
Managing Fraud

Theodorus
Chresma HS, SE
May 17th 2014

PwC Global Crime Survey 2014
Survey respondents included 5,128 representatives from over 95 countries around the world.

Case Study: Fraud Case
In order to create the additional revenue recorded in PT A, the initial purchase of cloud computing equipment and VSAT peripherals by PT B was changed into several transactions with a third party, which subsequently revealed that PT A sold the cloud computing equipment to PT C and could recognize the revenue from this sales transaction.

Agenda
* Audit and Corporate Governance: Internal Audit Role; Corporate Governance; Other Standard/Regulation
* Fraud: Fraud Definition; Fraud Triangle; Fraud Tree; Fraud Red Flags; Fraud Control; Whistleblower Practice
* Assessing Fraud Risk in Audit Assignment
* Computer Forensic and Database Analysis
* Fraud Audit Report

Fact
[Figure: chart of fraud detection methods. Series labels: Internal audit; Fraud risk management; Suspicious transaction reporting; Corporate security; Rotation of personnel; By accident; Other detection methods; Tip-off (external); By law enforcement; Tip-off (internal); Whistle-blowing system. Category labels: Corporate controls; Corporate culture; Beyond the influence of management.]

Case Study: Fraud Case
Unfavorable contract creation between PT A and PT B. The Director of PT A changed several important points, and unclear and unfavorable clauses were added to the contract.

Internal Audit

Watchdog
Risk, Process, Assurance and Regulation Focus
Consulting Role and Business Value Driver Focus

* An independent, objective assurance and consulting activity designed to add value and improve an organization's operations (IPPF Std No 1000, interpretation 1000A1 & 1000C1).
* Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud (IPPF Std No 1210.A2).
* Helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
* Covers all the business operations and systems, financial, and other aspects of the organization.

Case Study: Fraud Case
There is an indication (proven by email communication between the Procurement PIC and the Vendor) that the Procurement Buyer PIC received an amount of money from the Vendor.

Corporate Governance (OECD Principles) & Other Standard

Corporate governance is the system by which companies are directed and controlled. (Sir Adrian Cadbury, UK, 1992)

* Equitable Treatment
* Right of Shareholders
* Responsibilities of the Board
* Role of Stakeholders: procedures for complaints by employees concerning illegal (including corruption) and unethical behavior.
* Disclosure & Transparency

SOX Section 301 requires the Audit Committee of the Board of Commissioners of the Company to establish procedures for (i) the receipt, retention and treatment of complaints received by the Company regarding accounting, internal accounting controls or auditing matters.

Anti-Bribery and Books and Records Provisions of the Foreign Corrupt Practices Act (FCPA). Under these laws, the Company and Company Employees may be subject to criminal liability if a Company Employee or an Associated Person, directly or indirectly, offers or pays, or authorizes payment of, Anything of Value in exchange for some improper advantage for the Company.

Case Study: Fraud Case
There was a discrepancy between the record of cash received by the PIC at the Regional Office and the cash deposited to the Bank during the period of 2011-2012. The total discrepancy is IDR XXX.

Fraud
* An intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage (ISA 240).
* Any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain (Managing the Business Risk of Fraud: A Practical Guide, prepared by IIA, AICPA, and ACFE).

Fraud Triangle
* Pressure: perception of an immediate and unsharable financial need or the desire to live a lavish lifestyle.
* Rationalization: belief that a crime has not been committed or is perceived to be justified and that the reward outweighs the risk.
* Opportunity: arises from weak controls or too much independence/control given to a single individual.

Case Study: Fraud Case
Untimely deposit of cash receipts in the Regional Office: the cash receipt of 25 May 2012 was deposited on 16 July 2012 (after 35 working days).

Fraud tree

FRAUD
* Corruption: Bribery; Conflict of Interest; Illegal Gratuities; Economic Extortion
* Asset Misappropriation: Cash; Fraudulent Disbursements; Inventory and Other Asset
* Fraudulent Statement: Financial; Non-financial

Source: Association of Certified Fraud Examiners (ACFE)

Case Study: Fraud Case
During the period of Mr. X's assignment from March 2010 to January 2012, the amount of stamp duty deposit requested and cheque disbursed was higher than the actual amount paid to the Tax Office for several months by IDR 435,000,000. This amount consists of IDR 70,000,000 during 2010 and IDR 365,000,000 during 2011.

Fraud Red Flag Detection

Finance and Accounting
* Unauthorized bank accounts
* Sudden activity in dormant bank accounts
* Discrepancies between bank deposits and posting
* Bank accounts that are not reconciled on a timely basis
* Account balances significantly over or understated
* Unexplained pricing exceptions
* Presence of employee checks in petty cash for the employee in charge of petty cash
* Excessive or unjustified cash transactions
* Significant increase in expenditures
* Abnormal number of expense items, supplies, or reimbursements to employees
* Transactions not recorded completely or on time, or improperly recorded
* Transactions with inappropriate authorization
* Window Dressing

Procurement
* Payments based on photocopied or doctored invoices
* Unusual billing addresses or arrangements: no physical address, post office box, missing street numbers, employee's address
* Vendor payments sent to ineligible beneficiaries
* Errors, such as duplicate payments and miscalculations
* Payments to vendors who aren't on the approved vendor list
* Excessive payments to vendors, high volume of purchases from new vendors
* Purchases that bypass the normal procedures
* Sequential or near-sequential invoices

Payroll
* Overtime charged for employees who normally would not have overtime payments
* Inconsistent overtime hours for a cost center
* Budget variations for payroll by cost center
* Employees with few or no payroll deductions
* Ghost employees

Case Study: Fraud Case
After examining data from the computer of Mr. X (one of the Managers in PT A), we noted that Mr. X owned a server to provide mobile application service. According to an Agreement between PT A and PT B, PT A will pay PT B Rp. 500 per mobile money transaction service.

Fraud Control (AS 8001)

Without an effective management strategy, a company is exposed to fraud risk for which the Board and management may be legally and financially liable. The AS 8001 Standard provides an approach to controlling fraud and corruption risk.

Planning
* Fraud and Corruption Control Planning
* Fraud and Corruption Control Resources

Prevention
* Implementing Risk
* Fraud Risk Database
* Sr Management Control the Fraud Risk
* Assessing Fraud Risk
* Communication and Awareness

Detection
* Fraud Detection Program
* Role of External Auditor in detecting Fraud (through Management Letter)
* Reporting Suspected Incidents
* Whistleblower System

Response
* Policies and Procedures
* Investigation
* Disciplinary Action
* Loss Recovery

Case Study: Fraud Case
PT A has lost 10 units of surveying system equipment. During the HSE inspection, the HSE office found 8 out of the 10 surveying systems in Mr. X's office.

Whistleblower Practice

Structural Aspects
* Develop Whistleblower report criteria to determine False, Non Serious and Proper Whistleblower reports.
* Enhance the Whistleblower Protection Policy, which covers: Protection of Whistleblower Property, Personal and Family protection, Criminal Prosecution and Whistleblower Protection Unit.
* Develop rewards (short term and long term) for whistleblowing.
  - Short Term: Incentive/Bonus.
  - Long Term: Job Promotion
* Establish a formal unit to handle Whistleblower Reports. The Whistleblower Unit may consist of two elements:
  1. Whistleblower Reporting System & Investigation

Operational Aspects
* Provide other Whistleblower reporting lines: email, intranet, internet, post, fax, direct communication to superior, direct tip-off and telephoning the company's headquarters.
* Develop Whistleblower Reporting guidance on every Whistleblower Reporting line. The guidance consists of (but is not limited to):
  1. How to write a Whistleblower Report systematically (What, Where, When, How, Who) on every whistleblower reporting line.
  2. Intangible/Tangible loss that contributed to overall Company loss.
  3. Type of violation (i.e., legal,

Continuous Treatment Aspects
* An effective Whistleblower system requires effective communication from Top Management to maintain the employees' awareness of the Whistleblower system.
* Perform regular socialization of Whistleblower Reporting line/System & Reporting Mechanism & Policy/Procedure/Incentive/Awareness to all employee levels in Indosat.
* Put up eye-catching Whistleblower awareness materials, such as posters in the workplace, Code of Ethics, newsletters.
* Perform benchmarking to evaluate the effectiveness of the Whistleblower reporting line in Indosat.
* Perform monitoring, review and evaluation

Case Study: Fraud Case
Mr. X, who is the Payroll PIC, has added working time hours of Mr. Y (an expat employee in PT A).

Fraud Control (AS 8001) Indosat Experience

Planning and Resourcing
* Fraud and Corruption Control Planning
* Fraud and Corruption Control resources (Forensic and Data Mining Audit Division)

Fraud Prevention
* Enhance Tone from the Top from Sr Management
* Enhance Internal Control (SOP, Policy, Segregation of Duties)
* Code of Ethics and Conflict of Interest Statement
* Employee Training over Code of Ethics, Conflict of Interest, Fraud
* Integrated Audit collaboration with other Audit Division
* Intensive Socialization
* Strong and Consistent consequences over Fraud Action

Fraud Detection
* Whistleblower Enhancement
* Data Analysis over Suspicious Transaction on Financial Statement
* Fraud Reporting to Management

Case Study: Fraud Case
Internal Audit found several counterfeit checks that were used to pay a subcontractor.

Assessing Fraud Risk in Audit Assignment Indosat Experience

Establish Fraud Risk Database

Fraud Scheme
* Submitting false invoices

Red Flag/Symptom
* Vendor has a similar name but a different address from a known legitimate company.
* Invoices are "rubber stamp" approved by supervisor.
* Purchases are of services (such as consulting) rather than goods or tangible assets.

Detection Steps
* Analytic review is effective to detect large scale fraud.
* Review supporting documents and look for suspicious looking documents.
* Review invoices for general consulting services.

Controls to Review
* There should be an approved vendor list.
* All the vendors should be independently qualified (not qualified per the purchasing agent).
* There must be proper segregation of duties.
* Proper Authorization
* The accounts payable list of vendors must be periodically reviewed.
* The vendor payments must be periodically reviewed (at least annually).
* There must be control methods in place to check for duplicate invoices.
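
The red flags and controls above (a vendor with a similar name but a different address, payments to vendors not on the approved list, duplicate payments, sequential or near-sequential invoices) can be tested by data analysis over payment records. The following Python example is added here and is not part of the original slides; the vendor names, record layout, flag names and the 0.85 similarity and gap-of-2 thresholds are constructed assumptions.

```python
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed sample data (not from the page): approved vendor list and payments.
APPROVED = [  # (vendor_name, registered_address)
    ("PT Sinar Abadi", "Jl. Sudirman 10, Jakarta"),
    ("PT Mitra Data", "Jl. Thamrin 5, Jakarta"),
]
PAYMENTS = [  # (payment_id, vendor_name, billing_address, invoice_no, amount_idr)
    ("P1", "PT Sinar Abadi", "Jl. Sudirman 10, Jakarta", 1001, 50_000_000),
    ("P2", "PT Sinar Abadi", "Jl. Sudirman 10, Jakarta", 1001, 50_000_000),
    ("P3", "PT Sinar Abady", "PO Box 77, Bekasi", 2040, 12_000_000),
    ("P4", "CV Konsultan Baru", "Jl. Melati 3, Depok", 301, 9_000_000),
    ("P5", "CV Konsultan Baru", "Jl. Melati 3, Depok", 302, 9_500_000),
    ("P6", "PT Mitra Data", "Jl. Thamrin 5, Jakarta", 8800, 20_000_000),
]

def norm(text):
    """Lower-case and drop punctuation/spaces so trivial variations compare equal."""
    return "".join(ch for ch in text.lower() if ch.isalnum())

def red_flags(payments, approved, name_sim=0.85, seq_gap=2):
    """Return {payment_id: sorted list of red flags}; unflagged payments are omitted."""
    flags = defaultdict(set)
    known = [(norm(n), norm(a)) for n, a in approved]
    first_seen, invoices = {}, defaultdict(list)
    for pid, name, addr, inv, amount in payments:
        n, a = norm(name), norm(addr)
        # Closest approved vendor by name similarity (assumed threshold name_sim).
        score, known_addr = max((SequenceMatcher(None, n, kn).ratio(), ka) for kn, ka in known)
        if score < name_sim:
            flags[pid].add("not_on_approved_list")
        elif a != known_addr:
            flags[pid].add("similar_name_different_address")
        # Same vendor, invoice number and amount paid more than once.
        key = (n, inv, amount)
        if key in first_seen:
            flags[pid].add("duplicate_payment")
            flags[first_seen[key]].add("duplicate_payment")
        first_seen.setdefault(key, pid)
        invoices[n].append((inv, pid))
    # Sequential or near-sequential invoice numbers from one vendor.
    for items in invoices.values():
        items.sort()
        for (inv1, pid1), (inv2, pid2) in zip(items, items[1:]):
            if 0 < inv2 - inv1 <= seq_gap:
                flags[pid1].add("sequential_invoices")
                flags[pid2].add("sequential_invoices")
    return {pid: sorted(found) for pid, found in flags.items()}

if __name__ == "__main__":
    for pid, found in sorted(red_flags(PAYMENTS, APPROVED).items()):
        print(pid, found)
```

Each flag is a prompt for the document review listed under Detection Steps, not proof of fraud; a legitimate vendor can issue consecutive invoices.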

Case Study: Fraud Case
While performing visit activity over the Procurement Bidding process, internal audit found an invalid address.

Assessing Fraud Risk in Audit Assignment Indosat Experience

Adding Fraud Risk Assessment on Audit Risk Control Matrix

Control Ref: PR.01.08.C4 CAPEX
Process: Purchase Request
Risk:
* Invalid purchase process not in accordance with approved SC
* Procurement of goods / services is unauthorized
Fraud Risk Assessment: Procurement PIC created unnecessary PO
Control Associated with Risk: Procurement manager performs review and validation on completion of SC and its supporting documents (PID and budget approval from IC committee)
Testing Plan:
1. Obtain PID documentations (Proposal, RKS, RFP, Budget Case approved, etc.).
2. Obtain budget and investment committee approvals.
3. Verify SC, Budget Committee and Investment Committee approvals in accordance with LoA and authorized personnel.
4. Verify BoQ and Unit Price in SC in accordance with Indosat's needs as stated in Proposal/RKS and RFP.

Case Study: Fraud Case
Internal Audit performed analysis over procurement transactions. Internal Audit found an unfavorable bidding price submitted by vendor A.

Computer Forensic and Big Data Analysis

Data
* Computer Data
* Office Email
* Office Phone
* Office Application

Investigative Audit
* Manual Procedure (Review SOP, Business Process, Transaction)
* Computer Forensic
* Other Analysis

Fraudster

Fraud examination is a methodology for resolving fraud allegations from inception to disposition. More specifically, fraud examination involves obtaining evidence and taking statements, writing reports, testifying to findings, and assisting in the detection and prevention of fraud.

Computer Forensic Phase
* Ensure the machine can be fully analyzed. Examine the machine, secure evidence, power down carefully, use an additional system.
* Image Acquisition. (Copying data is not legal.) Use imaging data.
* Keyword search (money, cake, transfer, etc.)
* Using the analysis and designing report of the EnCase System, Imaging Report

Do and Don'ts
* Obtain a new HDD to secure data
* Encrypt data
* Unplug from the power supply, remove the battery carefully.
* Document all steps
* Use the EnCase system
* If the computer is on, don't turn it off; unplug it directly from the power supply.
* Don't enter anything, copy or cut.

Guidance
* Digital evidence should not affect the data integrity.
* A Certified person
* Computer Forensic is not hacking (never use keystroke logger, spyware, hack password, unauthorized login)
* Data are relevant, legally obtained, properly defined and can be presented in court.

Case Study: Fraud Case
While performing ELC Testing on the Finance Division (Payment Operation), Internal Audit noted that there is no segregation of duties in Payment Operation. One PIC handles both payment and transaction records.

Investigation Audit Report

Background and Objective
* The investigation was performed based on?
* Fraud Indication
* Objective of Investigation

Scope of Review and Methodology
* Procedures performed
* PIC Involved

Summary of Investigation Results
* Testing Result
* Summary of Fraud/Findings

Recommendations
* Recommendation to prevent Fraud case in the future

The End

Thank You
