Managing Fraud, Theodorus Chresma HS, SE, May 17th 2014


Page 1: Managing Fraud

Managing Fraud

Theodorus Chresma HS, SE

May 17th 2014

Page 2: Managing Fraud

PwC Global Crime Survey 2014


Survey respondents included 5,128 representatives from over 95 countries around the world

Page 3: Managing Fraud

Agenda

Audit and Corporate Governance

• Internal Audit Role
• Corporate Governance
• Other Standard/Regulation

Fraud

• Fraud Definition
• Fraud Triangle
• Fraud Tree
• Fraud Red Flags
• Fraud Control
• Whistleblower Practice

Computer Forensic and Data Analysis

• Assessing Fraud Risk in Audit Assignment
• Computer Forensic and Database Analysis
• Fraud Audit Report

Case Study: Fraud Case

In order to create the additional revenue recorded in PT A, the initial purchase of cloud computing equipment and VSAT peripherals by PT B was changed into several transactions with a third party. It was subsequently revealed that PT A sold the cloud computing equipment to PT C and could recognize the revenue from this sales transaction.

[Chart: fraud detection methods, grouped under Corporate controls, Corporate culture, and Beyond the influence of management. Categories: Internal audit; Fraud risk management; Suspicious transaction reporting; Corporate security; Rotation of personnel; Tip-off (internal); Tip-off (external); Whistle-blowing system; By accident; By law enforcement; Other detection methods.]

Page 4: Managing Fraud

Internal Audit

Case Study: Fraud Case

Unfavorable contract creation between PT A and PT B. The Director of PT A changed several important points, and unclear and unfavorable clauses were added to the contract.

• An independent, objective assurance and consulting activity designed to add value and improve an organization's operations. (IPPF Std No 1000, interpretation 1000A1 & 1000C1).

• Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud (IPPF Std No 1210.A2).

• Helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

• Covers all the business operations and systems, financial, and other aspects of the organization.

Watchdog

Risk, Process, Assurance and Regulation Focus

Consulting Role and Business Value Driver Focus

Page 5: Managing Fraud

Corporate Governance (OECD Principles) & Other Standard

Case Study: Fraud Case

There is an indication (proven by email communication between the Procurement PIC and the Vendor) that the Procurement Buyer PIC received an amount of money from the Vendor.

• “Corporate governance is the system by which companies are directed and controlled….” Sir Adrian Cadbury, UK, 1992

Rights of Shareholders

Equitable Treatment

Role of Stakeholders

Procedures for complaints by employees concerning illegal (including corruption) and unethical behavior.

Disclosure & Transparency

Responsibilities of the Board

• SOX Section 301 requires the Audit Committee of the Board of Commissioners of the Company to establish procedures for (i) the receipt, retention and treatment of complaints received by the Company regarding accounting, internal accounting controls or auditing matters.

• Anti-Bribery and Book and Records Provisions of the Foreign Corrupt Practices Act (“FCPA”). Under these laws, the Company and Company Employees may be subject to criminal liability if a Company Employee or an Associated Person, directly or indirectly, offers or pays, or authorizes payment of, Anything of Value in exchange for some improper advantage for the Company.

Page 6: Managing Fraud

Fraud

Case Study: Fraud Case

There was a discrepancy between the record of cash received by the PIC at the Regional Office and the cash deposited to the Bank during the period 2011-2012. The total discrepancy is IDR XXX.

An intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage (ISA 240)

Any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain. (Managing the Business Risk of Fraud: A Practical Guide, prepared by IIA, AICPA, and ACFE)

Fraud Triangle

Pressure

Perception of an immediate and un-sharable financial need or the desire to live a lavish lifestyle

Opportunity

Arises from weak controls or too much independence/ control given to a single individual

Rationalization

Belief that a crime has not been committed or is perceived to be justified and that the reward outweighs the risk

Page 7: Managing Fraud

Fraud tree

Case Study: Fraud Case

Untimely deposit of cash receipts in the Regional Office: the cash receipt of 25 May 2012 was deposited on 16 July 2012 (after 35 working days).

FRAUD

• Corruption: Conflict of Interest, Bribery, Illegal Gratuities, Economic Extortion
• Asset Misappropriation: Cash, Inventory and Other Asset, Fraudulent Disbursements
• Fraudulent Statement: Financial, Non-financial

* Source: Association of Certified Fraud Examiners (ACFE)

Page 8: Managing Fraud

Fraud Red Flag Detection

Case Study: Fraud Case

During the period of Mr. X’s assignment from March 2010 to January 2012, the amount of stamp duty deposit requested and cheques disbursed was higher than the actual amount paid to the Tax Office for several months, by IDR 435,000,000. This amount consists of IDR 70,000,000 during 2010 and IDR 365,000,000 during 2011.

Finance and Accounting

• Unauthorized bank accounts
• Sudden activity in a dormant bank account
• Discrepancies between bank deposits and posting
• Bank accounts that are not reconciled on a timely basis
• Account balances significantly over or understated
• Unexplained pricing exceptions
• Presence of employee checks in petty cash for the employee in charge of petty cash
• Excessive or unjustified cash transactions
• Significant increase in expenditures
• Abnormal number of expense items, supplies, or reimbursement to employees
• Transactions not recorded completely, timely, or improperly recorded
• Transactions with inappropriate authorization
• Window Dressing

Procurement

• Payments based on photocopied or “doctored” invoices
• Unusual billing addresses or arrangements; no physical address, post office box, missing street numbers, employee’s address
• Vendor payments sent to ineligible beneficiaries
• Errors, such as duplicate payments and miscalculations
• Payment to vendors who aren’t on approved vendor list
• Excessive payments to vendors, high volume of purchases from new vendors
• Purchases that bypass the normal procedures
• Sequential or near sequential invoices

Payroll

• Overtime charged for employees who normally would not have overtime payments
• Inconsistent overtime hours for a cost center
• Budget variations for payroll by cost center
• Employees with few or no payroll deductions
• Ghost employees

Page 9: Managing Fraud

Fraud Control (AS 8001)

Without an effective management strategy, a company is exposed to fraud risk for which the Board and management may be legally and financially liable. AS 8001 Standard provides an approach to controlling fraud and corruption risk.

Case Study: Fraud Case

After examining data from the computer of Mr. X (one of the Managers in PT A), we noted that Mr. X owned a server to provide mobile application service. Under an Agreement between PT A and PT B, PT A will pay PT B Rp. 500 per mobile money transaction service.

Planning Prevention Detection Response

• Fraud and Corruption Control Planning

• Fraud and Corruption Control Resources

• Implementing Risk

• Fraud Risk Database

• Sr Management Control the Fraud Risk

• Assessing Fraud Risk

• Communication and Awareness

• Fraud Detection Program

• Role of External Auditor in detecting Fraud (through Management Letter)

• Reporting Suspected Incidents

• Whistleblower System

• Policies and Procedures

• Investigation

• Disciplinary Action

• Loss Recovery

Page 10: Managing Fraud

Whistleblower Practice

Case Study: Fraud Case

PT A lost 10 pieces of surveying system equipment. During the HSE inspection, the HSE office found 8 of the 10 surveying systems in Mr. X's office.

Structural Aspects Operational Aspects Continuous Treatment Aspects

• Develop Whistleblower report criteria to determine False, Non Serious and Proper Whistleblower reports.

• Enhance Whistleblower Protection Policy, which covers: Protection of Whistleblower Property, Personal and Family protection, Criminal Prosecution and Whistleblower Protection Unit.

• Develop rewards (short term and long term) for whistleblowing.
  - Short Term: Incentive/Bonus.
  - Long Term: Job Promotion

• Establish a formal unit to handle Whistleblower Reports. The Whistleblower Unit may consist of two elements: 1. Whistleblower Reporting System & Investigation Unit.

• Provide other Whistleblower reporting lines: email, intranet, internet, post, fax, direct communication to superior, direct tip-off and telephoning the company’s headquarters.

• Develop Whistleblower Reporting guidance on every Whistleblower Reporting line. The guidance consists of (but is not limited to):

1. How to write a Whistleblower Report systematically (What, Where, When, How, Who) on every whistleblower reporting line.

2. Intangible/Tangible loss that contributed to overall Company loss.

3. Type of violation (i.e., legal, accounting, ethical, employment).

4. Description of claim and identification of parties/departments and persons involved.

• An effective Whistleblower system requires effective communication from Top Management to maintain employees’ awareness of the Whistleblower system.

• Perform regular socialization of Whistleblower Reporting line/System & Reporting Mechanism & Policy/Procedure/Incentive/Awareness to all employee levels in Indosat.

• Put up “eye-catching” Whistleblower awareness material, such as Posters in the workplace, Code of Ethics, Newsletters.

• Perform benchmarking to evaluate effectiveness of Whistleblower reporting lines in Indosat.

• Perform monitoring, review and evaluation over all Whistleblower reporting lines through survey, review log, feedback.

Page 11: Managing Fraud

Fraud Control (AS 8001) – Indosat Experience

Case Study: Fraud Case

Mr X, who is the Payroll PIC, added working time hours for Mr Y (an expat employee in PT A).

Planning and Resourcing

• Fraud and Corruption Control Planning

• Fraud and Corruption Control resources (Forensic and Data Mining Audit Division)

Fraud Prevention

• Enhance Tone from The Top from Sr Management

• Enhance Internal Control (SOP, Policy, Segregation of Duties)

• Code of Ethics and Conflict of Interest Statement

• Employee Training over code of Ethics, Conflict of Interest, Fraud.

• Intensive Socialization

• Strong and Consistent consequences over Fraud Action

Fraud Detection

• Whistleblower Enhancement

• Data Analysis over Suspicious Transaction on Financial Statement

• Fraud Reporting to Management

FRAUD CONTROL

Forensic and Data Mining Audit Division

Integrated Audit collaboration with other Audit Division

Page 12: Managing Fraud

Assessing Fraud Risk in Audit Assignment – Indosat Experience

Case Study: Fraud Case

Internal Audit found several counterfeit checks that were used to pay a subcontractor.

Establish Fraud Risk Database

Fraud Scheme

Submitting false invoices

Red Flag/Symptom

• Vendor has similar name but different address of a known legitimate company.
• Invoices are "rubber stamp" approved by supervisor.
• Purchases are of services (such as consulting) rather than goods or tangible assets.

Detection Steps

• Analytic review is effective to detect large scale fraud.
• Review supporting documents - look for suspicious looking documents
• Review invoices for general consulting services.

Controls to Review

• There should be an approved vendor list.
• All the vendors should be independently qualified (Not qualified per the purchasing agent).
• There must be proper segregation of duties
• Proper Authorization
• The accounts payable list of vendors must be periodically reviewed
• The vendor payments must be periodically reviewed (At least annually)
• There must be control methods in place to check for duplicate invoices
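The red flags and controls listed for the false-invoice scheme translate directly into data-analysis tests. The following Python sketch is an added example, not part of the original slides; the vendor names, addresses, invoice records and the 0.85 name-similarity threshold are constructed assumptions. It checks an invoice listing for duplicates, vendors missing from the approved list, look-alike vendor names with a different address, and sequential invoice numbers.

```python
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed sample data for illustration (not taken from the slides).
APPROVED_VENDORS = {
    "PT Sinar Kabel": "Jl. Merdeka 10, Jakarta",
    "PT Mitra Teknik": "Jl. Sudirman 5, Bandung",
}
INVOICES = [
    {"vendor": "PT Sinar Kabel", "address": "Jl. Merdeka 10, Jakarta", "number": "INV-2001", "amount": 12_500_000},
    {"vendor": "PT Sinar Kabel", "address": "Jl. Merdeka 10, Jakarta", "number": "INV-2001", "amount": 12_500_000},
    {"vendor": "PT Sinar Kabell", "address": "PO Box 77, Depok", "number": "INV-0101", "amount": 9_000_000},
    {"vendor": "PT Sinar Kabell", "address": "PO Box 77, Depok", "number": "INV-0102", "amount": 9_200_000},
    {"vendor": "PT Mitra Teknik", "address": "Jl. Sudirman 5, Bandung", "number": "INV-5530", "amount": 4_000_000},
]

def lookalike(name, address, approved, threshold=0.85):
    """Return the approved vendor whose name this one resembles (at another address), else None."""
    for known, known_addr in approved.items():
        ratio = SequenceMatcher(None, name.lower(), known.lower()).ratio()
        if ratio >= threshold and address != known_addr:  # threshold is an assumed cut-off
            return known
    return None

def red_flags(invoices, approved):
    """Return a sorted list of (invoice_number, flag) findings for auditor follow-up."""
    findings, seen, numbers = set(), set(), defaultdict(list)
    for inv in invoices:
        key = (inv["vendor"], inv["number"], inv["amount"])
        if key in seen:  # same vendor, number and amount already processed
            findings.add((inv["number"], "duplicate invoice"))
        seen.add(key)
        if inv["vendor"] not in approved:
            findings.add((inv["number"], "vendor not on approved list"))
            if twin := lookalike(inv["vendor"], inv["address"], approved):
                findings.add((inv["number"], f"name resembles {twin}, different address"))
        digits = "".join(ch for ch in inv["number"] if ch.isdigit())
        if digits:
            numbers[inv["vendor"]].append((int(digits), inv["number"]))
    for series in numbers.values():
        series = sorted(set(series))
        for (a, _), (b, num_b) in zip(series, series[1:]):
            if b - a == 1:  # consecutive invoice numbers from one vendor
                findings.add((num_b, "sequential invoice number"))
    return sorted(findings)

if __name__ == "__main__":
    print(*red_flags(INVOICES, APPROVED_VENDORS), sep="\n")
```

Each finding is a lead for review of supporting documents, not proof of fraud.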

Page 13: Managing Fraud

Assessing Fraud Risk in Audit Assignment – Indosat Experience

Case Study: Fraud Case

While performing visit activity over the Procurement Bidding process, Internal Audit found an invalid address.

No: 1

Control Ref: PR.01.08.C4

Process: CAPEX Purchase Request

Risk:
• Invalid purchase process not in accordance with approved SC
• Procurement of goods / services is unauthorized

Fraud Risk Assessment: Procurement PIC created unnecessary PO

Control Associated with Risk: Procurement manager performs review and validation on completion of SC and its supporting documents (PID and budget approval from IC committee)

Testing Plan:
1. Obtain PID documentations (Proposal, RKS, RFP, Budget Case approved, etc.).
2. Obtain budget and investment committee approvals.
3. Verify SC, Budget Committee and Investment Committee approvals in accordance with LoA and authorized personnel.
4. Verify BoQ and Unit Price in SC in accordance with Indosat's needs as stated in Proposal/RKS and RFP.

Adding Fraud Risk Assessment on Audit Risk Control Matrix

Page 14: Managing Fraud

Computer Forensic and Big Data Analysis

Case Study: Fraud Case

Internal Audit performed analysis over procurement transactions and found an unfavorable bidding price submitted by vendor A.

Fraudster

Data

• Computer Data
• Office Email
• Office Phone
• Office Application

Investigative Audit

• Manual Procedure (Review SOP, Business Process, Transaction)

• Computer Forensic

• Other Analysis

Fraud examination is a methodology for resolving fraud allegations from inception to disposition. More specifically, fraud examination involves obtaining evidence and taking statements, writing reports, testifying to findings, and assisting in the detection and prevention of fraud.

Guidance

• Digital evidence should not affect the data integrity.
• A Certified person
• Computer Forensic is not hacking (never use keystroke logger, spyware, hack password, unauthorized login)
• Data are relevant, legally obtained, properly defined and can be presented in court.

Computer Forensic Phase

• Ensure the machine can be fully analyzed. Examine the machine, secure evidence, power down carefully, use additional system.
• Image Acquisition. (Copying data is not legal). Use imaging data.
• Keyword search (money, cake, transfer, etc)
• Using the analysis and designing report of Encase System, Imaging Report

Do and Don'ts

• Obtain new HDD to secure data
• Encrypt data
• Unplug from power supply, remove battery carefully.
• Document all steps
• Use Encase system

× If computer is on, don’t turn it off, unplug directly from power supply.
× Don’t enter, copy, or cut anything.

Page 15: Managing Fraud

Investigation Audit Report

Case Study: Fraud Case

While performing ELC Testing on the Finance Division (Payment Operation), Internal Audit noted that there is no segregation of duties in Payment Operation. One PIC handles both payment and transaction recording.

Background and Objective

• The investigation was performed based on?
• Fraud Indication
• Objective of Investigation

Scope of Review and Methodology

• Procedures performed
• PIC Involved

Summary of Investigation Results

• Testing Result
• Summary of Fraud/Findings

Recommendations

• Recommendation to prevent Fraud case in the future

The End

Page 16: Managing Fraud


Thank You