india fraud survey 2012

8/13/2019 India Fraud Survey 2012

1/96 2012 KPMG, an Indian Registered Partnership and a member rm of the KPMG network of independent member rms afliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.

INVESTIGATIFINANCIAL REPOMONEY LAUNDEIP THEFT PIRACYNON-COMPLIANIDENTITY THEFTBRIBERY NDIA

R CYBER RAUD CRIME SURVEY

PHISHING 012CORPORATE FRA



1

74

2

8

pg1

pg59

pg5 pg19

pg2Introduction

Similar trends,different manifestations Sector perspectives onemerging frauds in India

Section 1:At their wits end - organisations

overwhelmed tackling fraud

Section 2:Brushing bribery andcorruption under the carpet

Foreword

CONTENTSTABLE OF



5 63

9

pg27

pg85

pg3

pg89

Section 3:Emerging Fraud Risks the ugly truth3a. Cyber Crime robbing organisations blind

3b. IP Fraud, Counterfeiting and Piracy the White elephant in the room

3b. Identity theft Mitigation frameworkswet behind the ears

Profileof respondents

Key findings

Aboutthe survey



INTRODUCTIONIndia has been amongst the fastest growing economies in the worldin the last decade. It has remained relatively unaffected by the globaleconomic crisis, thanks to strong fundamentals of the economic policy.However, despite this situation the condence of international investorsand domestic entrepreneurs has been low in the last two years, thanks

to the various scams that have come to light during this period. The needfor improving governance and ethical culture across public and privatesector companies has never been felt as acutely as is being felt now. Thisresounding sentiment is echoed in the KPMG India Fraud Survey 2012.

While there is greater awareness of fraud and misconduct amongcorporate India, the associated risks need to be considered at a strategiclevel. Investments need to be prioritised to build a sustainable ecosystemthat can mitigate frauds efciently, including frauds of the future. TheKPMG India Fraud Survey 2012 has highlighted the emergence of newerforms of fraud and reliance on technology to perpetrate them. Cyber crime,Intellectual property (IP) fraud, piracy and counterfeiting, and identity thefthave been identied as the key fraud risks of the future. Many respondentswere aware of these frauds but had limited knowledge of the ways inwhich these frauds manifest themselves or how organisations could tacklethem.

With the sophistication of fraud, companies need to take a long termview of fraud risk management and adopt comprehensive frameworksto mitigate fraud. As organisations strive to create a high performanceculture, they must back these efforts by creating strong controls, pro-activesupervision through use of technology and independent monitoring of keyperformance parameters to create deterrence for misbehavior.

While one cannot deny the challenges in fraud prevention and detectionfrom external factors such as regulation/ law enforcement, oneshould realise that change comes from within. Some companies havedemonstrated this by showing that business can be done in India ethically.

We wish to thank all our survey respondents who took time to respondto the survey and helped us derive the corporate sentiment on emergingfrauds. Your views will help the industry in understanding the fraudlandscape we face. We hope all of you nd the survey interesting andthought provoking. Do let us know your views by writing to us or ourcolleagues.

ROHIT MAHAJAN Partner and Co-Head

Forensic ServicesKPMG in India

DINESH ANAND Partner and Co-Head

Forensic ServicesKPMG in India

1 | KPMG India fraud survey 2012



FOREWORDThe global economy has faced considerable headwindsever since the sub-prime crisis in US lead to the downfall ofLehman Brothers. The resultant economic uncertainty, frailtyof sovereign nances, volatile commodity prices, risingunemployment and falling consumer demand have createdunparalled pressure on corporate performance across the globe.These crises have exposed the weaknesses of the governancestructures at some of the major corporations which were untilthen considered progressive. One of the key fallouts of thissituation has been the renement of what corporates haveconsidered 'acceptable behavior' in conducting business.

While the recently reported high prole incidents of fraudsacross the globe indicate the depth to which the malaise offraud and corruption has spread, the relatively swift action byregulators and governments indicates the willingness to takeaction against the wrong-doers. While the enforcement actionin India is not swift and decisive enough in comparison to ourglobal counterparts, we are still striving to make that changeand small steps in that direction have already been taken. Thedeveloped nations themselves took over two to three decadesto reach the state of stringent enforcement currently prevalentin those geographies. India cannot afford to take a similar timeto improve its enforcement and shall need to move much moreswiftly towards stringent enforcement. This is imperative asIndia has a key role to play in the global economic revival andany disruption in the Indian economic growth is likely to have aglobal impact.

In this context, there is little doubt that even the fraud landscapeis undergoing a considerable change with both incidences andmagnitude of frauds witnessing a marked increase. Increasingly,

frauds are becoming all pervasive encompassing multiplelocations, involving various stakeholders with increasinglycomplicated modus operandi adopted by the perpetrators.Corporates now have increased responsibility to ght thisrising menace and improve the governance structure andethical standards in business practices. Thus, reports/ surveyssuch as this one can help companies bridge any gaps in theirgovernance and risk management frameworks.

Time and again, KPMG has led the way and highlighted some ofthe best practices that should be adopted to mitigate fraudulentactivities. The KPMG India Fraud Survey report 2012 discussescorporate fraud at a macro/regulatory level as well as a micro/

control environment level. It highlights the urgent need foraction on both these fronts and suggests actionable measuresthat can greatly help regulatory bodies and corporate leadersto ght the fraud menace and enhance Indias investmentattractiveness.

KPMG India fraud survey 2012 | 2




Source KPMG India Fraud Survey 2012

Key Findings

FRAUD AWARENESS

EMERGING FRAUDS ARE

INCIDENCE OF FRAUD

RESPONDENTSEXPERIENCED FRAUD

Cyber crime

Sectors affectedTypes of frauds heard/ experienced

IP theft, Counterfeiting and piracy Identity theft

RESPONDENTS BELIEVE FRAUDS HAVE BECOMEMORE SOPHISTICATED

RESPONDENTS BELIEVE

FRAUDS IS AN INEVITABLECOST OF DOING BUSINESS

55%100%0%0%

0% 100%

100% 94%

71%

www

53%

83%33% 17% 14% 14%

71%65%

38% 34%

Bribery andCorruption

Financialservices

Information &Entertainment

Real estate andinfrastructure

Industrialmarkets

Cybercrime

Diversionof assetsM

m

m

m

M

w

m

m

m

w

M

M

w





FRAUD DETECTION AND RESPONSE

People most susceptible to commit fraud

Most effective ways to detect fraud

Response to fraud

Vendor/AgentsSenior management

Non-Managerial employee

Processes most vulnerable to fraud

Procurement

Inventory

Sales anddistribution

Whistleblower

hotlineInternal

audit

DataAnalytics

85% Internal Investigation

85% 72% 69%

72% Modication of controls 69% Disciplinary action

2 0 1 2 K P M G

, a n

I n d i a n

R e g

i s t e r e

d P a r

t n e r s

h i p a n

d a m e m

b e r

r m

o f t h e

K P M G n e

t w o r k o

f i n d e p e n

d e n

t m e m

b e r

r m s a f

l i a t e d w

i t h K P M G I n t e r n a t

i o n a l

C o o p e r a t

i v e

( K P M G I n t e r n a t

i o n a l

) , a

S w

i s s e n

t i t y

. A l l r i g

h t s r e s e r v e

d .



Section

At their wits end -organisations overwhelmedtackling fraud

01


2012 KPMG, an Indian Registered Partnership and a member rm of the KPMG network of independent member rms afliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved.



If many were shocked when the Satyamfraud - estimated at USD 2-3 billion -was discovered, the most recent fraudthat has been uncovered, the LIBORmanipulation (estimated at several

hundred billion dollars), has left manygasping for breath. What stands outamongst the publicly reported frauds inthe recent past is the sheer magnitudeand the complexity involved. This clearlyindicates that more organisations appearto be succumbing to the pressure ofperforming in an increasingly uncertainglobal economic environment alongsidegrowing stakeholder expectations. Therising cost pressures, changing riskperceptions and regulatory activism isredening the contours of acceptableethical behavior.

Our fraud survey echoes some of thesesentiments and also provides insights intosome of the newer experiences of fraudwitnessed by some of the organisationsin corporate India. As we see theemergence of this newer face of fraud,corporate India continues grappling toght the rising menace.

The last few years haveseen increased number offrauds reported in Indiaas well as globally. FromSatyam, Adidas-Reebok,the Commonwealth Gamesand OnMobile in Indiato LIBOR manipulation,securities trading, over-ridinginternational sanctions onthe global front, we haveseen some of the moresophisticated and large

frauds coming to light. Withreports indicating that asmuch as 5 percent of annualrevenues could be lost tofraud 1, organisations todayare required to be morecognizant of the damage thatfraud can do.

1 2012 ACFE Global Fraud Study, Report to the Nations on Occupational Fraud and Abuse




Corporate India dubsrising fraud as inevitablecost of businessNotwithstanding the number of media reports onfraud, the last two years have seen a substantial

increase in the incidence of fraud. Close to 55 percentof respondents indicated that their organisationsexperienced fraud in the last two years vis--vis 45percent in the 2010 edition of our fraud survey.

This increase can be attributed to several aspects. Theongoing economic slowdown for one puts pressureon individuals to perform and tempts them to commitfraud. It is also in a downturn that frauds are mostlikely to be discovered (even though perpetrated muchearlier), as that is when managements increase theirscrutiny in a bid to protect margins and prots. Thirdly,greater awareness of fraud and its impact can resultin companies becoming more sensitive to noticingfrauds, which otherwise tend to go unnoticed or aredeliberately overlooked.

However, it is surprising to note that 71 percent of therespondents think of fraud as an inevitable cost of doingbusiness.

This includes 80 percent of respondents who statedthat they had experienced fraud in the last two years.Indian companies outnumbered multinational rms inthis view.

This is dangerous as it could lead to organisationshaving a tolerant approach towards fraud andsubsequently not investing enough in the appropriatefraud risk management controls and framework. It alsotranslates into a culture of merely reacting to fraud andnot proactively taking steps to mitigate it.

In such a scenario the onus would be on regulatorybodies to ensure that rms follow a robust fraud riskmanagement framework, failing which they wouldface stringent action. This has been the case with most

regulated industries such as nancial services.

55%

71%

Have experienced frauds inthe last two years

Fraud remains an inevitable costof doing business




Fraud becoming moresophisticated

Our survey responses indicate that bribery and corruption(83 percent) is perceived to be a major concern followed by

e-commerce & other cyber related frauds (71 percent) anddiversion/theft of funds or goods (65 percent). The ndingsdiffer from our previous survey where diversion/theft of fundsor goods was identied as the most common fraud followed bybribery and corruption and cyber related frauds.

This awareness can be attributed to the increased mediacoverage of such frauds. A case in point is the recentlyunearthed sophisticated bank fraud that originated in Italyand spread globally, initiating the transfer of almost USD 78million from around 60 nancial institutions 2. Perpetratorsattacked the computers of wealthy individuals and carried outthese fraudulent transactions from their bank accounts. Thesetransactions were hidden by an additional layer of malwareto delay discovery. The malware circumvented the two-stageauthentication and other fraud prevention and detectionmethods employed by the banks. The manner in which thefraudsters had beaten the complex banking controls pointstowards the rising sophistication of fraud.

2 Sophisticated bank fraud attempted to steal at least $78 million, Ars Technica, 27 June 2012

Please refer to Section 2: Briberyand Corruption Corporate India

reluctant to tackle bribery andcorruption on page 19 for furtherdetails

Please refer to Section 3A: CyberCrime silently permeating throughorganisations on page 37 for furtherdetails


In todays day and age technology has become a mainstay forall industries, irrespective of sector or size. Our experienceindicates that even fraudsters are becoming technology savvyand are nding newer ways of perpetrating frauds. In the past,technology driven frauds were reported to have much lower

incidence compared to frauds of a conventional nature suchas diversion/ theft of goods. However, today there is increasedawareness about technology led frauds.



Types of frauds heard / read / experienced(Multiple choice)

Bribery and Corruption(including kickbacks)

Financial statement fraud

Internal reporting(example: MIS reports related fraud)

e-Commerce, internet andCyber related fraud

Regulatory non-compliance

Intellectual Property Fraud(counterfeiting, piracy)

Diversion/theft of funds or goods(through false invoicing, fake claims, pilferage)

Money laundering

Others


83% 71% 65%

59% 53% 47%

44% 40% 34%




The perception levels for frauds like money laundering (47%), internal reportingrelated frauds (44%) and intellectual property fraud (40%) too are signicantlyhigher (compared to our 2010 survey). These frauds today rely on technology toincrease their impact.

For instance, money laundering is no longer a risk limited to the banking industry.Thanks to widespread misuse of technology to launder/ circulate money, sectorslike insurance and mutual funds also provide conditions for such activities to beperpetrated. Consequently, regulators have extended anti-money launderingcontrols to cover insurance and mutual funds sectors. Recently, the Registrar ofCompanies was asked to probe the involvement of 13 companies in these sectorsover allegations of money laundering and money circulation.

In case of intellectual property (IP) theft/fraud, technology is a convenient andinexpensive channel to execute fraud. A single email can transfer condential IP tounauthorised parties without raising any suspicions or violating any internal controls.Theft or fraud of IP is extremely difcult to track as the original information remainson the computer of the creator. It is also difcult to indicate what truly constitutesIP as most of the data gathered is still in an early stage with unknown potential.In such a case, parts of the data can be easily obtained and sent to unauthorisedparties such as competitors. What this can do is speed up the go-to-market strategyof a competitor.

For many years now, MIS related frauds (internal reporting) have featuredamong the top ve business concerns. With increased adoption oftechnology, although rudimentary controls are established, fraudsters cancleverly manipulate data such as sales commissions (mainly percentagegures), expenses (forged bills) and assets to ensure that results areconsistent with expectations, while still siphoning off money.

Understanding the modus operandi of the frauds mentioned above anddetecting them is not easy, and 94 percent of our respondents agreed thatfrauds had become sophisticated in the last two years. Investigators too are

constantly challenged by the sophistication of frauds.

A case in point is the the Telecom industry that has had its share of lossesdue to sophisticated technology aided frauds. Globally, telecom frauds areestimated to cost the industry USD 40 billion, 3 despite signicant effortsmade by operators and their software/ hardware vendors to limit theft.Operators' billing systems and network vulnerabilities are always the keytarget areas for most fraudsters who exploit any weaknesses in these areas.We have successfully investigated multiple frauds by analysing data on socialmedia where such information can often be found.

Thus, type of fraud and its degree of sophistication tend to be sectoral innature. Certain technology intensive sectors such as nancial services and IT

or ITES are more vulnerable to cyber related frauds, whereas, sectors suchas real estate and infrastructure are more prone to conventional frauds suchas bribery and corruption and diversion of funds/ goods.

3 Heavy Reading Service Provider IT Insider report

Please refer to Section3B: Rampant IP Fraud,Counterfeiting and Piracyin industry, yet corporatesgrapple to understandbusiness impact on page43 for further details

94%

Frauds have become moresophisticated in the last twoyears




Financial services sector faces themaximumthreat of fraudFinancial services and informationand entertainment sectors have beenidentied as most vulnerable to fraud byrespondents.

Interestingly, both sectors identied areheavy users of technology implying thatwhile technology can be a great facilitatorfor the business, it can also offer anequally potent platform for committingfrauds like cybercrime, phishing and datatheft.

Despite having a strong regulator, thenancial services sector has emergedas the most susceptible sector to fraud.Possible misuse of technology in thebanking sector includes use of bankingaccess for overpayments to vendors/ self bank account, sharing of potential

condential information and misuseof companys technology resourcesfor unauthorised activities includingconicting business relationship.Additionally, providing services on mobileand social media platforms with limitedknowledge of the security requirements,

poses threats to customers as well asnancial institutions.

In case of the information andentertainment sector, despite functioningas global entities and complying withstringent foreign legislations, theyhave been identied as the secondmost fraudulent sector in India. Thus,organisations need to be more proactiveand adopt a zero tolerance approachtowards fraud risk management

Please refer to Similar trends, yetdifferent manifestations - Sectorperspectives on emerging frauds inIndia on page 59 for further details



33% 17%

14%

14%

10%

5%

7%

Financial ServicesInformation andEntertainment

IndustrialMarkets

Real Estate andInfrastructure

TelecomConsumermarkets

Others(Healthcare

& SocialSector)

Sectors perceived as most vulnerable to fraud



Procurement function continues tobe most vulnerable to fraudWhile incidences of newer types offrauds are on the rise, from a processperspective they continue to be targetedtowards the same business processes.Not surprisingly, 72 percent of oursurvey respondents have agreed withsuch a perception. It is thus important tounderstand the operational characteristicsof each sector to identify functionsvulnerable at a sectoral level.

Our survey respondents have ratedprocurement, sales and distributionand inventory as the most vulnerableprocesses within an organisation. Theseareas being characterised by large numberof stakeholders, multiple touch points,increasingly complex processes involvinga signicant proportion of organisations

funds, it is not surprising to see thisnding. Additionally, these processesinvolve a high degree of interaction withexternal stakeholders like vendors andcustomers where collusion can overridecertain internal controls.

Despite the widespreadacknowledgement of the vulnerabilityof these processes, organisations havefailed to implement basic controls. Duediligence of vendors before selection,involvement of representatives frommultiple departments in the vendorselection process, and adequatesegregation of duties and controls overaccess rights, are some of the controlswhich may help organisations in managingthese risks better.

Process perceived as most vulnerable to fraud risks (Ranks are based on total score. Rank 1 indicates most vulnerable Process)



Procurement

Sales and Distribution

Inventory

Finance/Payments

Administration

Treasury

HR

0102

0304

05

06

07



543Management

employees(Senior managersand above)

Non-

Managementemployees(Managers and

below)

Business

Associate

Customer

2

Companies undermine threat posedby the enemy withinIn our experience, employees are often central to frauds as they either perpetrate thefraud or assist an external team to do so. Hence, the larger threat of fraud lies withinan organisation itself. However, most organisations tend to ignore or merely warnrespective employees upon discovery of small value frauds (such as faking personal billsor fudging of expense reports). Therefore, when employees collude with external partiesto commit fraud (such as processing fake invoices submitted by vendors), organisationsoften tend to blame external parties rst and not employees. This could be a possible

reason for our survey respondents to have ranked vendors/agents as the most likely tocommit fraud against an organisation.

Among employees, senior management is considered the most susceptible tocommitting fraud by virtue of their ability to override existing controls. According to theACFE 2012 Global Fraud Study, the position held by the fraudster within an organisationis directly related to the loss incurred on account of the fraud committed. Losses causedby senior management were approximately three times higher than the value of fraudloss due to managers; managers in turn caused losses approximately three times higherthan junior employees.

In such circumstances it becomes imperative for organisations to provide a safe, robustchannel for employees to report suspicions of malpractice. It is also important that anorganisations Board comprise of individuals with utmost integrity who would engagethemselves with the management. The Board needs to take a lead by setting the tone atthe top and facilitate a zero tolerance approach towards fraud.

Who is most susceptible to commit fraud? (Ranks are based on total score. Rank 1 indicates most susceptible people)



Vendors/Agents

1



Employees more confident usingwhistle blower hotlines to reportfraudNumerous fraud surveys have indicatedthat internal stakeholders are highlysusceptible to committing fraud. However,these surveys have also indicated thatmost frauds are unearthed from tips

or complaints by sources internal to anorganisation 4. This fact is reiterated inour survey with respondents identifyingwhistleblower hotlines as the mosteffective way to detect fraud.

An effective mechanism providing comfortto the complainant that their identitywould remain anonymous and that theinformation disclosed would be handledin a safe and condential manner haveresulted in a number of fraud relatedissues being reported on such channels. It

has been observed that such hotlines alsobecome preventive tools over a period oftime.

Most multinational companies havewhistleblower hot lines as mandatedby regulators in their home countries.However, we have seen an increasein the number of Indian businesshouses opting for such hotlines. BothIndian and multinational companies arereviewing their business code of conduct,whistleblower policies and putting in place

committees, rather than individuals, toreceive such complaints and to act onthem. Complaints received are trackedand the progress on each complaint isdiscussed in committee meetings.

The critical success factors for awhistleblower hotline include anindependent, anonymous and condentialmechanism that is easy to access. This,backed by a well dened and structured

committee empowered to act oncomplaints received can help buildwhistleblower condence in the entiremechanism.

Besides whistleblower hotlines, surveyrespondents have also highlighteddata analytics as one of the effectiveways to detect fraud. Consideringmost companies today deal with vastand complex data, real time analyticsand dashboard tools can be adopted tohighlight any red-ags and capture any

deviation from the routine, which couldbe an indication of a fraud. These toolsare very effective in detecting fraud at aninitial stage.

However, in our experience we haveobserved that, barring few organisations,not many make use of the data availableto them on their Enterprise ResourcePlanning (ERP) systems.

Apart from technology, it is also importantto ensure having basic controls in place,especially those highlighted in the internalaudit (IA) reviews, if one has to preventfraud. For instance, lack of control inaccess logs reported in IA review, ifnot corrected, could result in severalchallenges.

4 43% of all frauds are detected by tip - ACFE 2012 Global Fraud Survey




Mode of detection of fraud (Ranks are based on total score. Rank 1 indicates most effective way)

Whistle-blower/ethics hotline Anonymous call/letter/tip off

Internal audit reviewBusiness partners/vendors/third party complaints

Data analytics Statutory audit

IT controls By accident

Global surveys by organisations like the ACFE have highlighted that presence of formalmanagement reviews, employee support programmes and hotlines is inversely relatedto the extent of nancial losses suffered due to fraud. Organisations lacking these

controls experienced a signicantly higher level of fraud loss.Our survey ndings highlighted that external audits of nancial statements the mostcommonly implemented control among the victim organisations showed the leastimpact on mitigating fraud risk.

When one looks at the relationship between the presence of a preventive control andthe duration of the fraud, the perpetrators perception of detection plays a vital role. Theduration of frauds is considerably reduced when the perpetrators perceive that robustdetection mechanisms are in place. Specically, organisations that utilise job rotation andmandatory vacation policies, rewards for whistle-blowers and surprise audits detect theirfrauds more than twice as quickly as organisations lacking such controls 5. As a result,the incidence of fraud among such companies is low as fraudsters feel the likelihood ofthem being caught is high.

5 2012 ACFE Global Fraud Study, Report to the Nations on Occupational Fraud and Abuse



1 5

2 6

3 7

4 8



Washing dirty linen in privateOne of the ways to keep fraudsters at bay is to have a robust investigation and fraudrecovery mechanism. Most of corporate India tends to carry out its investigationsinternally, as indicated by 85 percent of our survey respondents. In our experience, aninternal investigation has several challenges.

Possible bias of the investigator as the suspect may be a known person Possibility of retaliation Availability of trained resources Lack of technological and other expertise to effectively gather evidence Lack of knowledge to handle sensitive issues

Actions taken upon detection of frauds (Multiple choices)

Fraud Survey

2012 2010

The fraud was investigated internally 4 4

Implemented new or changed existing controls 5 6

Wrongdoers were disciplined / action taken against the vendor 5 5Internal communication on the unearthed fraud and corrective action 6 7

Legal action taken against the fraudster 7 7An external agency was hired to investigate the fraud 7 7Voluntary disclosure and reporting to the concerned regulatory authority 7 0

No action taken 0 0



4 indicates >=80%; 5 indicates >=60% and =40% and =20% and



There is also little or no legal action takenin most internally investigated cases,with 69 percent of respondents optingfor disciplinary action. This is becauseorganisations are in a hurry to dismissthe fraudsters as quickly as they canto contain losses. Also, the inherentcomplexities (and delays) in our judicialsystem make it costly to pursue legalaction, notwithstanding the potential lossof reputation.

For instance, Section 405 of the IndianPenal Code, which deals with criminalbreach of trust, makes it mandatory toprove that the accused had a dishonestintent to misappropriate and the actionresulted in a loss for the organisation.It becomes difcult for investigatorsto focus on adequate and admissibleevidence to demonstrate the fraudbeyond reasonable doubt.

Further, quantifying losses becomesa challenge partially due to thesophistication of frauds and non-

availability of adequate information and/orresources. Many a times, organisationsare not condent about how close theirestimate is to the actual loss. For instance,as part of the procurement function howdoes one decide when the company hasstarted paying higher price for an item?Which invoices were at a higher priceand who were the favoured vendors?What if the price of the item was drivenby the underlying commodity prices likeoil price or steel price which are volatile?Not surprisingly, over a quarter of survey

respondents said they were unable toquantify the extent of monetary lossessuffered due to fraud.

Challenges in quantifying losses, alongwith little legal re-course, may result inlimited recovery of the amount lost dueto fraud. Of all the respondents whoinvestigated frauds internally, 58 percentrecovered less than a quarter of theestimated losses due to fraud.


Amount recovered from the fraud loss


NilRecovery

Less than25 percent

Between26 and 50percent

Morethan 50percent

Full -100

percent

10%12%20%

27%31%



CONCLUSIONMiles to go before CorporateIndia sees fraud as astrategic risk A closer review of the responses clearly indicates that although

there is an increased awareness about fraud, corporate Indiais still hesitant to accept it as a strategic risk. It continues tobe viewed as an operational risk and hence the mitigationstrategies tend to be more generic rather specialist. This couldbe one of the key reasons for under-investment in creation of anecosystem promoting a culture of ethics and integrity. Further,increased performance pressure both on employees as well asorganisations in the current economic environment and risingaspirations have a leading role to play in the increased occurrenceof fraud in most organisations. The pressure to perform in thecurrent economic environment has never been higher and it is afact that one needs to work much harder to get the same results.

The survey responses point out that today organisationsare faced not only with the risk of traditional frauds but alsosubstantial risks from emerging frauds. Organisations need toadopt more robust fraud risk management measures in order tomitigate the rising risk of emerging frauds. A strong technologyenabled platform to provide early warning signs; adoption ofethical code of conduct amongst employees and all stakeholders;technology driven controls and a robust whistleblowermechanism are some of the ways in which organisations canmitigate the risk of fraud.

While we are seeing more and more organisations showingwillingness to adopt comprehensive fraud prevention strategies,

these attempts continue to be half-hearted on account of under-investment from respective organisations. In this regard, theproposed Companies Bill 2011 is a key legislation. If enacted, itis likely to prompt companies to think about having a fraud riskmanagement policy in place. The Bill places onus on independentdirectors to ascertain and ensure that the company has anadequate and functional vigil mechanism. This in turn may resultin companies considering controls around accounting proceduresand mechanisms to prevent and detect fraud, includingundertaking a formal fraud risk assessment. The most signicantaspect of the Bill is the proposed stringent penalties for thoseperpetrating fraudulent activities. While the enactment of the Billmay happen in due course, it would be important for companiesto start earlier and not wait for the regulatory push. Fraudprevention is to be treated like a journey and not a destination.




Section

Brushing bribery andcorruption under the carpet

02





Bribery and corruption poses a very real andsignicant risk to companies. Tolerance tobribery and corruption reects poorly on thecompanys business practices, efciency andoverall maturity in the industry as it questions

the companys capabilities to operate in a levelplaying eld alongside competition.

In the previous edition of our fraud survey in2010, one-third of respondents stated thatorganisations paid bribes to win and retainbusiness. Additionally, respondents to our 2011Survey on Bribery and Corruption unanimouslyagreed that corruption skewed the levelplaying eld and attracted organisations withlesser capabilities to execute projects, therebyendangering the health of such projects.Respondents also felt that bribery could

negatively impact the performance of stockmarkets by increasing volatility and preventinstitutional investors from making long terminvestments.

Globally, corruption is considered an unfairmeans to win over competition and reectsunethical business practices and low levelsof business innovation. Countries such as theUS and the UK have stringent enforcementof regulations (US Foreign Corrupt PracticesAct (FCPA) and UK Bribery Act respectively) todeter companies from indulging in bribery andcorruption. Some of these legislations extendtheir jurisdictions to entities in other countriesthat do business with their home-grown rms.Hence, penalties for non-compliance can includelarge payouts, ban on operating business inhome countries, and reputational loss thatimpacts future business prospects.

It is well known that briberyand corruption has beena concern for the Indianeconomy for many decades.Although, the last few yearshave seen publicised effortsby some corporates andthe Government to createawareness about the illeffects of this malaise anddiscourage it, the industryby and large remainsreluctant to discuss this

issue. Our survey reiteratesthis, as about 34 percent ofrespondents did not shareperspectives on bribery andcorruption. Of the remaining,54 percent indicated thatbribery and corruption didnot pose a signicant riskto their organisation. Ourexperience says otherwise.

Why companiesshould be concerned




To operate in such a milieu, multinational companies have developed basic controls anda continuous monitoring mechanism to check bribery and corruption across all theiroperating geographies. Such rms have demonstrated that it is possible to do businesswithout paying bribes. Close to 56 percent of our survey respondents representingmultinational rms support this view. In contrast only 44 percent of respondentsrepresenting Indian rms subscribed to this view. The chart below represents otherdiffering views on bribery and corruption provided by respondents.

Some of these views could stem from the fact that certainindustries are more tolerant of bribery and corruption than others.


Differing views on bribery and corruption

Business can be done in India withoutpaying bribes 50%

We have faced a bribery and corruptionissue within the organisation 55%

Bribery and corruption pose a signicantrisk to organisations 71%


Companies headquarteredin India

Companies headquarteredoutside IndiaOverall view

of which

of which

of which

44% 56%

44% 56%

44%56%

Yes 50%

Yes 55%

Yes 71%

No 50%

No 45%

No 29%



KPMG VIEW Manifestations of briberyand corruptionHow does one identify a bribe? While the basic risk of a potential bribe payment exists inevery company, there are variations in how this payment gets accounted for/ is justiedin the books.

Our experience indicates that possible bribes are mainly payments made (through thirdparties and in some instances employees) to or intended to be made to public ofcials.Various modes of payment are adopted based on specic business and risk scenarios.An indicative analysis of manifestations of bribery and corruption, and associatedchallenges in detecting them is given below.

Manifestationsof bribery andcorruption

Monetary payment through3rd party

Monetary payment throughemployee Non monetary inuence

Nature ofinstances

Consultant payments High commission

payments Inated procurement/

service cost

Appointing ex-Government employee as

liaison ofcer Inconsistent perquisites

for senior managementpersonnel

Appointing relatives ofGovernment employees

Unauthorised supportduring elections/ publicevents of the publicofcial

How they areaccounted

Consultancy/ Services /Commission charges

General Expenses Employee Compensation

Not Applicable

Why theydon't getdetected

Absence of needassessment conductedfor all service contracts

Lack of due diligence andmonitoring mechanism

Lack of anti corruptionclauses in commercialcontracts

Limited monitoringmechanism and periodicreviews on trends/inconsistencies

No known mechanismto monitor employeebehavior

A recent investigation conducted by us in 2012 helped identify loop holes that canbe used by employees to defraud organisations. Our client received a whistleblowercomplaint alleging that the Director of Procurement had received kickbacks from aparticular vendor associated with a governmental enterprise. The review of documents,emails, les etc. revealed no inconsistencies whatsoever. Further an asset and lifestylecheck too did not reveal any discrepancies. Finally, through market intelligence, weidentied that the car being used by the wife of Director of Procurement was registeredin the name of the vendors son. Such instances can signicantly dent the reputation oforganisations.




External factors threaten to derailmitigation efforts by companiesMitigating corruption is a collective effort by industry and governments and countriesacross the world are adopting similar mechanisms. One such aspect involves stricterenforcement of anti-bribery and corruption laws by regulators through increasedprosecution. Over the last two years various regulators (DOJ or SEC of US and SFOof UK) have increased prosecution by extending the scope of their anti-bribery andcorruption laws to cover corporates that fail to establish sufcient internal controls toprevent instances of bribery and corruption.

Lack of such enforcement measures can dilute the impact of anti-bribery and corruptioncompliance programmes and our survey respondents felt this was true in case of India.Respondents felt they were challenged in their efforts to mitigate bribery and corruptiondue to external factors such as weak law enforcement in the country and lack ofeffective regulatory and compliance mechanisms.

Top Five Factors Facilitating Bribery and Corruption(Ranks are based on the total score. Rank 1 indicates most facilitating factor)

Weak law enforcement

Lack of effective regulatory andcompliance mechanism

Considered as acceptable behaviour

Inherent nature of the industry in whichthe organisation operates

Poor internal policies, procedures andadministration



12

34

5



While these challenges exist, recent efforts by the Governmentof India including attempts to introduce specic regulation,focussed efforts to swiftly clear court cases on corruption fast,and enhancing the responsibility of Lokayuktas, demonstratethe intent to address this issue. Other supporting legislationspending with the parliament include the Prevention of CorruptionAct (amendment) Bill (2008), the Whistleblower Protection Bill(2010) and Prevention of Bribery of Foreign Public Ofcials Bill(2011). These proposed Bills are key to bringing India on par withcountries like the UK and US that have already enforced acts toprevent corruption related crimes.

While regulations can help corporate India overcome certainrisks, it is also essential that organisations proactively attempt tocounter corruption.

To tackle bribery and corruption organisations need to identify itas a key business concern and set up specic mechanisms toaddress risks from bribery and corruption. Around 72 percent ofsurvey respondents said their organisation had a mechanism toaddress bribery and corruption, however, only few respondentschose to answer questions pertaining to such a mechanism. Thiscould mean two things - that respondents were unaware of themechanism as they had no experience of using it; or that theirorganisation, did not have an operational mechanism. Either waythis is an indicator of moderate organisational tolerance to briberyand corruption.

Among those who elaborated on their anti-bribery and corruptionframework, most respondents said that their organisationshad a code of conduct specifying guidelines on payments andaccepting gifts. Few had a holistic programme that includedthird-party reviews, due-diligence reviews and global compliancemonitoring, among other aspects. The chart below details theprevention and detection mechanisms adopted by companies.


Prevention and detection framework for Bribery and CorruptionDegree of

Implementation

Mechanism to report instances of bribery and corruption 5

Anti-corruption Compliance Programme 6

US Foreign Corrupt Practices Act / UK Bribery Act Compliance Programme 7

Code of conduct containing guidelines on payment/acceptence of gifts andhospitality 5

Third party due diligence / reviews on anti-bribery corruption compliance 7





Going beyond thepaperwork of complianceIn the wake of anti-corruption regulations across the globe, oneshould realise that the risk of corruption extends beyond onesorganisation to third parties such as business partners, vendors,suppliers and others. Additionally, increased stakeholder scrutinyis affecting the way companies view corruption. Stakeholdersnow expect organisations to go beyond the paperwork ofcompliance (such as establishing a code of conduct and

introducing periodic awareness/training sessions) to ensureeffectiveness of anti-bribery measures. An example is strictadherence to the code of conduct with no exceptions.

Clearly, existing measures adopted by corporates are insufcientto comprehensively address the risks of bribery and corruptionand organisations need to do more. Some measures thatorganisations can include in their compliance programmes are asfollows:

Drawing up a comprehensive code of conduct communicatingthe organisations zero tolerance attitude to corruption

Imbibing the Integrity Pact (a Transparency International

initiative) to ght corruption in private contracting andprocurement and agreement to participate in ExtractiveIndustries Transparency Initiative (EITI) (if applicable).

A structured whistle blowing mechanism to report potentialbribery / corruption issues

A comprehensive and periodic risk assessment mechanismalongside a concurrent monitoring mechanism, including thirdparty audits with specic reference to corruption related risks

Develop and train employees and third parties periodicallyon the compliance requirements and consequences of noncompliance




Section

Emerging Fraud Risks the ugly truth

03





Over the last decade knowledge has emergedas a key organisational asset and it isincreasingly being targeted by fraudsters.Our survey respondents rated cyber crime(53 percent), Intellectual Property fraud,including Counterfeiting and Piracy (38percent) and Identity theft (34 percent) as thetop fraud concerns for the future. We believethis is due to the proliferation of knowledgeas a key organisational asset. All threefrauds identied by respondents target suchorganisational knowledge. Companies musthence identify their sensitive information

assets, classify them appropriately based onvulnerability and put in place the necessaryprotection measures to prevent such frauds.

Top emerging fraud risks

Cyber crime is the big daddyof all emerging frauds


Identity theft

IP, Counterfeiting and piracy

Cyber crime

12

3



Cyber crimeCyber crime comprises any form of crime where either the tool orthe target of the crime is a computer or a computer network.

Cyber crime is fast becoming a popular way of defrauding bothindividuals and entities. No business or individual with an onlinepresence can be considered as completely secure. Perpetratorstypically either attempt to steal money, or more seriouslysensitive data from target companies. In some instances, cyberattacks are also aimed at disrupting vital operations and criticalfunctions in target organisations, leading to not just nancial loss,but also loss of customer condence and market reputation.

At the lower end of the spectrum, many of us have receivedemails that appear to have been sent by our respective banksor from authorities like the Reserve Bank of India (RBI) or theIncome Tax department. These emails often contain urgentrequests to validate or share our internet banking usernamesand passwords. In some instances, these emails may containinstructions to transfer some money to a certain account. Oneis threatened with closure of bank accounts or other legal actionin case of non-compliance with the instructions mentioned.This type of communication is classied as Phishing and is acommon type of cyber crime.

Over 70 percent of our survey respondents indicated they

had heard or experienced cyber crime of this nature. Of late,fraudsters have also started targeting cell phones and handhelddevices through SMSs (called Smishing 6) and voicemails (calledVishing7). According to statistics from the National Crime RecordsBureau, cyber crime cases in India have increased eight-foldbetween 2007 and 2011, prompting authorities like the RBIto issue advisory to customers cautioning them against suchincidents.

In more serious instances, such emails carry malware that allowsthe attacker to gain access to and compromise not just thecomputer, but at times, the companys network as a whole.

6 Phishing through SMS 7 Phishing through voice mails




Intellectual property fraud, counterfeiting and piracyWe are a knowledge economy where intangible assets (intellectual property, R&Dcapital, brand equity, etc) constitute a signicant proportion of a rms total assets. Astudy by The Conference Board 8, a public interest business research and insights rm,of 633 US-based research and development intensive companies revealed that bookvalue now comprises only a small proportion of a companys market value 9. Specically,intellectual property such as inventions, trademarks, industrial designs, geographicindications of source and copyrighted material can comprise a signicant portion ofintangible assets and therefore market value. The study quotes the example of thepharmaceutical sector where for some companies as much as two-thirds of their marketvalue comprised of intangible assets.

This being the case, any theft or counterfeit of intellectual property could adverselyaffect companies. A recent World Customs Organisation 10 report 11 highlighted that,globally, in 2011 over 25,500 cases were reported involving the seizure of more than143 million counterfeit and/or pirated articles. The study further indicated an increasein counterfeits of pharmaceutical products, and mobile phones and their accessories.In India counterfeits could comprise as much as 50 percent of all products one uses.It is therefore not surprising to note that 38 percent of our survey respondents havehighlighted intellectual property fraud, counterfeiting and piracy as areas of concern inthe future.

Identity theft

Identity theft is committed by accessing personally identiable information of individuals/entities without their permission with the objective to misuse this information and gainundeserving benets.

One of the primary reasons for growth in identity theft has been the proliferation ofthe Internet. In India, the number of internet users has grown from 7 million in 2001to over 98 million by 2011 12 and is expected to reach the 300 million mark by 2015 13.However, controls and regulation aimed at protecting privacy have not kept pace withthis growth. Fraudsters are making use of these gaps in controls to target individualsand organisations and misuse condential data. According to the Norton CybercrimeReport 2011, four out of ve online adults in India were victims of identity theft in 2011 14.Considering that many employees in the corporate work force use their ofce laptop/ computer for personal transactions (such as online banking, shopping, payment of

bills etc), identity theft can compromise not just their private information, but also thecompanies they work for.

8 Intangible Capital and the Market to Book Valuepuzzle, Charles Hulton and Janet Hao, TheConference Board, June 2008

9 Issues in Intangibles Measuring What Counts,The Conference Board, Winter 2012

10 The World Customs Organisation (WCO) is anintergovernmental organisation representingcollective thinking of customs organisation ofseveral countries

11 WCO Customs and IPR Report 2011, The WorldCustoms Organisation, July 2012

12 Economic Intelligence Unit database

13 Indian internet industry sees 300m users by2015, The Times of India, 31 December 2011

14 Cyber crime: Beware of ID theft, The EconomicTimes, 27 Januar y, 2012




Majority of the sectors rate cybercrime as top risk A sector-wise heat map of emerging frauds reveals that nearly two-thirds of the industrysegments rated cyber crime as the top most concern for their organisation, while nearlyhalf of them rated IP fraud, counterfeiting and piracy as the second most importantconcern. Not surprisingly, respondents from consumer markets and telecom industriesrated IP fraud, counterfeiting and piracy higher than other industry-respondents.

Overall real estate and infrastructure, nancial services, and defence emerged assectors that respondents felt were most prone to cyber crime. This could be due to theperception of these industries being susceptible to fraud at large, including well knownfrauds such as procurement, siphoning of funds etc.

Sector Heat Map of Emerging Frauds


Industries Cyber CrimeIP fraud,counterfeiting andpiracy

Identity theft

Consumer markets

Financial services

Healthcare

Industrial markets

Information andentertainment

Real Estate &infrastructure

Social sector

Telecom

Travel, tourism andleisure

High Risk Low Risk




Taking the fight to the finish Combating fraud

Two approaches better than oneMost organisations are relying on internal initiatives to keepthemselves abreast of emerging fraud trends. While 82 percentof the respondent organisations are challenging businessprocesses to unearth gaps in existing controls, another 55

percent are forming an internal team to research on emergingfrauds and communicating them within the organisation.

There is high reliance on internal mechanisms to detect andprevent emerging frauds. This is evident from the fact that stepssuch as whistle-blower mechanism and a framework to monitorcompliance of companys code of conduct have been either fullyor partially implemented by the respondents in our survey.

A limited number of respondent organisations are relying onexternal initiatives such as regulatory circulars or hiring third-partyexperts to conduct awareness programmes. In our experience,internal teams are limited in their skill-sets and experience.Hence, to have a more robust preventive framework, an optimal

mix of internal and external initiatives would be benecial.

Measures taken to familiarise with emerging frauds (multiple choice)



Challengingbusiness processeson a regular basisaiming to unearthgaps in controls

Forming an internalteam that researcheson new frauds and

communicates that tothe organisation

Relying onregulatory circulars/

communiqu toget familiar withemerging fraud

Asking thirdparty experts to

conduct awarenessprogrammes

82%

55% 46% 38%



One-size-fits-all risk managementframeworks fail to address emergingfraudsA preventive framework cannot be developed through a one-size-ts-all approach. Itwould differ based on the size of the organisation and the sector in which it operates. Amajority of companies, irrespective of size and sector, tend to rely on general processcontrols and compliance frameworks as a method of combating even emerging frauds.To create a robust framework one needs to look beyond these measures, such as

comprehensive information security measures, protection of personal information,physical security measures, and robust access protocols, along with periodic reviews.Large organisations, specically those in the nancial services sector would be betteroff with a dedicated fraud control unit that uses data analytics extensively to createan effective preventive mechanism. Companies in the IT/ITES sector can rely on theprocess of employee/third-party due diligence.

Analysis of survey responses by sorting them based on the industries representedsuggests that the nancial services industry appears to be ahead of the pack, with morethan half of the respondents indicating that they have established a dedicated fraudinvestigation unit and a process for conducting employee/third-party due diligence.This sector deals with extensive transactional volumes which requires more focussedtechnology based assessments that enable key red ag identication.


Emerging Fraud Risk Management MechanismDegree of

Implementation

Introduce process-specic fraud controls 6

Employees and third party stakeholder due diligence 6

Implement a whistleblower mechanism/fraud reporting hotline 6Establish a framework to monitor and ensure compliance ofthe companys Code of Conduct / Code of Ethics 6

Conduct fraud awareness trainings by third party experts 7

Set up a dedicated/separate fraud investigation unit 7

Forensic audit by third party 7





Data analytics is globally acknowledged as an important tool to help detect fraudand non-compliance across organisations. While respondents realise its value andare inclined to implement it, the majority said their organisations had not yet fullyimplemented it. Currently respondents use data analytics only for common fraudssuch as those around procurement. They would however, need to tailor data analytics

solutions to tackle emerging frauds.


Processes where Data Analytics is UtilizedDegree of

Implementation

Receivables and collections 6

Sales and distribution 7

Vendor and payments 6

Payroll and re-imbursements 6

Time and physical access controls 6

Emails and external communications 6





KPMG ViewMaking technology work for youThe merits of implementing a technology based framework to prevent,detect and mitigate fraud risks have been widely acknowledged. However,most organisations hesitate to implement newer technology tools to trackanomalies across their processes and data. This may be because they areunsure of the benets of adding yet another tool to the existing labyrinth ofsoftware. Investments in any new fraud detection tool may also take a backseat due to IT expenditure being focused on business rather than controls.

Can companies do better with the software / tools they already have? Yes.In our experience companies often tend to underutilise the scope andeffectiveness of their existing enterprise software. Some simple measuresthat organisations can take to use their existing technology better are asfollows.





1. Aligning the MIS

2. Leveraging the ERP system

3. Comparisons with other data sources

Management Information Systems capture a wealth of data and offer variousoptions to present this data in the form of reports. Most organisations arelimited in their ability to analyse this data or present them in a manner that ismore relevant to their fraud risk management strategy.

Currently the ERP systems used in most organisations are operated by alimited set of people primarily for book-keeping purposes. However, the scopeof an ERP is much more than that. In our engagements we have often seen

companies rely heavily on ofine data in worksheets and other documents.This makes detection of red ags complex as ofine data is not integrated withother data in the organisation, requiring manual verication.

Aside from the ERP, organisations have a lot of other tools that work on datato generate meaningful information. These differ from the data in the MISand should be periodically cross checked to detect any gaps/ anomalies /duplicates. Gaps may indicate potential fraud.



Section

Cyber Crime robbingorganisations blind03

A

Cyber crime incidents are on the rise across the worldand India is no exception to this trend. As per NortonsCybercrime Report 2011, cyber crime cost the globaleconomy (in both direct damage and lost productivitytime) USD 388 billion in 2011. India is estimated to havedamages of USD 7.6 billion (INR 341 billion) due to cybercrime in 2011. The high cost of cyber crime is a directresult of the number of people defrauded by it. NortonsCybercrime Report mentions that close to 30 millionpeople were affected by cyber crime in 2011 in India asagainst 431 million globally.

India has seen an increase in the number of cyber crimecases led. In 2011, a total of 1,791 and 422 cyber crimecases were registered under the Information TechnologyAct, 2000 and the Indian Penal Code respectively, asopposed to 217 and 328 in 2007 15 . In keeping with thisdata, around 38 percent of our survey respondents saidthey had experienced cyber crime in the last one year.

15 Crime in India, National Crime Records Bureau, June 2012




Over a third of respondentshave experienced cybercrimeWhen asked who they felt perpetrated cyber crime, 44 percentof respondents indicated that employees were responsiblefor perpetrating cyber crime, while 40 percent said externalparties were the perpetrators. It is interesting to note that morerespondents rated the enemy within higher than externalperpetrators.

Although our survey did not specically delve into aspectssuch as the prole of cyber crime perpetrators, based onour experience it would be fair to conclude that the averageperpetrator would be in the age group of 18 -30 years.

This is also reiterated in the data available with the National CrimeRecord Bureau, where 58.6 percent of the 1184 people arrestedunder the Information Technology Act, 2000 and 42.1 percent ofthe 446 people arrested under the Indian Penal Code in 2011 forperpetrating acts relating to cyber crime were in the age group of18-30 years.

Who is responsible for perpetrating the majority of cyber incidents in your organisation?



Employee/peopeinternal to theorganisation

External parties We have notidentified the source

of such incidents

Vendos orsuppliers

44% 40% 29% 18%



Customer Data theft giving firmssleepless nightsCyber crime can manifest itself in many ways. Respondents were most familiar aboutdata theft (80 percent), network Intrusions/hacking (76 percent) and virus/malware (76percent) as ways cyber crime could affect their organisations, possibly because of themedia coverage of such issues. These concerns appear to be in line with global trends,where hacking (81 percent) and malware (69 percent) continue to remain the mostcommon manifestations of cyber crime.

Further, respondents across sectors placed customer data at the top while listing keyhigh-risk targets of an electronic attack. While sensitivity towards customer data isnaturally high, other key information assets such as personally identiable information,access information etc. should also be viewed as equally high-risk targets. A recentundercover investigation by a media agency highlighted the sale of sensitive personaldata of overseas customers by certain call center employees. According to the report,the data on offer included condential account details from major nancial institutions,transaction details and computer IP addresses among other things . Such data couldpotentially be worth millions of dollars. Worse, it could bring businesses to a grindinghalt, if customers came to know of such practices.

Ways in which Cyber Crime can affect organisations (Multiple Choice)

16 Data thefts threaten all Indian call centres,MarketingWeek, 20 March 2012



Data theft Network Insrusion/Hacking Virus and malware

Defacement ofcompany website

Malicious emails andsmear campaigns

80%

60% 42%

76% 76%



Similar news items about online stores and web portals being compromised have become common. At times,organisations are not even aware that their networks have been compromised and that data or information mayhave been stolen.

Such instances highlight that it is not sufcient to look at just the technical aspects of cyber crime. One mustalso realise that human intervensions play a big role in committing cyber crime. Organisations should thereforego beyond plugging IT vulnerabilities to include a holistic policy that covers employees also. For instance,there can be policies discouraging sharing of login/password information and these should be stringentlyenforced. Additionally, companies should have provisions to safeguard personal information, adopt robustoverall information security measures, and conduct periodic reviews of process controls to ensure any gaps areidentied early on and plugged.

Cyber Crime Risk Heat Map



Top ve IT vulnerabilities

12

3

4

5

Connection to and from the internet

Applications hosted on the web

E-mail records

Maintainance acess to systems fromcontractors/ third parties

Mobile data devices

Assets at Risk Degree of Risk

Customer data

Intellectual property

Company information e.g. Legal / Financial information

Business sensitive information e.g. Prot and Loss gures

Personal identiable information of employeesLogin/password information


High Risk Low Risk



Hunting an elephant with awater pistolA study conducted by Ponemon Institute inpartnership with Symantec revealed that Indianorganisations spent an average of INR 53.5 millionto remediate a data breach . This shows how costlya reactive approach to cyber crime can be. However,preventing cyber crime is difcult due to thetechnological complexities involved and the fact that

a large population needs to be controlled includingcustomers or other connected service providers, whomay be careless or ignorant about the effects.

Further, preventing, tackling and mitigating cybercrime incidents are seen as the responsibility of theinformation security team, as indicated by 91 percentof respondents. This is challenging as the informationmade available to such teams (for investigationor establishing preventive mechanisms) is ofteninternal company data and not the vulnerabilitiesor information access patterns of customers or

business partners (classied as third party data).Therefore utilising limited data for investigatingbreaches does not help get an accurate picture ofthe gaps in the control systems. Also specic skillsare required to investigate cyber incidents. In ourexperience, however, most internal informationsecurity teams use IT administrators and network

security professionals to investigate cyber attacks something they are not trained to handle.

An IT incident response policy primarily focuses onidentifying the root cause of an incident and restoringoperational capability at the earliest. However, cybercrime related incidents have to be dealt in a mannerwhich involves forensic technology methods withemphasis on evidence preservation and quarantineprocedures. Organisations would have to take adifferent approach to this including using differentskill sets, tools, and procedures.


Prevention and Detection Framework for Cyber CrimeDegree of

Implementation

Ability to trace access logs for various critical systems 5

Control over access to personal email accounts/external Websites 4

Ability to log all external websites accessed by employees from the companysnetwork 5

Control of spam/malicious emails through appropriate lters 4

Utilisation of advanced encryption on ofce laptops 5

Existence of periodic review of IT security policies 4

Existence of cyber incidence response policy 6





Awareness will help companiesequip themselves betterOrganisations can create awareness about cyber crime by setting the tone at thetop. Boards have a duciary duty of safeguarding not only the physical assets of thecompany, but also information assets. If Boards have an obligation to ensure that thecorporate ofce/plant is secured, they also have an obligation to ensure that the digitaldoor is locked.

In late 2011, the SEC issued guidelines that require public companies to disclosesecurity events if they materially affect the entitys products, services, relationships,or competitive conditions or if they would make an investment in the company that isviewed as risky because of some of these reasons.

In line with this, Boards were asked to ensure that information risk management wasintegrated into an entitys enterprise risk management strategy.

Across the globe, governments too are prioritising cyber security as both a nationalsecurity and economic security issue. The US federal government is ramping up itscyber security workforce and forecasts spending USD13.3 billion on cyber securityinitiatives by 2015 18. India too has initiated action in this regard with the proposedpolicy for national cyber infrastructure protection. The policy envisages establishmentof sectoral Computer Emergency Response Team (CERT) to respond quickly toprotect critical assets such as power distribution networks, air trafc controls,

trafc networks, etc. It also envisages creation of the National Critical InformationInfrastructure Protection Centre (NCIPC) for ensuring protection of critical informationand communication assets. 19 This could spur companies to look at creating similarprogramme at a company level for their data protection.

At an organisational level, companies can start by setting a clear policy on informationassets, including what they are, how an employee must use them, who do they belongto and what happens in case those assets are lost or compromised. Another aspectis conducting regular training programmes. Workshops as well as e-learning modulescan be made available to employees to help them identify potential cyber crimerelated risks/ scenarios. Trainings can also be conducted by experts to drive home theimportance of preventing cyber crime.

It is in the interest of companies to have an incident response plan, which denes aclear set of steps to be taken by the organisation in the event of a security breach.

Lastly, organisations must set up a separate specialist team with prior experience ofhandling cyber breaches, to handle their cyber security and conduct investigations intoany breaches. Alternatively, they can also hire specialist agencies to do this for them.

18 2012: Year of war against cyber crime, The Economic Times, 16 February 201219 India to add muscle to its cyber arsenal, The Times of India, 11 June 2012




Section

IP Fraud, Counterfeiting andPiracy the white elephant inthe room03

B

Intellectual property fraud, counterfeiting and piracyare rampant in India. Counterfeit and pirated goods inIndia are estimated to be worth over USD 5 billion, 20 according to the Havoscope Global Market Index.Various reports suggest that this type of fraud is onlyincreasing, thanks to the enormous prots it offersin return for a small upfront investment and littleother business risks. Additionally, the low penaltyand prosecution levels in India for IP fraud providelittle or no deterrence against further infringements 21 .While companies seem to be aware of piracy andcounterfeiting, there is little understanding of how suchpractices can impact their business.

20 Fighting the crime of the 21st century, World Trademark Review, April/May 201221 Special 301 Report, Ofce of the United States Trade Representative, 2012




43%21%

19% 14%

3%None

IP infringment,including datathefts underreporting oflicenses /fees

Counterfeitingand piracy All the said

frauds

Frauds experienced in the last 12 months?

It is therefore not surprising to nd that nearly 78 percent of survey respondents wereunaware of the risks of IP infringement/counterfeiting/piracy. Among those who wereaware, a majority of respondents (57 percent) indicated that they had experienced IPinfringement or counterfeiting/piracy in the last one year. Of these, two-thirds indicatedthat they had faced between 1 to 10 such fraud incidents, underscoring that this type offraud is quite widespread.

Of the respondents who were aware of such risks, around 77 percent said that such

a fraud could adversely affect the brand/reputation of their organisation. Around 46percent of respondents estimated the direct monetary loss on account of IP fraud,counterfeiting and piracy to be a little over INR 20 million. In our experience losses aresignicantly higher, and respondents choice in this case may be an indication that theyare unaware of how to estimate losses from this type of fraud.



Parallelsupplychain



Respondents considered the source of such fraudulent activitiesas primarily internal as they rated employees over competitionas parties who pose maximum threat of IP fraud. This is incontrast to our 2010 survey where the respondents had rated

competition over employees as posing the maximum threat.

How much do you think organisations can lose directly through incidences of IPinfringement, counterfeiting/piracy?



more thanINR 20,000,000

46%

less thanINR 5,000,000

33%

INR 5,000,000 toINR 20,000,000

21%



Low awareness ofrisk assessment andmitigation procedures

Only a little over a third of the respondents indicated that theyperformed an annual risk assessment for IP infringement alongwith a market survey and supply chain analysis to addresscounterfeiting and piracy issues. Nearly half of the other

respondents were either unaware of such an assessment orbelieved it was not performed in their organisation.

Frequency of performing a risk assessment to address counterfeiting and piracy issues



Do not performor arenot aware of annual

risk assessment for IPinfringement

46%

Monthly

Quarterly

Every

india fraud survey 2012

Documents