
CEB Audit Leadership Council

A COLLECTION OF FRAUD SCHEMES


Selected Strategies for Effective
Fraud Prevention and Detection

Use This Document to:


Improve auditors' fraud risk awareness using a collection of real schemes;
Strengthen auditors' awareness of sample data analytics tests that can aid fraud detection;
Educate management on potential fraud schemes and the impact of control weaknesses; and
Inform the audit committee about the types of fraud risk your company is facing.

CEB AUDIT LEADERSHIP COUNCIL


Senior Directors
Sonia Nordberg
Friso van der Oord
Senior Analyst
Ruth Shaikh
Analyst
Anubhav Arora

CONTENT PUBLISHING SOLUTIONS


Print Designer
Alison Heasley
Contributing Designers
Varun Kumar
Nikhil Maira
Christie Parrish
Cameron Pizarro
Editor
A. Kate Harsh

CONFIDENTIALITY AND INTELLECTUAL PROPERTY

LEGAL CAVEAT

These materials have been prepared by CEB for the exclusive
and individual use of our member companies. These
materials contain valuable confidential and proprietary
information belonging to CEB and they may not be shared
with any third party (including independent contractors and
consultants) without the prior approval of CEB. CEB retains
any and all intellectual property rights in these materials
and requires retention of the copyright mark on all pages
reproduced.

CEB is not able to guarantee the accuracy of the information
or analysis contained in these materials. Furthermore, CEB
is not engaged in rendering legal, accounting, or any other
professional services. CEB specifically disclaims liability for
any damages, claims or losses that may arise from a) any
errors or omissions in these materials, whether caused by
CEB or its sources, or b) reliance upon any recommendation
made by CEB.

CONTENTS
Introduction
Defining Fraud
Trends in Fraud
Fraud Schemes
Asset Misappropriation
  Abusing the Corporate Travel Booking System
  Expensing Gift Cards for Personal Use
  Misusing a Purchasing Card
  Altering Payroll Records
  Manipulating Purchase Orders
  Pocketing Maintenance Fees
  Accidental Overpayments
  Cashing in on Weak Controls
  Stealing Incentives
  Profiting from Land Purchases
  Falsifying Recruiter Fees
  Profiting from Weak Inventory Controls
  Falsifying Shipping Labels
  Falsifying Productivity Figures
  Abusing Supplier Accounts
  Manipulating the Benefits System
  Using Company Resources for a Side Business
  CEB Support
  Data Analytics Test
Third-Party Fraud
  Falsifying Bank Details
  Favoring One Supplier
  Travel Ponzi Scheme
  Misusing Third-Party Services
  Colluding Vendors
  Abusing Oversight Responsibilities
  CEB Support
  Data Analytics Test
Conflicts of Interest
  Circumventing Human Resource Controls
  Inappropriate Hiring Practices
  Keeping Business in the Family
  Employee-Owned Supplier
  CEB Support
  Data Analytics Test
Information Security and Cyber Fraud
  Theft of Client Identities
  Theft of Corporate Identities
  Circumventing IT Access Controls
  Abusing Weak Security Controls
  Purchasing Employee Log-In Credentials
  Sophisticated Phishing Attacks
  CEB Support
  Data Analytics Test
Corruption and Bribery
  Using Middlemen to Bribe Officials
  Improperly Using Training and Education Funds
  Bribing Officials to Avoid Scrutiny
  Hiding Bribes as Charitable Donations
  Manipulating the Public Tender Process
  Bribing Officials for Operational Ease
  Taking Bribes for Securing Business Deals
  CEB Support
  Data Analytics Test
Additional Support

Note: If you have any questions, or would like to learn more about how CEB can help you on the topic of fraud,
please contact Ruth Shaikh.

INTRODUCTION
Helping prevent and detect fraud has always been central to audit's value proposition
and mandate. In a 2012 CEB poll, fraud was listed as one of the top challenges for
CAEs and their teams, with 48% expressing the need to improve fraud prevention and
detection capabilities. Although most of those surveyed reported that overall levels
of fraud are not rising, the financial cost of fraud is still significant. The Association
of Certified Fraud Examiners' (ACFE's) 2012 Report to the Nations [1] shows that the
average organization loses 5% of its revenues to fraud, suggesting that even small
improvements in fraud mitigation strategies will likely have a significant impact.
Although overall levels are stable, two areas are causing increasing concern among
CAEs: IT and cyber fraud, and corruption and bribery. Continuing international
expansion and stricter regulatory scrutiny are driving IT and cyber fraud risk, while
the proliferation of technology systems is increasing corruption and bribery risk.
Fraud's dynamic nature means that, even when overall levels are stable, it is
important to closely monitor changes in the fraud risk environment. To accelerate the
effectiveness of your fraud risk management, we have gathered almost 40 specific
examples of small and large fraud schemes that occurred in member companies and
detailed how they have adapted existing controls and introduced new controls to
prevent and detect fraud. You can use this information to update your audit plans,
alter existing fraud risk management approaches, train your audit staff, and build a
strong case for the importance of fraud risk management with key stakeholders.
We have organized the fraud schemes shared in this document into five commonly
experienced categories:

Asset Misappropriation
The taking or use of goods, services, money, or benefits by any person, either
internal or external to the victim organization, without due payment

Third-Party Fraud
Any fraud committed solely by a third party or committed by a third party in
collusion with another party who may be internal or external to the victim
organization

Conflicts of Interest
Situations where employee decisions and actions are influenced by personal
interests

Information Security and Cyber Fraud
Any fraud involving the misappropriation of information, systems access, or the
unauthorized use or manipulation of information networks for personal gain or
financial (or other) loss of the victim organization

Corruption and Bribery
The use or offer of the use of money or power to influence another party's actions
to perform unauthorized tasks in some unauthorized manner to benefit personal or
organizational interests

ADR6402913SYN
2013 The Corporate Executive Board Company. All Rights Reserved.

Although information security and corruption are the most pressing types of fraud,
asset misappropriation is still the most common. We uncovered many unique scenarios
that members of our CEB network have experienced, and we have learned about a
number of fraud schemes committed by, and between, third parties. As companies
increasingly rely on third parties, they are more exposed to fraud committed by
contractors and vendors. Although conflicts of interest fraud has changed little over
the years, and is primarily the result of inappropriate influence of personal interests,
our interviews demonstrated that it is still an area of concern and can be rather
costly. Lastly, international expansion raises concerns over bribery and corruption, but
different business cultures and often weaker control environments can contribute to
fraud in all these areas.

Financial Statement Fraud
We excluded financial statement fraud from this report. Audit teams have become
more effective at managing this risk in response to recent crises and regulatory
requirements, such as Sarbanes-Oxley.

Methodology
We conducted this research primarily through interviews with over 50 CAEs and fraud
auditors from across the CEB network. We also used primary and secondary data to
illustrate the trends we identified and to add detail to each of the categories under
which these fraud schemes fall.
We present the financial cost of these schemes in US dollars. Company pseudonyms
were arbitrarily designated. Each section begins with Company A, although Company
A in one section is not necessarily the same organization as Company A in another
section.
We have excluded more widely reported fraud schemes committed both by and
against companies. Extensive media coverage has already made details on such
frauds easily available.


DEFINING FRAUD
Different professional groups and associations have many definitions of fraud.
The definitions used by individual companies vary, as they are influenced by audit
committee concern and the nature of fraud risk exposure to that organization.
Organizational definitions range from a narrow focus on financial statement fraud to
much broader definitions that encompass all activities involving theft and deception.
The examples below, from professional associations and investigatory groups, are
quite broad.

Any illegal act characterized by deceit, concealment, or violation of trust.
These acts are not dependent upon the threat of violence or physical force.
Frauds are perpetrated by parties and organizations to obtain money,
property, or services; to avoid payment or loss of services; or to secure
personal or business advantage.
Institute of Internal Auditors

Any intentional or deliberate act to deprive another of property or money by
guile, deception, or other unfair means
Association of Certified Fraud Examiners

Put simply, fraud is an act of deception intended for personal gain or to
cause a loss to another party.
United Kingdom's Serious Fraud Office

The intentional perversion of the truth for the purpose of inducing another
person or other entity in reliance upon it to part with something of value or
to surrender a legal right. Fraudulent conversion and obtaining of money
or property by false pretenses. Confidence games and bad checks, except
forgeries and counterfeiting, are included.
Federal Bureau of Investigation

Through our interviews, we learned that organizations are broadening their definitions
of fraud. For example, theft of data and intellectual property is increasingly recognized
as being a type of fraud.


TRENDS IN FRAUD
Stable Levels of Fraud
Fraud does not appear to be on the rise. The vast majority of members we interviewed
felt that fraud levels have remained flat, even with the recent economic downturn.
Interviewees explained that there is heightened awareness about fraud and improved
communication and training on expectations, misconduct, and the use of whistleblower
hotlines. Despite an increase in whistleblower activity, driven by better education, the
actual number of fraud incidents has not increased dramatically.
CEB research shows that, between 2011 and 2012, the number of employees who
observed misconduct only increased by 1.6% [2]. Despite these stable levels, many of
those we interviewed felt there was a stronger focus on fraud, partly from their audit
committees. Most felt this focus was driven by high-profile fraud cases being reported
in the news.
Two Main Drivers of Fraud
CAEs highlighted two particular trends driving fraud. First, increasing technological
complexity creates new opportunities for committing fraud but can also make it
more difficult to prevent and detect certain frauds. For example, the proliferation of
technology systems often leads to poor systems integration, which can be exploited to
steal or manipulate information without being detected, as the presence and strength
of controls varies between systems. As some interviewees expressed, the perception
of anonymity afforded by technology may also reduce the feeling of wrong-doing
among fraudsters. Second, the continued worsening of economic prospects puts
financial pressure on people, which motivates fraud. Continuing redundancies
also lessen loyalty to organizations and help fraudsters justify their actions, while
weakening the control environment.
Information Security and Cyber Frauds Are Most Concerning
As a result of the aforementioned increase in technological complexity, CAEs are
acutely concerned about information security and cyber fraud. The potentially high
impact, both financial and reputational, of information security fraud or cyber attacks,
as well as the more technical nature of the area, make this one of the biggest areas of
concern for organizations. In addition to the loss of confidential personal information,
organizations are concerned about the theft of intellectual property. Of particular
concern is that intellectual property loss may not be noticed immediately. Another
risk factor is poor systems integration, where information controls are inconsistent
between multiple systems, and files can be manipulated more discreetly on one local
system without affecting information on other systems; this helps fraudsters evade
detection.

Asset Misappropriation Is Most Common
Of the five fraud scheme categories, asset misappropriation is by far the most
common. This category is the broadest, with fraud being committed in different
areas: travel and expenses, payroll, accounts payable, and inventory, among others.
Although misappropriation of assets is the most common fraud scheme, research
from the ACFE's 2012 Report to the Nations [3] shows that this type of fraud is also the
least costly. As such, misappropriation of assets, despite being so common, is not the
fraud area most concerning to the majority of those we interviewed.
Controls Exist, but Oversight Is Poor
Most of the fraud schemes shared in this report were not the result of a lack of controls
but of existing controls being circumvented. Lax management oversight and poor
segregation of duties make it easier for fraud to be committed and can delay detection.
This issue demonstrates the importance of continuing fraud education, with emphasis
on how various processes help prevent and detect fraud. It is particularly relevant when
management oversight is a primary control, such as with expense report approvals.
Poorly segregated duties are a good indicator of fraud risk, and many of the fraud
schemes in this report were committed by control owners, who were not subject to
segregated duties. Several interviewees feel that poor segregation of duties particularly
affects operations where staffing is lean, in more remote areas, or where staffing has
been cut, as these situations make it harder to segregate duties between different
employees.
Importance of Employee Education and Tone at the Top
As already mentioned, our interviewees reported an increasing number of calls to
reporting hotlines. Many of the schemes written in this report were uncovered when
someone noticed something suspicious and reported it. To strengthen fraud awareness
training, more companies are increasing the regularity of training, including adding
anonymous, real-life scenarios to training, and providing fraud training as part of
new employee orientation. The increase in hotline reporting shows that educational
efforts are working. Despite this, CEB research shows that of those employees who
think they have observed fraud, 18% do not report it [4], demonstrating the need for
continued efforts to inform employees and encourage speaking up. A strong tone at
the top is equally important. Our interviewees who felt their organization's leadership
has a strong understanding of and commitment to risk management, including fraud
risk, emphasized the importance of 1) educating staff on the severity of fraud and
2) applying strong, consistent standards to fraud investigations and punishments for

those found committing fraud. As well as acting as a deterrent, this approach can
encourage speaking up. However, although 85% of CAEs report that their companies
have a strong tone at the top, only 59% report they have a strong tone at the middle [5],
demonstrating that this tone at the top often does not trickle down. CEB research
shows that 69% of misconduct allegations are received by frontline managers, yet
only 55% of these managers feel comfortable addressing employee concerns [6], making
it all the more critical to strengthen tone at the middle while advancing a culture that
has zero tolerance for fraud.
Frauds with No Personal Benefit
Companies are uncovering more and more instances of employees manipulating
numbers, be they sales figures, performance measures, or similar data, to prevent
management from focusing on their performance. Although this fraud does not
provide any direct financial benefit to the perpetrators, it can indirectly contribute to
bonus payments or promotions and diminishes data integrity for the company.
Inconsistent, Undefined Role for Audit in Fraud Investigations
Among interviewed companies, few have a formally written policy that outlines
Internal Audit's role in fraud investigations. For the most part, internal audit teams
tend to 1) get involved in cases requiring some degree of forensic investigation and to
2) provide support on control improvements after the fraud is discarded. The majority
of interviewees explained that Internal Audit's role in fraud investigations is often made
on an ad hoc basis in discussion with other parties such as Legal, Human Resources,
Compliance, or Security. A smaller number of interviewees explained that their audit
teams are involved with the investigations for every fraud accusation.


FRAUD SCHEMES
Review a collection of fraud schemes that have been
perpetrated against your peers in the past 12 to 24 months.

Asset Misappropriation
Third-Party Fraud
Conicts of Interest
Information Security and Cyber Fraud
Corruption and Bribery


ASSET
MISAPPROPRIATION

ASSET MISAPPROPRIATION
Of the dozens of fraud schemes and scenarios we collected, the majority of fraudulent
acts and stories shared by the membership were some form of asset misappropriation.
Although asset misappropriation frauds usually have lower losses than other fraud
categories (e.g., financial statement fraud, corruption and bribery), the incidents in this
section are mostly of higher dollar value and exclude more commonly experienced travel
and expense, overtime, and time card fraud. Interestingly, we have shared a scheme that
relates to the misappropriation of information assets, which demonstrates the need to
take a broader approach to how we define and protect different types of assets.


Figure 1: ACFE 2012 Report to the Nations
Frequency and Median Loss for Misappropriation, Corruption, and Financial Statement Fraud
[Chart not reproduced. Categories: Asset Misappropriation, Corruption, Financial Statement
Fraud. Series: Frequency (asset misappropriation 88%, corruption 33%, financial statement
fraud 8%) and Median Loss (axis from $0 to $1,000,000; values not legible in the extraction).]
Source: Association of Certified Fraud Examiners, Report to the Nations on Occupational Fraud and Abuse, 2012,
http://www.acfe.com/uploadedFiles/ACFE_Website/Content/rttn/2012-report-to-nations.pdf.

For most of the fraudulent acts shared in this category, preventive controls were in place to
thwart would-be fraudsters. Unfortunately, perpetrators found a way to circumvent controls
and take advantage of the company. In many cases, supervisors and managers placed too
much trust in seemingly ethical employees, and these managers didn't fulfill their control
obligations. In several other instances, fraudsters took advantage of unsegregated duties,
many times in new markets that were located further from headquarters and that faced
more resource constraints (with potentially too few employees in particular locations to
segregate duties).


ABUSING THE CORPORATE TRAVEL BOOKING SYSTEM

Company A uses a ghost card system for travel booking purposes. It has
experienced two separate incidents of employees booking flights through the
central system and also buying the same flights with their corporate credit cards
and expensing them.

Discovery:
The employees' project managers noticed these frauds when they looked through
the project budget and expenses.

Duration: Two separate incidents

Cost: [illegible]

Control Updates:
Company A arranged for the travel agency to provide the accounting group a
monthly report of tickets purchased via the ghost card. The group matches details
to expense reports to prevent double recording of expenses and ensure no
duplication of charges reimbursed.
Company A ensured audit logs and other security features in the travel expense
management software are used more often to detect anomalies in expenditure
patterns.

Variations:
Travel booking systems can also be abused when tickets are booked but then the
trip is cancelled. In this situation, some employees have retained the flights
instead of cancelling them and used them for personal trips.
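The monthly ghost-card reconciliation that Company A introduced can be run as a data analytics test. The following is an added example, not code from the CEB report or from Company A; the record layouts, the matching tolerances and every sample ticket and expense line are constructed for illustration.

```python
"""Reconcile a travel agency's monthly ghost-card ticket report against employee
expense claims, flagging airfare that was paid centrally AND expensed again.

Added example, not code from the CEB report or Company A. Field names,
tolerances and all sample records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class GhostCardTicket:
    employee_id: str
    airline: str
    purchase_date: date
    travel_date: date
    amount: float
    ticket_no: str


@dataclass(frozen=True)
class ExpenseLine:
    employee_id: str
    report_id: str
    merchant: str      # merchant string as printed on the corporate card statement
    txn_date: date
    amount: float
    category: str      # e.g. "airfare", "baggage", "hotel"


def normalize_merchant(name: str) -> str:
    """Upper-case and drop punctuation/spaces so 'UNITED AIRLINES 0162' contains 'UNITEDAIRLINES'."""
    return "".join(ch for ch in name.upper() if ch.isalnum())


def find_duplicate_claims(tickets, expenses, date_window_days=7, amount_tolerance=0.02):
    """Return (ticket, expense) pairs where an employee's expensed airfare matches a
    ticket already bought for that employee on the ghost card.

    A match requires the same employee, the ticket's airline appearing in the
    expense's merchant string, an expense date within `date_window_days` of either
    the ticket's purchase date or its travel date, and an amount within
    `amount_tolerance` (a fraction of the ticket price, to absorb small fees).
    """
    tickets_by_employee = {}
    for t in tickets:
        tickets_by_employee.setdefault(t.employee_id, []).append(t)

    hits = []
    for e in expenses:
        if e.category != "airfare":
            continue  # baggage, seat fees etc. are legitimately paid on the card
        for t in tickets_by_employee.get(e.employee_id, []):
            same_airline = normalize_merchant(t.airline) in normalize_merchant(e.merchant)
            days_from_purchase = abs((e.txn_date - t.purchase_date).days)
            days_from_travel = abs((e.txn_date - t.travel_date).days)
            close_date = min(days_from_purchase, days_from_travel) <= date_window_days
            close_amount = abs(e.amount - t.amount) <= amount_tolerance * t.amount
            if same_airline and close_date and close_amount:
                hits.append((t, e))
    return hits


def duplicate_report_ids(tickets, expenses):
    """Expense report ids that the accounting group should hold for review."""
    return sorted({e.report_id for _, e in find_duplicate_claims(tickets, expenses)})


# Constructed sample: the agency's ghost-card report for one month.
GHOST_CARD_REPORT = [
    GhostCardTicket("E100", "United Airlines", date(2013, 3, 1), date(2013, 3, 15), 540.00, "T-1001"),
    GhostCardTicket("E200", "Delta", date(2013, 3, 4), date(2013, 3, 20), 310.00, "T-1002"),
    GhostCardTicket("E100", "Delta", date(2013, 3, 10), date(2013, 4, 2), 275.00, "T-1003"),
]

# Constructed sample: airfare-related lines from expense reports in the same month.
EXPENSE_LINES = [
    ExpenseLine("E100", "R-1", "UNITED AIRLINES 0162", date(2013, 3, 2), 540.00, "airfare"),   # duplicate of T-1001
    ExpenseLine("E200", "R-2", "DELTA AIR 0062", date(2013, 3, 5), 315.00, "airfare"),          # T-1002 plus a $5 fee
    ExpenseLine("E300", "R-3", "AMERICAN AIRLINES", date(2013, 3, 7), 420.00, "airfare"),       # no central ticket: legitimate
    ExpenseLine("E100", "R-4", "DELTA AIR 0062", date(2013, 3, 11), 1150.00, "airfare"),        # same airline, different trip
    ExpenseLine("E100", "R-5", "UNITED AIRLINES 0162", date(2013, 3, 14), 35.00, "baggage"),    # a fee, not a ticket
]

if __name__ == "__main__":
    for t, e in find_duplicate_claims(GHOST_CARD_REPORT, EXPENSE_LINES):
        print(f"{e.employee_id} report {e.report_id}: ${e.amount:.2f} at {e.merchant!r} "
              f"duplicates ghost-card ticket {t.ticket_no} (${t.amount:.2f})")
```

On the sample data the test holds reports R-1 and R-2 for review; the amount tolerance is what lets it catch a claim padded with a small change fee while leaving a genuinely different trip on the same airline alone.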

EXPENSING GIFT CARDS FOR PERSONAL USE

Company B uncovered a fraud in which an employee would purchase gift cards
from airlines. These cards are available in small increments (around $25) and can
be bought at airline kiosks inside airports. These purchases show up on credit card
statements as payments to the relevant airline. One employee would purchase
these cards for personal use and expense them as payments for baggage.

Discovery:
Company B's finance group uncovered this fraud after it conducted a budget
analysis.

Duration: At least one year

Cost: [illegible]

Control Updates:
Company B did not implement new controls, as this was caught fairly quickly with
existing controls. Its existing controls use an assessment of forecast spend versus
actual spend. Each department is responsible for monitoring forecast versus actual
spend every month, ensuring large variances are quickly noticed.


MISUSING A PURCHASING CARD

A senior employee at one of Company C's operational sites was using a purchasing
card to buy personal items. During an audit, the items purchased could not be
found because the perpetrator had taken them home. A few days after the auditor
inquired about the whereabouts of the goods, the items had been replaced, as the
perpetrator brought them back to the site to try to prevent the auditor's further
investigation. The employee had used the purchasing card to buy Christmas
presents for his family.

Discovery:
This fraud was uncovered during a site audit. The CAE had requested auditors to
look beyond purchasing card reconciliations and check whether the goods
purchased were on site.

Duration: One month

Cost: [illegible]

Control Updates:
Company C updated its purchasing card policy to state that cardholders cannot
approve their own transactions.

ALTERING PAYROLL RECORDS

One employee at Company D had access to the payroll file sent to the bank for
wage payments. She added untaken vacation time payment records for employees
leaving the company. Then she switched the bank account details for those
payments to her account or the accounts of her friends or family. Her changes were
not visible in the HR management system, as she only changed the payment file. In
2006, she was laid off, and the following January the scheme was discovered and
reported to police. Employees then learned about the fraud from a local newspaper
that had picked up the story from the police station's daily record. To address
employee concerns about the fraud, Company D bought all employees fraud
insurance for one year.

Discovery:
This scheme was discovered when a former employee received a tax form showing
he received more money than he actually did.

Duration: ~ One year

Cost:
The cost of the actual fraud was [illegible]; the total, including the investigation
and subsequent insurance for employees, was [illegible].

Control Updates:
Company D segregated the duties between the HR management and payroll
management systems.
Company D ensured that the file sent to the bank can no longer be edited and does
not sit on the company's systems for longer than a second.
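Company D's two control updates, keeping the HR system and the bank payment file in step and making the file non-editable, can be backed by a pre-transmission check. The following is an added example, not code from the CEB report or Company D: it reconciles the payment file against HR, flags records that exist only in the file, redirected or shared bank accounts, and amount differences, and uses a digest (my addition, not something the page specifies) so that a file altered after generation is refused. Record layouts and sample data are constructed.

```python
"""Reconcile a bank payment file against the HR system before it is transmitted,
and verify the file was not edited after HR generated it.

Added example, not code from the CEB report or Company D. Field names, the
digest approach and every record below are constructed for illustration.
"""
import hashlib
import json
from collections import defaultdict

# Constructed: what the HR management system says is due in this pay run.
HR_PAYROLL = [
    {"employee_id": "E001", "account": "ACCT-1111", "net_pay": 2500.00},
    {"employee_id": "E002", "account": "ACCT-2222", "net_pay": 2750.00},
    {"employee_id": "E003", "account": "ACCT-3333", "net_pay": 1900.00},
]

# Constructed: the payment file as it is about to go to the bank. E004 is a leaver
# whose "untaken vacation" payment exists nowhere in HR, and E003's pay has been
# redirected to the same account that E004's payment goes to.
BANK_PAYMENT_FILE = [
    {"employee_id": "E001", "account": "ACCT-1111", "amount": 2500.00},
    {"employee_id": "E002", "account": "ACCT-2222", "amount": 2750.00},
    {"employee_id": "E003", "account": "ACCT-9999", "amount": 1900.00},
    {"employee_id": "E004", "account": "ACCT-9999", "amount": 3200.00},
]


def payment_file_digest(records):
    """SHA-256 over a canonical serialisation of the file. HR computes it when it
    generates the file; the sending job recomputes it and refuses on mismatch."""
    canonical = json.dumps(sorted(records, key=lambda r: r["employee_id"]),
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify_before_sending(records, expected_digest):
    """True only if the file still matches what HR generated."""
    return payment_file_digest(records) == expected_digest


def reconcile_payment_file(hr_records, payment_records):
    """Compare every payment line with the HR master and return findings per check:
    unknown_employee  - payment for an id HR does not list in this run
    account_mismatch  - (id, HR account, file account) where the account was changed
    amount_mismatch   - (id, HR net pay, file amount) where the amount differs
    shared_account    - (account, ids) where one account receives several employees' pay
    """
    hr_by_id = {r["employee_id"]: r for r in hr_records}
    findings = {"unknown_employee": [], "account_mismatch": [],
                "amount_mismatch": [], "shared_account": []}
    holders = defaultdict(set)
    for p in payment_records:
        holders[p["account"]].add(p["employee_id"])
        hr = hr_by_id.get(p["employee_id"])
        if hr is None:
            findings["unknown_employee"].append(p["employee_id"])
            continue
        if p["account"] != hr["account"]:
            findings["account_mismatch"].append((p["employee_id"], hr["account"], p["account"]))
        if abs(p["amount"] - hr["net_pay"]) > 0.005:
            findings["amount_mismatch"].append((p["employee_id"], hr["net_pay"], p["amount"]))
    for account, ids in holders.items():
        if len(ids) > 1:
            findings["shared_account"].append((account, sorted(ids)))
    return findings


def payment_file_is_clean(hr_records, payment_records):
    """True when no check produced a finding; only then should the file be sent."""
    return not any(reconcile_payment_file(hr_records, payment_records).values())


if __name__ == "__main__":
    for check, items in reconcile_payment_file(HR_PAYROLL, BANK_PAYMENT_FILE).items():
        print(f"{check}: {items}")
    print("send file:", payment_file_is_clean(HR_PAYROLL, BANK_PAYMENT_FILE))
```

The digest only proves the file is unchanged since generation; the reconciliation is what catches records that were wrong at generation time, which is why Company D's segregation of the two systems matters alongside the non-editable file.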


MANIPULATING PURCHASE ORDERS

Company E uses a building supplies company for various projects. One staff
member ordered supplies for his projects and was responsible for filling out
purchase requisitions. He would skip sections on the order forms, and then pass
them to his supervisor, who would approve the orders without considering the
blank lines. Before taking the form to Procurement, the employee would fill in the
blank lines and order goods for his own purpose. Because the supplies company
has a collection facility, the goods did not have to be delivered to the company.
The employee was using the goods to build his holiday home.

Discovery:
The employee's manager noticed this fraud when comparing purchase requisitions
and orders.

Duration: ~ Six months

Cost: Company E has not yet calculated the loss.

Control Updates:
Company E removed the option for employees to use the collection facility
provided by the supplies company.
Company E requires managers to give purchase requisitions directly to the
purchasing team rather than giving the forms back to the requestors.

POCKETING MAINTENANCE FEES

Company F owns an apartment for temporary staff accommodation. It shares
property maintenance responsibility with the apartment complex owners'
association. Company F had agreed to maintain the grounds, for which it received
money from the complex owners' association. The employee for Company F who
was responsible for coordinating grounds maintenance deposited the money into
her own account, instead of depositing it into the company's account. Because
of the unique nature of this arrangement, there was no proper control in place to
account for the money.

Discovery:
Company F discovered this fraud when it received a phone inquiry from the
complex owners' association asking why it had not been invoiced for the costs.

Duration: ~ Two years

Cost: [illegible]

Control Updates:
To ensure similar situations were not prevalent in the organization, Company F
conducted an enterprise-wide review to identify any nonstandard practices
involving cash collections and distribution.
Company F verified that all cash collection and disbursement processes had
proper segregation of duties and were managed within standard systems and
controls.


ACCIDENTAL OVERPAYMENTS

An employee in Company G's accounts payable department was diverting money
into her personal bank account. She would overpay vendors and suppliers, making
intentional mistakes that could easily be explained as being accidental. For
example, instead of paying $801, she would pay $8,001. She then contacted the
payees, explaining that a mistake had been made, and requested they repay the
excess amount. She provided her personal bank details for the repayments.

Discovery: Hotline tip

Duration: ~ Six months

Cost: [illegible]

Control Updates:
Company G implemented more detective review controls on payments made.

CASHING IN ON WEAK CONTROLS

Company H has specific operations that use cash more commonly than checks
or money wiring. In one case, an account manager received a centrally generated
invoice for a client and then doctored it to inflate the amount due. The client would
receive the invoice and pay the account manager directly in cash. The account
manager would keep the excess amount that had been added to the invoice and
pay the rest to Company H.

Discovery:
This fraud was discovered when the account manager retired and the replacement
started working with the clients and discussing invoicing.

Duration: Three to four years

Cost: Company H reimbursed its client.

Control Updates:
Company H ensures that invoices are now sent directly from the invoicing group
to the client, and account managers can no longer edit them.


STEALING INCENTIVES

Company I used Visa gift cards at promotional events as incentives for new
customers. The employee who was responsible for obtaining and storing these
cards would steal some, take them to the bank, and exchange them for cash. Each
time the individual cashed the cards, the bank would make a note of the employee
and the company that had issued the gift card.

Discovery:
A bank employee noticed that a large number of the gift cards issued by
Company I were being cashed by the same individual.

Duration: [illegible] months

Cost: [illegible]

Control Updates:
Company I instituted a report of gift cards purchased (the number, dollar amount,
and business purposes) so the manager could match the budgeted amount with
the actual amount of gift cards purchased.
Company I now requires two individuals to sign off on the purchase, and it is also
considering doing away with gift cards.

PROFITING FROM LAND PURCHASES

Company J regularly purchases land for development. The company uncovered a
fraud in which employees would use their knowledge of the areas and plots of land
that Company J was interested in purchasing. The employees would then have an
acquaintance buy that piece of land and sell it to Company J for an inflated price,
splitting the profits between the employee and the acquaintance.

Discovery: Hotline tip

Duration: One transaction

Cost: This cost is unknown, as it is hard to calculate how much was lost as a
result of inflated prices.

Control Updates:
Company J no longer buys land that was purchased within the last year.


FALSIFYING RECRUITER FEES

An employee at Company K was the budget controller for one business unit and
could also authorize payment of recruiting fees. He set up a fake record for a
recruitment agent, putting his own bank details in the record for fee payment.
When new staff (not sourced through a recruiting agency) were hired, he would
falsify records and pay out a recruitment fee to himself.

Discovery:
The scheme was discovered when the employee's replacement asked a staff
member which agency had hired them. The staff member explained that they had
not come through a recruitment agency, which prompted concerns as to why a
recruiter fee had been paid for that employee.

Duration: ~ One year

Cost: [illegible]

Control Updates:
Company K no longer allows budget controllers to authorize expenses.

PROFITING FROM WEAK INVENTORY CONTROLS

Company L uses a vendor to supply laptops to staff on three-year leases. Within
Company L, a central IT team receives the laptops, installs all necessary software,
and passes them to the departments that requested them. However, because there
was no system for tracking the laptops, an employee in the central IT team was
stealing some of them. He ran his own business out of his garage repairing and
reconditioning laptops and would use the stolen laptops for parts.

Discovery:
Every member of the internal audit team was to receive a new laptop; all but two
people received them. Eventually, the [illegible] sent some staff to the IT team to
request the laptops. These auditors saw that the IT team was in disarray, with
inventory everywhere. This sight sparked concern and prompted an investigation.

Duration: [illegible] months

Cost: [illegible]

Control Updates:
Company L introduced an inventory control system to keep track of hardware.
Company L clearly established that IT was responsible for tracking the
whereabouts of laptops, rather than this being the business's responsibility.


FALSIFYING SHIPPING LABELS

Company M uses SAP as one of its systems. It purchased additional software
bolt-ons with complementary features from another supplier. However, the
bolt-ons' security was not great, and Company M had no control over their
configuration. As such, there were no preventative controls and weak detective
controls in place. A warehouse employee exploited various weaknesses in the
bolt-on systems to manually print shipping labels.

Ordinarily, SAP creates a shipping label automatically when it receives an order.
The employee made a small purchase to get an SAP reference number and used
that to manually create labels. The employee then found that multiple labels could
be printed per reference number and began using other customers' reference
numbers to create labels, without affecting those orders. The employee then used
fake SAP reference numbers, which the system also allowed. The employee would
create surplus shipping labels and then manually change the delivery address. He
would then take inventory and have it delivered to his mother's house, as though
it were a regular order. The employee then sold the stock online through eBay and
Craigslist. Part of the loss was recovered by Company M, although the total loss
was equivalent to two 40-ton trailers' worth of product.

Discovery:

Hotline tip

Duration:

At least two years; records were only kept for two years, so it was not possible
to track it further.

Cost:

Up to …

Control Updates:

- Company M implemented a detective control requiring management to review a log
of all manually created labels on a daily basis.
- All manually created labels that have had the address changed are specifically
flagged in the log.
- Company M created another log to identify when multiple labels are created
using the same reference number.
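The three control updates above describe one daily detective review over the label
log. The following is an added example, not code from the original report or from
Company M's systems, of what that review looks like in code. It assumes a
hypothetical export with one record per label carrying the SAP reference number,
whether the label was created manually, the address printed on the label, and the
user who created it, plus an export of the reference numbers the order system
actually issued; all records are constructed. It flags manual labels whose address
differs from the order, reference numbers that produced more than one label, and
labels whose reference the order system never issued (the fake reference numbers
the scheme relied on).

```python
"""Daily review of manually created shipping labels (added example).

Assumptions (not from the original report): the label printing bolt-on can
export one record per label, and the order system can export the reference
numbers it issued together with the delivery address on each order.
"""
from collections import defaultdict

# Constructed sample export from the order system: reference -> order address.
ORDERS = {
    "SO-1001": "12 Harbour Rd, Dock 4",
    "SO-1002": "88 Mill Lane",
    "SO-1003": "5 Station Approach",
}

# Constructed sample label log for one day. "manual" is True when the label
# was printed through the bolt-on rather than generated by SAP.
LABELS = [
    {"label_id": "L1", "reference": "SO-1001", "manual": False,
     "address": "12 Harbour Rd, Dock 4", "user": "sap"},
    {"label_id": "L2", "reference": "SO-1002", "manual": True,
     "address": "88 Mill Lane", "user": "wh07"},
    {"label_id": "L3", "reference": "SO-1002", "manual": True,
     "address": "3 Elm Close", "user": "wh07"},          # address changed
    {"label_id": "L4", "reference": "SO-9999", "manual": True,
     "address": "3 Elm Close", "user": "wh07"},          # reference never issued
    {"label_id": "L5", "reference": "SO-1003", "manual": False,
     "address": "5 Station Approach", "user": "sap"},
]


def review_labels(labels, orders):
    """Return the three exception lists a reviewer would look at each day."""
    address_changed = []    # manual labels whose address differs from the order
    unknown_reference = []  # labels for references the order system never issued
    per_reference = defaultdict(list)

    for label in labels:
        per_reference[label["reference"]].append(label["label_id"])
        order_address = orders.get(label["reference"])
        if order_address is None:
            unknown_reference.append(label["label_id"])
        elif label["manual"] and label["address"] != order_address:
            address_changed.append(label["label_id"])

    # SAP issues one label per order, so any reference with more than one
    # label can only have come from the manual path.
    duplicate_reference = {ref: ids for ref, ids in per_reference.items()
                           if len(ids) > 1}

    return {
        "address_changed": address_changed,
        "unknown_reference": unknown_reference,
        "duplicate_reference": duplicate_reference,
    }


def users_to_follow_up(labels, orders):
    """Users who created at least one exception label, sorted for the report."""
    exceptions = review_labels(labels, orders)
    flagged = set(exceptions["address_changed"]) | set(exceptions["unknown_reference"])
    for ids in exceptions["duplicate_reference"].values():
        flagged.update(ids)
    return sorted({lab["user"] for lab in labels if lab["label_id"] in flagged})


if __name__ == "__main__":
    for name, items in review_labels(LABELS, ORDERS).items():
        print(f"{name}: {items}")
    print("follow up with:", users_to_follow_up(LABELS, ORDERS))
```

The unknown-reference check is the one that would have stopped the scheme at its
third step: it needs the order system's list of issued references, which the
bolt-on log alone does not carry, so the review has to join two exports.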


FALSIFYING PRODUCTIVITY FIGURES

Company N has a number of distribution centers, each with productivity targets
relating to the amount of produce they ship in and out in a given period. The
manager of one distribution center would manipulate the carton output figures
to justify the need for additional labor that was not required. This was
possible because the systems have to be manually editable to account for
differences in unit measurement between products (e.g., 30 units per carton,
60 kg per carton). An investigation revealed that the distribution center manager
was taking kickbacks from the contract workers to guarantee them work shifts. The
shifts were very lucrative, and each worker would pay about $2,300 to guarantee
that work. This involved collusion with shift managers and business analysts to
ensure anomalies in productivity ratios were not highlighted.

Discovery:

Analysis of productivity numbers made this particular distribution center stand
out. Ordinarily, the numbers would show some degree of improvement over time.
However, because these numbers were being fixed, they remained fairly steady.

Duration:

~ One year

Cost:

The cost of extra labor was about … million.

Control Updates:

- Company N implemented more regular monitoring of productivity ratios across
all distribution sites.
- Company N instituted periodic review of manipulated carton output to identify
excessive adjustments by any individual, or adjustments that reduce or cease when
that individual is on annual leave.
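Company N's second control update (review manual carton-output adjustments for
excessive edits by one person, or edits that stop when that person is on leave) is
straightforward to automate. The following is an added example, not code from the
original report or from Company N's systems: it assumes a hypothetical audit trail
of manual edits and an HR leave calendar, both constructed here with made-up site
and editor names, and reports editors whose edits dominate a site or cease during
their own leave while the site keeps operating.

```python
"""Review of manual carton-output adjustments (added example).

Assumptions (not from the original report): the warehouse system keeps an
audit trail of manual edits to carton output, and HR can supply leave dates
for the people who make those edits.
"""
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed audit trail: (edit date, site, editor, change to reported cartons).
ADJUSTMENTS = [
    (date(2013, 3, 4), "DC-North", "mgr_a", 120),
    (date(2013, 3, 5), "DC-North", "mgr_a", 95),
    (date(2013, 3, 6), "DC-North", "mgr_a", 110),
    (date(2013, 3, 7), "DC-North", "mgr_a", 130),
    (date(2013, 3, 8), "DC-North", "mgr_a", 100),
    (date(2013, 3, 18), "DC-North", "mgr_a", 115),
    (date(2013, 3, 19), "DC-North", "mgr_a", 105),
    (date(2013, 3, 5), "DC-South", "mgr_b", -12),
    (date(2013, 3, 19), "DC-South", "mgr_b", 8),
    (date(2013, 3, 12), "DC-North", "mgr_c", 6),
]

# Constructed leave calendar: editor -> list of (first day, last day) on leave.
LEAVE = {
    "mgr_a": [(date(2013, 3, 11), date(2013, 3, 15))],
    "mgr_b": [],
    "mgr_c": [],
}
PERIOD_START, PERIOD_END = date(2013, 3, 1), date(2013, 3, 29)


def working_days(start, end):
    """Mon-Fri dates from start to end inclusive."""
    day = start
    while day <= end:
        if day.weekday() < 5:
            yield day
        day += timedelta(days=1)


def adjustments_per_editor(adjustments):
    """Count of edits and total upward change in cartons per editor."""
    counts = Counter()
    upward = defaultdict(int)
    for _, _, editor, delta in adjustments:
        counts[editor] += 1
        if delta > 0:
            upward[editor] += delta
    return {e: {"edits": counts[e], "upward_cartons": upward[e]} for e in counts}


def leave_pattern(adjustments, leave, period_start, period_end):
    """Daily edit rate per editor while on leave versus while at work."""
    all_days = list(working_days(period_start, period_end))
    result = {}
    for editor, ranges in leave.items():
        leave_days = {d for s, e in ranges for d in working_days(s, e)}
        work_days = [d for d in all_days if d not in leave_days]
        on_leave = sum(1 for d, _, e, _ in adjustments if e == editor and d in leave_days)
        at_work = sum(1 for d, _, e, _ in adjustments if e == editor and d not in leave_days)
        result[editor] = {
            "rate_on_leave": on_leave / len(leave_days) if leave_days else None,
            "rate_at_work": at_work / len(work_days) if work_days else 0.0,
        }
    return result


def flag_editors(adjustments, leave, period_start, period_end, share_threshold=0.5):
    """Editors who make a dominant share of edits or whose edits stop on leave."""
    per_editor = adjustments_per_editor(adjustments)
    total = sum(v["edits"] for v in per_editor.values())
    pattern = leave_pattern(adjustments, leave, period_start, period_end)
    flagged = {}
    for editor, stats in per_editor.items():
        reasons = []
        if stats["edits"] / total >= share_threshold:
            reasons.append("dominant share of manual edits")
        p = pattern.get(editor, {})
        if p.get("rate_on_leave") == 0.0 and p.get("rate_at_work", 0) > 0:
            reasons.append("edits cease during own leave")
        if reasons:
            flagged[editor] = reasons
    return flagged


def run_review():
    """Run the review over the constructed period."""
    return flag_editors(ADJUSTMENTS, LEAVE, PERIOD_START, PERIOD_END)


if __name__ == "__main__":
    print(run_review())
```

The leave comparison is deliberately per editor rather than per site: the site's
output continued while the manager was away, so it is the editor's own edit rate
dropping to zero that separates a legitimate unit-conversion workload from one
person's manipulation.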


ABUSING SUPPLIER ACCOUNTS

A business unit of Company Q opened a shipping account with the local postal
service. The account was used for genuine business purposes on two occasions,
after which it lay dormant. A few months later, a member of the public contacted
Company Q, as he had received a package from them containing a money order.
Company Q found that the order had been forged and discovered a further 140
similar cases. None of the money orders had been cashed, and the shipping
service refunded all of the money Company Q had lost as a result of fraudulent use
of its account. Company Q suspects these mailings were likely meant to test
whether controls were in place.

Discovery:

A member of the public contacted Company Q upon receiving a package from them
containing a money order.

Duration:

One month

Cost:

No money was lost.

Control Updates:

- Company Q placed account ownership with business units.
- Company Q instituted a review of shipping receipts, which could be part of a
continuous auditing approach covering payee addresses and shipping logs from the
provider.


MANIPULATING THE BENEFITS SYSTEM

An HR employee at Company P was responsible for managing benefit payments.
She manipulated the system to increase her own payments, taking advantage
of poor segregation of duties. She added funds from the meal ticket and food
voucher systems, unauthorized overtime, transport, and pension benefits. While
manipulating the system, she also caused a number of operational and calculation
errors, causing Company P to lose further money.

Discovery:

Hotline tip

Duration:

Five months

Cost:

The employee stole … worth of additional benefits. The operational and
calculation mistakes made by the employee while committing this fraud cost
Company P a further … .

Control Updates:

- Company P implemented automated segregation of duties controls.
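Both this case and the Company K recruiter-fee case earlier in this section turned
on one person holding two permissions that should never sit together (maintaining
a payee record and releasing payments to it; administering benefits and receiving
them). The following added example, not code from the original report or from
either company's systems, shows the shape of an automated segregation-of-duties
control: a list of toxic permission pairs checked against a constructed access
export, plus a check for payments whose processor is also the payee. Permission
names, user ids, employee ids and amounts are all constructed assumptions.

```python
"""Automated segregation-of-duties check (added example).

Assumptions (not from the original report): an export of the access-control
system listing, per user, the permissions they hold; a mapping from system
user to the employee record they are paid under; and an export of payments
showing who processed each one and which employee received it.
"""

# Constructed permission export: user -> set of permissions held.
ACCESS = {
    "jdoe":   {"recruiter.create", "payment.approve", "budget.view"},  # Company K pattern
    "msmith": {"benefit.maintain", "payroll.run"},                     # Company P pattern
    "alee":   {"recruiter.create"},
    "bkhan":  {"payment.approve"},
}

# Constructed mapping from system user to the employee record they are paid under.
USER_TO_EMPLOYEE = {"jdoe": "E100", "msmith": "E200", "alee": "E300", "bkhan": "E400"}

# Constructed payment export: (payment id, processed by, payee employee id, amount).
PAYMENTS = [
    ("P1", "msmith", "E200", 640.00),   # processor is also the payee
    ("P2", "msmith", "E310", 120.00),
    ("P3", "bkhan", "E300", 300.00),
]

# Pairs of permissions that should never sit with one user: the first lets a
# user create or change who gets paid, the second lets the same user release
# the money. Extend this list for each process the company runs.
TOXIC_PAIRS = [
    ("recruiter.create", "payment.approve"),
    ("vendor.maintain", "payment.approve"),
    ("benefit.maintain", "payroll.run"),
]


def sod_conflicts(access, toxic_pairs):
    """Users holding both halves of any toxic pair, with the pair(s) involved."""
    conflicts = {}
    for user, perms in access.items():
        hits = [pair for pair in toxic_pairs if pair[0] in perms and pair[1] in perms]
        if hits:
            conflicts[user] = hits
    return conflicts


def self_payments(payments, user_to_employee):
    """Payments whose processor is also the payee (matched on employee id)."""
    return [
        pid for pid, user, payee, _ in payments
        if payee is not None and user_to_employee.get(user) == payee
    ]


def enforce(access, toxic_pairs, payments, user_to_employee):
    """Combine both checks into the exception report a control owner reviews."""
    return {
        "sod_conflicts": sod_conflicts(access, toxic_pairs),
        "self_payments": self_payments(payments, user_to_employee),
    }


if __name__ == "__main__":
    report = enforce(ACCESS, TOXIC_PAIRS, PAYMENTS, USER_TO_EMPLOYEE)
    for user, pairs in report["sod_conflicts"].items():
        print(f"{user}: conflicting permissions {pairs}")
    print("self-payments to investigate:", report["self_payments"])
```

The permission check is preventive (run it before a role is granted) while the
self-payment check is detective (run it over each payment batch); Company P's
"automated" control needs both, because a conflict that already exists will not be
caught by gating new grants.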

USING COMPANY RESOURCES FOR A SIDE BUSINESS

Company Q experienced a fraud in one of its international locations. A project lead
was running a private business from a lab he had access to. The lab was in a secure
area of the building and subject to limited oversight. In addition, the employee's
supervisor was located at a different facility. The employee diverted internally
manufactured products and materials and subsequently directed employees and
contractors to assemble products for sale by his private business. It was later
discovered that he attended trade shows during working hours to market his
products and even had boxes in his lab marked with his business's name. He would
manipulate records to make it appear as though the contractors were working on
previously approved projects that he was overseeing for Company Q. The local
culture was very hierarchical, and although other employees were aware of what
he was doing, they did not speak up. After the investigation, some of these
employees were terminated, and others were disciplined.

Discovery:

Hotline tip

Duration:

~ Eight months

Cost:

…; this includes the cost of materials and contractors.

Control Updates:

- Company Q now requires all purchase orders involving contractors to have a
clear statement of work before being initiated.
- The company revisited and reinforced controls over the removal of materials or
stock from company inventory.
- The company revised the reporting relationship for project teams to provide
local supervision.
- The company counseled those employees on the periphery of the event on their
obligations to identify fraud under the company's code of conduct.


CEB SUPPORT

The following steps and activities can help monitor and mitigate risks of asset
misappropriation:

- Ensure robust operating controls and adequate monitoring are in place for
relevant processes such as payroll, accounts payable, accounts receivable,
travel and entertainment, and inventory management.
- Check that duties are appropriately segregated for key processes.
- Use automated methods for tracking physical assets (inventory, office supplies,
etc.) and ensuring accountability for oversight of these.

See our topic center on Transaction Processing for auditing tools, templates, and
best practices for managing financial transactions such as payroll, accounts
payable, accounts receivable, travel and entertainment, and financial closing,
consolidation, and reporting processes.

Also see our topic center on Inventory Management for more tools, templates, and
best practices.


DATA ANALYTICS TESTS

Purchasing

- Run a list of standard industrial codes or vendor names to identify unusual
activity on P-cards.
- Look for invoice or purchase order quantities that do not match goods received
records.
- Search for split purchase orders and payments that circumvent approval limits.

Accounts Payable

- Search payment history for duplicate payments.
- Identify improper warranty calculations.
- Review records for unusual rebates, discounts, and write-offs.
- Look for invoice numbers sequenced unusually close within a given time period.
- Compare bank codes and account numbers from accounts payable with payroll.

Inventory and Stock Control

- Monitor costs greater than sale price.
- Check for unusually high returns, shortages, write-offs, scrappage, and damaged
items.
- Compare delivery addresses with employee addresses.
- Search for unusually high inventory levels and low turnover rates.

Payroll

- Search for ascending/descending social security numbers or other personal tax
identifiers.
- Check for terminated employees with remaining PTO balance.
- Search for payments to employees who have left the organization.
- Monitor pay records for unusual levels of pay rises, bonuses, and overtime
payments.
- Review records for employees with obviously made-up names (e.g., Mickey Mouse).
- Search records for duplicate employee names, addresses, and telephone numbers.

Travel and Expenses

- Review employees' user rights to ensure authorized approval status.
- Look for expense claims exceeding specified allowance thresholds.
- Match expense claims against the approved merchant table.
- Compare expense types for excessive number of claims per day.
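Three of the tests above (split purchase orders that circumvent approval limits,
duplicate payments, and payments to employees who have left) worked through in
code, as an added example that is not part of the original report. The purchase
order, payment and payroll records, the approval limit and the three-day split
window are all constructed assumptions; the invoice-number normalisation shows why
an exact match on "INV 0042" against "inv-0042" would miss a duplicate.

```python
"""Three of the data analytics tests above over constructed data (added example).

Assumptions (not from the original report): purchase orders, payments and an HR
termination list can be exported as plain records with the fields used here.
"""
from collections import defaultdict
from datetime import date, timedelta

APPROVAL_LIMIT = 5000.00          # single-PO approval threshold, assumed
SPLIT_WINDOW = timedelta(days=3)  # POs raised this close together are one purchase

# Constructed purchase orders: (po id, requester, vendor, date, amount).
PURCHASE_ORDERS = [
    ("PO-1", "u01", "V-Acme", date(2013, 5, 6), 4800.00),
    ("PO-2", "u01", "V-Acme", date(2013, 5, 7), 4900.00),
    ("PO-3", "u01", "V-Acme", date(2013, 5, 8), 2100.00),
    ("PO-4", "u02", "V-Acme", date(2013, 5, 6), 4800.00),
    ("PO-5", "u02", "V-Beta", date(2013, 6, 1), 9000.00),
]

# Constructed payment history: (payment id, vendor, invoice number, amount, date).
PAYMENTS = [
    ("PAY-1", "V-Acme", "INV 0042", 1250.00, date(2013, 5, 20)),
    ("PAY-2", "V-Acme", "inv-0042", 1250.00, date(2013, 6, 3)),
    ("PAY-3", "V-Beta", "7781", 9000.00, date(2013, 6, 10)),
]

# Constructed payroll run (employee, pay date, amount) and HR leaver list.
PAYROLL = [("E1", date(2013, 6, 28), 3100.00), ("E2", date(2013, 6, 28), 2900.00)]
TERMINATIONS = {"E2": date(2013, 5, 31)}


def split_purchase_orders(orders, limit=APPROVAL_LIMIT, window=SPLIT_WINDOW):
    """Groups of POs by one requester to one vendor, each under the limit but
    together at or over it, raised within the window of the first one."""
    by_key = defaultdict(list)
    for po in orders:
        if po[4] < limit:
            by_key[(po[1], po[2])].append(po)
    findings = []
    for (requester, vendor), pos in by_key.items():
        pos.sort(key=lambda p: p[3])
        for i, first in enumerate(pos):
            group = [p for p in pos[i:] if p[3] - first[3] <= window]
            total = sum(p[4] for p in group)
            if len(group) > 1 and total >= limit:
                findings.append({"requester": requester, "vendor": vendor,
                                 "pos": [p[0] for p in group], "total": round(total, 2)})
                break  # report each requester/vendor pair once
    return findings


def normalise_invoice(number):
    """Strip spaces, dashes and case so 'INV 0042' and 'inv-0042' collide."""
    return "".join(ch for ch in number.lower() if ch.isalnum())


def duplicate_payments(payments):
    """Payments sharing vendor, normalised invoice number and amount."""
    seen = defaultdict(list)
    for pid, vendor, inv, amount, _ in payments:
        seen[(vendor, normalise_invoice(inv), round(amount, 2))].append(pid)
    return [ids for ids in seen.values() if len(ids) > 1]


def payments_after_termination(payroll, terminations):
    """Payroll lines dated after the employee's recorded termination date."""
    return [emp for emp, pay_date, _ in payroll
            if emp in terminations and pay_date > terminations[emp]]


if __name__ == "__main__":
    print(split_purchase_orders(PURCHASE_ORDERS))
    print(duplicate_payments(PAYMENTS))
    print(payments_after_termination(PAYROLL, TERMINATIONS))
```

The split-PO test keys on requester and vendor together; keying on vendor alone
would also flag PO-4, which a second requester raised independently, and keying on
requester alone would miss splits spread across a requester's several vendors.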


THIRD-PARTY FRAUD

As organizations rely on growing and increasingly complex third-party networks, they
expose themselves to more related risks and fraud, such as kickbacks for contracts
and contractor theft. In 2012, 12% of companies were affected by vendor, supplier, or
procurement fraud. Of the companies affected by multi-perpetrator fraud, 43% reported
the perpetrators were suppliers, and 37% reported they were vendors.8 It's not
surprising that many of our interviewees expressed concern about the risk posed by
third parties and the opportunities for collusion between third parties and
employees. The schemes covered here vary from smaller scale frauds committed by
individuals from third parties to larger scale frauds involving collusion between
vendors.

Figure 2 shows the geographies in which respondents to an EIU/Kroll fraud survey
reported at least one vendor, supplier, and procurement fraud in the past 12 months.

Figure 2: Percentage of Organizations per Region or Country Suffering
at Least One Third Party-Related Fraud in the Past 12 Months

[Bar chart; countries and regions shown: India, Colombia, Latin America,
Indonesia, Mexico; values shown range from 16% to 20% on a 0% to 30% axis.]

Source: Kroll Advisory Solutions, Global Fraud Report: Economist Intelligence Unit
Survey Results, 2012/2013, http://www.krolladvisory.com/library/KRL_FraudReport2012-13.pdf.


FALSIFYING BANK DETAILS

A representative from a vendor fraudulently instructed Company A's accounts
payable department to change the bank details to which payments were sent.
After Company A updated the accounting system with these new bank details, it
made a series of payments to the fraudulent bank account.

Discovery:

The contractor informed Company A that he had not been paid for the previous
months' billings, which led to an investigation and disclosure about the
fraudulent bank account set up by the vendor.

Duration:

Two months

Cost:

…

Control Updates:

- Company A instituted additional controls that require it to perform an
independent confirmation with the vendor whenever payment details are changed.

FAVORING ONE SUPPLIER

Company B has a number of drivers who work in the field, conducting various
services and supporting distribution. Each driver has a fleet card, which is used
to pay for fuel and repairs from preapproved vendors. One vendor was paying
an employee to send a larger portion of the work to his garage. Although the
vendor was legitimate, it was also paying a bribe to an employee of Company B.
The vendor's work was reviewed, and while some of the jobs seem to have
taken slightly longer than normal, it was not possible to prove its work had been
unnecessary.

Discovery:

A member of the public sent a tip to a local manager, who passed it along to HR
and then to Internal Audit.

Duration:

Two years

Cost:

Because Company B could not tell whether the work being done to its vehicles was
absolutely unnecessary, it was hard to determine how much money it lost. Assuming
all the work was legitimate and all the varying suppliers had competitive rates,
the company would not have suffered significant additional costs. The bigger issue
was the employee's actions (acceptance of bribes), which contravened the company's
Standards of Business Conduct and were dishonest and unethical.

Control Updates:

- Company B requested that the procurement department provide a trend analysis
for the suppliers, including fleet suppliers, as part of the regular vendor
maintenance cycle (which includes an evaluation of each supplier).
- Company B now requires the fleet maintenance manager to direct maintenance work
to approved vendors and the fleet manager to approve the expense.


TRAVEL PONZI SCHEME

Company C recommended that all business units use a global travel agent for
all employee travel and hotel stays. The company allowed one business unit
to keep its local provider. This local travel agent was paid for booking various
services, such as flights, hotels, and transfers. If an employee's plans changed and
these arrangements had to be cancelled, the travel agent did not quickly or fully
reimburse the company. Company employees would request reimbursement, but
the agent would give various excuses for the delays, including blaming the airlines
or hotels. When employees were reimbursed, it was not always the correct amount.
During the investigation, Company C learned that there were more than 10 other
corporate clients who were experiencing the same issues. The travel agent had
misappropriated client funds and was taking refunds from one client to pay the
refunds of other clients. Company C severed its business with the travel agent and
referred the matter to local law enforcement.

Discovery:

An expatriate employee of Company C experienced issues with the travel agent and
alerted the appropriate corporate function.

Duration:

… to … months

Cost:

…

Control Updates:

- Company C now requires any of its business entities that do not use the
centrally approved travel vendor to provide a reason why and identify their
compensating controls.

MISUSING THIRD-PARTY SERVICES

One individual at Company D was working with a contract manufacturer at an
operational site. This employee had the contractor purchase gift cards and use
them to recognize the contractor's employees for good work. The contractor would
then charge back the cost of the cards to Company D, and the individual making
the request would approve these expenses. This scheme started out fairly small
but got bigger. Some of the cards may have genuinely been used for recognition,
although that is hard to tell. The Company D individual and contract manufacturer
individuals were terminated.

Discovery:

Internal anonymous allegation

Duration:

A number of years

Cost:

Over …

Control Updates:

- Company D updated its controls relating to third-party contractors' expenses
and receipt of services.


COLLUDING VENDORS

Company E discovered potential collusion between specific vendors during the
RFP process. Upon investigating the RFP process, the company found that, in
some regions, it always received bids from the same two or three contractors. It
would also see the same types of bids with very high and very low quotations.
Company E suspected that the bidders were colluding with each other: one
would win the bid and then use the others for supplies. Company E went outside
its regular process and sent RFPs to companies outside the immediate regions
in which it had projects. It then saw the types of bids it received changing,
with a range of vendor types such as construction, engineering, and design firms.
A number of similar cases have been raised in the same regions in which Company E
suspected these collusions. Company E could not, however, prove the fraud.

Discovery:

During the bidding process, one of the suppliers alleged that an employee at
Company E was given a bribe, which prompted Company E's investigation.

Duration:

Company E could not prove collusion in this case, so it cannot estimate duration.

Cost:

Cost was hard to determine given the nature of the scheme.

Variations:

Some vendors insist on using certain suppliers to support their work. In these
instances, a full background check should be done to ensure no conflict of
interest.

Control Updates:

- Company E added background checks on vendors, including a check with the local
securities exchange commission.
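The indicators Company E noticed (the same two or three bidders on every RFP in a
region, and quotations split between very high and very low) can be computed from
RFP history rather than spotted by eye. The following added example, not code from
the original report or from Company E, does that over constructed bids and adds one
further indicator the page does not mention, rotation of the win among the
recurring bidders, which is a standard bid-rigging red flag. Region names, bidder
names, prices and the spread threshold are all assumptions.

```python
"""Bid-pattern indicators for possible vendor collusion (added example).

Assumptions (not from the original report): RFP results can be exported as one
record per bid with region, RFP id, bidder and quoted price.
"""
from collections import Counter, defaultdict

# Constructed RFP history. In "East" the same three firms bid every time, one of
# them is always far below the other two, and the win passes around the group.
# In "West" the bidder set changes and quotes are close together.
BIDS = [
    ("East", "RFP-1", "BuildCo", 100.0), ("East", "RFP-1", "SteelCo", 180.0),
    ("East", "RFP-1", "DesignCo", 190.0),
    ("East", "RFP-2", "BuildCo", 175.0), ("East", "RFP-2", "SteelCo", 95.0),
    ("East", "RFP-2", "DesignCo", 185.0),
    ("East", "RFP-3", "BuildCo", 170.0), ("East", "RFP-3", "SteelCo", 180.0),
    ("East", "RFP-3", "DesignCo", 90.0),
    ("West", "RFP-4", "BuildCo", 120.0), ("West", "RFP-4", "NorthCo", 115.0),
    ("West", "RFP-4", "PlainCo", 125.0),
    ("West", "RFP-5", "NorthCo", 130.0), ("West", "RFP-5", "PlainCo", 122.0),
    ("West", "RFP-5", "OtherCo", 118.0),
]


def by_region(bids):
    """region -> rfp id -> {bidder: price}."""
    grouped = defaultdict(lambda: defaultdict(dict))
    for region, rfp, bidder, price in bids:
        grouped[region][rfp][bidder] = price
    return grouped


def region_indicators(bids, min_spread=1.5):
    """Per region: share of RFPs with the region's most common bidder set, share
    whose highest quote is at least min_spread times the lowest, and whether
    the lowest bid rotated so that every recurring bidder won exactly once."""
    out = {}
    for region, rfps in by_region(bids).items():
        bidder_sets = Counter(frozenset(b) for b in rfps.values())
        most_common_set, count = bidder_sets.most_common(1)[0]
        wide = sum(1 for b in rfps.values()
                   if max(b.values()) / min(b.values()) >= min_spread)
        winners = Counter(min(b, key=b.get) for b in rfps.values())
        out[region] = {
            "rfps": len(rfps),
            "same_bidder_set_share": count / len(rfps),
            "wide_spread_share": wide / len(rfps),
            "distinct_winners": len(winners),
            "wins_rotate": (len(winners) == len(most_common_set)
                            and max(winners.values()) == 1),
        }
    return out


def suspicious_regions(bids):
    """Regions where all three indicators point the same way."""
    return sorted(r for r, i in region_indicators(bids).items()
                  if i["same_bidder_set_share"] == 1.0
                  and i["wide_spread_share"] == 1.0
                  and i["wins_rotate"])


if __name__ == "__main__":
    for region, ind in region_indicators(BIDS).items():
        print(region, ind)
    print("review:", suspicious_regions(BIDS))
```

None of these indicators proves collusion, as Company E found; their value is in
choosing which regions to send out-of-region RFPs to, which is the step that
changed the bids Company E received.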


ABUSING OVERSIGHT RESPONSIBILITIES

Company F worked with a contractor who was physically in charge of all
purchasing cards at this location, as well as the reconciliation work. Sign-off for
the purchasing card reconciliation statement occurred at a central office, and an
employee there noticed some questionable items being purchased. He notified
Internal Audit, and it did a full review. Internal Audit worked with the security
department on the investigation, and they found that the contractor had not
performed a background check on the employee. When a check was performed, it
found two previous incidents of financial fraud at other companies.

Discovery:

An employee noticed questionable transactions when signing off on
reconciliations.

Duration:

… months

Cost:

…

Control Updates:

- On a monthly basis, Company F now requires cardholders to:
  - sign and date card statements, verifying their review of charges;
  - verify that all receipts are attached to the statement and that receipts are
itemized; and
  - record the business purpose and description of purchases.
- Company F requires management to review expenditures monthly.
- Company F requires that a financial supervisor review spend reports quarterly
to ensure compliance with the purchasing card policy.


CEB SUPPORT

The following steps and activities can help monitor and mitigate third-party risks:

- Ensure clear, consistent supplier selection processes and that operational
standards and conduct to be enforced are clear.
- Conduct early due diligence on the financial health of third parties and their
other relationships and interests.
- Utilize right-to-audit clauses in your contracts with third parties, enabling
you to provide assurance on the control environments of critical vendors,
suppliers, and contractors.
- Be prepared to handle adverse events, and develop process steps and
contingency plans for managing supplier-related issues.
- Conduct (or request third parties to conduct) background checks on key
third-party employees.

For further support, see our Third Parties Management Internal Control
Questionnaire Builder.

Also see a member-donated Third Parties Guideline Work Program.


DATA ANALYTICS TESTS

Sample Data Analytics Tests

- Review the vendor master list for missing or invalid information, such as invalid
tax identifiers, or fields left blank or with null values.
- Compare vendor telephone numbers with company and employee telephone numbers.
- Review vendor addresses against an employee address list.
- Look for PO box addresses.
- Check creation dates of invoices, looking for weekends and public holidays.
- Cross-reference payee bank details of previous transactions.
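The following added example (not code from the original report) runs four of the
tests above over constructed vendor master, invoice and payment-history records:
blank or malformed tax identifiers, PO box addresses, invoices created on weekends
or public holidays, and a payee bank account that differs from every account the
vendor was paid to before. The last check is the data side of the control Company
A adopted after the Falsifying Bank Details case: a changed account is held for
independent confirmation with the vendor before the next payment run. Field names,
the tax-id format, the account identifiers and the holiday calendar are
assumptions.

```python
"""Vendor master and payment-detail checks (added example).

Assumptions (not from the original report): a vendor master export with tax id,
address and bank account fields; an invoice export with creation dates; and a
payment history recording the bank account each payment actually went to.
"""
import re
from datetime import date

# Constructed vendor master records. V1's current account no longer matches
# the account it has always been paid to (the Company A pattern).
VENDORS = [
    {"id": "V1", "name": "Acme Supplies", "tax_id": "12-3456789",
     "address": "14 Foundry St, Leeds", "bank": "GB99-7777"},
    {"id": "V2", "name": "Beta Parts", "tax_id": "",
     "address": "PO Box 771, Luton", "bank": "GB22-0002"},
    {"id": "V3", "name": "Gamma Ltd", "tax_id": "99-0000000",
     "address": "P.O. Box 12, Hull", "bank": "GB33-0003"},
]

# Constructed public holidays for the period under review.
PUBLIC_HOLIDAYS = {date(2013, 5, 27)}

# Constructed invoices: (invoice id, vendor id, creation date).
INVOICES = [
    ("I1", "V1", date(2013, 5, 24)),   # Friday
    ("I2", "V2", date(2013, 5, 26)),   # Sunday
    ("I3", "V3", date(2013, 5, 27)),   # public holiday
]

# Constructed payment history: (payment id, vendor id, account paid, date).
PAYMENT_HISTORY = [
    ("P1", "V1", "GB11-0001", date(2013, 3, 1)),
    ("P2", "V1", "GB11-0001", date(2013, 4, 1)),
    ("P3", "V1", "GB11-0001", date(2013, 5, 1)),
]

PO_BOX = re.compile(r"\bp\.?\s*o\.?\s*box\b", re.IGNORECASE)
TAX_ID = re.compile(r"^\d{2}-\d{7}$")   # assumed format for the sample data


def vendor_master_exceptions(vendors):
    """Vendors with a blank or malformed tax id, or a PO box address."""
    out = {}
    for v in vendors:
        reasons = []
        if not TAX_ID.match(v["tax_id"]):
            reasons.append("blank or invalid tax id")
        if PO_BOX.search(v["address"]):
            reasons.append("PO box address")
        if reasons:
            out[v["id"]] = reasons
    return out


def off_calendar_invoices(invoices, holidays):
    """Invoices created on a weekend or a public holiday."""
    return [inv for inv, _, d in invoices if d.weekday() >= 5 or d in holidays]


def bank_detail_changes(vendors, history):
    """Vendors whose current account differs from every account they were paid
    to before. Vendors with no payment history are new and need the normal
    onboarding verification instead, so they are not listed here."""
    paid_to = {}
    for _, vendor, account, _ in history:
        paid_to.setdefault(vendor, set()).add(account)
    changed = []
    for v in vendors:
        previous = paid_to.get(v["id"])
        if previous and v["bank"] not in previous:
            changed.append((v["id"], sorted(previous), v["bank"]))
    return changed


def pending_confirmations(vendors, history):
    """Vendor ids to confirm out of band before the next payment run."""
    return [vid for vid, _, _ in bank_detail_changes(vendors, history)]


if __name__ == "__main__":
    print(vendor_master_exceptions(VENDORS))
    print(off_calendar_invoices(INVOICES, PUBLIC_HOLIDAYS))
    print(bank_detail_changes(VENDORS, PAYMENT_HISTORY))
```

The bank-change check compares against payment history rather than against the
previous master record, so a change that was entered and then reverted between two
reviews, or entered twice, still surfaces as long as no payment has yet gone to
the new account.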


CONFLICTS OF INTEREST

As many of our interviewees expressed, conflicts of interest pose a persistent
(albeit mostly low) level of fraud risk. Nonetheless, it is important to minimize
incidents of conflicting interests, as they can damage reputation and cause
financial loss. Among our interviewees, one of the most common conflicts of interest
involves an employee with financial or family interests in another entity, such as a
customer or vendor. These situations can lead to excessive payment for potentially
lower-quality or unnecessary services, either for an organization or its clients.
Existing third-party relationships can suffer if they perceive the vendor selection
process to be unfair.

Many of our interviewees stressed how hard it is to quantify financial loss
resulting from conflicts of interest. For example, where family and friends are
hired to provide services, it is not always possible to determine if the services
provided were actually required or if they could have been completed more
cost-effectively or to a higher standard by a different provider.

Many of our interviewees stressed the importance of educating employees in emerging
markets to help prevent conflicts of interest. In many countries, employees may be
unaware that conflicts of interest are forbidden, may be unclear when conflicts of
interest occur, or may simply believe that they are doing the right thing by using
services from people they already know and trust. A clear, well-communicated code
of conduct and third-party selection policy followed by training can help address
this issue.

Figure 3 shows the regions reporting the highest levels of loss to conflicts of
interest fraud.

Figure 3: Percentage of Organizations per Region or Country Suffering at
Least One Conflicts of Interest-Related Fraud in the Past 12 Months

[Bar chart; regions and countries shown: USA, Gulf Arab States, Canada, Africa,
Brazil; values shown range from 14% to 25% on a 0% to 30% axis.]

Source: Kroll Advisory Solutions, Global Fraud Report: Economist Intelligence Unit
Survey Results, 2012/2013, http://www.krolladvisory.com/library/KRL_FraudReport2012-13.pdf.


CIRCUMVENTING HUMAN RESOURCE CONTROLS

Company A has account executives (AEs) responsible for running client accounts.
As a company policy, AEs always need to involve the centralized support
teams (such as HR, Accounting, and Procurement) and follow clear policies
and procedures when hiring new employees and procuring goods and services
on behalf of clients. However, a tenured and well-respected AE was making
these decisions unilaterally without involving the centralized business support
teams. The AE would hire friends and family to work for the client. He would
also manipulate staff expense reports as a means of paying them unapproved
bonuses. For example, the AE would reimburse the team administrative assistant
for mileage costs, despite the administrative assistant having no reason to drive
for business purposes. Apart from the expenses, other damages might exist, as
the services provided could have cost less or been of higher quality. Because no
evidence suggested the AE took personal benefit, it was difficult to prosecute
him. The AE commented that the account was managed as if it were the AE's
own business.

Discovery:

An employee submitted a hotline tip that she was being asked to submit fabricated
expense reports. Interviews began to reveal other procurement issues. Upon further
investigation, the company discovered other policy breaches relating to HR and
accounting.

Duration:

… to … years

Cost:

… to … million; this amount was an extrapolation made by the forensic accountants
based on an analysis of invoices and expense claims.

Control Updates:

- Company A reviewed and improved various controls for management and oversight,
procurement, and expense processing.
- The company established more connection and oversight from central business
support hubs to provide independent reviews and approvals relative to procurement
and accounting. For example, HR is now involved in all hiring decisions, and the
company charged the central procurement hub with establishing and leading a more
formal vendor due diligence, selection, and setup process on the account.


INAPPROPRIATE HIRING PRACTICES

An employee at Company B identified a vendor who could provide the company
with fulfillment and printing services. The vendor, who was also the employee's
personal friend, could not handle the workload and hired the employee's wife
to help. On occasion, the employee also helped his wife with the work. The wife
was paid a significant fee for her work. This situation was not disclosed to the
employee's manager or to the ethics department, despite being a conflict of
interest for personal gain. In addition, the employee developed a unique name and
marketing idea, which the employee's wife trademarked. Company B convinced
the wife to release the trademark back to them. The review did not detect that
the company was overcharged for the services rendered. The employee was
terminated.

Discovery:

Two company employees reported their suspicions to the ethics department.

Duration:

… to … months

Cost:

The investigation did not note a dollar loss since the work was done.

Control Updates:

- Company B retrained relevant employee team(s) on the ethics policy.
- The company revised its indirect procurement process to allow more transparency
of marketing service vendors.

KEEPING BUSINESS IN THE FAMILY

Company C uncovered an incident in which an employee's family member was
being paid to provide travel agent services. The travel agent received higher
commissions for his work than would ordinarily be allowed. Company C has
experienced a number of these types of conflicts of interest, and often these
suppliers are overpaid for their work.

Discovery:

Through a routine audit of the division

Duration:

Several years

Cost:

… to … million

Control Updates:

- Company C no longer solely sources goods/services and ensures there are
multiple levels of approval.


EMPLOYEE-OWNED SUPPLIER

Three employees from Company D set up their own supply company. They knew
that certain services were required at Company D and chose to capitalize on this
opportunity. While supplying Company D, one of the co-owners of the supply
company was processing the invoices. Because the invoices were purposely being
maintained at a level that did not exceed this individual's approval authority level,
they never went any higher in the organization for approval. Company D could
not prove fraud because it received the services it paid for. However, it was able to
prove that employees violated the company's Standards of Business Conduct. The
awarding of this supplies contract had not gone through an official RFP process.

Discovery:

A hotline tip

Duration:

About two years

Cost:

N/A

Control Updates:

- Company D implemented a new procurement process of mandatory background
checks using the government registry of businesses and validation that vendors
are not also employees.
- Company D also runs these background checks and validations when contracts are
up for renewal.
- Company D created a team responsible for making decisions regarding awarding of
contracts.
- Company D elaborated on the standards of business conduct and revamped its
training program. Previously, employees read through the code of conduct once a
year with their supervisors. Now they have an annual online training module that
includes a test each person has to take and pass with at least … .


CEB SUPPORT

The following steps will help you establish a strong conflict of interest policy:

- Clearly define the types of activities, interests, and relationships that
constitute a real or perceived conflict of interest. Successful conflicts of
interest policies address specific industry and geographical considerations, while
emphasizing what is required of employees, including approval and reporting
obligations.
- Use examples and realistic scenarios. Train your employees to recognize how
conflicts of interest materialize, and provide clear guidance to effectively avoid
and report these situations.

See Johnson & Johnson's Purchasing Code of Conduct, which touches on conflicts of
interest for employees involved in purchasing.

Also see guidance on creating Effective Procurement Codes of Conduct, which
provides considerations for embedding conflict of interest concerns in the
procurement code of conduct.


DATA ANALYTICS TESTS

- Check the vendor and employee master file for vendor addresses that match
employee addresses.
- Compare employee bank payment information to the accounts payable vendor file.
- Compare the vendor master file to the HR benefits file for matching names or
contact details of employee dependents or employee beneficiaries.
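The three tests above, together with the vendor-versus-employee address and
telephone comparisons listed under the third-party tests earlier, are all
cross-file matches that fail when fields are compared verbatim ("(0113) 555-0100"
against "0113 555 0100"). The following added example, not code from the original
report, normalises addresses, telephone numbers and bank accounts before matching
a constructed vendor master against constructed employee and HR benefits files,
and also looks for a dependent's name inside a vendor name. All names, ids,
addresses, numbers and account values are constructed.

```python
"""Cross-file matching between vendor, employee and HR benefits files
(added example).

Assumptions (not from the original report): the three files can be exported with
the address, telephone, bank account and dependent fields used here. Matching is
on normalised values so formatting differences do not hide a match.
"""
import re

# Constructed vendor master.
VENDORS = [
    {"id": "V1", "name": "Acme Supplies", "address": "14 Foundry St., Leeds",
     "phone": "(0113) 555-0100", "bank": "GB11 0001"},
    {"id": "V2", "name": "J Smith Consulting", "address": "7 Orchard Way, York",
     "phone": "01904 555 0123", "bank": "GB22 0002"},
    {"id": "V3", "name": "Mary Jones Design", "address": "22 High St, Hull",
     "phone": "01482-555-0199", "bank": "GB33 0003"},
]

# Constructed employee master and HR benefits file (dependents / beneficiaries).
EMPLOYEES = [
    {"id": "E1", "name": "John Smith", "address": "7 Orchard Way, York",
     "phone": "01904 5550123", "bank": "GB220002"},
    {"id": "E2", "name": "Ann Lee", "address": "3 Mill Rd, Leeds",
     "phone": "0113 555 0142", "bank": "GB44 0004"},
]
BENEFITS = [
    {"employee": "E2", "dependent": "Mary Jones", "phone": "01482 555 0199"},
]


def norm_text(s):
    """Lower-case, replace punctuation with spaces and collapse whitespace."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", s.lower()).split())


def norm_digits(s):
    """Keep digits only, for telephone and bank account comparison."""
    return re.sub(r"\D", "", s)


def vendor_employee_matches(vendors, employees, benefits):
    """Sorted (vendor id, employee id, field) triples where a vendor field
    equals an employee's, or an employee dependent's, normalised value."""
    index = {}
    for e in employees:
        index.setdefault(("address", norm_text(e["address"])), []).append(e["id"])
        index.setdefault(("phone", norm_digits(e["phone"])), []).append(e["id"])
        index.setdefault(("bank", norm_digits(e["bank"])), []).append(e["id"])
    for b in benefits:
        index.setdefault(("dependent_name", norm_text(b["dependent"])), []).append(b["employee"])
        index.setdefault(("dependent_phone", norm_digits(b["phone"])), []).append(b["employee"])

    matches = set()
    for v in vendors:
        probes = [
            ("address", norm_text(v["address"])),
            ("phone", norm_digits(v["phone"])),
            ("bank", norm_digits(v["bank"])),
            ("dependent_phone", norm_digits(v["phone"])),
        ]
        # A dependent's full name appearing inside the vendor name is also a hit.
        vendor_name = norm_text(v["name"])
        probes += [k for k in index if k[0] == "dependent_name" and k[1] in vendor_name]
        for key in probes:
            for emp in index.get(key, []):
                matches.add((v["id"], emp, key[0]))
    return sorted(matches)


if __name__ == "__main__":
    for vendor, employee, field in vendor_employee_matches(VENDORS, EMPLOYEES, BENEFITS):
        print(f"vendor {vendor} matches employee {employee} on {field}")
```

A vendor that matches an employee on several independent fields (V2 here: address,
telephone and bank account) is a much stronger lead than a single-field match, so
the report keeps one line per field rather than collapsing them.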


ASSET
MISAPPROPRIATION

INFORMATION SECURITY AND CYBER FRAUD

Although benchmarking indicates that misappropriation of assets is the most prevalent
form of fraud, our interviewees expressed that IT-related fraud poses the greatest threat
and uncertainty. The potential reputational impact of this fraud and the complexity of
technology systems make it harder to assess and monitor risks.
Some members expressed concern about external threats of cybercrime (e.g., from foreign
governments or competitors accessing intellectual property or customer data). However,
many were more concerned about internal, employee-driven cyber fraud. Research shows
that 71% of chief information security officers identify staff as being the greatest threat
to data security.10 Further research shows that in the past 12 months, organizations have
experienced an average of 55 employee-related fraudulent acts in the IT and information
security areas. These incidents include accessing private customer data or using a
colleague's credentials to gain access rights or bypass segregation of duty controls.11
CEB research shows that, in the second quarter of 2013, risk managers felt that cyber
security risk increased in terms of both likelihood and impact.12 Despite the increased risk
and concern, only 20% of organizations feel effective at stopping these attacks.13

Figure 4: Increase in Perceived Likelihood and Impact of Cyber Security Risk
[Bar chart; y-axis: Relative Percent Increase from Q1 2013, 0% to 60%. Bars: Likelihood 55%, Impact 39%.]

Source: CEB Analysis.


Figure 5 shows the average cost of rectifying damage caused by a cyber attack in
various geographies.

Figure 5: Average Cost of a Cyber Attack, in Millions of US Dollars
[Bar chart; y-axis $0 to $10. Countries shown: Australia, United Kingdom, Germany, Japan, United States. Bar values as extracted: $8.9 (United States, per the source article), $5.9, $5.1, $3.3, $3.2.]

Source: Ellen Messmer, "Cyber Attacks in U.S. Cost an Average $8.9 Million Annually to Clean Up, Says Study," CIO,
8 October 2012, http://www.cio.com/article/718246/Cyberattacks_in_U.S._Cost_an_Average_8.9_Million_
Annually_to_Clean_Up_Study_Says?taxonomyId=3191.

The financial cost is not the only impact of cyber attacks. Respondents to a survey
from the Ponemon Institute also cite the loss of intellectual property, a decline in
productivity, lost revenue, and reputational damage as some of the other negative
impacts of a cyber attack or intrusion.14

During our interviews, members expressed particular concern about organizations
being unaware of hacking and data theft incidents. For example, organizations may
only become aware of intellectual property fraud when competitors release products
using the stolen intellectual property, causing victim organizations to lose years of
work and millions of investment dollars.
Another significant concern raised during our interviews is the impact of uncoordinated
access rights to multiple systems. Although limited access rights to an individual
system might prevent data misuse, one employee's combined access rights to a
number of systems may actually create an opportunity for fraud. Because aggregate
levels of system access can be greater than an organization would ideally allow,
organizations need to take a broader approach to assessing access controls.
Further complicating the issue of building strong IT controls is the fact that preventive
IT controls can hinder productivity, particularly where organizations move toward
ever leaner and more agile operations. As such, many organizations, in a bid to allow
greater flexibility, rely more on detective controls than preventive controls. When
organizations move away from preventive controls to aid productivity, they must
ensure strong detective controls are in place.
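The "broader approach" to access review described above, as an added example that is not code from the CEB document: the per-system entitlement extracts, the user names and the segregation-of-duties rule table are constructed assumptions. It contrasts a system-by-system review with one that first aggregates every user's entitlements across systems, and shows that two of the three toxic combinations are only visible in the aggregated view.

```python
"""Aggregate access review across systems.

Added example, not code from the CEB document. The entitlement extracts and the
segregation-of-duties rule table are constructed assumptions for illustration.
"""
from collections import defaultdict

# Constructed entitlement extracts, one list per system, as (user, entitlement) pairs.
ENTITLEMENTS = {
    "erp": [("jsmith", "VENDOR_MAINTAIN"), ("jsmith", "AP_INVOICE_ENTRY"), ("rpatel", "AP_INVOICE_ENTRY")],
    "banking": [("rpatel", "PAYMENT_RELEASE"), ("alopez", "PAYMENT_RELEASE")],
    "hr": [("alopez", "PAYROLL_EDIT")],
    "payroll": [("alopez", "PAYROLL_RUN")],
}

# Constructed SoD rules: pairs no single person should hold, whichever systems grant them.
TOXIC_COMBINATIONS = [
    ("VENDOR_MAINTAIN", "AP_INVOICE_ENTRY", "create a vendor and enter invoices against it"),
    ("AP_INVOICE_ENTRY", "PAYMENT_RELEASE", "enter an invoice and release its payment"),
    ("PAYROLL_EDIT", "PAYROLL_RUN", "edit payroll master data and run payroll"),
]


def aggregate_entitlements(entitlements):
    """Collapse per-system extracts into {user: {entitlement: set(systems)}}."""
    view = defaultdict(lambda: defaultdict(set))
    for system, grants in entitlements.items():
        for user, ent in grants:
            view[user][ent].add(system)
    return view


def sod_conflicts_per_system(entitlements, rules=TOXIC_COMBINATIONS):
    """What a system-by-system review sees: only pairs granted inside one system."""
    findings = []
    for system, grants in entitlements.items():
        held = defaultdict(set)
        for user, ent in grants:
            held[user].add(ent)
        for user, ents in held.items():
            for left, right, desc in rules:
                if left in ents and right in ents:
                    findings.append((user, desc, [system]))
    return findings


def sod_conflicts_aggregated(entitlements, rules=TOXIC_COMBINATIONS):
    """What the broader review sees: pairs held across any combination of systems."""
    findings = []
    for user, ents in aggregate_entitlements(entitlements).items():
        for left, right, desc in rules:
            if left in ents and right in ents:
                findings.append((user, desc, sorted(ents[left] | ents[right])))
    return findings


if __name__ == "__main__":
    print("per-system review:", sod_conflicts_per_system(ENTITLEMENTS))
    print("aggregated review:", sod_conflicts_aggregated(ENTITLEMENTS))
```

The same shape works with real extracts: export (user, entitlement) pairs from each system, map local role names onto a shared vocabulary, and run the rule table over the merged view; the rule table is the control, so it needs the same ownership and change review as any other.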


THEFT OF CLIENT IDENTITIES

An IT employee at Company A had access to a database of personally identifiable
information for one of Company A's clients. He would access the information and
send it to friends outside the company who used it to apply for credit cards.

Discovery: Some of the victims received letters about credit cards they had
not applied for. The connection was made that their information had been taken
from a workplace database, which in turn was linked back to Company A.

Duration: ~Three months

Cost: Company A did not lose any money but could have lost a multimillion dollar
account.

Control Updates:
Company A instituted stronger access controls and more monitoring of who has
access to personally identifiable information.
Company A introduced a system-generated report that is created on a regular basis
and shows who has access to sensitive information and how often they access it.
These reports create an audit trail that can be reviewed regularly and are
automatically sent to a senior manager.

THEFT OF CORPORATE IDENTITIES

Company B experienced an external Internet fraud. An organized criminal group
created replicas of their website using very similar web addresses and
screenshots of Company B's website. The group used these sites to create a mask
of credibility. Then, posing as senior executives from Company B, the fraudsters
approached smaller suppliers and enquired about purchasing high-end products on
credit. The fraudsters arranged to have the products posted to decoy locations
in Company B's home country. A person at the decoy location would then be paid a
fee to repost the goods to the fraudsters, who were not in the same country.

Discovery: One of the suppliers called Company B to verify the credit card
details they had been given. The card was not associated with Company B.

Duration: It was hard to establish how long the scheme had been going on. Once
discovered, it took [number illegible in source] days to take down the websites.

Cost: Because Company B was not the primary victim, it has not felt any financial
loss. However, the scheme creates the potential for reputational damage.

Control Updates:
Company B increased the legal team's web monitoring for replicas of Company B's
website.
Company B sought to reduce the risk of personal identification theft of the
C-suite. This investigation demonstrated how public it is, for example, with
signatures being available on annual reports and other personal information
available in public filings (e.g., age, prior work experience, academic history).

CIRCUMVENTING IT ACCESS CONTROLS

Company C requires staff to use authentication keys as part of a multilevel
security process for accessing company networks. These keys generate codes
that change every 30 seconds. An employee at Company C had administrative
rights over the authentication system, whereby she could issue temporary keys
for those who had forgotten theirs at home, as well as reset the codes they
generated. She would abuse these rights by submitting expense reports and then
immediately assigning a temporary code to her manager and using this to log in
to his computer and approve these reports.

Discovery: Managerial oversight picked up on expense reports being submitted for
a staff member who had no need to submit them.

Duration: Less than one year

Cost: More than [amount illegible in source]

Control Updates:
Company C removed administrative rights to reset codes.
Company C decided that if an employee forgets his or her authentication key, he
or she cannot be given a temporary one and will have to return home to get it.
Company C made plans to implement a new system that uses a different type of
encryption.

ABUSING WEAK SECURITY CONTROLS

Company D provides online accounts for its customers. Due to a weakness in some
of Company D's security processes, someone managed to gain access to this
customer data. These weaknesses allowed external fraudsters to gain access to
customer service representatives over the phone and secure account passwords
using just a few pieces of personal information they found. For example, the
fraudsters might have addresses, dates of birth, or personal tax numbers. They
would then call the customer service lines with this information and have the
customer service representative reset passwords while they were on the phone.
Once they had access to the accounts, the fraudsters would use this access to
gain goods and services from Company D.

Discovery: When Company D sent correspondence to customers confirming changes
made on their accounts, the customers told the company they had not requested
such changes.

Duration: A few months

Cost: [not given]

Control Updates:
Company D no longer allows passwords to be changed over the phone.
The company now only contacts customers using previously provided e-mail or home
addresses to allow password changes.

PURCHASING EMPLOYEE LOG-IN CREDENTIALS

A group of current and former contract employees working for Company E were
purchasing the network log-in credentials of current and/or departing Company E
employees. The group would solicit active customers of Company J with offers to
reduce their monthly bills in exchange for cash payments. Once the customers made
the cash payments, the group utilized the compromised IDs to access the
customers' account profile and adjust it to reduce their monthly fees.

Discovery: Company E's revenue assurance team initially discovered unusual
patterns of data activity caused by the aforementioned schemes. However, the
scheme was broken open by an employee solicited by the group. The employee
informed Company E's security organization, who investigated and determined that
certain operator log-in credentials had significantly more patterns of unusual
activity than others. These were the log-in credentials that had been purchased.

Duration: ~One year

Cost: [amount illegible in source] million in revenue loss

Control Updates:
Company E tightened user access controls, especially for departing employees.
Company E enhanced analytical reporting.
The company deleted older or expired billing rates from the network.

SOPHISTICATED PHISHING ATTACKS

Two senior executives at Company F received phishing e-mails, which appeared to
come from a trusted source in the IT department. The e-mails asked for user names
and passwords. On two separate occasions, different recipients provided this
information. With that information, the fraudsters flooded Company F's networks
with spam, resulting in a central server needing to be taken down and restored.
On the other occasion, they introduced a virus into a central drive, and although
nothing was stolen, all of the file names were changed, making them useless. It
took an entire weekend for the IT team to restore network access and the file
names. Although this did not lead to a direct theft, it demonstrated a
significant weakness that can aggravate fraud risk.

Discovery: IT identified both instances while monitoring server activity. With
the spamming, IT noticed a significant increase in activity; with the virus, IT
noticed the server file names had been changed. IT linked both back to the
phishing e-mails when the senior executives reported issues with their PCs and a
potential larger issue, which led to the discovery of prior actions that may have
allowed access to Company F's systems.

Duration: Two individual instances

Cost: No financial or data loss occurred. However, it was inconvenient and time
consuming for IT to rectify issues with the networks.

Control Updates:
Company F increased focus on staff cyber risk awareness.

CEB SUPPORT
Consider the following steps to ensure your organization has a strong information security program in place:
Conduct an extensive information risk assessment to support effective identification, evaluation, and communication of IT and security-related risks.
Provide tools and information to help stakeholders, such as project managers, run local risk assessments.
Work closely with Information Security to understand what risks they see, and coordinate efforts and resources where necessary. Educate staff on key policies and behavioral expectations for IT and information risk.
Continually educate staff about the dangers of phishing schemes and the risks of mobile devices, data privacy, and cloud computing.
Closely monitor the changing information security environment, including risks posed by ever-changing areas such as social networking and mobile devices.
Update policies to fit the changing risk environment.

Listen to the replay of our webinar on Audit's Response to IT Security Risks 2012.
In the audit reference center, we house a sub-module that provides material on auditing IT security and risk management. Specifically, the sub-module provides the following resources:
ICQ Builder Tool: Information Security
Network Security Risk and Control Catalog
IT General Controls: User Access Management
Audit Plan Hot Spots Resource Center

DATA ANALYTICS TESTS15

Monitor networks for access from unusual locations.
Monitor network access for higher than expected levels of activity at unusual
times, such as public holidays or weekends.
Look for unusually large amounts of proprietary information being downloaded or
e-mailed.
Monitor unusual activity, such as excessive access, for users with security
administration capabilities.
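The four monitoring tests above, run over a small constructed access log, as an added example that is not code from the CEB document: the log format, the per-user baseline countries, the holiday calendar, the user names and every threshold are assumptions. The log is built inline and contains one event pattern that trips each test, so the output shows what each test surfaces and what it leaves alone (a single holiday login, for instance, stays below the off-hours limit).

```python
"""Four access-log tests from the list above, run over a constructed log.

Added example, not code from the CEB document. The log format, the per-user
baseline countries, the holiday calendar and all thresholds are assumptions.
"""
import csv
from collections import Counter, defaultdict
from datetime import date, datetime
from io import StringIO

HEADER = "timestamp,user,src_country,bytes_out,action,is_admin\n"

# Constructed log. 2013-06-15 is a Saturday; 2013-07-04 is in the holiday set below.
SAMPLE_LOG = HEADER + "".join([
    "2013-06-14T10:00:00,jsmith,US,1200,login,0\n",
    "2013-06-15T02:10:00,jsmith,US,1500,login,0\n",
    "2013-06-15T02:15:00,jsmith,US,850000000,download,0\n",
    "2013-06-17T09:00:00,rpatel,IN,2000,login,0\n",
    "2013-06-17T09:30:00,rpatel,IN,4000,download,0\n",
    "2013-07-04T11:00:00,rpatel,US,900,login,0\n",
    "2013-06-17T08:00:00,alopez,US,300,login,1\n",
] + [f"2013-06-17T08:{m:02d}:00,alopez,US,300,read_secret,1\n" for m in range(5, 17)])

BASELINE_COUNTRY = {"jsmith": "US", "rpatel": "US", "alopez": "US"}   # assumed baseline
HOLIDAYS = {date(2013, 7, 4)}                                         # assumed calendar
OFF_HOURS_EVENT_LIMIT = 1           # more than this many weekend/holiday events is unusual
TRANSFER_LIMIT_BYTES = 500_000_000  # per user per day
ADMIN_EVENT_LIMIT = 10              # per security-admin user per day


def parse_log(text):
    """Parse the CSV log into typed event dicts."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        events.append({
            "ts": datetime.fromisoformat(row["timestamp"]),
            "user": row["user"],
            "country": row["src_country"],
            "bytes_out": int(row["bytes_out"]),
            "action": row["action"],
            "is_admin": row["is_admin"] == "1",
        })
    return events


def unusual_locations(events, baseline=BASELINE_COUNTRY):
    """Test 1: access from a country other than the user's baseline."""
    return sorted({(e["user"], e["country"]) for e in events
                   if baseline.get(e["user"]) not in (None, e["country"])})


def off_hours_activity(events, holidays=HOLIDAYS, limit=OFF_HOURS_EVENT_LIMIT):
    """Test 2: users with more than `limit` events on weekends or public holidays."""
    counts = Counter(e["user"] for e in events
                     if e["ts"].weekday() >= 5 or e["ts"].date() in holidays)
    return {u: n for u, n in counts.items() if n > limit}


def large_transfers(events, limit=TRANSFER_LIMIT_BYTES):
    """Test 3: (user, day, bytes) where outbound volume in one day exceeds `limit`."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["user"], e["ts"].date())] += e["bytes_out"]
    return sorted((u, d, n) for (u, d), n in totals.items() if n > limit)


def excessive_admin_activity(events, limit=ADMIN_EVENT_LIMIT):
    """Test 4: (user, day, count) for security-admin users with more than `limit` events."""
    counts = Counter((e["user"], e["ts"].date()) for e in events if e["is_admin"])
    return sorted((u, d, n) for (u, d), n in counts.items() if n > limit)


def run_all(text=SAMPLE_LOG):
    events = parse_log(text)
    return {
        "unusual_locations": unusual_locations(events),
        "off_hours": off_hours_activity(events),
        "large_transfers": large_transfers(events),
        "admin_activity": excessive_admin_activity(events),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(name, hits)
```

In production the baseline country and the thresholds come from the users' own history (for example a rolling 90-day median) rather than fixed constants, and the admin test is best keyed on the privileged action itself rather than on an account flag.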


CORRUPTION AND BRIBERY

Corruption and bribery continue to pose a significant risk, with 39% of respondents in a
recent Ernst & Young survey reporting that bribery or corrupt practices occur frequently
in their countries.16 The majority of those we interviewed feel that bribery and corruption
are more prevalent in emerging markets. A recent CEB survey supports this, showing that
employees are more likely to observe improper payments in emerging markets (Figure 6
below). Nonetheless, such fraud can occur in more mature business environments and not
just in emerging markets. When bribes are actively encouraged by senior management,
the reputational risk and financial penalties are much higher.

Regulators have heightened their focus on improper payments to government officials
across jurisdictions. With convictions on the rise and penalties increasing, this type of
fraud risk deserves considerable attention. Unlike most other fraud, it involves the
collusion between a company insider who brokers a payoff and an outsider who receives
the payment.

Figure 6: Percentage of Employees Who Observed or May Have Observed Improper Payments17
[Bar chart; y-axis 0% to 16%. Regions shown: Australia and Oceania, Europe, North America, Asia, Middle East and Africa, Central and South America. Bar values as extracted: 15.5%, 10.6%, 7.4%, 4.4%, 4.2%, 3.4%. Sample sizes shown: n = 13,735; n = 94,681; n = 11,109; n = 1,556; n = 4,792; n = 2,358.]

Source: CEB analysis.

Corruption and bribery violations not only lead to huge operational and financial losses
but also significantly damage company reputation and brand value. The penalties in such
cases may be in the form of fines, the suspension of operating licenses, and even prison
sentences for individuals involved. The ACFE's 2012 Report to the Nations shows that
organizations in Asia reported a median loss of $250,000, and those in Africa reported a
median loss of $350,000 as the result of corruption.18

A quick breakdown of corruption cases by industry shows that out of the reported fraud
cases from organizations in the mining, utilities, and oil and gas industries, 50% or more
involved some form of corruption (Figure 7).

Figure 7: Percentage of Cases Involving Corruption Out of Total Fraud Cases by Industry (as reported to ACFE)
[Bar chart; y-axis 0% to 80%. Industries shown: Transportation and Warehousing; Banking and Financial Services; Government and Public Administration; Wholesale Trade; Agriculture, Forestry, and Fishing; Real Estate; Technology; Oil and Gas; Utilities; Mining. Bar values as extracted: 77.8%, 58.3%, 50.0%, 47.4%, 42.9%, 40.0%, 37.0%, 36.2%, 36.1%, 35.1%.]

Source: Association of Certified Fraud Examiners, Report to the Nations on Occupational Fraud and Abuse, 2012, http://www.
acfe.com/uploadedFiles/ACFE_Website/Content/rttn/2012-report-to-nations.pdf.

As we heard from many of our interviews, a number of factors can contribute to corruption
and bribery frauds:
Weak anti-corruption and anti-bribery policies,
Lack of anti-corruption compliance and control mechanisms,
Weak due diligence procedures related to the third parties, and
Inability to understand and address cultural differences.

USING MIDDLEMEN TO BRIBE OFFICIALS

Company A caught senior executives funneling money out of the company and
paying bribes to help secure contracts. These kickbacks were paid to people in
authority, such as politicians and union officials, through middlemen, who were
designated as suppliers. These suppliers were paid for services rendered, but they
were intangible services, so it was hard to track what Company A had received.
These middlemen would take a cut of the payment and then pass on the rest to the
identified recipients. Some of the middlemen were also designated as consultants.
One of the senior executives circumvented an internal control by falsifying
documentation, which is used to confirm the legitimacy of consultants that are
used by Company A. Other senior executives signed these documents without
questioning what they were being told.

Discovery: External enforcement agencies investigated and discovered this scheme.

Duration: A number of years

Cost: The money lost cannot be quantified as the real loss relates to the
company's reputation and its ability to win or bid on future contracts.

Control Updates:
Company A now sources all consultants and vendors.
Company A revised its code of ethics.
The company also implemented ethics training.

IMPROPERLY USING TRAINING AND EDUCATION FUNDS

A subsidiary of Company B misused funds that were intended to provide training
and education to a local, government-owned insurance company. A large portion
of these funds were used to reimburse officials from the government insurance
company for non-training-related expenses, including travel with spouses to
overseas tourist destinations. Other uses could not be determined from the
records of Company B, but the expenses provided no clear business purpose.

Discovery: An internal investigation uncovered this fraud. Company B
self-reported to the Securities and Exchange Commission.

Duration: ~Eight years

Cost: Company B paid a [amount illegible in source] million penalty for violating
the FCPA and an additional penalty of [amount illegible in source] million to a
local regulator.

Control Updates:
Company B updated internal control standards for compliance, bookkeeping, and
internal controls.

Source: The United States Department of Justice.

BRIBING OFFICIALS TO AVOID SCRUTINY

Representatives of Company C made improper payments to two government
inspectors. The government inspectors were responsible for reviewing two
operating plants owned by Company C to ensure they adhered to local health
and safety laws. Payments were initially made to the inspectors' wives, who were
listed on Company C's payroll even though they did not provide any services to
Company C. Later, the wives were removed from the payroll, and payments were
made directly to the inspectors for fake services. Although officials at Company
C knew about these payments, it took two years for its counsel to advise them to
cease payments.

Discovery: An internal investigation uncovered this fraud. Company C voluntarily
disclosed this to the Securities and Exchange Commission.

Duration: ~Two years

Cost: Bribes paid amounted to [amount illegible in source]. Company C paid a
penalty of [amount illegible in source] million.

Control Updates:
Company C updated its internal controls relating to payments.

Source: The United States Department of Justice.

HIDING BRIBES AS CHARITABLE DONATIONS

Company D was dealing with government officials in a foreign country while
working on bids for contracts. One government official requested that Company D
donate to a specific charity. After the company made the payment, it learned that
the government official's wife was on the board of the charity. Although the FCPA
does not prohibit charitable donations, the pretense of charity cannot be used as
a means of funneling inappropriate payments.

Discovery: Company management and their counterparts in another region
expressed concern. The company sent someone to do a quick background check,
which revealed the nature of the payment.

Duration: [number illegible in source] months

Cost: [not given]

Control Updates:
Company D decided that all donation proposals have to be approved by the head
office rather than local management.
They now use Sponsorium to record and track sponsorships and donations.

MANIPULATING THE PUBLIC TENDER PROCESS

Representatives of one of Company E's subsidiaries made improper payments to
foreign officials of various government health care facilities. The payments were
made to increase the likelihood that public tenders for the sale of equipment
would be awarded to the company. Company E would submit the technical
specifications of its equipment to officials drafting tenders, who then
incorporated these specifications into contracts as being requirements.
Incorporating the specifications of Company E's equipment in the tenders'
requirements greatly increased Company E's chance of being awarded the bids. In
addition, some of the health care officials involved in the arrangements with
Company E also decided whom to award the tenders, and when Company E was awarded
the contracts, employees of Company E's subsidiary paid the officials the
improper payments.

Discovery: Company E became aware of this misconduct when local officials
conducted searches of three of Company E's offices and arrested two Company E
employees. Company E self-reported its internal investigation to the SEC and the
Department of Justice.

Duration: ~Eight years

Cost: Company E agreed to pay disgorgement of [amount illegible in source] and
prejudgment interest of [amount illegible in source] to the United States
Treasury.

Control Updates:
Company E established strict due diligence procedures related to the retention
of third parties, formalized and centralized its contract administration system,
enhanced its contract review process, and established a broad-based verification
process related to contract payments.
The company significantly revised its global business principles policies and
continually revises the policies to keep them current and relevant.
Company E introduced and enhanced an anticorruption training program that
includes a certification process and a variety of training applications to reach
broadly and effectively.

Source: SEC Enforcement Actions.

BRIBING OFFICIALS FOR OPERATIONAL EASE

Company F's subsidiary paid bribes to government and customs officials to
ensure smooth importation of company products in a foreign country. The
purpose of the bribes, paid through its customs broker, was to import the
products without the necessary paperwork, avoid inspection of prohibited
products, and avoid inspection by customs officials. Once the scheme was
discovered, Company F self-disclosed the facts to the relevant authorities.

Discovery: Company F discovered this problem after it put in place an enhanced
compliance program and began training its employees.

Duration: ~Four years

Cost: Company F agreed to pay [amount illegible in source] in disgorgement and
[amount illegible in source] in prejudgment interest during a settlement with
the SEC.

Control Updates:
Company F implemented new compliance training.
It strengthened internal controls and procedures for third-party due diligence.
It then conducted a risk assessment of its major operations worldwide to identify
any other compliance problems.

Source: SEC Enforcement Actions.

TAKING BRIBES FOR SECURING BUSINESS DEALS

Company G used a third-party supplier that had a steering committee to review
market needs and business opportunities. One of Company G's employees
requested to be on the third party's steering committee. Since the vendor was a
large supplier of Company G, senior management approved the request. Every
time Company G used the supplier, the employee on the steering committee got
3% of the contract value as a kickback.

Discovery: The vendor company was small and was soon bought out by a large
corporation. When the larger corporation (also a supplier of Company G) did
their due diligence, they found the bribe and notified them.

Duration: [number illegible in source] months

Cost: [not given]

Control Updates:
Company G no longer allows employees to participate on supplier steering
committees.

CEB SUPPORT
Organizations need to take a strong stand on anti-bribery and anti-corruption
compliance and be particularly mindful of risks in international divisions,
Procurement, and Operations. The following steps will help you establish and
implement an effective anti-corruption program:
Understand regulatory requirements, recent enforcement decisions, the relative riskiness of your operations, and corporate culture to maximize the consistency and effectiveness of your anti-corruption program.
Educate staff on bribery and corruption by contextualizing the risk. For example, ensure training covers common corruption and bribery scenarios they may come across.
Tailor your policy, training approach, and communication materials to maximize impact in local business units.
Ensure employees understand their responsibilities in relation to the organization's code of conduct.
Reinforce the anti-corruption message by maintaining strong and consistent disciplinary action for perpetrators and those who are complicit through their silence.

See our Comply with Anti-Corruption Mandates topic center to help you:
Understand regulatory requirements,
Create employee training to combat corruption and bribery,
Audit for compliance with anti-corruption mandate, and
Assess third-party risk and perform due diligence.

DATA ANALYTICS TESTS

Sample Data Analytics Tests
Check for particularly large payments to consultants and/or intermediaries or
payments that are just below the dual signature threshold or are made on the last
day of the quarter, tax year, etc.
Review manual transactions posted to donations and gifts accounts, sundry
accounts, commissions accounts, lobbying accounts, and other expense ledgers.
Compare the list of vendors to whom payments have been made to an external
list of prohibited vendors by matching tax number, address, and names.
View payments by country, then use Transparency International's ratings (per the
Corruption Perception Index) to confirm that the vendor and the service or good
are valid.
Analyze expense reports and vendor payments for buzzwords such as "gift,"
"donation," and others.
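The payment-level tests in the list above (large intermediary payments, amounts just below the dual-signature threshold, period-end payments, manual postings to sensitive accounts, the prohibited-vendor match on tax number, address and name, and the keyword scan), run over a constructed ledger as an added example that is not code from the CEB document. The payment records, the prohibited-vendor list, the threshold values, the account names and the keyword list (where "sponsorship" is an added assumption beyond the two words the page names) are all constructed. The country-rating test is left out because it needs an external index.

```python
"""Payment-level tests from the list above, run over a constructed ledger.

Added example, not code from the CEB document. The payment records, the
prohibited-vendor list, the dual-signature threshold, the sensitive account
names and the keyword list are constructed assumptions.
"""
import calendar
import re
from datetime import date

DUAL_SIGNATURE_THRESHOLD = 10_000       # assumed second-signature limit
JUST_BELOW_MARGIN = 0.10                # flag amounts within 10% below the limit
LARGE_INTERMEDIARY_PAYMENT = 50_000     # assumed "particularly large" consultant payment
INTERMEDIARY_ACCOUNTS = {"consulting", "commissions"}
SENSITIVE_ACCOUNTS = {"donations", "gifts", "sundry", "commissions", "lobbying"}
KEYWORDS = {"gift", "donation", "sponsorship"}   # "sponsorship" is an added assumption

# Constructed payment records.
PAYMENTS = [
    {"id": "P1", "vendor": "Northwind Advisory", "tax_id": "TX-100", "address": "1 Elm St",
     "amount": 95_000, "date": date(2013, 6, 30), "account": "consulting", "manual": False,
     "description": "Advisory services Q2"},
    {"id": "P2", "vendor": "Office Depot Ltd", "tax_id": "TX-200", "address": "4 Park Ave",
     "amount": 9_800, "date": date(2013, 5, 14), "account": "supplies", "manual": False,
     "description": "Printer toner"},
    {"id": "P3", "vendor": "Helping Hands Foundation", "tax_id": "TX-300", "address": "9 Lake Rd",
     "amount": 5_000, "date": date(2013, 4, 2), "account": "donations", "manual": True,
     "description": "Donation for local school"},
    {"id": "P4", "vendor": "Blue Customs Broker", "tax_id": "TX-400", "address": "2 Port Way",
     "amount": 1_500, "date": date(2013, 9, 30), "account": "freight", "manual": False,
     "description": "Customs clearance fees"},
    {"id": "P5", "vendor": "Acme Paper", "tax_id": "TX-500", "address": "6 Mill Rd",
     "amount": 2_000, "date": date(2013, 7, 10), "account": "supplies", "manual": False,
     "description": "Copy paper"},
]

# Constructed external list of prohibited vendors.
PROHIBITED_VENDORS = [{"name": "Blue Customs Broker", "tax_id": "TX-400", "address": "2 Port Way"}]


def _norm(text):
    """Lower-case, strip punctuation, collapse whitespace."""
    return " ".join(re.sub(r"[^\w\s]", " ", text.lower()).split())


def is_period_end(d):
    """Last day of a calendar quarter (which includes the 31 December tax-year end)."""
    return d.month in (3, 6, 9, 12) and d.day == calendar.monthrange(d.year, d.month)[1]


def prohibited_match(payment, prohibited=PROHIBITED_VENDORS):
    """Match on tax number, normalised name, or normalised address."""
    for p in prohibited:
        if (_norm(payment["tax_id"]) == _norm(p["tax_id"])
                or _norm(payment["vendor"]) == _norm(p["name"])
                or _norm(payment["address"]) == _norm(p["address"])):
            return True
    return False


def run_payment_tests(payments=PAYMENTS):
    """Return (payment id, test name) for every test a payment trips."""
    findings = []
    low = DUAL_SIGNATURE_THRESHOLD * (1 - JUST_BELOW_MARGIN)
    for p in payments:
        if p["account"] in INTERMEDIARY_ACCOUNTS and p["amount"] >= LARGE_INTERMEDIARY_PAYMENT:
            findings.append((p["id"], "large_intermediary_payment"))
        if low <= p["amount"] < DUAL_SIGNATURE_THRESHOLD:
            findings.append((p["id"], "just_below_dual_signature"))
        if is_period_end(p["date"]):
            findings.append((p["id"], "period_end_payment"))
        if p["manual"] and p["account"] in SENSITIVE_ACCOUNTS:
            findings.append((p["id"], "manual_posting_sensitive_account"))
        if prohibited_match(p):
            findings.append((p["id"], "prohibited_vendor"))
        words = set(_norm(p["description"]).split())
        for kw in sorted(KEYWORDS & words):
            findings.append((p["id"], f"keyword:{kw}"))
    return findings


if __name__ == "__main__":
    for payment_id, test in run_payment_tests():
        print(payment_id, test)
```

A payment that trips several tests at once (here P1 and P4) is the natural place to start a review; the individual tests are deliberately loose, and the value is in the intersection rather than in any single hit.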


END NOTES
1. Association of Certified Fraud Examiners, Report to the Nations on Occupational
Fraud and Abuse, 2012, http://www.acfe.com/uploadedFiles/ACFE_Website/Content/
rttn/2012-report-to-nations.pdf.
2. CEB 2013 RiskClarity Quarterly, https://audit.executiveboard.com/Members/Popup/
Download.aspx?cid=101217380. In this CEB survey, misconduct includes but is not
limited to fraud, conflicts of interest, inappropriate giving or receiving of gifts, improper
payments, data privacy violations, and stealing company property.
3. Association of Certified Fraud Examiners, Report to the Nations on Occupational
Fraud and Abuse, 2012, http://www.acfe.com/uploadedFiles/ACFE_Website/Content/
rttn/2012-report-to-nations.pdf.
4. CEB 2013 RiskClarity Quarterly, https://audit.executiveboard.com/Members/Popup/
Download.aspx?cid=101217380.
5. CEB 2013 Managing Effective Relationships with the Business Auditee Survey.
6. CEB, Unlocking Information Traps 2.0, 2011.
7. Please see this link for more examples of data analytics tests in these areas: https://audit.
executiveboard.com/Members/Popup/Download.aspx?cid=100107464&scAuth=true.
8. Kroll Advisory Services, Global Fraud Report, 2012/2013, http://www.krolladvisory.com/
library/KRL_FraudReport2012-13.pdf.
9. Please see this link for more examples of data analytics tests in these areas: https://audit.
executiveboard.com/Members/Popup/Download.aspx?cid=100107464&scAuth=true.
10. Antony Savvas, "Internal Staff Still Pose the Biggest Security Risk," Computer
World, 9 October 2012, http://www.computerworlduk.com/news/security/3360651/
internal-staff-still-pose-thebiggest
11. The Ponemon Institute, The Risk of Insider Fraud, February 2013, http://www.attachmate.
com/assets/Ponemon_2012_Report.pdf.
12. CEB Q2 2013 Emerging Risks Report, https://audit.executiveboard.com/Members/
Popup/Download.aspx?cid=101217380.
13. The Ponemon Institute, Big Data Analytics in Cyber Defense, February 2013, http://
www.ponemon.org/local/upload/file/Big_Data_Analytics_in_Cyber_Defense_V12.pdf.
14. The Ponemon Institute, Big Data Analytics in Cyber Defense, February 2013, http://
www.ponemon.org/local/upload/file/Big_Data_Analytics_in_Cyber_Defense_V12.pdf.
15. Please see this link for more examples of data analytics tests in these areas: https://audit.
executiveboard.com/Members/Popup/Download.aspx?cid=100107464&scAuth=true.
16. Ernst & Young, 12th Global Fraud Survey, 2012, http://www.ey.com/Publication/
vwLUAssets/Global-Fraud-Survey-a-place-for-integrity-12th-Global-FraudSurvey/$FILE/EY-12th-GLOBAL-FRAUD-SURVEY.pdf.
17. Employees were asked if they had observed a violation of law or company policy in the
past 12 months. This data includes employees who responded "yes" or "not sure/don't
know."
18. Association of Certified Fraud Examiners, Report to the Nations on Occupational
Fraud and Abuse, 2012, http://www.acfe.com/uploadedFiles/ACFE_Website/Content/
rttn/2012-report-to-nations.pdf.

ADDITIONAL CEB SUPPORT

Below are key steps for managing fraud risk with links to CEB's fraud support.
Conduct a fraud risk assessment. Then use our fraud risk database to understand how
different frauds may manifest themselves within the business and what red flags to
look out for.
Provide fraud awareness training for the internal audit department to educate and
create awareness about fraud in the organization. Research suggests that organizations
can decrease their exposure to fraud by as much as 50% if they successfully create
awareness about fraud and fraud-related policies.
The presentation covers various aspects of fraud, including:
Fraud Risk Assessment
Foreign Corrupt Practices Act (FCPA)
Fraud Prevention
Fraud Detection
Fraud Reporting
The purpose of this presentation is to help the internal audit department spread
awareness about fraud and decrease the probability of fraud occurring.
Ensure compliance with anti-corruption mandates, and provide staff training to
improve awareness at all levels of the organization.
Use our online fraud training resources to complete self-paced learning and enhance
your skills and business acumen. The curricula provide users with a series of audiovisual
lessons covering a range of topic areas. Many courses offer self-study continuing
education credits.