Managing Fraud
Theodorus Chresma HS, SE
May 17th 2014
PwC Global Crime Survey 2014
Survey respondents included 5,128 representatives from over 95 countries around the world
Agenda
Audit and Corporate Governance
• Internal Audit Role
• Corporate Governance
• Other Standard/Regulation
Fraud
• Fraud Definition
• Fraud Triangle
• Fraud Tree
• Fraud Red Flags
• Fraud Control
• Whistleblower Practice
Computer Forensic and Data Analysis
• Assessing Fraud Risk in Audit Assignment
• Computer Forensic and Database Analysis
• Fraud Audit Report
Case Study: Fraud Case
In order to create the additional revenue recorded in PT A, the initial purchase of cloud computing equipment and VSAT peripherals by PT B was changed into several transactions with a third party. It was subsequently revealed that PT A sold the cloud computing equipment to PT C and could recognize the revenue from this sales transaction.
Fact
[Chart: detection methods and their percentages, grouped under Corporate controls, Corporate culture, and Beyond the influence of management. Methods shown: Internal audit; Fraud risk management; Suspicious transaction reporting; Corporate security; Rotation of personnel; Tip-off (internal); Tip-off (external); Whistle-blowing system; By accident; By law enforcement; Other detection methods.]
Internal Audit
Case Study: Fraud Case
Unfavorable contract creation between PT A and PT B. The Director of PT A changed several important points, and unclear and unfavorable clauses were added to the contract.
• An independent, objective assurance and consulting activity designed to add value and improve an organization's operations. (IPPF Std No 1000, interpretation 1000A1 & 1000C1).
• Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud (IPPF Std No 1210.A2).
• Helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
• Covers all the business operations and systems, financial, and other aspects of the organization.
Watchdog
Risk, Process, Assurance and Regulation Focus
Consulting Role and Business Value Driver Focus
Corporate Governance (OECD Principles) & Other Standard
Case Study: Fraud Case
There is an indication (proven by email communication between the Procurement PIC and the Vendor) that the Procurement – Buyer PIC received an amount of money from the Vendor.
• “Corporate governance is the system by which companies are directed and controlled….” Sir Adrian Cadbury, UK, 1992
Right of Shareholders
Equitable Treatment
Role of Stakeholders
Procedures for complaints by employees concerning illegal (including corruption) and unethical behavior.
Disclosure & Transparency
Responsibilities of the Board
• SOX Section 301 requires the Audit Committee of the Board of Commissioners of the Company to establish procedures for (i) the receipt, retention and treatment of complaints received by the Company regarding accounting, internal accounting controls or auditing matters.
• Anti-Bribery and Book and Records Provisions of the Foreign Corrupt Practices Act (“FCPA”). Under these laws, the Company and Company Employees may be subject to criminal liability if a Company Employee or an Associated Person, directly or indirectly, offers or pays, or authorizes payment of, Anything of Value in exchange for some improper advantage for the Company.
Fraud
Case Study: Fraud Case
There was a discrepancy between the record of cash received by the PIC at the Regional Office and the cash deposited to the Bank during the period of 2011-2012. The total discrepancy is IDR XXX.
An intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage (ISA 240)
Any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain. (Managing the Business Risk of Fraud: A Practical Guide, prepared by IIA, AICPA, and ACFE)
Fraud Triangle
Pressure
Perception of an immediate and un-sharable financial need or the desire to live a lavish lifestyle
Opportunity
Arises from weak controls or too much independence/ control given to a single individual
Rationalization
Belief that a crime has not been committed or is perceived to be justified and that the reward outweighs the risk
Fraud tree
Case Study: Fraud Case
Untimely deposit of cash receipts at the Regional Office: the cash receipt of 25 May 2012 was deposited on 16 July 2012 (after 35 working days).
FRAUD
• Corruption: Conflict of Interest, Bribery, Illegal Gratuities, Economic Extortion
• Asset Misappropriation: Cash, Inventory and Other Asset, Fraudulent Disbursements
• Fraudulent Statement: Financial, Non-financial
* Source: Association of Certified Fraud Examiners (ACFE)
Fraud Red Flag Detection
Case Study: Fraud Case
During the period of Mr. X’s assignment from March 2010 to January 2012, the amount of stamp duty deposit requested and cheque disbursed was higher than the actual amount paid to the Tax Office for several months, by IDR 435,000,000. This amount consists of IDR 70,000,000 during 2010 and IDR 365,000,000 during 2011.
Finance and Accounting
• Unauthorized bank accounts
• Sudden activity in dormant bank accounts
• Discrepancies between bank deposits and posting
• Bank accounts that are not reconciled on a timely basis
• Account balances significantly over or understated
• Unexplained pricing exceptions
• Presence of employee checks in petty cash for the employee in charge of petty cash
• Excessive or unjustified cash transactions
• Significant increase in expenditures
• Abnormal number of expense items, supplies, or reimbursement to employees
• Transactions not recorded completely, timely, or improperly recorded
• Transactions with inappropriate authorization
• Window Dressing
Procurement
• Payments based on photocopied or “doctored” invoices
• Unusual billing addresses or arrangements; no physical address, post office box, missing street numbers, employee’s address
• Vendor payments sent to ineligible beneficiaries
• Errors, such as duplicate payments and miscalculations
• Payment to vendors who aren’t on approved vendor list
• Excessive payments to vendors, high volume of purchases from new vendors
• Purchases that bypass the normal procedures
• Sequential or near sequential invoices
Payroll
• Overtime charged for employees who normally would not have overtime payments
• Inconsistent overtime hours for a cost center
• Budget variations for payroll by cost center
• Employees with few or no payroll deductions
• Ghost employees
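Several of the procurement red flags listed above can be screened for directly in payment data. The following is an added example, not part of the original slides: it flags duplicate payments, vendors missing from the approved list, unusual billing addresses, and near-sequential invoices from one vendor. The record layout, vendor names, addresses and sample rows are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (assumptions for illustration, not from the slides).
APPROVED_VENDORS = {"PT Alpha", "PT Beta"}
EMPLOYEE_ADDRESSES = {"jl. melati 5, jakarta"}
# (payment_id, vendor, invoice_no, amount, billing_address)
PAYMENTS = [
    ("P1", "PT Alpha", "INV-1001", 12_000_000, "Jl. Sudirman 10, Jakarta"),
    ("P2", "PT Alpha", "INV-1001", 12_000_000, "Jl. Sudirman 10, Jakarta"),
    ("P3", "PT Gamma", "INV-0007", 4_500_000, "PO Box 112, Bandung"),
    ("P4", "PT Gamma", "INV-0008", 4_600_000, "PO Box 112, Bandung"),
    ("P5", "PT Gamma", "INV-0009", 4_400_000, "PO Box 112, Bandung"),
    ("P6", "PT Beta", "INV-2200", 9_000_000, "Jl. Melati 5, Jakarta"),
    ("P7", "PT Beta", "INV-2350", 3_000_000, "Jl. Thamrin 1, Jakarta"),
]

def invoice_number(invoice_no):
    """Return the numeric part of an invoice reference, or None if it has none."""
    digits = "".join(ch for ch in invoice_no if ch.isdigit())
    return int(digits) if digits else None

def red_flags(payments, approved, employee_addresses, max_gap=2):
    """Map payment_id -> sorted list of red flags raised for that payment."""
    flags = defaultdict(set)
    seen = {}                      # (vendor, invoice, amount) -> first payment_id
    by_vendor = defaultdict(list)  # vendor -> [(invoice number, payment_id)]
    for pid, vendor, inv, amount, addr in payments:
        if vendor not in approved:
            flags[pid].add("vendor_not_approved")
        norm = addr.strip().lower()
        if norm.startswith("po box") or norm in employee_addresses:
            flags[pid].add("unusual_billing_address")
        key = (vendor, inv, amount)
        if key in seen:            # same invoice paid twice: flag both payments
            flags[pid].add("duplicate_payment")
            flags[seen[key]].add("duplicate_payment")
        else:
            seen[key] = pid
        n = invoice_number(inv)
        if n is not None:
            by_vendor[vendor].append((n, pid))
    # A vendor whose invoice numbers to us run consecutively may have no other customers.
    for items in by_vendor.values():
        items.sort()
        for (a, pa), (b, pb) in zip(items, items[1:]):
            if 0 < b - a <= max_gap:
                flags[pa].add("near_sequential_invoice")
                flags[pb].add("near_sequential_invoice")
    return {pid: sorted(f) for pid, f in flags.items()}
```

A flag is a prompt for review of the supporting documents, not a finding; thresholds such as `max_gap` need tuning against the organization's own vendor population.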
Fraud Control (AS 8001)
Without an effective management strategy, a company is exposed to fraud risk for which the Board and management may be legally and financially liable. The AS 8001 standard provides an approach to controlling fraud and corruption risk.
Case Study: Fraud Case
After examining data from the computer of Mr. X (one of the Managers in PT A), we noted that Mr. X owned a server to provide mobile application service. According to an Agreement between PT A and PT B, PT A will pay PT B Rp. 500 per mobile money transaction service.
Planning
• Fraud and Corruption Control Planning
• Fraud and Corruption Control Resources
Prevention
• Implementing Risk
• Fraud Risk Database
• Sr Management Control the Fraud Risk
• Assessing Fraud Risk
• Communication and Awareness
Detection
• Fraud Detection Program
• Role of External Auditor in detection Fraud (through Management Letter)
• Reporting Suspected Incidents
• Whistleblower System
Response
• Policies and Procedures
• Investigation
• Disciplinary Action
• Loss Recovery
Whistleblower Practice
Case Study: Fraud Case
PT A has lost 10 units of surveying system equipment. During the HSE inspection, the HSE office found 8 of the 10 surveying systems in Mr. X’s office.
Structural Aspects Operational Aspects Continuous Treatment Aspects
• Develop Whistleblower report criteria to determine False, Non Serious and Proper Whistleblower reports.
• Enhance Whistleblower Protection Policy, which covers: Protection of Whistleblower Property, Personal and Family protection, Criminal Prosecution and Whistleblower Protection Unit.
• Develop rewards (short term and long term) for whistleblowing.
  - Short Term: Incentive/Bonus.
  - Long Term: Job Promotion
• Establish a formal unit to handle Whistleblower Reports. The Whistleblower Unit may consist of two elements: 1. Whistleblower Reporting System & Investigation Unit.
• Provide other Whistleblower reporting lines: email, intranet, internet, post, fax, direct communication to superior, direct tip-off and telephoning the company’s headquarters.
• Develop Whistleblower Reporting guidance on every Whistleblower Reporting line. The guidance consists of (but is not limited to):
1. How to write a Whistleblower Report systematically (What, Where, When, How, Who) on every whistleblower reporting line.
2. Intangible/Tangible loss that contributed to overall Company loss.
3. Type of violation (i.e., legal, accounting, ethical, employment).
4. Description of claim and identification of parties/departments and persons involved.
• An effective Whistleblower system requires effective communication from Top Management to maintain the employees’ awareness of the Whistleblower system.
• Perform regular socialization of Whistleblower Reporting line/System & Reporting Mechanism & Policy/Procedure/Incentive/Awareness to all employee levels in Indosat.
• Put up “eye-catching” Whistleblower awareness material, such as Posters in the workplace, Code of Ethics, Newsletters.
• Perform benchmarking to evaluate effectiveness of Whistleblower reporting lines in Indosat.
• Perform monitoring, review and evaluation over all Whistleblower reporting lines through survey, review log, feedback.
Fraud Control (AS 8001) – Indosat Experience
Case Study: Fraud Case
Mr. X, who is the Payroll PIC, has added working time hours for Mr. Y (an expat employee in PT A).
Planning and Resourcing
• Fraud and Corruption Control Planning
• Fraud and Corruption Control resources (Forensic and Data Mining Audit Division)
Fraud Prevention
• Enhance Tone from The Top from Sr Management
• Enhance Internal Control (SOP, Policy, Segregation of Duties)
• Code of Ethics and Conflict of Interest Statement
• Employee Training over code of Ethics, Conflict of Interest, Fraud.
• Intensive Socialization
• Strong and Consistent consequences over Fraud Action
Fraud Detection
• Whistleblower Enhancement
• Data Analysis over Suspicious Transaction on Financial Statement
• Fraud Reporting to Management
FRAUD CONTROL
Forensic and Data Mining Audit Division
Integrated Audit collaboration with other Audit Division
Assessing Fraud Risk in Audit Assignment – Indosat Experience
Case Study: Fraud Case
Internal Audit found several counterfeit checks that were used to pay a subcontractor.
Establish Fraud Risk Database
Fraud Scheme
• Submitting false invoices
Red Flag/Symptom
• Vendor has similar name but different address of a known legitimate company.
• Invoices are "rubber stamp" approved by supervisor.
• Purchases are of services (such as consulting) rather than goods or tangible assets.
Detection Steps
• Analytic review is effective to detect large scale fraud.
• Review supporting documents - look for suspicious looking documents
• Review invoices for general consulting services.
Controls to Review
• There should be an approved vendor list.
• All the vendors should be independently qualified (Not qualified per the purchasing agent).
• There must be proper segregation of duties
• Proper Authorization
• The accounts payable list of vendors must be periodically reviewed
• The vendor payments must be periodically reviewed (At least annually)
• There must be control methods in place to check for duplicate invoices
Assessing Fraud Risk in Audit Assignment – Indosat Experience
Case Study: Fraud Case
While performing a visit as part of the Procurement Bidding process, Internal Audit found an invalid address.
Adding Fraud Risk Assessment on Audit Risk Control Matrix
No: 1
Control Ref: PR.01.08.C4
Process: CAPEX Purchase Request
Risk: Invalid purchase process not in accordance with approved SC; procurement of goods / services is unauthorized
Fraud Risk Assessment: Procurement PIC created unnecessary PO
Control Associated with Risk: Procurement manager performs review and validation on completion of SC and its supporting documents (PID and budget approval from IC committee)
Testing Plan:
1. Obtain PID documentations (Proposal, RKS, RFP, Budget Case approved, etc.).
2. Obtain budget and investment committee approvals.
3. Verify SC, Budget Committee and Investment Committee approvals in accordance with LoA and authorized personnel.
4. Verify BoQ and Unit Price in SC in accordance with Indosat's needs as stated in Proposal/RKS and RFP.
Computer Forensic and Big Data Analysis
Case Study: Fraud Case
Internal Audit performed analysis over procurement transactions and found an unfavorable bidding price submitted by vendor A.
Fraudster
Data
• Computer Data
• Office Email
• Office Phone
• Office Application
Investigative Audit
• Manual Procedure (Review SOP, Business Process, Transaction)
• Computer Forensic
• Other Analysis
Fraud examination is a methodology for resolving fraud allegations from inception to disposition. More specifically, fraud examination involves obtaining evidence and taking statements, writing reports, testifying to findings, and assisting in the detection and prevention of fraud.
Guidance
• Digital evidence should not affect the data integrity.
• A Certified person
• Computer Forensic is not hacking (never use keystroke logger, spyware, hack password, unauthorized login)
• Data are relevant, legally obtained, properly defined and can be presented in court.
Computer Forensic Phase
• Ensure the machine can be fully analyzed. Examine the machine, secure evidence, power down carefully, use additional system.
• Image Acquisition. (Copying data is not legal). Use imaging data.
• Keyword search (money, cake, transfer, etc)
• Using the analysis and designing report of EnCase System, Imaging Report
Do and Don'ts
• Obtain new HDD to secure data
• Encrypt data
• Unplug from power supply, remove battery carefully.
• Document all steps
• Use EnCase system
× If computer is on, don’t turn it off; unplug directly from power supply.
× Don’t enter anything, copy, or cut.
Investigation Audit Report
Case Study: Fraud Case
While performing ELC Testing on the Finance Division (Payment Operation), Internal Audit noted that there is no segregation of duties in Payment Operation. One PIC handles both payment and transaction records.
Background and Objective
• The investigation was performed based on?
• Fraud Indication
• Objective of Investigation
Scope of Review and Methodology
• Procedures performed
• PIC Involved
Summary of Investigation Results
• Testing Result
• Summary of Fraud/Findings
Recommendations
• Recommendation to prevent Fraud case in the future
The End
Thank You