profiling the fraudster - openthinking day
Post on 12-May-2015
376 Views
Preview:
DESCRIPTION
TRANSCRIPT
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.
Simon PadgettDirectorForensic Services
simon.padgett@protivitiglobal.ae
Dubai. September, 2012
…..its all about
people
Profiling the Fraudster
Open Thinking Day
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.
E&Y Fraud Survey – Key Findings
In the last year :
2 in 3 had been defrauded
1 in 10 had more than 50 frauds
82% were committed by employees
Half of the employees had over 5 years service
A quarter had more than 10 years service
A third of the frauds were by management
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.2
The first face is one of systems or controls
The other face is the human element
The two faces of fraud:
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.3
COSO identifies 5 components, which when integrated
and operating in all business units, will help establish an
effective internal control framework:
1. Control Environment
2. Risk Assessment
3. Control activities
4. Information and Communication
5. Monitoring
COSO
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.4
Organizations first identify risks and prioritize them by
assessing the impact and likelihood of an inherent risk.
A key differentiator between Internal Controls and Anti Fraud
Controls is the Human Element inherent in the decision to
defraud. Failure to assess the Human Element can cause frauds
to happen in organizations that otherwise seem to have a robust
and comprehensive internal control framework.
So, why do people commit fraud?
Fraud Risk Assessment
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.5
One of the best theories on why people commit fraud was given by
Donald Cressey in his book “Other People’s Money”
Cressey stated that Fraud occurs when an individual :
•Has a non sharable financial problem.
•Perceives an opportunity to resolve the situation.
•Has the ability to rationalize his misdeeds even before committing
them.
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.6
In other words for an individual to commit fraud, he may be
under pressure from a financial problem which the
individual perceives cannot be solved through other
means. These problems often manifest themselves into
behavioral patterns or red flags, which if spotted in time,
could prevent a fraud from happening.
The ACFE 2010 Report to the Nations, states that the most
commonly cited behavioral red flags were perpetrators
living beyond their apparent means or experiencing
financial difficulties at the time of the fraud.
Pressure
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.7
Even if an individual has the motive, he cannot perpetrate the
fraud unless presented with an opportunity. Opportunities
could arise due to a number of factors within the organization
such as high turnover of management in key roles, lack of
segregation of duties or a complex organization structure.
Opportunity
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.8
Rationalisation
Rationalisation of the act is the last element in
understanding why people commit fraud. Most people
believe themselves as good and need to convince
themselves that their actions were justified.
Some of these justifications are:
• I was going to pay it back
• Everybody does it
• I am not hurting anyone
• I was helping my family
• This is nothing compared to what xyz did.
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.9
To sum up, when this individual under pressure is presented
with an opportunity and is able to rationalize his planned
actions, fraud occurs. This hypothesis is better known as the
Fraud Triangle.
FRAUD
The Fraud Triangle
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.10
To be able to effectively analyse and prioritize fraud risks, organizations
should evaluate the Human Element in the fraud risk. This can be achieved
by applying the principles of the Fraud Triangle to the traditional risk
assessment criteria of Impact and Likelihood.
Traditional Risk Assessment Criteria
Fraud Risk Assessment Criteria IMPACT OPPORTUNITY SITUATIONAL
PRESSURE ATTITUDE OR
PERSONAL
INTEGRITY
FRAUD RISK PRIORITY
IMPACT LIKELIHOOD INHERENT RISK
RATING
The Human Elements
Fraud Risk Assessment
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.11
For example in an organization where an individual
performs a number of key controls – if this
individual’s personal integrity and values are high,
the chances of fraud happening is significantly
lower than when the individual’s personal integrity
is low. Understanding the people who manage key
internal controls in an organization, their values
and attitude could go a long way in minimizing the
incidence of fraud and help build effective anti-
fraud deterrents within an organization.
Key Controls and Personal Integrity
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.12
It is important for organizations to consider the human element while managing
fraud risks. An Anti-Fraud Program that considers the human element may
include the following fundamental controls:
•Establish a Code of Ethics.
•Develop Fraud Policies.
• Invest in a communication and training program on fraud and
corporate fraud policies for all employees.
•Ensure proper segregation of duties for key activities and functions.
•Set up appropriate recruitment procedures to select the right
candidates.
•Set up policies for rotation of staff duties and forced vacations.
•Know your key fraud risks and controls. Monitor them regularly.
•Set up a whistle blower hotline.
•Sound recruitment policies and psychometric testing.
•Develop a Fraud Risk Assessment process.
Anti-Fraud Program
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.13
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.14
1. Edwin H. Sutherland
First defined “white-collar crime” in 1939
– Criminal acts of corporations
– Individuals in corporate capacity
Theory of differential association
– Crime is not genetic
– Learned from intimate personal groups
– These groups teach "definitions" (including skills, motivations, attitudes,
and rationalizations) either favourable or unfavourable to the violation of
the law. Criminal behaviour results when one is exposed to an excess of
definitions favourable to the violation of the law over unfavourable
definitions.
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.15
2. Harvey Cardwell
Wrote a book in 1960 on the logic and language of auditing for fraud.
Found there are primarily 3 principal factors that contribute to
employees beginning to steal:
– The want for money - (early or late in life and the temporary urgent need)
“Years of honest service” become meaningless when presented with time
pressure.
– Aggrieved – stealing after years of honest work apparently when hopes
have faded, when honesty & effort have failed to produce the expected
measure of success. Deterrents of prior years are weakened by extreme
frustration.
– The ability to steal – has been deterred by fear of detection but experience
brings increased ability & self-confidence
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.16
3. Gottfredson & Hirschi’s general theory of
crime - 1990
Assume that individuals choose the behavior that they wish to
perform rationally. They will weigh the potential pleasure of
performing a behavior against the potential pain of the behavior.
When a behavior is judged to be more pleasurable than painful, an
individual is likely to perform the behavior.
Central to this decision is low self-control.
How much crime occurs will depend in part on how much crime
circumstances allow.
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.17
4. Richard C. Hollinger
Hollinger-Clark study (1983)
Surveyed 10,000 workers:
1/3 had committed some form of fraud.
Many stole because of job dissatisfaction.
Employee perception of detection is important.
Employee-thieves exhibit other deviances
– Sloppy work, sick leave abuses, etc.
Increased security & controls may hurt, not deter.
Management should be sensitive to employee’s attitudes.
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.18
5. Donald R. Cressey
Other Peoples Money
A criminologist who studied embezzlers
Why people become “trust violators”
Developed the Fraud Triangle in 1953
Cressey’s three learning principles
1) Non-shareable financial problem.
2) Perception that occupational situation can resolve the problem.
3) Ability to Rationalize the act(s).
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.19
The Fraud Triangle:
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.20
Fraud Risk Model
Attitude/
rationalization
Opportunity
Incentive/
pressure
High Risk
Medium
Risk
“…the auditor cannot assume that the inability to observe one or two of these conditions means there is no risk…”
“the auditor should not assume that all 3 conditions must be evident before concluding that there are identified risks.”
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.21
6. The triangle extended: the fraud diamond - Wolfe &
Hermanson - 2004Pressure
capability
opportunity
rationalisation
Position/function
The Human brain
Confidence/ego
Cultural issues
Coercion skills
Effective lying
Immunity to stress
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.22
The three parts of perceived
opportunity……
1. To commit fraud
2. To conceal fraud
3. To avoid punishment
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.2
3
pressure/rationalisation
capability
identify opportunity act
upon it;
will I be
caught?No
commit
fraud
Yes
don’t
do it
maybe
caught not
punisheddo it
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.24
Iceberg Theory of Dishonesty
Overt Aspects
- Hierarchy
- Financial resources
- Goals of the organisation
- Skills and abilities of
personnel
- Technological state
- Performances stds
- Efficiency measurements
Covert Aspects
- Attitudes
- Feelings (fear,
anger, etc)
- Values
- Norms
- Interaction
- Supportiveness
- Satisfaction
Structural
Considerations
Behaviourial
Considerations
Waterline
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.25
Characteristics of a Fraudster
College educated, white Male. ¾ of frauds are committed by
men. Higher median loss (US$85,000 for men, US$ 48,000 for
women).
Intelligent. The challenge of “secure systems” overcomes
boredom.
Egotistical. Feel worth more than their position.
Inquisitive. Curious as to computer vulnerability.
Risk takers. Not afraid to fail. Fails to consider consequences.
Rule breakers. Likes shortcuts. Justifies infractions of laws.
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.26
Characteristics of a Fraudster, continued
Hard Workers. In early, out late, no vacations.
Excessive overtime
Immune from stress.
Financial pressure. Medical fees, bad marriage,
gambling.
Married.
Management.
Disgruntled. Feels abused, not promoted, underpaid.
Big Spender. Living beyond means.
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.27
Characteristics of a Fraudster, continued
Sudden large purchases
Close relationships with suppliers/customers.
Don’t like people reviewing work
Unable to relax
Often display drastic behavioral changes
Need turns to greed.
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.28
Changes in Behaviour
Sudden large purchases. House, Car, Jewellery
Brags about purchases
Carry large amounts of cash
Fending off creditors
Borrows money from co-workers
Moody, Irritable
Defensive attitude to questioning
Territorial over responsibilities
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.29
Changes in Behaviour, continued
Workaholic
Mentions financial/family problems
Exhibits signs of addiction. Absenteeism, looks ill
Decrease in productivity
Spending excessive time with vendors/suppliers
Nervous
“Minor” infringements
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.30
Characteristics of a Victim Organisation
Most costly abuses in organizations of less than 100 employees.
Where fraud is not perceived a risk
Management ignore irregularities
Morale is low
High employee turnover
Lack of training
Rapid increase in revenues and profits
Strong, egotistical leader
Profit is the ultimate goal, to be reached no matter what
Salary structure tied to profit
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.31
ACFE Report to the Nations
on Occupational Fraud
The latest report, for 2010, was compiled from 1,843 cases and
covered cases from 106 nations.
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.32
Victims of Occupational Fraud
The 2010 Report provides some information on the types of businesses
that were victims of occupational frauds. The highs and lows are as
follows:
% of cases Median
loss
High Banking
and finance
16.6% Mining US$ 1
million
Low Mining 0.7% Education US$ 71k
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.33
Profiling by Fraudster Position in Organisation This is explained on the basis that more senior people in management levels and
executive positions have a greater opportunity to commit and hide larger frauds.
This is a common theme throughout the remainder of the profiles.
The study also found that lower level employees committed more frauds in number
than management level, and about twice as many frauds as executives - probably
because there are many more lower level employees that executives.
Employee Management Owner/Executive
39.7% 37.1% 23.3%
$70,000 $150,000 $834,000
42.1% 41.0% 16.9%
$80,000 $200,000 $723,000
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.34
Profiling by Job Description in Organisation
% of cases Median loss
Highs Accounting 22%Upper
Management$829,000
Lows Internal Audit 0.2% Internal Audit $13,000
The greatest number of cases are committed by people with the
accounting area of the business, as these employees will have
the knowledge of how to commit and hide the fraud and access
to the records to do so. The largest median losses were
incurred by frauds committed by people within the legal
department.
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.35
Profiling by Fraudster GenderOver the past surveys, the rate of fraud between the
genders began to equalize in number. This was
superficially explained by the trend of women getting
closer to equality in the work place (in numbers and
positions)Male Female
Percentage 2008 59.1 40.9
Median Loss 2008 250,000 110,000
Percentage 2010 66.7 33.3
Median Loss 2010 232,000 100,000
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.36
Profiling by Fraudster Age
Under
2526 to 30 31 to 40 41 to 50 51 to 60 over 60
% 5.9% 10.7% 34.2% 32% 15.1% 2%
Median losses increase with the age of employees.
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.37
Profiling by Educational Standard
High SchoolSome Tertiary
EducationTertiary Education Post Graduate
Percentage 2008 54.7% 34.4% 10.9%
Median Loss 2008 $150,000 $210,000 $550,000
Percentage 2010 28.8% 17.1% 38% 14%
Median Loss 2010 $100,000 $136,000 $234,000 $300,000
Smarter people - smarter frauds?
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.38
© 2012 Protiviti Member Firm (Middle East) Consultancy
CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.39
top related