LEGAL CAVEAT
CONTENTS
INTRODUCTION
DEFINING FRAUD
TRENDS IN FRAUD
FRAUD SCHEMES
ASSET MISAPPROPRIATION
  Abusing the Corporate Travel Booking System
  Expensing Gift Cards for Personal Use
  Misusing a Purchasing Card
  Altering Payroll Records
  Manipulating Purchase Orders
  Pocketing Maintenance Fees
  Accidental Overpayments
  Cashing in on Weak Controls
  Stealing Incentives
  Profiting from Land Purchases
  Falsifying Recruiter Fees
  Profiting from Weak Inventory Controls
  Falsifying Shipping Labels
  Falsifying Productivity Figures
  Abusing Supplier Accounts
  Manipulating the Benefits System
  Using Company Resources for a Side Business
  CEB Support
  Data Analytics Test
THIRD-PARTY FRAUD
  Falsifying Bank Details
  Favoring One Supplier
  Travel Ponzi Scheme
  Misusing Third-Party Services
  Colluding Vendors
  Abusing Oversight Responsibilities
  CEB Support
  Data Analytics Test
Note: If you have any questions, or would like to learn more about how CEB can help you on the topic of fraud, please contact Ruth Shaikh.
CONFLICTS OF INTEREST
  Circumventing Human Resource Controls
  Inappropriate Hiring Practices
  Keeping Business in the Family
  Employee-Owned Supplier
  CEB Support
  Data Analytics Test
INFORMATION SECURITY AND CYBER FRAUD
  Theft of Client Identities
  Theft of Corporate Identities
  Circumventing IT Access Controls
  Abusing Weak Security Controls
  Purchasing Employee Log-In Credentials
  Sophisticated Phishing Attacks
  CEB Support
  Data Analytics Test
CORRUPTION AND BRIBERY
  Using Middlemen to Bribe Officials
  Improperly Using Training and Education Funds
  Bribing Officials to Avoid Scrutiny
  Hiding Bribes as Charitable Donations
  Manipulating the Public Tender Process
  Bribing Officials for Operational Ease
  Taking Bribes for Securing Business Deals
  CEB Support
  Data Analytics Test
ADDITIONAL SUPPORT
INTRODUCTION
Helping prevent and detect fraud has always been central to audit's value proposition and mandate. In a 2012 CEB poll, fraud was listed as one of the top challenges for CAEs and their teams, with 48% expressing the need to improve fraud prevention and detection capabilities. Although most of those surveyed reported that overall levels of fraud are not rising, the financial cost of fraud is still significant. The Association of Certified Fraud Examiners' (ACFE's) 2012 Report to the Nations[1] shows that the average organization loses 5% of its revenues to fraud, suggesting that even small improvements in fraud mitigation strategies will likely have a significant impact.
Although overall levels are stable, two areas are causing increasing concern among CAEs: IT and cyber fraud, and corruption and bribery. Continuing international expansion and stricter regulatory scrutiny are driving IT and cyber fraud risk, while the proliferation of technology systems is increasing corruption and bribery risk.
Fraud's dynamic nature means that, even when overall levels are stable, it is important to closely monitor changes in the fraud risk environment. To accelerate the effectiveness of your fraud risk management, we have gathered almost 40 specific examples of small and large fraud schemes that occurred in member companies and detailed how they have adapted existing controls and introduced new controls to prevent and detect fraud. You can use this information to update your audit plans, alter existing fraud risk management approaches, train your audit staff, and build a strong case for the importance of fraud risk management with key stakeholders.
We have organized the fraud schemes shared in this document into five commonly experienced categories:
Asset Misappropriation
The taking or use of goods, services, money, or benefits by any person, either internal or external to the victim organization, without due payment
Third-Party Fraud
Any fraud committed solely by a third party or committed by a third party in collusion with another party who may be internal or external to the victim organization
Conflicts of Interest
Situations where employee decisions and actions are influenced by personal interests
ADR6402913SYN
2013 The Corporate Executive Board Company. All Rights Reserved.
Although information security and corruption are the most pressing types of fraud, asset misappropriation is still the most common. We uncovered many unique scenarios that members of our CEB network have experienced, and we have learned about a number of fraud schemes committed by, and between, third parties. As companies increasingly rely on third parties, they are more exposed to fraud committed by contractors and vendors. Although conflicts of interest fraud has changed little over the years (it is primarily the result of inappropriate influence of personal interests), our interviews demonstrated that it is still an area of concern and can be rather costly. Lastly, international expansion raises concerns over bribery and corruption, but different business cultures and often weaker control environments can contribute to fraud in all these areas.
Financial Statement Fraud
We excluded financial statement fraud from this report. Audit teams have become more effective at managing this risk in response to recent crises and regulatory requirements, such as Sarbanes-Oxley.
Methodology
We conducted this research primarily through interviews with over 50 CAEs and fraud auditors from across the CEB network. We also used primary and secondary data to illustrate the trends we identified and to add detail to each of the categories under which these fraud schemes fall.
We present the financial cost of these schemes in US dollars. Company pseudonyms were arbitrarily designated. Each section begins with Company A, although Company A in one section is not necessarily the same organization as Company A in another section.
We have excluded more widely reported fraud schemes committed both by and against companies. Extensive media coverage has already made details on such frauds easily available.
DEFINING FRAUD
Different professional groups and associations have many definitions of fraud. The definitions used by individual companies vary, as they are influenced by audit committee concern and the nature of the fraud risk exposure of that organization. Organizational definitions range from a narrow focus on financial statement fraud to much broader definitions that encompass all activities involving theft and deception. The examples below, from professional associations and investigatory groups, are quite broad.
Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.
– Institute of Internal Auditors
Any intentional or deliberate act to deprive another of property or money by guile, deception, or other unfair means.
– Association of Certified Fraud Examiners
Put simply, fraud is an act of deception intended for personal gain or to cause a loss to another party.
– United Kingdom's Serious Fraud Office
The intentional perversion of the truth for the purpose of inducing another person or other entity in reliance upon it to part with something of value or to surrender a legal right. Fraudulent conversion and obtaining of money or property by false pretenses. Confidence games and bad checks, except forgeries and counterfeiting, are included.
– Federal Bureau of Investigation
Through our interviews, we learned that organizations are broadening their definitions of fraud. For example, theft of data and intellectual property is increasingly recognized as being a type of fraud.
TRENDS IN FRAUD
Stable Levels of Fraud
Fraud does not appear to be on the rise. The vast majority of members we interviewed felt that fraud levels have remained flat, even with the recent economic downturn. Interviewees explained that there is heightened awareness about fraud and improved communication and training on expectations, misconduct, and the use of whistleblower hotlines. Despite an increase in whistleblower activity, driven by better education, the actual number of fraud incidents has not increased dramatically. CEB research shows that, between 2011 and 2012, the number of employees who observed misconduct only increased by 1.6%.[2] Despite these stable levels, many of those we interviewed felt there was a stronger focus on fraud, partly from their audit committees. Most felt this focus was driven by high-profile fraud cases being reported in the news.
Two Main Drivers of Fraud
CAEs highlighted two particular trends driving fraud. First, increasing technological complexity creates new opportunities for committing fraud but can also make it more difficult to prevent and detect certain frauds. For example, the proliferation of technology systems often leads to poor systems integration, which can be exploited to steal or manipulate information without being detected, as the presence and strength of controls varies between systems. As some interviewees expressed, the perception of anonymity afforded by technology may also reduce the feeling of wrongdoing among fraudsters. Second, the continued worsening of economic prospects puts financial pressure on people, which motivates fraud. Continuing redundancies also lessen loyalty to organizations and help fraudsters justify their actions, while weakening the control environment.
Information Security and Cyber Frauds Are Most Concerning
As a result of the aforementioned increase in technological complexity, CAEs are acutely concerned about information security and cyber fraud. The potentially high impact, both financial and reputational, of information security fraud or cyber attacks, as well as the more technical nature of the area, make this one of the biggest areas of concern for organizations. In addition to the loss of confidential personal information, organizations are concerned about the theft of intellectual property. Of particular concern is that intellectual property loss may not be noticed immediately. Another risk factor is poor systems integration, where information controls are inconsistent between multiple systems, and files can be manipulated more discreetly on one local system without affecting information on other systems; this helps fraudsters evade detection.
FRAUD SCHEMES
Review a collection of fraud schemes that have been perpetrated against your peers in the past 12–24 months.
Asset Misappropriation
Third-Party Fraud
Conflicts of Interest
Information Security and Cyber Fraud
Corruption and Bribery
ASSET MISAPPROPRIATION
Of the dozens of fraud schemes and scenarios we collected, the majority of fraudulent acts and stories shared by the membership were some form of asset misappropriation. Although asset misappropriation frauds usually have lower losses than other fraud categories (e.g., financial statement fraud, corruption and bribery), the incidents in this section are mostly of higher dollar value and exclude more commonly experienced travel and expense, overtime, and time card fraud. Interestingly, we have shared a scheme that relates to the misappropriation of information assets, which demonstrates the need to take a broader approach to how we define and protect different types of assets.
[Figure: Frequency and median loss of occupational fraud by category. Frequency: asset misappropriation 88%, corruption 33%, financial statement fraud 8%. Median loss axis: $0 to $750,000. Chart not recovered.]
Source: Association of Certified Fraud Examiners, Report to the Nations on Occupational Fraud and Abuse, 2012, http://www.acfe.com/uploadedFiles/ACFE_Website/Content/rttn/2012-report-to-nations.pdf.
For most of the fraudulent acts shared in this category, preventive controls were in place to
ABUSING THE CORPORATE TRAVEL BOOKING SYSTEM
Company A uses a ghost card system for travel booking purposes. It has experienced two separate incidents of employees booking flights through the central system, as well as employees buying the same flights with their corporate credit cards and expensing them.
Discovery:
Duration:
Cost:
Control Updates:
Company A did not implement new controls, as this was caught fairly quickly with existing controls. Its existing controls use an assessment of forecast spend versus actual spend. Each department is responsible for monitoring forecast versus actual spend every month, ensuring large variances are quickly noticed.
Variations:
Duration:
One month
Cost:
Control Updates:
ALTERING PAYROLL RECORDS
One employee at Company D had access to the payroll file sent to the bank for wage payments. She added untaken vacation time payment records for employees leaving the company. Then she switched the bank account details for those payments to her account or the accounts of her friends or family. Her changes were not visible in the HR management system, as she only changed the payment file. In 2006, she was laid off, and the following January the scheme was discovered and reported to police. Employees then learned about the fraud from a local newspaper that had picked up the story from the police station's daily record. To address employee concerns about the fraud, Company D bought all employees fraud insurance for one year.
Discovery:
This scheme was discovered when a former employee received a tax form showing he received more money than he actually did.
Duration:
~ One year
Cost:
Control Updates:
MANIPULATING PURCHASE ORDERS
Company E uses a building supplies company for various projects. One staff member ordered supplies for his projects and was responsible for filling out purchase requisitions. He would skip sections on the order forms, and then pass them to his supervisor, who would approve the orders without considering the blank lines. Before taking the form to Procurement, the employee would fill in the blank lines and order goods for his own purposes. Because the supplies company has a collection facility, the goods did not have to be delivered to the company. The employee was using the goods to build his holiday home.
Discovery:
The employee's manager noticed this fraud when comparing purchase requisitions and orders.
Duration:
~ Six months
Cost:
Control Updates:
Discovery:
Duration:
~ Two years
Cost:
Control Updates:
ACCIDENTAL OVERPAYMENTS
Duration:
~ Six months
Cost:
Control Updates:
Discovery:
Company H has specific operations that use cash more commonly than checks or money wiring. In one case, an account manager received a centrally generated invoice for a client and then doctored it to inflate the amount due. The client would receive the invoice and pay the account manager directly in cash. The account manager would keep the excess amount that had been added to the invoice and pay the rest to Company H.
Discovery:
Duration:
Cost:
The company reimbursed its client.
Control Updates:
STEALING INCENTIVES
Company I used Visa gift cards at promotional events as incentives for new customers. The employee who was responsible for obtaining and storing these cards would steal some, take them to the bank, and exchange them for cash. Each time the individual cashed the cards, the bank would make a note of the employee and the company that had issued the gift card.
Discovery:
Duration:
[number not recovered] months
Cost:
Control Updates:
Discovery:
Hotline tip
Duration:
One transaction
Cost:
Control Updates:
FALSIFYING RECRUITER FEES
An employee at Company K was the budget controller for one business unit and could also authorize payment of recruiting fees. He set up a fake record for a recruitment agent, putting his own bank details in the record for fee payment. When new staff (not sourced through a recruiting agency) were hired, he would falsify records and pay out a recruitment fee to himself.
Discovery:
The scheme was discovered when the employee's replacement asked a staff member which agency had hired them. The staff member explained that they had not come through a recruitment agency, which prompted concerns as to why a recruiter fee had been paid for that employee.
Duration:
~ One year
Cost:
Control Updates:
Discovery:
Duration:
[number not recovered] months
Cost:
Control Updates:
FALSIFYING SHIPPING LABELS
Company M uses SAP as one of its systems. It purchased additional software bolt-ons with complementary features from another supplier. However, the bolt-ons' security was not great, and Company M had no control over their configuration. As such, there were no preventative controls and only weak detective controls in place. A warehouse employee exploited various weaknesses in the bolt-on systems to manually print shipping labels.
Discovery:
Hotline tip
Duration:
At least two years; records were only kept for two years, so it was not possible to track it further.
Cost:
Up to [amount not recovered]
Control Updates:
Discovery:
Duration:
~ One year
Cost:
The cost of extra labor was about [amount not recovered] million.
Control Updates:
Duration:
One month
Cost:
Control Updates:
Discovery:
Duration:
Five months
Cost:
The employee stole [amount not recovered] worth of additional benefits. The operational and calculation mistakes made by the employee while committing this fraud cost the company a further [amount not recovered].
Control Updates:
Discovery:
Hotline tip
Duration:
~ Eight months
Cost:
Control Updates:
CEB SUPPORT
The following steps and activities can help monitor and mitigate risks of asset misappropriation:
Ensure robust operating controls and adequate monitoring are in place for relevant processes such as payroll, accounts payable, accounts receivable, travel and entertainment, and inventory management.
Check that duties are appropriately segregated for key processes.
Use automated methods for tracking physical assets (inventory, office supplies, etc.) and ensuring accountability for oversight of these.
See our topic center on Transaction Processing for auditing tools, templates, and best practices for managing financial transactions such as payroll, accounts payable, accounts receivable, travel and entertainment, and financial closing, consolidation, and reporting processes.
Also see our topic center on Inventory Management for more tools, templates, and best practices.
DATA ANALYTICS TEST
Run a list of standard industrial codes or vendor names to identify unusual activity on P-cards.
Look for invoice or purchase order quantities that do not match goods received records.
Search for split purchase orders and payments that circumvent approval limits.
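The last two tests above (purchase order quantities that do not match goods received records, and split purchase orders that circumvent approval limits) can be run as straightforward data analytics over extracts from the purchasing system. The following is an added example, not code from the CEB report or from any member company; the record layout, the approval limit of $5,000, the calendar-month grouping and the sample orders are all constructed assumptions.

```python
"""Added example (not from the CEB report): two of the purchasing tests listed above
run over constructed purchase order and goods receipt records."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


# Record layouts are assumptions, not a real ERP schema; one line item per PO for brevity.
@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    requester: str
    vendor: str
    order_date: date
    amount: float
    quantity: int


@dataclass(frozen=True)
class GoodsReceipt:
    po_id: str
    quantity_received: int


APPROVAL_LIMIT = 5_000.00  # assumed threshold above which a second approver is required

# Constructed sample data: emp42 places three orders just under the limit in one month.
SAMPLE_POS = [
    PurchaseOrder("PO-1001", "emp42", "ACME Supplies", date(2013, 3, 4), 4_900.00, 10),
    PurchaseOrder("PO-1002", "emp42", "ACME Supplies", date(2013, 3, 5), 4_800.00, 10),
    PurchaseOrder("PO-1003", "emp42", "ACME Supplies", date(2013, 3, 6), 4_950.00, 10),
    PurchaseOrder("PO-2001", "emp07", "Fleet Garage", date(2013, 3, 4), 1_200.00, 1),
    PurchaseOrder("PO-2002", "emp07", "Fleet Garage", date(2013, 4, 20), 1_300.00, 1),
    PurchaseOrder("PO-3001", "emp19", "Build-It", date(2013, 3, 10), 2_000.00, 40),
]
SAMPLE_RECEIPTS = [
    GoodsReceipt("PO-1001", 10),
    GoodsReceipt("PO-1002", 10),
    GoodsReceipt("PO-1003", 10),
    GoodsReceipt("PO-2001", 1),
    GoodsReceipt("PO-2002", 1),
    GoodsReceipt("PO-3001", 25),  # 15 units fewer than ordered
]


def find_split_orders(pos, limit=APPROVAL_LIMIT):
    """Flag requester/vendor pairs whose orders in one calendar month each stay under
    the approval limit but together exceed it: the classic split-PO pattern."""
    groups = defaultdict(list)
    for po in pos:
        groups[(po.requester, po.vendor, po.order_date.strftime("%Y-%m"))].append(po)
    flagged = []
    for (requester, vendor, month), orders in sorted(groups.items()):
        total = sum(po.amount for po in orders)
        if len(orders) > 1 and total > limit and all(po.amount <= limit for po in orders):
            flagged.append({
                "requester": requester,
                "vendor": vendor,
                "month": month,
                "po_ids": tuple(sorted(po.po_id for po in orders)),
                "total": round(total, 2),
            })
    return flagged


def quantity_mismatches(pos, receipts):
    """Return (po_id, ordered, received) for every PO whose goods received total
    differs from the quantity ordered; a PO with no receipt at all counts as 0 received."""
    received = defaultdict(int)
    for gr in receipts:
        received[gr.po_id] += gr.quantity_received
    return [
        (po.po_id, po.quantity, received[po.po_id])
        for po in pos
        if received[po.po_id] != po.quantity
    ]


if __name__ == "__main__":
    for hit in find_split_orders(SAMPLE_POS):
        print("possible split order:", hit)
    for po_id, ordered, got in quantity_mismatches(SAMPLE_POS, SAMPLE_RECEIPTS):
        print(f"quantity mismatch on {po_id}: ordered {ordered}, received {got}")
```

Both tests are deliberately conservative: the split-order test only fires when every order in the group is individually under the limit (a group containing one order that already needed the higher approval is not a circumvention), and the quantity test reports under- and over-receipts alike so that the reviewer, not the script, decides which direction matters.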
Accounts Payable
THIRD-PARTY FRAUD
As organizations rely on growing and increasingly complex third-party networks, they expose themselves to more related risks and fraud, such as kickbacks for contracts and contractor theft. In 2012, 12% of companies were affected by vendor, supplier, or procurement fraud. Of the companies affected by multi-perpetrator fraud, 43% reported the perpetrators were suppliers, and 37% reported they were vendors.[8] It's not surprising that many of our interviewees expressed concern about the risk posed by third parties and the opportunities for collusion between third parties and employees. The schemes covered here vary from smaller scale frauds committed by individuals from third parties
[Figure: Regions reporting the highest levels of vendor, supplier, or procurement fraud: India 20%, Colombia 19%, Latin America 19%, Indonesia 16%, Mexico 16%. Chart not recovered.]
Source: Kroll Advisory Solutions, Global Fraud Report: Economist Intelligence Unit Survey Results, 2012–2013, http://www.krolladvisory.com/library/KRL_FraudReport2012-13.pdf.
Duration:
Two months
Cost:
Control Updates:
Discovery:
A member of the public sent a tip to a local manager, who passed it along to HR and then to Internal Audit.
FAVORING ONE SUPPLIER
Company B has a number of drivers who work in the field, conducting various services and supporting distribution. Each driver has a fleet card, which is used to pay for fuel and repairs from preapproved vendors. One vendor was paying an employee to send a larger portion of the work to his garage. Although the vendor was legitimate, it was also paying a bribe to an employee of Company B. The vendor's work was reviewed, and while some of the jobs seem to have taken slightly longer than normal, it was not possible to prove its work had been unnecessary.
Duration:
Two years
Cost:
Control Updates:
Discovery:
Duration:
[number not recovered] to [number not recovered] months
Cost:
Control Updates:
Discovery:
TRAVEL PONZI SCHEME
Company C recommended that all business units use a global travel agent for all employee travel and hotel stays. The company allowed one business unit to keep its local provider. This local travel agent was paid for booking various services, such as flights, hotels, and transfers. If an employee's plans changed and these arrangements had to be cancelled, the travel agent did not quickly or fully reimburse the company. Company employees would request reimbursement, but the agent would give various excuses for the delays, including blaming the airlines or hotels. When employees were reimbursed, it was not always the correct amount. During the investigation, Company C learned that there were more than 10 other corporate clients who were experiencing the same issues. The travel agent had misappropriated client funds and was taking refunds from one client to pay the refunds of other clients. Company C severed its business with the travel agent and referred the matter to local law enforcement.
Duration:
A number of years
Cost:
Over [amount not recovered]
Control Updates:
Discovery:
COLLUDING VENDORS
Duration:
The company could not prove collusion in this case, so it cannot estimate duration.
Cost:
The cost was hard to determine given the nature of the scheme.
Variations:
Control Updates:
Discovery:
Duration:
[number not recovered] months
Cost:
Control Updates:
Discovery:
CEB SUPPORT
The following steps and activities can help monitor and mitigate third-party risks:
Ensure clear, consistent supplier selection processes and that the operational standards and conduct to be enforced are clear.
Conduct early due diligence on the financial health of third parties and their other relationships and interests.
Utilize right-to-audit clauses in your contracts with third parties, enabling
Questionnaire Builder.
Also see a member-donated Third Parties Guideline Work Program.
DATA ANALYTICS TEST
Review the vendor master list for missing or invalid information, such as invalid tax identifiers, or fields left blank or with null values.
Compare vendor telephone numbers with company and employee telephone numbers.
Review vendor addresses against an employee address list.
Look for PO box addresses.
Check creation dates of invoices, looking for weekends and public holidays.
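Each of the five vendor master and invoice tests above reduces to a comparison over normalized fields, and the normalization is where such tests usually fail in practice (a phone number formatted two ways, "Street" against "St."). The following is an added example, not code from the CEB report or from any member company; the vendor, employee and invoice records, the tax identifier layout and the public holiday list are constructed assumptions.

```python
"""Added example (not from the CEB report): the vendor master and invoice-date tests
listed above, run over constructed vendor, employee and invoice records."""
import re
from datetime import date

# Constructed sample data; field names are assumptions, not a real ERP schema.
VENDORS = [
    {"id": "V100", "name": "ACME Supplies", "tax_id": "12-3456789",
     "phone": "(555) 010-2000", "address": "12 Mill Road, Springfield"},
    {"id": "V101", "name": "Quick Recruit", "tax_id": "",
     "phone": "555-010-4321", "address": "PO Box 77, Springfield"},
    {"id": "V102", "name": "Northside Consulting", "tax_id": None,
     "phone": "+1 555 010 9876", "address": "8 Elm St., Shelbyville"},
    {"id": "V103", "name": "Fleet Garage", "tax_id": "98-7654321",
     "phone": "555-010-1111", "address": "P.O. Box 12, Shelbyville"},
]
EMPLOYEES = [
    {"id": "E7", "phone": "555-010-4321", "address": "3 Oak Ave, Springfield"},
    {"id": "E19", "phone": "555-010-5555", "address": "8 Elm Street, Shelbyville"},
]
INVOICES = [
    {"vendor_id": "V100", "number": "A-1", "created": date(2013, 3, 4)},    # a Monday
    {"vendor_id": "V101", "number": "Q-9", "created": date(2013, 3, 9)},    # a Saturday
    {"vendor_id": "V102", "number": "N-2", "created": date(2013, 12, 25)},  # a holiday
]
PUBLIC_HOLIDAYS = {date(2013, 1, 1), date(2013, 12, 25)}  # constructed calendar

TAX_ID_RE = re.compile(r"^\d{2}-\d{7}$")  # assumed layout (US EIN style)
PO_BOX_RE = re.compile(r"\bp\.?\s*o\.?\s*box\b", re.IGNORECASE)
ABBREVIATIONS = {"street": "st", "avenue": "ave", "road": "rd"}


def normalize_phone(raw):
    """Keep digits only so that formatting differences do not hide a match."""
    return re.sub(r"\D", "", raw or "")


def normalize_address(raw):
    """Lower-case, drop punctuation and abbreviate common street words."""
    tokens = re.sub(r"[^\w\s]", " ", (raw or "").lower()).split()
    return " ".join(ABBREVIATIONS.get(t, t) for t in tokens)


def missing_or_invalid_tax_ids(vendors):
    """Blank, null, or malformed tax identifiers."""
    return [v["id"] for v in vendors
            if not v["tax_id"] or not TAX_ID_RE.match(v["tax_id"])]


def vendors_sharing_employee_phone(vendors, employees):
    """(vendor_id, employee_id) pairs whose normalized phone numbers coincide."""
    by_phone = {normalize_phone(e["phone"]): e["id"] for e in employees}
    return [(v["id"], by_phone[normalize_phone(v["phone"])])
            for v in vendors if normalize_phone(v["phone"]) in by_phone]


def vendors_sharing_employee_address(vendors, employees):
    """(vendor_id, employee_id) pairs whose normalized addresses coincide."""
    by_address = {normalize_address(e["address"]): e["id"] for e in employees}
    return [(v["id"], by_address[normalize_address(v["address"])])
            for v in vendors if normalize_address(v["address"]) in by_address]


def po_box_vendors(vendors):
    """Vendors whose only address is a post office box."""
    return [v["id"] for v in vendors if PO_BOX_RE.search(v["address"] or "")]


def off_calendar_invoices(invoices, holidays):
    """Invoices created on a weekend or public holiday, with the reason."""
    findings = []
    for inv in invoices:
        day = inv["created"]
        if day in holidays:
            findings.append((inv["number"], "public holiday"))
        elif day.weekday() >= 5:
            findings.append((inv["number"], "weekend"))
    return findings


if __name__ == "__main__":
    print("missing/invalid tax id:", missing_or_invalid_tax_ids(VENDORS))
    print("phone matches employee:", vendors_sharing_employee_phone(VENDORS, EMPLOYEES))
    print("address matches employee:", vendors_sharing_employee_address(VENDORS, EMPLOYEES))
    print("PO box address:", po_box_vendors(VENDORS))
    print("off-calendar invoices:", off_calendar_invoices(INVOICES, PUBLIC_HOLIDAYS))
```

A vendor that appears in more than one of these lists (here V101: blank tax identifier, PO box address, a phone number shared with an employee, and a weekend invoice) is the one to look at first; any single hit on its own is routinely explained by sloppy data entry.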
CONFLICTS OF INTEREST
conflicts of interest. For example, where family and friends are hired to provide services, it is not always possible to determine if the services provided were actually required or if they could have been completed more cost-effectively or to a higher standard by a different provider.
Many of our interviewees stressed the importance of educating employees in emerging markets to help prevent conflicts of interest. In many countries, employees may be unaware that conflicts of interest are forbidden, may be unclear when conflicts of interest occur, or may simply believe that they are doing the right thing by using services from people they already know and trust. A clear, well-communicated code of conduct and third-party selection policy followed by training can help address this issue.
Figure 3 shows the regions reporting the highest levels of loss to conicts of interest fraud.
[Figure 3: Regions reporting the highest levels of loss to conflicts of interest fraud: USA 25%, Gulf Arab States 23%, Canada 16%, Africa 15%, Brazil 14%. Chart not recovered.]
Source: Kroll Advisory Solutions, Global Fraud Report: Economist Intelligence Unit Survey Results, 2012–2013, http://www.krolladvisory.com/library/KRL_FraudReport2012-13.pdf.
Company A has account executives (AEs) responsible for running client accounts. As a company policy, AEs always need to involve the centralized support teams (such as HR, Accounting, and Procurement) and follow clear policies and procedures when hiring new employees and procuring goods and services on behalf of clients. However, a tenured and well-respected AE was making these decisions unilaterally without involving the centralized business support teams. The AE would hire friends and family to work for the client. He would also manipulate staff expense reports as a means of paying them unapproved bonuses. For example, the AE would reimburse the team administrative assistant for mileage costs, despite the administrative assistant having no reason to drive for business purposes. Apart from the expenses, other damages might exist, as the services provided could have cost less or been higher quality. Because no evidence suggested the AE took personal benefit, it was difficult to prosecute them. The AE commented that the account was managed as if it were the AE's own business.
Discovery:
Duration:
[number not recovered] to [number not recovered] years
Cost:
[amount not recovered] to [amount not recovered] million; this amount was an extrapolation made by the forensic accountants based on an analysis of invoices and expense claims.
Control Updates:
Discovery:
Duration:
[number not recovered] to [number not recovered] months
Cost:
The investigation did not note a dollar loss, since the work was done.
Control Updates:
Duration:
Several years
Cost:
[amount not recovered] to [amount not recovered] million
Control Updates:
Discovery:
EMPLOYEE-OWNED SUPPLIER
Three employees from Company D set up their own supply company. They knew that certain services were required at Company D and chose to capitalize on this opportunity. While supplying Company D, one of the co-owners of the supply company was processing the invoices. Because the invoices were purposely being maintained at a level that did not exceed this individual's approval authority level, they never went any higher in the organization for approval. Company D could not prove fraud because it received the services it paid for. However, it was able to prove that employees violated the company's Standards of Business Conduct. The awarding of this supplies contract had not gone through an official RFP process.
Discovery:
A hotline tip
Duration:
Cost:
N/A
Control Updates:
CEB SUPPORT
The following steps will help you establish a strong conflict of interest policy:
Clearly define the types of activities, interests, and relationships that constitute a real or perceived conflict of interest. Successful conflicts of interest policies address specific industry and geographical considerations, while emphasizing what is required of employees, including approval and reporting obligations.
Use examples and realistic scenarios. Train your employees to recognize how conflicts of interest materialize, and provide clear guidance to effectively avoid
INFORMATION SECURITY AND CYBER FRAUD
Although benchmarking indicates that misappropriation of assets is the most prevalent form of fraud, our interviewees expressed that IT-related fraud poses the greatest threat and uncertainty. The potential reputational impact of this fraud and the complexity of technology systems make it harder to assess and monitor risks.
Some members expressed concern about external threats of cybercrime (e.g., from foreign governments or competitors accessing intellectual property or customer data). However, many were more concerned about internal, employee-driven cyber fraud. Research shows that 71% of chief information security officers identify staff as being the greatest threat to data security.[10] Further research shows that in the past 12 months, organizations have experienced an average of 55 employee-related fraudulent acts in the IT and information security areas. These incidents include accessing private customer data or using a colleague's credentials to gain access rights or bypass segregation of duty controls.[11] CEB research shows that, in the second quarter of 2013, risk managers felt that cyber security risk increased in terms of both likelihood and impact.[12] Despite the increased risk and concern, only 20% of organizations feel effective at stopping these attacks.[13]
[Figure residue: chart of cyber security risk likelihood and impact, Q1 2013 versus Q2 2013
(values shown 30%, 39%, 55%, 60%; axis labels Likelihood, Impact; mapping of values not
recoverable)]
Figure 5 shows the average cost of rectifying damage caused by a cyber attack in
various geographies.
[Figure 5 residue: average annual cost of cleaning up cyber attacks, in millions of dollars,
for Australia, Germany, Japan, the United Kingdom, and the United States (values shown
$3.2, $3.3, $5, $5.1, $5.9, $8.9; mapping of values to countries not recoverable)]
Source: Ellen Messmer, Cyber Attacks in U.S. Cost an Average $8.9 Million Annually to Clean up, Says Study, CIO,
8 October 2012, http://www.cio.com/article/718246/Cyberattacks_in_U.S._Cost_an_Average_8.9_Million_Annually_to_Clean_Up_Study_Says?taxonomyId=3191.
The financial cost is not the only impact of cyber attacks. Respondents to a survey
from the Ponemon Institute also cite the loss of intellectual property, a decline in
productivity, lost revenue, and reputational damage as some of the other negative
impacts of a cyber attack or intrusion.14

levels of system access can be greater than an organization would ideally allow, they
need to take a broader approach to assessing access controls.

Further complicating the issue of building strong IT controls is the fact that preventive
IT controls can hinder productivity, particularly where organizations move toward
ever leaner and more agile operations. As such, many organizations, in a bid to allow
greater flexibility, rely more on detective controls than preventive controls. When
organizations move away from preventive controls to aid productivity, they must
ensure strong detective controls are in place.
Duration: ~Three months
Cost: Company A did not lose any money but could have lost a multimillion dollar account.
Control Updates:
Discovery:
Duration: It was hard to establish how long the scheme had been going on. Once discovered,
it took days to take down the websites.
Cost: Because Company [?] was not the primary victim, it has not felt any financial loss.
However, the scheme creates the potential for reputational damage.
Control Updates:
Discovery:
Duration:
Cost: More than [amount illegible]
Control Updates:
Discovery:
Duration: A few months
Cost:
Control Updates:
Discovery:
A group of current and former contract employees working for Company E were
purchasing the network log-in credentials of current and/or departing Company E
employees. The group would solicit active customers of Company J with offers
to reduce their monthly bills in exchange for cash payments. Once the customers
made the cash payments, the group utilized the compromised IDs to access the
customer's account profile and adjust it to reduce their monthly fees.
Company E's revenue assurance team initially discovered unusual patterns of data
activity caused by the aforementioned schemes; however, the scheme was broken open
by an employee solicited by the group. The employee informed Company E's security
organization, who investigated and determined that certain operator log-in credentials
had significantly more patterns of unusual activity than others. These were the log-in
credentials that had been purchased.
Duration: ~ One year
Cost: [amount illegible] million in revenue loss
Control Updates: Company E tightened user access controls, especially for departing
employees. Company E enhanced analytical reporting. The company deleted older or
expired billing rates from the network.
Discovery:
Duration:
Cost:
Control Updates:
Discovery:
CEB SUPPORT
Consider the following steps to ensure your organization has a strong information security program in place:

Conduct an extensive information risk assessment to support effective
identification, evaluation, and communication of IT and security-related risks.
Provide tools and information to help stakeholders, such as project managers,
run local risk assessments.
Work closely with Information Security to understand what risks they see,
and coordinate efforts and resources where necessary. Educate staff on key
policies and behavioral expectations for IT and information risk.
Continually educate staff about the dangers of phishing schemes and the risks
of mobile devices, data privacy, and cloud computing.
Closely monitor the changing information security environment, including risks
posed by ever-changing areas such as social networking and mobile devices.
Monitor network access for higher than expected levels of activity at unusual
times, such as public holidays or weekends.
Look for unusually large amounts of proprietary information being downloaded or
e-mailed.
Monitor unusual activity, such as excessive access, for users with security
administration capabilities.
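As an added illustration (not from the report), the three monitoring points above and the Company E discovery (credentials with far more unusual activity than their peers) expressed as a small Python script run over a constructed access log; the log lines, the public holiday, the business hours, the transfer and admin-action thresholds, and the z-score cut-off are all assumptions to be tuned per organization.

```python
from collections import Counter
from datetime import date, datetime
from statistics import mean, pstdev
# Constructed sample log: timestamp, credential, action, bytes moved, admin flag (1 = security admin).
SAMPLE_LOG = """\
2013-05-27T03:12:00 opr_101 read_profile 2048 0
2013-05-27T03:15:00 opr_101 update_billing 1024 0
2013-05-28T10:02:00 opr_102 read_profile 2048 0
2013-05-28T11:40:00 opr_103 export_report 734003200 0
2013-06-01T02:10:00 opr_101 update_billing 1024 0
2013-06-02T02:11:00 opr_101 update_billing 1024 0
2013-06-03T09:00:00 sec_adm grant_role 512 1
2013-06-03T09:01:00 sec_adm grant_role 512 1
2013-06-03T09:02:00 sec_adm grant_role 512 1
2013-06-03T14:00:00 opr_104 read_profile 2048 0
"""
# Assumed tuning values (placeholders): one public holiday, 07:00-19:00 business hours, 100 MB, 2 admin actions/day.
PUBLIC_HOLIDAYS = {date(2013, 5, 27)}
BUSINESS_HOURS = range(7, 19)
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024
ADMIN_ACTIONS_PER_DAY = 2

def parse(log):
    rows = []
    for line in log.strip().splitlines():
        ts, user, action, nbytes, admin = line.split()
        rows.append((datetime.fromisoformat(ts), user, action, int(nbytes), admin == "1"))
    return rows

def unusual_time(ts):  # weekend, public holiday, or outside business hours
    return ts.weekday() >= 5 or ts.date() in PUBLIC_HOLIDAYS or ts.hour not in BUSINESS_HOURS

def run_tests(rows, z=1.5):
    findings, off_hours, admin_daily = {}, Counter(), Counter()
    for ts, user, _, nbytes, admin in rows:
        if unusual_time(ts):                      # activity at unusual times
            off_hours[user] += 1
        if nbytes >= LARGE_TRANSFER_BYTES:        # unusually large download / e-mail
            findings.setdefault(user, []).append("large transfer")
        if admin:                                 # access by security administrators
            admin_daily[(user, ts.date())] += 1
    # Company E pattern: a credential with far more unusual activity than its peers (z-score over all users).
    counts = [off_hours[u] for u in {r[1] for r in rows}]
    mu, sd = mean(counts), pstdev(counts)
    for user, n in off_hours.items():
        if sd and (n - mu) / sd > z:
            findings.setdefault(user, []).append("off-hours outlier")
    for (user, day), n in admin_daily.items():
        if n > ADMIN_ACTIONS_PER_DAY:
            findings.setdefault(user, []).append(f"excessive admin actions on {day}")
    return findings
```

On the sample above, run_tests(parse(SAMPLE_LOG)) flags opr_101 as an off-hours outlier, opr_103 for the large transfer, and sec_adm for excessive admin actions on 2013-06-03.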
[Figure residue: chart of percentages by region (Australia and Oceania, Europe, North
America, Asia, Middle East and Africa, Central and South America; values shown 15.5%,
10.6%, 7.4%, 4.4%, 4.2%, 3.4%; sample sizes n = 94,681; 13,735; 11,109; 4,792; 2,358;
1,556; mapping of values and sample sizes to regions not recoverable)]
CORRUPTION
AND BRIBERY
Corruption and bribery violations not only lead to huge operational and financial losses
but also significantly damage company reputation and brand value. The penalties in such
cases may be in the form of fines, the suspension of operating licenses, and even prison
sentences for individuals involved. The ACFE's 2012 Report to the Nations shows that
organizations in Asia reported a median loss of $250,000, and those in Africa reported a
median loss of $350,000 as the result of corruption.18
A quick breakdown of corruption cases by industry shows that out of the reported fraud
cases from organizations in the mining, utilities, and oil and gas industries, 50% or more
involved some form of corruption (Figure 7).
Figure 7. Share of reported fraud cases involving corruption, by industry: Mining 77.8%;
Utilities 58.3%; Oil and Gas 50.0%; Technology 47.4%; Real Estate 42.9%; Agriculture,
Forestry, and Fishing 40.0%; Wholesale Trade 37.0%; Banking and Financial Services 36.2%;
Government and Public Administration 36.1%; Transportation and Warehousing 35.1%.
Source: Association of Certified Fraud Examiners, Report to the Nations on Occupational Fraud and Abuse, 2012, http://www.acfe.com/uploadedFiles/ACFE_Website/Content/rttn/2012-report-to-nations.pdf.
As we heard from many of our interviews, a number of factors can contribute to corruption
and bribery frauds:
Duration: A number of years
Cost:
Control Updates:
Discovery:
Company A caught senior executives funneling money out of the company and
paying bribes to help secure contracts. These kickbacks were paid to people in
authority, such as politicians and union officials, through middlemen, who were
designated as suppliers. These suppliers were paid for services rendered, but they
were intangible services, so it was hard to track what Company A had received.
These middlemen would take a cut of the payment and then pass on the rest to the
identified recipients. Some of the middlemen were also designated as consultants.
One of the senior executives circumvented an internal control by falsifying
documentation, which is used to confirm the legitimacy of consultants that are
used by Company A. Other senior executives signed these documents without
questioning what they were being told.
Duration: ~ Eight years
Cost: Company [?] paid a [amount illegible] million penalty for violating the
[regulation name illegible] and an additional penalty of [amount illegible] million
to a local regulator.
Control Updates:
Discovery:
Duration: ~ Two years
Cost:
Control Updates:
Discovery:
Duration: [number illegible] months
Cost:
Control Updates:
Discovery:
Duration: ~ Eight years
Cost:
Control Updates:
Discovery:
Duration: ~ Four years
Cost:
Control Updates:
Discovery:
Duration: [number illegible] months
Cost:
Control Updates:
Discovery:
CEB SUPPORT
Organizations need to take a strong stand on anti-bribery and anti-corruption
compliance and be particularly mindful of risks in international divisions,
Procurement, and Operations. The following steps will help you establish and
implement an effective anti-corruption program:
Understand regulatory requirements, recent enforcement decisions, the
relative riskiness of your operations, and corporate culture to maximize the
consistency and effectiveness of your anti-corruption program.
View payments by country, then use Transparency International's ratings (per the
Corruption Perception Index) to confirm that the vendor and the service or good
are valid.
Analyze expense reports and vendor payments for buzzwords such as gift,
donation, and others.
END NOTES
1. Association of Certified Fraud Examiners, Report to the Nations on Occupational Fraud and Abuse, 2012, http://www.acfe.com/uploadedFiles/ACFE_Website/Content/rttn/2012-report-to-nations.pdf.
2. CEB 2013 RiskClarity Quarterly, https://audit.executiveboard.com/Members/Popup/Download.aspx?cid=101217380. In this CEB survey, misconduct includes but is not limited to fraud, conflicts of interest, inappropriate giving or receiving of gifts, improper payments, data privacy violations, and stealing company property.
3. Association of Certified Fraud Examiners, Report to the Nations on Occupational Fraud and Abuse, 2012, http://www.acfe.com/uploadedFiles/ACFE_Website/Content/rttn/2012-report-to-nations.pdf.
4. CEB 2013 RiskClarity Quarterly, https://audit.executiveboard.com/Members/Popup/Download.aspx?cid=101217380.
5. CEB 2013 Managing Effective Relationships with the Business Auditee Survey.
6. CEB, Unlocking Information Traps 2.0, 2011.
7. Please see this link for more examples of data analytics tests in these areas: https://audit.executiveboard.com/Members/Popup/Download.aspx?cid=100107464&scAuth=true.
8. Kroll Advisory Services, Global Fraud Report, 2012/2013, http://www.krolladvisory.com/library/KRL_FraudReport2012-13.pdf.
9. Please see this link for more examples of data analytics tests in these areas: https://audit.executiveboard.com/Members/Popup/Download.aspx?cid=100107464&scAuth=true.
10. Antony Savvas, Internal Staff Still Pose the Biggest Security Risk, Computer World, 9 October 2012, http://www.computerworlduk.com/news/security/3360651/internal-staff-still-pose-thebiggest
11. The Ponemon Institute, The Risk of Insider Fraud, February 2013, http://www.attachmate.com/assets/Ponemon_2012_Report.pdf.
12. CEB Q2 2013 Emerging Risks Report, https://audit.executiveboard.com/Members/Popup/Download.aspx?cid=101217380.
13. The Ponemon Institute, Big Data Analytics in Cyber Defense, February 2013, http://www.ponemon.org/local/upload/file/Big_Data_Analytics_in_Cyber_Defense_V12.pdf.
14. The Ponemon Institute, Big Data Analytics in Cyber Defense, February 2013, http://www.ponemon.org/local/upload/file/Big_Data_Analytics_in_Cyber_Defense_V12.pdf.
15. Please see this link for more examples of data analytics tests in these areas: https://audit.executiveboard.com/Members/Popup/Download.aspx?cid=100107464&scAuth=true.
16. Ernst & Young, 12th Global Fraud Survey, 2012, http://www.ey.com/Publication/vwLUAssets/Global-Fraud-Survey-a-place-for-integrity-12th-Global-FraudSurvey/$FILE/EY-12th-GLOBAL-FRAUD-SURVEY.pdf.
17. Employees were asked if they had observed a violation of law or company policy in the past 12 months. This data includes employees who responded yes or not sure/don't know.
18. Association of Certified Fraud Examiners, Report to the Nations on Occupational Fraud and Abuse, 2012, http://www.acfe.com/uploadedFiles/ACFE_Website/Content/rttn/2012-report-to-nations.pdf.