
FRAUD RISK ASSESSMENT AS A CURRENT TOPIC IN BUSINESS SECURITY


Academic year: 2021


© Russia chapter of ACFE with support of Ernst and Young (CIS) B.V.

RESEARCH

“FRAUD RISK ASSESSMENT AS A CURRENT TOPIC IN BUSINESS SECURITY”

Moscow 2013


President of the Russia chapter of ACFE Sergey Martynov

During the last five years the Russia chapter of ACFE has worked hard to research and elaborate new methods of fraud risk assessment. This research, which was carried out with the support of the company Ernst and Young (CIS) B.V., collected key information necessary for the implementation of the elaborated method of fraud risk assessment.

The contribution to this research from the audit and consulting company Ernst and Young (CIS) B.V., the long-term partner of the Russia chapter of ACFE for more than five years, deserves special consideration. Many projects have been implemented, trainings carried out, and the professional qualification of business security professional created for the first time in Russia, all thanks to the support and participation of our partner in all of our arrangements.

Partner, Fraud Investigations and Dispute Services, EY, Russia and CIS Andrey Novikov

Effective fraud risk assessment in enterprises is an important element of the measures directed at fraud response.

The contemporary economic security departments of enterprises should not only investigate the consequences of fraudulent actions, but also be capable of foreseeing and preventing them, attempting to reduce economic losses to a lower level.

Taking into account the importance of preventing excessive use and fraud at the earliest stage of their occurrence, the Russian chapter of ACFE, with the support of the company Ernst and Young (CIS) B.V., has worked extensively on the determination and assessment of fraud risk indicator weights, and has elaborated a usage algorithm that makes it possible to obtain a qualitative fraud risk assessment of the investigated enterprise or process.

The uniqueness of the obtained results and their practical importance are determined, first of all, by the fact that they represent a product of the creativity and expert opinion of professionals working in the field of economic security in Russia and the CIS, and therefore might be used in the operating activity of enterprises.


CONTENTS

Introduction

Who applies fraud risk assessment, and how?

Fraud risk assessment methods

Research organization. List of fraud indicators

Application of indicators and final risk evaluation

Discussion of results


INTRODUCTION

Any business is interested in reducing unproductive expenses and losses, above all losses due to fraud in its various forms – fraud proper, wasteful spending, commercial bribery and others.

Detecting crimes already committed, holding the guilty persons responsible and obtaining indemnification are necessary functions of the business security system of any company. However, the most effective strategy is to prevent fraud at earlier stages, when the crime has not yet been committed: it is at an early stage, or the potential criminal is only creating favorable conditions for carrying it out. In this case the company can avoid the expense of criminally prosecuting the guilty employee and recovering the stolen property, and can preserve its business reputation in the eyes of investors and society. According to a survey of experts by the Russia chapter of ACFE, 73% of experts stated that a guilty verdict was reached in less than 10% of internal fraud investigations; in the experience of 60% of experts, the guilty person compensated for the damage caused by fraud in less than 10% of cases. The survey results of one of the expert groups are shown below (the results of the other groups are similar).

[Chart. Question: In how many cases out of a hundred investigations did the court pass a guilty verdict on the guilty person? Answer options: 1 Less than 10%; 2 From 10% to 20%; 3 From 20% to 50%; 4 From 50% and more; 5 Other. Shares shown in the chart: 73%, 5%, 14%, 5%, 5%.]


In how many cases out of a hundred investigations did the guilty person compensate for the damage caused?

Thus, detecting and preventing fraud at early stages makes it possible to improve the efficiency of the company's fraud prevention system by tens of times.

One of the methods of early fraud detection is fraud risk assessment. It makes it possible to identify processes, transactions and employees that are potentially dangerous in terms of fraud and other overheads. These “sensitive” points allow proactive measures to be taken: establishing additional control procedures that reduce the opportunity to commit fraud, rotating or training personnel, or performing a financial audit to investigate the situation in detail.

Like any other method for detecting “weak” spots in the internal control system, this one has its advantages, its disadvantages and its scope of application.

One advantage of this method is its low cost (tens of times lower than a full investigation). One disadvantage is that the resulting risk assessment, like any other assessment, cannot be considered evidence of fraud. It is impossible to bring charges or obtain evidence on the basis of a risk assessment, but it is possible to collect the necessary information about spots that require close attention from management and the control departments. A high fraud risk value may be caused not only by fraud but also by other factors that lead to overheads, for example negligence, sabotage or a lack of the necessary staff qualification. Nevertheless, if a business process has a high fraud risk value, it offers favorable conditions for fraud when reasonable control is lacking.

Many regulators (for example the FRC, the Financial Reporting Council, the leading audit regulator in Great Britain) are currently paying special attention to the application of fraud risk assessment in the evaluation of control procedures (Audit Quality Thematic Review: Fraud risks and Law and Regulations, January 2014).

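[Chart. Share of investigations in which the guilty person compensated for the damage caused. Answer options: 1 Less than 10%; 2 From 10% to 20%; 3 From 20% to 50%; 4 From 50% and more; 5 Other. Shares shown in the chart: 60%, 16%, 16%, 8%, 0%.]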


WHO APPLIES FRAUD RISK ASSESSMENT, AND HOW?

Let us list several applications of fraud risk assessment in business.

Regular fraud risk assessment of the company's departments and business processes makes it possible to diagnose the assets and processes most exposed to fraud. Management may use the fraud risk assessment in decision making, in order to enhance the internal control system, train personnel and take personnel decisions on fraud prevention. The control departments (internal audit, economic security, controlling and auditing service) use the risk assessment when drawing up the annual work plan, allocating more resources to audit objects with a high fraud risk value. Thus a risk-oriented approach is applied to internal audit.

During an internal audit, fraud risk assessment is a compulsory part of the audit procedures. Not all control procedures are designed to obstruct fraud. Many procedures are aimed at responsible performers and can easily be circumvented by a perpetrator. That is why evaluating the efficiency of the control procedures in a particular process includes fraud risk assessment as an integral part of the overall efficiency evaluation.

Fraud risk assessment is used by the management and control departments of the company during internal investigations in cases where it is impossible to obtain evidence of a crime. The legislation (Law of the Russian Federation “Law Enforcement Operations Act”) heavily restricts commercial companies in using the methods that law enforcement authorities use during an investigation. That is why it is impossible to obtain evidence that establishes the components of the crime (for example, evidence of intent in a case of fraud). In this case the internal investigation ends not with the initiation of a criminal case but with a conclusion on the fraud risk value. Management may use the risk assessment to take decisions on improving the internal control system in a particular business process or department.

Nowadays a fraud risk assessment system is a compulsory component of the business security system of any big company.


FRAUD RISK ASSESSMENT METHODS

A number of fraud risk assessment methods are known at present. Unfortunately, none of them has become widely applied in practice, as all of them are based on the auditor's subjective evaluation of the risk level. This means that, applying the same method to the same research object, different auditors may arrive at different fraud risk values, depending on their professional experience and risk tolerance. That is why creating a risk assessment method that depends less on the auditor's opinion is still a high-priority task.

The fraud risk assessment method considered in this research is based on the detection and assessment of fraud indicators. The method of revealing a concealed fact through implicit evidence of it (in our case, “indicators”) is frequently used by analysts in different fields, for example in analytics and surveillance.

A fraud indicator is a fact that is not concealed or can be easily determined and that generally accompanies an act of fraud, but is not direct evidence of it.

In essence, an indicator is close to indirect evidence of a crime, i.e. to a fact that may have noncriminal explanations as well as criminal ones.

For example, an employee's lifestyle that does not correspond to his earnings is a typical fraud indicator, but it cannot be considered evidence, because there may be dozens of noncriminal explanations of where the employee obtained the money (inheritance, lottery win etc.).

Professionals use a large number of indicators in practice in order to detect fraud.

The presence of one or more fraud risk indicators is the initial information that prompts the professional to carry out an enhanced fraud investigation of the process. The presence of several indicators at once points to an increased fraud risk.

In order to obtain a quantitative fraud risk assessment on the basis of indicators, the following tasks must be completed:

- To create a set of fraud indicators that most frequently accompany cases of fraud in commercial organizations. Evidently, the selection of indicators should be based on the experience of professionals who investigate fraud.


- To determine the relative “weight” of each indicator. Fraud indicators are not equal in value (the degree to which they are connected to acts of fraud, and not to other, noncriminal explanations). Some indicators may have a larger weight, i.e. their presence indicates a high fraud risk, whereas other indicators do not always accompany fraud, as they may be caused by other reasons. To what extent is one indicator more important than the others? Evidently, experts can give the most objective estimate.

- To elaborate an algorithm for calculating the total risk value on the basis of the known values of the risk indicators and their weights.


RESEARCH ORGANIZATION

In completing the tasks listed above, we relied on the experience of professionals working in Russia and the CIS countries who participated in trainings, meetings and conferences of the Russia chapter of ACFE and Ernst and Young (CIS) B.V. in 2013. In total, more than 500 professionals working in investigations, internal audit, risk management and other fields of business security participated in the research. We have sufficient grounds to consider the experts competent: the participants of the events are professionals in different areas of business security and investigation and have many years of working experience.

When relying on expert assessment, a number of factors that affect the quality of the results must be considered:

- The experts should be independent. They should have no interest in obtaining particular results, whether beneficial or negative.

- The experts should be professionals and have practical experience in this field.

- The experts should be given the possibility of complete anonymity, so that we receive their true opinion and not a “desirable” response.

In carrying out this research we took these factors into account as follows:

- First, only professionals who attended ACFE and Ernst and Young B.V. events participated in the research.

- Second, the questions are composed in such a way that they cannot be connected to a specific organization. For example, instead of the question “how much money did your organization lose due to fraud last year” we ask “what, in your opinion, is the level of losses due to fraud in Russian companies”.

- Third, to ensure the anonymity of the experts, we used the in-room interactive voting technology from the Turningpoint company. It displays the question on the screen in a PowerPoint presentation, and the survey participants give their opinion using individual panels, pressing the key that corresponds to their answer. The participants picked the panels from a basket at random before the voting started, so there was no possibility of identifying them.


Several expert groups of 30 to 100 persons each were surveyed during the research. The results of each session were processed with professional statistical software, and then the results of the different groups were combined and averaged.

The main task in each session was to discuss the list of indicators and their meanings, after which the weights of the different risk indicators were determined.

It is interesting to note that the surveys of different, mutually independent groups showed a high correlation between the values the groups gave to the same risk indicators. For example, the first five and the last five positions by importance were taken by the same indicators in all groups.

An average value was obtained for each indicator on an ordinal scale from 1 to 5, where 1 means that the indicator is poorly connected with fraud risk and 5 means that the indicator directly (very often) accompanies fraud.

A list of fraud indicators is given below (indicators that the experts considered insignificant are excluded from the list).

Indicator 1. Instability and crisis phenomena.

The influence of crisis phenomena on the fraud level in the company. Crisis phenomena include forthcoming reorganization and layoffs and management change: everything that creates a feeling of instability and economic insecurity in the employee.

Indicator 2. Business process type.

The influence of the business process type on the fraud level.

The processes traditionally most exposed to fraud risk include purchasing, capital construction and investments.

Indicator 3. Assessment periodicity.

The influence of the frequency of audits and fraud risk assessments in departments (in the enterprise) on the fraud level: how often the control departments conduct audits in the enterprise, for example once a year or once in three years.

Indicator 4. Low corporate culture level.

The influence of the development of the company's corporate culture on the fraud level. A high corporate culture and the commitment of the personnel to the goals and values of the company are among the factors that reduce the fraud level.


Indicator 5. The volume of material assets traded.

The more material assets (money, products etc.) are traded in the department or business process, the higher the fraud risk.

Indicator 6. Presence of a fraud prevention program.

The influence of the presence of an effectively working fraud prevention program in the company on the fraud level.

Indicator 7. Control procedure development level.

The influence of the control procedure development level in the company on the fraud level. The more attention the company pays to the development and improvement of its control procedure system, the lower in general the fraud risk.

Indicator 8. Violation of the established order of operation procedures that is explained by good cause, if the violation creates favorable conditions for fraud.

This situation occurs when the personnel violate a control procedure and there is no direct evidence of fraud, but the violation has created favorable conditions for fraud.

Indicator 9. Noncriminal explanations of caused damage, if it is not possible to verify such explanations.

Damage to the company is detected, and the responsible person gives noncriminal explanations of its cause (natural disaster, intrigues of competitors etc.), but it is impossible to verify the truthfulness of these explanations.

10. Contradictions in explanations or substitution of the explanations with others.

The responsible person repeatedly changes the explanation of the cause of damage or violations during the examination or investigation.

11. Absence of primary documentary evidence.

The audit (investigation) reveals that primary documentary evidence is absent.

12. Loss or deletion of documents and electronic files, which contain key information on questionable transactions.

The audit (investigation) reveals that key documents or files are absent, lost (e.g. due to computer system failure) or deleted (for any reason).


13. The operating personnel has access rights to change the archive files and records about the conducted transactions.

The personnel responsible for carrying out and recording transactions have the right to change data on those transactions for past periods (for example, an accountant working with the 1C program has the right to edit data for past periods or to backdate some information).

14. Unreasonable delay in providing of requested documentation and access to electronic files.

During audit engagements, documents or access to information systems are provided with a delay that real circumstances do not justify.

15. File modification date does not correspond with the date, when the document should have been created.

For example, a file created a year ago has a modification date of yesterday.

16. The derived tables are not confirmed by primary documents.

Contradictions between the primary and derived documents.

17. Document copies instead of originals.

Copies of primary documents, for example invoices, proforma invoices etc., are provided instead of originals.

18. Inability of the management to demonstrate the interest in establishing the corresponding control level.

Usually in such cases the management declares that fraud prevention is the work of the security department, internal audit etc.

19. Rapid staff turnover at the management/top-management level.

Frequent change of top management in key positions (director, financial director etc.).

20. The behavior of the management, demonstrating dominance over the internal audit and other control departments.

A typical statement: we are working here, and you (the examiners) are only standing in the way.

21. Access limitation of the auditors to the personnel of the organization.

In particular, management demands that all queries be directed to, and information received only from, the department manager, and prohibits interviewing the performers.


22. Carrying out of transactions, which form does not correspond with their content.

For example, a sham contract for outsourced personnel services is concluded in order to compensate supposed additional costs of the contractor.

23. Excessively high expectable key indicators of the management’s work.

The key indicators of management performance cannot realistically be met under current conditions.

24. The management pays inadequate attention to ethics, lack of communication with employees on ethic matters, not aggressive enough attitude towards the problem of fraud.

25. The management demonstrates increased inclination towards risk, unwillingness to estimate risks.

The typical argument of the manager in such a case is: I take decisions and estimate risks on my own, I do not need independent and formalized risk management.

26. Insufficient automatic inspection level of transactions.

Unreasonable refusal to implement generally accepted means of automated transaction recording, for example manual bookkeeping in cases where the 1C program is usually used.

27. Large difference between the budget and factual data.

The data on actual budget utilization differ significantly (by more than 15-20%) from the originally approved budget.

28. Discontent of the personnel with the salary level.

The personnel of the enterprise (department) complain about the salary level and use this as an explanation (self-justification) for not carrying out control procedures or for carrying them out negligently.

29. Low personnel loyalty.

Low loyalty of the personnel to the tasks and goals of the company; the company is regarded as a temporary workplace where the interests of the company and the employees are opposed.

30. Creation of separate personnel groups by the manager.

Creation of informal groups of employees “entrusted” by or “close” to the manager, who have more power not because of the organizational structure of the company but due to informal relations with the manager.


31. Disorderly storage system of inventory holding, documents and electronic files.

There is no formally or informally established storage system for documents and files; documents and files cannot be found without the help of a particular employee.

32. Remoteness of the manufacture from the top-management and control departments.

The geographic remoteness of the business location (industrial process site) from top management and the control departments.

33. Graded approach to conducting control procedures.

Some control procedures are not carried out, without justified reasons.

34. The value of personal possessions and the life style do not correspond with the income.

The expenses of the employee significantly exceed his officially declared income.

35. Sudden refusal of the personnel to cooperate during the audit engagement.

Employees who previously cooperated well with the audit group suddenly refuse to cooperate during the audit engagement. Their attitude turns negative, and information is delayed or withheld.

36. Absence of an anonymous informing system (“hot line”) in the company.

The company has no “hot line” for receiving anonymous messages from employees about abuses, employees are not made aware of the results of the “hot line”, or employees do not trust that the company management intends to consider the messages on their merits.

37. Unreasonable nonfulfillment of recommendations on corrective actions.

The management, without giving any reasons, does not carry out the recommendations and takes no measures to correct the identified shortcomings in the organization of the internal control system.

38. Long-term work of an employee on a key position without vacation.

An employee works in one position for a long time without vacation or sick leave and without being temporarily replaced by other employees.

39. No punishment for detected violations.

The offending employees are not punished or are punished only formally (the level of punishment does not correspond to the damage caused to the company).


40. Unreasonable excessive concentration of key authorities.

All key authorities in the business process are concentrated in one manager; delegation of authority is unreasonably avoided.

41. The usage of calculated rates with an available automated recording system.

Automated recording systems are available, but their capabilities are not used, or they often break down.

42. Determination of the raw material consumption by countdown.

The volume of raw materials and materials used in production is determined by calculating back from the volume of output, and not by measuring the volume actually used.

43. Significant corrections of records and budget.

Significant corrections of records (the budget) are made within a reporting period.

44. Disturbance and abnormal behavior during conversation within the audit engagement.

Typical verbal and nonverbal indicators of abnormal disturbance: tears, hysteria, anger etc.

45. Presence of personal pressure factors (loans, abuse etc.)

Drug abuse, alcoholism, excessive gambling, close kinship with people leading an asocial life, the need for expensive medical treatment, the habit of a spendthrift life style.

46. Absence of a management KPI system.

The management is not familiar with key performance indicators.

47. Absence of the system for separation of powers and authorities.

The control procedures do not separate the authorities for decision taking, for recording operation results and for risk assessment.

48. Switching off the possibilities of control, provided by the automated systems.

For various reasons the control and measuring instruments and automation devices are switched off and do not record the operation results. For example, the motor-truck scale is broken most of the time, or the record files with the results are deleted daily.


Notes.

- Each indicator may be supplemented with a more detailed description and examples; this is reasonable when a fraud risk assessment method is elaborated for a particular company, taking into account the peculiarities of its business.

- Each company has its own tolerance level for fraud risk, so the value of each indicator should be adapted to the specific company and line of business. Our research gives values that are averages over all experts who participated in the research.

- All indicators may be divided into several groups, for example: behavioral (describing the behavior of the company's employees during the examination and apart from it), organizational (how the control procedures and processes are organized), documentary (the content and presence of documents and information on transactions), inherent to a particular business process type etc.
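
An added example (not part of the original research, whose own calculation algorithm is not reproduced in this text): one way to turn observed indicators into a single value, using a subset of the average weights from the research's result table. The aggregation rule (weight of the indicators present divided by the weight of the indicators assessed), the 0.5 tolerance, the function and field names and the sample observations are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Average expert weights copied from the research's result table
# (indicator number -> (shortened name, weight)). Only a subset is used:
# indicators worded as facts an auditor can observe as present or absent.
WEIGHTS: Dict[int, Tuple[str, float]] = {
    12: ("Loss or deletion of key documents and files", 5.42),
    11: ("Absence of primary documentary evidence", 5.03),
    34: ("Possessions and life style exceed income", 4.79),
    39: ("No punishment for detected violations", 4.71),
    40: ("Excessive concentration of key authorities", 4.67),
    10: ("Contradictory or changing explanations", 4.63),
    35: ("Sudden refusal to cooperate with the audit", 4.60),
    13: ("Operating personnel can edit archived records", 4.58),
    21: ("Auditors' access to personnel is limited", 4.48),
    15: ("File modification date does not match document date", 4.17),
    14: ("Unreasonable delay in providing documents", 4.11),
    17: ("Document copies instead of originals", 3.85),
    38: ("Key employee works long-term without vacation", 3.79),
}


@dataclass
class Assessment:
    score: Optional[float]   # weight present / weight assessed, 0..1
    coverage: float          # weight assessed / total weight, 0..1
    above_tolerance: bool    # score reached the company's tolerance
    drivers: List[Tuple[int, str, float]]  # heaviest indicators present


def assess(observations: Dict[int, Optional[bool]],
           tolerance: float = 0.5,
           weights: Dict[int, Tuple[str, float]] = WEIGHTS,
           top: int = 3) -> Assessment:
    """Aggregate auditor observations into a risk value (assumed rule).

    observations maps indicator number to True (present), False (absent)
    or None (not assessed). Unassessed indicators are excluded from the
    score and reported through `coverage` instead of counting as absent.
    `tolerance` is company-specific; 0.5 is a placeholder.
    """
    unknown = sorted(set(observations) - set(weights))
    if unknown:
        raise KeyError(f"no expert weight for indicator(s) {unknown}")

    assessed = {n: bool(v) for n, v in observations.items() if v is not None}
    total_w = sum(w for _, w in weights.values())
    assessed_w = sum(weights[n][1] for n in assessed)

    present = [(n,) + weights[n] for n, seen in assessed.items() if seen]
    present.sort(key=lambda row: (-row[2], row[0]))  # heaviest first

    score = sum(row[2] for row in present) / assessed_w if assessed else None
    return Assessment(
        score=score,
        coverage=assessed_w / total_w,
        above_tolerance=score is not None and score >= tolerance,
        drivers=present[:top],
    )


# Constructed observations for one business process (not data from the research).
SAMPLE = {12: True, 11: False, 13: True, 15: True,
          14: False, 17: None, 38: False, 40: True}

if __name__ == "__main__":
    result = assess(SAMPLE)
    print(f"risk value {result.score:.2f}, coverage {result.coverage:.2f}, "
          f"above tolerance: {result.above_tolerance}")
    for number, name, weight in result.drivers:
        print(f"  indicator {number}: {name} (weight {weight})")
```

As the introduction states, the resulting value points to where additional control or audit attention is needed; it is not evidence of fraud.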


The result table of the risk indicator weight assessment, received during this research is indicated below.

12. Loss or deletion of documents and electronic files, which contain key information on questionable transactions 5.42
11. Absence of primary documentary evidence 5.03
34. The value of personal possessions and the life style do not correspond with the income 4.79
39. No punishment for detected violations 4.71
22. Carrying out of transactions, which form does not correspond with their content. 4.69
31. Disorderly storage system of inventory holdings, documents and electronic files 4.69
40. Unreasonable excessive concentration of key authorities 4.67
10. Contradictions in explanations or substitution of explanations with others 4.63
35. Sudden refusal of the personnel to cooperate during the audit engagement 4.60
13. Access rights to change the archive files and records about the conducted transactions 4.58
21. Access limitation of the auditors to the personnel of the organization 4.48


7. Control procedure development level: does the control procedure development level influence on the fraud level and to what extent 4.47
30. Creation of separate personnel groups by the manager 4.43
42. Determination of the raw material consumption by countdown 4.43
16. The derived tables are not confirmed by primary documents 4.40
26. Insufficient automatic inspection level of transactions 4.37
28. Discontent of the personnel with the salary level 4.37
8. Violation of the established order of operation procedures, which is explained by good cause, if favorable conditions for the act of fraud are created as result of such violation. 4.36
5. The volume of material assets traded: does the volume of material assets traded in the department (process, project etc.) influence on the fraud level and to what extent 4.33
48. Switching off the possibilities of control, provided by the automated systems 4.31
41. The usage of calculated rates with an available automated recording system 4.29
6. Presence of a fraud prevention program: does the presence of a fraud prevention program influence on the fraud level and to what extent 4.26
32. Remoteness of the manufacture from the top-management and control departments 4.26


45. Presence of personal pressure factors (loans, abuse etc.) 4.19

47. Absence of the system for separation of powers and authorities 4.18

19. High staff turnover of the top-management 4.17

15. File modification date does not correspond with the date, when the document should have been created 4.17

29. Low personnel loyalty 4.13

14. Unreasonable delay in providing of requested documentation and access to electronic files 4.11

20. The behavior, demonstrating dominance of the management over the internal audit and other control departments 4.11

33. Graded approach to conducting control procedures 4.10

23. High expected key indicators for the management’s work, unrealistic to achieve 4.01

24. The management pays inadequate attention to ethics, lack of communication with employees on ethical matters, insufficiently aggressive attitude towards the problem of fraud 3.98

43. Significant corrections of records and budget 3.96

27. Large difference between the budget and factual data 3.96

9. Noncriminal explanations of caused damage, if it is not possible to verify such explanations 3.95


37. Unreasonable nonfulfillment of recommendations on corrective actions. 3.87

18. Inability of the management to demonstrate the interest in establishing the corresponding control level 3.86

17. Document copies instead of originals 3.85

38. Long-term work of an employee on a key position without vacation 3.79

2. Business process type: does the business process type influence the fraud level and to what extent 3.75

1. Instability and crisis phenomena: the influence of crisis phenomena on the fraud level in the company. The crisis phenomena include the coming reorganization and layoffs, management change, that is, everything that creates the feeling of instability and economic insecurity of the employee 3.59

44. Disturbance and abnormal behavior during conversation within the audit engagements. 3.53

3. Assessment periodicity: does the examination and fraud risk assessment periodicity in the department (enterprise) influence the fraud level and to what extent 3.46

36. Absence of an anonymous informing system in the company 3.32

25. The management demonstrates increased inclination towards risk, unwillingness to estimate risks. 3.27

46. Absence of a KPI system 2.88

4. Corporate culture level: does the corporate culture level influence on the fraud level and to what extent 2.68


APPLICATION OF INDICATORS AND FINAL RISK EVALUATION

An algorithm is needed to obtain the final risk value. Based on the detected indicators, it yields in each specific case a resulting value that reflects the total fraud risk level in the investigated process (department, transaction, etc.).

In elaborating this algorithm, we suggest relying on some empirically determined dependencies. The first is the clustering rule, which exists in many techniques for revealing concealed information. Under this rule, a single appearance of one indicator (in our case, a risk indicator) is not considered significant evidence of the expected result. For example, in a polygraph (lie detector) examination, repeated reactions to the same questions are considered significant.

Similarly, in interviewing, verbal and nonverbal indicators occurring at the same time are treated as signs of lying. In criminal investigation, the presence of several (not one) pieces of indirect evidence is considered evidence of a crime.

For risk assessment based on fraud indicators, we consider it reasonable to use the rule of “three signals”: three independent “yellow” (according to the danger level) signals are sufficient to consider the risk high. In our case the “yellow signals” are the fraud indicators. Thus, the presence of three or more indicators belonging to different groups is sufficient to estimate the fraud risk as high.

The second approach may be used when a quantitative value of the risk level is needed, for example when comparing the risk level in several business processes in order to select the more risk-relevant one for assessment. Here a logarithmic dependence is used. Empirically, the most relevant mathematical model is a function that uses the logarithm of the number of detected indicators and the weight sum of all detected risk indicators. A detailed justification of the particular formula is a topic for separate research.
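The two approaches above, as an added example that is not part of the original research. The weights are the table's values; the group labels, the sample findings and the form of the score (weight sum times ln(1 + n)) are assumptions, since the text here gives neither per-indicator groups nor the formula, and the rule is read as requiring at least three different groups.

```python
import math

# Weights are the survey values from the table above; the group labels are
# assumptions made for this example (the table does not assign groups).
INDICATORS = {
    10: ("verbal", 4.63),          # contradictions in explanations
    13: ("organizational", 4.58),  # access rights to change archive records
    15: ("documentary", 4.17),     # file modification date mismatch
    16: ("documentary", 4.40),     # derived tables lack primary documents
    35: ("behavioral", 4.60),      # sudden refusal to cooperate with audit
    40: ("organizational", 4.67),  # excessive concentration of key authorities
    48: ("organizational", 4.31),  # automated controls switched off
}

def three_signals(detected):
    """Return 'high' when the detected indicators span >= 3 different groups."""
    groups = {INDICATORS[i][0] for i in detected}
    return "high" if len(groups) >= 3 else "not established"

def score(detected):
    """Assumed form: weight sum scaled by ln(1 + n). Not the study's formula."""
    unique = set(detected)
    total = sum(INDICATORS[i][1] for i in unique)
    return total * math.log(1 + len(unique))

def rank(processes):
    """Order processes by descending score as (name, rule result, score)."""
    rows = [(name, three_signals(found), round(score(found), 2))
            for name, found in processes.items()]
    return sorted(rows, key=lambda row: row[2], reverse=True)

# Constructed sample findings for three hypothetical business processes.
SAMPLE = {
    "procurement": [13, 15, 35],  # three indicators, three groups
    "warehouse": [15, 16],        # two indicators, one group
    "payroll": [13, 40, 48],      # three indicators, one group
}

if __name__ == "__main__":
    for row in rank(SAMPLE):
        print(row)
```

In the constructed sample, payroll has the highest score yet does not meet the three-signals rule, because all of its indicators fall in one assumed group; the two approaches answer different questions and are read together.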


DISCUSSION OF RESULTS

The presented results draw on the unique experience of a large number of professionals working in the field of business security in Russia and the CIS. Certainly, this large research became possible only with the support of the company Ernst and Young (CIS) B.V. A large quantity of information was collected, of which only a small part is presented in this review. For example, it is interesting to analyze the deviation in the experts' answers to the research questions. At first sight, the experts are more in agreement when estimating the documentary and organizational indicators of fraud than when estimating the verbal and behavioral indicators. The discrepancy between different expert groups in estimating the same indicators is very interesting. It may have been caused by different business types and different corporate cultures. We have also noticed a difference between the results obtained when the expert group consisted of employees of one company and the values given by an assembled expert group.

All these results should be analyzed, and the indicator classification system and the algorithm for calculating the final risk value should be developed further.

The results presented in our research may be used by any company to elaborate its own fraud risk assessment method. We hope that the professional community will actively participate in the further development of the risk assessment method based on this approach.

Based on the research results, we have elaborated a product for fraud risk assessment, intended for use by management and control departments. We are currently carrying out an operational test of the product and invite all professionals to take part in the testing.


President of the

Russia chapter of ACFE Sergey Martynov

www.acfe-rus.org

Tel.: +7 (495) 728-76-10 info@acfe-rus.org

Partner Fraud Investigations and Dispute Services

EY, Russia and CIS Andrey Novikov

www.ey.com.ru

Tel.: +7 (495) 648-9618

Andrey.Novikov@ru.ey.com
