Edition 1June 2014

Fraud and beyondA newsletter by EY’s Fraud Investigation & Dispute Services

04

08

14

Industry diariesSnapshot of recent news on fraud, bribery and corruption

Sector chronicles • Addressing the issue of stressed assets in

Indian banking system

• Battling corruption risks in the Indian life sciences industry

In focus ’

• Evolving face of cybercrime in India

• Transcending boundaries — harassment at the workplace

In this edition

Welcome to the first edition of Fraud and beyond, a newsletter from EY’s Fraud Investigation & Dispute Services.

Today, businesses operate in a highly competitive and challenging environment. With the potential of developed (but saturated) markets becoming limited, companies are steadily inching toward new, emerging and relatively high-risk economies to accelerate their growth. Keeping pace with these changes, India’s regulatory landscape has also been witnessing a steady evolution, with one of the most significant developments being the New Companies Act, 2013. As it has already come into effect from 1 April 2014, it is expected to have a far-reaching effect on organizations by its concerted effort to enhance the country’s business environment through implementation of robust corporate governance practices.

We have attempted to include all the relevant news, opinions, analyses and trends in this newsletter to demystify the complex innovations that are reshaping corporate India. The first section, “Industry diaries,” provides a snapshot of significant updates on fraud, bribery and corruption that made recent headlines. The next section, “Sector chronicles,” outlines the views of our seasoned anti-fraud professionals on areas including India’s stressed banking system and corruption risks in life sciences industry.

Our last section, “In focus” elaborates the impact, risks and evolution of cybercrime in the country. It also discusses the Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal), Act 2013, which emphasises on the need for organizations to put in place preventive measures. These policies are vital for building an environment in which women in corporate India will feel safe.

I hope you enjoy reading this edition of Fraud and beyond. We look forward to your valuable feedback and suggestions to make this newsletter even more informative in the future.

Introduction

Arpinder Singh Partner and Head – India and Emerging Markets

Fraud Investigation & Dispute Services

4 | Fraud and beyond | Edition 1

Disgorgement clause to divert assets of fraudulent firms to investors’ funds1

The assets, property or funds of individuals or companies involved in fraudulent activities and cheating investors and shareholders will be redirected to the Investor Education and Protection Fund (IEPF) for disbursement to the affected individuals under new provisions called “disgorgement” in the New Companies Act, 2013.

According to Section 38, relating to disgorgement, all the financial gains or disposable securities of an individual or entity found guilty of being involved in illegal activities will be credited to the IEPF. Furthermore, the wealth of individual(s), including the key executives including the CEO, CFO, Company Secretary, MD and directors of such enterprises will also be redirected to the IEPF after suitable legal actions are initiated against them before the National Company Law Tribunal (NCLT)*.

*Please note, the National Company Law Tribunal (NCLT) is yet to be formed. The summary mentioned above is taken from the source as it is for your easy reference.

CBI to set up new sports fraud investigation unit2 The Central Bureau of Investigation (CBI) plans to create a new unit to investigate crimes related to sport. The new sports fraud investigation unit will be set up under the Special Crime Branch of the CBI. This decision was taken in the wake of recent allegations of match-fixing in sports, notably in cricket, which has a huge following in India.

SFIO to get more freedom3

The Serious Fraud Investigation Office (SFIO), which probes violations of Company Law, is soon likely to be empowered with a measure of financial and administrative autonomy. The Government’s decision to bestow increased powers on the agency is a direct consequence of the passage of the New Companies Act, 2013, which accords the SFIO a statutory status, and puts it at a par with other investigating agencies such as the National Investigation Agency (NIA), which was created in 2009 by an Act of Parliament.

SEBI overhauls corporate governance norms of listed companies4

Listed companies will now have to follow a stricter set of corporate governance norms, which require them to check excessive increases in executives’ salary packages, put in place whistle-blower policies and orderly succession plans, and have at least one woman director on their boards. The new corporate governance norms also seek to exclude “nominee directors” from the definition of independent directors.

In a major overhaul of corporate governance norms for listed companies and their top executives, the Securities and Exchange Board of India (SEBI) also cleared proposals requiring increased oversight of and by independent directors, more intense checks on all related party transactions involving promoters and directors, and limits on directorships and remuneration of board members. The new regulations will come into effect for all listed companies with effect from 1 October 2014.

Industry diariesSnapshot of recent news on fraud, bribery and corruption

1 “Disgorgement clause to divert assets of fraud firms to investor fund”, The Financial Express, 7 January 2014, via Factiva2 “CBI to set up a new sports fraud investigation unit”, Livemint, 15 January 2014, via Factiva. 3 “SFIO may get more freedom”, Livemint, 9 February 2014, via Factiva/.4 “SEBI overhauls corporate governance norms for listed companies”, The Statesman,13 February 2014, via Factiva.

5Fraud and beyond | Edition 1 |

India to penalize invasion of privacy-related offences in draft Bill5

The Government proposes to set up a Data Protection Authority (DPA), which will rule on issues relating to invasion of privacy and impose penalties on violations, to safeguard the privacy of individuals and define invasion of privacy-related offences,.

According to a draft Right to Privacy Bill, the Authority will “investigate any data security breach and issue appropriate orders to safeguard security interests of all affected data subjects in respect of any personal data that has or is likely to have been compromised by such breach.”

The Bill also proposes the creation of data controllers who will regulate and maintain confidentiality when dealing with personal data. Each data controller will appoint a privacy officer who will ensure security of such data.

Rising online fraud pushes banks to seek insurance cover6

Indian banks are increasingly seeking insurance cover against fraudulent online transactions, including those involving credit cards, as the rising use of plastic money and the ease of Internet transactions increases lenders’ exposure to incidences of data breach.

Insurance companies’ data indicate that large banks are seeking policies worth

INR 5 billion as protection against fraud, including online fraud, while mid-sized ones are opting for policies in the range of INR 2.5–3 billion.

More than 100% rise in cybercrime in 20137

In 2012, the Mumbai police registered 62 cases of fraud, which went up to 169 in 2013. On one hand, people are more aware of fraud and immediately contact the police if they receive any obscene SMSs or emails. On the other hand, crooks have also found new ways of committing fraud to earn easy money or take revenge. If the authorities are to be believed, these are the two reasons for which 95% of cybercrime is committed.

According to statistics provided by the Mumbai police, eight cases of credit card fraud and cheating were registered in 2012. This went up to 32 cases in 2013. Similarly, 12 cases of obscene emails, SMS or MMS were registered in 2012. This increased to 35 cases in 2013.

SEBI tightens regulations to check money-laundering and funding of terrorism8

SEBI has tightened its regulations in an attempt to prevent money laundering through the capital market. The market regulator has asked capital market entities to conduct detailed risk assessments of their clients, including those with links to countries facing

international sanctions. According to its circular, registered intermediaries should assess their risk to identify, evaluate and take effective measures to mitigate money laundering and terrorist-financing risk with respect to their clients.

Furthermore, the circular mandates that market intermediaries’ risk assessment should be documented, updated regularly and made available to competent authorities and self-regulating bodies. They are also required to appoint designated directors to ensure their compliance with the new norms. In the case of mutual funds, intermediaries’ compliance with the circular will be monitored by the boards of asset management companies and their trustees, and for other intermediaries, by their boards of directors. In the event of lapses, directors may face penal action taken by SEBI

Empowerment of investors and core focus enforcement areas: SEBI9

For the next fiscal, SEBI has broadly identified four core areas of new activities as its core target areas in 2014—15. These four categories include increasing investors’ awareness and education, enlarging the reach of investors and potential investors through regional and local offices, gauging manpower and capacity-building requirements, enforcing actions and raising standards of supervision and enforcement in the marketplace.

5 “India proposes to penalise invasion of privacy offences in draft bill”, The Economic Times, 18 February 2014, via Factiva.6 “Rising online fraud pushes banks to seek insurance cover”, The Economic Times, 4 March 2014, via Factiva.7 “More than 100% rise in cybercrimes in 2013”, DNA India, 9 March 2014, via Factiva.8 “SEBI tightens norms to check money laundering, terror funding”, The Hindu, 12 March 2014, via Factiva.9 “Investor empowerment, enforcement core focus areas: SEBI”, The Economic Times, 16 March 2014, via Factiva.

6 | Fraud and beyond | Edition 1

10 “SEBI to provide greater clarity to justify quantum of fines”, The Economic Times, 25 March 2014, via Factiva.11 “SEBI gets new software tools for fraud detection, probes”, The Financial Express, 6 April 2014, via Factiva12 “SEBI clamping down on illegal money pooling schemes”, Livemint, 10 April 2014, via Factiva.

These steps aim to increase the depth of the domestic capital market and also ring-fence investors from being involved in fraudulent activities.

SEBI to provide enhanced clarity and justify fines10 To ensure greater transparency, SEBI has begun providing additional clarity on its orders in order to justify penalties imposed for defaults and other violations. SEBI, which can levy penalties of up to INR 250 million or three times the amount of ill-begotten gains (whichever is higher), has decided that its adjudicating officers will clearly mention mitigating factors in their orders in order to justify the fines they impose for violation of SEBI’s regulations. This decision was taken as part of its effort to streamline interpretation of monetary penalty provisions under its security-related laws.

The opinions of the Attorney General on this issue were also taken into account. SEBI can impose penalties for failure to furnish information, fraudulent and unfair trade practices, and defaults. In most cases, the penalty is INR 100, 000 for each day of entities failing to furnish information on the practices mentioned above, subject to a maximum of INR 10 million. In the case of insider trading, the fine can go up to INR 250 million.

SEBI gets new software tools for fraud detection11 With an aim to beef up its capabilities to detect frauds and bring scamsters to book, SEBI is putting in place new software tools to help in its investigations and surveillance activities. The new tools would help the capital markets watchdog in keeping a close watch on possible manipulative activities in the stock markets by monitoring

suspicious trades as also by analysing the information available in the public domain such as on social media and other Internet platforms.

SEBI already has got a surveillance system, which generates alerts of suspicious trading activities every day. After following up on all these alerts on various automated parameters, selected alerts are taken for next-level analysis and therefore investigation and enforcement actions are carried out for necessary cases. The surveillance system also track media reports for information being shared among the investors and those are put under scanner that appear suspicious and in violation to the their regulations and model codes of conduct for various entities, including listed companies and market intermediaries.

SEBI clamping down on illegal money pooling schemes12 Capital markets watchdog SEBI is in process of cracking its whip soon on various illicit money-pooling schemes in West Bengal. The regulator is also exercising its new powers like collection of information from other regulators, government departments and even commercial enterprises such as telecom companies and banks. At the same time, SEBI is also looking into possible launch of recovery proceedings through attachment orders, among others.

The cases include illegal money pooling activities or Ponzi schemes floated in West Bengal, Assam and other eastern and northeastern states, among others. With more powers getting restored through re-promulgation of ordinance last month, Sebi is going ahead with prosecution and recovery proceedings in cases where wrongful activities had already been established and orders passed.

7Fraud and beyond | Edition 1 |

Cyber Swindlers Ahead of Banks to Target Your Cards13 Fraudsters are increasingly relying on ‘skimmers’ and ‘shoulder surfing’ methods. Cybercrimes on debit or credit card usage have more than doubled as fraudsters evolve new cloning methods to stay ahead of banks which are improving security features with chip and pin cards, according to preliminary industry data. The number of such crimes has increased by about 125% since a year ago, a senior official from the National Payments Corporation or NPCI, a settlement platform for epayments, told ET on condition of anonymity.

Domain regulators must probe frauds14 The RBI’s reported decision to carry out independent forensic audit of corporates declared fraudulent by banks is welcome. Similarly, all sectoral regulators should be tasked with preliminary investigation in their respective domains — such as SEBI for market manipulation. Dumping all investigation of fraud in diverse sectors of the economy on a single or common investigative agency without specialised knowledge of individual sectors would not be very productive.

FinMin directs banks to deal firmly with fraud, wilful default15 “As part of the strategy to contain bad debts, the Finance Ministry has directed all public sector banks to accord top

priority to cases of fraud and wilful default and take legal action against those responsible. Cases of fraud include providing wrong information, submission of fictitious documents and so on. Banks have to deal with all such cases firmly so that non-performing assets could be brought down.

DRI detects commercial fraud to the tune of over INR 31 billion16 Cases of commercial fraud, including trade based money laundering (TBML), to the tune of over INR 31billion have been detected by Directorate of Revenue Intelligence (DRI) in the last fiscal--2013-14. DRI, which acts as lead agency to check smuggling and commercial fraud, has detected 694 cases of commercial fraud involving customs duty. These cases are related to mis-declaration and under invoicing of imported and exported goods, misuse of government schemes to facilitate trade (like foreign or preferential trade agreement--FTA/PTA) and misuse of importer exporter code (IEC) and other exemptions to promote trade, and TBML, among others.

Sebi proposes new listing & disclosure requirement norms17 To enhance enforceability of various regulatory provisions by listed firms, SEBI has proposed new set of rules that would require greater disclosures by the companies and give more powers to stock exchange to check any non-

compliance. The proposed norms, to be called SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2014, would need to be followed by all listed companies, as also for listing of debentures, bonds and mutual funds on stock exchanges. The new rules would also include provisions related to the revised corporate governance framework such as requirement by companies to get shareholders’ approval for related party transactions, setting up a whistle blower mechanism, elaborate disclosures on pay packages and requirement of at least one woman director on company boards.

Whistleblowers Protection Act gets President’s approval18 President Pranab Mukherjee has given approval to the Whistleblowers Protection Act, 2011, that provides a mechanism for protecting the identity of people, who expose corruption in government, or irregularities by the public functionaries. The Act also provides for a system to encourage people to disclose information about corruption, or wilful misuse of power by the public servants, including ministers. As per the law, a person could make a public interest disclosure on corruption before a competent authority, which is currently the Central Vigilance Commission. The government, by notification, could also appoint any other body for receiving complaints about corruption. The Act, however, lays down punishment of up to two years in prison and a fine up to ` 30,000 for false or frivolous complaints.

13 “Cyber Swindlers Ahead of Banks to Target Your Cards”, The Economic Times, 11 April 2014, via Factiva14 “Domain regulators must probe frauds”, The Economic Times, 21 April 2014, via Factiva15 “FinMin directs banks to deal firmly with fraud, wilful default “, The Hindu, 27 April 2014, via Fcativa ctiva 16 “DRI detects commercial fraud to the tune of over Rs. 3,100 crore: report “, NDTV Profit, 30 April 2014, via Factiva 17 “Sebi proposes new listing & disclosure requirement norms”, The Financial Express, 6 May 2014, via Factiva18 “Whistleblowers Protection Act gets President’s approval”, New Indian Express, 14 May 2014, via Factiva

8 | Fraud and beyond | Edition 1

The issue of stressed assets in India’s banking system is one of the major concerns for the Regulator and the economy as a whole. The sector is probably at one of its most vulnerable phases in recent history due to the sudden spike in Non-Performing Assets (NPAs) over the last few quarters, enhanced scrutiny on reporting and monitoring of NPAs, and increased requirements for Corporate Debt Restructuring (CDRs).

The gross NPAs of listed banks have been rising consistently in the last two years from INR 1.32 trillion at the end of the March 2012 to INR 2.43 trillion at the end of December 201319.Although the reasons for this increase cannot be attributed to a single issue, the CDR Cell and Reserve Bank of India’s (RBI’s) perspective on the need for forensic audits to be conducted for every potential CDR throws light on their probable intent and the direction of their concern.

The value of fraudulent transactions reported by the banking sector has more than quadrupled from INR 20.38 billion in 2009–10 to INR 86.46 in 2012–1320. Frauds witnessed in the corporate lending sector are more often of high value. Would it then be prudent to say that this increase in fraudulent incidents is one of the key contributing factors for the rise of NPAs? If this is so, why does this occur? Is it due to internal lapses within the credit systems of banks or have the complexities of business increased to such an extent that it is difficult for enterprises to detect issues at an early stage? According to our recent experiences, we think it is a mix of both, in addition to systematic market risks that cannot be controlled.

Some of the reasons for increased NPAs in recent times:

1. Credit management systems of banks: More often than not, the root cause of all stressed asset/NPA/CDR cases can be traced back to lapses in banks’ initial customer due diligence, credit review mechanism and inefficiencies in their overall sanctioning process. Banks need to pay special attention to the source and quality of promoters’ contributions and be particularly aware when debt raised by a parent company is infused as equity in its subsidiaries.

2. End-use monitoring and focus on early warning signals: There are significant gaps in banks’ periodic reviews/audits to verify and monitor utilization of funds disbursed by them. In many cases, the mutual trust and relationship with a borrower can hamper an objective analysis of early warning signs. The RBI has recently communicated that banks need to create a new asset classification, Special Mention Accounts (SMAs), to identify early signs of stress in an account. SMA sub-classifications are based on quantifiable criteria rather than on the judgement of banks are expected to enhance transparency and accountability in their operations.

3. Utilization of technology: In most cases, banks do not have adequate systems in place to identify or classify NPAs. They generally have manual interventions and a weak control of their systems, which adversely affects the account classification status of their customers. With the spate of increasing NPAs in the country, the need for a refined fraud analytics solution is increasingly becoming a necessity for financial institutions to monitor “red flags” effectively.

19 Banks rush to offload bad loans to asset reconstruction firms, Livemint, 27 February 2014, via Factiva

20 “Frauds in the Banking Sector: Causes, Concerns and Cures”, Reserve Bank of India, 29 July 2013 2013

Sector chroniclesAddressing the issue of stressed assets in Indian banking system

9Fraud and beyond | Edition 1 |

Vikram is an Partner with EY’s Fraud Investigation & Dispute Services in India. He has worked on various assignments involving investigations, fraud risk assessments, vendor monitoring, AML compliance, transaction monitoring, etc.

Vikram is a qualified Chartered Accountant from ICAI and a member of the Association of Certified Fraud Examiners, USA.

The article is co-authored by Rajkumar Shriwastav, Director – Fraud Investigation & Dispute Services, EY and Ashwin Kumar, Director – Fraud Investigation & Dispute Services, EY.

About the Author

Vikram BabbarPartner

Fraud Investigation & Dispute Servicesvikram.babbar@in.ey.com

Addressing concerns

Some recent measures introduced by the RBI, such as the “Framework for Revitalising Distress Assets in Economy” and other measures including redressal for banks through the Securitization and Reconstruction of Financial Assets and Enforcement of Securities Act, 2002, (SARFAESI Act) and CDR address the issue in discussion, but most of these are more reactive than proactive.

Banks need to independently assess their systems and monitor their processes and review these from a forensic perspective to effectively address increasing complexities in their “borrowing” business. Additionally, forensic audit for NPA cases, to enhance the importance of effective end-use monitoring, has to necessarily form a part of the risk framework of every bank.

Forensic audit helps to uncover what may not necessarily be reported in books of accounts or in “flash” reports. Banks must be wary of CDR

requests and objectively assess the requirements and reasons for losses to prevent further investment in “loss” accounts.

Reviews of the operations of certain banks have given rise to growing concerns on how their inadequate systems to classify or identify NPAs can lead to disproportionate assessment of issues. Manual interventions and weakness in control systems can be mis-utilized to adversely affect the account classification status of customers.

The current situation warrants enhanced scrutiny of the overall mechanism for managing, monitoring and reporting stressed assets. However, the sector can definitely look at a slow but steady and long-term revival with stringent compliance with regulatory guidelines, a consistent focus on ensuring a strong fraud-control environment in credit-management systems, and appropriate investments in technology and efficient recovery mechanisms.

10 | Fraud and beyond | Edition 1

Globally, public procurement refers to purchase of goods or services by a government or a public sector organization and accounts for a considerable share of its public expenditure. Government institutions typically adopt the tendering process to put in place a transparent and efficient procurement system. In most cases, a tender is granted to the supplier that offers the lowest price or the best value for money. It is, therefore important that the procurement process is not affected by practices such as collusion, bid rigging, fraud and corruption.

Process of tendering in the life sciences sectorIn India, tenders are typically invited through the Open Tender Enquiry (OTE) and Limited Tender Enquiry (LTE) channels. In OTE, all eligible suppliers are free to apply for a tender, while in LTE, a pool of vendors is established for a particular commodity or service. It is the common practice of government departments to maintain a list of preferred empanelled or registered suppliers, based on technical and financial grounds.

Today, life sciences players are engaged in manufacturing, testing, selling and distributing medicines as well as medical equipment, and conducting clinical tests, diagnostics etc. For example, consider a public hospital that floats an OTE. Each tender often has a complicated tendering process, requirements, expectations and timelines, which are defined in the tender floater document. To understand these requirements, bidders engage exclusive agents who liaise with the purchasers to understand their requirements, and then use this information to create tender applications. They then mediate with the authorities to obtain timely feedback on status, and facilitate acceptance of the bidder’s tender application. In lieu of their services, agents receive an overriding commission (ORC).

Ideally, an ORC agent is supposed to conduct all tendering activities till the final stage. However, in the current scenario, all activities are undertaken by the suppliers, with agents only being used as a channel to make “inappropriate” payments to the purchaser. Typically ORC agents in India receive a commission ranging from 10% to 40% of the order value won. In contrast, the authorized dealers or distributors of life science companies generally receive 10% to 20% of the latter’s trade margins. Our recent investigation indicated possible use of excess funds by ORC agents to unduly influence tendering authorities in order to win tenders for companies.

Sector chroniclesBattling corruption risks in the Indian life sciences industry

11Fraud and beyond | Edition 1 |

Case study: Bribery in tendering processA public hospital “purchaser” invited an LTE from its chosen vendors for a medical product, “M.” One of the vendors, the “supplier” that manufactured the product “M,” sought to win this tender. The supplier engaged the ORC agent “ORCA” to liaise with the purchaser for a commission of 30% of the tender value.

M’s selling price was neither regulated nor bound under the maximum retail price requirement. Moreover, each M deal was at a contractual rate, which varied across transactions. For this particular tender floated, the supplier complied with the requirements for documentation, which ORCA submitted to the purchaser, quoting the price for supply of M at, for instance, USD 20 per unit. This price was quoted by the supplier with complete knowledge that the purchaser did not have a team that could validate this with market sources. For paper work, a copy of the reference order from another government hospital, “G,” was attached with the purchaser’s order for M in favor of the supplier at USD 20 per unit. Eventually, the tender was awarded to the supplier for a supply of M at USD 20 per unit.

It was thought that the purchaser’s officials could have received a significant part of the tender value of this deal as kickbacks. However, a simple reference check conducted on G would have revealed that a purchase order was awarded for supply of M to the supplier at USD 1.8 per unit and that the latter had forged a copy of G’s original purchase order to inflate the price to USD 20 per unit.

The cost gap per unit was used to accommodate a hefty commission of 30% for ORCA. The supplier’s accounting records only reflect the commission and not the illegitimate payment. The commission created in the hands of ORCA was appropriated by the purchaser’s officials, sales staff and management along with a slice for its other employees to insure their implicit connivance and silence.

Prevention over cureApart from extra legal implications and divergence of tax payers’ money, companies, in this case the supplier (mentioned above), become the targets of regulatory authorities, including the Department of Justice (DOJ), the Securities and Exchange Commission (SEC) and the Serious Fraud Office (SFO), for violation of FCPA, UKBA and local anti-bribery and corruption statutes.

The case study above, based on a much-focused-on experience, has been tweaked for illustration, and the possibility of its recurrence in the industry cannot be negated. What companies such as the supplier’s and public institutions inviting bids for considerable quantities can do to prevent this is to set up specially trained and independent in-house teams or engage independent third parties, which specialize in forensic due diligence.

12 | Fraud and beyond | Edition 1

13Fraud and beyond | Edition 1 |

They can undertake the following:

Suppliers can do the following:

• Undertake ex-ante due diligence of ORC agents

• Validate prices and quantities of high-value tenders of public institutions and compare these with purchase orders submitted to companies

• Verify that payments made to ORC agents are in line with terms agreed on

Purchasers can do the following:

• Obtain ex-ante confirmation on authenticity of reference order

Furthermore, a supplier can, before on-boarding an ORC agent, conduct a check to ensure that the latter’s remuneration is in line with the fair market value of the proposed services. Documenting in adequate detail the justification for engaging service providers and the exact scope of work to be undertaken by an ORC agent is also an appropriate method for establishing clarity of purpose and the remuneration amount agreed on. In addition, the supplier mandating the ORC agent to maintain an activity log for tasks performed and a routine audit of its utilization of ORC payments are likely to substantiate that the former engages in professional and ethical business practices.

The supplier can go further and reduce its reliance on service providers by establishing an in-house department to help it identify tenders and provide support on submission of tender applications, negotiations with tendering authorities, and later, on follow-up on payments from the purchaser.

While the supplier can adopt a reactive attitude in identifying and penalizing illegal payments, activities and people, perhaps a control-based preventive approach may be sufficient for demotivating and hindering individuals with a malicious intent to execute illegal acts. Demonstration of legal intent and a strong control framework will help to strengthen a company’s case and minimize resulting penalties levied by regulating bodies such as the DOJ and SEC for anti-corruption and violation of bribery laws.

Rajiv Joshi is a Partner with EY’s Fraud Investigation & Dispute Services in India.

He has worked on various assignments in the area of investigations, enterprise risk management, revenue assurance program and internal audit. He has forensic expertise in sectors such as Life Science, Real Estate, Private Equity, Retail, Insurance and IT/ITeS and has led various investigations across these sectors.

He is a Chartered Accountant. He is also a Certified Fraud Examiner, CISA and a Certified Internal Auditor.

About the Author

Rajiv JoshiPartner

Fraud Investigation & Dispute Servicesrajiv.joshi@in.ey.com

14 | Fraud and beyond | Edition 1

The advent of technology has brought about a revolution in the way we live. Our communications, work, recreation and even utilities have undergone a major change, and being powered by technology, now are faster, easier and more convenient.

However, just as in the case of brick and mortar institutions, the virtual environment has its own risks and challenges. The recent spate of cybercrimes in the country has brought this phenomenon to the attention of many organizations, which are now increasingly asking questions regarding the security aspects of technology.

What is cybercrime? It includes crimes or acts committed against the confidentiality, integrity and availability of computer data or systems. The most common cybercrimes include hacking and phishing, fraud, data theft, corporate espionage, denial of service and cyber-stalking.

Today, mitigation of cybercrime-related risks is critical with organizations realizing the importance of the way they are perceived. This stems from the fact that damage to a company’s reputation can result in its losing revenue or destruction of shareholder value. Furthermore, there is a growing awareness that internal threats, including disgruntled employees, also pose a significant risk to enterprises.

There is a major difference in the motivation, techniques and channels through which cyber criminals direct their attacks, compared to earlier. Cybercrime is no longer committed by a single individual for personal gain, but it is a well-organized system with various syndicates and organized frameworks. The desire to commit cybercrime is explained by the concept of a fraud triangle, in which motivation and opportunity (access to tools and methods) play an important role.

Parallel universe of cybercrime — the Dark Web

The concept of the Dark Web is gaining importance rapidly. The Dark Web, also known as the Deep Web, the Invisible Web and the Dark Net, comprises web pages and data that are beyond the reach of search engines. This includes in part abandoned and inactive web pages, but the bulk of data that lies within has been crafted to deliberately avoid detection in order to remain anonymous. It is the hidden side of the internet that allows users to chat online, share files, or read or set up websites with almost complete anonymity. This enables cyber-criminals to surf protected websites and services without leaving tell-tale tracks.

Unlike earlier, today’s cybercriminals do not openly brag about their triumphs. They are motivated by big wins and are constantly on the lookout for systems that store highly sensitive information in huge quantities. Moreover, attackers have become significantly mature and patient in conducting well-thought-out tactical attacks that may have taken them months intelligence gathering, initial planting and reconnaissance, concluded by the slow poison phase, where they exploit or tamper with a system to gain access to a constant source of information, which translates to a regular stream of revenue for them.

Dark web

96%

Surface web

4%

In focusEvolving face of cybercrime in India

15Fraud and beyond | Edition 1 |

Impact of cybercrime

The next question that comes to mind is, who does it affect? And the honest answer is YOU.

Whether you are a part of a company handling data or an individual using technology for official use, you could be the target of cybercriminals, and have probably been exposed already, directly or indirectly. You just do not know it yet.

Experts believe that there are two types of computer systems — ones that have been compromised and those that will be compromised.

Industry 2013 reports suggest that India reported an overall annual loss of USD 8 billion to cybercrime against the global annual loss of USD 110 billion. This constitutes India’s contribution to the world economy on a percentage basis21.

What are the specific risks of cybercrime for Indian businesses?

Insider fraud

Insiders pose the greatest threat, which is harder to detect than external attack. This includes compromised systems, devices of key employees and disgruntled ex-employees or vendors.

Corporate espionage

With the advent of social media, internet penetration and increased risks of bribery and corruption, corporate espionage is an easy option for cybercriminals.

Imagine a scenario where the top executives and management of a large corporation have “bugged” smartphones that send all voice calls, SMS, instant messenger messages and location-related details to prying cybercriminals who are ready to sell this information to its competitor. This is no longer a fictional possibility but a reality.

Data loss

The thought of the loss of the un-encrypted laptop of a key executive is enough to send shivers down the risk management and IT department of a corporate organization. However, the department maybe unaware of the fact that terabytes of company data may already be available in the open market for sale22.

21 ”India has 42 mn cyber crime victims every year”, Business Standard, 24 June 2013

22 EY Forensic Technology & Discovery Services conducted a study where used mobile phones and hard drives were bought from the resale market and basic forensic recovery revealed sensitive company and personal information, which could have easily been exploited by cybercriminals.

16 | Fraud and beyond | Edition 1

17Fraud and beyond | Edition 1 |

What can be done?Businesses should deploy “military” strategies to combat cybercrime. They should have systems and techniques in place to monitor in real time cyber threats, e.g., in the way they monitor physical movement through CCTVs.

Today, the concept of security is moving from merely ensuring the safety of devices to protection of data/information/intellectual property, with increased awareness of risk management and reputation-related costs.

In addition, governments around the world are increasingly focusing on protecting privacy rights and are creating new laws and regulations on how businesses should store, use and protect consumer-related information.

Unfortunately, the rate at which cybercrime (with support infrastructure and opportunities) is increasing, it seems it will keep continue on its destructive path. However, organizations would do well to remember that even with an increase in their technical sophistication, cybercriminals still rely on something that can be avoided —human error.

Amit is an Partner with EY’s Fraud Investigation & Dispute Services in India.

He specializes in forensic technology and Software License Compliance. Amit has worked on engagements involving IT frauds, cybercrime, software license compliance and data analytics.

Amit has an MBA in Information Systems and holds a Master’s degree in Information Technology from Virginia Tech, US. He is also a certified fraud examiner and auditor of information systems and holds certifications from Cisco, Microsoft, IBM and BEA Systems.

About the Author

Amit JajuPartner

Fraud Investigation & Dispute Servicesamit.jaju@in.ey.com

Corporate dynamics have undergone a significant transformation over the last decade. There has been an increased number of women stepping out of their homes and joining the workplace. Organizations are also focusing on fostering a holistic and gender-neutral environment through flexible policies. A multicultural environment and intense media scrutiny has however led to issues related to sexual harassment at the workplace coming under the spotlight. Therefore, there is an urgent need for companies to address this growing challenge and take suitable steps to protect the interests of their women employees.

Ubiquity of harassment at the workplace in IndiaA survey conducted in 2013 by the Centre for Transforming India, a non-profit organization, revealed low awareness levels among women employees about issues relating to sexual harassment at the workplace. The survey also discovered that many women employees were afraid to speak up about this, fearing professional victimization. To add to this, the cultural stigma associated with sexual harassment is immense in India and often leads to “no action” situations, with most cases going unreported.

It is a “Catch 22” situation. Organizations are looking to recruit more women executives, based on meritocracy, to enhance gender diversity. However, they are ill-equipped to deal with situations related to harassment at the workplace, be these minor or critical. Therefore, while establishment of a robust sexual harassment framework is seemingly a natural extension of sound gender-neutral policies, the actual situation leaves a lot to be desired. Moreover, organizations have policies covering complaints, but not many have hands-on experience to deal with such sensitive matters and comply with the new Sexual Harassment of

Women at Workplace (Prevention, Prohibition and Redressal), Act 2013.

The law of the land The Act, which received the President’s approval in April 2013 and was notified in December 2013, was a landmark move by the Indian Parliament to safeguard the interests of working women. It states that organizations with more than 10 employees are mandated to comply with its statutes and establish Internal Complaints Committees (ICCs) to investigate complaints related to sexual harassment. The Act also deems employers responsible for providing a safe working environment for women in offices and while travelling to work. Failure to perform these duties will attract heavy penalties.

Agents of changeThe new Act will be a key enabler for organizations to implement proactive measures to address cases of harassment at the workplace. It will also help them redefine their policies and inculcate a sense of ethics among all employees. India Inc. needs to adopt a “zero tolerance” policy toward sexual harassment. The establishment of Internal Complaints Committees (ICCs), awareness programs, internal workshops and whistleblowing frameworks in organizations will be critical for protecting women in hostile work environments. Enterprises also need to conduct orientation training on ICCs and course-correction sessions, and manage investigations diligently according to rules notified under the Act. In recent cases reported by the media, it is apparent that many organizations are not ready to manage “delicate” situations. Therefore, establishment of sexual harassment frameworks within organizations will be a catalyst and help them effectively address such cases and also safeguard their reputation.

In focusTranscending boundaries — harassment at the workplace

An organization’s primary focus needs to be on instilling a sense of confidence among its women employees so they can report incidents to its ICC without hesitation. Companies also need to explain what constitutes harassment to all their employees. However, this can be misused if relationships turn sour. According to HR professionals, frivolous or malicious complaints have witnessed an increase and it’s imperative to create awareness about the repercussions and penalties involved. For instance, the number of cases are filed post appraisal have seen a rise.

Looking aheadMany companies are unprepared to deal with actual cases of sexual harassment and conduct adequate and fair investigations in response to allegations of sexual harassment. They are also faced with the challenge of answering questions relating to whether organizations need to constitute ICCs at each office, whether sexual harassment committee members need to be trained and what action should they take if women do not report incidents as well as many others. With women-centric policies already in place, the next step for organizations is to ensure that they are ready to tackle complex situations as and when these arise. Needless to say, proactive preventive measures and policies will be vital for the creation of a holistic environment, which is safe for women in corporate India.

The article first appeared in The Times of India, in its 5 March 2014 issue.

Kanika is a Director with EY’s Fraud Investigation & Dispute Services in India. She specializes in dealing with issues of work place harassment and is part of the EY Internal Complaints Committee (ICC).

She has led several projects relating to workplace harassment, background research, FCPA, Anti-bribery and Corruption reviews for Mergers and Acquisitions, investigation relating to employee misconduct.

Kanika is a MBA and has over ten years of forensic experience. Her other areas of interest include compliance programs, Foreign Corrupt Practices Act (FCPA), U K Bribery Act, Ethics & Integrity Due Diligence, Forensic Due Diligence, Anti-Corruption Due Diligence, Anti-Fraud Advisory and Compliance Frameworks.

About the Author

Kanika BhutaniDirector

Fraud Investigation & Dispute Serviceskanika.bhutani@in.ey.com

Dealing with complex issues of fraud, regulatory compliance and business disputes can detract from your efforts to achieve your company’s potential. Enhanced management of fraud risk and compliance is a critical business priority — whatever the industry sector. With over 4500 fraud investigation and dispute professionals around the world, we will assemble the right multi-disciplinary and culturally aligned team to work with you and your legal advisors. In addition, we will provide you the benefit of our broad sector experience, our deep subject matter knowledge and the latest insights from our global activities.

FIDS India • Deep competencies: Our FIDS team has

specific domain knowledge along with wide industry experience.

• Forensic technology: We use sophisticated tools and established forensic techniques to provide requisite services to address individual client challenges.

• Global exposure: Our team members have been trained on international engagements and have had global exposure to fraud scenarios.

• Market intelligence: We have dedicated field professionals, who are specifically experienced and trained in corporate intelligence, and are capable of conducting extensive market intelligence and background studies on various subjects, industries, companies and people.

• Thought leadership: We serve a variety of leading clients, which gives us deep insight into a wide range of issues affecting our clients and business globally.

• Qualified professionals: We have a qualified and experienced mix of chartered accountants, certified fraud examiners, lawyers, CIAs, CISAs, engineers, MBAs and forensic computer professionals.

Our services • Anti-fraud and fraud risk assessment

• Fraud investigation

• Dispute advisory services

• Forensic technology and discovery services

• Regulatory compliance

• Forensic business intelligence

• Anti-bribery program

• Third-party due diligence

• Whistle-blowing services

• Competition and trade services

• Supply chain and compliance integrity

EY’s Fraud Investigation & Dispute Services

De-risking India Inc. to combat fraud and corruption

Forensic Outlook 2014

Dangerous worldPractical steps for global companiesto evaluate and address corruption risk

Emerging trends in arbitration in IndiaA study by Fraud Investigation & Dispute Services

Bribery and corruption: ground reality in IndiaA survey by EY’s Fraud Investigation & Dispute Services Practice

Our latest publications

Companies Act 2013 - what will be its impact on frauds in IndiaThe much-awaited Companies Act 2013, landmark legislation in India, could have a far-reaching effect on business by its concerted effort to create a better business environment with robust corporate governance standards. Through this point of view document, we take a close look at some important changes and developments in the country to help companies assess the impact of the new Act on frauds and develop a clear strategy on compliance and governance.

Forensic Outlook 2014The publication outlines key trends that companies can watch out for to address fraud risks of the new age workplace. Covering some game changing trends across the spectrum, the publication highlights the impact of the Companies Act 2013 and how it will fuel anti-fraud and anti-corruption practices, the evolving role of Independent Directors as custodians of ethics and the importance of due diligence in managing third party vendor relationships.

Dangerous World- Practical steps to evaluate and address corruption risksCorruption risk continues to be a significant concern for global companies. The UK authorities are currently proposing the use of deferred prosecution agreements, which could lead to an increase in cases brought under the UK Bribery Act. This publication provides suggestions for how large and midsize companies should go about evaluating their corruption risks and put a program in place to address these risks responsibly.

Emerging trends in arbitration in IndiaThe Indian economy has seen an increasing number of commercial disputes in recent times. Disputes in sectors including construction, energy, pharmaceutical, etc., are snowballing, and becoming more and more complicated. With an aims to understand the emerging trends in arbitration in India we interviewed leading Lawyers and General Counsels across different countries. This publication is the result of responses received from such eminent professionals and focusses on current arbitration scenario in India and the developing trends in the domain.

Bribery and Corruption: ground reality in IndiaToday bribery and corruption are undoubtedly the most frequently discussed topics in the global business domain. With this background, we conducted a survey on the theme “Bribery and Corruption - reality, awareness and perception’ to understand the impact of bribery and corruption in India. The survey publication focuses on key areas such as impact of bribery and corruption on India’s economy and foreign investments, awareness and enforcement of anti-graft laws and challenges faced by corporates in India.

Notes

EY officesAhmedabad2nd floor, Shivalik Ishaan Near C.N. VidhyalayaAmbawadiAhmedabad - 380 015Tel: + 91 79 6608 3800Fax: + 91 79 6608 3900

Bengaluru6th, 12th & 13th floor“UB City”, Canberra BlockNo.24 Vittal Mallya RoadBengaluru - 560 001Tel: + 91 80 4027 5000 + 91 80 6727 5000 Fax: + 91 80 2210 6000 (12th floor)Fax: + 91 80 2224 0695 (13th floor)

Chandigarh1st Floor, SCO: 166-167Sector 9-C, Madhya MargChandigarh - 160 009 Tel: + 91 172 671 7800Fax: + 91 172 671 7888

ChennaiTidel Park, 6th & 7th Floor A Block (Module 601,701-702)No.4, Rajiv Gandhi Salai, Taramani Chennai - 600113Tel: + 91 44 6654 8100 Fax: + 91 44 2254 0120

HyderabadOval Office, 18, iLabs CentreHitech City, MadhapurHyderabad - 500081Tel: + 91 40 6736 2000Fax: + 91 40 6736 2200

Kochi9th Floor, ABAD NucleusNH-49, Maradu POKochi - 682304Tel: + 91 484 304 4000 Fax: + 91 484 270 5393

Kolkata22 Camac Street3rd floor, Block ‘C’Kolkata - 700 016Tel: + 91 33 6615 3400Fax: + 91 33 2281 7750

Mumbai14th Floor, The Ruby29 Senapati Bapat MargDadar (W), Mumbai - 400028Tel: +91 22 6192 0000Fax: +91 22 6192 1000

5th Floor, Block B-2Nirlon Knowledge ParkOff. Western Express HighwayGoregaon (E)Mumbai - 400 063Tel: + 91 22 6192 0000Fax: + 91 22 6192 3000

NCRGolf View Corporate Tower BNear DLF Golf CourseSector 42Gurgaon - 122002Tel: + 91 124 464 4000Fax: + 91 124 464 4050

6th floor, Wing A & B,Worldmark 1, Aero cityOpp. Holiday Inn, Mahipalpur,New Delhi - 110037Tel: + 91 11 6671 8000Fax: + 91 11 6671 9999

4th & 5th Floor, Plot No 2B,Tower 2, Sector 126,NOIDA 201 304Gautam Budh Nagar, U.P. IndiaTel: + 91 120 671 7000Fax: + 91 120 671 7171

PuneC-401, 4th floor Panchshil Tech ParkYerwada (Near Don Bosco School)Pune - 411 006Tel: + 91 20 6603 6000Fax: + 91 20 6601 5900

We would like to hear your feedback and suggestions at forensic@in.ey.com

Contact us

Arpinder Singh Partner and Head – India and Emerging Markets + 91 12 4443 0330 arpinder.singh@in.ey.com

Sandeep Baldava Partner + 91 22 6192 0817 sandeep.baldava@in.ey.com

Vivek Aggarwal Partner + 91 12 4464 4551 vivek.aggarwal@in.ey.com

Mukul Shrivastava Partner + 91 22 6192 2777 mukul.shrivastava@in.ey.com

Anurag Kashyap Partner + 91 22 6192 0373 anurag.kashyap@in.ey.com

Rajiv Joshi Partner + 91 22 6192 1569 rajiv.joshi@in.ey.com

Yogen Vaidya Partner + 91 22 6192 2264 yogen.vaidya@in.ey.com

Dinesh Moudgil Partner + 91 22 6192 0584 dinesh.moudgil@in.ey.com

Jagdeep Singh Partner + 91 80 6727 5300 jagdeep.singh@in.ey.com

Amit Rahane Partner + 91 22 6192 3774 amit.rahane@in.ey.com

Vikram Babbar Partner + 91 22 6192 2155 vikram.babbar@in.ey.com

Amit Jaju Partner + 91 22 6192 0232 amit.jaju@in.ey.com

Harshavardhan Godugula Partner + 91 40 6736 2234 harshavardhan.g@in.ey.com

Ernst & Young LLPEY | Assurance | Tax | Transactions | Advisory

About EYEY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Ernst & Young LLP is one of the Indian client serving member firms of EYGM Limited. For more information about our organization, please visit www.ey.com/in.

Ernst & Young LLP is a Limited Liability Partnership, registered under the Limited Liability Partnership Act, 2008 in India, having its registered office at 22 Camac Street, 3rd Floor, Block C, Kolkata - 700016

© 2017 Ernst & Young LLP. Published in India. All Rights Reserved.

EYIN1405-051 ED None

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither Ernst & Young LLP nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.

PB

EY refers to the global organization, and/or one or more of the independent member firms of Ernst & Young Global Limited