Perspectives

Forensic Buzz - Archives

A Deloitte Forensic initiative to encourage discussion on corporate fraud, misconduct and noncompliance

Over the years, we at Deloitte Forensic have seen a rise in demand for information on preventing fraud, misconduct and non-compliance among corporates in India. This blog is our latest endeavor to share relevant news, information and opinions from forensic accounting experts and encourage conversation around mitigating corporate fraud, misconduct and noncompliance.

Explore Content

By Amit Bansal (Senior Director, Forensic- Financial Advisory) and Aakarsh Sharma (Deputy Manager, Forensic – Financial Advisory)

Key red flags indicative of corruption in the shipping industry

10 August 2015

Operating in international waters makes the shipping industry susceptible to a higher risk of fraud than other industries. We have observed that the most common types of fraud in the maritime industry involves bribery or corruption to gain long term contracts or to receive ongoing clearances (from customs officers/ surveyors) to facilitate business.

Increasing occurrences of fraud within the shipping and maritime industry in the past decade indicate that organizations possibly need to develop a robust fraud prevention strategy to counter instances of fraud. Below are some key red flags in the shipping industry:

  1. Under-invoicing – One of the common red flags is under invoicing. Typically, the purpose behind “under-invoicing” is to understate the declared value of the goods for local customs purpose to avoid customs duties and import taxes at the time of importation or to cover up illegal payments and kickbacks given to the customs officers/ maritime surveyors. The issue of under invoicing can be curbed by maintaining a record with respect to price and details of exporters of all such goods which are regularly shipped. The price at which goods are being shipped can be compared with the historical data to identify anomalies, if any.
  2. Illicit payment to gain contracts – Often shipping industries rely on third party/ agents to obtain regulatory clearance including certification post inspection. Often these agents use unfair means such as bribes to receive the necessary clearances. In order to tackle the issue of illicit payments, the company should perform adequate due diligence procedures to ensure no questionable vendors are on board.
  3. Bribery and corruption used to facilitate the transport of illegal/ contraband items – Another red flag in the shipping industry which exposes it to the risk of criminal indictment is the transport of items, declared illegal by a country’s laws. Officials are often bribed to gain clearances for such items. Performing thorough background checks of all the employees on board will ensure that they have a clean track record and have not been involved in any fraudulent activity in the past. Also, companies should have a whistleblowing mechanism in place to encourage employees to raise concerns on any malpractice.

Do you believe your organization has adequate fraud prevention mechanisms? Share your views by writing to inforensic@deloitte.com or on Twitter by following @deloitteindia.

Back to top

By Amit Bansal (Senior Director, Forensic) and Avinash Dadhich (Manager, Forensic)

How to cultivate a pro-active competition compliance culture in the shipping industry?

06 August 2015

Since 2009, the Competition Commission of India (CCI) has emerged as one of the key regulators which has exposed corporates to another risk domain that they need to proactively comply with. Over the past six years, the CCI has investigated 590 companies1for their anti-competitive behaviour and has imposed penalties worth INR 1, 24,742 (approximately US$ 2 billion)2 on 351 companies.

Considering CCI’s reach in terms of penalties for contravention and their pro-active regulatory approach, the Indian shipping industry should examine the wide-ranging consequences of recent CCI’s orders and assess how to comply with competition law.

Following are some of the best practices which can be adopted by the shipping industry to encourage a competition compliant culture in the sector:

  1. Representatives attending trade association meetings should register a written opposition to discussions regarding levying of restrictions on the business of members or competitors.
  2. Vertical agreements between ports and service providers (logistics companies, equipment providers etc.) should not have any anti-competitive clause without appropriate economic and business justifications.
  3. Vessel Sharing Agreements (VSAs) should not have any clause that pertains to sharing of business information, customers, fixing pricing etc.
  4. Representatives attending industry conferences should avoid revealing any confidential information as a part of their conversation. In case representatives get access to anti-competition related conversation, they are expected to report the same to the conference organizer as well as the management.
  5. Any discount offered on the services must be backed by adequate economic/ business rationale to justify its efficiency and business purpose.
  6. Shipping industry organizations must ensure adhering to ethical business practices while dealing with customers, vendors and port agents to avoid being under the scanner of CCI.

Have you undertaken a competition compliance review at your organization? What was your experience? Share your views by writing to us at inforensic@deloitte.com or on Twitter by following @deloitteindia.

-----------

1 Fair Play, The Quarterly Newsletter of Competition Commission of India, Volume 12: January-March 2015

2 Competition Commission of India looking into allocation of three coal blocks”, 21 April 2015, The Economic Times

Back to top

By Amit Bansal (Senior Director, Forensic) and Saurabh Verma (Deputy Manager, Forensic)

Complying with the US FCPA provision in the Maritime Industry

03 August 2015

Shipping companies can often become a trade bridge between several countries especially the USA and the rest of the world. Hence, it is important to understand that the provisions of the U.S Foreign Corrupt Practices Act (FCPA) are applicable to all the companies dealing in international trade.

Based on our experience, we believe that the shipping industry can resort to the following activities to keep its bribery and corruption risks at bay and thus minimize the exposure to FCPA risks.

  • Implement a comprehensive anti-bribery and corruption compliance program across the business
  • Review invoices, vertical agreements and procedures; periodically to assess their effectiveness
  • Periodical anti-bribery trainings for C-suite employees, business partners and third-parties that act on behalf of the company
  • Conduct due diligence on port agents
  • Set up a confidential whistleblowing mechanism to enable employees and other third parties to voice their concerns without any fear

Preparing for compliance with the FCPA will also help Indian organizations meet some of the requirements of the proposed Prevention of Corruption (Amendment) Bill, 2013.

Is your organization compliant with the FCPA regulations? Share your views by writing to inforensic@deloitte.com or on Twitter by following @deloitteindia.

Back to top

By Amit Bansal (Senior Director, Forensic) and Sravankumar Iyer (Assistant Manager, Forensic)

Building a fraud risk program in the shipping and maritime industry

30 July 2015

The shipping and ports industry plays a crucial role in contributing to the nation’s growth. Almost 95 percent of India’s trade volumes and 70 percent trade value are carried out through maritime transport. The shipping Industry is connected directly or indirectly to all industries and sectors, and as companies begin to venture into global markets, shipping becomes the lifeline of day to day operations.

A major concern for the shipping industry however is the rise in the number of frauds incidents, as highlighted by the Mumbai and Nhava Sheva Ship Agents Association (MANSA) at a recent event. Some of the prevalent frauds observed by us in the shipping industry include:

  1. Cargo and document frauds
  2. Bunkering frauds
  3. Chartering frauds
  4. Port agents related frauds
  5. Cyber frauds
  6. Fake licenses related fraud
  7. Recruitment fraud
  8. Information phishing

To tackle some of the above mentioned frauds it is important that organizations within the shipping sector look toward setting up a comprehensive fraud risk management program by:

  1. Implementing an anti-fraud policy – Organizations can foster an anti-fraud culture by having the right set of policies. In our experience, the code of conduct is an important document that can address fraud misconduct and unethical business practices within an organization by including clauses pertaining to fraud confidentiality, data security and misconduct. A code of conduct document can become a powerful aid in curbing instances of fraud.
  2. Using Business Intelligence – Carrying out an effective due diligence such as counter party due diligence, investigative due diligence, screening and red flag identification, political risk assessment etc. on the target company and third parties; can help shipping companies take better decisions on which partners/ vendors to engage with
  3. Establishing a whistleblowing hotline – Setting up a robust whistleblowing mechanism with multiple sources of access can help employees and multiple business partners report concerns pertaining to fraud misconduct and non-compliance in line with the provisions of the Companies Act, 2013. Shipping companies must also undertake prompt investigation into the concerns reported.
  4. Periodic investigation of third parties – Organizations should continuously monitor all the transactions involving third parties to identify requisite red flags..

Do you believe your organization has adequate mechanisms to monitor fraud risks? Share your views by writing to inforensic@deloitte.com or on Twitter by following @deloitteindia.

Back to top

By Sumit Makhija (Senior Director) and Gresha Katkoria (Deputy Manager)

Employee involvement is key to a successful Anti Bribery and Corruption Program

27 July 2015

In a global business environment, organizations are constantly expanding operations. A natural concomitant of this is operations in unknown territories and rise in cross border transactions, which can expose the company to fraud risks. Media coverage in the recent years has highlighted the risks of bribery and corruption, particularly in emerging economies, prompting organizations to safeguard their operations. This has led to the formulation of an anti-bribery and corruption compliance policy (ABC policy) in several organizations.

While it is important for organizations to put in place a policy to prevent bribery and corruption, the success of such a policy lies in making employees an inherent part of the implementation process. Deloitte (India) Survey titled “Public Perception of abc compliance program” released in 2014 indicates that limited employee involvement was a key hindrance in the effective functioning of ABC policy. Further, the report also mentioned that the prevailing business mindset towards bribery, unrealistic targets, lack of senior management commitment, limited communication were some of the key challenges that impacted the involvement of employees in the effective functioning of the ABC policy.

For successful implementation of an anti-bribery and corruption policy, it is important to ensure the following aspects:

  • Senior management support and commitment to the policy.
  • Periodic communication by the senior management to employees about various aspects of the ABC policy.
  • Training programs to help employees familiarize themselves with the ABC policy and acknowledge their understanding of the same.
  • Make employees aware of the various channels available to raise questions/concerns around bribery and corruption. Employees should have access to the team managing the organization’s ABC compliance program.
  • Recognize and reward ethical behavior by employees and encourage others to follow suit.

To achieve above mentioned objectives, it is important that the following mistakes are avoided while implementing the policy. The following glitches may snowball into big issues if left unattended:

  • Not having a nominated person/ Compliance Manager to drive the ABC program.
  • Inadequate senior management involvement in propagating  the ABC policy
  • Complexity in communication and limited use of informal channels such as events/peer group meetings to communicate the abc policy.

For the successful formulation and implementation of ABC policy, employees need to be given equal responsibility and accountability for compliance of the policy and participate in building an ethical culture at an organization.

Is your organization successfully engaging employees in the implementation of Anti Bribery and corruption policies? Share your views by writing to inforensic@deloitte.com or on Twitter @deloitteindia.

Back to top

By Sumit Makhija (Senior Director) and Gresha Katkoria (Deputy Manager)

Amendments in PoCA highlight the need for Third Party Due Diligence

23 July 2015

In the light of the proposed amendments in the Prevention of Corruption (Amendment) Bill, 2013; all aspects of passive bribery, including the solicitation and acceptance of bribe through intermediaries can be considered as an offence under the proposed bill.

Use of third parties for dealing with activities susceptible to bribery and corruption can no longer be used as an excuse for organizations to exempt themselves from the purview of the proposed bill. To ensure compliance by third parties, organizations need to carry out due diligence on the third parties who act on behalf of the organization. The diligence should not be seen as a one-time exercise, rather it should be an ongoing process carried out on third parties to ensure compliance. To avoid any lacunae while conducting a third party due diligence, organizations should focus on the following aspects:

  • Screening: Third parties should be screened at the time of on boarding as well as during the renewal stage by building an ongoing due diligence system. For this, a thorough understanding of their business operations, place of business from where they operate, and the areas where they operate; is of utmost importance.
  • Auditing: A meticulous assessment of the bribery and corruption risk associated with third parties should be done by knowing their past performance and track record. Wherever possible, A right to audit provision should be a part of the contract with the third party and this provision can enable organizations to check the level of compliance with anti-corruption laws and other contractual requirements.
  • Monitoring: There should be a mechanism to carry out regular monitoring of third-party activities by knowing their services and modus operandi. Further the organization should also be able to identify any instances where improper payments or favors have been extended by the third party on behalf of the organization.
  • Strict Financial Control: Basic internal financial controls surrounding high-risk activities are critical for protecting the organization from the risks of bribery and corruption involving –third parties. Hence, specific focus on payment authorizations and other transactional processes involving third parties needs to be scrutinized.

Do you believe you have an effective third party fraud risk management system in place? Share your views by writing to inforensic@deloitte.com or on Twitter @deloitteindia.

Back to top

By Sumit Makhija (Senior Director) and Gresha Katkoria (Deputy Manager)

Anti-Bribery and Corruption Compliance Policy: Are you doing it right?

20 July 2015

Under the proposed Prevention of Corruption (Amendment) Bill, 2013, organizations will undergo criminal proceedings if they are found guilty of bribing a public servant. This has prompted organizations to relook at their existing anti bribery and corruption policy to bring it at par with the requirements of the proposed changes in the Bill. A well constituted policy statement helps in ensuring legal compliance as well as upholding the ethical stand of the organization.

While drafting the anti-bribery and corruption policy, organizations should keep in mind the following aspects:

  • The policy should demonstrate the organization’s commitment to act professionally, fairly and with integrity in all its relationships and business dealings and along with a clear statement on zero tolerance towards bribery and corruption.
  • The policy should also provide information and guidance to employees and third parties working on behalf of the organizations on how to recognize and deal with bribery and corruption issues. 
  • The policy should set out a list of activities/ transactions that pose bribery/corruption risk for the organization and steps that can be taken to address such risks.
  • The policy should clearly state all activities unacceptable to the organization (including those carried by third parties/vendors etc.)
  • The policy should be responsive to future changes in ABC legislation and be updated on a timely basis. Further, efforts must be taken to ensure that employees are aware of the changes and comply with them.

Having a comprehensive anti-bribery and corruption compliance policy in place is the first step, towards creating an ethical enterprise. However, the policy itself can be ineffective unless implemented in spirit. To that effect, training programs should be undertaken for all employees of the organization, especially those working in the areas that are perceived to be at higher risk of corruption and bribery.

Further, there should also be a periodic review and amendment of the policy statement in line with the prevailing bribery and corruption risks.

Do you believe your anti bribery and corruption policy is in accordance with the proposed provisions of the PoCA (Amendment) Bill 2013? Share your views by writing to inforensic@deloitte.com or on Twitter @deloitteindia.

Back to top

By Sumit Makhija (Senior Director) and Gresha Katkoria (Deputy Manager)

How do you know if your fraud risk management program is effective?

16 July 2015

With the Companies Act, 2013, mandating the need for internal controls and measures that can prevent, detect and mitigate fraud, organizations are re-looking at their fraud risk management program. In their enthusiasm to align internal controls to detect fraud and comply with the provisions of the Act, organizations may tend to overlook the effectiveness of their measures. We have seen instances where companies have a robust fraud risk management program on paper but are unable to implement it see successfully.

So how can organizations assess the effectiveness of their fraud risk management programs? In our view, some of the below recommendations may be helpful.

  1. Establish a fraud risk management team – A dedicated team that periodically conducts reviews of systems and procedures to identify and assess fraud risks faced by the business is a good indicator of whether internal controls established are effective or not.  Some techniques that can be used to assess the effectiveness of internal controls include workshops, questionnaires, peer comparisons with other organizations, and spot audits. Over time, the fraud risk management team can use these techniques to identify controls that are no longer effective/ necessary and work towards replacing them. The fraud risk management team can also identify emerging fraud risks and proactively institute controls to mitigate such risks.
  2. Test the efficacy of reporting mechanisms - Further to the Companies Act, 2013, mandating the need for a vigil mechanism, several organizations have established a whistleblowing hotline. However, the effectiveness of a hotline can be ascertained by checking if employees use it regularly to report concerns. Absence of complaints can be indicative of an ineffective reporting mechanism – one that employees are either unaware of or are uncomfortable using.
  3. Undertake ethical internal reviews - According to a recent Deloitte Forensic report titled Implementing a robust fraud risk management program – 10 FAQsethical internal reviews are a possible means of assessing an organization’s culture in terms of its employees’ understanding of the code of business conduct/ ethics policy and analyzing employees’ perceptions, attitude and their ability to identify specific fraud vulnerabilities. Ethical internal reviews can be undertaken using a combination of qualitative techniques such as employee surveys, fraud awareness training programs, ethical dilemma workshops, and fraud vulnerability workshops.

Have you attempted to ascertain the effectiveness of your organization’s fraud risk management program? What methods did you employ? Share your views by writing to us at inforensic@deloitte.com or on Twitter by following @deloitteindia.

Back to top

By Sumit Makhija (Senior Director) and Karim Lakhani (Deputy Manager)

What is an ethical internal review and how should organizations go about conducting one?

13 July 2015

Ethics are a set of concepts and principles that guide us in determining what behavior helps or harms us, according to Richard William Paul and Linda Elder1, educational psychologists and critical thinking scholars. Organizations are no different.

The Institute of Global Ethics states that ethical practices form the heart of a strong organization. Ethical decision-making can promote employee morale, boost brand reputation, encourage loyalty in customers and employees, and improve an organization’s bottom line. Therefore understanding the level of ethical behavior within an organization can be useful to determine the organization’s preparedness to tackle fraud, misconduct and noncompliance. Ethical internal reviews are a tool to accomplish this.

According to a recent Deloitte Forensic report titled Implementing a robust fraud risk management program – 10 FAQsethical internal reviews are a possible means of assessing an organization’s culture in terms of its employees’ understanding of the code of business conduct/ ethics policy and analyzing employees’ perceptions, attitude and their ability to respond to ethical dilemmas.

The Deloitte Forensic report outlines the following ways in which ethical internal reviews can be conducted:

  1. Employee survey on organizational culture 
  2. Employee ethics and fraud awareness 
  3. Fraud awareness training program
  4. Ethical dilemma workshops
  5. Fraud Vulnerability Workshops

Unlike a regular audit, that is fact based and backed by records, ethical internal reviews can be subjective. Therefore, relying on multiple qualitative research techniques is necessary for a completing a comprehensive ethical internal review.

On the practical aspect of the review, let us understand how an ethical internal review is to be conducted. Is there a predefined structure or template that organizations can reference?

While there are no specific guidelines prescribed for conducting ethical internal review under the Companies Act, 2013, organizations can consider the following components to include as part of an ethical internal review.

  1. Review of code of ethics, training programs and other compliance policies.
  2. Collating and analyzing past instances breach of ethics through company records and archived online news resources. 
  3. Discussions with employees on their impressions of the company's commitment to ethics and experiences with respect to their co-worker’s seniors etc. demonstrating commitment to ethical business practices.

Have you undertaken an ethical internal review at your organization? What was your experience? Share your views by writing to us at inforensic@deloitte.com or on Twitter by following @deloitteindia.

 

------

1 Source: Paul, Richard; Elder, Linda (2006). The Miniature Guide to Understanding the Foundations of Ethical Reasoning. United States: Foundation for Critical Thinking Free Press. p. np. ISBN 0-944583-17-2.

Back to top

By Sumit Makhija (Senior Director) and Shruti Luthra (Senior Executive)

Can an enterprise risk management program substitute for a fraud risk management program?

09 July 2015

At a recent webinar organized by us, we were asked why an organization should undertake fraud risk management activities separately, when there was already an enterprise risk management program in place. In our experience, for many organizations in India, fraud is considered a type of enterprise risk that does not necessitate a separate scrutiny. However, fraud risks can be different from other enterprise wide risks and their implications can have the potential to stall business. Let us understand how.

Fraud is often considered a deliberate/ intentional act of deception, cheating or malice by the organization, whereas other enterprise risks such as financial risks, strategic risks, or operational risks can be dependent on external factors to a large extent. Therefore the impact of these other risks is perhaps limited to the financial health of the organization, compared to fraud that can impact reputation and the ability to conduct business itself, in addition to other financial impact.

In line with this, the objective of an enterprise risk management program is largely to safeguard the organization's capital and earnings, according to a recent Deloitte Forensic report titled Implementing a robust fraud risk management program – 10 FAQsA fraud risk management program on the other hand is specifically focused on mitigating the risk of fraud, misconduct and non-compliance. Therefore the manner in which an enterprise risk management program is undertaken is a different from how a fraud risk management program is undertaken.  Some of the fundamental differences, as observed by us, are described below.

Aspect

Enterprise Risk Management Program

Fraud Risk Management program

Undertaken by

Internal Audit teams / Corporate Governance teams

Fraud Risk Management team, comprising of members from Internal Audit, Forensic experts, Management Assurance, Legal, Risk and Compliance, and IT security teams

Key areas of focus

  • Undertake risk assessment to identify key risks affecting the organization
  • Analyze data to understand if there are errors
  • Develop a risk response strategy depending on the organization’s tolerance level to various risks
  • Undertake risk assessment to understand key fraud risks and the schemes – people and process specific – that can impact the organization now as well in the future.
  • Analyze data to understand if the errors discovered are deliberate acts of fraud
  • Ideally develop a fraud response plan to demonstrate zero tolerance to fraud


India has witnessed several large scale corporate frauds in the last decade despite the presence of enterprise risk management programs and associated internal controls. Perhaps this has led regulatory bodies and companies to believe that a more focused effort on fraud mitigation was necessary.  The Companies Act, 2013, mandates that companies specifically have a program that can prevent, detect and address fraud – not just enterprise wide risks. While a fraud risk management program can be a part of a larger enterprise wide risk management program, the principles used to assess fraud risks must be different from those used to assess other enterprise wide risks.

Do you have a fraud risk management program that is independently run compared to the enterprise risk management program? Have you seen benefits in this approach? Share your views by writing to us at inforensic@deloitte.com or on Twitter by following @deloitteindia.

Back to top

By Sumit Makhija (Senior Director) and Zubin Dastur (Manager)

Fraud risk management – Do you need it?

06 July 2015

The Companies Act, 2013 has placed the responsibility for preventing and detecting frauds and other irregularities on the Board of Directors. In the case of listed companies, Directors are also required to constitute an Audit Committee whose functions include evaluation of internal financial controls and risk management systems. However the Act has not clearly defined means and measures, to be undertaken by the Directors to ensure compliance with these requirements.

In the past, Directors and the Audit Committee have traditionally assigned the responsibility of internal financial controls to the Internal Audit team.  However today, reliance on Internal Audit teams alone to prevent and detect fraud is insufficient.  According to the Deloitte whitepaper titled Implementing a robust fraud risk management program – 10 FAQs, tackling fraud risks is different from addressing general enterprise wide risks.

The scope of a fraud risk management program includes not only providing fraud risk assessment and recommendations for enhancement of internal controls, but also continuous monitoring, review of high risk areas, as well as review of fraud investigations. To do this, a fraud risk management team relies on technologies and key investigation competencies, such as investigative interviewing skills, data analytics to detect red flags, market intelligence gathering skills and evidence handling skills which includes the use of forensic technology.

Some of the possible outcomes of a fraud risk management exercise can include:

  • Understanding gaps in the company’s fraud risk assessment and the assessment of associated internal controls
  • Knowledge of unidentified vulnerabilities or emerging fraud risks that may affect the company
  • Ascertaining the effectiveness of communication about fraud control, prevention and detection policies to employees
  • Robustness of a system for prompt and competent investigation of suspected or known cases of fraud or misconduct
  • Prevalence of an effective whistleblower mechanism and employee perceptions of the mechanism

Given the heightened focus on fraud mitigation by apex regulatory bodies, organizations can start their efforts by undertaking a fraud risk management exercise.

Has your organization undertaken a fraud risk management exercise? Share your experience and perceptions of fraud risk management programs by writing to inforensic@deloitte.com or on Twitter @deloitteindia.

Back to top

By Sumit Makhija (Senior Director) and Anshuk Megharikh (Assistant Manager)

Building internal financial controls to monitor third party relationships

02 July 2015

In our experience, working with third parties can significantly increase the risk of fraud. In a practical scenario, organizations are unlikely to have complete control over the activities of a third party, irrespective of the obligations of their contractual agreement. More so in an Indian context where attempting to control third party activities, by actions such as incorporating Right to Audit Clauses in vendor contracts, may be perceived as a breach of trust, damaging the business relationship itself.  How then can organizations mitigate the risk of fraud arising from third party relationships?

In these circumstances comprehensive due diligence exercises can be a useful tool to mitigate fraud risks arising from third parties, according to a recently released Deloitte Forensic document titled Building effective internal financial controls for better fraud risk management.

Knowledge is power, especially when it comes to managing fraud risks. An organization should strive to have all the available background information pertaining to a third party it is looking to enter into business with, including ultimate beneficial ownership, details of affiliates and associates, experience, competency and track records, presence of any related shell companies, etc. An organization must also have information about all its employees who have relationships with the proposed third party.

Adverse media or negative news is another type of information to track. Examples of negative news can include past instances of corruption and other unethical/illegal practices, political links, white collar crimes and insolvency issues.

With the introduction of the Companies Act, 2013, organizations have been forced to relook at their fraud risk management efforts. While we have seen some investment towards mitigating fraud risks arising from operational concerns, a lot more can be done specifically to mitigate the risk of fraud arising from third parties. In today’s world vendors and business partners are integral to the success and ambitions of an organization and due care must be taken to mitigate potential fraud risks in such relationships.

How do you mitigate fraud risks arising from third party relationships? What kind of due diligence do you undertake? Share your views by writing to us at inforensic@deloitte.com or on Twitter by following @deloitteindia.

Back to top

By Sumit Makhija (Senior Director) and Anshuk Megharikh (Assistant Manager)

Re-looking at Fraud Risk Assessment

29 June 2015

In our experience, we often see companies concerned about the effectiveness of their fraud risk management framework. Despite presence of internal controls, many organizations feel they are not adequately prepared to tackle the risk of fraud. The root of this issue can be found in how fraud risks are perceived and therefore assessed by the organization.

A recent Deloitte report titled Building effective internal financial controls for better fraud risk management, indicates that fraud is not on the top of senior management and the Board’s agenda, due to the perceived low value of fraud loss. Consequently, the Board itself tends to have limited understanding of what constitutes a fraud risk management program and how the corresponding internal financial controls need to be developed.

The Deloitte report outlines some of the key aspects overlooked by companies while conducting a fraud risk assessment.

  • Assessment of the types of fraud that can impact business – Organizations tend to view fraud as an unchanging risk and most fraud risk assessments include only better known fraud risks such as fraudulent financial reporting and loss of assets. Further, some of the red flags that can lead to fraud (such as management bias in selecting certain accounting principles, and bribe payments) tend to be ignored while assessing fraud risks.
  • Understanding how fraud is perpetrated – When hit by fraud, organizations tend to claim that they had little knowledge of any red flags. In our experience, while the signs of fraud are visible, organizations are unable to distinguish these from unintentional errors and act on it. For instance, certain organizational policies, such as pressure to meet financial targets, may inadvertently force employees to resort to fraud and malpractice.
  • Understanding fraud risks through third parties - Third party relationships tend to increase the risk of fraud such as procurement fraud, bribery and corruption, big rigging and IP theft. It is therefore imperative that organizations extend their fraud risk management programs to cover third parties. In our experience, this seldom happens, primarily due to the delicate nature of business relationships in India.

How often does your organization re-look at your fraud risk assessment framework? Have you made any significant changes to your fraud assessment in the last one year? Share your views by writing to us at inforensic@deloitte.com or on Twitter by following @deloitteindia.

Back to top

By Sumit Makhija (Senior Director) and Anshuk Megharikh (Assistant Manager)

Role of Forensic technology in developing robust internal financial controls

25 June 2015

Technology, if deployed appropriately, can help organizations identify and tackle frauds such as inventory theft, supply chain frauds, financial misstatement frauds, etc. Respondents to the Deloitte India Fraud survey released in 2014 identified 11 types of frauds that could be unearthed using forensic technology and data analytics.

While deploying a range of forensic technology and data analytics tools may become an onerous proposition for organizations, the recently released Deloitte Forensic document titled Building effective internal financial controls for better fraud risk managementoutlines some key aspects where existing technology controls can be re-aligned to detect and prevent fraud.

  1. Maintaining an audit trail: Maintenance of comprehensive logs of all activities undertaken by all business units can help amass a significant amount of information. Data analytics routines can be run on this data to identify gaps and red flags and also identify any indicators of individuals perpetrating malpractice or fraud.
  2. Automated Notifications in case of process overrides: Due to certain business pressures, almost all organizations allow for limited deviations from set processes to aid ease of doing business. However, it is extremely important to keep track of such deviations and ensure that this does not become the norm. As such, programming an organization’s systems to raise automated notifications (in case of any deviations) to designated stakeholders can go a long way in preventing the misuse of such systems.
  3. Data Protection: We are observing a steady increase in frauds involving data breaches/theft of intellectual property. Such data could be commercially sensitive, proprietary in nature or could be harmful when in the wrong hands. Therefore, ensuring the security of data is one of the most important steps an organization can take. Industry standard encryption of hard disks and either disabling of removable media or automatic encryption and tracking of removable media are imperative. Some leading organizations also place restrictions on emails and attachments to prevent sharing of sensitive data outside the organization.
  4. Proactive Monitoring: Running data analytics modules on internal/external communication and data from the payroll, accounts/finance and sales, can help identify potential red flags and proactively prevent fraud. Wherever possible a cross-departmental integration of data from systems, including ERP data, should be undertaken to run analytics routines. The advantage of data analytic programs is that they learn and adapt over time. Therefore, having a proactive modules running on a continuous basis can greatly assist an organization in detecting and preventing fraud.

Have you used data analytics to detect fraud? Accordingly, do you see any improvements in your fraud risk management efforts? Share your views by writing to us at inforensic@deloitte.com or on Twitter by following @deloitteindia.

Back to top

By Sumit Makhija (Senior Director) and Anshuk Megharikh (Assistant Manager)

Building a social control environment through better internal financial controls

22 June 2015

Leading organizations often undertake comprehensive fraud risk management programs to mitigate the risk of fraud. One of the key aspects of a fraud risk management program is to set up strong internal controls to deter employees and third parties from perpetrating fraud. However, absence of a social control environment within an organization – one that emphasizes implements and recognizes ethical business practices - can render several of these internal controls ineffective.

So, how can organizations build a social control environment?

The foundation of a strong social control environment lies in its code of conduct, according to the Deloitte Forensic document titled Building effective internal financial controls for better fraud risk management.

The code of conduct conveys to every employee, new or existing, the business standards that they are expected to adhere to while performing their day to day duties. A code of conduct must therefore reflect the values propagated by the organization. Relevant portions of the code must also apply to all third parties who are conducting business with (and on behalf of) the organization. In line with the organization’s growth and new fraud risks it can be exposed to, the code of conduct must be periodically reviewed.

In our experience, an effective code of conduct is one that is supplemented by an effective training and periodic awareness program. Leading organization tend to use a wide variety of mediums available (videos, social media, interactive events, blogs etc.) to familiarize employees and periodically update them about the code of conduct and the ethical business practices followed. Such training programs can also be used to build awareness around the impact of fraud on an organization.

Once a code of conduct is in place and training programs have been conducted, organizations can consider other measures to improve the social control environment including:

  • Developing an anti-fraud policy that clearly lists various protocols for reporting unethical behavior related to fraud, misconduct or fraudulent financial reporting.
  • Including ethical behavior as a component of the performance appraisal process
  • Undertaking internal reviews to monitor compliance with the code of conduct
  • Establishing a whistleblowing hotline that can encourage employees to report concerns regarding unethical behavior.

So how does your organization establish a social control environment? Share your views by writing to us at inforensic@deloitte.com or on Twitter by following @deloitteindia.

Back to top

By Sumit Makhija (Senior Director, Deloitte Forensic) and Rohit Goel (Director, Deloitte Forensic)

India Inc. must re-look at compliance programs to meet requirements of the proposed Prevention of Corruption Act (Amendment) Bill, 2013, provisions                                                

18 June 2015

The days when companies in India could cover up cases of bribery and corruption by passing them off as an individual acts may be short lived now. The Lok Sabha’s approval of the amendment of the Prevention of Corruption Act (Amendment), Bill, 2013, now makes corporates liable for acts of bribery by employees or other parties acting on their behalf. Specifically, one of the key amendments in the proposed Bill, requires commercial organisations to prevent persons associated with them from bribing a public servant.

We believe these amendments will change the corporate governance landscape for India Inc. in the future, starting with additional responsibility on organizations to put measures in place to prevent bribery by employees and third parties.

The amendments indicate the need to have adequate policies and procedures to prevent potential instances of bribery and corruption while conducting business, in line with the requirements laid down by global anti-corruption legislations such as the US FCPA, 1977 and the UK Bribery Act, 2010.  In the event of an instance of bribery by an organization coming to light, the only defense the organization would have would be the implementation of adequate policies and procedures to prevent bribery.  

Unfortunately many organizations continue to believe that corruption is the cost of doing business and therefore impossible to eradicate, particularly in developing countries like India. However, these sentiments are changing, particularly after the enactment of the Companies Act, 2013, that resulted in heightened awareness around fraud risk management, including bribery and corruption. The proposed amendment to bring commercial entities within the ambit of Prevention of Corruption Act (Amendment) Bill, 2013, and their increased liability is likely to change the way businesses perceive fraud and corruption in India.

It is therefore time for Indian organisations to start relooking at their compliance programs. In our experience, some of the leading measures adopted worldwide by companies to deter bribery and corruption include:

  • Board level commitment for zero-tolerance towards bribery and fostering an ethical culture which gives priority to compliance over the business. This is turn would require laying down policies and procedures to prevent bribery and effectively communicating these to various stake holders.
  • Assessing the nature and extent of potential bribery and corruption risks and implementing measures to mitigate such risks
  • Due diligence on third parties to identify potential adverse information before engaging with them. Further, use of continuous monitoring and review to identify areas of improvement is also an aspect that companies can consider.

These measures, in addition to being leading practices, are also considered as valid defense by regulators globally in case any potential case of bribery or corruption is identified in the organization. However, care must be taken to ensure that practical aspects of doing business are considered while drafting these policies, as we have observed many organizations struggling to effectively implement the requirements of anti-bribery regulations due to lack of practical approach.

In addition to having policies and procedures that deter bribery and corruption, companies must also ensure that employees are given practical guidance on how to deal with tricky situations and ethical dilemmas. A survey conducted by us in 2014 titled The public perception of anti-bribery and corruption compliance efforts, indicated that about 61 percent of survey respondents received information or guidance on bribery and corruption related issues from their organization. Only 45 percent of respondents were aware that their organization had a policy pertaining to bribery and corruption.

Some measures to sensitize employees to the risk of bribery and corruption include – having a dedicated cross functional team to discuss and drive anti-bribery initiatives, include evaluations on ethical practices as part of the larger performance appraisal process, and have scenario based class room training on such initiatives.

There is also a wider need for transformation in the mindset of people and businesses on the issue of combating bribery.  For now, compliance with the proposed provisions of the Prevention of Corruption Act (Amendment), 2013, will no longer be an option. The board of directors and senior management will have to prioritize the implementation of anti-bribery and corruption controls as part of the larger compliance framework to meet the expectation of the regulators. While Corporate India may see this as an additional cost of compliance, these initial efforts can go a long way in mitigating corruption in India.    

What efforts are you taking to comply with the proposed Prevention of Corruption Act (Amendment), Bill, 2013? Share your views by writing to us at inforensic@deloitte.com or on Twitter by following @deloitteindia.

Back to top

By Nikhil Bedi (Senior Director), Nitin Bidikar (Director) and Kedar Waykul (Deputy Manager)

Developing a robust compliance management system for the Pharma sector

15 June 2015

With every action across the life sciences value chain needing validation and approval to mitigate risk to human life, a proactive approach to fraud and compliance risk mitigation has been recommended by all stake holders from within and outside the industry. The recent Deloitte India life sciences sector survey recommends that organizations adopt a 360 degree approach to managing compliance and fraud risks. Such an approach should consist of the following key elements.

  1. Establishing quality policies – Organizations must endeavor to establish quality policies/ modules and regularly update them in line with current regulatory standards. Further, implementation of the established policies at each manufacturing site needs to be effectively and continually monitored by the internal compliance team.
  2. Effective training programs – Organizations can design a systematic training program to develop technical and investigative skills, as well as focus on the changing regulatory requirements. Further, specific training to understand aspects that can alter quality attributes and safety aspects, can be made mandatory for all employees. Certain training programs can also be extended to vendors and suppliers to ensure that they understand the importance of quality parameters.
  3. Zero tolerance to noncompliance - Organizations should imbibe a culture of zero tolerance for quality noncompliance, starting with senior management’s tone at the top. Efforts must be made to periodically communicate the organization’s stand to all employees, suppliers, vendors and counterparties.
  4. Ongoing investments in technology solutions for quality assurance and control programs to have better controls over data management. These measures, over time, will help organizations anticipate new data related requirements and better cope with regulatory changes.
  5. Continuous monitoring – An effective continuous monitoring program can determine the level of quality compliance across the life cycle of a product. Aided by digital tools, the system can also proactively identify gaps in controls or emerging areas of quality risk.

In addition to the above mentioned measures, proactive review of the quality compliance program with continuous oversight by external independent, unbiased experts can be a robust control measure for organizations to manage the regulatory obligations.

What are some of the best practices your organization has adopted for compliance management? Share your views by writing to us at inforensic@deloitte.com or on Twitter by following @deloitteindia.

Back to top

By Nikhil Bedi (Senior Director), Nitin Bidikar (Director) and Kedar Waykul (Deputy Manager)

Challenges in managing compliance in the life sciences sector                                                      

12 June 2015

The life sciences sector is subject to a number of regulations and guidelines stipulated by leading regulatory bodies such as the United States Food and Drug Administration (USFDA), UK’s Medicines and Healthcare products Regulatory Authority (MHRA), European Directorate for the Quality of Medicines (EDQM), and Australia’s Therapeutic Goods Administration (TGA). The sheer volume of compliance requirements can pose a challenge to organizations with relatively small teams of compliance professionals that rely on technology in a limited capacity.

These sentiments are reflected in the recently released Deloitte India Life sciences sector survey, where survey respondents have highlighted data management systems (48 percent), pharma quality systems (45 percent), investigation of anomalies (Corrective Actions Preventive Actions) (45 percent), and lack of trained resources to manage compliance (42 percent), as responsible for the challenges in compliance management.

From a technology standpoint, life sciences sector companies are so far not mandated by regulatory bodies to rely on electronic data to aid compliance. This has perhaps limited the pace of adoption of technology in the sector, and upgrades to existing data management and pharma quality systems have been slow. Further, there is limited clarity on how technology can be used to proactively monitor compliance. Unless the senior management understands the merits of using technology to improve compliance and makes strategic investments in this direction, data related challenges would remain.

On the talent front, the fast pace of growth in the sector has resulted in scarcity of talent at several levels and across functions within a life sciences enterprise. However, this scarcity is relatively higher in the compliance management function, due to frequently changing regulatory requirements and increasing number of approved facilities. For instance, in the last two years, most regulatory bodies have introduced new areas of scrutiny beyond just testing drug efficacy and now involve risk management and mitigation programs for R&D laboratories, manufacturing facilities and procurement functions. For compliance management professionals to familiarize themselves with these changes and become adequately trained in them requires time. In the interim, companies could be exposed to vulnerabilities arising from non-compliance. Creating a long term training program to keep industry professionals updated with much needed skills across functions in the Life sciences sector life cycle can help tackle the issue of talent shortage.

What are the challenges your organization has faced to manage global compliance obligations? Share your views by writing to us at inforensic@deloitte.com or on Twitter by following @deloitteindia.

Back to top

By Nikhil Bedi (Senior Director), Nitin Bidikar (Director) and Kedar Waykul (Deputy Manager)

GxP Non-compliance and contributing factors
10 June 2015

The recently released Deloitte India life sciences sector survey findings indicate that regulatory non-compliance is a serious challenge for organizations, hindering their growth. Considering the swift and severe action taken by regulatory bodies in recent times in the event of noncompliance (heavy penalties, import bans and business closure), it can be disheartening for organizations to deal with noncompliance.

The first step towards creating a robust compliance program lies in understanding what actions can be considered as noncompliant with regulations. Recent data from the FDA and EMA inspections have listed the following actions as noncompliant: inadequate controls over laboratory operations and analytical data management, deficiencies in failure investigations, lack of robustness in product formulation, poor facility and equipment design, inadequate/ not following written procedures, lack of control over computer systems and inadequate training programs. Disturbingly, some of the regulatory body reports also point to data integrity issues such as falsifying or destroying data.

What prompts organizations to harbor unethical business practices?

The Deloitte India life sciences survey reveals that the potential contributing factors for noncompliance in life sciences industry are:

  • Shortage of skilled staff in their risk and compliance teams (64 percent)
  • Lack of internal controls and compliance processes to proactively manage and mitigate the risk of non-compliance (61 percent)
  • Lack of a zero tolerance approach towards non-compliance (45 percent)
  • Poor product understanding due to inadequate development and inadequate characterization of raw materials (36 percent)
  • Inadequate due diligence (36 percent)
  • Poor fraud risk management systems (36 percent)
  • Unrealistic targets and goals (33 percent)

In our opinion, the above mentioned factors have existed for some time within the industry, but recent strong enforcement action by regulatory bodies has brought these issues to the forefront. Unless these issues are addressed, the specter of noncompliance will continue to haunt the sector.

What is your experience with the GxP compliance? Are any of the factors listed here applicable to your organization? Share your views by writing to us at inforensic@deloitte.com or on Twitter by following @deloitteindia.

Back to top

By Nikhil Bedi (Senior Director) and Ajit Nathaniel (Deputy Manager)

Do You Know Your Directors?
04 June 2015

Rules to improve corporate governance in India have seen a massive change in the past two years. Independent Directors (“IDs”), for instance, were seen as representing the interests of minority shareholders and ensuring effective corporate governance. In the past, however, the theoretical benefits of this oversight mechanism were not completely realized. The 2013 Companies Act changed this, greatly increasing the accountability of IDs associated with listed companies among other enterprises. Predictably, a wave of resignations by IDs ensued, leaving a large number of companies searching for personnel to fulfil this regulatory requirement. More recently, in the run-up to 1 April 2015 – the deadline to meet the quota for women directors on company boards - media reports suggested that despite promoters appointing their family and friends to comply with the regulations, hundreds of companies have been unable to meet this requirement and could be vulnerable to punitive action.

The spirit behind these new rules is laudable. Regulators are seeking to give minority shareholders a greater voice in company affairs through the ID mandate, while improving the participation of women in the business sphere through the compulsory quota for women directors. These regulations though, pose major challenges to companies that they apply to. A report revealed that a majority of Independent Directors were related to promoters, and some even lacked the industry experience or educational credentials to perform suitably in such a position. The new regulations expressly prohibit such an arrangement and hold companies responsible for performing adequate due diligence. Consequently, businesses now seek candidates that can add value, and are capable of the responsibilities of directorship. This is especially true of ID appointments.

Making such sensitive appointments from a short supply of qualified individuals requires particular diligence. Promoters must ensure that the candidate is free of the conflicts of interest specified in the Act. Additionally, the candidate’s credentials need to be evaluated objectively for the suitability in that specific role – particularly to identify requisite knowledge and experience. For businesses that are family-controlled, it is also important that the potential director’s personality, values, and temperament are consistent with the company’s culture. Additional areas of scrutiny are possible political or criminal connections and prior litigation – both of which could pose both a reputational and an operational risk to the company. Given these considerations, it is important for companies to engage a due diligence specialist to look into the antecedents of their potential directors.

Due diligence on Independent Directors typically comprises an in-depth review of financial and legal records to identify credit defaults and criminal or civil litigation. Additionally, research of regulatory information is performed to identify censure or sanctions by authorities. Media coverage of the target may be analyzed for an insight into the target’s public profile, business history, and connections. In most cases, this information is corroborated through relevant market enquiries. This exercise is invaluable to promoters and other stakeholders in making an informed decision on a prospective ID.

Do you have specific concerns around your director appointments? Tell us by writing to inforensic@deloitte.com or on Twitter @deloitteindia.

Back to top

By Rohit Mahajan (Senior Director) and Preeti Suresh (Assistant Manager)

Establishing a Cyber Threat risk governance program
01 June 2015

Incidents of cyber-crime and cyber espionage can increase an organization’s risk of fraud, intellectual property theft, network incapacitation and damage to brand and corporate reputation – all of which can have far reaching and expensive consequences.

In our experience, corporate India has a limited understanding of cyber threats, with only 14 percent of respondents to the Deloitte India Fraud Survey, released in 2014, indicating that they were aware of data loss/ leakages arising from hacking or hijacking of cloud based services. At senior management levels, this awareness can be even lower.  It would therefore be prudent if organizations can spend more time understanding cyber threats and developing specific measures to address them- starting with senior management.

A recent Deloitte Forensic document titled Cyber threats and the role of the Board in curbing it, lists a series of measures that the Board of Directors and senior management can take to tackle cyber threats.

Cyber threats and the role of the Board in curbing it

Are you aware of cyber threats to your organization? How are you safeguarding against these risks? Share your views by writing to inforensic@deloitte.com or on Twitter @deloitteindia.

Back to Top

By Jayant Saran (Senior Director), Veena Sharma (Director) and Karim Lakhani (Assistant Manager)

Handling disclosures from ex-employees or employees serving notice period

28 May 2015

Imagine this scenario – an employee has resigned from his job, and while discussing the reasons for the resignation, he/ she also discloses occurrence of possible wrongdoing within the organization. How would you react to this? Would you dismiss it as a grouse coming from a disgruntled employee? Or would you take action to ascertain the facts?

We have, in recent times observed several organizations grappling with this situation of disclosures made by ex-employees or employees serving notice period, and organizations are more often than not found to be in a dilemma as to how to manage such disclosures.

It may be possible that the complaints received from ex-employees or those serving the notice period are not genuine, and possibly a result of a long standing grudge/understanding with peers or managers. However it is important to note that complains received from such employees are often more vocal and provide more information without the fear of retaliation.

In our view, disclosures from ex-employees or employees serving notice period should be handled in a manner that is consistent with handling other disclosures. According to the Deloitte Forensic report titled Setting up a Whistleblowing Program – 10 FAQs, handling of such complaints or disclosures should be based on the severity of the case and the information provided. It is important to note that such employees are often more vocal when making disclosures and provide more information without the fear of retaliation. This also helps the company evaluate the impact of the complaint or disclosure, in terms of financial or other losses incurred and gaps in anti-fraud controls that led to the situation.

How do you handle disclosures from ex-employees or employees serving notice period? Do you have a different process to manage these complaints? Share your views by writing to inforensic@deloitte.com or on Twitter at @deloitteindia.

Back to top

By Rohit Mahajan (Senior Director) and Pooja Purohit (Deputy Manager)

Role of the Board in managing cyber threats
25 May 2015

A number of cyberattacks have garnered media attention in recent times. According to CERT-In, over 3 lakh Indian websites were hacked in 2013. In its annual internet security report of 2014, security software maker Symantec said India ranked third globally in the overall malicious cyber activities in 2013. More than 69 per cent of the targeted attacks in the country during the year were on large enterprises, while 66 per cent of email traffic at these companies was spam.

In addition to the direct costs that impact the company’s bottom line, the repercussions of cyber threats can range from loss of reputation, significant business disruptions, threat of litigation, and negative impact on the interests of shareholders, to name a few.

The rising magnitude of cyber fraud and related potential losses are forcing the Board of Directors and Audit Committee to respond to cyber threats. Whilst the Board members are not expected to be experts in the area, it is recommended that they have an understanding of cyber threats.

According to a recent whitepaper released by us titled Cyber threats and the role of the Board in curbing it,organizations can educate the Board on cyber threats by conducting mandatory training programs. It is also recommended to appoint a Chief Information Officer to create a clear chain of command to deal with a cyber incident. Further, help can be sought from external experts/ specialists to carry out recovery and remediation plans, implementation of an effective threat response system, and training of employees. Many companies engage external specialists to conduct annual reviews of security and privacy programs including incident response, breach notification, disaster recovery and back-up plans. Boards can direct their organizations to use these services, wherever necessary.

Robert Mueller, the Director of FBI once said, “There are only two types of companies – those that have been hacked and those that will be.” It is for the Board to decide how they wish to take the organization ahead in such challenging times.

Are your company’s Board members aware of cyber threats that can impact your organization? What measures have you taken to educate them and create awareness? Share your perspective by writing to inforensic@deloitte.com or on Twitter @deloitteindia.

Back to top

By KV Karthik (Senior Director, Deloitte Forensic)

Elements that should necessarily form a part of the Fraud Risk Management framework in a financial institution
21 May 2015

The key to any anti-fraud program is to have a framework in place that will not only prevent fraud but also be able to detect fraud incidents as soon as they occur and respond to them effectively. While the task of developing and maintaining such a robust enterprise wide anti-fraud program (with proactive monitoring components) can be daunting for any organization, some of the key features which should necessarily be a part of any organization’s fraud risk management program include:

  • Preventive Mechanism
    • Understanding roles and responsibilities
    • Ongoing fraud awareness program
    • Formal and well designed due diligence process
    • Periodic fraud risk assessment
  • Detective Mechanism
    • Reporting procedures
    • Whistleblower protection
    • Invest in Data Analytics
  • Response Mechanism
    • Investigation process
    • Corrective action
    • Communication
    • Continuous monitoring

An effective fraud risk management solution should ideally be able to help banks manage fraud risks in a manner consistent with regulatory requirements, as well as with the entity’s business needs and marketplace expectations.

According to the responses received in the Deloitte India Banking Fraud survey report, over 80 percent of the respondents find their current controls to be largely effective. Further, when questioned about the status of the implementation of the various anti-fraud programs, it was heartening to note that banks have progressed across several parameters compared to the last edition of our survey, taking cognizance of the impact of fraud on their organization.

Survey respondents have however highlighted that they face certain challenges in maintaining the efficiency of anti-fraud security controls at an enterprise-wide level, such as struggling to work across channels and/ or finding it difficult to integrate with applications/ tools (such as integrating online transactions and ATM transactions, and integration between retail banking, corporate banking and private banking transactions). It therefore came as no surprise when 83 percent of the respondents indicated that they plan to invest in enhancing or implementing certain anti-fraud measures especially in the area of fraud risk assessment, intelligence gathering mechanism and implementing forensic tools during an investigation process. These costs largely cover elements that fall within a fraud risk management framework, indicating that banks have realized that managing the risk of fraud is a continuous process that will need regular investment in order to meet current challenges as well as future fraud scenarios.

What according to you are vital to a fraud risk management framework for a bank? What areas do you feel need investment in the coming year? What methods can be adopted by a financial institution in order to prevent, detect and tackle fraud in an efficient manner? Share your views by contacting us at inforensic@deloitte.com or on Twitter at @deloitteindia.

Back to top

By KV Karthik (Senior Director, Deloitte Forensic)

The need and importance of detecting fraud in a holistic manner

18 May 2015

Although organizations can never eliminate the risk of fraud entirely, it is important to have controls that can effectively detect and prevent fraud. Efficient internal controls and data analytics can help identify frauds faster and thereby help banks limit the losses incurred. Some of the trends observed in the recently released Deloitte India Banking Fraud survey report indicate that frauds in the banking sector are most commonly detected either through customer complaints, an internal or external tip or during account audit/ reconciliation.

Typically, the fraud detection mechanism has an impact on the time taken to detect fraud and thereby the recovery of the fraud loss amount. In the Deloitte India Banking Fraud survey report, approximately 30 percent of the survey respondents indicated that it took them 6-24 months to detect fraud. Close to 22 percent said they could recover only up to 25 percent of the fraud loss amount which is an improvement from the previous survey result. These statistics indicate a move towards reliance on multiple channels, including technology based channels, to detect fraud.

In this context it is also interesting to note the use of whistleblowing channels by banks to detect fraud. According to Association of Certified Fraud Examiners’ 2014 Global Fraud Study, organizations with whistleblower hotlines experience frauds that are 41 percent less costly, and are able to detect frauds 50 percent faster compared to organizations that do not have such a channel. However, in our experience we have observed that Indian companies tend to approach whistleblowing with a ‘tick in the box’ mentality, which may result in ineffective and/ or poorly managed whistleblower programs.

The success of a whistleblowing program lies in its adoption by employees and third parties such as customers and business partners. For Indian banks operating across different geographies, it becomes paramount to invest in a robust whistleblowing program that is not confined to one language, limited operating hours and selectively accessible to certain employees (e.g. only mid-level employees). Further, banks must institutionalize training programs to encourage employees to blow the whistle when they see or hear anything suspicious or seemingly unethical.

Banks can also now look towards reshaping their fraud detection efforts using advanced analytics and related tools, software and applications in order to obtain a more efficient oversight. With banks facing heightened regulatory and public scrutiny in many countries, using advanced analytics to help identify potential fraud, committed by employees, customers, and third parties may be a strategic and operational imperative. Analytics has the potential to help banks refine the way they perform monitoring that will allow them to detect and identify potential fraud prior to the launch of a formal investigation/ inquiry.

Limited oversight is another such reason wherein loans may be processed based on insufficient documentation/ wrong valuation of collateral. With the increase in outsourcing related KYC, documentation support, verification, etc. – to third parties, it is very important that banks are able to develop a mechanism to ensure that there is no dilution in managerial oversight over these processes.

What according to you are the mechanisms used by a financial institution to detect fraud? How can this have an impact on the organization? Do you feel global financial institutions are able to detect and tackle fraud in a different manner? Share your views by contacting us at inforensic@deloitte.com or on Twitter at @deloitteindia.

Back to top

By Rohit Mahajan (Senior Director) and Prabhu Vijaykumar (Deputy Manager)

Understanding motivations behind cyber threats
14 May 2015

In less than two decades, the Internet has grown from being a curiosity to a necessity, helping businesses thrive. Not surprisingly, this growth has also been accompanied by a rise in cybercrime. Over 3 lakh business in India experienced cybercrime in some form in 2013. Over 800 million people were globally affected by cybercrime in 2014 and research studies peg the losses from cybercrime on an average to be over USD 400 billion.

Frauds typically occur when a motivated offender identifies an ineffectively guarded target. The motivations for committing corporate fraud usually include

  • Financial/ professional performance pressures
  • Aspiration for a quick rise in income / status
  • Easy access to confidential information / funds with little organizational supervision and/or absence of internal controls
  • Peer pressure to join collusive fraud schemes
  • The thrill of committing fraud

In our recently released white paper titled Cyber threats and the role of the Board in curbing it, we noted that the motivations for some cybercrime can be a little different from those of other kinds of fraud and crime. For instance, perpetrators of several large cybercrime incidents are organized groups of individuals (eg: hacker groups) whose motivations may be just a response to the “increasing corporatization of the world”, perceived by hackers as different from their ideology of a ‘free world’. In other instances, hacking of websites are driven by political beliefs and ideologies. Many hackers also indulge in cybercrime as a way to test/ challenge their own skills against the defenses put up by companies. The intention here is not to defraud companies but gain bragging rights among the hacker community by highlighting one’s prowess. Of course, data theft, access to financial information etc. continue to be motivators for some groups of cyber criminals.

Interestingly, the motivations for cybercrime are also supported by the prevailing attitude towards such incidents. For example, the anonymity provided by cyberspace decreases the sense of personal accountability on individuals, unlike the case in regular fraud and white collar crime where the perpetrator is identifiable.  Further, the tolerance to cybercrime in many countries is much more, with the public often brushing aside instances of cybercrime where there appears no damage to the victims. Also, limited legislation and punishment for cybercrime can prove to be an ineffective deterrent.

Organizations therefore, need to understand the motivations behind cybercrime and devise specific measures to prevent such incidents from happening.  It is also important to educate employees on the dangers of cyber threats and prevention techniques such as using strong passwords, securing one’s computer by using anti-virus software, protecting social media privacy, using secure web access, and following other security protocols.

The above discussed safeguards can make worries about reports made in bad faith an exception, rather than a norm.

What measures does your organization adopt to curb cyber threats and cyber fraud?  Share your feedback by writing to inforensic@deloitte.com or on Twitter @deloitteindia.

Back to top

By Jayant Saran (Senior Director) and Ankita Malik (Assistant Manager)

Positioning a whistleblower program within the organization
11 May 2015

Whistleblowing is increasingly recognized as a pivotal tool in the prevention and detection of fraud and malpractice. According to the Deloitte India survey report on whistleblowing, titled Lead by example: Making whistleblowing programs successful in corporate Indiaclose to 90 percent of survey respondents indicated that establishing whistleblowing hotlines could lead to better governance and reduction of fraud in organizations. Yet, the report noted that whistleblowing programs in India had so far been unsuccessful.

In our experience, one of the reasons for this limited success could be the way whistleblowing programs are positioned within organizations. For starters, the term whistleblowing has culturally negative connotations in India, with a whistleblower likened to a snitch or a mole. Hence choosing an appropriate name for a whistleblowing program is important.  Some of the common names used for whistleblowing programs include:

  • Tip Off: This name clearly indicates the purpose of the whistleblowing channel – i.e. to provide tip offs on suspicious activities/ incidents. However, it can also encourage anonymity among people providing tips.
  • Ethics hotline: Such a name takes away the stigma attached to whistleblowing and positions itself as a channel that reinforces ethical practices. Use of the term ‘hotline’ can signify urgency and hence prompt users to assess the importance of the issue prior to reporting it.
  • Integrity helpline: The term ‘helpline’ indicates a two way communication channel that users can seek to clarify any concerns they may have – irrespective of whether they are relevant or not. Such a name can be comforting to employees and help build trust for newly launched whistleblower programs, according to the Deloitte Forensic report on Setting up a Whistleblowing Program – 10 FAQs, In contrast, the term ‘hotline’ denotes urgency and the expectation that valid complaints will be reported, without the need for clarification or introspection. Use of the word ‘integrity’ lends a positive tone to the channel.
  • Employee protection/ concern policy:  By using the word ‘employee’, the program indicates that the intention is to safeguard employees from risky events that may harm their reputation. This name may work for a whistleblowing program that is only extended to employees, but not in cases where clients, vendors and business partners have access to the channel.
  • Speak Up policy:  This name is action driven and can encourage people to use the whistleblowing channel. However, since the name is quite generic, there needs to be constant employee communication around the kind of issues that can be reported via this policy/ program. Else, it is possible that people may mistake this for some other initiative in the organization.
  • Issue Resolution policy: The use of the words ‘issue resolution’ demonstrate the organization’s commitment towards addressing concerns reported via the whistleblowing channel. However, it may discourage people who may seek to share only tips and may not have lot of information to process this towards resolution.

While there are definitely several other factors that contribute towards making a whistleblower program success, its positioning remains a crucial factor. How a whistleblowing program is positioned can influence the culture of an organization, instill confidence in employees and promote trust in the whistleblowing program.

What is your organization’s whistleblower program called? Do you think it is an effective name? Let us know by writing to inforensic@deloitte.com or on @deloitteindia.

Back to top

By KV Karthik (Senior Director, Deloitte Forensic)

Fraud in the banking sector is on the rise and it is important to ‘reign’ it in

07 May, 2015

Since the developments in the 1990s, the entire banking products structure has undergone a major change. With de-regulation, increased competition and IT revolution providing ease and flexibility in operations to customers; banks are also evolving and trying to become one-stop financial supermarkets. However, fraud follows opportunity and attacks weaknesses in the system. It is therefore important to know the areas which are vulnerable to fraud before organizations start working towards controlling them.

Fraud occurs because there is a motivation and opportunity to commit fraud. Through our recent survey the Deloitte India Banking Fraud survey report, we have tried to further understand the root causes. why is there increase in fraud incidents? Is it because fraudsters are aware of the lacuna in the banks’ internal control systems? Is it because of negligence on the part of employees?

The respondents have attributed the increase in fraud incidents to the three following reasons:

  • Lack of oversight by line managers or senior management on deviations from existing processes/ controls
  • Business pressure to meet targets
  • Collusion between employees and external parties.

It is important for the senior management to realize that it is their responsibility to try and implement strategies in a manner that ensures compliance with laws and regulations on both a long-term and day-to-day basis. While banks can implement the best fraud controls, it cannot be a substitute to diligence as any loss resulting out of negligence has to be borne by the bank. As the bank employees are at the forefront of fighting fraud, it is important for the organization to make them aware of their obligations through training. Employees should be provided periodic training for their specific areas of operations, which also includes various applicable fraud scenarios, so that they can pre-empt fraud incidents. Another important fraud risk management principle is to provide a clear and consistent message through a credible disciplinary system. A well designed disciplinary process providing guidelines on sanctions based on the nature of the offence and its uniform and consistent application will go a long way in sending the right signal to both internal and external parties and help prevent/ reduce acts of negligence.

One of the important factors why fraud occurs is because the organizational system/ controls provide the fraudster with an opportunity to commit fraud. Within the banking sector, in our experience, some of the gaps that do get underestimated at times are

  • Lack of segregation of duties
  • Poor physical controls
  • Low priority areas, such as internal/ inter-branch accounts tend to be less frequently monitored for oversight or malpractice

Limited oversight is another such reason wherein loans may be processed based on insufficient documentation/ wrong valuation of collateral. With the increase in outsourcing related KYC, documentation support, verification, etc. – to third parties, it is very important that banks are able to develop a mechanism to ensure that there is no dilution in managerial oversight over these processes.

One of the other common reasons cited for increased fraud incidents is heightened pressure to meet/ exceed business targets. With employee compensation increasingly being tied to performance, it may therefore drive individuals to achieve overly optimistic results. Can business pressure to meet targets result in circumvention of controls?

Last but not least - Insider fraud, whether arising from coercion, collusion, or otherwise, are increasingly considered to be one of the most serious fraud threats faced by financial institutions. An aspirational work force can resort to unethical ways of meeting business targets, thereby putting the bank at risk to fraud and reputational damage.

In your view, what are some of the reasons that have contributed to the rise in fraud? What areas does the senior management need to further look at, in order to curb incidents of fraud? What specific processes do you feel make a bank more susceptible to fraud? Share your views by contacting us at inforensic@deloitte.com or on Twitter at @deloitteindia.

Back to top

By Jayant Saran (Senior Director), Veena Sharma (Director) and Puneet Grewal (Assistant Manager)

How should organizations deal with false complaints?
04 May 2015

Most organizations’ expectations from a whistleblowing program is that all whistleblower disclosures will be lawful and made in good faith (genuine). However, there are also worries about disclosures being made in bad faith or with malicious or unlawful intent (false).

We have observed that many companies experience a phase of high usage of their whistleblower channels, soon after the whistleblowing program is implemented, only to realize upon investigation that most allegations were false. Unfortunately, these false allegations consume the limited resources, an organization has to dedicate towards investigation of whistleblower cases. As investigations are handled by senior personnel and additionally reported to the Audit Committee, the cost of dealing with false allegations can be quite high.

The effectiveness of whistleblowing system cannot be undermined with worries about reports made in bad faith. So, how can organizations deal with false complaints effectively?

According to the Deloitte Forensic report titled Setting up a Whistleblowing Program – 10 FAQs, to discourage false allegations, organizations must build awareness amongst employees around the objective and purpose of using the whistleblowing program. The communication to employees must also emphasize on providing specific and credible information that supports concerns raised in order to enable the company to properly investigate the matter.

For this, the organizations can have a ‘checklist of information’ that will need to be provided by a whistleblower when reporting a concern and this requirement can be communicated through the whistleblower policy or awareness programs. An illustrative ‘checklist of information’ is given below:

  • Where did the incident take place?
  • Names of people involved?
  • Date and Time of incident?
  • Are there witnesses?
  • What is the proof and is it available?
  • Is there money involved?
  • Does this happen regularly?
  • Who else is involved?
  • Any other information

The above discussed safeguards can make worries about reports made in bad faith an exception, rather than a norm.

Further, organizations can also consider educating employees on how to make proper complaints by:

  • Conducting periodical trainings to create awareness on what constitutes improper conduct
  • Insisting that employees report only matters that they believe are substantially true
  • Discouraging false complaints or make false allegations to act out of personal gain. We have observed some organizations penalizing the reporting of false allegations.

The effectiveness of whistleblowing hotlines cannot be compromised by false complaints. With the above discussed safeguards, we believe organizations can successfully overcome the issue of false complaints.

Share your feedback by writing to inforensic@deloitte.com or on Twitter @deloitteindia.

Back to top

By Jayant Saran (Senior Director), Veena Sharma (Director) and Karim Lakhani (Assistant Manager)

Should whistleblower complaints be reported to the Audit Committee?
30 April 2015

“Would reporting whistleblowing complaints to the Audit Committee not be seen as a weakness of the organization’s internal controls? It would appear as an escalation showing the management in bad light,” said the Chief Risk Officer of a company we recently met.

Reporting whistleblower complaints to the Audit Committee can be a touchy subject for most legal counsel and risk management professionals, given the reaction it may evoke from the Audit Committee members. However, in our view, there are some advantages to reporting whistleblower complaints to the audit committee:

  • Ability to demonstrate the presence of a functional whistleblowing mechanism in the organization, thereby indicating compliance with regulatory requirements.
  • Seeking independent and unbiased perspective from the Audit Committee, thus ensuring whistleblower cases to be suitably resolved
  • Demonstrate mitigation steps taken by the organization, wherever gaps in antifraud controls are identified, through the investigation of whistleblower cases
  • Enable Audit Committee members to report concerns about unethical behavior, actual or suspected fraud or violation of the company’s code of conduct or ethics policy.

One of the duties of Independent Directors, as set forth in Schedule IV of the Companies act 2013 is to ascertain and ensure that the company has an adequate and functional vigil mechanism and to ensure that the interests of a person who uses such mechanism are not prejudicially affected on account of such use.

Therefore, it is advisable that the number and type of concerns reported through whistleblowing channels be reported to the Audit committee on a regular basis, along with its status of resolution.  According to the Deloitte Forensic report titled Setting up a Whistleblowing Program – 10 FAQs, such reporting should additionally provide details like, hierarchical levels of personnel involved, its impact (financial or other loss), etc., and corresponding action taken by the company.

Do you report whistleblower complaints to the Audit Committee? What is the reaction from the Audit Committee? Share your story by writing to inforensic@deloitte.com or on Twitter @deloitteindia.

Back to top

By KV Karthik (Senior Director, Deloitte Forensic)

Increasing fraud incidents demand for organizations to take charge and evaluate their efforts

27 April, 2015

While risks are inherent in the banking business, the risk of fraud is one that no bank would ideally like to deal with. But the reality is that frauds are on the rise which has been brought out in the Deloitte India Banking Fraud survey report, wherein 93 percent of the survey respondents indicated that fraud has grown over the last two years. What is interesting is that the percentage rise appears to have been more than what was envisioned by the banks in our previous edition in 2012. A majority of survey respondents (in the current edition) have indicated that they have experienced more than 50 fraud incidents in the retail banking segment in the last two years (average fraud loss of around INR 10 lakh per incident) and an average of 10 fraud incidents in the non-retail segment (average loss amount close to INR 2 crore per incident).

While most respondents have indicated an overall increase in frauds incidents across all banking segments, it comes as no surprise that the usual suspects i.e. retail banking has been identified as the major contributor to fraud, followed by corporate banking. In terms of specific areas, survey respondents highlighted ‘fraudulent documentation’ and ‘overvaluation/ absence of collateral’ as areas where incidents of fraud were most likely to occur within retail banking. Whereas, within corporate banking, ‘diversion of funds’ were identified as the biggest areas of concern.

The risk profile of different segments in banks within retail or corporate banking are different and therefore the approach required to control the risk of fraud in each segment needs to be customized for each bank and their processes applicable to that particular segment. Since retail needs to be process driven due to huge volume of transactions, it is recommended to employ a fraud analytics solution to detect anomalies or ‘red flags’ so as to detect any deviations which may not be suitable in the corporate banking environment. For corporate banking adequate due-diligence and close post disbursement monitoring are some measures which can help prevent or detect frauds. Depending on the process, each bank must decide on the control that is appropriate for them to mitigate the risks. By adopting a leading-practice approach to designing and implementing anti-fraud programs and controls, banks can reduce the risk of fraudulent activity.

Survey statistics have revealed that the frequency, volume and the gravity of instances of fraud has gone up over the past few years. Some of the recent fraud incidents in India reported by the media have shown that frauds not only undermine profits, operating efficiencies and reliability of services but can also have a severe impact on an organization’s reputation. In addition to potential fines levied by regulatory bodies, it can have a negative impact on employee morale and investor confidence, which the survey respondents have concurred with. Organizations are slowly realizing that the lack of crackdown in controlling frauds could create a culture of acceptability for this behavior within the organization leading to increased incidents or more sophisticated frauds in the future. By implementing appropriate controls and monitoring mechanisms, management will not only be able to limit frauds, but also set the tone for ethical behavior within the organization.

The challenge for banks however, is to develop a comprehensive Fraud risk management (FRM) framework which will help in preventing, detecting and responding to fraud. This should also include identifying, assessing and categorizing risks faced by the organization proactively and developing appropriate mechanisms to detect and respond to fraud. The key objectives of an effective, business-driven fraud risk management approach should encompass controls that help prevent the occurrence of fraud, detect fraud as and when it occurs and provides for an effective response mechanism to limit the consequences of fraud.

How and what steps do you feel organizations should take to manage incidents of fraud? Do you feel that your organization’s anti-fraud framework is effective? What can be done to enhance your organizations’ capabilities to identify ‘red flags’ proactively? Share your views by contacting us at inforensic@deloitte.com or on Twitter at @deloitteindia.

Back to top

By Jayant Saran (Senior Director), Veena Sharma (Director) and Dhruv Sengar (Executive)

Statutory mandates prompting the need for a whistle blower mechanism
24 April 2015

Is a whistleblowing program a ‘need to have’ or a ‘nice to have’ addition to the plethora of corporate governance and fraud risk management initiates undertaken by organizations?

Prior to the enactment of the Companies Act, 2013, the presence of a whistleblowing program (often as part of the larger corporate governance initiatives) was considered the hallmark of leading companies in India. The Deloitte Forensic whistleblowing survey report 2014, titled Lead by example: Making whistleblowing programs successful in corporate India, indicates that while 90 percent of survey respondents agreed that establishing a whistleblowing system could help reduce fraud, only 68 percent were actually equipped with such a system or policy.

In our experience, only large Indian companies with global operations had whistleblowing programs in place, partly due to the regulatory push from other geographies they were operating in. For instance, for Indian companies operating in the US, the Sarbanes Oxley Act, 2002, requires all companies listed in the US to have a whistle blowing system in place. In the UK, disclosures made in public interest are eligible for statutory protection under the Public Interest Disclosure Act 1998. The policy also covers potential infractions of the requirements in, or made under, the Financial Services and Markets Act 2000(including FSA Rules); the Pensions Act 2004, Proceeds of Crime Act 2002 or Bribery Act 2010.

With the enactment of the new Companies Act, 2013, and the SEBI’s revised corporate governance norms (Clause 49 of the Listing Agreement) for listed entities, organizations are now required to establish a functional whistle blowing mechanism and ensure adequate protection to whistleblowers. Further, the Rules (chapter 12) under the Companies Act, 2013, state that every listed company and the companies belonging to the following class or classes (irrespective of whether the unlisted entity is a public or a private company) shall establish a vigil mechanism for their directors and employees to report their genuine concerns or grievances-

  1. Companies which accept deposits from the public; and
  2. Companies which have borrowed money from banks and public financial institutions in excess of INR 50 crores

In case of subsidiaries of foreign companies in India (unlisted), it is understood that they would be usually governed by the parent company’s regulatory requirements that demand implementation of a whistleblowing mechanism across all subsidiaries.

These efforts have led to greater awareness amongst corporate India about the implications of fraud, non-compliance and misconduct, in the absence of effective fraud risk management practices. It has also resulted in whistleblowing programs being considered a ‘need to have’ initiative, as part of the larger fraud risk management framework.

Does your company have a functional whistleblower program that complies with regulatory requirements and also functions effectively? Let us know by writing to inforensic@deloitte.com or on Twitter @deloitteindia.

Back to top

By Jayant Saran (Senior Director), Veena Sharma (Director) and Tushar Hambir (Deputy Manager)

Extending a whistleblowing program to third parties
20 April 2015

In a perfect world, wrongdoing would not exist; employees would never compromise on ethics for petty gains. However, we do not live in a perfect world. Not a single day goes by when we do not stumble upon news of frauds and scams in the media. It would be safe to assume that for every publicly reported case of unethical practice or fraud, there would be several others that go unreported.

Fortunately, there are some individuals who are concerned when they become aware of any fraud, unlawful activity or wrongdoing occurring at their organizations, and want to report the matter. Apart from employees, these individuals could be external stakeholders consisting of vendors, customers or any business partner. Do such external stakeholders know who to speak to or what to do when they become aware of any fraud or unlawful activities?

According to the Deloitte Forensic report titled Setting up a Whistleblowing Program – 10 FAQs, while many companies have focused on providing a whistleblower reporting system just for employees, issues of significant importance are often highlighted by external stakeholders, such as vendors, suppliers, customers, etc. It is important to encourage external stakeholders to use the system to uncover issues, such as those of collusion and employee led frauds being detected that involve customers and other third parties.

Further, according to the Deloitte Forensic report titled Lead by example: Making whistleblowing programs successful in corporate India, published in 2014, around 84 percent of the respondents to the survey felt that it was essential to extend a company’s whistleblowing hotline to the associated third parties such as vendors and business partners.

It is important to encourage these other stakeholders to use the whistleblowing system to uncover issues such as those involving collusion between employees and third parties. Some examples of such collusion driven frauds include theft of goods, accepting kickbacks and bribes to overlook financial misreporting and/or non-compliance, conflict of interest in key relationships, and confidential data/ IP theft/ leakage.

Establishing a whistleblowing policy that provides a communication channel for third parties to express their concerns about questionable activities can help organizations effectively protect themselves from fraud risks.

Is your organization’s whistleblowing policy open to third parties? What challenges do you face in in doing this? Share your views by writing to inforensic@deloitte.com or on Twitter @deloitteindia.

Back to top

By Jayant Saran (Senior Director) and Ajit Nathaniel (Deputy Manager)

Cryptocurrencies use gaining momentum in India, but do we understand the associated fraud risks?

16 April, 2015

The Deloitte India Fraud Survey report, released in 2014, highlighted the indifference of most survey respondents to virtual currencies and cryptocurrencies such as bitcoin. However, the 16 per cent of respondents who believed that cryptocurrencies would gain traction in India may have the last laugh yet – since our report’s release, bitcoin particularly, is making quiet progress towards wider acceptance in India.

Recent reports suggest that at least one online retailer in the country currently accepts bitcoins, while a number of Indian entrepreneurs have established trading platforms and online wallets that support transactions in the cryptocurrency. Information on a popular website used for organizing group activities suggests that hundreds of bitcoin enthusiasts have formed active communities in several Indian cities. There is also a rise in the number of public events aimed at raising awareness on the cryptocurrency. For instance, the website of the Bitcoin Foundation, a US-based non-profit organization with a declared goal of “standardizing, protecting, and promoting,”bitcoin, even lists an Indian entity with similar goals.

Considering that India doesn’t yet have businesses that openly transact in bitcoin, it is apparent that most bitcoins held by Indian residents are viewed as a speculative investment rather than a means of value transfer. Nevertheless, the recent expansion in this industry underscores the importance of positioning for cryptocurrencies, from both a policy and a strategic perspective.

Regulatory authorities in India have demonstrated a penchant for retrospective action in the recent past - this should caution individuals and businesses against substantial exposure to virtual currencies until regulations pertaining to these are formulated. Preliminary reactions from the authorities have largely been cautionary in nature – warning users of potential violations of foreign exchange and anti-money laundering laws. Such advisories suggest that initial regulations on virtual currencies are likely to severely restrict or even prohibit their use. It appears that early market entrants such as Unocoin and Zebpay are proactively implementing Know Your Customer (“KYC”) measures similar to those used by banks – perhaps in a bid to mitigate the consequences that may ensue from regulatory restrictions.

Policy and regulatory issues aside, any business considering support for Bitcoins has several operational issues to contend with. Security is the most pressing of these, as bitcoins have been lost when the media they were stored on developed defects and became inaccessible. Theft has been an issue too, and has been cited by news sources such as Reuters as a key factor in the collapse of a major Asia-based trading platform in early 2014.

From a market perspective, the current volatility in Bitcoin prices poses a substantial exchange-rate risk.  Mitigating this will require a robust mark-to-market mechanism, an appropriate hedging strategy, and an asset ratio model that rapidly converts a portion of Bitcoin holdings to more stable assets. Transfer methods are a key consideration too – though there are several systems to store and transfer Bitcoins, wider acceptance will require a unifying platform that will allow people using the dozens of existing repositories to securely make payments.

In conclusion, though substantial challenges still exist, early adopters of Bitcoins could well take heart from Mahatma Gandhi’s words: “first they ignore you, then they laugh at you, then they fight you, then you win.”

Have you considered adopting bitcoins or other virtual currency as part of your corporate strategy? Do you think the risks from adopting virtual currencies may outweigh the benefits? Share your views by writing to inforensic@deloitte.com or on Twitter @deloitteindia.

Back to top

By Jayant Saran (Senior Director), Veena Sharma (Director) and Dipti Sahasrabuddhe (Deputy Manager)

Should anonymous disclosures be allowed via whistleblowing channels?
13 April 2015

About five years ago, one of the U.S. universities undertook a survey to study the perceived effects of anonymous whistleblowing, in light of the then recent amendment to the Sarbanes Oxley Act of 2002. The survey outcome indicated that the majority of audit committee members appeared less likely to take action on anonymous tips, than on non-anonymous ones and in some cases, they were motivated to ignore anonymous whistle-blowers because, if their claims were proved right, it could indicate that the committee failed to oversee the company’s activities satisfactorily.

Further, the report also noted that the primary reason for not prioritizing anonymous disclosures was the perceived difficulty in investigating such concerns reported, as more often than not, there are gaps in disclosures made and due to inability in contacting the whistleblower, as identity is unknown to gather additional information. It is for this similar reason that several Indian companies and the regulations in India also do not encourage whistleblowers to report anonymously. However, our experience indicates otherwise.

Anonymity can be a powerful tool in ensuring the success of a whistleblower mechanism. According to the Deloitte Forensic report on Setting up a Whistleblowing Program – 10 FAQs, allowing anonymity can help build confidence among users to report concerns. However, to ensure that frivolous or irrelevant issues are not reported via the whistleblowing channels, companies can encourage and insist users to provide specific and credible information that supports the complaint, such as – alleged perpetrator’s, location and type of incident, names of other personnel aware of the issue, specific evidences, amounts involved, etc.

A policy that reiterates the responsibilities of a whistleblower opting to report anonymously; in terms of providing specific and credible information related to concerns being reported can help improve the effectiveness of anonymous disclosures.

Does your organization allow whistleblowers to report anonymously? Why or why not? Let us know by writing to inforensic@deloitte.com or on Twitter@deloitteindia.

Back to top

By Jayant Saran (Senior Director), Veena Sharma (Director) and Devaki Naik (Executive)

What concerns should one report via a whistleblower helpline?
08 April 2015

“I work till late on most days while my colleague clocks in fewer hours. Yet he was promoted this year because my boss favored him over me. I feel demotivated.”
“My manager talks to me very rudely and does not explain my scope of work. He publicly derides me and this has impacted my self-esteem.”
“A colleague takes an entire carton of 30 tea bags from the vending machine area for his consumption and keeps it in his office drawer. I think this leads to shortage of tea bags by the end of the month, depriving others of tea.”

These are some examples of disclosures reported via whistleblowing channels in India. These issues may appear to be different from what the whistleblower channel was intended for. Concerns such as displeasure over compensation, incompatibility with co-workers, and dissatisfaction with nature of work or violation of smoking/alcohol policies are generally treated by companies as Human Resource (HR) issues and ideally NOT to be reported through whistleblowing channels. These concerns can be directly reported to the Senior Management or the Human Resources Team. The prevalence of such complaints indicates a possible lack of clarity amongst employees on what kind of issues can be reported via whistleblowing channels.

It is generally thought that whistleblower channels ideally ought to be used only for reporting those actions (or suspected actions) which may result in economic loss or damage to the reputation of the organization. The Deloitte Forensic report on Setting up a Whistleblowing Program – 10 FAQs, provides an illustrative list of concerns that can be reported via whistleblowing channels. Additionally, the Deloitte India Fraud Survey report, released in 2014, also highlights 11 specific fraud risks that can be reported using a whistleblowing channel.

Depending on the size and nature of business operations, an organization's communication and awareness program can build examples of wrongdoings that ought to be reported through whistleblowing channels. In addition, it is important to have resources trained to probe effectively to ensure that the underlying issue is not more complex that what is being reported.

What kind of concerns does your organization receive through whistleblowing channels? Share your views by writing to inforensic@deloitte.com or on Twitter @deloitteindia.

Back to top

By Rohit Mahajan (Senior Director), Veena Sharma (Director) and Amrutha Yeshwanth (Assistant Manager)

Does your fraud control policy really work?

2 April, 2015

When we meet people in a business context, we often ask them two questions – Do you have a fraud control policy? And how effective do you think it is? The answer to the first question gets a resounding ‘Yes’, whereas people usually hesitate to respond to the second question and end with “Not sure”.

In our experience, this situation can largely be attributed to the fact that most companies do not have a specific fraud control policy, but tend to leverage their existing policies instead, such as code of conduct/ ethics. As a result, there can be limited clarity on the protocols to use once a fraud occurs.

According to the recent Deloitte-BCCI whitepaper titled De-mystifying Fraud Risk Management, companies tend to deal with frauds on a case-to-case basis. It is imperative for Boards and senior management, therefore, to reach beyond the line of sight of existing policies and set up a dedicated fraud control policy.  

An effective fraud control policy is essential in ensuring that incidents of fraud do not fan into flames. Typically, a fraud control policy contains:

1.     An explicit definition of fraud and what actions, conduct or behavior constitutes fraud

2.     Identifies designated personnel responsible for the overall management of fraud incidents, within and outside the company (including managing the media, regulatory bodies and law enforcement agencies)

3.     Formal procedures that employees should follow, in case of suspected or known fraud

4.     Encouragement to employees to report concerns about unethical behavior, actual or suspected fraud or violation of the company’s code of business conduct and ethics policy

5.     A commitment that appropriate measures to deter fraud will be taken, and that instances of suspected or known fraud would be investigated, with suitable action taken against perpetrators

6.     A commitment that efforts will be made by the company to recover funds/ assets gained wrongfully by the fraudster and other involved parties.

So, does your organization have a fraud control policy? How effective do you think it is, now that you may be better aware of it? Share your views by writing to inforensic@deloitte.com or on Twitter @deloitteindia.

Back to top

By Rohit Mahajan (Senior Director), Veena Sharma (Director) and Anshuk Megharikh (Assistant Manager)

Dealing with Fraud in a Proactive Manner
26 March 2015

"Being proactive also is being reactive… but only ahead of time". Everyone is aware that the costs of investigation and losses arising due to fraud can be very expensive for organisations. In order to be one step ahead of the fraudster, organisations need to develop a robust fraud risk management (FRM) program to prevent, detect and investigate frauds.

According to a recent Deloitte-BCCI whitepaper titled De-mystifying fraud risk management,  the very first pillar of an effective FRM program is a comprehensive fraud risk assessment to identify pain points and emerging fraud risks. A major part of this assessment involves employees, who are most closely associated with the day-to-day operations of an organisation and are in the best position to identify potential fraud risks. Based on employee feedback and evaluation of business processes from the point of view of detecting fraud, an assessment can provide a Risk Rating that gives an indication of the robustness of the processes. For a preliminary self-assessment of your organization’s preparedness to tackle fraud, undertake your assessment here.

The second aspect to consider is the use of analytics. In the age of Big Data, forensic data analytics can serve as an extremely powerful tool in detecting fraud. It can be used to efficiently analyse daily transactions, financials, projections and employee and vendor records to identify unusual patterns and red flags that point towards fraudulent activity.

Finally, it is equally important to have comprehensive protocols established for investigations and relevant disciplinary actions put in place in order to respond to fraud incidents. An organisation must have designated personnel to coordinate an investigation and take any resultant disciplinary action against the employees involved.

Does your organisation have an effective FRM program in place? Are instances of fraud dealt with promptly by your organisation? Share your views by writing to us at inforensic@deloitte.com or on Twitter by following @deloitteindia.

Back to top

By Rohit Mahajan (Senior Director), and Rini Roy (Senior Executive)

Who is responsible for tackling fraud?
23 March 2015

The Deloitte India Fraud Survey 2014, findings indicated that organizations believed anti-fraud programs were the responsibility of one designated function alone, such as internal audit or compliance.  In reality, this is unlikely given the scope of activities managed as part of fraud risk management.

The Companies Act 2013 places oversight responsibility for fraud risk management on the Board and senior management.  Therefore, the Board needs to drive effective fraud risk management by encouraging the creation of an inter-departmental team of key representatives to address fraud risks on an ongoing basis, which should be periodically updated to the Board.

The inter-departmental team's responsibility would be to develop for the organization – the necessary design for fraud risk management program, the assessment of business and cultural risks across various businesses and geographies, develop fraud awareness training and communication strategies, build comprehensive databases for performing fraud risk assessment, evaluate the use for forensic data analytics and participate in critical investigations. These activities would be performed on an ongoing basis based on the fraud risks assessed and identified for the organization.

Our recently launched whitepaper on De-mystifying -fraud risk management outlines some of the aspects that the Board needs to ensure that the team does not face the following challenges that can impede its effectiveness:

  • Lack of clearly defined roles and responsibilities for each team member
  • Deficiency in knowledge sharing amongst team members
  • Lack of regular training for team members on specific risks, such as those arising from new technologies or business models

Does your organization have an inter-departmental team managing the fraud risks? What has your experience been with them? Share your views by writing to us at inforensic@deloitte.com or on Twitter by following @deloitteindia.

Back to top

By Rohit Mahajan (Senior Director), Veena Sharma (Director) and Akshay Kejriwal (Assistant Manager)

Board's Oversight on Ethical Business Conduct
19 March 2015

More often than not, an organization’s culture and ethics is only as good as its leaders. To create an organizational culture that promotes ethical business conduct, the members of the Board/ Audit Committee need to know whether the leaders of the organization really serve as role models for others.

For example, leaders may not be setting a strong or consistent "tone at the top" about acceptable and unacceptable behaviours. Or perhaps there isn’t enough attention paid to gaining 'buy-in' from the lines of businesses for new policies or processes. Or staff training and awareness efforts may be lacking. The effectiveness of processes to prevent and detect fraud or unethical behaviour depends on its execution, i.e., on individuals doing the right thing at the right time. Nurturing the right culture enables and drives these appropriate behaviors. In this context, the oversight role that the Board/ Audit Committee need to play is to ask the leaders to demonstrate, as to what is being done to establish and sustain an ethical culture within the organization, apart from just creating a written code of business conduct/ ethics policy.

As outlined in the recently released Deloitte-BCCI whitepaper on De-mystifying Fraud Risk Management, ethical audits can be initiated to monitor compliance with the code of conduct and ethics policy. Ethical audits can help identify:

  • Areas where the employee is not getting adequate training about the code of conduct.
  • Areas where senior management is overlooking suspected/ actual ethical breaches as a result of performance/ result pressures.
  • Any disconnect between the Board/ senior leadership’s stand on ethics, and the practices at various employee levels.

Some ways to identify areas for improvement may include, conducting employee ethics and fraud awareness surveys or ethical dilemma workshops to assess attitudes, awareness and willingness to comply with the code and report any violation of the company’s code, apart from identifying emerging issues.

What are the methods your organization uses to assess ethical behavior? How often do you carry out such assessment? Share your views by writing to inforensic@deloitte.com or on Twitter @deloitteindia.

 

Back to top

By Jayant Saran (Senior Director) and Ajit Nathaniel (Deputy Manager)

Busting myths on whistleblowing programs
16 March 2015

Corporate scandals ruin companies, careers and long-treasured reputations. Affected companies face substantial problems in recovering, as they fail to attract and retain investors, talented employees, and clients. In most instances, it is not the company that is at fault - but one or more individuals - whose actions have a catastrophic impact on the organization and its stakeholders.

"The only thing needed for the triumph of evil, is for the good men to do nothing." - Edmund Burke

We often see situations where employees are unable to raise a flag on unethical or illegal activity in the absence of proper reporting channels.  Nearly 90 per cent of respondents to Deloitte Whistleblowing survey 2014 believed that a whistleblowing mechanism could reduce fraud and drive better governance - yet only 68 per cent of survey participants acknowledged that they had such a system in place. In the course of business, we encounter a number of common justifications from companies that lack a whistleblowing mechanism. These justifications do not hold up to scrutiny.

Senior executives in smaller companies tend to think that in their "everybody knows everybody" environment, fraud and malpractices are impossible, perhaps because the camaraderie within smaller teams keeps employees on the straight and narrow. Nothing could be further from the truth, as we have found that fraudsters often leverage personal connections and acquaintances in furthering their aims. Reflections such as "He never seemed like the type" or "Not in a hundred years would I ever think her capable of this", sadly, ring all too familiar.

"Facts do not cease to exist because they are ignored" – Aldous Huxley

Some managers opine that having a Whistleblower Policy is sufficient for regulatory compliance. While they may be right, having a policy in place merely for regulatory reasons defeats the spirit of such measures. After all, all such regulations are designed to protect companies, employees and shareholders from fraud.

Another common opinion is that a whistleblowing mechanism is unnecessary because employees are "empowered" to report suspicions to the management. This may be true, after all, a number of new-economy companies, especially in the internet and technology sectors have a flat corporate structure and a "no walls" philosophy. However, if the whistleblower's suspicions pertain to senior management personnel, the problems here are obvious. Additionally, what if these concerns occur to an external vendor or client? No matter how "open" a company's culture is, most whistleblowers will report wrongdoing only if they're absolutely certain that the complaint will be kept confidential and that they will be protected from retribution.

Executives at small and mid-size companies mistakenly believe that the cost of setting up a whistleblowing program is high. In engaging the services of an external specialist, smaller organizations can have a comprehensive and robust whistleblower program at the fraction of the cost of an in-house solution. Such solutions come with the added benefit of information barriers that further protect whistleblowers.

Do you have other reasons for not embracing a strong whistleblower policy? Tell us by writing to inforensic@deloitte.com or on Twitter @deloitteindia.

Back to top

By Jayant Saran (Senior Director) and Ajit Nathaniel (Deputy Manager)

BYOD Risks – How do you manage them?
12 March 2015

With the explosion in smartphone adoption since 2008, the number of manufacturers has ballooned, as has the choice of devices available. With the rising use of email and data services “on the go”, companies have been under pressure to permit users to employ devices of their choice. This principle, termed “Bring your Own Device”, or BYOD, comes with inherent risks.

While certain smartphones are manufactured with data security and enterprise systems in mind, it is not so with the majority of devices targeted at cost-conscious consumers. Phones running a popular open-source operating system, for instance, come from a variety of manufacturers. While some take due care to ensure that global safety standards are met, many phones permit users to install modified versions of the operating system firmware (“ROMs”). Some of these ROMs, designed by amateur programmers, may even contain malware or other security vulnerabilities. Even high-end devices come with risks – as evident from a recent incident involving the cloud storage system of a major smartphone manufacturer.

Additionally, most Smartphones require users to create an account that allows them to access various services. Receiving company email on a device that has a personal email account configured on it creates the possibility of intentionally or accidentally transmitting confidential data to unauthorized parties. A big question is the physical vulnerability of a phone itself - what are the steps that the company can take to prevent a leak of information from a lost or stolen phone?

Deloitte’s 2014 Fraud Survey suggests that Corporate India could do more to mitigate risks arising from technology systems. Telecommunications systems are crucial to business today, and demand proactive security policies capable of withstanding disruptive market events. Apart from an approval matrix for enabling access to company data from personal phones, a BYOD policy must list “approved devices” based on feedback from security specialists. Additionally, the use of enterprise-grade tools and procedures to minimize the risk from lost or stolen devices is essential.

So, do you allow your employees to BYOD? If so, how do you manage the associated risks? Share your views at inforensic@deloitte.com or on Twitter @deloitteindia.

Back to top

By Sumit Makhija (Senior Director, Deloitte Forensic) and Rohit Goel (Director, Deloitte Forensic)

Anti-bribery and corruption compliance should necessarily involve and focus on the employee
05 March 2015

One of the fundamental principles of compliance is the requirement to follow it in entirety – a partial/ semi state has no legal standing. In order to achieve the desired state of compliance, organizations require all their employees to behave ethically. This state of perfect compliance can only be achieved by the management once employees take it upon themselves as their responsibility, which can prove to be challenging at times.

Our experience as well as the responses received in a recently launched Deloitte India survey on Public Perceptions of Anti-bribery and Corruption Compliance Efforts demonstrate that employees face certain challenges towards compliance with anti-bribery regulations:

  • Lack of senior management commitment and support towards compliance can demotivate people to be compliant.
  • An aggressive business mindset and unrealistic performance targets imposed by the senior management can create immense pressure on employees pushing them to indulge in unethical behavior.
  • Compliance generally tends to be centered around a handful of people at the senior management level with an employee’s involvement at a minimum. This can result into a lack of accountability on employees since they fail to take ownership.
  • A ‘one size fits all' approach taken by organizations at times can make it difficult for employees to implement the policies and procedures e.g. implementing policies not practical to the business and the environment i.e. no gift policy, general code of conduct not in line with the organizational  values etc.

Compliance is a matter of self-discipline based on our personal values and ethics, ultimately determining how we behave in our personal lives and/ or take business decisions. In a corporate context, employees play a central role in implementing compliance effectively, provided we are able to stick to what is right rather than what is termed as being ‘beneficial’. Our experience has shown that the following steps can be taken by employees for compliance to be effective in the long run:

  • Employees need to assume responsibility and accountability for compliance in the organization and participate in building an ethical culture at an organization. E.g. employees should lead by example in difficult situations, popularize the importance of ethics both in their personal and professional lives, give priority to compliance over the business, appreciate the ethical behavior within their teams etc.    
  • Employees should take an active role in drafting anti-bribery policies and procedures which are easy and practical to implement.
  • An employee should be committed to propagating a ‘zero tolerance towards bribery’ irrespective of the cost involved. Employees should obtain guidance from the senior management or legal counsel when confronted with difficult situations during business transactions. 
  • The employee should be in a position to challenge the senior management if they believe that any behavior or action is not in line with the organizational philosophy of a corruption free environment. In turn, the senior management should create an appropriate environment that facilitates a transparent and open dialogue.

How and what steps do you feel should be taken to make employees feel more involved as well as to imbibe a culture of compliance? Share your views by contacting us at inforensic@deloitte.com or on Twitter at @deloitteindia.

 

Back to top

By Sumit Makhija (Senior Director, Deloitte Forensic) and Rohit Goel (Director, Deloitte Forensic)

A stringent regulatory environment creates the impetus towards eradicating bribery and corruption
27 February 2015

Globally regulators have become active in implementing and enforcing anti-corruption legislations to curb unethical behavior. Most countries now have their own anti-corruption focused laws/ statutes. India has a stringent legislation in the form of the Prevention of Corruption Act, 1988 that prevents corruption by public servants. Additionally, the Prevention of Bribery of Foreign Public Officials and Officials of Public International Organizations Bill, 2011 prohibits giving bribes by an Indian person or entity to foreign public officials, entailing imprisonment of up to seven years, among other penal provisions.

On the global front, the US Foreign Corrupt Practices Act, 1977 (FCPA) and the UK Bribery Act, 2010 are extremely unforgiving. FCPA prohibits US companies, companies listed on the US Stock Exchanges and US citizens from obtaining business or an unfair business advantage by bribing foreign officials; requiring companies to maintain accurate books and records as well as a system of internal controls designed to identify suspect payments.

The UK Bribery Act applies to UK companies as well as companies that conduct business in the UK and British citizens and persons residing in the UK, penalizing bribery and corruption offences committed both in the UK and abroad. One of the highlights of the Act is the introduction of an offence of failing to prevent bribery (including bribery by an associated person of the company). The only defense available to companies in this case, is to demonstrate that they had/ have ‘adequate procedures’ in place to prevent bribery.

Keeping these in mind, a fair amount of corporates have put together their internal compliance standards based on guidance provided by these anti-corruption legislations e.g. proportionate procedures, commitment to prevent bribery, regular and comprehensive risk assessments, adequate due diligence on third parties, effective communication of anti-bribery policies and strict monitoring.

However, many organizations believe that corruption is the cost of doing business and impossible to eradicate, particularly so in India. Though, sentiments have begun to change in the recent past with compliance having increasingly become a priority within the Board room as well as with employees. This also resonates in our survey on Public Perceptions of Anti-bribery and Corruption Compliance Efforts, where 71 percent of the respondents felt that organizations can eradicate bribery and corruption from their business.

Stricter enforcement by regulators under the PCA and increased awareness among the Indian corporate community in turn has raised the levels of compliance in the recent past. However, a vacuum still exists particularly in developing economies like India where organizations need to understand that compliance is an investment encouraging long term sustainability for the business rather than a mere ‘tick-in-the-box’ to fulfill regulatory obligations.

It is important for the senior management to lead by strongly reinforcing compliance as their top priority and propagating zero tolerance towards any form of unethical behavior. They should also clearly articulate the precedence of compliance over business with serious action being taken by organizations against unethical behavior. It is also essential for the management to provoke discussions in order to reiterate compliance as a value add to the business rather than a hindrance, which is generally the perception.

Compliance with anti-bribery legislations is key not only from a regulatory perspective but also, in order to grow the business e.g. investors favor businesses which are compliant, employees would rather work with ethical companies, customers and vendors prefer to associate with honest organizations etc.

As a first step therefore, anti-bribery and corruption compliance programs should necessarily involve employees in entirety so as to help them imbibe compliance in totality and in spirit. The senior management should make each and every employee responsible for compliance and inspire employees to take onus. What do you feel are the necessary steps in order to do so? Share your views by contacting us at inforensic@deloitte.com or on Twitter at @deloitteindia.

Back to top

Jayant Saran (Senior Director) and Sebastian Edassery (Director)

Leveraging technology to detect fraud
23 February 2015

The recent Deloitte India fraud survey report revealed an interesting statistic – Although IT controls/ data analytics was recognized as a key channel to detect and prevent fraud, the majority of companies seemed to have limited success in this area. In our experience, one of the reasons for this can be attributed to misalignment between IT controls and fraud risk management processes.

While companies are spending significant amount of time and resources in deploying IT systems, the real spend on associated fraud controls is relatively less. Companies generally believe that having an IT system would help in stopping fraud, however the ground reality is that IT systems can enable easier discovery of fraud, and therefore act as a preventive mechanism over time. Frauds are caused by humans and can still be perpetrated by bypassing IT controls. However, the right mechanism can point the company in the right direction to detect the fraud. For example, in case of splitting of invoices to stay below approval thresholds may not get prevented by an IT system, however an analysis of the information on the system can help you detect this.

Some of the following practical tips can help companies align existing IT controls with fraud risk management processes.

  1. Routine analysis of the audit trail of activities – Logs can be collected and maintained, primarily from a fraud risk management perspective rather than from a system diagnostic or troubleshooting perspective (as is the normal scenario). A multidisciplinary team with representatives from legal and compliance teams can work together to develop a robust log maintenance policy. Subsequently, analytics tools can be used to assess the data in these logs to identify unusual patterns and red flags.
  2. Generation of Automated notifications – Critical applications and monitoring tools can be configured to send automated notifications if triggered by an incident, such as a control override. The notification can be sent to individuals responsible for fraud risk management thereby minimizing delay in response time.
  3. Audio Visual monitoring – This involves video recording the premises and eventually integrating the video feed with ERP data to cross check details pertaining to transactions. Globally, it is believed that audio visual monitoring can improve the ‘perception of detection’ and make people cautious of their behavior. Real time analysis of such feed can help quicken the response time to mitigate fraud.
  4. Data Leakage Prevention (DLP) Software: Typically DLP software run on key word based routines, filtering out transactions containing specific keywords that could be indicative of potential fraud or red flags. However, these keywords are often left unchanged for several months and fraudsters eventually find a way to beat the system – such as encrypting messages to avoid well-known keywords, splitting the messages into smaller sizes so it will escape scrutiny etc. Companies need to periodically review and modify their DLP software settings to ensure that the system remains an effective safeguard against fraud/ intellectual property theft.

    The other challenge faced by companies is that while DLP systems continue to isolate documents and items, the sheer volume of messages and documents isolated could make reviewing these a daunting task.
  5. IT security for devices – With many companies allowing employees to use their own device (laptop/ smart phone/ tablet etc.) to work, it is important to leverage security tools like Bitlocker Encryption to ensure that data is protected in the event of theft of loss of the device.
  6. Remote monitoring - Remote connectivity is provided as a service to help employees access the network from outside the office premises. However, using digital forensic tools once can remotely monitor devices and systems for suspicious activities, without the knowledge of the user. This protects the user from potential hacking threats, as well as ensures that he/she cannot override controls to indulge in suspicious behavior.

Leading global organizations are also using Data Analytics methodologies to proactively gather and mine relevant data for patterns, discrepancies, and anomalies. The findings are then translated into insights that can allow a company to manage potential threats in real time as well as develop a proactive fraud detection environment.

How does your organization use IT controls / data analytics? Have you detected or prevented fraud using data analytics? Share your views by contacting us at inforensic@deloitte.com or on Twitter at @deloitteindia.

Back to top

Sumit Makhija, Senior Director, Deloitte Forensic (India) and Rohit Goel, Director, Deloitte Forensic (India)

Leveraging personal ethics to build a corruption-free organizational culture
16 February 2015

Personal ethics are the values, beliefs, and perspectives developed by individuals based on their upbringing, education and experiences. Personal ethics play a significant role while taking decisions in personal as well as professional life.

Personal ethics of employees has a direct correlation to the anti-bribery culture and values in their organizations. Employees with relatively low personal ethics can comprise their behavior when confronted with challenging situations, such as bribery and corruption, thereby negatively impacting the organization's culture. Whereas, employees with strong personal ethical standards tend to deal better with ethical dilemmas, such as situations involving bribery and corruption, and, in that process reinforce ethical behavior in the organization.

According to the Deloitte India survey on Public Perceptions of Anti-bribery and Corruption Compliance Efforts, around 80 percent of respondents indicated that they would refuse to pay a bribe since it was against their personal ethics. It can be inferred that organizations with such employees would have a lower threshold / zero tolerance towards bribery and corruption. Around 71 percent of survey respondents believed that bribery could be eradicated from business if employees and senior management follow ethical principles and demonstrate an anti-bribery culture.

Senior management therefore needs to leverage professionals with strong personal ethics to ensure that the tone set at the top (pertaining to zero tolerance) is cascaded to all levels of employees. In our experience, the following tips can help senior management to communicate ethical behavior to employees:

  • Institutionalizing a robust induction program for new joinees with a separate section on the organization’s ethics and values, and expected behaviors from the employee
  • Clear and periodic communication by senior management about zero tolerance to unethical behavior in all circumstances. Eg: The organization can afford non-performance but not non-compliance.
  • Make available dedicated training programs on anti-bribery compliance mechanisms such as whistleblower hotline, policies, anti-bribery controls, protections etc. to empower employees to act ethically
  • Senior management members should  recognize and appreciate ethical behavior demonstrated by employees and include these parameters as part of the performance evaluation system
  • Rigorous monitoring of business transactions to identify indicators of non-compliance
  • Stringent actions against unethical behavior to demonstrate zero tolerance such as. initiating criminal and civil cases against malpractice, heavy financial penalties, blacklisting etc.)

Ethics need to be reinforced periodically within organizations to foster a zero tolerance culture. What are the practices your organization uses to do this? Share your views by contacting us at inforensic@deloitte.com or on Twitter at @deloitteindia.

 

Back to top

By Nikhil Bedi (Senior Director) and Avanti Bhati (Senior Manager)

What kind of due diligence do you carry out?
10 February 2015

India has witnessed a number of frauds in the last two years, where investors have lost money, by not employing adequate due diligence checks and fraud risk mitigation practices in their investee companies. This has put the spotlight on the need for proactive due diligence while evaluating business relationships.

Traditionally, due diligence has been primarily utilized at the pre-investment stage by investors to help understand the integrity, reputation, authenticity, financial history, business practices as well as track record of the company/ counter-party they wish to transact with. It has also helped companies assess the various risks and identify political affiliations and credit history of their prospective business partners, particularly in cases where US/ Europe and other overseas-based companies may wish to set up offices in developing economies.

However, today with heightened sensitization to fraud risks, multinationals, domestic companies, financial institutions and banks, in addition to investors, are using due diligence practices in different ways to safeguard themselves from fraud. In our experience, some of the key areas where due diligence can protect investor interests include:

  1. Recruitment of C-Suite executives – According to the Deloitte India Fraud Survey report, senior management is perceived to be most likely to commit fraud. To mitigate this risk, companies are undertaking due diligence checks to understand the track record and reputation of the individual and ascertain the credentials and veracity of claims made by him/her. We are also seeing a rise in due diligence practices employed for screening independent directors prior to their appointment.
  2. Handling whistleblowing allegations – Due diligence techniques can be used to independently ascertain the allegations made through whistleblower tips/ reports.
  3. Litigation support – Due Diligence methodologies are undertaken to obtain information that can strengthen a law firm’s ongoing case and can also help to provide direction to the overall litigation strategy.
  4. Ascertaining bankruptcy and money laundering risks – Due diligence techniques can help identify red flags such as political affiliations, complex ownership patterns involving the family of the promoters, track record of past businesses set up the promoter, civil and criminal litigation, and trade sanctions on the company.
  5. Compliance with health and safety standards (at the workplace and for products manufactured) – Violations of health and safety standards can result in significant penalties by regulatory authorities. Due diligence practices can be used to gather information on any malpractice/ noncompliance at a site level.
  6. Counterparty Due Diligence – Ensuring counter-party compliance with regulatory provisions has remained a key challenge for Indian companies, particularly in the area of bribery and corruption. Conducting appropriate due diligence can help companies select the right business partners and create a sustainable and compliant counter-party ecosystem. Some of the checks that are typically being undertaken include checks on background information, ultimate beneficial ownership and affiliates, political affiliations, adverse media coverage, past litigation history, regulatory screening, credit history and financial position screening.

Does your organization use due diligence techniques in fraud risk management? Across what functions/ areas do you use due diligence? Share your views by reaching out to us at inforensic@deloitte.com or on Twitter at @deloitteindia.

Back to top

K.V. Karthik (Senior Director) and Anshuk Megharikh (Assistant Manager)

What role can non-financial businesses and professionals play in fighting money laundering?
02 February 2015

While the top business leaders of the world meet at Davos-Klosters this week to discuss the future of business and economy, very few may discuss Bangladesh’s stunning story in the fight against illicit trade and black money over the past few years.

Bangladesh has historically suffered from red-tape and corruption (it is estimated that the country has lost up to 3% of its annual GDP to corruption). However, with renewed focus on growth and development, the country decided to take simple measures such as digitisation of payment systems, cross-border cooperation for asset recovery and implementation of advice on anti-money laundering laws from resident World Bank advisors to fight black money and illicit trade. As a result, in a span of five years, Bangladesh was able to double its foreign direct investment (FDI) to $14.2billion, making it the seventh largest nation recipient of FDI. Additionally, simple improvements to the banking system have helped it treble its reserves from $6.5billion to $22billion. Correspondingly, there has been a reduction in poverty and the average life expectancy has risen to 70 years (4 years higher than any of its neighbouring countries).

What is remarkable in the Bangladesh story is that ordinary citizens and non-finance professionals played an active role in fighting black money – which is an aspect which a large country like India can learn from. The biggest challenge for India is the sheer volume of cash transactions in the economy. Further to the Mutual Evaluation of India by the FATF, India has made significant progress especially related to Designated Non-Financial Businesses and Professions (DNFBPs). The Prevention of Money Laundering Act (PMLA) has been amended to include real estate firms, casino’s and cash driven businesses including dealers in precious metals and stones. Hopefully with the inclusion of these DNFBPs under the ambit of PMLA, it is expected that transactions in these cash intensive sectors will be monitored and reported as they will be required to undertake:

  1. Customer identification and reporting of cash transactions
  2. Identifying suspicious activities and reporting red flags such as
  • customers insisting on anonymity or confidentiality
  • customer activities inconsistent with his/her declared business
  • clients making payments through different modes/channels or splitting payments to keep them below the reporting threshold
  • clients insisting on a complex structure for the transaction or payments

These measures, along with the Prime Minister’s Jan-Dhan Yojana, and the overall scrutiny on black money, should provide a significant fillip to India’s fight against money laundering.

Are you a reporting entity under PMLA? Do you need guidance on setting up or enhancing your AML framework? Reach out to us at inforensic@deloitte.com or follow us on Twitter @deloitteindia.

Back to top

Rohit Mahajan, Senior Director and Head, Deloitte Forensic (India) and Veena Sharma, Director, Deloitte Forensic (India)

Companies Act 2013 – Crafting a proactive fraud risk management strategy for compliance
27 January 2015

The Companies Act, 2013, is perceived as an important legislation that can help reduce fraud in the future. While corporate India has recognized certain provisions under the Act as effective deterrents to fraud, the overall approach to fraud risk management remains reactive.

Most companies tend to believe that if they haven’t had any major compliance problems in the past, why change their approach now?

The Deloitte India Fraud Survey highlights the changing fraud landscape and the associated risks it poses to companies who rely on dated controls for fraud mitigation and regulatory compliance. The fast pace of change, requires a proactive approach to dealing with fraud and compliance risks. Companies that are aware of the importance of ‘getting compliance right’, draw from cross-industry leading practices. They understand better how to use the right mix of internal and external resources to accomplish this.

The following leading practices can be considered to develop a proactive approach towards fraud risk mitigation.

The leading practice is to have an aligned and integrated approach to fraud risk management. Creating a fraud risk management committee comprising of risk and compliance professionals from different departments is a good start. Such a committee can draft a formal fraud control policy, as well as the associated roles and responsibilities for its members and senior management. Specifically, this committee can:

  1. Conduct periodic fraud risk assessment, including anti-corruption compliance assessment – An annual fraud risk assessment, covering all business units and functions of the company is a good practice followed by leading organizations. Further, greater scrutiny of functions with a susceptibility to bribery and corruption can be undertaken more frequently.
  2. Establish an effective whistleblowing mechanism – Organizations must aim to create a mechanism that is independent, transparent, maintains anonymity/ confidentiality of the whistleblower and provides him/her protection. Leading companies extend such a mechanism to third parties and business partners also to facilitate reporting actual or suspected fraud, unethical behavior or violation of the code of business conduct. Regular review of whistleblower complaints and their manner of resolution (an effective investigation process) can help identify fraud in its nascent stages.
  3. Manage an anti-fraud policy and associated sensitization initiatives – The code of conduct must be periodically updated to align with changing regulations and business dynamics. In parallel, employees across all levels must be trained to handle ethical dilemmas or potential fraud scenarios. The senior management must commit to set the right tone at the top and communicate zero tolerance to fraud.

What practices does your organization have to proactively manage fraud? Share your tips on with us at inforensic@deloitte.com or on Twitter @deloitteindia.

 

Back to top

Sumit Makhija, Senior Director, Deloitte Forensic (India) and Anshuk Megharikh, Assistant Manager, Deloitte Forensic (India)

Bribery and Corruption – The risk of Doing Business with Third Parties
06 January 2015

In 2014, the United States Department of Justice and Securities & Exchange Commission levied fines totalling almost $1.5 billion against ten companies for violating the Foreign Corrupt Practices, including violations by third parties of countries outside of the US as well. The sheer size of these fines and the global reach of enforcement authorities highlight the need to have robust anti-bribery and corruption (ABC) controls within organizations.

A majority of respondents to the Deloitte India Fraud Survey have indicated that their organizations are considering implementing a formal code of conduct and ethics policy with sections dedicated to ABC controls and trainings. These respondents also indicated that the greatest risk of bribery and corruption emanated from third parties. However, very few organizations appear to be investing in implementing ABC controls that also cover third parties. In our experience, one of the reasons for this could be the belief that addressing corruption by third parties, acting on behalf of the company, do not warrant specific policies and that internal controls applicable to employees were adequate to cover third parties also. Further, Indian companies also tend to believe that they have exempted themselves from the risk of bribery and corruption by transferring governmental interactions to agents/ third parties. Unfortunately, this is not the case, given that ABC legislations do not differentiate between the acts conducted by companies themselves and those by agents/ third parties acting on behalf of the company; along with the rise of prosecution on matters of corruption against companies in India.

To protect themselves, organizations should start with addressing the root cause of corrupt behaviour and implement a zero tolerance policy towards bribery and corruption covering not just employees but also agents/ third parties.

In our experience, we have seen that technology is a potent tool that can help in fighting bribery. Investment in technologies such as data analytics based monitoring tools can go a long way in mitigating the risk of bribery and corruption. Some of the classic red flags that can be quickly unearthed via technology to identify unethical practices by third parties are:

  • Use of multiple third parties for the same transaction
  • Back-dated contracts
  • Items such as “consultancy charges” or “incidental/ out of pocket expenses” on invoices, without supporting documentation
  • Unusually high payments made to counterparties
  • Mismatched expense claims

Does your organization’s ABC compliance programme cover third parties? To what extent do you use technology to identify potential cases of bribery and corruption within your organization? Reach out to us; we want to hear from you! Contact us on inforensic@deloitte.com or follow us @deloitteindia on Twitter.

Back to top

Rohit Mahajan, Senior Director and Head, Deloitte Forensic (India) and Anshuk Megharikh, Assistant Manager, Deloitte Forensic (India)

Traditional Frauds in a Modern India
30 December 2014

Over the last several years, we have seen that Corporate India has adopted global business models, with technology playing a huge part. One would think that this incorporation of technology would impact fraudsters and we would see a steady increase in technology based frauds.

However, as per the recently launched Deloitte India Fraud Survey, ‘traditional frauds’ such as bribery, regulatory non-compliance and asset misappropriation continue to dominate the fraud landscape in corporate India. While advanced technologies have streamlined frontline and back-end operations significantly, the same has not been applied to the fight against fraud. Organisations continue to fall prey to traditional frauds due to weak internal control environments. Basic operational controls against fraud such as comprehensive codes of conduct, Fraud Risk Management frameworks and real-time monitoring – both physical and IT based – are sorely lacking. Essentially, we have found that organisations simply have not done enough to ensure that their employees are dissuaded from indulging in unethical practices.

In our line of work, we often refer to the ‘Rule of Honesty’. In any organisation, roughly 10% of the employees will always remain honest, even when presented with an opportunity to commit fraud. Correspondingly, roughly 10% will always remain dishonest and will go out of their way to look for opportunities to commit fraud. The remaining 80% tend to sit on the fence – when an opportunity to commit fraud comes along, they may or may not take advantage of it. For this 80%, the tone at the top of the organisation is of particular importance. If the organisation itself is tolerant to fraud, the 80% will be tempted to commit fraud. In such situations, we see instances of asset misappropriation such as theft, pilferage, bribery and kickbacks.

If we want to take advantage of India’s projected growth story (‘acche din’) it is imperative that organisations put in place robust internal controls and review mechanisms to detect and prevent fraud and ensure that these internal controls are enforced effectively and uniformly.

Do you believe your organisation has the right framework in place to prevent fraud? Even if a fraud occurs, can your internal controls detect it before the organisation suffers financial or reputational damage? Reach out to us, we want to hear from you!

Contact us on inforensic@deloitte.com or follow us @deloitteindia on Twitter.

Back to top

Rohit Mahajan, Senior Director and Head, Deloitte Forensic (India) and Anshuk Megharikh, Assistant Manager, Deloitte Forensic (India)

Ethical Dilemmas – What should you do?
18 December 2014

Picture this: You are a senior management executive at an MNC and are trying to expand the operations of your company into a new country but have been unable to do so due to bureaucratic hurdles and red tape. If you are unable to expand before the end of the financial year, your job is on the line. You are approached by a well-known third party intermediary (TPI), who is said to operate in an ethically grey area. He offers to facilitate your expansion into said country and all you will have to do is pay his “consultancy charges”, without asking any awkward questions.

This is what we call an Ethical Dilemma.

Surprisingly, this is not an uncommon situation. Even more surprisingly, it is not uncommon for organisations to enter into business with such TPIs to act on behalf of the company in matters of expansion, sales, regulatory issues, etc. The expenses arising from such dealings are often booked as legitimate commissions and consultancy charges to avoid detection. These decisions are often taken at mid to senior level of management by people who may not always take into account the ramifications of contracting with dubious TPIs. More often than not, this can be attributed to a lack of familiarity with the organisation’s ethics policies.

As such, ‘the tone at the top’ is extremely important in ensuring the percolation of ethical values across an organisation. As per the ACFE, a poor tone at the top is a primary factor in 18% of all frauds resulting in a loss of $1mn or more.1 As per a recent survey on the perception of anti-bribery and corruption compliance conducted by us, 57% of respondents indicated that they did not receive any emails from senior management regarding the organisation’s position on corruption. Out of the 35% that indicated that they did, only 54% indicated that they read and understand such emails.

All of this serves to highlight the importance of effective training and familiarity with ethics policies. But once the training is imparted, how do you ensure your employees are applying the values in practical situations? How do ensure that a positive and ethical tone at the top is communicated across the organisation?

An effective solution is to organise Ethical Dilemma workshops on a regular basis. An Ethical Dilemma workshop is a good way to understand the tone at the top and to get a pulse of how ingrained your ethics policy/code of conduct is in your organisation and how consistent it is within the senior management. It helps sharpen ethical decision making skills and introduces applied ethics into the workplace.

An Ethical Dilemma Workshop generally covers:

  • Overview of applicable laws, regulations and perceptions concerning fraud and corruption
  • Fraud trends in the sector
  • Case studies
  • Scenarios built on the code of conduct/business ethics and practical situations
  • Overview of tools and technology being used to combat fraud and corruption

In what ways does your organisation address ethical dilemmas? Reach out to us and let us know! Contact us on inforensic@deloitte.com or follow us @deloitteindia on Twitter.

 

--------------------------

1 ACFE 2012 Global Fraud Survey

Back to top

Sumit Makhija, Senior Director, Deloitte Forensic (India) and Anshuk Megharikh, Assistant Manager, Deloitte Forensic (India)

Corruption in Corporate India
09 December 2014

Right from paying off an engineer to get your water or electricity connection in a timely manner to paying a tout to ensure that you (illegally) get your driver’s licence on your 18th birthday, bribery and corruption is accepted as an intrinsic part of our day to day lives.

We set out to gain a deeper understanding of the perception of bribery and corruption at an individual level in Corporate India and expected similar feedback. After all, India has generally ranked poorly on Transparency International’s Corruption Perception Index and is considered a very difficult place to do honest business.

Instead, the results were pleasantly surprising. The statistics clearly point towards a change in sentiment towards the issue of corruption amongst private sector employees. Surveys have indicated that one in every two Indians has paid a bribe while dealing with a public office188% of the respondents in our survey indicated that they would not feel comfortable working for a company that is perceived as indulging in corrupt practices. Further, a healthy 61% of the respondents indicated that they would not pay or indulge in other corrupt practices “to get the job done”, as it would be against their personal ethics.

71% of the respondents indicated that organisations in India can eradicate bribery/corruption from their business by ensuring that senior management follow and propagate ethical principles right from the management to the execution levels. This is particularly important, as over half the respondents were unaware or unsure about their organisations’ anti-bribery and corruption (ABC) policies. The biggest challenge in implementing ABC programmes is the mind-set that without bribery, business cannot be done.

Despite the challenges, one thing is clear – Corporate India is tired of the malaise of corruption and wants to look ahead. A few simple steps can go a long way in changing the culture of an organisation and ensuring zero tolerance towards unethical behaviour:

  • Defining clear and simple policies
  • Focus on zero tolerance culture
  • Effective trainings
  • Robust and friendly reporting mechanism
  • Employee participation

What are your thoughts on corruption in Corporate India? Do you think we can encourage honest business? Contact us on inforensic@deloitte.com or follow us @deloitteindia on Twitter.

 

---------------------------

1 A survey by Janaagrahaa Center for Citizenship and Democracy (http://indiatoday.intoday.in/story/bribery-in-india-bribe-republic-anti-corruption-bureau/1/291074.html)

Back to top

Rohit Mahajan, Senior Director and Head, Deloitte Forensic (India) and Anshuk Megharikh, Assistant Manager, Deloitte Forensic (India)

Corner stones of a whistleblowing programme
05 December 2014

Over the years we, at Deloitte Forensic, have seen a rise in demand for information on preventing fraud, misconduct and non-compliance among corporates in India. While we do launch thought leadership and organise knowledge sharing events at regular intervals, we realise that young professionals today seek information on social media.  In line with that, we have started this blog to bring you relevant news and opinions from forensic accounting experts. Please feel free to reach out for any questions, comments or opinions.

Recently, the US Securities and Exchange Commission (SEC) announced that it was awarding a foreign whistleblower $30mn for exposing an ongoing fraud within a company. The SEC has not identified the whistleblower or the case relating to this payout, demonstrating the strength of its whistleblower protection program.

In contrast, Indian legislation discourages anonymous whistleblower complaints and has no comparable whistleblower protection programme. This can be a big deterrant for people wanting to escalate cases of suspected malpractice, especially within corporate India.

Globally it is recognised that frauds are more likely to be detected by tips received from employees and third parties, than by any method and that companies with some form of a whistleblower hotline experienced frauds that were 41% less costly and detected 50% faster.

To increase the number of useful tips received, it is important that a potential whistleblower has confidence in the system that his/ her identity will be protected and they will not be subject to retaliation. Our survey on whisteblowing too highlights this.

The onus therefore is on companies to build a whistlewblower programme that guarantees safety of the whistleblower. Five cornerstones of such as program should include –

  1. Anonymity
  2. Confidentiality
  3. Access - multi channels, 24/7
  4. Multi language support
  5. Transparency on how complaints are treated.

What kind of a whistleblowing program does your company run? As an employee what are your thoughts on it? Look forward to hearing from you. Contact us on inforensic@deloitte.com or follow us @deloitteindia on Twitter.

Back to top

Explore Content

Did you find this useful?

Related topics