01 February 2012

A British Standard for anti-bribery: the other 'fair trade' mark?

There have been many different responses to the Bribery Act coming into force in the last year, ranging from local council bans on Christmas gifts to your bin men to increasing market exits from the more notoriously corrupt countries. The development last December of a new British Standard for 'adequate procedures' to prevent bribery may help some organisations deal with process issues but does not move the agenda very far forward in how best to influence an organisation’s ethical culture.

This new specification has a lot to commend it.

  • BS 10500 ('the 2011 specification for an anti-bribery management system' to give its full title) was published last December after a period of consultation with experts ranging from the National Audit Office to the City of London Police and a number of commercial organisations. 
  • Standards have a long and distinguished pedigree in business improvement and quality management, and can provide a reassuringly clear and stable framework for companies that don't know where to start in addressing complex cross-cutting issues like information security or fraud. 
  • The methodical approach of standards can also be helpful in promoting consistency and coordination across project teams and supply chains, a particular issue for many companies given the Bribery Act's focus on overseas corruption and intermediaries. 
  • Applied sensibly, BS 10500 can make a positive contribution alongside other standards for ethical sourcing and supply chain resilience. Certified companies still suffer from occasional problems in procurement (e.g. child labour in India, flooding in Thailand) but typically bounce back quicker and are better able to integrate the experience into risk management.

So what's the challenge? 

Firstly, the regulatory agenda is looking for more than just documented systems and process improvements. Public trust in business has rarely been as tentative or as fragile as now. There have been a succession of high-profile corporate scandals where elaborate control systems failed to prevent corporate failures – Enron and Lehman Brothers are just two that spring to mind but there are many others.

In this sceptical environment people may view self-certification as another form of corporate PR, and companies seeking a professional benchmark for their systems may want to consider independent assurance on how they have applied the specification in reality rather than in theory. 

A company that responds to press allegations with “trust us, we’ve got a management system” is likely to be met with the question “how do you know it is really working in practice?”

Secondly, there's a limit to what can be achieved by management systems alone.

  • The British Standards Institute notes that "responsible organisations are increasingly seeing bribery prevention on a par with safety and quality control". However, this cuts both ways. Historical lessons from health and safety show that improvements quickly plateau after physical safeguards (e.g. handrails) and process interventions (e.g. a policy of hard hats for everyone on-site), leaving a persistent remainder of accidents due to the slippery 'human factor' (e.g. the foreman being in a hurry to get home to see the football). Our experience tells us that companies who want to move beyond this plateau are now looking to supplement their processes with practical and values-driven decision-making to enable day-to-day implementation of the policies and procedures, to embed compliance into the heart of the corporate culture – the ‘DNA’ of the company - and ‘business as usual’.
  • Individual behaviour is one of the hardest risks to address through a traditional process-heavy approach. PwC is helping companies address these often overlooked behavioural risks, seeking to narrow the gap between what is said (“intended behaviour”), what is visible (“expressed behaviour”), and what is done (“actual behaviour”) by defining and embedding ethical values in company strategy and individual decision-making.

Finally, while applying the specification will help demonstrate that a company has established and implemented a suite of anti-bribery procedures, this is not the same thing as demonstrating 'adequate procedures' in compliance with the Bribery Act.

  • The specification is heavily caveated and is effectively a checklist of what a company has in place. This can be useful for companies at that early stage of the compliance journey, especially for those struggling to standardise their approach across different corporate functions and territories. However, there are a number of other checklist guides that are already out there for free, such as the Transparency International guidance on best practice in adequate procedures. 
  • The new specification has not received any formal endorsement from the UK authorities. 

So, probably best to take the new specification at face value, and accept the limitations of peer-to-peer benchmarking within a wider due diligence process. This specification also offers value for companies seeking another tool for vetting their suppliers and categorising risks - but don’t forget that certification will be one single indicator amongst others – with its limitations.

Those seeking to ensure adequate procedures to prevent bribery should consider taking the time and investment for an independent review of their anti-bribery regime, addressing the hard-to-reach issues of behavioural risk, corporate values and ethical decision-making, as well as the policies and procedures themselves.

03 October 2011

“Our bank details have changed"… or have they?

The problem

“Dear Accounts Payable department,
Our bank details have changed to the following.  Please can you update your records.”

Although not new, the “change of supplier bank details” scam illustrated above is staging a comeback with large companies paying out large sums to the wrong people.  To avoid being the next victim, here are some simple precautions.

What to do

Check your procedure for dealing with these requests, some of which may be legitimate:

  • Do you phone the supplier using a number taken from their website, ideally speaking to someone you know and have known for some time, to confirm the details of the change?
  • Do you make a note of the call?
  • Does the resulting change to the supplier master file require a senior level of dual authorisation, eg the same as for authorising a BACS payment run? Are changes made reviewed and validated subsequently? (Don’t imagine that an instruction to pay funds to an account with an inconsistent account name will be picked up by your bank – it’s the sort codes and account numbers which determine where the money goes.)

Watch out for the giveaways:

  • Often the letter will include the invitation “in order to confirm this instruction, please call me on my direct dial number xxx” – this will be an unconnected rented line or accommodation office manned by the fraudsters;
  • Similarly, beware of supposedly confirmatory emails from almost identical email addresses, eg .com instead of .co.uk, or pricewaterhousecooper instead of pricewaterhousecoopers, which the fraudster has set up for that purpose;
  • Does the letter or email contain any errors? It’s surprising how many typos can often be found;
  • Is the letter marked urgent or accompanied by pressuring phone calls, warning of the consequences if the change is not made straightaway?
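The checks in the procedure above (call-back to a known contact, dual authorisation of the master-file change) and the lookalike-address giveaway can be put in front of the supplier master file as a screening step. The following is an added example, not code from the PwC post; the supplier references, registered domains, approver list and the 0.9/two-edit lookalike thresholds are constructed assumptions, and UK-format sort code and account number checks are included since that is the format the post discusses.

```python
"""Added example (not from the PwC post): screening a "change of bank
details" request before it is applied to the supplier master file.

Automated here:
  * the lookalike-address giveaway: the sender's domain is compared with the
    domain held on file for the supplier; the same name under a different
    TLD (.com vs .co.uk) or a name within two character edits of the real
    one is flagged as a lookalike rather than accepted;
  * dual authorisation: the change only passes once two distinct approvers
    from the senior approver list have signed it off;
  * a recorded confirmation call and a basic UK sort code / account format check.

Supplier references, domains and approver ids below are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed supplier master file: supplier reference -> registered email domain.
SUPPLIER_DOMAINS = {
    "SUP-001": "pricewaterhousecoopers.co.uk",
    "SUP-002": "acme-widgets.com",
}

# Constructed list of people allowed to authorise master-file changes.
SENIOR_APPROVERS = {"finance.director", "head.of.ap", "cfo"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert / delete / substitute), standard DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """'acme-widgets.com' -> ('acme-widgets', 'com'); 'x.co.uk' -> ('x', 'co.uk').
    Simplification: the registrable name is everything before the first dot."""
    name, _, tld = domain.lower().strip().partition(".")
    return name, tld


def classify_sender_domain(sender_domain: str, registered_domain: str) -> str:
    """'match', 'lookalike' or 'unrelated' relative to the domain on file."""
    s_name, s_tld = split_domain(sender_domain)
    r_name, r_tld = split_domain(registered_domain)
    if (s_name, s_tld) == (r_name, r_tld):
        return "match"
    if s_name == r_name:                     # same name, different TLD
        return "lookalike"
    if edit_distance(s_name, r_name) <= 2:   # dropped / swapped / extra letter
        return "lookalike"
    return "unrelated"


@dataclass
class ChangeRequest:
    supplier_ref: str
    sender_email: str
    new_sort_code: str
    new_account: str
    approvals: set = field(default_factory=set)  # approver ids who signed off
    callback_note: str = ""                      # record of the confirmation call


def screen_change_request(req: ChangeRequest) -> dict:
    """Return {'apply': bool, 'reasons': [...]}; empty reasons means all checks passed."""
    reasons = []
    registered = SUPPLIER_DOMAINS.get(req.supplier_ref)
    if registered is None:
        reasons.append("unknown supplier reference")
    else:
        sender_domain = req.sender_email.rsplit("@", 1)[-1]
        verdict = classify_sender_domain(sender_domain, registered)
        if verdict != "match":
            reasons.append(f"sender domain {sender_domain!r} is {verdict} "
                           f"(on file: {registered!r})")
    if not req.callback_note:
        reasons.append("no record of a confirmation call to a known contact on a "
                       "number taken from the supplier's own website")
    sort_digits = req.new_sort_code.replace("-", "")
    if not (sort_digits.isdigit() and len(sort_digits) == 6
            and req.new_account.isdigit() and len(req.new_account) == 8):
        reasons.append("sort code / account number not in UK format")
    valid = req.approvals & SENIOR_APPROVERS
    if len(valid) < 2:
        reasons.append(f"dual authorisation by two senior approvers required "
                       f"({len(valid)} recorded)")
    return {"apply": not reasons, "reasons": reasons}


if __name__ == "__main__":
    # Constructed requests: one genuine-looking, one with the classic giveaways.
    good = ChangeRequest("SUP-002", "ap@acme-widgets.com", "12-34-56", "12345678",
                         {"cfo", "head.of.ap"}, "Called J. Smith on website number, confirmed")
    bad = ChangeRequest("SUP-001", "accounts@pricewaterhousecooper.co.uk",
                        "12-34-56", "12345678", {"cfo"}, "")
    for r in (good, bad):
        print(r.supplier_ref, screen_change_request(r))
```

The account-name field is deliberately absent from the checks: as the post notes, the bank routes on sort code and account number, so a mismatched name is not something the bank will catch for you.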

Warn your staff:

  • Before sending these letters, the fraudsters will often make so called “pretext” calls to your company to try and get information which will then be used to increase their chances of success.  This includes asking for the names or direct telephone numbers of people in your accounts payable department, or the supplier reference number for a particular supplier; these calls may be prefaced by an innocuous call (eg asking to check the post code) through which the fraudster establishes in the mind of the victim that he or she does indeed work for the supplier; in this way, the next time they call they are more likely to be accepted as genuine;
  • Is your clean desk policy working in practice? If not, this is a far easier way for the important information above to be gathered;
  • Information is also gathered by fraudsters through Freedom of Information requests and via compulsory public sector disclosure requirements. Consider if you are disclosing more than you need to.

Finally, consider the “inside job”.  Is there anyone in your organisation who could create such a letter him/herself, and then arrange for a supplier’s bank details to be changed?  If so, that person probably has too much power.

The fraud above fails in 99% of cases, but when it works, it’s very lucrative.  Implementing the steps above will stop you being in the 1%.

13 June 2011

Cyber: the new face of fraud

As investigators we tend to be very good at keeping up with latest trends; indeed many of us remember when credit card fraud and internet scams were new. As with any new fraud scheme, it’s natural for us to adapt accordingly, responding with new controls, monitoring techniques, detection methods and so on.

But how many of us are truly aware of the fraud risks posed by the significant cyber threat? And for those who are, do they have the support of a cyber-savvy organisation and senior management?

The threat from cyber crime has increased dramatically for three important reasons. Firstly, the internet de-risks fraud for the perpetrators – they can be anywhere in the world and can easily mask their identity and location. Secondly, the internet has concentrated the targets. To do business today organisations have to be connected to the internet, thus all targets are conveniently concentrated in one place: cyber space. Thirdly, functional transferable skills are concentrated and their development is encouraged. As if it wasn’t enough that cyber criminals became organised – hiring technical talent, implementing project management, performing quality reviews and so on – the virtual ethos has been augmented by physical concentrations, so called “Silicon Valleys” of cyber crime (see How a Remote Town in Romania Has Become Cybercrime Central, Wired Magazine, February 2011).

Cyber criminals are operating in a perfect storm of opportunity, and we as fraud professionals need to up our game to meet and exceed their capabilities, skills and motivation.

To do this we need to convince our organisations that cyber crime is not just an IT or information security issue. We need to understand the nature of the threats. Is the greater threat from outside attack or from IT-literate employees stealing intellectual property? Are we more likely to suffer a network breach or be a victim of social engineering? We need to ask and answer these questions, and then achieve a balance of preventive, detective and responsive/investigative efforts.

It’s not easy; we can’t just unplug from the internet or ban the use of new technology. The business needs of the organisation will demand quick adoption of new technology, development of mobile applications, connection of unsecured devices and more. As fraud investigators we need to develop complete awareness of the situation and an unprecedented agility to respond.

The stakes are high. Press reports indicate that data breaches can cost companies hundreds of millions of dollars. The frauds against the European emissions trading registries were worth about €45 million, and that doesn’t include the impact of the spot trading market being shut down for a number of weeks.

Can you remember when it was rare to see headlines about events like these? How many have you seen this week?

To understand how cyber threats have increased in scale and sophistication – and the impact this can have on an organisation – the PwC Fraud Academy is hosting an event on 5 July 2011. Our information security team, cyber crime investigators and external guest speakers will discuss their views on cyber crime, the associated risks and methods for dealing with it.

For more information and to register for this event click here: http://www.pwc.co.uk/eng/events/southeast/london/050711-cyber-crime-is-your-organisation-a-target.html

12 May 2011

Are you a good lie detector?

Many thanks to Dr Sharon Leal, Senior Research Fellow in Psychology at Portsmouth University, who has contributed the following ‘guest blog’.  PwC Fraud Academy members will have the opportunity to learn more from Dr Leal about detecting liars, by attending the next PwC Fraud Academy event, in London on Wednesday 8 June 2011.  Please click on the link for further details and to register:
http://www.pwc.co.uk/eng/events/southeast/london/finding-where-the-truth-lies.html

Do your many years of experience in the field make you better at catching a liar than the average lay person? Sadly the chances are that they do not! Scientific research has demonstrated that most people grossly overestimate their ability to detect lies. In reality they are typically very bad at it; even professional lie catchers such as police officers and fraud investigators are barely above chance … you’d get similar accuracy levels if you simply tossed a coin!

Why are people so bad at catching a liar? There are a number of reasons. Interview techniques are usually poor and the interviewers tend to look for completely the wrong verbal and non-verbal cues to detect deceit. Other reasons include a worrying tendency for the use of technological ‘toys’ that sound impressive but have no hard evidence to show that they work. An example of this is voice stress analysis. Indeed, the European consortium of Psychological Research for the Detection of Deception (E-PRODD www.eprodd.net), which consists of top scientific experts in the field of deception detection, warns against the use of this and other gadgets that have no scientific underpinning at all.

So can people improve their ability to detect lies? The answer is yes: by learning how to conduct better interviews and identifying the correct indicators of deceit. Both are achievable through using scientifically sound, evidence-based tools. As a result lie detection significantly improves!

Unlearning old habits and heuristics for lie detection is not easy; it takes thought and effort and of course an admission to yourself that you may have got it wrong in the past.  The benefits of more accurate lie detection far outweigh these costs though. Erroneous veracity judgements based on poor forensic techniques are not only morally wrong, they waste time, money and in some cases cost lives.

13 April 2011

Bringing business realities closer to expectations

Bit of an odd title, isn’t it?  But in how many organisations does reality really line up with expectation?  What would the financial benefit be if we could make this happen?

In our upcoming breakfast briefing on May 4th, we discuss some of the advances in technology and analytics over the past couple of years which make it possible to make the most of the data in your existing ERP or finance systems in a real-time fashion to identify and track opportunities for cost savings, efficiency gains and better risk visibility and management.  We call this continuous transaction monitoring (CTM). 

In a series of three short blog posts, I'll give a brief summary of some points of view we’ll discuss next month, along with some research from our recent global studies and a cheat-sheet of what you need to be thinking about when considering a CTM project to ensure you get rapid, tangible benefits from it.

Chief Financial Officers and Heads of Internal Audit often have ‘wish lists’ along the lines of:

  • “Our shared service centre is a streamlined function which processes all transactions correctly and we have no problem with duplicate payments”
  • “Our financial controls and approval thresholds are set appropriately and working”
  • “We have timely visibility of policy or control violations and changes to risk profiles”
  • “Manual journals and bulk actions are valid and do not need significant manual review”
  • “Our suppliers conform with delivery and invoicing timelines, we have suppliers appropriately categorised and know which of our third parties or agents are highest risk”

Does this resonate with parts of the ‘perfect world’ scenario for your organisation?

My own view is that there are compelling business cases for CTM, which has a huge amount to offer and is an effective way to streamline processes, reduce headcount, and eliminate root causes of errors and opportunities for fraud or misuse.  I look forward to explaining the reasons for this and hearing other people’s perspectives on May 4th.  I hope that you can join me.

To register your interest in this event please click the link below:

http://www.pwc.co.uk/eng/events/southeast/london/040511_transaction_monitoring.html

Part 2 

The section above set out some wish list scenarios for organisations.  The following often reflects reality more accurately based on what we typically see:

  • “A significant number of corrections are required in the shared service centre, which are hard to isolate root causes for and prevent.  We think it’s a combination of 20 suppliers and 5 poorly performing staff but it’s difficult to find out.  Duplicate payments cost us several hundred thousand pounds every year.”
  • “Our financial controls degrade over time and staff always find new ways of getting round controls.  Sometimes this is just to do their work.  Sometimes it’s for malicious purposes.”
  • “With so many ERP or finance systems across the organisation, it is difficult to get visibility of whether policy is being followed or if, for example, there is inappropriate entertainment expenditure being incurred in Russia.”
  • “We create a lot of manual journals for corrections, adjustments etc.  This involves a lot of time and expense.  If problems were spotted in real time this could be avoided.”
  • “We have no way to monitor high-risk payments being made to suppliers.  And no way of escalating these to the right people automatically.”

Our recent surveys show that addressing these issues and making the points above sound like the ones in our previous blog post is something that’s on the mind of CEOs and Heads of Internal Audit.

PwC’s 2011 ‘Global CEO Survey’ shows that CEOs have a renewed focus on innovation and technology to help reduce bottom line costs, improve top line margins and keep risk in check.  70% of respondents this year are investing in IT to reduce costs and become more efficient, with 54% specifically highlighting data analytics as a strategy for this.

Our 2011 ‘State of the Internal Audit Profession’ study shows that internal audit is focused on areas which support the CEO agenda, but highlights a lack of confidence about keeping pace to effectively address these topics.  This is a particular concern as internal audit transitions from financial controls oversight to advising on wider business and compliance risks, such as the Bribery Act.  Chief Audit Executives are unanimous in saying that risk lies in the speed at which advances happen now and the ever decreasing timeframe in which organisations must react. 

From our experiences, technology has definitely advanced to the point where it can help businesses improve their reaction times.  What are your thoughts?  Please come along to our May 4th event and share your experiences.

To register your interest in this event please click the link below:
http://www.pwc.co.uk/eng/events/southeast/london/040511_transaction_monitoring.html

Part 3

It’s no longer enough to identify issues as part of a light-touch year-end dive into some data.  Running basic red flag tests such as looking at weekend postings is quite limited both in terms of scope and the level of insight such tests provide.

Technology can now enable continuous, automated deep-dives into data from multiple systems, in multiple geographies.  It can feed you with information you need to know about, providing you with the ability to act before something becomes a big issue.
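The red-flag tests mentioned here and in the Part 2 list (duplicate payments, weekend postings, high-risk supplier payments with automatic routing to an owner) can be expressed as a small stateful monitor that sees each posting as it arrives rather than in a year-end batch. The block below is an added example, not PwC’s CTM tooling; the supplier risk tiers, thresholds, 30-day window, routing owners and the postings themselves are constructed sample data.

```python
"""Added example (not PwC's CTM tooling): transaction-level red-flag tests run
continuously over a stream of accounts-payable postings.

Tests implemented:
  * duplicate payment: same supplier, same amount and same normalised invoice
    reference (case and punctuation stripped) within a rolling window;
  * weekend posting: entry posted on a Saturday or Sunday;
  * high-risk payment: amount above the supplier's risk-tier threshold, or a
    payment to a supplier whose bank details changed within the window.
Every finding carries an owner so it can be assigned and escalated automatically.

Suppliers, tiers, thresholds and postings are constructed sample data.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta
import re

SUPPLIER_RISK_TIER = {"SUP-001": "low", "SUP-002": "high"}     # constructed
TIER_THRESHOLD = {"low": 50_000.0, "high": 10_000.0}           # constructed
RECENT_BANK_CHANGE = {"SUP-002": date(2011, 4, 28)}            # constructed
ROUTING = {                                                    # constructed owners
    "duplicate_payment": "ap.team.lead",
    "weekend_posting": "internal.audit",
    "high_risk_payment": "finance.director",
}


def normalise_ref(ref: str) -> str:
    """'INV-1001' and 'inv 1001' both become 'inv1001'."""
    return re.sub(r"[^a-z0-9]", "", ref.lower())


class TransactionMonitor:
    """Stateful monitor: call ingest() for each posting as it is booked."""

    def __init__(self, window_days: int = 30):
        self.window = timedelta(days=window_days)
        # (supplier, normalised ref, amount) -> [(posted datetime, posting id)]
        self._seen = defaultdict(list)

    def ingest(self, p: dict) -> list:
        findings = []
        posted = p["posted"]
        key = (p["supplier"], normalise_ref(p["invoice_ref"]), round(p["amount"], 2))

        # 1. duplicate payment within the rolling window
        for earlier_posted, earlier_id in self._seen[key]:
            if posted - earlier_posted <= self.window:
                findings.append(self._finding(
                    "duplicate_payment", p,
                    f"matches posting {earlier_id} on {earlier_posted:%Y-%m-%d}"))
                break
        self._seen[key].append((posted, p["id"]))

        # 2. weekend posting (Monday == 0, so 5/6 are Saturday/Sunday)
        if posted.weekday() >= 5:
            findings.append(self._finding("weekend_posting", p, posted.strftime("%A")))

        # 3. high-risk payment: unknown suppliers are treated as high tier
        tier = SUPPLIER_RISK_TIER.get(p["supplier"], "high")
        if p["amount"] > TIER_THRESHOLD[tier]:
            findings.append(self._finding(
                "high_risk_payment", p, f"above {tier}-tier threshold"))
        changed = RECENT_BANK_CHANGE.get(p["supplier"])
        if changed and posted.date() - changed <= self.window:
            findings.append(self._finding(
                "high_risk_payment", p, f"bank details changed {changed:%Y-%m-%d}"))
        return findings

    @staticmethod
    def _finding(test: str, p: dict, detail: str) -> dict:
        return {"test": test, "posting": p["id"], "supplier": p["supplier"],
                "amount": p["amount"], "detail": detail, "owner": ROUTING[test]}


# Constructed postings (2 May 2011 was a Monday, 7 May 2011 a Saturday).
SAMPLE_POSTINGS = [
    {"id": "P1", "supplier": "SUP-001", "amount": 1200.00, "invoice_ref": "INV-1001",
     "posted": datetime(2011, 5, 2, 10, 15)},
    {"id": "P2", "supplier": "SUP-001", "amount": 1200.00, "invoice_ref": "inv 1001",
     "posted": datetime(2011, 5, 9, 14, 0)},   # re-keyed copy of P1
    {"id": "P3", "supplier": "SUP-002", "amount": 15500.00, "invoice_ref": "A-77",
     "posted": datetime(2011, 5, 7, 23, 40)},  # Saturday, high tier, recent bank change
    {"id": "P4", "supplier": "SUP-001", "amount": 800.00, "invoice_ref": "INV-1002",
     "posted": datetime(2011, 5, 10, 9, 0)},   # clean
]


def run_monitor(postings: list) -> list:
    """Feed postings through one monitor instance and collect every finding."""
    monitor = TransactionMonitor()
    findings = []
    for p in postings:
        findings.extend(monitor.ingest(p))
    return findings


if __name__ == "__main__":
    for f in run_monitor(SAMPLE_POSTINGS):
        print(f"{f['posting']} {f['test']:<18} -> {f['owner']:<17} {f['detail']}")
```

Keying duplicates on a normalised reference is what lets the test catch the re-keyed copy (“inv 1001” against “INV-1001”) that an exact-match year-end query would miss; the window keeps memory bounded when the monitor runs indefinitely.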

90% of the internal audit survey respondents (from our 2011 ‘State of the Internal Audit Profession’) have an increased focus on “new IT systems or process/control environments” and 82% state an increased focus on “process improvement/operational efficiency/cost reductions”.  We see CTM as an enabler for both internal audit and the wider organisation to meet these objectives.

Our goal with continuous transaction monitoring is to help clients embed analytics as part of their business processes, ensuring accurate information on performance, exceptions and root causes is getting to the right people in real time.  This enables businesses to more continuously tune business performance – driving better user or supplier behaviour, or helping correct processes or controls in your existing systems. This is in marked contrast to the traditional challenges faced by addressing “yesterday’s problem tomorrow”.

The application of real-time analytics should be:

  • Intuitive enough to be used and understood by all business users.  It shouldn’t require a PhD in artificial intelligence to understand, and results should be reported back in the language of the business so they can be easily interpreted.
  • Compatible with existing ERP finance systems, able to operate without manual intervention, and used and trusted by the business as a platform for valuable insights as part of normal business, not as a separate project.  Able to scale and adapt as your business grows or changes, and designed specifically to operate continuously.
  • Collaborative, providing an environment for users to engage jointly in the confirmation of issues and resolution of root causes.  Automatic routing, assignment and escalation of issues to minimise manual effort and free up staff for higher-value tasks.
  • Aligned to strategic organisational objectives around efficiencies, cost reduction or risk identification and mitigation.  CTM should be considered a process rather than a project.

We believe that the technologies are now available to make these goals achievable, but we would like to hear your views and experiences.  Please do come along to the event and see how this works in practice.

http://www.pwc.co.uk/eng/events/southeast/london/040511_transaction_monitoring.html

14 December 2010

Santa Claus is coming to town...

Christmas is traditionally a time for present-giving and most people will be looking forward to giving and receiving lots of goodies from friends and families.  Some people will also be expecting to give and receive presents at work, and here I’m not talking about gifts to colleagues (which are great), but rather gifts to customers or presents from suppliers.

Both types of gifts (the “friends and family” ones and the so-called “corporate gifts”) appear similar – they are after all seasonal expressions of goodwill to people you know – but there are crucial differences.  The friends and family ones:

  • are generally reciprocal, 
  • are not given with an ulterior motive and, crucially, 
  • are paid for personally by the giver. 

The same cannot be said of the corporate gifts which are usually one way, have an obvious motive and are claimed on expenses.

So, what’s wrong with the corporate gifts?  For me, just about everything:

  • firstly, there’s a clue in the name – if the gifts are “corporate” they should go from one company to another company, not to that company’s employees, and certainly not to individual employees who happen to have buying power;
  • secondly, there’s the motive – if you are trying to influence the recipient, surely that’s wrong?  And if you are not trying to influence the recipient, how is that an appropriate use of shareholders’ funds? 
  • finally, gifts of all kinds will be an increasingly sensitive area once the Bribery Act comes into force.  As long ago as 1997, a Law Commission report examined the old question of corporate hospitality and concluded that if a company’s directors took a customer to a football match it was probably okay, but if they simply sent him “a ticket for the match with their compliments, it would be hard to resist the inference that this was primarily (if not exclusively) a bribe.”  Surely the same logic applies to Christmas gifts?

To avoid the risk, givers need to be sure their generosity is not misconstrued.  Receivers need to:

  • have a gifts policy which is posted on the external website and enforced – say what is fine (eg branded biros, calendars and mousemats) and what isn’t (eg cash and cash equivalents, gifts delivered to home addresses etc); 
  • remind/train all staff and inform all suppliers about the policy; gifts are to be discouraged unless clearly at odds with local culture;
  • record all gifts in a register – those which breach the policy should be returned or given to charity.

Sorry to be a Scrooge, but all in all, 2010 is a year for extreme caution.  Or as the song goes, “You had better be good for goodness sake!”

I would welcome any comments you have on this topic.

Edwin Harland


27 October 2010

Prevent fraud – employ honest people!

A Google search for the separate words “buy cheap degree without study” generates about 7,000,000 hits.  The sponsored links are for places like “Redding University” (sic) and “Hill University” where bachelor’s degrees can be obtained “in seven days” and “with no coursework” respectively for as little as $130.  Of course it’s fun to have a chuckle about the seductive claims, eg:

  • Earn you a secured upper level job,
  • Get you a well deserved promotion, and
  • Boost your career potential.

but there is a serious point here too.  These sites exist because people use them, and people use them because they work.  A couple of years ago a well known international hotel chain was about to promote a longstanding existing employee to the main board.  Because of the seniority of the new position they screened him at the time and then found he didn’t have the degrees he claimed. He was allowed to resign.

Talking to clients who have suffered a fraud, they are usually confident that new employees in their organisations are screened but unsure of what this process actually involves.  My guess is that a couple of written references is often as far as it goes.

When it comes to educational qualifications, few will contact the institution involved and very few will check that it is actually accredited.  And the very small number who go to the lengths of phoning the institution may not realise that some websites offer a “24/7 Credentials Verification service”. One client who suffered a £2m fraud found belatedly that the mobile numbers he had spoken to for references had both been answered by the fraudster himself.

Most fraud is committed by or with the involvement of employees.  Recruiting only honest employees is the obvious first step to prevent this.

I would welcome any comments you have on this topic.

Edwin Harland


20 October 2010

Welcome to the PwC Fraud Academy blog

We have created the blog as a forum to share views and knowledge and also to stimulate debate.  You will see a range of views expressed from different experts in PwC about fraud, corruption and business ethics issues.  Some of the blog entries will be about providing information to you, in others we may be asking for your views.  You will be able to respond directly to the author if you wish to do so.  We will not be publishing members' responses on the blog site at this stage, but should this change we will let you know in advance.