Fraud and corporate governance:

Changing paradigm in India

Findings from India Fraud Survey 2012

Page 2

A report based on India fraud survey 2012

► What lies beneath

► Fraud scenario in India — ground reality ► Cost of fraud — more than monetary

► Discovery of fraud — methodical and accidental

► Current practices — inconsistent with globally accepted norms

► Growing greed — profile of a fraudster

► Areas of concern ► Data and information theft – managing insider threat

► Management’s overriding controls

► Bribery and corruption – the perpetual challenge

► Changing regulatory landscape

► Tools for fighting fraud ► Role of technology

► Whistle-blowing

► Fraud response plan

► Third party due diligence

► Independent directors — a strong influence

What lies beneath

Page 4

Some statistics

1. ―Global Peace Index,‖ Institute for Economics & Peace, 2011, p. 8

2. “2010 Report to the Nations,” Association of Certified Fraud Examiners (ACFE), 2010

3. “Doing business in a more transparent world: Economic profile India,” World Bank and International Finance Corporation report,2012

4. ―Corruption Perceptions Index 2011,‖ Transparency International, December 2011

A typical organization loses 5% of its annual

revenue to fraud. This figure translates to a

potential global fraud loss of more than

$2.9 trillion

India is ranked at 132 out of 183 countries

on Doing Business Index, which is lowest

among BRIC countries

India's political stability

rating is weak and

therefore a risk to

development projects.

India is ranked 135

among 153 companies

on Global Peace Index

Corruption perception index – India ranked low at 95 out of 183 countries

Page 5

Changing scenario: increasing awareness

From your understanding of recent scams and large-scale corporate fraud, which of the following options have

most significantly contributed to the detection of fraud? ?

According to more than three-fourths of the respondents, the incidence of fraud has

increased in the country in this last one year. But the fact that around two-thirds of the

respondents said that scams and corporate frauds were unearthed because of legislations

such as the Right to Information Act (RTI) and Public Interest Litigation (PIL) speaks volumes

about public awareness in India.

68% 61%

54%

25%

0%

10%

20%

30%

40%

50%

60%

70%

80%

Whistleblowing

Legislations such as the Right to Information Act and PIL

Independent media

Public driven initiatives

Multiple Answers Allowed

Fraud scenario in India — ground reality

Page 7

Increasing incidence of fraud

Do you believe the incidence of fraud has increased in the last one year in your industry? ?

Nearly three out of five respondents revealed that their companies had been subjected to fraud

during this last one year. In addition to industries such as banking, Non Banking Financial

Companies (NBFC), real estate and telecommunications, which are generally perceived as being

highly fraud prone, around 50% of the respondents from infrastructure, IT/ITeS and consumer

product companies also indicated that fraud incidents have increased in their segments.

85%

67% 60%

50% 50% 50%

0%

25%

50%

75%

100%

Banking & NBFC

Real estate

Telecom Infra IT/ITES Consumer products

Yes

Page 8

Changing paradigm

Internal

Controls

Internal and External

Pressure

Pressure on earnings

Layoffs are increasing,

stock prices are

declining, credit crisis

and other external

factors are increasing

Opportunity to

Commit Fraud

Influence of Technology

As business processes

such as accounting,

procurement etc. are

moving to IT systems, and

slowly to cloud computing

so are the related frauds

Pressure

Opportunity

Rationalization

Less focus on corporate

governance/ethics

With Increased pressure

and decreased internal

controls – People will

explore more opportunities

to commit fraud

Page 9

Top five fraud risks

Which of the following types of fraud do you believe could pose the biggest risk to your industry? ?

1. Data or information theft and IP infringement

2. Bribery and corruption

3. Fraud by senior management and conflict of interest

4. Vendor fraud or kickbacks

5. Regulatory non-compliance

20%

15%

13% 12%

10%

9%

9%

4% 3%

3% 2%

Data and information theft, IP infringement

Bribery and corruption

Vendor fraud, kickback

Fraud committed by senior management

Regulatory non-compliance

Accounting fraud

Procurement fraud, favoritism

Money laundering

Asset misappropriation

Management conflict of interest

Others

Page 10

Cost of fraud- more than monetary

How would you rank the following six forms of collateral damage (actual or potential) stemming from fraud? ?

Loss of reputation emerged as the biggest and severest collateral damage caused by fraud.

For companies, public perception can have a dramatic impact on their business. According to

more than three-fourth of the respondents, loss of reputation is the most serious collateral

damage (actual or potential) stemming from fraud.

5.27

3.66 3.36 3.27 3.03 2.41

0

1

2

3

4

5

6

Damage to reputation of brand

Damage to external business relations

Monetary loss

Decline in employee morale

Strained relations with regulators

Negative impact on share price

Page 11

Discovery of fraud – methodical or accidental

Has your company experienced any incident of fraud in the last one year? If yes, which one of the following

methods of detection were employed? ?

Only 14% of the respondents attributed detection of fraud to automated surveillance systems.

It seems counter-intuitive that we still detect most cases of fraud by being tipped off or by

accident, even with advancement in technology and heightened regulatory activity.

62%

41% 34%

14% 12% 9% 5% 7%

0%

10%

20%

30%

40%

50%

60%

70%

Method employed in the company for detection of fraud

Whistleblowing mechanism

Internal audit/Corporate security

Proactive fraud risk management

Automated detection/Surveillance systems

Rotation of duties/personnel

External audit

By accident

Others

Multiple Answers Allowed

Page 12

Weak anti-fraud measures

Does your company have any of the following anti-fraud measures in place? ?

Reliance on internal and external audit, and code of conduct is high

Or

Companies still using internal/statutory audit to detect fraud

93 91 90

71 69 67 59

7 9 10

29 31 33 41

0%

25%

50%

75%

100%

Internal Auditing

External Auditing

Code of conduct

Vendor/ Third-Party due

diligence

Whistleblower Mechanism

Anti-bribery/ corruption and ethics training

Proactive fraud risk management

No

Yes

Page 13

Lack of action against the fraud perpetrator

― Companies are generally interested in

recovering the defrauded money rather than

getting the culprit punished under the law of

the land as it is not legally binding on them.

Section 39 of the Code of Criminal

Procedure, 1968, imposes no legal binding

on any person to report cases of economic

offences under the IPC, such as theft,

dishonest misappropriation of property,

criminal breach of trust, cheating and

dishonestly inducing the delivery of property,

forgery for the purpose of cheating, using as

genuine a forged document and other

offences of corruption and bribery, to the

police. ‖

According to most survey respondents, “He is an internal employee of a company, who is in

his 30s and is far from retirement. He is in the middle management cadre, working in the

procurement or sales department.”

Page 14

Changing profile of a fraudster Managing insider threat

Companies are reluctant to take legal recourse against employees responsible for committing

fraud. Only 35% of the respondents said that their companies take legal

action against any employee responsible for committing fraud.

Some possible reasons:

►Lifestyle not commensurate with income

►Young people more tech-savvy, and tend to

use their knowledge for fraud vulnerabilities

► Lack of controls in rapidly growing

organizations, and fraud over-looked as cost of

doing business

►For faster career growth and image projection

in a sluggish economy

►Employee handling multiple responsibilities,

esp. conflicting

►Employee being a star performer in financial

targets but not in compliance

►Compensation is linked to short term

performance

►Low morale and motivation among employees

Areas of concern

Page 16

Technology frauds: a changing world

Source: Technology frauds: a changing world, Ernst & Young, 2011

― 74% of the respondents strongly perceive

IT fraud as a serious risk for the

organization ‖ ― One-third of the respondents were

unaware of the IT Act 2000 and its

amendments. We also observed minimal

awareness of the Indian Evidence Act and

the new data privacy law. ‖

― An alarming number of respondents (61%)

revealed that their companies rely on

basic spreadsheet software for IT fraud

investigations ‖ ― 31% of the survey respondents are aware

that IT data breach investigation and its

prevention gets covered in the overall

compliance audits in a company ‖

Page 17

Management overriding controls Pressure on earnings

According to 15% of the respondents, management conflict of interest poses the highest fraud risk.

Inability to achieve the projected level

Management over-ride of Controls

Mis-statement of Financials

On achieving projected levels

Management over-ride of Controls

Diversion of Funds

Overstatement

of

Assets

Understatement

of

Liabilities

Inflation

of

Income

Inflation of

Expenses/

Deferral

Project unrealistic

CAGR & future

cash flows

Bribery and corruption – the perpetual

challenge

Page 19

Increased awareness of local laws, but low awareness of global ones

Are you familiar with the following acts or regulations? ?

After the recent scams, there seems to be an increased awareness of anti-graft laws, and nearly

three-fourth of the respondents indicated that they were aware of anti-corruption legislation in

India — the Prevention of Corruption Act. However, although three-fourth of the respondents

represented MNCs, less than half of them were aware of important anti-graft legislation such as

the US FCPA and the UK Bribery Act, both of which have extraterritorial reach.

70%

49%

35% 32%

0%

10%

20%

30%

40%

50%

60%

70%

80%

Prevention of Corruption Act

Foreign Corrupt Practices Act (FCPA)

UK Bribery Act (UKBA)

OECD regulations

Multiple Answers Allowed

Page 20

What corporate think about bribery and

corruption risk?

Cash seems to be the most popular mode of

paying bribes.

Around 33% of the respondents

said that lack of an effective

regulatory and compliance

mechanism, and weak law

enforcement are equally

responsible for facilitating

corruption.

Perceptions

and ground

realities

Kickbacks to win or retain business

To get routine approvals from

government agencies

Influence people in making favorable

decisions

Nearly 40% of the respondents indicated that the

inherent nature of the industries in which their

companies operated was responsible for

facilitating corruption; 34% respondents said that

it was due to the ―weak tone at the top.‖

Continuing bribery and corruption

risk

Changing regulatory scenario

Page 22

Changing Indian Regulations*

Regulator/ Law Salient features

The Public Interest Disclosure (Protection

of Informers) Bill, 2010

• Expected to encourage disclosure of information in public interest, but the private sector is

excluded

• Provides limited protection to whistleblower

• Investigation not time bound

The Prevention of Bribery of Foreign

Public Officials (FPO) and Officials of Public

International Organizations (OPIO) Bill

2011 (India’s FCPA equivalent)

• Criminalizes acceptance or solicitation of bribes by FPOs and OPIOs

• Criminalizes offers or promises to give bribes to FPOs and OPIOs for obtaining or retaining

business

The Prevention of Corruption Amendment

Act, 2011

(proposed amendment to the PCA, 1988)

• Includes new sections that empower the Act to deal separately the offence of violating the norms

of the Constitution, for using undue influence on public servants, misusing official powers and

causing loss to the government exchequer

• Empowered to seize, attach and confiscate the property of convicted persons, who have

amassed ill-gotten money

Companies Bill 2011 • Serious Fraud Investigation Office (SFIO): has powers to probe companies suspected of fraud

• SFIO’s report filed in a court for framing charges to be equivalent to a police report under the

Code of Criminal Procedure, 1973

• To have the power to arrest persons for suspected fraud; SFIO to coordinate its operations with

those of other investigating agencies such as the Central Bureau Of Investigation or Enforcement

Directorate

Data privacy laws • To prevent use or gathering of personal information without the knowledge of the concerned

persons

• To protect personal information, financial information such as bank accounts, credit or debit card

or other payment instrument details

The Competition Act

• Anti-competitive agreements

• Abuse of dominant position.

• Regulation relating to combination * This information is intended to only provide a general outline of the subjects covered. It should neither be regarded as comprehensive nor sufficient for making

decisions, nor should it be used in place of professional advice.

Tools for fighting fraud

Page 24

Proactive fraud risk management Role of technology

Is your company familiar with any of the following fraud-prevention/detection tools? ?

Less than 50% of the respondents are aware of fraud-prevention and detection tools

46% 43%

34%

26%

38%

0%

5%

10%

15%

20%

25%

30%

35%

40%

45%

50% Software for continuous monitoring of business transactions

IT-based tools for retrospective identification of fraudulent payments or other abusive activity

Software for continuous monitoring of business communications (i.e., key words within emails to addresses external to the company)

IT-based tools for identification of unethical behavior based on social network analysis

Cannot say

Multiple Answers Allowed

Page 25

Whistle-blowing What makes whistle-blowing ineffective in Indian companies?

Nearly 50% of the respondents representing Indian companies revealed that their organizations

do not have a whistle-blowing mechanism, while 75% of the respondents from Indian MNCs

claime to have one.

Absence of a telephone (hotline) as reporting medium Less than 50% of the respondents reported that their companies have a telephone (hotline)

for whistle-blowing.

Operating hotline internally Around 90% of the respondents, who reported that their companies had a whistle-blowing

mechanism, revealed that these hotlines are operated internally.

Lack of awareness 71% of the respondents said that only 10% of the complaints received through the

mechanism require further investigation.

Page 26

Fraud response plan

Which of the following, if any, apply to your company's response to the first reporting of a possible case of fraud,

bribery or corrupt practice? ?

According to 63% of the respondents, their companies have well-defined roles within their

internal audit, compliance, risk and legal functions in the event of investigations, and 55%

said that their companies had in place a clear procedure for reporting incidents, but

only 32% have documented response plans.

63% 55%

46% 44%

32%

16%

7% 0%

10%

20%

30%

40%

50%

60%

70%

We have well-defined roles for different groups such as internal audit, compliance, risk and legal in any investigation.

We have a clear process for reporting incidents.

We have a clear process for determining consistent disciplinary outcomes of investigations.

We have a clear process for conducting root-cause analysis to understand how an incident occurred.

We have a documented response plan that involves those parts of the business with the requisite skills to handle an investigation

Cannot say

None of the above

Multiple Answers Allowed

Page 27

Third-party due diligence

Does your company conduct background checks on third-parties (vendors, consultants and suppliers, for

example) it engages? ?

Nearly two-third of the respondents said that their companies conduct due diligence on

ethics and integrity for third parties. This positively reinforces the fact that globalization and

the regulatory “push” is driving companies to proactively manage their fraud risk.

68%

32% Yes

No

Thank You

Arpinder Singh

Partner and National Director

Direct: +91-22-6192 0160

Email: arpinder.singh@in.ey.com

About Ernst & Young

Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 141,000 people are united by our shared values and an unwavering commitment to

quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.

Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company

limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com

© 2011 Ernst & Young Pvt. Ltd. Published in India. All Rights Reserved.

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed

research or the exercise of professional judgment. Neither Ernst & Young Pvt. Ltd. nor any other member of the global Ernst & Young organization can accept any responsibility for loss

occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.

Ernst & Young Pvt. Ltd.

Assurance | Tax | Transactions | Advisory