purco higher education procurement conference 2012
minimising fraud and corruption threat
steven powell
cape town, 26 october 2012
objectives
to provide an update regarding:
– dramatic changes to the global anti-corruption regime including South Africa
– the impact of the recession on fraud and corruption
– fraud facts and theory including the profile of the fraudster
– current trends and fraud modus operandi that pose a threat to business in SA
– an explanation of the threat posed by electronic fraud
– critical controls to proactively manage the electronic funds transfer (EFT) fraud risk
– case studies
the UK Bribery Act
– the UKBA, which came into effect on 1 July 2011, is the most dramatic change to the global corruption environment since the introduction of FCPA more than 20 years ago
– companies that are listed in, do business with the UK or participate in JVs, acquire or are acquired or merge with UK based entities will have to comply
– targets bribery and forces companies to self regulate by having robust anti-bribery processes and procedures
– strong anti-bribery measures constitute a defence against prosecution for isolated incidents
– Ministry of Justice has indicated six principles that companies should implement to escape liability
The UKBA
– The UK Bribery Act 2010 is a lot more thorough and repeals all previous UK statutory and common law provisions relating to bribery, replacing them with the crimes of
  – bribery,
  – being bribed,
  – the bribery of foreign public officials and importantly for SA organisations with links to the UK…
  – the introduction of a new strict liability corporate offence: “the failure of a commercial organisation to prevent bribery on its behalf”
  – reasonable and proportionate corporate hospitality is permitted
  – facilitation payments are criminalized
the UKBA
– The new Act is broad and applies to “ordinary residents in the UK” and “relevant commercial organisations” i.e. UK partnerships, UK incorporated companies as well as entities that “carry on business or part of a business in the UK” regardless of where they are incorporated or registered.
– It is important for applicable SA companies to understand that under this new Act they may be charged with the offence of failing to prevent bribery on their behalf through their business dealings and links with the UK.
– provides strict liability for “associated persons” who pay bribes on behalf of the company – includes employees, agents, subsidiaries, and even subcontractors
more specifically the UKBA contains
– two general offences covering the offering, promising or giving of an advantage, and requesting, agreeing to receive or accepting of an advantage, covering both active and passive bribery and applies to individuals and corporate bodies in the UK and covers bribes using agents or intermediaries paid anywhere in the world
– the distinct offence of bribery of a foreign public official;
– the new offence of: failure by a commercial organisation to prevent a bribe being paid for or on its behalf (note that it may be a defence if the organisation has “adequate procedures” in place to prevent bribery based on a balance of probabilities standard, with consideration to the company’s size, type of industry it operates in, the risk of corruption in its markets and also how actively the business fosters a culture of compliance).
the six principles - (what you have to do to have a defence)
– Proportionate procedures - A commercial organisation’s procedures to prevent bribery by persons associated with it are proportionate to the bribery risks it faces and to the nature, scale and complexity of the commercial organisation’s activities
– Top level commitment - Management tone will be critical. The top-level management of a commercial organisation (be it a board of directors, the owners or any other equivalent body or person) should be committed to preventing bribery by persons associated with it
– Risk assessment - The commercial organisation assesses the nature and extent of its exposure to potential external and internal risks of bribery on its behalf by persons associated with it
the six principles contd
– Due diligence - The commercial organisation applies due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.
– Communication (including training) - The commercial organisation seeks to ensure that its bribery prevention policies and procedures are embedded and understood throughout the organisation through internal and external communication, including training, that is proportionate to the risks it faces.
– Monitoring and review - The commercial organisation monitors and reviews procedures designed to prevent bribery by persons associated with it and makes improvements where necessary.
the 2 most radical global anti-corruption enactments
– United States Foreign Corrupt Practices Act 1977 (FCPA)
  – 2008 – 11 companies paid $890 million companies paid $644 million companies paid $1.8 billion (Siemens R1,4)
  – 2011 – slow year - fifteen companies settled FCPA enforcement actions by paying a total of $ million
– United Kingdom Bribery Act 2010 (effective July 2011)
  – set to follow US example - pre – UKBA, SFO setting huge fines – pre UKBA
  – currently restructuring under new head – David Green QC
  – it will take a few years for the SFO to get enforcement into gear
  – first FCPA prosecutions only took place in 1995
the Prevention & Combating of Corrupt Activities Act (Act 12 of 2004)
is the major anti-corruption initiative in SA:
– defines categories of corrupt activities
– creates reporting obligation if you know or suspect acts of corruption, fraud, theft, extortion, forgery & uttering
– prohibits cross border acts of corruption (extra territorial jurisdiction for SA courts)
– provides a black list for companies convicted of corruption
– The reporting obligation is set out in Section 34 – any person in a position of authority who knows, ought reasonably to have known, or suspects that an act of corruption, fraud, theft, extortion, forgery or uttering has been committed, where value exceeds R100,000.00, has to report to the SA Police Services
– failure to report is a criminal offence – max 10 years jail sentence
new definition of corruption
– under the new act, any person who directly or indirectly gives or accepts or agrees or offers to give or accept any gratification from another person with the purpose of acting personally or influencing another person to act in a manner that amounts to an illegal, dishonest, or unauthorized action or an abuse of authority, a breach of trust, or a violation of a legal duty – is guilty of an act of corruption
“gratification”
– the term “gratification” has purposefully been very widely defined. it incorporates money, donations, indemnities, offers of employment, discharge of a debt, the granting of favours, rights or privileges, aid, votes, consent or benefits of any kind
the latest anti-corruption weapon in South Africa - Section 43 of the regulations to the companies act
– requires the establishment of a social and ethics committee
– applies to:
  – every state owned company
  – every listed public company
  – any other company that has in two of the previous 5 years scored more than 500 points in relation to reg 26(2)
– score is determined by
  – one point per average employee number,
  – one point per every R1 million in third party liability,
  – one point for every million in turnover and
  – one point for every person with direct/indirect beneficial interest in issued securities,
  – and then for NPOs – one point per member or per association that is a member
Section 43 of the 2011 regs to the Companies Act
– The Social and ethics committee of the company shall monitor the company’s progress and standing regarding the implementation of the OECD recommendations on preventing corruption:
  – Not offer, promise or give undue pecuniary or other advantage to public officials or the employees of business partners.
  – Develop and adopt adequate internal controls, ethics and compliance programmes or measures for preventing and detecting bribery, developed on the basis of a risk assessment addressing the individual circumstances of an enterprise, in particular the bribery risks facing the enterprise (such as its geographical and industrial sector of operation)
  – Prohibit and discourage facilitation payments
recommendations contd
– Perform due diligence on agents and intermediaries
– Enhance the transparency of their activities in the fight against bribery, bribe solicitation and extortion
– Promote employee awareness of and compliance with company policies and internal controls, ethics and compliance programmes or measures against bribery, bribe solicitation and extortion
– not make political donations (non compliant entities face a million Rand penalty)
– The committee must also ensure companies adhere to UN Global compact principles – Principle 10 is reducing corruption
The impact of the recession on fraud & corruption
– financial distress = fraud risk
– staff are financially distressed
– spiralling debt and the inability to manage debts is a massive factor inducing fraud and corruption
– implications of staff indebted to micro lenders
– monitor the situation - how many garnishee orders are there on your payroll?
– how many of your staff in finance are under pressure?
– controls must be tighter than ever
understanding the fraud risk – who is the fraudster in your organisation
– the typical fraudster possesses the following attributes: capable, reliable, persuasive, charming, presentable & popular and is usually a trusted employee - mr fixit!
– more than 80% of all frauds involve employees, most of whom have more than 5 years of service
– TRUST REPLACES THE CONTROLS
– generally the profile is:
  – older than 30, higher percentage are male, stable family situation, above average education, first offender (look around)
the fraud recipe
FRAUD RISK: incentive / pressure, attitude / rationalisation, opportunity
fraud pressures
– living beyond means
– insecurity regarding tenure of position
– trigger events
– divorce
– extra marital affairs
– medical emergency
– peer pressure
– addictions - gambling, alcohol or drugs
opportunity
– poor control environment
– remote location
– shared passwords
– limited segregation of duties
– limited independent review
– high trust
examples of “rationalizations”
– “it was just a loan I am going to pay it back”
– “it was a spotters fee”
– “it was just a commission”
– “the company does not pay enough money for us to survive”
– “the company has retrenched a lot of staff”
– “i should have been promoted long ago”
white collar crime is escalating but the capacity on the part of the criminal justice process to address the problem is diminishing…
– investigations done poorly
– dockets go missing
– cases end up in the hands of weak and inexperienced prosecutors
ENS solution
– perform entire investigation, try to secure confessions, focus on recovery, give the state a foolproof package – plea agreement
– perform proactive anti-fraud procedures
current fraud trends
– EFT fraud, internal and external, poses a major threat
– syndicate activity has been problematic for our clients in retail
  – organized crime in DCs
  – cloned credit card activity
  – gift voucher and refund abuse
– conflicts of interest
– procurement fraud & kickbacks to buyers
– ghost suppliers
– ghost employees, particularly in respect of labour broker staff
– increased incidents of theft of intellectual property by employees leaving and joining competitors
EFT fraud definition
EFT fraud is essentially the diversion of funds from the organisation’s bank accounts to third parties, to whom those funds are not due, usually involving manipulation of the vendor payment system
electronic funds transfer fraud
two methods
– creation of alternative vendor profile which is then selected to perform illicit transactions
– substitution of employee account and deletion
whose problem is EFT fraud?
– it is invariably an account holder problem, and usually not a bank problem
– it is usually facilitated by password abuse within the finance team
– spyware and collusion with bank officials must be excluded
case study 1 – eft payment clerk
shaken not stirred – 007 steals R740k from a large retailer
– position - eft payment clerk – earnings R10k
– fraud: divorce, weak controls
the black hole
– lost payment – software programmers showed our suspect how to manually override the system to ensure that payments reach the intended destination
– every time our suspect made a legitimate payment he knew he could steal by changing a text file on his c drive
– “I could not resist the temptation, the controls were so weak they deserved it”
– testing thresholds
case study 2 – chief accountant
R2 million in one year
– modus operandi – amendment of vendor banking account detail on vendor master file
– substituted account not own account (DRC)
– once illicit transaction concluded – amended vendor profile deleted and vendor banking info restored to original
– when routine audits are performed – all appears as it should
– where did the money go?
  – the local casino received R1,95 million out of the R2 million stolen
case study 3 - FD at packaging company
– R4.2 mil misappropriated
– R1,7 in one morning
– substitution and deletion
– vehicles, houses, timeshare (house search), gambling, overseas travel, holidays, private schooling, heart operation, property for family, vehicles for close friends
– safety deposit boxes?
– 3 million rand recovery via full co-operation which translated into mitigation for an effective 5 year jail term
case study 4 & 5
– R3.2 million EFTs, 63 transactions over one weekend - syndicate involved
  – accounts frozen, R2.1 recovered
  – password abuse prevalent
– R4,2 million in Western Cape over 8 years
  – suspect placed personal stop orders (DSTV, Telkom, cars and insurance) on organisation account
  – suspect paid for her house R1.3 million with EFT to lawyers
  – suspect overpaid suppliers and diverted reimbursement to her account
what should the company have picked up?
– eft clerk
  – the payments to a particular supplier whose profile was exploited were far over budget
  – routine audits testing payroll against the vendor master files would have identified the illicit profile
– chief accountant
  – password control was abused
  – cfo signed off batches of EFTs – if he had just counted the transactions he would have noticed that there were more payments in the batch than the paperwork reflected
  – supplier payments were duplicated - a proper recon of each supplier against approved budget would have identified the overspend
key controls
– vet vendors properly (address, history, bank account, expertise & infrastructure)
– enforce tight control over changes to suppliers’ bank accounts – add management authorisation
– audit changes to supplier banking info over the past year
– interrogate the changes
– verify with suppliers and banking institution
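
An added example (not part of the original presentation) of the audit of supplier banking changes listed under key controls: it flags bank details that were changed and later restored with a payment in between (the substitution and deletion pattern from the case studies), and vendor bank accounts that match a payroll account. The record layouts, field names and sample values are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data (hypothetical layouts and values, not from the page).
# Vendor master audit trail: (timestamp, vendor_id, old_account, new_account, changed_by)
CHANGES = [
    ("2012-03-01 08:05", "V100", "ACC-1111", "ACC-9999", "clerk1"),
    ("2012-03-01 11:40", "V100", "ACC-9999", "ACC-1111", "clerk1"),
    ("2012-03-05 09:00", "V200", "ACC-2222", "ACC-3333", "clerk2"),
]
# EFT payments: (timestamp, vendor_id, destination_account, amount)
PAYMENTS = [
    ("2012-03-01 09:30", "V100", "ACC-9999", 185000.00),
    ("2012-03-02 10:00", "V100", "ACC-1111", 42000.00),
    ("2012-03-06 10:00", "V200", "ACC-3333", 15000.00),
]
# Payroll bank accounts: employee -> account
PAYROLL = {"clerk1": "ACC-5555", "clerk2": "ACC-3333"}

def ts(s):
    # Parse the timestamp format used in the sample records.
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def substitute_and_restore(changes, payments):
    """Flag payments made while a vendor's bank account was swapped
    and later restored to the original value."""
    findings = []
    ordered = sorted(changes, key=lambda c: ts(c[0]))
    for i, (t1, vendor, old, new, user) in enumerate(ordered):
        for t2, vendor2, old2, new2, _ in ordered[i + 1:]:
            if vendor2 == vendor and old2 == new and new2 == old:
                paid = [p for p in payments
                        if p[1] == vendor and p[2] == new
                        and ts(t1) <= ts(p[0]) <= ts(t2)]
                if paid:
                    findings.append((vendor, new, user, sum(p[3] for p in paid)))
                break  # only the first restore closes this substitution window
    return findings

def vendor_accounts_on_payroll(changes, payroll):
    """Flag vendor bank details that match an employee's payroll account."""
    by_account = {acct: emp for emp, acct in payroll.items()}
    return sorted({(c[1], c[3], by_account[c[3]])
                   for c in changes if c[3] in by_account})

if __name__ == "__main__":
    print(substitute_and_restore(CHANGES, PAYMENTS))
    print(vendor_accounts_on_payroll(CHANGES, PAYROLL))
```

Both checks depend on an audit trail of vendor master changes that the finance team cannot edit or delete; a routine audit of the current master file alone shows nothing once the original details are restored.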
mitigating fraud risk: screen staff & suppliers
– too many organizations employ individuals with criminal records – you can ask about and check prior criminal history when you appoint to positions of trust
– too many of our suppliers don’t have the skills to do the work they sell to us – verify expertise and infrastructure
– declaration of interests coupled to regular screening is vital to identify
  – moonlighting
  – related party transactions (hidden)
  – ghost suppliers
the symptoms of fraudulent behavior
the red flags or warning signals in respect of the corrupt employee are always present - make sure that you detect the obvious
fraud red flags
– excessive lifestyle
– gambling, alcohol or drug problems
– staff who constantly claim to be underpaid
– close relationships with suppliers
– sole suppliers - not shopping around
– poor credit rating
– poor communication and reports
– indulging in affairs
– not taking leave
– refusal of promotion
– excessive & unexplained overtime
– criminal record
the tools to combat fraud
– an effective fraud hotline
– data mining
– FRM - fraud risk management strategies
– code of ethics/conduct
– fraud awareness training
– fraud risk measurement (focused approach)
– fraud prevention and response plans
– gift policies
– proper enforcement of existing policies
– zero tolerance policy
conclusion
– get your anti-corruption measures in place, people will try to bribe our staff
– promote a strong ethics culture
– minimize your risk with strong anti-fraud controls, don’t rely on trust
– close down the gaps in the control environment - this is an ever moving target
– do not rely only on controls - only as effective as the people enforcing them
– the red flags are there, don’t ignore the symptoms
– do not work in a vacuum - use the tools and technology and the experts - CALL ENS
©2006 S Powell
Questions
thank you