Fraud Indicators and Red Flags

@ComplianceWeek | #CW2017

Pekka Dare, Director, Training Education & Development - ICT

Jose Tabuena, Chief Privacy Officer – UT Southwestern Medical Center


The Perpetrators

According to KPMG a typical fraudster is:

• between the ages of 36 and 55 (69%)

• predominantly male (79%), with the proportion of women 17%, up from 13% in 2010

• a threat from within (65% are employed by the company)

• holds an executive or director level position (35%)

• employed in the organization for at least six years (38%)

• 3X as likely to be regarded as friendly as not, with only 18% described as autocratic

• esteemed, describing themselves as well-respected in their organization

• likely to have colluded with others (62%, down just slightly from 70% in 2013)

• motivated by personal gain (60%), greed (36%) and the sense of ‘because I can’ (27%)

Fraud Control Process

1. Risk assessments

2. Fraud Awareness programs

3. Reducing opportunities

4. Internal controls

  • Automated systems

  • Physical security and access controls

5. Developing an anti-fraud culture

6. Information security

The Risk Management Cycle

• Identify risk

• Assess impact of risk

• Control & reduce risk

• Consistently review

Risk Management Process

• Establish risk management group

• Identify risk areas

• Understand/assess scale of risk

• Develop a risk response strategy

• Implement and monitor

• Review and refine process

Fraud Awareness Programs

• Reference to fraud risk assessment and controls

• Company/sector specific

• Who? Reality is every employee within the organisation presents a possible risk

• Practical application

• Followed up to include developing trends

Reducing Opportunities

• Developing an anti-fraud culture

• Effective controls increase perception of detection

  • Segregation of incompatible duties

  • Sound authorisation and documentation processes

  • Independent checks

  • People controls

Internal Controls

• Automated systems

• Physical security and access controls

Identifying Red Flags

Role of the 1st Line of Defence in spotting red flags

• Red flags are always present – but not recognized or not acted on

• Always take action to investigate, even if it seems minor

• But, sometimes an error is just an error – have an open mind

Role of the 2nd Line of Defence in spotting red flags

• Compliance ongoing monitoring of controls

• Providing advice

• Facilitating risk management activities

Travel and Entertainment Red Flags

• Claims for T&E that never materialized

• Flights in first class when more modest means were available, in violation of company policy

• Claims for meals or entertainment in excess of per diem

Auditing Travel and Entertainment Expenses Using IDEA, 2007


[Diagram: data analysis coverage. Data sources: Payroll, HR, Expense Disbursements, Accounts Payable, P-Card, Accounts Receivable, Vendors. Tests: Address Verification, Benford's Law, Duplicate Payments, Management Reporting, Unexpected Relationships, Internal Controls, Shared Elements Testing, High Risk Focus, SSN testing, Overpayments, Manual & Special Payments, Client-customized Testing, External Data Verification. Scoring Algorithms produce Employee Scores, Customer Scores and Vendor Scores.]

Proactive Approaches: Data Analysis

• Tests:

  • Identify vendors and employees with common SSN and Tax ID #s

  • Identify vendors and employees with common bank account #s

  • Identify vendors and employees with common addresses

Commonalities Between Employees and Vendors

Employee Name        Vendor Name            SS No.  Tax ID  Vendor Bank A/C  Employee Bank A/C  Vendor Address  Employee Address
Roe, Jane            Montvale Plumbing      1       1       2                2
Thomas, Betty        Hillstreet Electric    1       1       2                2                  3               3
Stewart, Jon         Daily Report           1       1
Colbert, Stephen     Pundit Report          1       1       2                2
Coyote, Wile E.      Acme Supplies          1       1
Murphy, Heather      United Circuits        1       1
Brownie, Michael     Emergency Management   1       1       2                2
Ball, LaVar          Little Baller          1       1       2                2
Murray, Sophia       Polar Enterprises      1       1       2                2                  3               3
Utonium, Professor   Powerpuff Security     1       1
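The shared-element tests listed above, as an added example that is not part of the presentation: it normalizes identifiers and addresses before comparing them, flags every employee/vendor pair that shares an SSN/Tax ID, a bank account or an address, and ranks pairs by how many elements coincide (a simple stand-in for the slide's scoring). Names are taken from the slide's table; every identifier and address is constructed, and the column names are assumptions.

```python
import re
from itertools import product

# Constructed sample records (names from the slide; identifiers and addresses are made up).
EMPLOYEES = [
    {"name": "Roe, Jane", "ssn": "123-45-6789", "bank": "GB29NWBK60161331926819", "address": "12 Hill Street, Montvale, NJ"},
    {"name": "Thomas, Betty", "ssn": "987-65-4321", "bank": "000111222", "address": "7 Oak Ave., Suite 3, Dover, DE"},
    {"name": "Stewart, Jon", "ssn": "111-22-3333", "bank": "555666777", "address": "1 Main St, Springfield"},
    {"name": "Coyote, Wile E.", "ssn": "444-55-6666", "bank": "999888777", "address": "Desert Rd 1, Tucson, AZ"},
]
VENDORS = [
    {"name": "Montvale Plumbing", "tax_id": "123456789", "bank": "GB29 NWBK 6016 1331 9268 19", "address": "PO Box 9, Montvale, NJ"},
    {"name": "Hillstreet Electric", "tax_id": "98-7654321", "bank": "000111222", "address": "7 Oak Avenue Ste 3, Dover DE"},
    {"name": "Daily Report", "tax_id": "11-1223333", "bank": "121212121", "address": "500 News Plaza, Chicago, IL"},
    {"name": "Acme Supplies", "tax_id": "44-4556666", "bank": "343434343", "address": "PO Box 77, Tucson, AZ"},
]

_ABBREV = {"STREET": "ST", "AVENUE": "AVE", "ROAD": "RD", "SUITE": "STE"}


def norm_id(value):
    """Keep only alphanumerics, upper-cased, so '123-45-6789' and '123456789' compare equal."""
    return re.sub(r"[^0-9A-Z]", "", value.upper())


def norm_address(value):
    """Upper-case, drop punctuation, collapse whitespace and expand common street abbreviations."""
    tokens = re.sub(r"[^0-9A-Z ]", " ", value.upper()).split()
    return " ".join(_ABBREV.get(t, t) for t in tokens)


def shared_elements(employees, vendors):
    """Return {(employee, vendor): [matched elements]} for each pair sharing at least one identifier."""
    hits = {}
    for emp, ven in product(employees, vendors):
        matched = []
        if norm_id(emp["ssn"]) == norm_id(ven["tax_id"]):
            matched.append("ssn_taxid")
        if norm_id(emp["bank"]) == norm_id(ven["bank"]):
            matched.append("bank")
        if norm_address(emp["address"]) == norm_address(ven["address"]):
            matched.append("address")
        if matched:
            hits[(emp["name"], ven["name"])] = matched
    return hits


def ranked(hits):
    """Highest-risk pairs first: the more shared elements, the higher the pair sorts."""
    return sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for (emp, ven), elems in ranked(shared_elements(EMPLOYEES, VENDORS)):
        print(f"{emp:<18} {ven:<22} shares: {', '.join(elems)}")
```

Pairs surfaced this way are leads for follow-up by the second line, not proof of fraud: a legitimate employee-owned side business will match on exactly the same fields.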

Information Security

• Data theft and the misuse of data are the biggest enablers of fraud

• Top 5 Risks

  • Data protection regulation

  • Mobile working

  • BYOD

  • Data breaches

  • Data proliferation

ID Theft

Behavioural Profiles

• How many behavioural characteristics can you think of that would suggest high risk of fraud?

Incentive Programs

• Incentive programs for management are the norm and also common for the rank and file.

• Despite incentive programs and the potential risks being so common, the compliance team typically does not have a role in reviewing it to identify and mitigate risk prior to implementation.

• 52% never review: SCCE/HCCA Survey, April 2017

COSO Control Environment Testing

Principle 5. The organization holds individuals accountable for internal control responsibilities in the pursuit of objectives.

Points of focus for audit (3rd Line of Defence):

• Enforces accountability through structures, authorities, and responsibilities

• Establishes performance measures, incentives, and rewards

• Evaluates performance measures, incentives, and rewards for ongoing relevance

• Considers excessive pressures

• Evaluates performance and rewards or disciplines individuals

Fraud Typologies

• Examine the detailed fraud example allocated to you

• Compare and contrast the various vulnerabilities and failure of controls.

• Could each one occur in your organisation; if not, why not?


Fraud Case Studies

Case 1: HBOS Scam

UK: Internal bank fraud, £245m – HBOS manager jailed over £245m loans scam

• Used relationship with bank to bully business owners and strip them of assets

• Judge: “[you] sold your soul, for sex, for luxury trips with and without your wife – for bling and for swag!”

• Red flags?

  • victims ignored when trying to report what was going on

  • one offender had a £2m superyacht

  • jewellery, luxury hotel stays, business-class flights

Case 2: BP Oil Spill Fraud Case

US: BP Oil Spill Fraud Case – 2 convicted

• Made up fake clients to sue BP

• List compiled of 40,000 people who wanted to sue BP

• Significant errors: included names of the dead, people who never gave permission for representation and even a dog’s name!

• Fraudsters passed the information up the chain to the law firm

• Supposed to be paid from a $2.3 billion fund BP set aside to compensate fishermen

Case 3: China and $7.6bn Fraud

• Involves P2P lender Ezubao concocting fake projects to attract investment

• 26 people charged with fraud - including top executives of Ezubao’s parent company

• Televised confession when principal suspect said Ezubao was "a typical Ponzi scheme"

• Largely unregulated peer-to-peer lending sector
