Australia - PwC

pwc.com.au/crimesurvey

Cybercrime: Out of obscurity and into reality
6th PwC Global Economic Crime Survey
An Australian snapshot of economic crime
March 2012

The era of cybercrime is well and truly upon us. Cybercrime is now globally ranked the fourth most common form of economic crime. In Australia it ranks second. Sixty-three percent of respondents perceive the risk of cybercrime to have increased over the last 12 months.


Contents

Introduction 04
What types of economic crime are businesses experiencing? 07
Fraud in Australia: how do we compare? 08
Cybercrime: the emerging economic crime 10
Forward thinking: will fraud continue to rise? 15
Finger on the pulse: preventing and detecting fraud 16
Finger on the trigger: responding to fraud 18
Conclusion & Demographics 19
Contacts 20

6th PwC Global Economic Crime Survey March 2012


Global respondents include private and public companies: 3,877 respondents from 78 countries.

Introduction

I am pleased to present the Australian results of PwC’s Global Economic Crime Survey 2011.

The PwC Global Economic Crime Survey has been conducted every two years since 1999 and in Australia since 2001. It is one of the largest and most comprehensive surveys of its kind. The global and Australian surveys were last released in 2009. Since the last survey the world has experienced challenging economic circumstances. Significant changes in the economies across Europe and the Americas have resulted in market volatility and uncertainty. These economic conditions have increased both opportunities and incentives to commit economic crime. Worryingly, the 2011 survey shows Australia experienced economic crime at a greater rate than the global average. Our 6th PwC Global Economic Crime Survey has focused on the rising threat of cybercrime. As businesses and individuals increase their reliance on technology, they become exposed to a growing range of cybercrime threats. Many businesses may not yet have taken the time to consider whether they have sound cyber security mechanisms in place, but ignoring this risk could endanger their operations.


We would like to thank all of the Australian participants in the 2011 survey. We hope the information within this report will provide valuable insight and practical advice on how organisations can continue their efforts to combat fraud and other economic crimes.

Malcolm Shackell, Partner, Forensic Services

Fast facts for Australian organisations

47% said their organisation experienced economic crime in the last 12 months (up from 40% in 2009).

51% of those reporting economic crime experienced more than 10 incidents in the last 12 months.

16% said they suffered losses in the last 12 months that were in excess of AUD 5 million.

63% said they perceive the risk of cybercrime to have increased over the last 12 months.


Key findings

• 47% of Australian respondents reported that their organisation had experienced at least one instance of economic crime in the last 12 months. This compared to 34% globally and 31% in the Asia Pacific region. The number of respondents who reported instances of economic crime in their organisation in Australia has increased from 40% in 2009.
• Of those organisations that experienced at least one instance of economic crime, over 50% reported that they suffered more than 10 occurrences. 14% of organisations were subject to more than 1,000 incidents of fraud in the last 12 months.
• More than 50% of Australian respondents who had experienced economic crime in the last 12 months reported their organisation directly lost more than AUD 100,000 to economic crime during the last 12 months. 16% of organisations lost more than AUD 5 million.
• The perception of the likelihood of an organisation to experience economic crime increased in 2011 compared to 2009. For example, the perceived likelihood of asset misappropriation incidents increased from 31% in 2009 to 53% in 2011.

Cybercrime

• As businesses are making the most of the upside of collaborative technologies, so are cybercriminals. Australian public and private networks are under threat from sophisticated cyber attacks every day.
• Globally, respondents ranked cybercrime as the fourth most commonly experienced economic crime. In Australia, respondents ranked cybercrime second, just behind asset misappropriation.
• The level of cybercrime experienced in the last 12 months in Australia (30%) is significantly higher than global (23%) and Asia Pacific (22%) levels.
• Technology and globalisation are making the world a smaller place for fraudsters; however, many Australian organisations continue to take a reactive, instead of a proactive, approach to managing cybercrime. 46% of respondents said they did not have, or are not aware of having, the in-house capability to prevent and detect cybercrime.
• The majority (54%) of economic crimes committed in Australia in the last 12 months were by internal fraudsters. This is a significant increase from the results of our 2009 survey (33%). Organisations should focus on ensuring their internal controls are sufficiently mature to mitigate the risk of internal fraud.

Fraud going green

Sustainability fraud is fraud in relation to carbon credit trading markets, sustainability offsets and other environmental claims. Sustainability fraud is an emerging global trend. With the introduction of the Clean Energy Legislative Package, which includes the Clean Energy Act 2011, on 8 November 2011 in Australia, sustainability fraud is likely to be an emerging economic crime domestically in the next few years. Emerging and evolving markets such as carbon trading carry a higher risk of fraud as legislation and regulatory guidelines are in their infancy and explicit market rules have not yet been standardised. The expected rapid growth in the green economy may attract the interest of fraudsters, and organisations should be aware of the future potential dangers in this area. Organisations need to apply the same due diligence and rigour to green projects as for other core business projects. The development of the European carbon market has already brought to light a number of incidents of fraud and other manipulative behaviour. Sustainability fraud may expose organisations to significant reputational damage as environmental awareness increases in media and public circles.


What types of economic crime are businesses experiencing?

Asset misappropriation is the number one economic crime experienced globally and in Australia. As in previous years, Australian organisations reported a higher rate of economic crime than global counterparts, particularly in areas such as asset misappropriation, cybercrime and IP infringement.

Globally the top three economic crimes experienced are asset misappropriation, accounting fraud and bribery and corruption. In Australia, the top three economic crimes are asset misappropriation, cybercrime and bribery and corruption. In previous surveys, Australia’s experience with cybercrime was relatively insignificant (and therefore was included in “other” types of fraud). However, since the 2009 survey the risk of cybercrime has risen in line with increasing reliance on new technologies such as smart phones, tablets, social media and cloud computing.

Chart: What types of economic crime have our respondents experienced within the last 12 months? (2011 and 2009 panels; Global, Asia Pacific and Australia series; categories: Asset misappropriation, Cybercrime (previously in other), Bribery and corruption, Accounting fraud, IP infringement, Money laundering, Insider trading, Tax fraud, Anti-competitive behaviour, Espionage, Sustainability fraud (previously in other), Other.)


Fraud in Australia: how do we compare?

In the last 12 months, more Australian organisations reported being victims of economic crime than their regional or global counterparts. This follows a similar trend to the 2009 PwC Global Economic Crime Survey. In 2011, 47% of Australian respondents reported that their organisation had experienced an economic crime within the last 12 months. This compares to 31% in the Asia Pacific region and 34% globally. All regions experienced an increase in reported economic crime since 2009.

More than 50% of the Australian organisations that experienced economic crime in the past 12 months reported that they had suffered a loss of more than AUD 100,000 to economic crime. 16% estimated that they lost more than AUD 5 million to economic crime in the previous 12 months, compared to 7% globally and 8% in the Asia Pacific region.

CV of an average Australian fraudster
Age: 31-40 years (55%)
Gender: Male (75%)
Qualifications: High school (40%)
Position: Middle management or junior staff member (90%)
Length of service: 3-5 years (40%)

An inside job

The share of economic crime incidents committed by internal parties has increased in Australia from 33% in 2009 to 54% in 2011. This escalation of internal fraud highlights the importance of maintaining an organisational focus on preventative controls. Organisations cannot rely solely on reactive fraud measures. The “typical” internal fraud in Australian organisations involves a longer period of undiscovered deceptions, rather than a single large fraudulent incident (as is often the case with external fraud). There is a limit to the influence organisations have over external fraudsters. However, internal fraud can be significantly reduced by organisational initiatives. Proactive fraud prevention measures will help organisations identify weaknesses in their environment and reduce opportunities for internal fraud. These measures vary between organisations and may include leadership messages about the importance of appropriate standards of ethical behaviour and demonstrating this through consistent actions. In addition, organisations should consider communicating their stance on fraudulent behaviour, implementing transparent performance and remuneration schemes, using pre-employment and ongoing screening and, most importantly, fostering a culture of fraud awareness.

Asset misappropriation

Asset misappropriation remains globally, and in Australia, the most commonly encountered economic crime by organisations. Many of the frauds experienced by organisations fall into this category, including employee expense fraud, fraudulent invoicing, related payments and inappropriate asset disposal. This type of fraud often involves high value cash or physical assets. It is important for organisations to review the way they mitigate the risks associated with key assets.


Case study: An operational manager of a large manufacturing company had detailed knowledge of the invoicing systems, which enabled them to create fraudulent invoices inflating the costs of regular supply of goods and services from a third party. In addition, the employee had responsibility for the management of asset disposal and had the ability to write down stock to minimal value. This stock was then sold on the secondary market for a significant profit.

Our work involved an in-depth review of third party supplier invoices to substantiate the charges and compare these charges to industry standards. A detailed reconstruction of inventory records for the past 5 years was undertaken in conjunction with forensic imaging of a number of employees’ machines to recover historic inventory management data. The total estimated loss was in the range of AUD 8 million. Legal proceedings are currently underway to recover this loss.

Chart: Has your organisation experienced economic crime in the last 12 months? (Only yes responses shown; Global, Asia Pacific and Australia series; Australia: 2011 47%, 2009 40%.)

Chart: In financial terms, how much do you think your organisation may have lost directly through incidents of economic crime in the last 12 months? (Bands: More than 1 billion AUD; 100 million to 1 billion AUD; 5 million to 100 million AUD; 100,001 to 5 million AUD; Less than 100,000 AUD; Don’t know. Global, Asia Pacific and Australia series.)

Chart: Thinking about the most serious economic crime in the last 12 months, who was the main perpetrator? (2011 and 2009 series.)


Cybercrime: the emerging economic crime

Cybercrime ranks as the second most reported economic crime in Australia in the last 12 months. In prior years, cybercrime was so statistically insignificant that results were combined with ‘other types of fraud’. So why has cybercrime increased so markedly? Globally, businesses and governments are increasing their reliance on cyber technologies such as cloud computing, online banking and social networks. In tandem, the rate of change for new technology is increasing and organisations are struggling to keep up with the risks of introducing and using new technology. Cyber activity has provided both a new type of economic crime and new vectors to facilitate existing economic crimes. In Australia 63% of respondents said that they perceive the risks of cybercrime to have increased over the last 12 months. As shown in the graph to the right, this is significantly higher than both global and regional counterparts.

Chart: Has your perception of the risks of cybercrime to your organisation changed over the last 12 months? (Increased / Remained the same / Decreased; Global, Asia Pacific and Australia series; Australia: 63% increased.)

Chart: Location of greatest cybercrime threat to an organisation (Externally / Both internally and externally / Internally / Don’t know; Global, Asia Pacific and Australia series; Australia: 60% externally.)

In Australia 60% of respondents see the greatest risk of cybercrime coming from outside their organisation, compared with only 46% globally. The recent Australian media focus on external cyber attacks may have increased this view. However, cybercrime is no longer the domain of young hackers; instead it is committed by a multitude of offenders with diverse motives:
• Insiders who have authorised access and abuse this access for personal gain.
• Competitors seeking unfair advantage.
• Foreign governments committing espionage for political or economic gain.
• Trans-national criminal enterprises stealing and/or extorting information to generate income.
• Activists protesting organisational actions or policies.


Cybercrime – it’s complicated

There is a perception that the cyber risks facing Australian businesses are greater today than ever before. This is partly because media attention around recent high profile cases has increased organisational awareness of the threat. Cybercrime can be defined in a number of different ways. The following definition was used in this survey: “Cybercrime, also known as computer crime, is an economic crime committed using computers and the internet. It includes distributing viruses, illegally downloading files, phishing and pharming, and stealing personal information like bank account details. It is only a cybercrime if a computer, or computers, and the internet play a central role in the crime, not an incidental one.”

As with traditional economic crime, cybercrime can take many different forms:
• Targeted emails sent to employees in the public domain (for example CEO or Investor Relations) with attachments that contain hidden, malicious software that allows the attacker to steal intellectual property.
• Executives have their laptops removed from a hotel safe and tampered with (including the installation of malicious software on the machine that accesses hard drive data through cyber networks).
• A disgruntled contractor steals confidential information (such as bank account details, payroll information and pricing data) through computer and internet access to the company network and uses the information for personal advantage.
• An insider deliberately installs malicious software (for example viruses or trojans) on to a corporate computer network to log keystrokes and steal information.

Cybercrime, also known as computer crime, is defined as economic crime using a computer and the internet as the primary tool to commit fraud.

• Websites are defaced or disrupted by an attack on an organisation’s computer network so the server does not perform properly or prevents legitimate website visitors from accessing the site.
• Employees using social networking and media sites for both personal and professional purposes share large amounts of personal and private information, which is then used to identify and target individuals within companies for identity theft or circumvention of security controls.


Why worry?

When Australian organisations were asked what impact of cybercrime they were most concerned about, 43% said reputational damage, which is significantly higher than the number of people who were concerned about actual financial loss (24%). One of the troubling features of this emerging threat is that the impacts associated with cybercrime are more extensive than the bottom dollar. In these uncertain economic times, clients and customers place significant reliance on the reputational strength of the organisations with which they deal. Reputational damage arising from cybercrime outlasts the financial impact and may considerably affect an organisation’s client and customer base.

Some of the other characteristics that make cybercrime dangerous include:
• Single event frauds – cybercrime is often a single event crime, with a potentially devastating one off financial hit.
• Low risks and high rewards – committing cybercrime is attractive to many fraudsters, with the high availability and decreasing costs of technology lowering the set up costs required to commit crime. In addition, there may be fewer risks when compared with frauds that require a physical presence at the target organisation.
• Anonymous perpetrators – the technical knowledge of cybercrime fraudsters means in many cases it can be difficult for authorities to identify the perpetrator or even the location of the crime.
• Difficulty of recovery – cybercrime is a global business with fraudsters often located offshore. This makes it difficult to arrest and prosecute cybercriminals and, more importantly, hinders efforts to recover misappropriated funds.

…cybercrime is often a single event crime, with a potentially devastating one off financial hit.

Chart: What are the organisations surveyed most concerned about? (Global, Asia Pacific and Australia series; labelled values: Reputational damage 43%, Theft or loss of personal identifiable information 37%, IP theft (including theft of data) 29%, Service disruption 28%, Actual financial loss 24%, Cost of investigation and damage control 18%, Regulatory risks 15%.)

Where has your USB been lately?

When working outside a secure office environment, most employees are aware of the need to protect sensitive data contained in physical documents. However, with the increased portability of confidential data on smart phones, tablets and USB drives, are we being careful enough? Consider the following questions:
• Where has your USB been?
• What wireless internet connections have you used for your company laptop and/or smart device? Were they all in the office, or were some of them public hotspots?
• How complex are your passwords? Do you keep copies of your passwords in secure locations?
• Who else has access to your computer?
• Who have you provided your personal information to?
Trans-national criminal enterprises often maintain remote access to target individuals and/or corporations for six to 18 months before they are detected. Therefore it is imperative to focus efforts on preventing the unfettered access in the first place.

Case Study: Targeting of executives

A recent cybercrime case targeted senior executives of a large multi-national organisation, who routinely travelled to foreign countries where the business had offshore operations. The fraudsters used sophisticated cybercrime techniques as part of their campaign. They produced a spoofed email from a computer, compromised a website, distributed malicious PDF documents and other URL links, and downloaded software to the victim company’s network without its consent. The malicious software gave super user access to the company’s corporate network. Specialist forensic investigations identified evidence of continuous targeting for a significant period of time. As a result of the investigation, the infected machines were required to be cleaned. The organisation has since put further security controls in place, including forensic analysis of machines before and after overseas travel. In addition, senior executives were educated about appropriate security practices when travelling.

Are we prepared?

Organisations are aware and worried about the potential consequences of cybercrime; however, many do not feel prepared.

When asked who holds the ultimate responsibility for managing an organisation’s cybercrime risks, 54% of Australian respondents named the Chief Information Officer or Chief Security Officer. Only 23% specified the CEO or the Board. In addition, only 44% of respondents reported that the CEO and Board reviewed cyber-related risks at least once a year. This indicates that the current state of awareness of cybercrime remains inconsistent. One in five respondents said senior executives never reviewed cybercrime risks, or reviewed them only on an ad-hoc basis, suggesting these risks are reviewed only after an event has occurred.

The increasing prevalence and far reaching impact of cybercrime means it is no longer an issue for the IT department alone. Senior management and Boards must take a more holistic approach to understanding their exposure to and appetite for cyber risks. More than 60% of Australian respondents felt the risk of cybercrime was growing. Although it was pleasing to see that only a small proportion (35%) of respondents had not received any cyber security related awareness training, only 37% had received face to face training (instead of email announcements, banners or posters). Only 38% of respondents said they had in-house capabilities to investigate cybercrime. In many organisations, having in-house capabilities will not be feasible. Therefore it is important for organisations to have the ability to quickly access the expertise of forensic technology investigators. This is one element of an organisation’s preparation for cybercrime risks. Organisations should assess their preparedness to ensure they have the controls in place to respond proactively instead of reactively to emerging threats.


Protecting against cybercrime

Many organisations simply do not know where or how to start preparing for these threats. Part of the problem is that no one owns or controls the internet. There is little governance, oversight or regulatory power over its users. What’s more, organised criminals have become increasingly sophisticated in their ability to exploit flaws in the way the internet operates. The pace of technology means that organisations are constantly undergoing business transformation to maintain a leading edge. This exposes organisations to unknown cyber threats through constantly changing IT systems and business processes. It is important for organisations to have an overall information security strategy that addresses how they will approach the three lines of defence for cybercrime: prevention, detection and response. The top ways to protect an organisation against economic crime include:
• Tone from the top – having a leadership team that ensures cyber risks are a focus as the organisation develops.
• Due diligence programs – to ensure the organisation knows who it engages with, including staff, contractors, suppliers and agents.
• IT security framework – aligning IT policies and programs and defining the responsibilities of Internal Audit and the board for maintaining awareness of fraud.
• Regular fraud and cybercrime risk assessments – to identify the inherent risks present in an organisation and ensure sufficient mitigating controls are in place.
• Industry and environment monitoring built into the security function – to enable an organisation to proactively develop responses to current and growing cyber-risks.
• Incident response teams – which are charged with tracking and assessing cyber risks and dealing with an incident as soon as it is identified.
• Education programs – to increase situational awareness, an organisation should invest in cyber skills to help inspire those people with the relevant skills to keep the business safe.


On the front line with cyber security

Failure to respond immediately to a cybercrime with resources experienced in crisis management and cyber investigative techniques can result in significant financial losses and irreparable damage to an organisation’s reputation. While critically important, forensic investigative experience is generally not a core competency of leading global organisations. Simply put, it is seldom practical for most companies to maintain the requisite forensic investigative resources and technologies necessary to effectively conduct complex cyber investigations. To gauge an organisation’s cyber security expertise, some of the questions that should be asked are:
• Is the threat of cybercrime on the organisation’s risk register and/or discussed?
• Does the organisation know the number of security incidents that occurred in the past year?
• Are executives’ machines checked for tampering or malicious software pre- and post-travel to high-risk countries?
• Does the organisation have a security strategy and governance approach that is aligned with business strategy?
• Does the organisation have a tested incident response plan for cyber security issues?

Case Study: The head of a small, fast growing client employed a number of senior staff because they were ‘friends’ and felt they could be trusted. The focus of the owner was on growing the business, until one day it was suddenly discovered that there was no money in the bank accounts. A review identified a series of unauthorised ‘loans’ to senior staff that were disguised as lease back agreements, misuse of fuel cards and other payments of personal expenses. Three senior staff resigned before the investigation concluded. As the investigation progressed, significant unauthorised computer activity in relation to internal files was identified, leading to the discovery of significant theft of IP. It later transpired that the three senior staff were trying to set up a business in direct competition with their former employer. The issue was complicated because management of the web portals and e-mail systems had been outsourced to a small web-design company that was unable (or unwilling) to respond quickly to requests to block access.

Forward thinking: will fraud continue to rise?

Since 2009, the perception of the level of economic crime likely to impact organisations in the future has increased. A business only becomes aware of a fraud when it is uncovered, making it difficult for many organisations to determine their fraud risk exposure. But over time, as more businesses mature in their ability to detect fraud and as more high profile cases appear in the media, businesses will become more aware of fraud as an issue. Long standing fraud types such as asset misappropriation, accounting fraud and bribery and corruption remain high on the list of economic crimes. However, new risks such as cybercrime and sustainability fraud are growing fast. Which of these risks should be the highest priority for organisations? Fraud risks will vary from organisation to organisation; however, some trends appear to be common. Asset misappropriation is likely to remain stable as the number one economic crime affecting organisations. Organisational controls over cash and physical assets should remain a focus. In Australia, organisations should prioritise growing their capacity to mitigate the risks presented by economic crimes that appear to be on the rise, such as bribery and corruption, cybercrime and sustainability fraud.

Chart: Thinking about the next 12 months, is it likely your organisation will experience economic crime? (Only yes responses shown; 2011 and 2009 panels; Global, Asia Pacific and Australia series; categories: Asset misappropriation, Accounting fraud, Bribery and corruption, Cybercrime (previously not included), IP infringement, Money laundering, Tax fraud, Insider trading, Anti-competitive behaviour, Espionage, Sustainability fraud (previously not included).)


Finger on the pulse: preventing and detecting fraud

Fraud detection is one of the key elements in managing the risk of fraud. The survey results show that specific, targeted fraud controls are the most effective means of detecting economic crime. In Australian organisations 35% of fraud is detected through a tip off, both by internal and external sources and through formalised whistleblower programs (up from 30% in 2009).

Chart: Thinking about the most serious economic crime experienced, how was the crime initially detected? (2011 and 2009 panels; Global, Asia Pacific and Australia series; categories: Tip off (including whistle blowing program), Fraud risk management, Suspicious transaction reporting, Internal and external audit, Others, Corporate security (both IT and physical security), By accident, By law enforcement, Rotation of personnel, Don’t know.)
Labelled Australian values, 2011: Tip off 35%; Fraud risk management 22%; Suspicious transaction reporting 14%; Internal and external audit 11%.
Labelled Australian values, 2009: Tip off 30%; Fraud risk management 17%; Suspicious transaction reporting 10%; Internal and external audit 10%; By accident 10%; By law enforcement 7%; Rotation of personnel 10%.

This highlights the significant role people play in detecting fraud. Organisations should ensure their detection programs use the power of their staff through:
• Staff fraud awareness and training programs.
• A whistleblower program that staff trust.
• Maintaining and promoting fraud reporting channels.

Responses demonstrate the importance of having fraud risk management procedures in place. 35% of economic crimes reported by respondents were detected through fraud risk management and targeted suspicious transaction reporting systems, up from 27% in 2009. An integral part of fraud risk management is formalised fraud risk assessments. Pleasingly, 79% of Australian respondents stated their organisation had performed a fraud risk assessment at least once in the last 12 months.

Delving into data: suspicious transaction reporting and targeted fraud data analytics

Suspicious transaction reporting is used to reduce the risk of fraud and error occurring in financial systems by identifying collusion between parties, errors in processing (both unintentional and fraudulent) and ensuring obsolete information is retired from systems. The reliance of organisations on suspicious transaction reporting has increased globally from 5% in 2009 to 18% in 2011. A similar trend has been found in Australia with an increase from 10% in 2009 to 14% in 2011. This observation supports the benefits organisations gain from performing analysis of their financial systems to identify conflicts of interest and potential fraud.

Case study: data analytics – expense claim

Data analytics were used to review unusual expense claims made by staff, including senior executives, by matching expense claims to policy allowances. Several years’ worth of data was analysed for suspicious transactions. These expense items were then matched to supporting documentation, and where required ‘show cause’ notifications were given to staff. The analysis showed employees had breached policy allowances on multiple occasions. A further review was performed around the approval processes for expense claims and found that senior executives were using peer review to approve claims.

Case study: suspicious transaction analysis – fraudulent invoices

Suspicious transaction analysis tests were performed on a client’s financial systems to identify any employees sharing bank account or address details with vendors. During this review the analysis identified an employee who worked in the accounts payable department who had the same address as a vendor. Initially the vendor was identified as a legitimate small business contracted by the client to perform cleaning services. After further investigation of the transactions, it was discovered invoices had been issued and paid after the vendor’s contract had been terminated. The employee had continued to generate invoices for this vendor and due to their position within the accounts payable department, paid themselves up to half a million in fraudulent payments. In interviews with investigators, the employee admitted to the fraud. The employee has since been dismissed and criminal and legal proceedings commenced.
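As an added example, not taken from the survey or a PwC tool, the two tests described in the invoice case study (employee and vendor master data sharing an address or bank account, and invoices paid after a vendor’s contract ended) run over constructed sample records; the record layouts, names and values are all assumptions:

```python
from collections import namedtuple
from datetime import date

Employee = namedtuple("Employee", "emp_id address bank_account")
Vendor = namedtuple("Vendor", "vendor_id address bank_account contract_end")  # contract_end None = active
Invoice = namedtuple("Invoice", "invoice_id vendor_id paid_on entered_by")  # entered_by = AP user who keyed it

def _norm(s):
    # Case-, punctuation- and whitespace-insensitive so formatting differences don't hide a shared address
    return " ".join(s.lower().replace(",", " ").replace(".", " ").split())

def shared_details(employees, vendors):
    """Map (emp_id, vendor_id) -> set of master-data fields the pair has in common."""
    links = {}
    for e in employees:
        for v in vendors:
            fields = set()
            if _norm(e.address) == _norm(v.address):
                fields.add("address")
            if e.bank_account and e.bank_account == v.bank_account:
                fields.add("bank_account")
            if fields:
                links[(e.emp_id, v.vendor_id)] = fields
    return links

def flag_invoices(invoices, employees, vendors):
    """Return {invoice_id: reasons} for invoices that warrant a 'show cause' review."""
    links = shared_details(employees, vendors)
    ends = {v.vendor_id: v.contract_end for v in vendors}
    flagged = {}
    for inv in invoices:
        reasons = []
        end = ends.get(inv.vendor_id)
        if end is not None and inv.paid_on > end:
            reasons.append("paid after contract termination")
        for field in sorted(links.get((inv.entered_by, inv.vendor_id), ())):
            reasons.append(f"entered by employee sharing {field} with vendor")
        if reasons:
            flagged[inv.invoice_id] = reasons
    return flagged

# Constructed sample data (not from the survey): E1 works in accounts payable and shares an address with V100
EMPLOYEES = [Employee("E1", "12 Sample St, Sampletown", "111-222"), Employee("E2", "9 Other Rd", "333-444")]
VENDORS = [Vendor("V100", "12 sample st sampletown", "555-666", date(2011, 6, 30)),
           Vendor("V200", "1 Supplier Ave", "777-888", None)]
INVOICES = [Invoice("INV1", "V100", date(2011, 5, 10), "E1"),
            Invoice("INV2", "V100", date(2011, 8, 15), "E1"),
            Invoice("INV3", "V200", date(2011, 9, 1), "E2")]
if __name__ == "__main__":
    print(flag_invoices(INVOICES, EMPLOYEES, VENDORS))
```

Only the second V100 invoice trips both tests; the first shares the address link alone, and the unrelated V200 invoice is not flagged.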

The human touch: whistleblower programs and detailed fraud risk assessments

Employees in an organisation, particularly lower level management, usually have a very detailed understanding of day to day transactions. These people are often the first to pick up on transactions or behaviours that seem inconsistent and suspicious. However, bringing these insights to light requires effective reporting mechanisms.

Case study: Whistleblower program

A call from a whistleblower was the key first step in what turned out to be a complex investigation into fraud, corruption and serious workplace misconduct. The whistleblower provided fragmentary but vital information about the activities of an executive working in an ASX200 listed organisation. The information provided by the whistleblower was subsequently verified through the evidence obtained from the organisation and through interviews. The investigation uncovered a longstanding scheme to defraud the organisation by manipulating inventory and assets through a third-party supplier. In addition, corruption in the form of preferential dealings with a range of suppliers, with ‘kick-backs’ benefitting the executive, was uncovered. Having a whistleblower hotline gave this organisation the channel to obtain crucial information and a capacity to respond effectively.

Fraud risk assessments

Fraud risk assessments allow organisations to obtain a holistic view of their exposure to fraud across a range of different sub-processes and functions. An effective and comprehensive fraud risk assessment should:

• Identify potential fraud risks.

• Assess the likelihood and significance of risks occurring.

• Identify existing preventative and detective controls and map them to the relevant fraud risks.

• Identify and evaluate residual fraud risks resulting from ineffective or non-existent controls.

• Assign individual responsibility to manage and respond to residual fraud risks.


Finger on the trigger: responding to fraud

Many organisations have a plan in place to respond if an economic crime is detected. But once an incident has been confirmed, organisations can be reluctant to take further action against employees. Survey responses show that 94% of Australian organisations informed law enforcement of economic crimes committed by external fraudsters. Reporting to law enforcement drops to 50% of organisations when the incident involves an internal fraudster. Overall, incidents involving internal fraudsters have lower external reporting rates, with the most common action being dismissal. This increases the risk that employees who have been disciplined by one employer, but not reported to authorities, may go to work for another employer and continue fraudulent behaviour. Organisations should consider having a holistic action plan in place to respond to economic fraud, covering both internal and external fraud incidents. The actions taken against fraudsters should be clearly outlined and, in the case of an internal incident, be linked to relevant Human Resources discipline policies. This action plan should be applied consistently to all incidents. An organisation’s response to and reporting of economic crime should consider both its corporate and civil responsibility.

[Chart: Actions taken against internal fraudsters, Australia compared with Asia Pacific and Global (axis 0–100%). Categories charted: dismissal, warning/reprimand, transfer, notified relevant regulatory authorities, law enforcement informed (50%), civil action was taken including recoveries, did nothing, other, don’t know.]

[Chart: Actions taken against external fraudsters, Australia compared with Asia Pacific and Global (axis 0–100%). Categories charted: cessation of the business relationship, notified relevant regulatory authorities, law enforcement informed (94%), civil action was taken including recoveries, did nothing, other, don’t know.]

Conclusion

The PwC Global Economic Crime Survey 2011 has shown the ever increasing impact of fraud from both a value and volume perspective. Most significantly, 2011 brought the emergence of cybercrime into focus. Incidents of cybercrime have rapidly risen in Australia and many organisations are struggling to stay one step ahead. Particularly in the current environment, all Australian organisations should consider the economic crime risks within their operations and their capabilities to proactively mitigate these risks.

Demographics

3,877 respondents | 78 countries | 79 Australian organisations | 34% senior executives

The PwC Global Economic Crime Survey 2011 interviewed 3,877 (2009: 3,037) respondents across 78 countries (2009: 54). Seventy-nine Australian companies contributed to the research from some of the largest organisations in the country. Interviews were conducted with representatives from various functions including finance, audit, legal, human resources, security, risk and compliance and at the CEO and board level. Of the total number of respondents, 34% were senior executives of their respective organisations (2009: 25%), 34% represented listed organisations (2009: 44%) and 54% represented organisations with more than 1,000 employees (2009: 34%).

Industries covered included aerospace and defence, automotive, chemicals, communication, energy, utilities and mining, engineering and construction, entertainment and media, financial services, government services/public services, healthcare, insurance, industrial manufacturing, pharmaceuticals, retail and consumer, technology and transportation and logistics.

Further information on the survey demographics and definitions of economic crime can be found in the Global Economic Crime publication online at www.pwc.com/crimesurvey


pwc.com.au/crimesurvey

For more information please contact:

Adelaide Kim Cheater – Partner +61 (8) 8218 7407 [email protected]

Melbourne Steve Ingram – Partner +61 (3) 8603 3676 [email protected]

Brisbane David Harley – Principal +61 (7) 3257 8307 [email protected]

Perth Cameron Jones – Partner +61 (8) 9238 3375 [email protected]

Canberra Tony Grieves – Principal +61 (2) 6271 9402 [email protected]

Sydney Malcolm Shackell – Partner +61 (2) 8266 2993 [email protected]

Melbourne Michael Cerny – Partner +61 (3) 8603 6866 [email protected]

Sydney Cassandra Michie – Partner +61 (2) 8266 2774 [email protected]

Liability is limited by the Accountant’s Scheme under the Professional Standards Act 1994 (NSW)


© 2012 PricewaterhouseCoopers. All rights reserved. PwC refers to the Australian member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.