In Risk Fraud Survey 2018 Noexp PDF

India Corporate Fraud
Perception Survey 2018

Edition III
For Private circulation only Forensic
India Corporate Fraud Perception Survey, Edition III
Contents
Section 1: The state of corporate fraud 06
Key findings: On fraud sentiment, top frauds experienced by respondents, reasons for
fraud, average fraud loss, profile of a fraudster, and commitment to tackling fraud 06
Insight #1: Bribery and Corruption prevention efforts need to focus on evolving risks 11
Insight #2: Who will the future fraudster be? 13
Section 2: The approach to fraud prevention, detection and response 14
Key findings: On fraud prevention efforts undertaken by respondents,

views on fostering an ethical mindset, use of technology in fraud
prevention and detection, and response to fraud 14
Insight #1: A new approach to adopting technology to mitigate fraud 21
Insight #2: Impact of IoT devices on fraud investigations 23
Insight #3: Considerations when going legal with a corporate fraud case 24
Section 3: The impact of anti-fraud regulation on corporate fraud 26
Key findings: Perceptions on the effectiveness of recent and

upcoming anti-fraud regulation, and challenges to compliance 26
Insight #1: Impact of regulatory interventions on anti-fraud efforts 28
Insight #2: Impact of the Insolvency and Bankruptcy Code (IBC) on fraud 30
Insight #3: Implications of the Personal Data Protection Bill 2018 on
fraud risk management efforts 32
The future of fraud – Insights on what to expect in the fraud landscape 34
Insight #1: Cybercrime – what’s new? 35

Insight #2: Fraud risk management 2.0 – what does the future look like? 36
Insight #3: Using bots for due diligence – Are we there yet? 38
Insight #4: Next generation monitoring systems – lessons from the development sector 39
Insight #5: Building the anti-fraud sentiment in entrepreneurship 41
Acknowledgements and About the survey 43
03
04
Introduction
Close to a decade after the largest financial Undoubtedly technology is helping
collapse in Indian corporate history, organisations better manage the risk of
organisations continue to be exposed to fraud. Bolstered by the outcomes they have
corporate fraud, misconduct, and non- seen over the last two years, organisations
compliance. In this decade, organisations are now investing in the next level of anti-
have experienced financial misstatement, fraud technologies that rely on machine
bribery and corruption, large-scale supply learning, artificial intelligence and robotic
chain leakages and grey marketing of process automation platforms (that enable
products, data theft due to large scale use of software robot devices or ‘bots’1).
hacking, ransomware attacks, and Technology has also perhaps made it easy
regulatory noncompliance. to identify and preserve evidence as we see
a rising number of organisations seeking
The quantum of frauds discovered over legal recourse to fraud.
the years in India and the associated
modus operandi continue to pose Unlike our past surveys, respondents also
challenges towards developing effective appeared to demonstrate rising optimism
anti-fraud strategies. While technology for regulatory measures taken by the
has enabled business processes, has government in preventing fraud. Although,
it perhaps complicated fraud risk there is skepticism on how strongly some
management efforts? Is today’s fraudster of these legislations may be enforced in
more emboldened than before? Can new the long run, recent successes such as the
legislations effectively curb fraudulent recoveries made through the IBC route for
practices? banks battling fraud and mismanagement
in their non-performing assets (NPAs),
Responses to the third edition of our are indicative that the government and
survey indicate that organisations appear corporates are willing to work together to
confident of tackling fraud and are making create an ethical business climate in the
the necessary investments to deploy country.
effective fraud risk mitigation strategies.
I hope you find this survey report useful
Organisations are increasingly recognising and relevant to your pursuits in building an
that fraud is not only a result of ethical enterprise.
macroeconomic trends such as diminishing
ethical values in society, but also of an
internal systemic/ cultural loophole that
can be plugged by stronger controls with
limited overrides. Resultantly, the impact
of investments made towards building a
better anti-fraud ecosystem appears to be
bearing fruit, with organisations being able
to estimate fraud losses more accurately
now than what they have indicated in
our past surveys. Further, respondents
indicated awareness of and significant
knowledge on the behavior of fraudsters Nikhil Bedi
and an optimism towards identifying Partner and Leader – Forensic
suspicious behaviors early on, with a view Financial Advisory, Deloitte India
to prevent fraud.
1
Bots rely on a set of commands that may tell them what tasks to perform. The first generation of bots
performed repetitive jobs with regular human intervention, whereas the current generation of bots are
undertaking work that is autonomous in nature and don’t need human intervention for long periods of time.
05
Section 1
The state of corporate fraud
Key Findings
About 58% of survey respondents
believe that incidents of fraud will
rise in the next two years.
58%
Yes
The top three reasons for fraud include (in that order): Lack of an efficient internal control/
compliance system, diminishing ethical values, and senior management override of controls
#1
#2
#3
#4
#5
#6
#7
Lack of an Diminishing Senior Inadequate due Unrealistic Technological Poorly enforced

efficient ethical values management diligence on targets/ advancements and code of conduct
internal control/ override of employees/third goals linked shift of business within the
compliance controls party associates to monetary to a virtual company
system compensations environment
resulting in limited
preventive controls
06
A majority of survey respondents indicated that their organisations had not experienced any fraud.
Among those that did experience fraud, misconduct, and noncompliance, the top three schemes
were: Vendor/customer/business partner favoritism, inventory pilferage, and diversion/theft of
funds.
Which of the following types of fraud/misconduct/malpractice has your organisation experienced in the last two years?
38%
33%
19%
18% 17%
14%
13%
10% 9%
8% 8%
5%
3% 3% 2%
My Inventory Bribery and Regulatory Data Leakage of eCommerce Fraud due to

organisation pilferage corruption non- theft or sensitive related frauds use of bots,
has not compliance breach information, artificial
experienced including intelligence
any fraud corporate
and related
espionage
technologies
Vendor/ Diversion/ Supply Internet Financial Counterfeiting Intellectual
customer/ theft of chain fraud and/or misreporting property
business funds Cyber fraud fraud
partner
favouritism
07
Procurement (30%), vendor selection (18%), and sales and marketing (15%) were identified as
processes most vulnerable to fraud.
Which process do you believe is the most vulnerable to fraud risks?
1% HR
1%
Customer
service
3%
Logistics and
transportation
3%
Facilities
management
5%
Supply chain
management
5%
Administration (including
licenses and liaison with
government agencies)
6%
8% 11% 18% 30%
Loan/Equity
financing activities Finance and Sales and Vendor/Partner Procurement
accounting, marketing selection and
7% including management
Information treasury
technology management
08
About 49% of respondents indicated losing more than INR 10 Lakhs (INR 1 Million) in fraud losses
in the recent past. A little more than a quarter of respondents indicated that they were unable to
quantify their fraud loss.
Over the last two years, what

do you feel has been the extent
of fraud loss suffered by your
organisation? 16% INR 10-100 mn (INR 1 Crore – 10 Crore)
26% INR 1-10 mn (INR 10 Lakhs – 1 Crore)
26% Less than INR 1 mn (INR 10 Lakhs)
7% Over INR 100 mn (INR 10 Crore)
26% Unable to quantify the fraud loss
Junior and middle management employees were identified as being most likely to commit fraud. The
primary motivation to commit fraud was identified as the ability of the fraudster to improve his/her
financial position (57%), and the confidence of not being caught in the act (23%). Hearteningly, the
majority of respondents (64%) believe that suspicious behaviors in employees can be identified early
on and dealt with appropriately to prevent fraud.
Who do you feel is most likely In your opinion, what is the primary motivation for a
to commit a fraud? fraudster to commit fraud?
3% Customer 57% Ability to improve his/her

4% Customer financial position
7% Others (e.g. hackers) 23% The confidence of not being
caught in the act
20%
Third party associates 5% The confidence of not being
including contractors, terminated should he/she
vendors, suppliers, be caught
agents, etc.
4% Thrill of doing something
forbidden
25%
4% Earning bragging rights
Senior management
within his/her community
(of peers, friends, etc.)
4% Revenge for being treated

unfairly by the organisation
42% 3% Others
Junior and middle
management
employees
09
Although the majority of respondents (50%) believed that their organisations had allocated adequate
budget to deal with fraud-related risks, they felt there wasn’t enough commitment from the business
community at large to address fraud.
In your opinion, do you think there is enough commitment from the business community at large to address fraud?
20%
44%
36% Yes
No
Don’t know/Unsure
4%
My organisation has allocated
more than adequate budget
15%
My organisation
14%
has allocated 46%
My organisation has
significantly less Yes, my organisation
allocated less than
than adequate has allocated
adequate budget 21%
budget adequate budget
Don’t know if the budget
allocated is adequate or not
Do you believe your organisation has allocated adequate budget and resources to deal with fraud-related risks?
Some questions allowed for respondents to provide multiple choices. For those questions, the total percentage will exceed 100%.
Our observations
Unlike the past two editions of the fraud undertaken several initiatives to improve have been adopted by corporates in
survey where there was pessimism India’s perception among the global the last three to four years in India. We
on the state of corporate fraud and its investor community and one of its focus believe better integration of data from
continued prevalence in the future (with areas is to reduce opportunities for fraud varied systems could help further limit
over 80% of past survey respondents and corruption. the possibility of such frauds in the
indicating fraud would persist), responses future. In addition, organisations need
to this edition of the fraud survey indicate Organisations are also increasingly to focus on better identification and
a rising confidence in organisations’ recognising that fraud is not only a result management of conflicting relationships.
abilities to manage fraud. This can of a macroeconomic trend of diminishing
possibly be attributed to the changing ethical values, but also of internal A significant trend indicated in this survey
fraud landscape and responses to fraud systemic loopholes that can be plugged appears to be the ability of respondent
by the regulatory ecosystem. by better controls and limited overrides. organisations to estimate fraud losses
As fraud schemes get sophisticated, more accurately than they have in
There is greater sensitivity to the they are aware that there needs to be our past surveys. Respondents also
reputational damage that corporate greater focus on preventive controls, appeared to have significant knowledge
fraud, misconduct, and noncompliance necessitating adequate investments in of the behaviour of fraudsters, and
can cause, thanks to actions taken these areas. optimism towards identifying suspicious
by regulatory bodies (in India and behaviours in employees with a view to
overseas) in the recent past – whether The top fraud schemes identified remain prevent fraud. All these factors point to
by introducing new anti-fraud and consistent with our past survey findings, a maturity in fraud prevention efforts
related legislations or through stronger despite the prevalence of automated that may likely be a result of investments
enforcement action on existing systems and additional controls to made towards building a better anti-fraud
provisions. The government too has manage the concerned fraud risks that ecosystem.
10
Insights
#1: Bribery and corruption prevention efforts need to focus on evolving risks
Bribery and corruption have been key to investigate and prosecute companies reduced opportunities for bribery
risks in developing countries such as worldwide. Thailand in 2016 established and corruption. In India, procurement
India. In the last few years however, it a Criminal Court for Corruption cases for government contracts has to be
appears that the perception about this that now covers all corruption cases undertaken under the General Financial
risk among organisations in India has involving individuals and the state3. Rules 2017, which lays out a transparent
reduced, as indicated by our survey Vietnam’s new penal code now includes bidding process based on financial and
respondents: Bribery and corruption bribery related charges and criminalises technical acumen. It also allows bids to be
no longer features in the top three private sector bribery4. In addition to uploaded on an e-procurement website
risks faced by corporates in India. The the legislative changes, coordination to ensure transparency.
perception may also be bolstered by the between regulators, government
fact that India’s ranking on the World agencies around the world, as well as The Indian government has taken
Bank’s Ease of Doing Business report international agencies such as the World other measures in the last few years to
2018 has significantly improved, making it Bank, has also led to regulatory action prevent corruption as well as reduce
the top ranked country in South Asia for in multiple jurisdictions along with the black money and increase the tax payer
the first time2. blacklisting of some entities across base. This includes constituting a special
jurisdictions, thereby impacting business investigation team to look into the black
Internationally as well as closer home prospects for companies5. As a reaction economy upon whose recommendations
in India, a number of stringent laws to these legislative changes, several the Black Money (Undisclosed Foreign
have been introduced in the last corporates have adopted anti-bribery Income and Assets) and Imposition of
decade that impose severe penalties and corruption control measures within Tax Act, 2015, was enacted. This move
on companies caught indulging in their organisations. was followed by the income declaration
bribery and corruption. Laws such as scheme in 2016 encouraging defaulters
the Prevention of Corruption Act 2018, Increasing digitisation of finance, anti- to report undisclosed income for
in India, the UK Bribery Act, and even money laundering restrictions, and reasonable financial penalties. Later that
the recent Sapin II law introduced in increasing transparency of procurement year the government enacted the Benami
France provide authorities with power processes around the world have also Transaction (Prohibition) Amendment Act,
2
https://economictimes.indiatimes.com/news/economy/indicators/ease-of-doing-business-india-jumps-23-notches-now-at-rank-77/articleshow/66445814.cms
3
Source: https://globalcompliancenews.com/anti-corruption/anti-corruption-in-thailand/#bookmark33
4
Source: https://www.tilleke.com/resources/anti-corruption-law-under-vietnam%E2%80%99s-new-penal-code
5
Source: https://www.financialexpress.com/industry/several-indian-companies-debarred-by-world-bank-in-2018-check-the-list-here/1336282/
11
2016, and announced demonetisation As the perceived risk from bribery and •• Undertake bribery risk assessment at
of select high value currency notes. The corruption falls, it becomes imperative least once a year.
Indian government has also pushed for corporates to regularly scrutinise
•• Undertake due diligence – pre-
for large-scale digitisation of financial their control measures and carry out
employment due diligence, third party
transactions paving the way for electronic periodic audits to identify evolving areas
due diligence in case of business
wallet companies and peer-to-peer of risk. With the pace of change in the
relationships and monitoring of political
money transfer platforms to operate in business and regulatory environment,
and charitable donations/ transactions.
the country. At the grassroots level, it organisations should continue to
instituted the Digital India programme remain vigilant. Some best practices to •• Segregate duties, rotation of auditors
for transfer of subsidies into beneficiary consider that are based on the recently and restrictive use of cash.
accounts. Further, the introduction of introduced ISO 37001:2016 (Anti-bribery
•• Establish a whistleblowing mechanism
the Goods and Services Tax (GST), select management systems) standard include
and commissioning independent
demonetisation of high value currency the following:
investigations into complaints received.
notes and Aadhaar adoption, were
•• Establish an anti-bribery policy,
measures undertaken by the government •• Ensure ongoing training and awareness
including a gifts policy. In our view,
to improve transparency and reduce campaigns for employees and business
a gifts policy needs to be labelled
dependence on cash6. All these measures partners.
separately, listing aspects as such as the
have contributed to India’s rise in the
value of gifts permissible and a register
Ease of Doing Business 2018 index and
for recording gifts received and sent.
tried to reduce bribery and corruption in
the country. •• Appoint an anti-bribery compliance
function with appropriate competence,
authority, and independence.
6
Source: https://timesofindia.indiatimes.com/business/india-business/three-key-reforms-improved-transparency-says-arun-jaitley/articleshow/61675105.cms
12
# 2: Who will the future fraudster be?

As innovation aids the development of •• Typically an employee or a connection •• Women are beginning to be identified
newer and more futuristic technologies, it of an employee of the organisation as fraudsters, although it is a negligible
also enables a perpetrator whose mission where the fraud is unearthed. proportion of the total population. As
is to exploit these technologies. they remain in the workforce longer,
•• Between the ages of 35-45 for frauds
they may not be exempt from the
such as vendor collusion, procurement
Fraudsters are increasingly becoming temptation of making a fast buck
fraud, falsification of reimbursement
more collaborative, more brazen, and through fraud.
claims etc., that is typically orchestrated
extremely creative in terms of their
from within an organisation; typically
intrusion techniques. We have seen Although fraud can present itself in
these employees are educated to at
fraudsters circumventing normal means myriad forms, the fraudster responsible
least a graduate level, know the system
of communication (such as instant for carrying out the act is still a human
working inside out and tend not to be
messaging platforms and email) and being motivated by behavioural factors.
involved in business decisions.
moving towards less known media (such Understanding the mindset of employees
as in-app chats which are chat features •• Between the ages of 21-35 for frauds and ensuring that they are challenged
within apps, games, eCommerce and such a phishing, vishing, man-in-the- and given enough opportunities to
social networking sites). We have also middle email spoofing etc., that is achieve their professional goals can
seen fraudsters walking through the typically orchestrated from outside significantly reduce the intentions to
‘front door’ of organisations unlike their an organisation and these fraudsters carry out fraud.
traditional modus operandi of looking for are technologically savvy but may not
backdoor access in hacking cases. have formal education, only a knack for
network manipulation.
Through all of this, it is clear that the
•• Junior and middle management
profile of a fraudster is no longer what
employees in employment with the
it used to be. A person sitting behind a
organisation for a period of 2-7 years.
desk exploring control loopholes out of
In cases where employees with larger
monotony or curiosity is a thing of the
employment durations are involved (say
past.
beyond 7 years), the quantum of fraud
loss can increase exponentially.
Based on our experience and our survey
results, below is a list of indicators of
what a future fraudster could be:
13
Section 2
The approach to fraud prevention,
detection, and response
Key Findings
Accountability for fraud: The majority of respondents said that the Board and CEO/ Managing Director
had a responsibility to prevent fraud, whereas fraud detection was the responsibility of internal and
external auditors. Fraud investigation was identified as the responsibility of the audit committee and
the board.
71% 69%
46%
41% 40% 37%
10% 8%
Prevention
62% 61%
37% 34% 33%

24%
10%
Detection
37%
28%
21% 21% 21% 20% 19% 17%
Investigation
8% 8%
5%
3% 3%
2%
1% 1%
Not applicable
Board Audit CEO/Managing Chief Financial Risk & Chief Internal External
Committee Director Officer Compliance Information auditors auditors
Head Security Officer
14
The top three measures taken to prevent fraud include: instituting periodic internal audit, taking
serious action and using that to set an example within the organisation, and asking independent
auditors to conduct audit regularly. Fraud risk management measures were reviewed differently by
different organisations, with 22% of respondents indicating they did so quarterly and 28% indicating
they did so annually. About 23% of respondents said they didn’t review their fraud risk measures
unless they encountered an incident.
What measures does your organisation adopt to prevent incidents of fraud?
78%
63%
54%
49% 48% 46%
39%
37% 35%
29%
24%
21%
Institute periodic Internal Audit Conducting an ongoing due diligence check (Third party/Senior
Management/Business associate, etc.)
Take serious action in case of incidents of fraud and use such instances
to set an example within the organisation to prevent future frauds Fraud risk assessment/monitoring of fraud control frameworks—
either manually or using technology such as fraud analytics and fraud
We have independent auditors who conduct periodic audits
management systems
Effective tone at the top, followed by implementing policies for fraud
Dedicated training programs for select teams/individuals to address
and consequence management, code of conduct, etc.
frauds to which organisations are generally most susceptible, such as
Periodic declarations from employees/management on compliance bribery and corruption, conflict of interest, procurement fraud, etc.
with laws and regulations
Engage third party forensic experts to assess our fraud risk
Conduct general fraud awareness trainings/workshops for all management frameworks at least once a year
employees
Dedicated fraud prevention unit that researches new frauds and
Periodic communication to employees on fraud and its repercussions communicates them to the fraud risk management teams
How often do you review your fraud risk management measures?
28% Annually
23% We don’t review our measures
unless we encounter an incident 10% Once every
6 months
22% Once a quarter

10% We review
our measures
subject to
regulatory
requirements
changing
7% Once a month
15
A majority of respondents (87%) said fostering an ethical Do you believe fostering an ethical
mindset among employees could prevent fraud in the long mindset among employees can
prevent fraud?
term. In line with this, the top three approaches taken to
improve the ethical culture within the organisation include: Yes
Instituting strong penalties for unethical behaviours, creating 87%
a platform to openly discuss ambiguous issues and identify
unethical behaviours, and developing training courses and
reading material, including case studies, on how ethical
behaviours apply in the corporate ecosystem.
Which of the following measures have you considered with an

aim to propagate and strengthen the ethical culture within your Don't
organisation? Know
No 8%
5%
98%
83%
72%
54%
45%
44%
8%
Instituting Creating a Developing Instituting a Undertaking Creating Others

strong platform to training courses mechanism to an ethics rewards and
penalties for openly discuss and reading monitor signs survey to recognitions
unethical ambiguous material, of unethical ascertain programs
behaviours issues and including case behaviour prevailing specifically
identify studies, on among employee validating
unethical how ethical employees sentiments ethical
behaviours behaviours apply towards fraud behaviours
in the corporate
ecosystem
16
Use of technology to mitigate fraud risks is on the rise with respondents identifying the following
most commonly used techniques/ tools to prevent fraud: reliance on control based reports generated
by the ERP system (54%), risk based approach for analytics (44%), and traditional statistical analysis
and data mining tools (41%).
To help continuously monitor controls, which of the following technologies/applications/approaches have you considered?
41% 43%
39%
29% 30%
Traditional statistical analysis and Identifying applicable fraud 18%
data mining tools scheme(s) and then monitoring them
using custom analytics tool
44%
Identifying incremental areas to 40%
33% 31%
27% Risk based approach for analytics 29%
monitor as well as refining existing
fraud schemes that are being
monitored
40% 43%
Use of case management system to 35% 28% 29%
25% In house development with
track control deficiencies identified
consultation from third parties/
by monitoring tool
experts
78%
54%
28%
Reliance on control based reports Corporate fraud analytics software
17% 12%
generated by the ERP system product purchased off the shelf 11%
Implemented Implementation in progress Not considering
There is increasing awareness of advanced technologies in fraud detection with around a fourth of
all respondents saying they had implemented or were implementing tools/ techniques such as voice
search and analysis, link analysis, social network analysis, sentiment analysis, data visualisation,
interactive dashboards, machine learning, robotic process automation and artificial intelligence.
81% 84% 83%
76% 77%
68% 70% 72%
66%
60%
57%
28%
26% 21% 23%
19% 18% 20%
17% 15% 13%
11% 12% 13% 11% 15%
6% 8% 7% 8% 9%
4% 4%
Artificial Robotic Machine Interactive Data Data Sentiment Concept Social Link Voice search
intelligence process learning dashboards cloud/Tag visualization analysis clustering network analysis and analysis
automation cloud analysis tools
Implemented Implementation in progress Not considering
17
Fraud is detected primarily through whistleblower hotlines, followed by an internal audit review.
About 59% of respondents indicated that fraud related observations were addressed immediately, by
way of commencing investigations – internally or assisted by third parties. All acts of suspected fraud
were treated with the same sense of urgency, irrespective of the potential financial and reputational
implications.
How are potential fraud incidents typically detected in How urgently are any high potential fraud
your organisation? related observations addressed?
It takes us more
5% than 6 months
Through anonymous
complaints received 4% Within
6 months
on our whistle
blower channels
Within
32%
1-2 months
Through the
grapevine/rumours
By
accident
By identified 59% Immediately
customer complaints
or escalations
Via an Internal
Via statutory
Audit review
audit
Using data analytics and

other technology tools
Upon identifying an instance of fraud, which of the following factors is likely to drive a stringent course of action in your
organisation?
42% 20% 16% 12% 7% 3%

Any act of fraud is Materiality– Reputational loss Whether the act Seniority of Whether the
dealt with in the potential value of caused to the has also resulted perpetrator in the act has also
same manner fraud/loss organisation as a in regulatory non- organisation affected external
result of the act compliance stakeholders
18
Once the fraud was ascertained, the fraudster was allowed to resign in lieu of filing a legal case in the
majority of cases (49%). However, a third of respondents indicated that they took legal action against
the fraudster. Further, existing controls were reviewed and updated/new policies were implemented
post the incident, 78% of respondents indicated. The fraud was communicated to the Board and
regulatory authorities (where applicable) as indicated by 35% of respondents.
In the area of ‘taking action on the fraudster(s) post investigation’, my organisation best responds as follows
Legal action is taken The fraudster is The fraudster is let The fraudster is suspended
against the fraudster. allowed to resign in lieu off with a warning, briefly with loss of pay, post
of filing a legal case. irrespective of the which s/he may be reinstated to
severity of fraud. their former position.
49%
33%
14%
4%
In the area of 11%

‘addressing controls’, The fraudster is replaced
my organisation best by another member of his
responds as follows team to handle operations
in that function/division
4%
No action is taken
6% to change controls.
79% After all fraud
Greater automation is sought
Existing controls are could be a one-off
to replace members of the
reviewed and updated/new occurrence
fraud prone function
policies are implemented
1%
Specific portions of work susceptible
to similar fraud are outsourced to
In the area of ‘Communication of action taken on fraud’, my contractors/third parties
organisation best responds as follows
27% 21% 35% 17%

Details of the fraud Details of the fraud and Details of the fraud and Details of the fraud
and corrective corrective action taken corrective action taken are not communicated
action taken is is communicated to is communicated to the within or outside the
communicated to employees, the Board, Board and regulatory organisation
all employees and regulatory authorities authorities (wherever
(wherever applicable) applicable)
19
Our observations
Technology is helping organisations to In the area of fraud response, there of fraud. While institutional measures
proactively manage the risk of fraud. appears to be a change in how the are necessary to impart education and
In the last two years, it appears that fraudster is dealt with. Bolstered by awareness among employees, it is also
organisations have implemented several regulatory reforms, more organisations essential that line managers create an
tools to assist them in monitoring appear to be seeking legal recourse to environment that is conducive for their
transactions and flagging off suspicious fraud. In such a situation, it is essential teams to raise concerns without fearing
entries. We believe these investments in to understand how to preserve evidence retaliation or bias. In our experience,
technology have been successful, thereby in a legally acceptable manner. In open discussions within teams on
prompting corporates to look at the next our experience, most internal fraud misconduct and malpractice, alongside
level of technologies for fraud prevention. prevention units and internal audit managers living and demonstrating
As the adoption of newer technologies teams prefer to work with third party ethical behaviors can accelerate the
by large organisations commences, we experts for this activity as well as for creation of an ethical enterprise.
expect some of these tools to become quantification of losses.
more affordable over time for mid-sized
organisations to also adopt. Alongside, There is also recognition among
this technology adoption, it is essential corporates of the fact that a change in
that investments be made in training of culture towards zero tolerance to fraud
resources to optimally utilise these tools. is essential to prevent future instances
20
Insights
#1: A new approach to adopting technology to mitigate fraud

The first wave of technology adoption thinking of how their existing technology if/then contracts, where unless the
by businesses was primarily in the areas deployments could be used in the context previous step of the process is complete,
leading to revenue enhancement, cost of fraud risk management. the next steps will not be initiated9.
optimisation and increased profitability. We believe a similar application would
Over time, some of these technologies Consider the case of Artificial Intelligence benefit supply chain functions wherein
were being re-used in a different context (AI) that is slowly becoming part of our digital payments can be withheld (in an
– for fraud prevention. everyday lives - using facial recognition escrow-like account) until the product
on social media, providing video- is marked as ‘shipped’ in the blockchain
Research suggests that use of Radio streaming recommendations, and IoT system. Further, block chain can also be
Frequency Identification (RFID) tags by devices integrated with other functions. used to ascertain the product quality,
retailers can significantly improve the Organisations with a large number of should it be extended to the original
efficiency of their supply chain operations customers (such as retail, banks, and producer. For example, if the producer
by ensuring product replenishments utilities) could use AI to build customer of organic rice (the farmer) is on a block
happen just in time, thereby saving profiles from disparate sources of data chain platform, as an end customer in
inventory costs7. However, RFID tags can and undertake targeted marketing, an urban super market purchasing this
also effectively be used to safeguard selling and customer service. They can rice, one can ascertain if the product is
against fraud by tracking pilferage, and also tweak this tool to gather information indeed organic and in which farm it was
noncompliance by tracking expiry dates on suspicious transactions and analyse produced, thereby eliminating fraud10.
on perishable products. Similarly, Big them. A large credit card company Incidentally, such a verification would
Data technology is now used by banks to currently uses AI in this capacity to make take a few seconds, unlike in a traditional
not only serve customers better but also fraud-detection efficient and even reduce supply chain set up where one can take
to analyse suspicious transactions. the high number of false-decline cases.8 several days to receive this information.
An analysis of our survey responses In the case of Blockchain, traditional These examples demonstrate that
indicates that Indian organisations may business functions can use smart technology can be effectively used to
need to embark on the second leg of contracts to nearly eliminate frauds prevent fraud. However, the outcomes
the technology adoption journey by re- related to payments by pre-creating of technology adoption are heavily
7
Source: https://www.rfidjournal.com/articles/view?7674
8
Source: https://www.forbes.com/sites/theyec/2018/06/04/artificial-intelligence-and-the-future-of-financial-fraud-detection/#482bc9e127a6
9
Source: https://www.forbes.com/sites/danielnewman/2018/04/17/3-ways-blockchain-can-help-combat-fraud/#5713b94692a4
10
Many readers may wonder that a similar task can be accomplished by RFID tags also. However, RFID entries on their own can be manipulated if the platform
used for data entry isn’t secure. Whereas on a block chain platform, the entries are secure and nearly impossible to edit. RFID entries can also be integrated into
a block chain network for greater security.
21
dependent on the underlying processes Such incidents can be prevented consequent management system should
and system design. In our view, this by inculcating a Forensic Software also be developed to respond to any
should be the primary consideration for Development Life Cycle (SDLC) fraud risks that may be discovered or in
organisations wanting to embrace new governance model from the start of response to any technology upgradation/
technology and/or re-use their existing technology adoption. Unlike traditional enhancements.
technology deployments. In the course software development, where testing of
of our work we have observed how controls was done by a technology team New technologies such as artificial
early-stage system design manipulations at the end of each stage of development, intelligence rely on constant learning
(inadvertent or otherwise) have the new approach relies on designing from other data sources, and response
diminished an organisation’s capabilities of the fraud controls at the time of patterns. This also means they can
to identify potential fraud. For instance, technology adoption and testing by emulate good and bad decisions taken
a recent wallet provider was unable to risk experts while the development is by organisations, imbibing the biases of
secure its systems to identity theft and in ongoing, thereby improving the chances those who programmed prior systems.
another case, a bank lost over INR 5 Crore of identifying loopholes and system Periodic checks by risk and technology
to fraud due to a loophole that didn’t design flaws early on. Particularly in professionals on the ‘state of technology’
link its core banking system to its wallet the case of new technology adoption, can help fraud risk management
service in real time11. such an approach has been found programs evolve more robustly in the
effective, considering there is no historic future.
view of past frauds. Further, a robust
11
Source: https://www.medianama.com/2017/07/223-bhim-upi-loopholes/
22
#2: Impact of IoT devices on fraud investigations
As the Internet of Things (IoT)12 evolves •• Phone calls Using this as evidence, the company was
and devices become more interconnect- By their very nature such devices able to file a case against the suspect
able (think of refrigerators or air can interact with many other devices and the goods were recovered from her
conditioners that can be controlled by connected in their periphery. In effect, accomplices’ residences a few days later.
a mobile application), they can present any of these devices can be misused Had the company relied on traditional
significant challenges and opportunities to perpetrate or aid an economic methods to investigate the fraud, chances
for fraud risk management professionals. or information crime. However, the are it wouldn’t have made much progress.
These are not limited to personal use traditional scope of investigations can We are also seeing a tremendous amount
devices but also large industrial grade be limited in its coverage of IoT devices, of focus on home based entertainment
machinery and systems. restricting itself to network devices devices and virtual assistants given
such as the router or the modem in the their ‘always on’ mode of operation.
Such devices tend to contain large office, thereby overlooking the wealth of Such devices, if legitimately accessed,
amounts of data that may have evidence available to nab the suspected can provide breakthrough evidence in
evidentiary value in a forensic fraudster. Consider the following fictitious many high profile fraud, misconduct and
investigation. These include databases, case which demonstrates this assertion. malpractice cases. Audio recordings from
log files, cache and media. The ‘smarter’ one such virtual assistant have been used
a device gets, the more data one can An employee of an eCommerce company as evidence in a murder case13.
recover from it, such as: was accused of breaking into the
•• Pictures corporate warehouse after working Despite the promising potential of IoT
•• Videos hours and stealing goods valued at devices, fraud investigators must be
•• Personal contacts approximately INR 5 million in one night. aware that these devices fall under the
•• Social media activity However, the company did not have a category of personal devices. Therefore,
CCTV monitoring facility nor any other as they are not corporate owned devices,
•• Locations and destinations (via
records of the suspect entering the under the terms of the Personal Data
navigation applications installed on the
premises. The suspect claimed to be Protection Bill, 2018, consent of the owner
phone)
at home, in her bed, when the alleged will be required to access them. In cases
•• Audio recordings
incident occurred. However, upon wherein law enforcement agencies (LEAs)
•• Interactions from various messaging
forensically analysing her fitness tracking are involved, this data can be requested
platforms
device, it was revealed that she took for directly by LEAs from the original
•• Sync information
approximately 2,000 steps between the equipment manufacturers (OEMs). Should
•• A list of other connected devices (e.g.,
time she said she had been in bed up until investigators be able to legally access
fitness tracker application connected to
the next morning when she claimed she such IoT devices, the data from these
a nutrition application)
had left her residence for work. Further, devices should be preserved by cloning
•• Web browsing behaviour and resulting the timeline data stored on her smart or imaging without tampering the original
data phone provided evidence of her location state for it to be legally acceptable as
•• Search history including results, and around the warehouse late in the night. evidence.
12
The Internet of Things is the network of physical devices, vehicles, home appliances, and other items embedded with electronics, software, sensors, actuators
and connectivity which enables these devices to connect, collect and exchange data. These devices can be remotely monitored and controlled.
13
Source: https://www.techrepublic.com/article/amazon-echo-murder-case-raises-iot-privacy-questions-for-enterprise-users/
23
#3: Considerations when going legal with a corporate fraud case

Traditionally Indian organisations have our survey indicates that this trend is To seek better outcomes from
been hesitant to pursue legal recourse now changing. We believe this may be the legal recourse to corporate fraud,
in case of fraud owing to the slow pace result of the slew of legislations passed organisations need to ensure that they
of the judicial system in India, high by the government in recent years and are adequately prepared to support the
litigation expenses, and the relatively efforts taken to resolve cases under them case they intend to file. Below are some
incommensurate penalties provided for in a time-bound manner (the Insolvency key considerations:
under the law. However, this edition of and Bankruptcy Code is a case in point).
01. Data including evidence should be 02. Conduct independent investigations and make a
forensically collected and secured detailed forensic report (including formally recorded
immediately to prevent tampering. statements of perpetrators) to help ascertain if it is
worth the effort to pursue the matter legally.
24
03. Identify the right legal forum for discussion such as a 04. If opting for a criminal case, an FIR should be filed
civil proceeding (under provisions of the Companies at the jurisdictional police station prior to filing a
Act, 2013) or criminal proceeding (under the Indian complaint in court. It should include details of the
Penal Code). fraud and perpetrators that will help the police
carry out their independent investigation and
provide evidence directly before the court.
As part of court proceedings, organisations filing cases may be required to produce expert witnesses who can testify on the veracity
of the evidence gathered and/or the computation of losses due to the fraud. It is therefore a good practice to seek independent
experts who can undertake investigations and act as expert witnesses.
25
Section 3
The impact of anti-fraud regulation
on corporate fraud
Key Findings
About 47% of respondents believe

that anti-fraud legislations
have been successful in curbing
incidents of fraud, misconduct,
and noncompliance. Yes
47%
No
33%
Don't know
20%
In line with that, the majority of respondents feel positively about legislations such as the Insolvency
and Bankruptcy Code (56%), Personal Data Protection Bill, 2018 (58%), Prevention of Corruption
(Amendment) Act, 2018 (58%), and Fugitive Economic Offenders Bill, 2018 (54%).
How effective do you feel some of the

following legislations (enacted and
proposed) will be in curbing fraud?
56% 58% 58% 54%
44% 42% 42% 46%
Insolvency Personal Prevention of Fugitive

and Data Corruption Economic
Bankruptcy Protection (Amendment) Offenders Bill,
Code Bill , 2018 Act, 2018 2018
Effective Not effective

26
Organisational concerns from new legislations appeared to be based on poor enforcement action in
the past.
What are your concerns around new legislation

from a fraud risk management perspective?
Poor enforcement
action 3%
59% Others
21%
Increased interaction with the
government, opening up new
areas of scrutiny
24%
Erosion of trust based
38% relationships with vendors and
Significant delays in processes business partners, since contractual
during the implementation obligations increase as a result
of additional controls to stay of complying with new clauses in
compliant with the legislation legislation
25%
31% Additional investments in data security and
fraud risk management
Increase in
compliance budget
Our observations
In recent years, India has passed at least insolvency resolutions in India by regulator and simplification of processes
five legislations specifically supporting conducting proceedings in a time bound may eventually be possible so as to
efforts towards preventing corporate manner alongside providing economically accommodate small and medium
fraud, malpractice, and misconduct. viable alternatives to resume stressed enterprises who may not have the
This is a sign that regulators are aware business. The code also prohibits certain resources available for compliance.
of the challenges faced by organisations parties from submitting a resolution plan In this regard, globally, regulators are
in curbing fraud and are determined in the case of defaults – willful defaulters, beginning to rely on technology for
to ensure business is conducted promoters/ management of companies better compliance at affordable costs.
ethically. The Prevention of Corruption with outstanding non-performing A report estimates that by 2023, close
(Amendment) Act, 2018 is now more debts and disqualified directors, among to 50 million KYC checks will be run
comprehensive and targets bribe givers others15. through artificial intelligence16, thereby
too, with the objective of ensuring that freeing up resources to focus on more
organisations work towards putting in While organisations may need to invest serious compliance tasks. In India
place adequate procedures designed to additionally towards putting in place large organisations already leverage
prevent bribery. The Fugitive Economic processes and ensure compliance technology for fraud risk management
Offenders Bill, 2018 is expected to with these regulations, we believe and compliance, and we believe with
deter individuals involved in fraud and these efforts will help better manage the growing presence of indigenous
other economic offences (valued at fraud risks in the long term and build technology providers, small to mid-size
Rs 100 Crore and above) from fleeing a culture of compliance. Some of the organisations will also be able to use
stressed the country to escape criminal teething issues experienced initially technology at an affordable price.
prosecution14. The IBC is improving are bound to be addressed by the
14
https://www.livemint.com/Companies/R4Bl7gZUwFgVjU25WNoiQP/Fugitive-Economic-Offenders-Bill-gets-presidents-assent.html
15
Source: http://www.prsindia.org/billtrack/the-insolvency-and-bankruptcy-code-amendment-bill-2017-5017/
16
Source: https://www.juniperresearch.com/resources/infographics/regtech-market-summary-key-takeaways
27
Insights
#1: The impact of regulatory interventions on anti-fraud efforts
Historically, malpractice and misconduct Consider the Prevention of Corruption Similarly in the context of the Personal
have been constituents in many (Amendment) Act, 2018 that now Data Protection Bill, 2018, concerns
businesses and economic functions in strengthens the anti-corruption laws over the adequacy of infrastructure to
India, often leading to fraud, and have by increasing the penal provisions for safeguard personal data, and utilisation
been condoned many times as the ‘only corrupt practices by organisations and of personal data in cases of contravention
way to conduct business’ in the country. associated third parties working in India. of law, are yet to be assuaged. The
Although this sentiment is undergoing While this will prompt organisations to regulators appear to be trying to find the
change due to the discovery of several introspect on the strengths of their anti- right balance between the need for data
large scale frauds in the last decade –in fraud framework, the answer to what localisation, and its cascading effect on
private and public sector enterprises constitutes ‘adequate procedures’ (as investment, and innovation. The Bill in
-regulatory intervention on fraud indicated in the Act) remains ambiguous. its current form may impede the Indian
has often been limited and therefore In such a scenario, companies could economy’s pace of progress (at least
only partially effective. It is therefore, consider adopting and implementing well- for the short term) by creating islands
not surprising that the recent slew of established and accepted proactive fraud of data and barring organisations from
regulatory changes is being met with prevention measures to safeguard their accessing global efficiencies, innovation,
a cocktail of cautious optimism and interests, while regulators work towards and technology (including best practices
disgruntled skepticism, as indicated by clarifying these finer aspects. in preventing cross border fraud and
our survey responses17. cybercrime)- The Bill may also impact
17
About 48% of survey respondents believe that anti-fraud legislations have been successful in curbing incidents of fraud, misconduct and noncompliance.
Further, when asked about concerns pertaining to new legislation, the majority of respondents indicated poor enforcement action and significant delays in
processes during the implementation of additional controls to stay compliant.
28
India’s evolution as a Global Capacity time taken to settle cases by the court, framework via regulatory interventions
Centre, with several large multinationals significant progress has been made in should not be discounted. Enforcement
having set up their process improvement the area of investigating into allegations of recent legislations such as significant
centres here over the last decade to of fraud under the Act. In the last three recoveries from loan defaulters under
facilitate efficient cross border data years the serious fraud investigations the Insolvency and Bankruptcy Code,
processing and analysis. A similar impact office (SFIO) conducted19 69 investigations recent actions such as probes against
is already being experienced in many covering a total of 620 entities that money laundering and fugitive economic
European countries, wherein five months allegedly violated the Companies Act., offenders under the Prevention of
after the implementation of the Global 2013. Additionally, 124 cases were Money Laundering Act, amendments to
Data Protection Regime (GDPR) several investigated by Regional Directors and the Companies Act to facilitate probing
organisations are indicating increasing Registrars of Companies. A total of into financial frauds, et al, are proving
costs while trying to comply with the 94 cases were disposed off by courts to be a step in the right direction. For a
guidelines, resulting in lower profits18. levying a total fine of close to Rs 67 Lakh country that has recently seen a plethora
(including compounding fee) and in one of headline-grabbing frauds and scams
Five years ago when the Companies case imprisonment of 16 months20. impacting various sectors, regulatory
Act, 2013, was enacted, its fraud related intervention is undeniably a welcome
clauses were considered a first in India. While the pace of fraud resolution may move.
Despite some skepticism on the penalties need to be accelerated, attempts to lay
and fines prescribed as well as the the foundation for a robust regulatory
18
Sources: http://en.finance.sia-partners.com/20180115/preparing-gdpr-why-you-need-ps15m-or-ps300-ps450-employee-average-implement-gdpr and
https://www.datanami.com/2018/09/12/were-months-into-gdpr-so-whats-next/
19
Source: http://www.mca.gov.in/MinistryV2/investigation+under+the+companies+act.html
20
Source: http://pib.nic.in/newsite/PrintRelease.aspx?relid=181631
29
#2: Impact of the Insolvency and Bankruptcy Code (IBC) on fraud
Two years post the commencement of Tribunal (NCLT) by the Reserve Bank of conspiracy23. We believe such moves
the IBC, there have been some success India (RBI) last year, suspected fraud was will bolster fraud risk management
stories, especially in the initial list of reported in nearly all cases. and reporting efforts at banks and
the ‘dirty dozen’ companies who were also improve collaboration between
referred to resolution proceedings, but The nature of fraudulent transactions forensic professionals and resolution
there is more that is awaited with bated in most of these cases followed similar professionals.
breath. This success is commendable patterns - siphoning of funds through
considering past efforts such as shell companies or letters of credit, Currently, forensic professionals are
strategic debt restructuring (SDR) and purchase of personal assets ( under called upon by the Resolution Professional
of sustainable structuring of stressed employees / relatives name) through (RP) under section 25 of the IBC that
assets (S4A) have been less successful company funds, transactions with related casts a duty on the RP to preserve and
in resolving such cases21. Interestingly, parties that are not at arms’ length protect the assets of the corporate debtor
several cases seeking resolution under and exceptional write-off in books to and file an application for avoidance of
the IBC also reported fraudulent camouflage fictitious receivables and transactions, if any, as per sections 43 to
transactions. assets. 51 of the IBC24, if such transactions were
preferential, undervalued, resulted in
As on September 2018, a total of 716 cases Following the arrest of a promoter in extortionate credit.
were seeking resolution under the IBC, connection with a similar case, the
of which 110 cases reported fraudulent Finance Ministry issued a warning to The intent of law makers to scrutinize
transactions worth over INR 400 billion22. public sector banks to identify potential corporate defaulters is more focused than
Further, of the big 12 cases that were fraud in all NPA accounts exceeding INR ever before as is clear from the various
referred to the National Company Law 50 crores or face charges of criminal legislations relating to stressed assets,
21
Source: https://www.livemint.com/Industry/VBtrj6OrvHtSXcT6CngFbP/Bankruptcy-code-is-key-to-solving-Indias-bad-loan-mess.html
22
Source: https://economictimes.indiatimes.com/news/economy/finance/fraud-cases-under-ibc-cross-rs-40000-crore/articleshow/66015840.cms
23
Source: https://economictimes.indiatimes.com/news/economy/policy/finance-ministry-asks-psu-bank-ceos-to-check-frauds-in-npas-or-face-penal-action/
articleshow/65502920.cms
24
Source: http://www.mca.gov.in/Ministry/pdf/TheInsolvencyandBankruptcyofIndia.pdf
30
both prior and post commencement of the internal control / audit reports of preserving the value of the Corporate
insolvency proceedings. Thus, it is only the Corporate Debtor that somehow get Debtor and has authority to access
natural for the corporate boardrooms, hidden under the carpet. information from various sources to
bankers and the resolution professionals validate and review the transactions of
•• Classification of an account as
to be more vigilant. The role and the preceding years. He must exercise
stressed asset – Bankers are privy
focus would vary keeping in mind the his powers to gather information
to significant financial information of
organisations’ progress into insolvency: from various utilities, bankers and
the Corporate Debtor (quarterly filing,
other sources and also take into
•• Prior to insolvency – As the early signs Service Organisation Control (SOC)
immediate custody the IT systems /
of a corporate moving into an IBC stage reports etc.) and have instruments
records database to avoid deletion
start to appear, the role of the Board of such as Asset Quality Reviews (AQR)
/ manipulation of sensitive data; the
Directors becomes critical. They need to and the more recent- advisory to
omission of which has appeared to be a
keep a watch out for any management initiate forensic audits - to keep a tab
major hindrance in carrying out forensic
decisions or activities resulting in on the operations of the Corporate
reviews.
significant cash outflow, modification Debtor. Banks need to use these
of accounts; manipulation / deletion more effectively and efficiently to
Fraud is a culmination of malafide intent
of records and official documents and identify instances of fund siphoning
and a control failure; while controlling an
senior management exit. Any or all of and fictitious assets (inventory) and
individual’s intent may be a herculean
these could be tell-tale signs of either receivables.
task, stakeholders must focus on
a fraud in making or an attempt to
•• Initiation of insolvency proceedings – tightening the noose to minimize the
cover the skeletons of the past. It is
Once the CIRP is invoked, the IRP / RP opportunity to exploit the gap.
interesting to note that a lot of early
is assigned with the responsibility of
indicators to fraud have been found in
31
#3: Implications of the Personal Data Protection Bill, 2018 on fraud risk
management
The Personal Data Protection Bill, 2018 data. It also lays emphasis on protection subject to the incidental personal use by
showcases India’s growing concern for of personal and sensitive data, including employees and therefore, it is likely that
data privacy. The objective of the Bill that of children. the user’s personal data could reside on
is broadly to protect the autonomy of such assets.
individuals by safeguarding their personal Most organisations today allow company
data and giving them the power to allow issued computers, laptops and other
or deny use of their personal information. IT assets (“Company’s IT Assets”) to be
The Bill covers diverse aspects of used by their employees for employment
data protection including collection, purposes. It is observed that such
processing, and analysis of personal Company’s IT Assets are sometimes
Some thoughts on the impact of the propositions made under the Bill as it stands currently in context of fraud risk
management/investigation:
Key aspects What this means from a fraud risk management/ investigation perspective
#1 Obtaining consent prior to accessing data: •• Consent on use of selected employee data would be necessary prior to an
A formal consent stating the purpose of data investigative/ fact finding exercise. Further, should third parties be carrying
collection, types of data required and the party out these activities on behalf of the organisation, the consent letter issued by
requesting for data access must be obtained. organisations and signed by employees must specifically disclose this.
Failure to do this may also attract penalties.
•• Employee data cannot be monitored as part of prevailing routine controls
in the organisation such as encryption, and data leakage prevention, among
other measures without consent. Even in cases where the organisation
explicitly prohibits personal usage of office owned systems, written consent
from employees is preferable as monitoring the actions of individuals may be
considered a privacy infringement.
#2 Limited employee personal data access Personal Data (PD) and sensitive personal data (SPD) on company owned
is permitted: Data access that can enable devices/servers/systems/ applications etc. such as bank statements, credit card
employment or termination of a data principal bills, insurance documentation, pay slips, Form 16s etc. cannot be disclosed to
by a data fiduciary and any activity relating to third parties as part of an independent verification/due diligence or fact finding
assessing the performance of the data principal exercise commissioned by the organisation without consent of the employee.
who is an employee of the data fiduciary is
permissible. However, use of data provided
for purposes other than intended will require
consent.
#3 Cross border data transfer and processing •• Investigations, fact finding reviews, and performance reviews among other
is not permitted unless approved by data activities for which personal data is being analyzed must be conducted within
protection authorities and the government. the jurisdictional boundaries of India subject to the applicable provisions of
the Bill. In case of outsourcing this to agencies outside India, approval from
the Data Authority and consent from the data principal/custodian would be
required again.
•• The employee’s personal data which is not critical as referred in the Bill, sought
by the organisation, such as educational qualifications cannot reside on a
server outside the country, without approval by the data protection authority.
32
Key aspects What this means from a fraud risk management/ investigation perspective
#4 Outsourcing of data processing must be Data fiduciaries (clients/employers) must have a valid contract with third party
governed by a clear and explicit agreement. data processors before engaging them for any services. These may involve any
Third party data processors will not initiate kind of data processing on behalf of data principal to the extent specifically
or commence personal data collection and permitted by the Bill. Data Processing by the third party data processor shall be
processing unless specifically permitted by the subject to the provisions of the Bill.
Bill and provided there is a valid contract.
#5 Collected personal data may have to be •• Data fiduciaries (clients/employers) will have to demonstrate adequate efforts
erased as per the data principal’s “right to be in case a data principal requests for his/her personal data to be erased. This
forgotten” can include
–– Physical documents stored with finance or HR teams; these will need to be
shredded or appropriately destroyed;
–– Forensic images of data principals’ company issued laptop/desktops as
acquired by a data processor; the entire forensic image will have to be
securely wiped and a report of the same will serve as evidence.
–– Personal data of data principals residing within system applications may also
be considered and therefore Data fiduciaries will be required to remove any
identified personal data as requested by the data principal.
While this Bill may finally allow individuals cases where a Bring Your Own Device to address this. Until then organisations
the right to own and manage their (BYOD) culture is encouraged and the would need to find an approach that
data and its use, it is likely to pose a lines between official work and personal strikes a fine balance between seeking
challenge for organisations attempting work are blurred. Perhaps the Bill needs data and maintaining employee trust.
to manage the risk of fraud through risk
assessments, investigations of non-
compliance/misconduct and on legal
proceedings, whether criminal or civil
where an individual’s data may have
been reviewed for the purpose of such
initiatives.
Most such activities are kept confidential,

and at times the individual suspect is
also not aware of the investigation taking
place in the background. This often
helps in keeping the knowledge of the
entire activity restricted to less than a
handful of people. Imagine a scenario
where a person is informed that they
are under investigation and the person
is found to be innocent at the end of the
exercise; the knowledge that they are
being investigated could result in loss of
morale and even trust and faith in the
organisation.
Currently, many organisations are toying

with the idea of seeking a blanket consent
from employees on access to data on
company provided assets. While this
may be suitable for some organisations,
others may find it limiting to seek such
consent from employees, especially in
33
The future of fraud – Insights

on what to expect in the
fraud landscape
34
Insights
#1: Cybercrime – What’s new?
The appearance of cybercrime potential “marks”. Using social media cloud environments, make greater use of
metamorphoses with each passing allows them to vastly extend their reach behavioural analytics, take advantage of
technological milestone as criminals to more people and decide who to attack. integrated threat intelligence capabilities,
alter their operating strategies, develop and most importantly, be designed with
new tools and techniques, and take With more than half the world’s customer experience in mind. While it is
advantage of changes in consumer and population using the internet and impossible to stop every fraud attack, it
business behaviour. While financial theft internet enabled devices, fraud- is possible to change how organisations
carried out via hacking, email spoofing prevention approaches now require detect and respond to them in order to
and phishing continues to be the most solutions that can extend to mobile and minimise the potential loss or damage.
common modus operandi, mobile
devices are now at the top of the list of
devices/medium which enable financial
theft due to their ease of physical access
as compared with data on a cloud or
information residing on physical servers
at data centres. Cybercriminals are also
jumping on the internet of things (IoT)
bandwagon by exploiting poor password
practices to take control of IoT devices for
malicious or criminal purposes.
For organisations, creating a cyber-

perimeter is the need of the hour.
Ransomware targeting corporate
employees can have a devastating
impact on the organisation’s intellectual
property and reputation at large.
Organisations are therefore now turning

to behaviour analytics technologies
to ensure authenticated users and
anonymous guests are interacting
with their websites or public interfaces
(such as apps etc.) in expected ways.
These technologies can identify unusual
patterns of behaviour across both
web and mobile applications – for
example distinguishing the bots that
can potentially cripple networks using
Disturbed Denial of Service (DDOS)
attacks from regular erroneous user
activity.
Further, many cybercriminals are turning

to social media to not only carry out
phishing attacks but also scope out
35
#2: Fraud risk management 2.0 – what does the future look like?
Over the last few years organisations in it is used to reduce efforts in file review perspective. In recent times, a lot of new
India have adopted technology in most processes. Machine learning can help technology adoption has inadvertently
of their business activities, including recognise complex patterns within facilitated fraud, because the internal
as part of their anti-fraud efforts. information (data, image, voice, video etc) fraud controls framework possibly did
While our previous survey in 201625 to predict, draw insights, and prescribe not keep up with the change in business
identified artificial intelligence, machine actions. Many banks currently use such process that came as a result of new
learning, robotics and blockchain as systems for invoice and check processing technology adoption.
technologies for the future, a quarter of and to identify anomalies. Blockchain
the respondents to this edition of the technology is considered extremely Innovative fraudsters have been using
fraud survey have indicated that they are capable of solving multiple problems techniques to analyse communication
already in the process of implementing by offering an ‘un-tamperable’ ledger of patterns to defraud, impersonate or
these technologies. In two years we have entries (transactions) and leading global to conduct spear phishing attacks to
leap frogged to the future! banks are trying to adopt blockchain for facilitate data leak, IP theft and beyond.
trade finance transactions. An IoT and GPS sensor hack can create
Robotics process automation (RPA) incorrect demand-supply situations
today is used to automate repeatable, While adoption of these technologies and price variation for an online cab
mundane, labour-intensive, and complex can definitely bring benefits to the aggregator leading to potential loss of
tasks that follows a defined path such as business, their impact also needs to be business because of unusual pricing.
sanctions screening processes, where assessed from a fraud risk management Virtual assistants that rely on voice
25
Source: https://www2.deloitte.com/in/en/pages/finance/articles/india-fraud-survey-edition-ii.html
36
commands can be misused to remotely 02. The organisation’s technology 04. The organisation’s technology
trigger other devices and processes, exposure: The convergence of adoption process maturity:
leading to undesirable outcomes, such IoT devices, machine learning and Many leading organisations tend
as leakage of confidential information innovative text mining methods to have established processes for
(e.g.: email bank account details to xyz@ have made it easy for fraudsters change control, production roll-out,
abc.com). RPA processes set out to make to identify areas of vulnerability risk assessment etc for relatively
certain ledger entries can be misused by within organisations. Businesses mature technologies that they use.
fraudsters post an internal review. For with internet facing, web based, However for new models, depending
instance, an RPA process incorporated data driven models can be misused on the maturity of the technology
to make adjustments to ledger entries to manipulate information and itself, levels of standardisation can
with a view to balance the books can mislead users. For example, multiple vary. Limited standardisation and
be misused to include fake entries to bots programmed to hedge a stock corresponding inadequate change
take money out from the system. Such can possibly create influence in control can lead to possible misuse
a process can be scheduled post the supply and demand, and therefore to facilitate fraud. For instance, in
internal review phase so that it doesn’t manipulate the pricing of a stock. We the context of machine learning, the
get detected in the normal course of an have also observed cases where fake model parameters of an online cab
audit. product reviews posted by bots have aggregator will be as critical as the
significantly increased the sales of the financial strategy document, and lack
Drones, voice recorders, video cameras product reviewed. of adequate processes/ controls to
can be used for stealing key business safeguard this information can lead
information from critical events. We 03. The organisation’s adoption to misuse and possible theft of the
believe, future fraud will rely on a of nascent technology: Most source code.
combination of devices and methods. organisations tend to adopt multiple
technologies for different processes, The fraud risk management function
To tackle future fraud, organisations need with each such technology being in will have to take into consideration the
to understand that the probability of a different stage of maturity. Often above aspects and ensure that relevant
being defrauded will increasingly depend when interconnected, the relative changes are made in their own processes
on the following aspects: immaturity of one technology when and internal controls. Organisations will
pitted against the maturity of another have to undertake comprehensive fraud
01. The organisation’s extent of can result in security gaps, exposing risk assessments to identify specific
technology adoption: Organisations the organisation to fraud. For fraud schemes and risks applicable due
with multiple processes that have example, data analytics and machine to adoption of new technologies, assess
been automated may be likely to learning are considered fairly mature their likelihood and significance, evaluate
have an increased risk of fraud technologies compared to blockchain existing fraud control activities, and
depending on the area and context of or script based automation. Unstable implement actions to mitigate residual
automation undertaken. For example, versions of tools or technologies can fraud risks. In this regard, we believe
the RPA process to check for customer lead to possible reverse engineering organisations need to attract and retain
emails and respond with an invoice and misuse. For example, an object professionals with a techno-functional
copy can be misused to facilitate data recognition model can be fooled by capability and can help develop these
leakage or IP theft if the fraudster certain minor changes in the video or controls. Further, regular employee
manages to replace an underlying image that can leads to unintended education and advisory on new frauds is
document that the robot will email outcomes. An image similarity necessary to create a climate of vigilance.
to a particular customer ID. In such algorithm deployed by an insurance Lastly, while technology can offer great
a case, in place of the invoice, the company to detect pre-existing opportunity to limit frauds if rightfully
customer may receive confidential damage, can be fooled by adjusting adopted and implemented, it cannot
information. Further, the customer the brightness of the picture, and can prevent fraud by its mere existence.
ID itself may be manipulated and significantly alter the decision making
information (on legitimate customers process.
or otherwise) can be leaked to third
parties.
37
#3: Using Bots for due diligence – Are we there yet?

As the world changes rapidly with statements, filtering of vendor master an opportunity for understanding the
technology at the epicenter of our lives - datasets and in recruitment screening. potential risks of deploying bots in due
whether we are eating, socializing, hiring, diligence work over time. Should the
networking etc - the impending question Further, by increasing their efficiency bots get smarter going forth, they would
is “When will artificial intelligence (AI) (at a fraction of the cost it takes to add become potential targets for fraudsters
disrupt knowledge services?” The answer additional human resources for the given the wealth of information they
to that is NOW. same task), bots can extract relevant would have access to. In such cases a
information faster. If bots can validate control mechanism would need to be
The Associated Press has been creating first level due diligence (via single record devised specific to certain sensitive due
automated corporate earnings reports based checks), the humans on the team diligence searches. Further, bots in the
since July 201426. In 2017, a large financial can focus on understanding how to future can be less objective, depending
services organisation used software address the anomalies detected. As on who is programming them and reflect
for document reviews, thereby saving fraud, misconduct and noncompliance the biases of their programmer. For
360,000 hours of effort27. We believe that continue to plague businesses and instance, if the programmer personally
bots will revolutionise the way forensic regulators increase their scrutiny, bots feels that certain adverse incidents are not
due diligence has been traditionally can help reduce the cost of compliance. important enough for reporting as part of
undertaken by taking away mundane the target’s due diligence documentation,
checks from humans, allowing them to Despite the obvious benefits, the he/she is likely to program the bot to
use their expertise for more complicated adoption of bots in the due diligence emulate similar sentiments. In such a case,
issues. space has not been widespread. This the organisation would at best get a fast
is because we are still far away from response to a due diligence query, but not
The main objective of forensic due a world where bots can provide a 360 an accurate one. Lastly, from a regulatory
diligence is to uncover inaccurate degree end to end solution without perspective, access for bots to certain
information and fraudulent business human intervention for contextualising databases remains a sensitive issue and
practices through misrepresentation information and correcting false in the case of misuse, the liability could
of facts. This means that data is often positives. Further, in case of disparate potentially fall upon the organisation to
triangulated and corroborated by cross data sets, the efficiency of bots can explain its actions and face potential legal
referencing with multiple data sources. AI slow down significantly and in India recourse.
powered bots can automatically review where digitization of records is far from
clusters of large data sets which are often adequate, this can pose a challenge in bot The debate on whether bots will replace
filled with inaccuracies and information adoption for due diligence work. humans has been ongoing for close to
asymmetry in significantly less time a decade. In the forensic due diligence
than humans, making them ideal for use Most organisations in India are working space we believe that the complexity of
in litigation checks, data translations, with first generation bots that have limited tasks involved would require bot-human
politically exposed persons (“PEP”) and capability to learn on their own and are collaboration, as opposed to a bot
sanctions checks, analysis of financial relatively easy to program. This presents takeover in the near future.
26
Source: https://www.qualtrics.com/blog/bots-and-your-research-job/
27
Source: https://www.bloomberg.com/news/articles/2017-02-28/jpmorgan-marshals-an-army-of-developers-to-automate-high-finance
38
#4: Next generation monitoring systems – Lessons from the developmental sector
In 2017, the Government of India, through India’s share of global aid has been Given the quantum of spends involved
the NITI Aayog, released its three year falling since 2013 and as of 2016, we and the past experience of running
action agenda document. The document received Rs 2575 Crore30 (approx. USD such programs in India, there is likely
specifically emphasised on the need 348 Million). Interestingly the majority to be a high degree of susceptibility to
for improvement of mechanisms for of aid for development work in India is mismanagement of funds and fraud.
third-party monitoring of government now coming from corporates as part of According to the United Nations,
programs to ensure periodical review their obligations under the Corporate between 1-5% of global aid is lost due to
of the progress and the impact of Social Responsibility (CSR) clause in the fraud33. More than the monetary loss, it
these programs28. The report also Companies Act, 201331. Over Rs 28,000 is the reputation of organisations that
mentioned how the government’s crore (approximately USD 3.8 Billion) is at stake in the absence of a robust
platform Pro-Active Governance and was spent by organisations over three monitoring and evaluation (M&E)
Timely Implementation (PRAGATI) had years (ending 2017) towards social system. In our experience, monitoring,
led to significant improvements in development initiatives32 in areas such evaluations and fraud risk management
monitoring and implementation of major as health (eradicating hunger/ poverty activities are primarily being undertaken
infrastructure projects. and malnutrition, creating access to safe by organisations’ internal teams, as is
drinking water), sanitation, education program implementation. However,
This comes at a time when the (for the differently-abled and livelihoods with large donors and corporate boards
developmental sector in India is creation), rural development, and gender pushing for robust and continuous
experiencing a paradigm shift in equality/ women empowerment. The monitoring given their past experience
how aid is sought and deployed, and Ministry of Corporate Affairs (MCA), where evaluation has too often been
how outcomes are reported. In 2016, Government of India, has repeatedly overpromised and under-delivered, we
international development financial stressed on the need for monitoring of see organisations more likely to engage
support in the form of grants, loans, these funds and has tasked corporates M&E specialists and to adopt technology
technical assistance, etc. reached a to ensure transparent reporting and enablement to optimise and enhance
global high of US$ 142.6 billion, an accounting of these CSR spends. return on investments from M&E.
increase of 8.9% from 201529. However,
28
Source: http://niti.gov.in/writereaddata/files/coop/IndiaActionPlan.pdf
29
Source: http://www.oecd.org/dac/development-aid-rises-again-in-2016-but-flows-to-poorest-countries-dip.htm
30
Source: https://www.deccanchronicle.com/nation/current-affairs/260818/india-got-rs-2575-crore-as-foreign-aid-in-2015-16.html
31
As per the law, eligible profitable companies have to shell out at least two per cent of their three-year average annual net profit towards CSR
activities and in case of non- expenditure, the same has to be explained to the Ministry of Corporate Affairs. Among other requirements, each eligible
company has to set up a CSR committee of its board. The latter would formulate the CSR policy as well as monitor its implementation. In case of
failure to spend the required amount in a particular fiscal, the same has to be mentioned in the board's report along with reasons.
32
Source: https://timesofindia.indiatimes.com/business/india-business/companies-spent-rs-28000-crore-towards-csr-works-in-nearly-3-years/
articleshow/62870701.cms
33
Source: https://www.telegraph.co.uk/news/2017/02/09/revealed-huge-rise-foreign-aid-fraud-officials-still-detect/
39
The new concept of ‘outcomes’ that international organisations are focusing on for their programs and projects has following
elements:
Baseline data Yardsticks Data collection Greater focus Systematic Captures Alignment
to describe for outcomes on inputs on perceptions reporting information with other
the problem against which and outputs of change with more on success actors: more
statement performance and how/ among qualitative and or failure of productively
or situation can be whether they stakeholders quantitative partnership learning at
before the objectively contribute information on strategies scale.
intervention measured towards the progress in achieving
begins achievement of outcomes desired
of strategic outcomes; and
outcomes
Source: United Nations Handbook on planning, monitoring, and evaluating, for development results
http://web.undp.org/evaluation/handbook/documents/english/pme-handbook.pdf
The recent spate of notices sent to large of time before monitoring efforts evolve outcomes and outputs are no longer
corporates for non-compliance with to a stage where it is conducted on a limited and endemic to program and
the CSR mandate and a few well known real-time basis through advanced data financial performance, and anti-fraud and
NGOs being issued FCRA and FEMA analytics techniques, ensuring the best anti-corruption are finding their way into
noncompliance related notices reiterates opportunity for course correction, where evaluation frameworks and matrices.
and underlines the need to enhance possible.
capacity and create systems to protect In India, the NITI Aayog has initiated the
organisations from internal and external As global development organisations practice of preparing an outcome budget
threats. move beyond the general understanding for all central government ministries and
of monitoring and evaluation departments, which will help in setting
In a survey we recently conducted in this from program and project based transparent targets for all programs as
sector, close to two-thirds of respondents measurements to outcome based well as impact evaluation and monitoring
said that they monitored their project measurement, the future in this space of government funded programs through
implementation activities on a monthly will eventually focus on creating an its attached office, the Development
basis or more frequently. In light of the integrated monitoring framework which Monitoring and Evaluation Office (DMEO).
fact that most monitoring activity now includes a risk identification strategy We expect to see corporates following
includes the need to mitigate fraud risk, across all stages of the project lifecycle suit very soon.
anti- bribery and corruption controls, and and leverages technology enabled tools
embezzlement, we believe it is a matter such as blockchain, IoT etc. Project
40
#5: Building the anti-fraud sentiment in entrepreneurship

2018 was a significant year for Indian
start-ups with eight companies joining
the ‘unicorn club’ (companies with a
valuation of USD 1 Billion or more)34.
This puts India behind only the US and
China in the number of unicorn start-
ups that exist in the world. While this
growth is a demonstration of sound
business practices and a clear vision
for marketplace development, it is also
a critical moment for founders and
business executives to take stock of
the culture and practices within the
organisation.
In our experience, when companies enter

the growth phase, aspects such as fraud
risk management, regulatory (and other)
compliance, and ethical conduct tend to
take a backseat to the growth ambitions
laid down by entrepreneurs. This often
means that such organisations can be
ill prepared to face incidents of fraud,
misconduct and noncompliance that
can severely dent their reputation and
jeopardise operations. There are many
examples of such cases in India in the last
decade, some of which are in the public
domain.
We believe entrepreneurs need to

look at founding ethical enterprises of
the future and need to seed a culture
of zero tolerance to fraud early on in
the organisation’s evolution. To do so,
they need to understand that fraud,
misconduct and noncompliance can
impact any business irrespective of
size, industry or nature of operations.
Therefore, unless the business is
rooted in ethical practices, its survival
may eventually come into question. At
the same time, given the constraints
entrepreneurs face, it may be challenging
to have formal programs that specifically
monitor ethical behavior or transactions
for fraud.
34
Source: https://economictimes.indiatimes.com/
small-biz/startups/newsbuzz/in-the-land-of-
unicorns/articleshow/64787658.cms
41
Below are a few suggestions that and periodically discuss how ethical such as talent acquisition, funding
entrepreneurs can consider in their behaviors will safe guard the future prospects and identifying customer
journey to creating an ethical anti-fraud of the business. For instance, many segments. These mentors can also
culture: founders tend to share emails with provide guidance on ethical behaviors
their teams about recent wins and and refer entrepreneurs to experts
01. Identify ethical dilemmas - Is that milestones. In the same email a who can help with putting together
business pitch realistic? How much line can be added reinforcing how effective anti-fraud policies.
of the job description would the these wins are a result of the ethical
candidate actually end up doing practices followed by the sales teams. 05. Document ethical practices and
in real life? Have you adequately create a policy – While start-ups are
disclosed business challenges to your 03. Take a stand against conflicts not mandated by law to have a code of
investors? Entrepreneurs can face of interest – In a small business conduct or ethics or anti-fraud policy,
several such questions in their line of personal relationships (and self- it is still recommended that they
work and be tempted to mis-sell their interest) can dominate judgement on formally document best practices
promise. It is therefore important to key decisions. Whether that means in this regard. Such documentation
identify several such areas and decide handing over select areas of business can be helpful in winning customers,
a course of action that is acceptable to to friends / relatives to manage or getting funding and eventually
all stakeholders without diluting the retaining certain areas with oneself, prepare the organisation for future
capabilities the organisation has. without objectively assessing if these regulatory obligations.
candidates are indeed the right fit for
02. Find a way to communicate ethical the job at hand. In our experience, we The entrepreneurship ecosystem remains
/ anti-fraud practices – Even in have seen promoters defraud lenders close knit despite the presence of global
larger organisations, the commitment and investors by systematically acting private equity and venture capital funds
to ethical practices is determined in their self-interest and putting the in India. While there is a market for
by how the senior management future of their companies in jeopardy. serial entrepreneurs, there isn’t one
“walks the talk”. Entrepreneurs can for serial defrauders or those engaging
demonstrate their commitment to 04. Seek external help to periodically in malpractice. Entrepreneurs who set
ethical practices by ensuring that they relook at your business’ ethical the ethical and anti-fraud benchmarks
allow for minimal (or no) overrides quotient – Most entrepreneurs have in their organisations are able to build
of key processes, encourage teams coaches and mentors who guide an ethical enterprise with a strong
to consult with their peers/ bosses them on making business decisions. foundation which augurs well for future
when faced with ethical dilemmas They also provide counsel on aspects growth and expansion.
42
Acknowledgements
We would like to thank the following Bhasin, Rahul Vallicha, Sharmila Communications teams at Deloitte India,
people whose efforts shaped this survey Pawaskar, Shruti Choudhury, and Sonal and the Quality and Risk team at Financial
report: Salvi. Advisory Services, Deloitte India, for
Ajay M.P., Amrutha Yeshwanth, Anindita supporting us with this document.
Singh, Aparna Gutpa, Archana Venkat, We would also like to thank the
Ashwin Korah, Darpan More, Karan Information Technology and Brand and
About the survey

This survey report has been developed decision makers in the finance, operation, all questions in the survey. Each statistic
on the basis of responses received to information technology, compliance, used in this report is derived from the
a questionnaire that we circulated to legal, internal audit and fraud risk number of responses to that question
leading CXOs across all major sectors and management areas. Close to 70% of and must not be considered consistent
organisations working in the area of fraud survey respondents identified themselves across the report. For multiple choice
risk management, as well as to working as belonging to organisations with over questions and priority based questions,
professionals, in August, September and Rs 250 crore turnover. the weighted average of responses for
October 2018. The survey saw a total of that question has been used to derive the
439 responses, of which two–thirds of The response rate to questions varies statistics.
respondents identified themselves as and not all respondents have answered
43
About Deloitte’s
Forensic practice
in India
Deloitte’s Forensic practice in India helps CFEs, forensic accountants, lawyers,
organisations protect their brand and investigative journalists, economists,
reputation through proactive advice on professionals with law enforcement
their exposure to fraud, corruption, non- experience, computer forensic and data
compliance, misconduct and other future analytics specialists and engineers, to
business risk issues. The practice also name a few, who bring in diverse skill sets
helps clients react quickly and confidently to the practice.
in a crisis, investigation or dispute
scenario. We use our global network, For more information, you may visit our
deep industry experience and advanced webpage here -
analytical technology to understand <https://www2.deloitte.com/in/en/pages/
and resolve/ deal with all such issues. finance/topics/forensic.html#>
The team comprises of CAs, MBAs,
44
45
Key contacts
Nikhil Bedi
Partner and Leader – Forensic
Financial Advisory
Deloitte India
+91 22 6185 5130
nikhilbedi@deloitte.com
Partners within Directors within

Deloitte Forensic’s practice in India Deloitte Forensic’s practice in India
Ajay Singh Amol Mhapankar Rohit Goel

ajaysingh@deloitte.com amhapankar@deloitte.com rogoel@deloitte.com
Amit Bansal Himanshu Arora Rohit Madan

amitbansal@deloitte.com himanshuarora@deloitte.com madanr@deloitte.com
Arjun Rajagopalan Kavita Nathaniel Sachin Yadav

rarjun@deloitte.com knathaniel@deloitte.com sachyadav@deloitte.com
Jayant Saran Nishkam Ojha Saurabh Khosla

jsaran@deloitte.com nojha@deloitte.com khoslas@deloitte.com
KV Karthik Rajesh Chawla Vivek Bhamodkar

kvkarthik@deloitte.com rajchawla@deloitte.com vbhamodkar@deloitte.com
Rajat Vig
rajatvig@deloitte.com
Sumit Makhija
sumitmakhija@deloitte.com
Wilfred Bradford
wbradford@deloitte.com
46
47
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK
private company limited by guarantee (“DTTL”), its network of member firms,
and their related entities. DTTL and each of its member firms are legally
separate and independent entities. DTTL (also referred to as “Deloitte Global”)
does not provide services to clients. Please see www.deloitte.com/about for a
more detailed description of DTTL and its member firms.
This material is prepared by Deloitte Touche Tohmatsu India LLP (DTTILLP).

This material (including any information contained in it) is intended to provide
general information on a particular subject(s) and is not an exhaustive
treatment of such subject(s) or a substitute to obtaining professional
services or advice. This material may contain information sourced from
publicly available information or other third party sources. DTTILLP does not
independently verify any such sources and is not responsible for any loss
whatsoever caused due to reliance placed on information sourced from such
sources. None of DTTILLP, Deloitte Touche Tohmatsu Limited, its member
firms, or their related entities (collectively, the “Deloitte Network”) is, by means
of this material, rendering any kind of investment, legal or other professional
advice or services. You should consult a relevant professional for these kind
of services. This material or information is not intended to be relied upon as
the sole basis for any decision which may affect you or your business. Before
making any decision or taking any action that might affect your personal
finances or business, you should consult a qualified professional adviser.
No entity in the Deloitte Network shall be responsible for any loss whatsoever
sustained by any person or entity by reason of access to, use of or reliance on,
this material. By using this material or any information contained in it, the user
accepts this entire notice and terms of use.
©2018 Deloitte Touche Tohmatsu India LLP. Member of Deloitte Touche

Tohmatsu Limited

In Risk Fraud Survey 2018 Noexp PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

In Risk Fraud Survey 2018 Noexp PDF

Uploaded by

Copyright:

Available Formats

India Corporate Fraud

Perception Survey 2018

Section 2: The approach to fraud prevention, detection and response 14

Key findings: On fraud prevention efforts undertaken by respondents,

Section 3: The impact of anti-fraud regulation on corporate fraud 26

Key findings: Perceptions on the effectiveness of recent and

The future of fraud – Insights on what to expect in the fraud landscape 34

Insight #1: Cybercrime – what’s new? 35

Acknowledgements and About the survey 43

Lack of an Diminishing Senior Inadequate due Unrealistic Technological Poorly enforced

My Inventory Bribery and Regulatory Data Leakage of eCommerce Fraud due to

Over the last two years, what

26% INR 1-10 mn (INR 10 Lakhs – 1 Crore)

26% Less than INR 1 mn (INR 10 Lakhs)

7% Over INR 100 mn (INR 10 Crore)

26% Unable to quantify the fraud loss

3% Customer 57% Ability to improve his/her

4% Revenge for being treated

# 2: Who will the future fraudster be?

37% 34% 33%

What measures does your organisation adopt to prevent incidents of fraud?

How often do you review your fraud risk management measures?

22% Once a quarter

Which of the following measures have you considered with an

Instituting Creating a Developing Instituting a Undertaking Creating Others

Implemented Implementation in progress Not considering

Implemented Implementation in progress Not considering

Using data analytics and

42% 20% 16% 12% 7% 3%

In the area of 11%

27% 21% 35% 17%

#1: A new approach to adopting technology to mitigate fraud

#2: Impact of IoT devices on fraud investigations

#3: Considerations when going legal with a corporate fraud case

About 47% of respondents believe

How effective do you feel some of the

44% 42% 42% 46%

Insolvency Personal Prevention of Fugitive

Effective Not effective

What are your concerns around new legislation

#2: Impact of the Insolvency and Bankruptcy Code (IBC) on fraud

Most such activities are kept confidential,

Currently, many organisations are toying

The future of fraud – Insights

For organisations, creating a cyber-

Organisations are therefore now turning

Further, many cybercriminals are turning

#3: Using Bots for due diligence – Are we there yet?

#5: Building the anti-fraud sentiment in entrepreneurship

In our experience, when companies enter

We believe entrepreneurs need to

About the survey

Partners within Directors within

Ajay Singh Amol Mhapankar Rohit Goel

Amit Bansal Himanshu Arora Rohit Madan

Arjun Rajagopalan Kavita Nathaniel Sachin Yadav

Jayant Saran Nishkam Ojha Saurabh Khosla

KV Karthik Rajesh Chawla Vivek Bhamodkar

This material is prepared by Deloitte Touche Tohmatsu India LLP (DTTILLP).

©2018 Deloitte Touche Tohmatsu India LLP. Member of Deloitte Touche

You might also like