdan, CA, CPA, CIA, CFE
Hossam Samy, CRMA, CFE, CPA, CGA
Nagesh Suryanarayana, MBA, CIA, CCSA
James Tebbs, CA
Vishal Thakkar, ACA, CIA

JUNE 2016, VOLUME 2016: 1

CONTACT INFORMATION

ADVERTISING & ADMINISTRATION
Yasmine Abd El Aziz, [email protected], Tel: +971 55 351 2335

EDITORIAL
Ghada Abd Elbaky, editor@internalauditor.me, Tel: +971 55 728 5147

DESIGN & PRINTING
Gulf International Advertising & Publishing L.L.C., giadco511@gmail.com, Tel: +971 2 441 2299

GUIDELINES FOR AUTHORS
www.internalauditor.me

Internal Auditor - Middle East is published quarterly by the UAE Internal Auditors Association (UAE-IAA), Office 1503, 15th Floor, API Trio Tower, Dubai, United Arab Emirates.

DISCLAIMERS
Internal Auditor - Middle East is intended only for members of the Institute of Internal Auditors in the Middle East and as such it is not intended to be sold or re-sold by any party. The views expressed in Internal Auditor - Middle East are solely those of the authors, and do not necessarily represent the views of the UAE-IAA or the authors’ respective employers. Internal Auditor - Middle East is a peer-reviewed magazine and does not verify the originality of the content submitted by the authors.


UAE IAA Upcoming Events

BY SAMIA AL YOUSUF

May - The Internal Audit Awareness Month

UAE IAA will launch an aggressive awareness campaign throughout May, which is considered to be the audit month. Activities will raise awareness and highlight challenges faced in the internal audit profession and internal audit rules and responsibilities in private and government sectors. Activities will include:

- May 1st: more than 20 universities will have introductory presentations to raise awareness about internal audit and they will be organized by UAE IAA.

- One-day conference to be held in RAK, in collaboration with Finance Audit Department covering the challenges of internal audit, and how to deal with these challenges, after introducing the profession’s role and responsibilities.

- One-day event to be held in Sharjah, in collaboration with the Finance Audit Department, covering internal audit awareness.

- The second internal audit governmental forum will take place on 22nd in collaboration with Dubai Land Department at InterContinental Hotel, Dubai Festival City. Mr. Richard Chambers, President and Chief Executive Officer of The Institute of Internal Auditors (Global), will grace the forum as a keynote speaker.

- On 23rd of May, a forum will be conducted in Abu Dhabi, which will be a joint venture between The IIA (Global) “represented by Richard Chambers,” Transparency International and UAE IAA.

- UAE IAA and The Petroleum Institute will be hosting a joint awareness event on 25th of May.

- Audit awareness is not a monopoly of the United Arab Emirates, as UAE IAA is planning to conduct the first conference on internal audit in Kuwait.


Knowledge Update

BY VISHAL THAKKAR

Technology & Internal Auditing in the UAE (infographic item): share of internal audit departments that use data analytics extensively

White Collar Crime and Fraud Risk Survey by Protiviti

As white-collar crime and fraud are very dynamic, Protiviti and the Economic Crime and Justice Studies Department at Utica College carried out an in-depth survey of white-collar crime and the fraud risk management frameworks implemented to contest them.

The research carried out for the survey provided many findings, but one predominant finding was that most organizations are not well positioned to conduct investigations related to fraud. This was mainly because organizations conducting investigations are under-resourced and are spending more time reacting to fraud or investigations instead of stressing fraud detection and having a consistent investigative approach. Most companies that are in this situation will more often than not find it very difficult to identify the concerned parties and receive the required cooperation for having done so.

Other key findings from this year’s study are as under:

• Instead of being proactive, most companies were reactive in managing fraud risk and responding to fraud and corrupt practices once issues have been identified. This was mainly due to lack of relevant resources and strategy.
• A handful of companies had related tools and best practices for mitigating fraud risk.
• Most organisations did not have third-party fraud and corruption risk in their purview.
• Organizations that did not have strong fraud detection and reporting programs face an increased risk of damage from disclosures made by “whistleblowers”.
• The impact of the deterrent effect of surprise audits should be weighed against the consultative internal audits.

http://www.protiviti.com/en-US/Pages/Fraud-Risk-Survey.aspx

A practice guide on Internal Audit and the Second Line of Defense

A practice guide on ‘Internal Audit and the Second Line of Defense’ provides guidance and recommendations for audit practitioners, especially to Chief Audit Executives to ensure independence and objectivity are not compromised in situations where internal audit may be responsible for second line of defense activities.

In today’s scenario, many organizations are restructuring their responsibilities, ensuring governance and monitoring functions are collaborating more to avoid duplication of efforts. Due to this change, there would be an additional weight for the Chief Audit Executive as they may be required to assume responsibilities for risk management, compliance and other governance functions. Navigating through this process would be challenging and as a result, this practice guide was developed to assist practitioners in making effective decisions regarding their roles and responsibilities to assume related governance of risk management and controls.

https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Internal-Audit-and-the-Second-Line-of-Defense-Practice-Guide.aspx

Technology & Internal Auditing in the UAE (infographic; percentages shown: 52%, 27%, 80%)
- Share of internal audit departments that use technology extensively
- Share of internal auditors who expect an increase in cyber risks over the next 2 – 3 years

Source: How Technology is Shaping Internal Auditing

https://www.iiauae.org/writereaddata/Portal/AboutUsReport/0wwwpmm3.sse_Internal_Audit___Technology_in_UAE_-_FINAL_-_DEC_2015.pdf


KPMG and Forbes Seeking value through Internal Audit Survey

KPMG and Forbes surveyed more than 400 Chief Financial Officers (CFOs) and chairs of audit committees at companies with revenue between $1 billion and $50 billion to gather what insights internal audit functions are providing and where companies believe internal audit can provide more value.

The survey highlighted that CFOs and chairs of audit committees are not getting sufficient insights into risk management of the company from their corporate internal audit function. The report highlighted a gap between the expectations of chairs of audit committees and CFOs and what they are actually getting from their respective internal audit functions, especially in providing insights on risk management and emerging risks.

Important findings of the survey are as follows:

• The most significant gap was noted in the area of risk management, where only 22 percent of the respondents mentioned that their companies receive help assessing risks and risk management practices from internal audit and 57 percent said that type of information would be most valuable to receive from internal audit.
• 5 percent of the survey respondents stated that they receive informed insights on emerging risks from internal audit, as against 36 percent who would like to receive such perspectives.
• When asked about the top 5 skills needed in internal audit professionals, 62 percent of respondents pointed to technology skills, reflecting the need for a technology-enabled approach to internal audit.
• Half of the companies that responded to the survey stated that they track risk through a compliance function and half as many through a legal function, as against only 9 percent through an enterprise-wide risk management function. Respondents indicated they care more about internal audit's response to emerging risks than which function was accountable for risk tracking.

http://www.kpmginfo.com/IIA/downloads/GM-OTS-1653_SeekingValueThrough_IAB_V1.pdf

A guide to help Directors bridge the “IT confidence gap”

PwC surveyed approximately 800 public company directors during 2012-2015. The research results indicate that many board members are uncomfortable with overseeing their company’s IT. An “IT confidence gap” is created for many board members due to the following factors:

• Many directors grew up in a pre-digital age
• Very few directors have IT backgrounds
• Board time is at a premium
• Directors want more information

To bridge the gap, an IT oversight framework is recommended as follows:

Step 1 - Assessment: Determine how critical IT is to the company and the current state of its infrastructure

Step 2 - Approach: Agree on the board’s IT oversight approach

Step 3 - Prioritization: Identify the IT subjects most relevant to the company

Step 4 - Strategy: Integrate IT initiatives into strategy oversight

Step 5 - Risk: Integrate IT into risk management oversight

Step 6 - Monitoring and cybermetric reporting: Adopt a continuous process and measure results

http://www.pwc.com/us/en/cfodirect/publications/corporate-governance/directors-and-information-technology.html

11th Edition of Global Risks Report 2016

Around 750 experts and decision-makers in the World Economic Forum’s multi-stakeholder communities responded to the 2016 Global Risks Perception Survey. The results of the top global risks for 2016 are as follows:

Top 3 Risks by Likelihood
1. Large-scale involuntary migration
2. Extreme weather events
3. Failure of climate-change mitigation and adaptation

Top 3 Risks by Impact
1. Failure of climate-change mitigation and adaptation
2. Weapons of mass destruction
3. Water crises

http://www3.weforum.org/docs/GRR/WEF_GRR16.pdf


UAE-IAA Events

5th Chief Audit Executives Conference & Internal Audit Best Practices Award

BY SAMIA AL YOUSUF

During the 5th CAE’s conference held in December 2015, and for the first time in the region, UAE IAA launched the Best Practice Award in Internal Audit (BPA).

It was initiated with a clear vision “To pursue excellence in processes by recognizing Internal Audit Departments’ Best Practices”. The award aims at encouraging Internal Audit departments to share practices they follow internally which help them work with increased efficiency and effectiveness, and improve performances.

The award model is based on 4 pillars; Innovation; Successful Structured Implementation; Benefits to the Internal Audit Department; and Benefits to the Organization.

2015 winners included Etisalat - UAE, General Directorate of Residency & Foreigners Affairs – Dubai, Sharjah Islamic Bank, Mashreq Bank and Road & Transport Authority (RTA).


Awareness Seminar at RAK Finance Department

RAK Finance Department hosted a seminar inviting all CAEs and Internal Auditors working in RAK government departments to attend an awareness seminar about the UAE Internal Auditors Association.

H.E. Sami Saqr, the general manager of RAK finance department, welcomed the attendees and thanked Mr. Abdulqader for presenting a very informative session about the Association and the services provided.

Mr. Abdulqader was very proud to announce that the Association is considered one of the newest yet fastest-moving associations in terms of the services provided, which supported The IIA (Global)'s approval to hold the Internal Audit International Conference 2018 in Dubai. It will be the first time in the history of The IIA (Global) that such a conference is held in the MENA region.

Software Asset Management (SAM) Processes for Auditors

UAE IAA hosted a technology subgroup seminar “Unlocking the Potential of Software Asset Management” on Monday, 2nd February 2016 at The Novotel Hotel, Dubai. The seminar addressed various Software Asset Management (SAM) drivers and highlighted how SAM can assist organizations in maintaining better IT governance.

The event emphasized why, in an emerging global market like the UAE, where the IT infrastructure is getting more complex due to evolving business needs, obtaining accurate software discovery tools is definitely worth investigating. The event was attended by more than 50 auditors from different organizations, and Mr. Ian Corstens, SAM Global Leader, Deloitte, graced the occasion as the guest speaker.

Enterprise Risk Management (ERM) Seminar

UAE IAA in partnership with Grant Thornton presented a seminar on Enterprise Risk Management (ERM) and its strategic benefits.

The event, held on 3rd March 2016, had the objective of improving understanding of Enterprise Risk Management (ERM), broadening risk assessment perspective, and benchmarking and reinventing risk management tools. The seminar was attended by members of various government and non-government organizations.

Mohamad Nassar, Operational Advisory Partner of Grant Thornton - UAE, was the guest speaker who shared meaningful advice on ERM and helped attendees gain an understanding of current issues, challenges and emerging practices regarding risk management, control, and governance processes.


Risk Management

BY NABIL AL OUF EDITED BY FARAH ARAJ

Fraud risk impacts all organisations regardless of their size, maturity or geographic location. Large fraud schemes have brought down companies and even led to the imprisonment of owners and senior management. When fraud is announced to the market and the public, it may result in irreparable reputation damage and loss of investor confidence. Fraud has also been the reason for the issuance of major regulations such as the U.S. Foreign Corrupt Practices Act of 1977 (FCPA) and the U.S. Sarbanes-Oxley Act of 2002. As a result, today an organization’s stakeholders expect the board and management to adopt a “zero tolerance” approach to fraud.

Managing fraud risks involves the board as well as multiple lines of defense including senior management, compliance, legal, human resources as well as internal audit. There is a shared responsibility between each of these parties in a fraud risk management process. When it comes to internal audit, a global survey1 by the Institute of Internal Auditors (IIA) showed that over 80% of internal auditors have at least some responsibility for fraud detection and prevention.

Internal Audit Responsibilities During Audit Engagements

An effective internal audit activity can be extremely helpful in supporting a fraud risk management process. Although management and the board are ultimately responsible for fraud deterrence, internal auditors can assist management by determining whether the organization has adequate internal controls and fosters an adequate control environment.

To the degree that fraud may be present in activities covered in the normal course of audit work, the IIA’s Standards state that internal auditors have the following responsibilities with respect to fraud risk:

• Due Professional Care (Standard 1220): Internal auditors must

have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

• Risk Management (Standard 2120): The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.

• Engagement Objectives (Standard 2210): Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.

Internal audit procedures alone, even when carried out with due professional care, do not guarantee that fraud will be detected. A well-designed internal control system should help prevent or detect material fraud. Tests conducted by internal auditors improve the likelihood that important fraud indicators will be detected and considered for further testing.

• Consider fraud risks in the assessment of internal control design and determination of audit steps to perform.

• Have sufficient knowledge of fraud to identify red flags indicating fraud may have been committed.

• Be alert to opportunities that could allow fraud, such as control deficiencies.

• Evaluate whether management is actively retaining responsibility for oversight of the fraud risk management program.

• Evaluate the indicators of fraud and decide whether any further action is necessary or whether an investigation should be recommended.

• Recommend investigation when appropriate.

A Framework for Managing Fraud Risk

According to the IIA’s publication titled Managing the Business

MANAGINGFRAUD RISK

The best way to protect an organisation from fraud is through a proactive and collaborative approach to fraud risk management.

Page 13: 20 and Data Analytics - Internal Auditor...Fraud Detection and Data Analytics Bolstering Anti-Fraud Programs by Effectively Identifying Anomalies & Red Flags JUNE 2016 JUNE 2016 INTERNAL

INTERNAL AUDITOR - MIDDLE EAST 11 JUNE 2016

Risk of Fraud: A Practical Guide, “only through diligent and ongoing effort can an organization protect itself against significant acts of fraud”. The key principles to proactively manage an organization’s fraud risk include2:

While the principles above may seem straight forward, they must all be present and work together to form an effective fraud risk management process. When one takes a look at the details of these principles, they can include a wide variety of elements such as: code of conduct, fraud awareness training, whistleblower hotline, fraud risk assessments, anti-bribery and corruption programs, audits of anti-fraud controls, investigations policies and protocols and even data analytics for fraud detection. However, there isn’t a “one size fits all” approach to managing fraud risk. The sophistication of the system and its elements will depend on the size of the company, internal capabilities and the nature of business. But for any form of company proper oversight by the board and audit committee and a positive tone at the top from the CEO and executive management are essential to ensure an effective response to fraud risk.

While the principles above are all important, it is in Principle 2 where internal auditors can add value to the organisation by conducting fraud risk assessments.

Fraud Risk AssessmentThe fraud risk assessment is a tool that assists management and internal auditors in systematically and proactively identifying where and how fraud may occur and who may be in a position to commit fraud. A fraud risk assessment also helps a company comply with the IIA’s Standards, identify controls related to fraud mitigation, increase awareness of fraud risks among management & employees and help to assign internal audit resources.

The concept of fraud risk assessments is not an idea that is new to our region. In a survey3 of heads of internal audit conducted by the UAE Internal Auditors Association, 45% of internal audit heads in the non-financial services sector stated that they carry

out fraud risk assessments. But the question on the minds of many internal audit leaders is “Is the fraud risk assessment a duplication of Enterprise Risk Management efforts?” The simple answer is “No”. Traditional risk assessments link risks to the organization’s key objectives. Fraud can be overlooked. A fraud risk assessment expands upon traditional risk assessment as it focuses on the fraud scheme rather than based on the audit universe or business objectives.

A fraud risk assessment generally includes five key steps: 1. Identify relevant fraud risk factors. 2. Identify potential fraud schemes and prioritize them based on risk. 3. Map existing controls to potential fraud schemes and identify gaps. 4. Test operating effectiveness of fraud

prevention and detection controls. 5. Document and report the fraud risk assessment4.

ConclusionAlthough organizations do not like dealing with fraud, proper fraud risk management makes good business sense and can help protect organizational value. Companies cannot avoid fraud altogether but they can work to identify it early and reduce any harm it may cause. A proactive approach to managing fraud risk is the best way for organizations to do that. When fraud risk is properly managed and responded to in a company, it sends a very positive message to stakeholders and regulators about how fraud is not tolerated. Finally, we shouldn’t forget the important role that internal auditors carry out in supporting the fraud risk management process; a role expected by stakeholders and required by the IIA Standards.

References:

1. Responding to Fraud Risk: Exploring Where Internal Auditing Stands, The Institute of Internal Auditors Research Foundation, 2015.
2. Managing the Business Risk of Fraud: A Practical Guide, The Institute of Internal Auditors, 2008.
3. Risk Management Practices and the Role of Internal Audit, The UAE Internal Auditors Association, 2015.
4. Practice Guide: Internal Auditing and Fraud, The Institute of Internal Auditors, 2009.


NABIL AL OUF, CIA, CFE, CRMA, CRBA is Group Head of Internal Audit at Dragon Oil Holdings.

Principle 1: As part of an organization’s governance, a fraud risk management program should be in place, including a written policy to convey the expectations of the board and senior management regarding managing fraud risk.

Principle 2: Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate.

Principle 3: Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.

Principle 4: Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.

Principle 5: A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely.


Conversations with Colleagues

BY FARAH ARAJ

An experienced business leader and advocate of anti-corruption talks about fraud risk and the role of internal auditing

Dr. Khalid Al-Faddagh

In an exclusive interview, Internal Auditor - Middle East spoke to Khalid Al-Faddagh, Ph.D., who is a retired Chief Audit Executive (CAE) and a former CEO and a member of several boards. Dr. Khalid has over 30 years of experience in various roles in the oil & gas industry.

Most recently, he served as the Executive Director of Internal Auditing at Saudi Aramco where he led a team of over 150 internal audit professionals.


Dr. Khalid also served as a board member in several joint ventures in Saudi Arabia, the Philippines and Japan. In the Philippines, he served as the President and CEO of one of the largest listed oil refining and marketing companies in the country.


Dr. Khalid is an avid advocate of anti-corruption efforts in the Middle East and recently co-chaired both the 4th and 5th Middle East Anti-Corruption Summits. Furthermore, Dr. Khalid is a supporter of the Institute of Internal Auditors (IIA) and is also a recent recipient of the UAE Internal Audit Association’s regional “Lifetime Achievement Award”.

Internal Auditor - Middle East conducted a telephone interview with Dr. Khalid Al-Faddagh.

In the Middle East, do you think executive management & boards are giving adequate attention to fraud risk, including anti-corruption?

If we take a look at the data published by Transparency International¹, there is not a single country in the world which can claim to be fraud free. This includes the Middle East which, on average, does not score well on the Corruption Perceptions Index². However, the attention given to fraud risk varies from one company to the other depending on the maturity and corporate culture. Forward thinking companies have boards and executive management that actively oversee and manage fraud risk.

It would be quite surprising if major corporations in the Middle East didn’t include fraud risk as one of the top 5 risks they are facing. Fraud is a reality that we cannot deny in the Middle East and it needs to be adequately addressed if companies want to create shareholder value and attract capital.

What should be the role of internal auditing in the detection and prevention of fraud?

We need to think about fraud risk management as a process. There are shared responsibilities in this process amongst internal audit, management and second line functions. The role of internal audit and the extent of involvement in the fraud risk management process would depend on how internal audit is positioned in the company. This role can be to solely or jointly carry out investigations or, instead, outsource fraud investigations and focus on providing the overall assurance.

When it comes to detection, I believe internal audit bears a higher portion of responsibility than it has for the prevention of fraud. The IIA Standards require that internal auditors be able to evaluate how fraud risk is being managed and to identify fraud red flags. Chief Audit Executives cannot really say they have no responsibility in the detection of fraud even when there is a specialized fraud investigation team not part of the internal audit department.

In terms of prevention, I believe that management has the higher responsibility, being the first line of defense and responsible for internal controls, including anti-corruption controls. Internal audit’s role will be to assess the effectiveness of the process and conduct root cause analysis on how and why fraud occurred. In addition, they may conduct awareness sessions or facilitate fraud risk assessments.

How would you respond to those who say, “Where were the internal auditors?” when fraud occurs?

I would reply “Where was management? Where was the second line of defense?”. In such cases management failed to do its job. When internal auditors carry out an audit of a particular area, they focus on the high risks. If fraud is one of those high risks, then the particular controls are audited. This means that internal auditors do not always cover fraud in their audits and it is up to management to ensure that internal controls are functioning adequately. The Chief Audit Executive has an important role to play when it comes to making management aware of internal auditors’ role and responsibility in these areas.

Similarly, when we look into fraud discovery, studies show that the prime source is usually through hotlines. Therefore, management needs to foster a culture of openness and embrace non-retaliation. When an employee gets fired for reporting a red flag, the message is “don’t report fraud”. In such cases, the statement “where were the internal auditors?” is not even relevant.

How important are fraud certifications (e.g. Certified Fraud Examiner) for internal auditors?

We need to differentiate between general internal auditors and internal auditors who are fraud specialists or investigators. In my opinion, all fraud specialists and investigators must be certified. I would not hire one who is not certified! For the general or mainstream internal auditors, I’m not too concerned about fraud certifications. There are a variety of other risks that they need to audit and I would not want to distract them away from these risks to focus on fraud certifications. Mainstream auditors should not play the role of investigators; however, they need to have the skills to identify the red flags related to fraud, and hand over such observations to the investigators.

“Fraud is a risk like any other business risk. Responding to this risk requires a coordinated effort between management, second line functions and internal audit.”

When internal audit departments are responsible for investigations, they need to have the appropriate skills and certifications. For example, in smaller audit functions or functions which do not have separate investigation teams, it would help to have certain mainstream auditors certified.

So where would internal auditors get the skills to identify fraud red flags?

Fraud is a risk like any other business risk. Specialized training can improve the competencies of internal auditors in order to deal with such risk. However, this alone would not be sufficient for internal auditors to understand fraud red flags and potential schemes. One of the most important things that Chief Audit Executives need to do is to utilize the lessons learned from fraud cases, and use them to improve the effectiveness of internal auditors and the internal audit process. This can be done by creating a smart and searchable database that includes all fraud incidents which have happened over the years. From there, you can analyze trends and gain useful insights into fraud hotspots and the related circumstances. You can zoom into the details of who is committing fraud, what age, what were the circumstances that made the employee become a fraudster. You basically analyze each fraud case based on the elements of the fraud triangle.

Such findings can be used to sharpen internal auditors’ skills in identifying red flags and the potential fraud schemes. Chief Audit Executives need to work smart and know where to direct internal audit efforts.

If you have to name the single most important element in an anti-corruption program, what would it be?

It would most certainly be the tone at the top! There has to be a strategic commitment at the highest levels to enact changes in behavior and ensure enforcement across the country or a corporation as a whole. Take, for example, Singapore, which was one of the bottom five countries in terms of corruption perceptions 40 years ago. Today, it is one of the “cleanest” countries in the world. This was the result of the strategic commitment and the tone set by Singapore’s leadership.

The same concept applies to corporations. You need to have a strong policy, proper enforcement and make sure that no one is above such a policy. If those in leadership positions, including CEOs, clearly communicate that fraud will not be tolerated, and enforce the appropriate punishment, then this tone will send a very strong and positive message across the organization.

Any final advice to Chief Audit Executives on responding to fraud risk?

CAEs need to shield the audit team and the investigators from “Corporate Politics”, demonstrate independence and objectivity and ensure that he/she and his team adhere to the highest ethical standards. There are valuable lessons learned that can be gained through smart data mining on fraud cases which CAEs need to initiate and champion.

References:

1. http://www.transparency.org/research/cpi/

2. http://blog.transparency.org/2014/12/03/middle-east-and-north-africa-a-region-in-turmoil


BY GARY BAUER

Data Analytics

Proactive Data Analytics is one of the principal tools in fraud detection and prevention. The ACFE¹ 2014 Report to the Nations found it to be one of the most effective anti-fraud controls.

Of the 18 Anti-Fraud Controls selected by the ACFE, Proactive Data Monitoring/Analysis was found to be the most effective at limiting the duration and cost of fraud schemes. Victim organizations with this control experienced losses that were 60% lower in value and schemes that were 50% shorter in duration than organizations without it.

Fraud Detection and Data Analytics

CAEs in the Middle East are increasingly expressing interest in deploying Data Analytics to detect fraud and irregularity. Popular audit software contains basic Data Analytics tests, and many CAEs are keen to explore how these can be developed and tailored.


I set out in this article some of the considerations for CAEs wishing to embark on a Data Analytics program, including what it involves, the data that can be used, the types of tests to be run, how to interpret the test results, who should do the work, and some of the problems and pitfalls in running a Data Analytics program.

Data Analytics’ benefits in fraud detection are known to many CAEs. Data Analytics does not rely on sampling (and fraud in general does not lend itself to easy extrapolation across data populations), and can be easily redeployed, or even deployed on a continuous basis.

Data Analytics is also useful in fraud prevention. Simply knowing that Internal Audit is running a series of tests designed to identify fraud and irregularity will surely dampen the enthusiasm of potential fraudsters.

What is ‘Data Analytics and Fraud Detection’?

We talk here of a set of tests that can be deployed across company data, designed to detect irregularity which can be indicative of fraud. It is important to realize that the tests themselves do not show fraud, only indicators. Exceptions generated by tests must be investigated to determine whether the underlying transaction is fraudulent, or whether there is some other explanation.

It is important, when dealing with stakeholders, that this difference is clearly and consistently articulated. A basic set of Data Analytics tests will generate a lot of exceptions. Most of these exceptions will not be fraud.

We talk here of Data Analytics on ‘structured’ data. Structured data is simply data that is stored in fixed fields. Data from an ERP will almost always be structured data. Unstructured data can include photos, graphics, webpages, email, PDFs, PPTs and Word data. Semi-structured data is a hybrid of the two and includes tags that are attached to unstructured data, for example keywords that are tagged onto photos and metadata attached to Word documents.

For the most part, CAEs will be interested in starting a Data Analytics program based on deploying tests on structured data. Forensic investigations focus a lot on unstructured information; however, Data Analytics involves analysis, not investigation. The advantage of starting with Data Analytics on structured data is that the outcomes are easily understood and accepted by stakeholders and the tests almost always yield interesting results, irrespective of whether they turn out to be fraud or not.

Types of tests

CAEs have the option of a suite of over 100 tests in areas such as Procure-to-Pay, Order-to-Cash, Finance, Human Resources (including Payroll) and Bidding & Contracting. Many of these tests include basic tests that internal audit may already run and which are embedded in popular auditing software. Others are more complicated. The two or three word test description (for example, ‘Vendors Paid Early’) will often indicate the utility of the test. CAEs may also be aware of tests involving Benford’s Law, which – assuming an adequate population – can yield more fraud-focused results.

Tests can be broken down into a number of broad types:

* Tests that are run on a single set of data – such as transactional invoice data from the ERP.

* Tests that are run on a combination of data sets from the same platform – such as vendor master and transactional data from the ERP.

* Tests that are run on a combination of data sets from different platforms – such as vendor master data and third party vendor data.

Knowing what type of test you are running will be useful in preparing you for the volume and extent of exceptions detected. Tests that are run on data from different data sources face a higher risk of yielding exceptions that are due to data quality rather than being genuine exceptions to be examined. Extra care needs to be taken when reviewing results that rely on matching text (such as names of vendors).

Entity data to be used

Most entities will run tests on their ERP data. CAEs should give thought to other ‘stand-alone’ data that might be captured within the organization but not fed into the ERP. This can include databases that Functions use for their work, but which have little to do with the financial records. Examples include HR data, such as candidate applications, test results, offers and rankings. Other examples might exist in procurement, particularly around vendor and bidder acceptance and onboarding, while Logistics and Supply Chain may keep data about vehicle movements and staff rosters. Internal audit should have an appreciation of the databases that Functions maintain in their day-to-day work.

Third party data

Data Analytics can be very interesting when third party data is used in conjunction with ERP data. Third party data in this sense includes corporate registry and business directory information and the like. Third party data can show legal and beneficial owners of vendors and customers and contain useful information such as date of establishment, turnover and profit, addresses and other important identifiers.

Of course, in the Middle East, there is a paucity of this information, and what is available can be difficult to compile in a readily-usable format. One solution to this – and which could be a recommendation coming out of a Data Analytics exercise – is for the company itself to start compiling this information at the vendor take-on process or remediate its vendor database over time.

Interpreting the results

Data Analytics tests generate a lot of exceptions, particularly if a few years of data is analysed.

The first level of review should focus on whether the test results make sense, or whether they are the result of problems while executing tests, or poor data quality.

Once satisfied that the results are genuine exceptions, the review should focus on what to look into, particularly for tests with a large number of exceptions. Different tests will generate different volumes of results. A test matching employee phone numbers with vendor phone numbers should hopefully yield few results; whereas a test designed to highlight missing information in the vendor master file will inevitably generate a long list of exceptions.

Where should this analysis start? Unless a stakeholder has imposed a constraint on how the data is to be analysed, you are free to set your own practical criteria for determining the exceptions to be investigated.

Bear in mind that potentially all of your exceptions could involve fraud – it is highly unlikely they will; however, you won’t know until you’ve looked into them.

It can be useful to prepare a summary sheet of vendors that appear in a number of transactions, containing data on overall spending per vendor, their location and the type of expenditure. From this, it can be seen which vendors appear in which tests. Tests can also be weighted, so for example an exception with a ‘split invoice test’ is worth more than an exception with a ‘large quarterly change test’.
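The summary sheet and test weighting described above, sketched as an added example (not code from the article or from any audit package): three of the tests the article names are run over constructed records and rolled up into one weighted score per vendor. The field names, weights, approval limit, seven-day window and quarterly ratio are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data. Field names are assumptions, not an ERP schema;
# the invoice date is assumed to be the date printed on the vendor's invoice.
VENDORS = {
    "V001": {"name": "Alpha Trading", "phone": "+971 4 555-0101", "location": "Dubai"},
    "V002": {"name": "Beta Supplies", "phone": "04 555 0202", "location": "Abu Dhabi"},
    "V003": {"name": "Gamma Services", "phone": "(04) 555-0303", "location": "Dubai"},
}
EMPLOYEES = [{"id": "E10", "phone": "00971-4-5550101"},
             {"id": "E11", "phone": "04 555 0999"}]
INVOICES = [  # (vendor_id, invoice_date, amount)
    ("V001", date(2016, 1, 10), 4000), ("V001", date(2016, 2, 5), 6000),
    ("V001", date(2016, 4, 3), 9500), ("V001", date(2016, 4, 5), 9000),
    ("V001", date(2016, 4, 6), 8000),
    ("V002", date(2016, 1, 15), 12000), ("V002", date(2016, 4, 20), 30000),
    ("V003", date(2016, 2, 1), 5000), ("V003", date(2016, 5, 1), 5500),
]
APPROVAL_LIMIT = 10000  # assumed single-approver limit
# Assumed weights: a split invoice counts for more than a large quarterly change.
WEIGHTS = {"employee_vendor_phone": 5, "split_invoice": 3, "large_quarterly_change": 1}


def phone_key(raw):
    """Reduce a phone number to its last 8 digits so formatting differences
    (country code, spaces, brackets) do not hide or fake a match."""
    digits = re.sub(r"\D", "", raw or "")
    return digits[-8:] if len(digits) >= 8 else None  # too short: unusable


def phone_match_test(vendors, employees):
    """Vendors whose phone number is also an employee's phone number."""
    by_key = {phone_key(e["phone"]): e["id"] for e in employees if phone_key(e["phone"])}
    return [(vid, by_key[phone_key(v["phone"])])
            for vid, v in sorted(vendors.items()) if phone_key(v["phone"]) in by_key]


def split_invoice_test(invoices, limit=APPROVAL_LIMIT, window_days=7):
    """Two or more invoices from one vendor, each under the approval limit,
    dated within the window and together reaching the limit."""
    by_vendor = defaultdict(list)
    for vid, inv_date, amount in invoices:
        if amount < limit:
            by_vendor[vid].append((inv_date, amount))
    hits = []
    for vid, rows in sorted(by_vendor.items()):
        rows.sort()
        i = 0
        while i < len(rows):
            window = [r for r in rows[i:]
                      if r[0] - rows[i][0] <= timedelta(days=window_days)]
            if len(window) >= 2 and sum(a for _, a in window) >= limit:
                hits.append((vid, window))
                i += len(window)  # do not report the same invoices twice
            else:
                i += 1
    return hits


def large_quarterly_change_test(invoices, min_ratio=2.0):
    """Vendor spend that at least doubles from one quarter to the next."""
    spend = defaultdict(float)
    for vid, inv_date, amount in invoices:
        spend[(vid, inv_date.year, (inv_date.month - 1) // 3 + 1)] += amount
    hits = []
    for (vid, year, q), total in sorted(spend.items()):
        prev = spend.get((vid, year, q - 1) if q > 1 else (vid, year - 1, 4))
        if prev and total / prev >= min_ratio:
            hits.append((vid, f"{year}Q{q}", prev, total))
    return hits


def vendor_summary(vendors, employees, invoices):
    """One row per vendor: spend, location, exceptions per test, weighted score."""
    results = {
        "employee_vendor_phone": [h[0] for h in phone_match_test(vendors, employees)],
        "split_invoice": [h[0] for h in split_invoice_test(invoices)],
        "large_quarterly_change": [h[0] for h in large_quarterly_change_test(invoices)],
    }
    total_spend = defaultdict(float)
    for vid, _, amount in invoices:
        total_spend[vid] += amount
    rows = []
    for vid, info in vendors.items():
        tests = {name: hits.count(vid) for name, hits in results.items() if vid in hits}
        rows.append({"vendor": vid, "name": info["name"], "location": info["location"],
                     "spend": total_spend[vid], "tests": tests,
                     "score": sum(WEIGHTS[name] * n for name, n in tests.items())})
    return sorted(rows, key=lambda r: (-r["score"], r["vendor"]))


if __name__ == "__main__":
    for row in vendor_summary(VENDORS, EMPLOYEES, INVOICES):
        print(row)
```

The score only orders the review queue: every row is still an indicator to be investigated, not a finding of fraud.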

First line, second line or third line?

Who should look at the exceptions? CAEs may, on one hand, wish to keep control of the process, particularly in the early stages; while on the other, not wish to reassign existing resources to manage the program.

One approach could be that internal audit starts and refines the program (including investigating select results) and ensures that it is meeting expectations, and then moves to a stage where it conducts the tests and sends select exceptions back to the first line for follow up.

Problems and pitfalls

There are a handful of problems that CAEs should be aware of in embarking on a Data Analytics exercise.

In order to gain management buy-in, CAEs may wish to first focus on straightforward tests against structured data. This is likely to yield less confusing, more easily understood results in a shorter timeframe. From there, efforts can potentially be made on semi- and unstructured data.

Finding the data within the organization can also present problems. The data in the ERP is probably relatively straightforward, but data kept and maintained by functions (outside of the ERP) can also be useful. Often finding the owners of data, and gaining their acceptance for its use, can present problems.

Data feeds must also be organised. There are a couple of methods for this and care should be taken that underlying data is not altered in the process.

Data quality could well be the chief problem faced. Broadly, the data used will not have been prepared for the purpose of running specific queries to identify anomalies. However, it may still be useful, or at least adequate. Data may be missing fields, may not have been fully completed, may be outdated, or it may have been overwritten with no historical data or audit trail of changes. This will be important to know when running tests and interpreting results. For example, a test to detect ‘payments made to bank accounts not assigned to vendors’ may yield a great number of exceptions if historical information on bank accounts is not kept.

Finally, it is vital to understand the data that is captured in each field. For example, whether the ‘invoice date’ is the date of the invoice as per the vendor, the date it was approved or the date it was input to the ERP. Without knowing this, your understanding of what a test reveals and what it actually reveals will be two separate things.

Conclusion

Data Analytics is a proven tool in fraud detection and prevention programs and has captured the attention of CAEs in the region. A Data Analytics program can be deployed in several stages, focusing on early quick wins from structured data, mindful of data availability and quality. The effort required to interpret results should not be underestimated.

¹ Association of Certified Fraud Examiners

GARY BAUER is Managing Director and Regional Head of Forensic Services for Protiviti in the Middle East.


Hotlines

BY ROBIN SINGH

Whistle-blower is a term that is most dreaded by all concerned, but in hindsight it has a lot of benefits for everybody. Fraud is an ongoing activity and sometimes it comes to notice only after many years. It is deleterious not only to the health of a company but also to the society we live in. In the long run, therefore, whistle-blowing can not only cut down on fraud but also help society overall. One way to enable it is to set up a whistle-blowing hotline with an option for anonymous reporting.

WHAT ARE THE 2 MAJOR IMPLEMENTATION MISTAKES?

Assuming it’s about the money.

Studies have shown that a majority of whistle-blowers don’t do it for pecuniary benefit, but for the genuine well-being of the company. Hence companies that do not listen to internal complaints because they assume the motives are not genuine lose the benefit of the information provided by a whistle-blower; the call rate drops dramatically and so does faith in the company.

Not investing in a third-party hotline.

Using an internal system will place the reporter, the alleged, the information and the issue / concern at high risk, simply because administrators and super users will always have access to the information. Bottom line is everyone has friends! The purpose of anonymity, in substance, is to put in practice a system that prevents an individual and the associated elements from coming to any harm (e.g. retaliation, etc.). Thus, going with a third party provider is the best solution.

WHAT ARE SOME OF THE COMMON PITFALLS FROM THE TIME A CASE IS REPORTED TO THE TIME THE FINAL REPORT IS RELEASED?

1. Does having zero calls in a company’s hotline convey lesser risk?

One of the key cornerstones of success for a function like Ethics and Compliance is the success of the whistle-blowing hotline. Fewer calls could also mean that people are afraid to report because of management’s reaction toward them, because people do not have faith in the system, or simply because of poor marketing.

How do you avoid this?

The Ethics and Compliance function should expand its horizon to build an efficient pipeline of interaction, information collection points and input beyond the hotline, so that the information lands at the desk of a Compliance Officer.

2. Thinking that employees will always willingly report suspected fraud and/or misconduct.

Many employees are apt to let matters rest and not make a report in the belief that a report may well lead to some adverse action against them.

How do you avoid this?

One of the cardinal principles of this entire scenario is to ensure that employees who are whistle-blowers are not going to face any sanctions from anyone in the hierarchy. In other words an employee must have the confidence that not only will his identity be respected. This can be best done by establishing a whistle-blower protection program in the whistle-blowing policy which speaks about sanctions against any staff member or senior manager involved in retaliation towards a whistle-blower.

Effective Whistle-blowing Hotlines

Hotline pitfalls and solutions from the implementation stage to the commencement of an investigation.

3. Should you treat anonymous reports as unreliable?

This is a double-edged sword. Anonymity is there to protect employees and in no way delegitimizes the report. An employee’s information (not his/her name) is critical to the success of an investigation.

How do you avoid this?

One important aspect of whistle-blowing is to ensure that vindictive reporting is not only ignored but that the person involved is cautioned against it. The ability to distinguish between a valid and a vindictive claim / allegation is an important part of the jigsaw puzzle.

“Effective hotlines are the best way to detect fraud”

4. Confusing vindictive and genuine complaints

The department must be able to differentiate between the two. Failure to do this can lead to diminishing confidence of the employees in management and functions like Ethics and Compliance.

How do you avoid this?

An initial information check always helps: for example, if an employee is named, look at the personal file, review declarations, speak to his/her manager in confidence, etc. The cardinal principle of jurisprudence, “Innocent until proved guilty”, should be the guiding tenet.

5. Information versus integrity / honesty.

Not being able to show a correct picture to a non-anonymous whistle-blower can lead to a collapse of the entire governance structure. Don’t leave a whistle-blower in the dark by implying you can protect his identity when you can’t.

How do you avoid this?

A key pillar of a governance structure is accountability, with integrity at its nucleus. Non-anonymous whistle-blowers should be made aware that if the case goes for prosecution and the authorities seek details for indictment, then his/her name would have to be disclosed.

However, if anyone from management, such as a board director or a CXO, makes any attempt to identify the whistle-blower, the Ethics and Compliance function must make it a point to say “STOP”. The biggest problem is, if it is not written it is not true, so put it in the policy.

6. Identify the essence of an investigation.

The aim of an investigation is not to focus on a single employee but to take in the entire gamut of the case and identify everyone who is involved. The key is to identify, interpret and resolve various scenarios arising from the allegation.

How do you avoid this?

Consider creating a linked analysis through the job descriptions of the alleged (about whom you have received direct evidence) and try to see who else can be encompassed. A wide horizon, reference to previous complaints and advice from Legal Counsel are essential while evaluating the case / report (not the person!).

7. Who should control the interview?

Letting the witness or reporter lead the interview can greatly twist the facts and the scope of an investigation.

How do you avoid this?

Determine the objective of the interview; define guidelines (a one-pager) to set boundaries in admission-seeking or information-gathering interviews. Make it a point to have a clear picture of the case and identify the role of the cogs (confidants and others) in the larger picture of the crime. Unless you are able to join all the dots with appropriate and adequate evidence the alleged is “INNOCENT”.

8. Confidentiality and protecting alleged / suspect unless proven guilty.

Information leaks are pretty common between Chinese walls during an investigation. An unexpected / negligent leak, before a conclusion, can ruin the reputation of the accused.

How do you avoid this?

No promises should be made to any of the parties. In a conflict of interest case, an information leak can be damaging to a person’s reputation, especially if it turns out that a perceived conflict does not exist. Place a comprehensive chapter in the Compliance Program Manual on investigation, the methodology, the basis for disclosing information, etc. to safeguard a compliance officer / investigator and their rights. Lately, with the issuance of the Yates Memo in the United States, it is clear that governments are defining mechanisms to hold individuals accountable for corporate wrongdoing, which was never the case earlier. This can go to the extent of prosecuting a person administering a compliance program.

Conclusion

A hotline is the single most important point of contact between the Compliance Officer and all the employees. The analysis of the data and the types of concerns recorded give a tremendous insight into what is happening within the organization, what the pain points are and what type of support is needed at the bottom of the organizational pyramid. It is imperative that a compliance officer never stops employees from reporting other side concerns (such as regulatory reporting, etc.) but at the same time it should not stretch out to the spectrum of useless concerns. Thus, mature management teams across the world are naming it a “Helpline” rather than just a “Hotline”. Useless concerns can dilute the analysis and the final outcome, and impair management’s view when taking diligent decisions. Keep an eye on the same.

Lastly, for an Ethics / Compliance officer or a Fraud Examiner, the buck doesn’t stop with the implementation of the hotline; the core work starts after the implementation of the hotline.

ROBIN SINGH, MSc.– LAW, MBA, MIT, CFE, CFAP is Senior Ethics / Fraud Control Officer at Abu Dhabi Health Services Company (SEHA).

Leading Practices

Adjusting the Lens on Economic Crime in the Arab world

BY JAMES TEBBS

Overview

Economic crime continues to evolve, leading to added risk, increased regulatory compliance demands and burdens on businesses. This increasingly complicated landscape creates challenges for organisations seeking to balance resources and growth. Although not universally defined, economic crime is taken to consist of crimes impacting organisations such as Fraud, Bribery & Corruption, Anti Money laundering, Cybercrime and Market Abuse.

PwC’s newly published Middle East Economic Crime survey shows that economic crime remains a persistent threat to the region with a rise in the number of businesses reporting economic crime compared to the date of our last survey two years ago. Over a quarter of respondents (26%) reported economic crime, up from 21% of respondents in 2014.

The damage caused by economic crime

The financial impact – a changing picture

The financial impact of economic crime on local organisations remained significant, with the latest results showing the cost to be even higher than those reported globally in the same categories.

In the Middle East, 35% of organisations that had suffered economic crime estimated a financial impact of between USD 100,000 and USD 5,000,000 in value in the prior 24 months, down from 51% in 2014. Over the same period, 9% (up from 6% in 2014) of respondents suffered total losses valued at between USD 5,000,000 and USD 100,000,000, whilst 1% (down from 6% in 2014) suffered losses exceeding USD 100 million. The value of the losses identified by respondents continues to highlight the extent and significance of economic crime.

What about the non-financial impact of economic crime?

The collateral damage from economic crime is wide-ranging and affects different organisations in different ways. Damage to employee morale was the number one collateral impact affecting an organisation as a result of economic crime according to the 2016 survey. This, coupled with more traditional ‘commercial’ effects (such as weakened business relations, a damaged brand or reputation and greater regulatory scrutiny) impacts an organisation’s productivity and ability to generate revenues. Whilst this is difficult to quantify, it is clear that both the financial and non-financial costs of economic crime are significant.

Perpetrators of economic crime attack organisations from multiple angles in multiple ways. Whilst firms should implement robust fraud prevention controls and procedures across the full suite of business activities, how does a firm know which areas they should prioritise?

Recent economic crime trends – what’s hot right now

The 2016 economic crime survey indicates that reported incidences of economic crime increased from 2014, though the most significant forms of economic crime remained the same.

Asset misappropriation remains the number one type of fraud encountered by organisations in the Middle East, suffered by 61% of respondents who had suffered economic crime (down from 71% in 2014). This is unsurprising as the theft of assets often requires minimal technology and sophistication; it is hard to see a time in the near future where simple theft is not a significant problem.

Cybercrime was the second most reported economic crime in the region, affecting 30% of organisations (down from 37%). Respondents perceive the greatest threat of cybercrime as coming from outside their organisation, yet 66% of respondents did not have a cyber-incident response plan in place.

Procurement fraud featured as the third most significant type of economic crime experienced in the Middle East as reported by 25% of respondents who had suffered some form of economic crime (down from 33% in 2014).

Bribery and corruption remains a significant threat in the Middle East in spite of improvements to the Transparency International Corruption Perception Index ratings for a number of Middle East countries. In the region, 33% of respondents expect to experience bribery or corruption in the next 2 years.

In addition, the survey revealed that over 20% of respondents were not aware of the existence of a formal ethics and compliance programme within their organisations, thus raising questions about the effectiveness of their tone-at-the-top approach. Over three quarters of organisations rely on internal audit to ensure the effectiveness of such programmes.

So where to look? Regrettably the survey shows that a significant proportion (33% of respondents) suffered fraud at the hands of their own employees.

Combating economic crime – get smarter, get innovative

Regular risk assessments allow an organisation to assess, understand and mitigate exposure to economic crimes. But the survey highlights two key issues in the region. Firstly, the region is far below the global average as regards organisations taking steps to protect themselves from economic crime (just over 50% of respondents from our survey had performed a risk assessment in the last 24 months). We must continue to ask the obvious question here: If no risk assessment is conducted, how can you be sure that your controls are targeting the real problem? And if controls are not designed properly, how do you know what you have been able to prevent?

Secondly, fraudsters are getting smarter and using more sophisticated methods to bypass internal controls, but not all organisations have responded appropriately.

We look here at two methods which we see used with increasing effectiveness to combat economic crime.

1. Corporate intelligence – gathering and analysing information that can help your organisation make strategic and well-informed decisions

Wouldn’t it be useful to know the credibility of your business partners before conducting transactions with them? Many organisations don’t conduct even basic due diligence procedures. Three levels of due diligence can be performed:

1) Online research

Online research of a range of sources provides access to information on relatively straightforward issues, such as company registrations, or to uncover any allegations of illegal or unethical business practices. We use around 10,000 international media sources to perform targeted searches of the internet and social media, in English and local languages. The process need not be costly, and can reveal extensive information available in the public domain.

2) Full public record research

This is a more detailed search mechanism, accessing corporate filings (including archived versions), court and bankruptcy records and performing archive searches of relevant off-line media publications. This method provides a comprehensive overview of an individual’s or organisation’s reputation and highlights market integrity issues/risks relating to corruption and other economic crime.


3) Human source enquiries

In addition to the two levels above, corporate intelligence professionals have access to human sources across the world. This allows access to real-time, on the ground information which can supplement and support the information obtained from online searches and may identify material adverse information not readily available in the public domain.

Performing adequate due diligence up-front lowers the risk of third parties defrauding your organisation and reduces the chance of your organisation engaging in unethical activities with these business partners. Doing your homework can help you protect your organisation from the outset.

2. Data Analytics – identify the pattern, minimise the impact

Organisations have vast banks of valuable financial and non-financial data. They use this data to create forecasts, identify possible areas for expansion and to make strategic decisions to help the organisation grow.

Potential economic crime trends can be identified from this data. Are travel and subsistence claims unusually high? Do more employees have access to critical systems than you expected? Are duplicate payments being made to suppliers?

Conducting data analytics need not be time consuming or expensive. Searches can be targeted, parameter driven and, to an extent, automated. This makes data analytics a fantastic tool for organisations to use to fight economic crime, as it identifies ‘red flag’ indicators in data sets quickly.
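The duplicate-payment question above can be run as a targeted, parameter-driven test. The following is an added example, not code from the article or from PwC; the column names, thresholds and payment records are constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from decimal import Decimal
from itertools import combinations

# Constructed accounts-payable extract (not real data).
SAMPLE_PAYMENTS = """payment_id,vendor_id,invoice_no,invoice_date,amount
P001,V100,INV-0042,2016-01-10,18500.00
P002,V100,INV0042,2016-01-12,18500.00
P003,V100,INV-0043,2016-02-01,18500.00
P004,V200,7781,2016-01-15,9200.50
P005,V200,7781A,2016-01-15,9200.50
P006,V300,A-17,2016-03-01,4000.00
P007,V300,A-17,2016-06-20,4000.00
P008,V400,55/2016,2016-04-02,12000.00
P009,V400,55-2016,2016-04-20,12000.40
"""


@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor_id: str
    invoice_key: str      # invoice number with punctuation and case removed
    invoice_date: date
    amount: Decimal


def invoice_key(raw):
    """'INV-0042', 'inv 0042' and 'INV0042' all become 'INV0042'."""
    return re.sub(r"[^A-Z0-9]", "", raw.upper())


def load_payments(csv_text):
    payments = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        payments.append(Payment(
            row["payment_id"],
            row["vendor_id"],
            invoice_key(row["invoice_no"]),
            datetime.strptime(row["invoice_date"], "%Y-%m-%d").date(),
            Decimal(row["amount"]),
        ))
    return payments


def find_duplicates(payments, amount_tolerance="0.00", date_window_days=14):
    """Return (payment_a, payment_b, rule) for pairs paid to the same vendor.

    same_invoice          - same normalised invoice number, amounts within tolerance
    same_amount_near_date - different invoice number, amounts within tolerance,
                            invoice dates no more than date_window_days apart
    """
    tolerance = Decimal(str(amount_tolerance))
    by_vendor = defaultdict(list)
    for p in payments:
        by_vendor[p.vendor_id].append(p)

    flags = []
    for items in by_vendor.values():
        # Pairwise comparison is fine for an audit sample; sort and window
        # by amount first when a vendor has many thousands of payments.
        for a, b in combinations(items, 2):
            if abs(a.amount - b.amount) > tolerance:
                continue
            if a.invoice_key == b.invoice_key:
                rule = "same_invoice"
            elif abs((a.invoice_date - b.invoice_date).days) <= date_window_days:
                rule = "same_amount_near_date"
            else:
                continue   # e.g. a regular monthly charge of the same amount
            flags.append((a.payment_id, b.payment_id, rule))
    return flags


if __name__ == "__main__":
    for flag in find_duplicates(load_payments(SAMPLE_PAYMENTS), "0.50", 14):
        print(flag)
```

Each flagged pair is a lead for follow-up against the supporting documents; widening the tolerance or the date window trades fewer misses for more pairs to review.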

Cybercrime – the emerging threat

Cyber crime is the fastest growing, most sophisticated fraud threat affecting organisations across all industries. The most commonly occurring cyber threats in this region are to applications, systems and networks, but mobile devices, removable storage devices and data held by third parties are also at risk.

The most dangerous aspect of cyber attacks is the speed at which they are carried out. Organisations may suffer significant financial, data or other losses before realising that an attack is in progress and are not always sure how to respond to this threat. So what are some of the key considerations your company should have in place to protect itself from the developing threat?

Crown Jewels Analysis

This involves identifying your organisation’s highest risk IT assets from a cyber threat perspective, as these are likely to be the most attractive target for cyber attackers. Once you have identified the assets, you need to benchmark your controls in place. This can be done by running simulations on your key assets to evaluate their cyber readiness and resilience against attacks. It is also worth checking whether any of the high risk assets have been compromised or experienced recent attacks, as this will demonstrate the speed at which you may need to take responsive action.

Breach Indicator Assessment

Conducting a breach indicator assessment will allow you to identify compromised hosts and assets. It can illustrate the areas of your information technology infrastructure that are most likely to be breached. We help our clients by monitoring network traffic to detect threat attempts, analysing endpoints and servers, and extracting breach indicators and evidence of what has happened and what might happen in the future.

Cyber Incident Response

Whilst preventative methods are great at mitigating risks, companies need to have a back-up plan. Having an incident response plan is like having a first aid kit in your home which you may never have to use but, when you do, you’re glad it’s there. The best protection in the world is not always enough and responding quickly can limit the damage an attack may cause.

There are two types of businesses: those who know they have been attacked and those who don’t. For the former, the key information that the firm generally wants to know is what data has been stolen and which systems have been compromised. With the latter, ignorance may be bliss in the short term, but provides no defence against the losses that can follow.

Organisations should ensure they protect their systems before a cyber attack happens and, just as with any other type of risk, proper risk assessment drives effective controls.

A look to the future

What does this all mean for organisations in the Middle East? The main message readers should take away is to remain on the front foot. Economic crime continues to be a major issue in the Middle East and will not disappear any time soon. Organisations need to reassess continually whether their systems and controls have been adapted accordingly.

Taking simple steps such as conducting risk assessments on an annual basis can play a key role in protecting your organisation and will help you understand the key threats facing your organisation in today’s world.

Going one step further and using some of the more innovative and cutting edge tools discussed in this article will allow you to develop a robust mechanism which will protect your organisation from economic crime.

Being proactive is the best advice we can share. Understand what risks your organisation is exposed to and put in place adequate controls and procedures to mitigate the risks.

JAMES TEBBS, CA, is the regional head of financial crime for PwC in the Middle East.


Construction Fraud

BY STEPHEN CROWE


A high-risk fraud environment is typified by heightened pressure and opportunity. When these factors are considered on an industry basis, the Construction sector rates highly, particularly in the procurement cycle. From award to execution, employees and external parties (agents, suppliers, and competitors) have significant opportunities to commit procurement fraud.

In the Middle East, these risks are heightened by region-wide growth, an influx of government funded infrastructure projects, and the prevalence of cash dealings.

The absence of properly structured and executed fraud controls in high margin construction projects acts as a vacuum into which fraud opportunity, and persons susceptible to the temptations that these opportunities present, are drawn together. In the below case studies, you will see that the simplest of controls would have prevented the fraud, or at the very least detected it much earlier.

Case Study #1 “A major power plant project was victim to a significant fraud involving a number of managers who received large cash payments and gifts from colluding vendors to award lucrative supply contracts. Some of these same managers went on to establish companies through proxies to act as agents in the supply of a wide range of materials to the Plant. The syndicated nature of this scheme meant that the cross-check mechanisms in their processes were circumvented. The fraud took place progressively over a period of years. By the time a whistleblower came forward, the quantified leakage exceeded 2m. USD, and involved 285 material item types. The investigation discovered that there was no active price checking outside of provided bids or existing supply contracts, and that an examination of vendor registrations and human resource files would have identified the suspicious links between suppliers and employees.”
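The cross-check the investigation points to, comparing vendor registrations with human resource files, can be automated. The following is an added example, not part of the case study or of any Deloitte tooling; the field names and all records are constructed, and treating the last nine digits of a phone number as its identity is an assumption.

```python
import re
from collections import defaultdict

# Constructed vendor master and HR extracts (fictional names and numbers).
VENDORS = [
    {"vendor_id": "V1", "name": "Alpha Pipes Trading", "owner": "Salem K. Haddad",
     "phone": "+971 50 123 4567", "iban": "AE07 0000 0000 1234 5678 901",
     "address": "P.O. Box 1111, Industrial Area 3"},
    {"vendor_id": "V2", "name": "Delta Valves LLC", "owner": "Rana Aziz",
     "phone": "+971 4 555 0100", "iban": "AE21 0000 0000 9999 0000 111",
     "address": "Office 12, Tower B, Main Street"},
    {"vendor_id": "V3", "name": "Gulf Cable Supplies", "owner": "Omar Nabil",
     "phone": "+971 2 444 0199", "iban": "AE55 0000 0000 2222 3333 444",
     "address": "Warehouse 7, Port Road"},
]
EMPLOYEES = [
    {"emp_id": "E10", "name": "Karim Haddad", "phone": "050-9990000",
     "iban": "AE90 0000 0000 1010 1010 101", "address": "Villa 4, Palm Street",
     "next_of_kin": "Haddad, Salem K"},
    {"emp_id": "E11", "name": "Maya Farouk", "phone": "0501234567",
     "iban": "AE33 0000 0000 1111 1111 111", "address": "Flat 9, Lake View",
     "next_of_kin": "Samir Farouk"},
    {"emp_id": "E12", "name": "Tariq Saleh", "phone": "052 700 0001",
     "iban": "ae21 0000 0000 9999 0000 111",
     "address": "office 12 tower b main street.", "next_of_kin": ""},
    {"emp_id": "E13", "name": "Lina Qasim", "phone": "055 800 0002",
     "iban": "AE44 0000 0000 4444 4444 444", "address": "Villa 20, Hill Road",
     "next_of_kin": "Huda Qasim"},
]


def phone_key(value):
    """Digits only, last nine kept, so '+971 50 ...' and '050...' compare equal."""
    digits = re.sub(r"\D", "", value or "")
    return digits[-9:] if len(digits) >= 9 else ""


def iban_key(value):
    return re.sub(r"\s", "", value or "").upper()


def text_key(value):
    """Lower-case, punctuation removed, whitespace collapsed."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", (value or "").lower()).split())


def name_key(value):
    """Order-insensitive, so 'Haddad, Salem K' matches 'Salem K. Haddad'."""
    return " ".join(sorted(text_key(value).split()))


# (reason reported, vendor field, employee field, normaliser)
CHECKS = [
    ("phone", "phone", "phone", phone_key),
    ("bank_account", "iban", "iban", iban_key),
    ("address", "address", "address", text_key),
    ("owner_is_employee", "owner", "name", name_key),
    ("owner_is_next_of_kin", "owner", "next_of_kin", name_key),
]


def find_links(vendors, employees):
    """Return (vendor_id, emp_id, [reasons]) for every shared attribute."""
    links = defaultdict(set)
    for reason, vendor_field, emp_field, normalise in CHECKS:
        index = defaultdict(list)          # normalised value -> employee ids
        for emp in employees:
            key = normalise(emp.get(emp_field, ""))
            if key:                        # blank fields never match each other
                index[key].append(emp["emp_id"])
        for vendor in vendors:
            key = normalise(vendor.get(vendor_field, ""))
            if not key:
                continue
            for emp_id in index.get(key, []):
                links[(vendor["vendor_id"], emp_id)].add(reason)
    return [(v, e, sorted(reasons)) for (v, e), reasons in sorted(links.items())]


if __name__ == "__main__":
    for link in find_links(VENDORS, EMPLOYEES):
        print(link)
```

A match on one attribute is a reason to pull the vendor file, not a finding; exact matching after normalisation will also miss transliteration variants of the same name.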

Case Study #2 “Following allegations of misconduct involving the General Manager of a regionally-based Construction company, an investigation revealed a significant discrepancy between the quantity of high-value scrap materials that were removed from a number of construction sites, and the payments received by the construction company for the scrap volumes. The General Manager was found to have directed the sale of these materials for his own personal benefit. The schemes employed included the allocation of usable materials as scrap; sale of scrap below market value; and general theft and diversion of scrap and consumable materials. The position of the individual allowed for the circumvention of internal controls, including diversion of staff from their normal role; and placing undue pressure on site security personnel to effect the movement of materials from the sites without documentation, or with documentation that was not verified to the contents of the trucks. Calculated losses exceeded 1m. USD, however the true impact is likely to have been significantly larger.”

Numbers do not tell the full story

That last point in the above study is something that readers will see in many cases of procurement fraud. This is quite understandable, as these activities are mostly identified ‘after the fact’ through investigations and post-construction audits. Full quantification of loss is a significant exercise, and rarely do companies wish to invest further funds to put a true number to the loss when they have already weeded out the offending people and practices. Only in circumstances where there is a reasonable chance of recovery from the offending parties would such a detailed quantification be palatable.

Procurement Integrity Awareness

Regionally, much is being done to address the specter of fraud, bribery, and corruption. Recent efforts in Oman, Saudi Arabia, and the UAE have placed companies on notice that the ‘old’ ways of cornering business through under-the-table inducements are no longer acceptable. The recent spotlight has been on tendering and awarding. There are of course many other areas throughout the four stage procurement cycle where fraud and misconduct can occur. The below table (Table 1) lists some of the fraud risks at each stage of the cycle, aligned against where that risk resides.

Fraud, in all its guises, has at its center a breach of trust. In a project environment, trust is essential due to the segmented expertise that each party brings to the table. Accordingly, it is critical to ensure that the trust awarded is based on substance, and subjected to some level of verification and cross checking.

Table 1: Construction Procurement Integrity Risk Matrix

Stages of the procurement cycle (columns): Procurement; Inventory; Execution; Awarding

Where the risk resides (rows): Employee only; Employee & External Party; External Party: Supplier / Competitor

Risks listed in the matrix:

Improper Performance Bond Waiver; Exclusion of qualified vendors

Phantom vendors; False invoices; Invoice mark-up / alteration; Redirection of delivery

Theft of inventory; Fraudulent or improper inventory capitalization; Inventory write off (lost, obsolete, scrap)

Inaccurate / falsified forecast of raw materials, or spare parts; Theft of raw materials, finished goods or scrap; Personal use of inventory or assets

Conflict of interest; Improper agreement to apply variation orders post-award; Bribery of government employees

Technical scope manipulation; Bribery / kickbacks; Collusion with Third Party advisors

Unnecessary / excess orders

Bribes from subcontractor; Invoices for goods not received

Collusion with transporters; Improper release of retentions; Payroll - irregular compensation payments; Bribery of government employees

Collusion / Supplier Cartel (bid rotation and complementary bidding); Phantom bidding

Defective Pricing; Leakage of Confidential Bid Information / Tender

Bribery of third party; False or misstated invoices; Overstatement of business experience

Suppliers misrepresenting their financial, technical or ethical position

Bribery of subcontractors; Inflated or fictitious invoices; Short shipments

Product Substitution; Invoices for goods not received

Unqualified consultants; Misrepresentation of technical capability and / or capacity by suppliers / vendors

Preventing Procurement Fraud in Construction

Prevention is better than the cure

The most common of sayings, it is however a resounding truth with procurement fraud. Too often construction companies have been caught out with an ‘eyes on the prize’ mentality, neglecting the core planning processes that may identify questions that need asking of other parties in the project, and failing to ensure that the supply chain policies and procedures are clear, transparent, and properly segregated.

Whilst the risk of procurement fraud can never be fully eliminated, companies can implement controls to mitigate the likelihood of such risks occurring, and help detect them earlier to reduce the impact to the project, and to the company. Consider the following checklist for preventing procurement fraud:

1. Due diligence and background checks on partners / master contractors / sub-contractors. At a minimum, you should have confidence in the following factors:

a. Capability to perform the contracted tasks.

b. Financial stability and ultimate beneficiaries of payments.

c. Reputation in the market.

2. Overt stance on fraud, bribery & corruption:

a. Fraud Risk Management framework.

b. ‘No bribes’ policy.

c. Business Code of Conduct, with specific conflict of interest and gifts & entertainment provisions.

d. Whistleblowing facility.

e. Fraud Response Plan.

f. Ethics and Fraud Awareness training for your staff.

g. Supplier Code of Conduct for your suppliers, and their sub-contractors.

h. Rotation policy on high risk parties (e.g., buyers).

i. ‘No Bribery’ clause in all supplier agreements.

j. Right to audit clauses in all supplier agreements.

k. Debarment policy to exclude suppliers and contractors that have participated in any illegal or unethical activities.

3. Independent oversight to test and challenge your supply chain procedures and processes:

a. Internal audit reviews.

b. Data mining to look for hidden red flags.

The dynamic nature of construction projects should compel continual vigilance to procurement fraud risk throughout the life of the project. Never lose sight of the fact that efficiency and performance issues can at times be indicators that a party is not being true and trustworthy in their responsibilities to the project. If your processes, and the challenge points to those processes, are robust, your chances of weeding out the fraudsters from the merely incompetent are greatly enhanced.

STEPHEN CROWE is a Director in the forensic division for the Middle East region of Deloitte Corporate Finance Limited.


Innovation

BY PORUS PAVRI EDITED BY ASEM ALNASER


Human Resources

Working in the Middle East can be a very rewarding experience. It can also be a very frustrating one, especially for someone who has attempted to conduct a fraud investigation here. Varying and outdated laws, different cultures, a large expatriate community and a lack of understanding on how to conduct an investigation are some of the issues that one has to overcome.

The Law

To start with, one cannot group any two Middle East countries together (even within the Gulf Cooperation Council) as the laws vary. One needs to familiarize oneself with the law in the country. A good starting point would be the laws surrounding document retention along with laws on evidence (handling and submission), interview rules, and rules on written statements.

Evidence submission is a key aspect for one to understand. Electronic evidence has only recently been accepted in most courts in the Middle East with new laws being continuously drafted. This could mean that scanned copies of invoices, emails, and social media evidence might not be admissible as evidence in a court of law and/or there might be strict rules regarding their submission. Understanding the right laws around evidence and having a proper document retention strategy to support the case is instrumental to its success.

Interviews and the associated written statements are part and parcel of any investigation. Whether or not legal representation is required during interviews or at the time written statements are given, you need to make sure you follow the law.

It requires a lot of compliance to ensure a legally correct submission to the court.

“Owners want internal audit to carry out investigations in a short time span”

Culture

Internal audit and fraud investigations are two very different things. If one is working for a family run business, the approach to fraud investigations might very well be “just have internal audit look at it”. This can be problematic as most auditors do not know the laws pertaining to investigations, interview techniques, or case management. If one works for a company that has the internal audit department handle its investigations, my advice would be to train them in fraud techniques, certify them, and nevertheless try to hire an experienced investigator for the department.

Secondly, understanding the culture of your organization is key to your success, and it is especially true in the GCC. Owners here tend to want investigations to be done in a very short time span, which if not handled properly, can lead to mistakes in the investigation process.

Training

I have undergone various training sessions on fraud techniques, but very few address Middle East issues. An example is handling anonymous written statements and ways to analyze their content when dealing with non-native English speakers. As an expatriate working in the Middle East, you are dealing with a variety of cultures. English is not the first language. As a result, spelling mistakes, punctuation errors, handwriting, and word emphasis make analysis of the statement difficult, as they could be attributed to a lack of English skills or to other reasons.

While there are more aspects to be aware of in any fraud investigation, whether in the Middle East or elsewhere, it is important to take into account the specific complexities of your region to ensure a successful investigation.

A Glimpse at Fraud Investigations in the Middle East

MUSTAFA ZACOUR, CFE, CIA is an Ethics and Compliance Officer at Shell in the Middle East.

BY MUSTAFA ZACOUR


Fostering Fundamentals

BY MOHAMAD NASSAR

Even though it has been around for many years, the Fraud Triangle is still the best way to explain why fraud occurs and is also a great way to help prevent fraud.

When looking at the word ‘fraud’ within a professional and personal capacity, we instantly attach it to a number of negative connotations, at times brushing it off as just another word. However, the reality is that fraud occurs in every country, touches everyone and constantly surrounds us during our daily lives: every second of every day, someone, somewhere is being exposed to some form of fraud.

The increasing business complexities, strict regulations, and the growing financial and political risks are only a number of reasons why fraud is on the rise. According to statistics, key organizations are said to lose approximately 5% of their revenue to fraudulent crimes every year 1. But the question is, can we do anything about it? Why are we losing sight of this? Is the cost of preventing fraud worth more than our reputation?

Before we look into this, let’s first understand the triggers that are associated with the occurrence of fraud. A clear and basic framework designed by Donald R. Cressey addresses the reasoning behind an individual’s decision to commit fraud. The three key elements of the triangle are:

1. Rationalization: Justification of dishonest actions

2. Pressure: Motivation or incentive to commit fraud

3. Opportunity: The method by which fraud can be committed (i.e. ability to carry out the misappropriation of cash or organizational assets)

The Fraud Triangle


Rationalization

The common phrases used by most fraudsters to justify their white collar crime are “it doesn’t look like what it seems”, “I just did what they were doing, isn’t this acceptable” or “I didn’t even mean to do it”. Many employees feel that they are responsible for the growth of the company; they are tasked with ensuring the business continues to perform, and as a result some expect monetary recognition. However, when this desire isn’t fulfilled, they look at other means to compensate for the reward without ‘knowingly’ believing they have crossed the boundaries. This is just one simple example of how occupational fraud is rationalised by the perpetrator. Rationalisation is something that is difficult to control, as every individual reasons differently about how to behave in the circumstances that surround them.

Pressure

Most of the time, employees face different kinds of pressure, whether in their workplace or in their personal lives. The great desire to advance quickly, to be seen as successful, or to be recognized by their management, for instance, may impel individuals to commit fraud. Commonly, the typical fraud starts when an individual has uncontrollable financial debts and feels unable to reveal his situation to others to seek help. In addition to situations of personal or work-related pressure, fraud can also occur under what some of us perceive as minimum pressure: the need to want more. Committing a crime and not getting caught creates an increased appetite to reoffend. This, in turn, causes increased pilfering and results in a financial loss for the business, including loss of reputation in some extreme cases.

Opportunity

In many cases, the fraud starts when the perpetrators recognize a way to exploit their authority and power within an organization and find a way to deceive other employees, management and others around them. Many fraudsters are under the impression that their thorough knowledge of internal controls and organization procedures would significantly minimize the risk of being caught.

These three critical elements must be simultaneously present for fraud to occur. Therefore, this triangle can be fragmented by removing one of these elements and thus minimising its likelihood of occurrence.

It is very important to highlight that opportunity is key, as it is the only element within the control of organizations. Opportunities to commit fraud can be reduced through strong and comprehensive internal controls but unfortunately they can never be fully eliminated since internal control systems have inherent limitations and provide only reasonable and not absolute assurance.

This leads us to the question, what can an organization do to minimize fraud besides establishing an adequate internal control system? The answer can be summarized in one sentence: by creating a corporate culture which provides a healthy environment to prevent and detect fraud. When the right healthy culture is in place, the internal controls are rendered secondary.

The board can make a vivid change in the corporate culture by shaping and tailoring the control environment. The actions and the tone at the top can motivate everyone in the organization to adopt a positive attitude and behave in a way that prevents fraud or at least detects it at an early stage. Culture is an aspect of corporate governance that is often ignored until there is a crisis. This, combined with a lack of clarity as to who has primary responsibility for driving, developing and nurturing organisational culture, leaves a significant opportunity.

In line with this, executive management plays a vital role in preventing, detecting and deterring fraud by establishing sound internal control policies, designing a comprehensive set of internal controls and implementing fraud management tools like whistle-blowing to encourage employees within the organisation to look out for and report potential fraudulent activities within the workplace, thus creating increased channels to expose the crime.

Alongside this, the role of the Human Resources department is key in aiding fraud prevention. Pre-employment background screening is crucial as it reveals the true identity of the employee and verifies the information provided in their resume. This process helps the organization to minimize the risk of hiring fraudsters and white collar criminals.

The UAE is being targeted by international criminals using increasingly sophisticated methods to defraud companies and investors, especially given the rapid growth in key sectors, which creates additional opportunities for fraudsters. This is further evidenced by key authorities in the UAE, such as the Dubai Financial Services Authority, issuing alerts to warn firms registered within their free zones of various scams and imposters [2].

Fraud prevention and detection is not the responsibility of a single department or function alone. In fact, everyone in the organization is responsible for creating and maintaining a corporate culture that is free from unethical practices. Fraud is a serious offence which can cause not only financial loss, but can leave an even bigger negative impact on a company’s reputation. Therefore, fraud needs to be managed and should be discussed at board level, given that many times the perpetrator may be closer to the business than often thought.

References:

1. Report to the Nations, Association of Certified Fraud Examiners, Accessed on 26 July via https://www.acfe.com/uploadedFiles/ACFE_Website/Content/rttn/2012-report-to-nations.pdf

2. Fraud alerts sounded by DFSA with scams on the rise in UAE, Accessed on 23 March via http://www.thenational.ae/business/banking/fraud-alerts-sounded-by-dfsa-with-scams-on-the-rise-in-uae

MOHAMAD NASSAR CPA, CIA, CCSA is Partner at Grant Thornton UAE and leads Business Risk Services.

Fostering Fundamentals TO COMMENT on the article, EMAIL the author at [email protected]