Fraud Risks & Controls in the Financial Sector*

Transcription

1 March 2009 Fraud Risks & Controls in the Financial Sector* *connectedthinking

2 Foreword

3 Purchase IT Staff Finance F-Scan Security Administrative Organisation & Internal control Management Production Ethics & Integrity Financial Crime is a prominent issue that financial institutions need to tackle with great care. It is known to be more prevalent in the financial sector than in any other: in our last Global Economic Crime Survey (2007), the insurance sector was the most frequent victim (57% of insurance respondents had suffered fraud in the last two years), closely followed by the other Financial Services (46%), whilst the overall average was 43%. The current economic crisis also impacts fraud risk management as many financial institutions are currently launching cost reduction plans (sometimes involving reduction of staff), potentially resulting in weakening of the control environment as controls will be performed by less experienced staff or, in the worst, not performed anymore. Moreover, back-office staff is currently facing significant increases in workload on issuing valuations statistics due to the difficult economic environment, leading to decreased focus on the execution of controls that are there to mitigate fraud risk. Finally, the closing down of certain activities within financial institutions could impact the incentive to commit fraud for those who will leave the company in the near future. Therefore, whilst the legal environment and regulators have obviously pushed the Financial Sector in the right direction, it is now time to take the lead in protecting your earnings and your reputation in these troubled times. In this respect, the PwC Forensic Team, together with our Financial Sector specialists, has designed a dedicated Top 10 service offering to support you in the timely detection and efficient prevention of your fraud risk.

4 Prevention

5 Prevention Fraud scan Realise the quick wins Our F-Scan is a competitive sector-oriented benchmarking solution aimed at assessing the fraud vulnerability of your business. Within a week, we assess your key risk areas against best practice for institutions of a similar size. We focus on fraud considerations made by management in order to detect fraud risks and weaknesses within your organisation. The outcome includes a targeted and cost-effective action plan. Identification of fraud warning signs Fraud warning signs identified or fraud risky business Decision wether fraud scan is required Selection by management of at least 4 domains to be included in fraud scan Determination of company characteristics Completion of question list on company characteristics Remittance of question list to PwC Forensic team Execution of fraud scan on site Interviews with key management based on selected risk domains The scan is executed by members of PwC Forensic team Analysis of results At least 4 risk zones are analysed Score by risk zone and category Reporting Findings Recommendations Urgent actions

6 Prevention Fraud Internal Controls Matrix Know where you are today Best practice indicates that the key elements of an anti-fraud program are prevention and timely detection of fraud and misconduct. Such objectives can be reached through strong and effective internal controls. Your existing anti-fraud control environment can be assessed based on an internationally accepted control framework (COBIT, COSO, etc.). Existing policies and procedures tackling fraud risk will be examined to understand which component of your control framework (control environment, risk assessment, control activities, etc.) they do address. The matrix derived from this exercise (see example below) will help you identify components of your control framework that are not addressed by your existing control environment (in our example, Fraud Risk Assessment in light blue). An action plan will then be drafted to progressively fill in the gaps. Internal Controls Components Control Environment Document Type Title Entity scope when specified Ethical Conduct, Legal and Compliance Risk Operational risk Management Accountability (Oversight) x x Audit Committee (Oversight) x x Board Policies Bank Admission Policy Bank Sponsorship Policy Conflicts of Interest - Board Policy All All All All All Type of document Board Policy Board policy Board Policy Board Policy Board Policy Date janv-09 janv-09 mars-09 juin-09 nov-08 Code of conduct / Ethics x x Ethics hotline Hiring and Promotion Procedures Investigation/ Remediation Fraud related policies x x Process for assessing risk Fraud Risk Assessment Fraud considered Likelihood and significance of fraud Level within organization Risk of management override Asset Management Investment process Funds allocation Back Office Control Activities In-/Outsourcing No fraud related document identified for this sub-process. Credit Commitments x x x Documentation x Reconciliation Signature Refinancing Payment x x x

7 Prevention Fraud Risk Map Visualize the risks of your activities The Fraud Risk Map presents the fraud risk assessment of a series of your activities (to be selected by you) against various fraud types selected by PwC as being potentially relevant to the activities under scrutiny. The map links the activities to the different fraud types with a coloured cell (green, yellow, red). Based on this visual, you will have an overview of uncovered risks per activity and per fraud types: vertical and horizontal trends will appear. This tool helps to identify those processes where specific fraud prevention should be performed in order to lower the risk. Activity / Department Access Management Fraud Type Computer Fraud IT Manipulations Property Damage/ Computer Sabotage/ Alteration of Data Misuse of Insider Information Misuse of Information Betrayal of Company Secrets Breach of Postal Confidentiality intern extern intern extern intern extern intern extern extern User ID account management User registration x user password management x x password use x log-on procedures x x user identification and authentication x x x x password management system x x x x Terminal Time-out x x x x Logical access management Business requirements for access control and sensitive system isolation x x x x privilege management x x Re-certification of user access rights x Logical security incident review and reporting Monitoring system access and use Reporting of Security incidents Reporting pre-project feasibility analysis x x x x Project delivery Project Development Initiation project delivery/requirements Project delivery/design x x Project delivery/development x x x x Project delivery/test x x x x Deploy (operational ready) Post-project warranty evaluation

8 Prevention Fraud Heat Map Capture the human factor Products Context Competition Administration Psychology Governance Fraud Risk Management is a multi-faceted concern that seems very hard to embody into one single approach. The Fraud Heat Map completes our set of approaches and produces a contextual view that is essential when talking about fraud(s). Indeed, fraud is often the consequence of many disruptions and/or temptations and, consequently, context is important. The purpose of our Fraud Heat Map is hence to crystallise into one visual all these elements that may contribute to a weakening of the context in which one person/a number of people operate and as such, represent potential opportunities to perpetrate fraud. IT Opportunity Behaviour Our level of analysis is the individual who is ultimately the triggering factor. The outcome of such an analysis is expected to be based both on facts and perceptions/intuitions, and the visual outcome should allow you to better anticipate fraudulent behaviours and thus reinforce controls where needed. Fraudulent behaviour consists of three conditions generally present where fraud occurs. They are summarized in the well-known Fraud Triangle. The link between those elements and the organisation is perfectly reflected in the Heat Map highlighting the key risk areas in a practical manner. Fraud Triangle Good for the company Others do it No alternative employment opportunity No visible harm Rationalisation Belief systems / boundary systems can break the triangle Fraud Diagnostic / Interactive control systems can break the triangle Pressure Market pressure Incentive comp. Impossible targets Opportunity Weak Internal controls Powerless internal Audit Auditor complacent Analysts go along Need internal controls to break the triangle

9 An example: Financial Markets Trading Activities Trading activities are an interesting example because they encompasses many elements that expose the financial sector to risk. It is a highly competitive environment that is particularly results-driven, which places the trader under constant pressure. The complexity of the products and of the process makes it more difficult to detect prohibited activities and facilitates opportunities for fraud. In most rogue trading cases, the traders were either acting as they were because they felt trapped in the losses made or were seeing their fraudulent activity as something good for the company because of the gains generated. To identify the High Risks Zones in the organisation, many questions need to be raised: - Are the IT systems secured (password and system access management etc.)? - What processes have been automated, and what operations require manual intervention by the operator? - Is the administration checking whether traders take all their holidays and for at least 10 consecutive days? - Are some adequate control procedures such as timely confirmation in place? - What controls are in place to detect abnormal behaviour? - What is the risk awareness of the supervisors? - Etc. Encompassing all the these elements in one framework, the Heat Map enables management to identify the areas at risk directly and to act accordingly. The approach developed with the Heat Map is complementary to the ones tackling the matter from the human angle.

10 Prevention Background checks Know who you are dealing with Reputation is critical within the Financial Services Sector. Therefore, hiring reliable management and building up relationships with sound clients, suppliers and partners are of the utmost importance. The lack of correct background information creates both reputation and business risks. As gathering the necessary and complete information at short notice appears to be challenging in practice, we can provide you with a background investigation of the reliability and reputation of these potential business relations. Our Open Source Intelligence Centre has access to a variety of sources of financial and other kinds of information. We are experts in informationgathering procedures and will provide you with the key information you need to know. Being well-informed enables you to better manage your reputation and business risks. Customised training Get your people aware of fraud risk On a regular basis, clients ask us to design fraud awareness training covering their specific needs. It goes from the simple off-the-shelf fraud awareness training session to the most sophisticated training package derived from a Fraud Risks Assessment exercise performed over a few weeks, with the input of our client s top management and specialised staff. Occasionally, we design specific supporting documentation that our clients can use internally to train their staff or as guidance to refer to on a daily basis. Fraud Risk Management Manual - Table of Content Chapter 1 Introduction Chapter 2 Existing Fraud Management Framework Chapter 3 Typology of possible Fraud types Chapter 4 Initial Fraud Risk Assessment Chapter 5 Elements of Fraud Auditing Chapter 6 Proposed Fraud Risk Auditing Model Chapter 7 What to do when Fraud is suspected

11

12 Detection

13 Detection Forensic Technology Benefit from the latest forensic technologies Forensic Technology incorporates cutting-edge technology in fraud examinations. While business becomes increasingly dependent on Information Technology, and information and knowledge is progressively stored electronically, fraud is often buried in massive amounts of digital data. Forensic Technology can help capture, secure and deal with substantial volumes of information, identify which systems and personnel are critical, and recover hidden or lost data. Furthermore, it provides the tools and knowledge to analyse this data and fit the results into meaningful fraud assessment reports. Below are some examples of the way we use Forensic Technology. One of the business areas often affected by fraud is Procurement. By using Data Analysis (DA) and Data Mining (DM), any indicators, trends or hidden patterns relating to Procurement Fraud can be uncovered from the financial system. The DA and DM reports will be customised to the business and IT environment and specific fraud risks of the company. Security concerns related to applications and databases containing critical data have to be proactively addressed to mitigate considerable fraud risk. The current user access management procedures will be mapped against the key objectives and industry best practice standards in order to identify gaps and areas for improvement. If any significant fraud risk is uncovered in the access management review, more in-depth investigation can be performed into actual access management, such as reviewing and analysing outliers of access to critical information, trend analysis (peaks in manual entries), subsequent transactions made by the same user (e.g. invoice booked and paid by the same person) etc. Financial institutions are confronted with large amounts of supporting data, both paper and electronic. Paper documents are scanned and archived resulting in a significant workload to manually review them and/or to maintain data quality. E-Discovery techniques now combine paper files and any digital information into document management allowing efficient data quality reviews. Insurance companies can be confronted with enormous amounts of claims or litigations (e.g. due to natural disaster or class actions). At PwC, we have the expertise to assist you with document management for large-scale, multiparty, multi-jurisdictional litigations or claims. Moreover, our team can provide you with advice and assistance in the management and prioritisation of these claims. We bring together experts and specialists in claims, forensic investigation, forensic technology services and other relevant disciplines, combining the technical skills, industry knowledge and geographical coverage to investigate, analyse, prioritise and resolve complex and massive amounts of claims.

14 Detection Fraud Due Diligence Set the scene Business is ever-changing and the organisational frameworks are moving targets. Mergers, acquisitions and employee turnover have become a part of our way of life. We know that the new challenges you are willing to take are often very exciting but, in the end, can you say you have a full comfort when taking over a target or taking up a new role in your company? Could there be any concealed risks present? Indeed, whilst long-term strategies can be designed with hindsight, you are immediately exposed to key risks in the day-to-day business. Short-term exposure can considerably damage your image and ruin your ambitions for the future. The recent nature of your involvement will not believe us prevent the deterioration of your reputation. Life is unfair! To assist you in assessing such risks, we have elaborated, in a joint effort of our forensic and financial risk experts, a methodology and checklist that can help you set the scene in a fast and efficient way. We are happy to tailor investigations to best suit your needs and expectations. More than others, we know how easily you can be exposed to civil or even criminal liability!

15

16 Investigation

17 Investigation Fraud Incidence Plan An action plan when fraud has been detected Whatever the type of fraud, whoever the perpetrator, any form of fraud raises a number of questions and issues for management; issues and questions they have probably never dealt with before. Our specialists are highly-trained and discreet. They are used to operating in sensitive circumstances, and their range of skills and methodologies allows them to discover information that is often outside the scope of normal accounting or auditing procedures. Assistance may include sorting out evidence for prosecution. We support management to allow them to carry on with the day-to-day business, and avoid them having to spend valuable time dealing with matters that may distract them and put their business in an even worse position. Asset Tracing and Recovery Get back what you were defrauded Financial institutions are often confronted with significant losses on credit or insurance files due to misconduct or even sometimes fraud by the client. Our Asset Tracing and Recovery service is designed to answer the questions you have in the aftermath: What went wrong? Where is the money/asset now and how can we get it back? Who is responsible? Which controls failed? What steps need to be taken? These questions will be answered with a combination of investigation and highly refined asset recovery skills drawing on the PwC expertise and advanced Forensic Technology. Such an investigation is the starting point for the recovery of stolen assets. Our ability to unravel complex international fraud schemes may result in such assets being identified, frozen and then recovered.

18 Foreword Contact Place foreword for your publication here at 10.5/12pt. Place Rudy foreword Hoskens for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place Director foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place Dispute foreword Analysis for your & publication Investigations here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. +32 (0) rudy.hoskens@pwc.be Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword Cécile for Louchard your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Senior Manager Place foreword for your publication here at 10.5/12pt. Place Dispute foreword Analysis for your & publication Investigations here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place +32 foreword (0) for your 44 24publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place cecile.louchard@pwc.be foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Author s signature

19 Foreword Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Place foreword for your publication here at 10.5/12pt. Author s signature

20 PricewaterhouseCoopers. All rights reserved. PricewaterhouseCoopers refers to the network of member firmsof PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity. *connectedthinking is a trademark of PricewaterhouseCoopers. The firms of the PricewaterhouseCoopers global network ( provide industry-focused assurance, tax andadvisory services to build public trust and enhance value for clients and their stakeholders. More than 155,000 people in 153countries across our network share their thinking, experience and solutions to develop fresh perspectives and practical advice.