White Collar Crime Fraud Corruption Risks Survey Utica College Protiviti

Taking the Best Route
to Managing Fraud and

Corruption Risks
The Economic Crime and Justice Studies Department
at Utica College and Protiviti Scrutinize the State
of White-Collar Crime and the Frameworks Used to
Manage Fraud and Corruption Risks
TABLE OF CONTENTS
Introduction....................................................................................................... 1
Methodology...................................................................................................... 3
Fraud Risk Governance........................................................................................ 4
Fraud Risk Assessment....................................................................................... 8
Fraud Prevention Techniques............................................................................... 15
Fraud Detection Techniques................................................................................ 17
Corruption.......................................................................................................... 20
Reporting, Investigation and Corrective Action..................................................... 28
In Closing........................................................................................................... 32
Survey Demographics......................................................................................... 33
About Protiviti.................................................................................................... 36
About Utica College............................................................................................ 38
Taking the Best Route to Managing Fraud and Corruption Risks i

INTRODUCTION
“WHITE-COLLAR CRIME AND FRAUD ARE SIGNIFICANT RISKS TO SHAREHOLDERS

AND A LIABILITY TO ORGANIZATIONS. YET, MANY ORGANIZATIONS ARE NOT
INVESTING THE TIME AND RESOURCES TO GET IN FRONT OF THE RISK.”
– Scott Moritz, Managing Director, Protiviti
In September 2015, the U.S. Department of Justice (DOJ) put corporations on notice: When it
comes to corporate fraud, the DOJ’s top priority is not financial recovery, but rather bringing
the individuals responsible to justice. In a memorandum to federal prosecutors,1 Deputy Attorney
General Sally Quillian Yates called for a more aggressive stance on holding individuals accountable
for their crimes − and holding corporate officers and directors accountable for the environment
in which those crimes occurred. To ensure adherence to this call to action, the so-called “Yates
Memo” instructed prosecutors not to give corporate defendants cooperation credit unless they first
identify the individuals responsible for the illegal conduct and not just scapegoats. As Yates stated
in her public remarks about the memo: “We’re not going to be accepting a company’s cooperation
when they just offer up the vice president in charge of going to jail.”
Given the dynamic nature of white-collar crime and fraud, it isn’t surprising that the Yates Memo
is only the latest in a series of catalysts that prompted Protiviti and the Economic Crime and Justice
Studies Department at Utica College to conduct a comprehensive survey of white-collar crime and
the fraud risk management frameworks used to combat them.
Notable Findings
While there were a number of notable findings that emerged from our research, one thing seems
quite clear: The majority of organizations are not well positioned to conduct investigations. Many
organizations conducting investigations are under-resourced and are spending more time “putting
out fires” than focusing on fraud detection and applying a consistent investigative approach. The
majority of companies that are in this situation will very likely find it extremely difficult to identify
the responsible parties and receive meaningful cooperation credit for having done so.
1
“Individual Accountability for Corporate Wrongdoing,” DOJ memorandum, September 9, 2015: www.justice.gov/dag/
file/769036/download.
Taking the Best Route to Managing Fraud and Corruption Risks 1

Other notable findings that emerged from our research include the following, which we explore in
more detail throughout our report:
• Most companies are still reactive, rather than proactive, in managing fraud risk and respond-
ing to fraud and corruption once issues have been identified because they lack resources and
strategy. Overall, less than one in five respondents described their organization’s fraud risk strategy
as “well defined,” and a little over a third reported having a fraud detection program. Respondents
cited a lack of internal resources as the biggest challenge to proactive fraud risk management.
• Few companies are availing themselves of the tools and best practices for mitigating fraud risk.
For example, less than one in three large companies have implemented state-of-the-art forensic
data analysis, and the numbers are even lower among midsize and small organizations. These results
correspond with findings from Protiviti’s 2015 Internal Audit Capabilities and Needs Survey, which
listed data analysis and fraud monitoring as two of the top five internal audit priorities.2
• Third-party fraud and corruption risk is barely on the radar of most organizations. Less than
one in 10 respondents reported a high level of confidence in their organization’s vendor fraud and
corruption risk oversight. When this is considered alongside a recent finding in the Organisation for
Economic Co-operation and Development (OECD) Foreign Bribery Report, which found that 75
percent of bribes were paid by third parties, the gap between how much attention is being paid to
third parties in comparison to the potential risks they represent is alarming. This finding is consis-
tent with key findings of the 2015 Vendor Risk Management Benchmark Study from the Shared
Assessments Program and Protiviti, which noted a pervasive lack of maturity in vendor risk gover-
nance.3 Our findings also suggest that companies may be inviting trouble by not thoroughly vetting
acquisition prospects for indicators of corruption and fraud. Indeed, many of the white-collar crime
and corruption matters Protiviti is called upon to investigate are the result of fraud and corruption
schemes that were not detected during due diligence and continued for years after the deal had closed.
• Organizations without strong fraud detection and reporting programs face a higher risk
of damaging “whistleblower” disclosures. The lack of a strong fraud detection and prevention
culture – “tone at the top” – can create a vacuum in which some individuals may feel compelled,
either morally or for the financial remuneration of a whistleblower “bounty,” to report fraud directly
to regulators instead of trusting that their concerns will be fully and fairly investigated internally.
• The trend toward “consultative” internal audits must be weighed against the deterrent
effect of surprise audits. While surprise internal audits may run counter to the organization’s
culture, they can certainly have a deterrent effect when used in a targeted manner focused on
perceived problem areas or intransigent business units or geographies.
2
From Cybersecurity to Collaboration: Assessing the Top Priorities for Internal Audit Functions, Protiviti, 2015:
www.protiviti.com/IAsurvey.
3
2015 Vendor Risk Management Benchmark Study, Protiviti and The Shared Assessments Program, 2015:
www.protiviti.com/vendor-risk.
2 Taking the Best Route to Managing Fraud and Corruption Risks

METHODOLOGY
Utica College and Protiviti partnered to conduct the White-Collar Crime and Fraud Risk Survey
in the second and third quarters of 2015. This global survey, conducted online, consisted of a series
of questions grouped into six categories:
• Fraud Risk Governance
• Fraud Risk Assessment
• Fraud Prevention Techniques
• Fraud Detection Techniques
• Corruption
• Reporting, Investigation and Corrective Action
Nearly 300 (n=272) executives and professionals − including board members, C-suite executives,
general counsel and chief audit executives − completed our online questionnaire. All respondents
are in a position to understand their organization’s fraud risk management capabilities. Survey
participants also were asked to provide demographic information about their titles and positions
and the nature, size and location of their businesses. We are very appreciative and grateful for the
time these individuals invested in our study.
All demographic information was provided voluntarily by our respondents.
Notes:
This report includes numerous breakdowns of the survey findings by company size, defined as follows:*
Company size:
Large = Companies with revenues of $10 billion or greater
Midsize = Companies with revenues between $100 million and $9.99 billion
Small = Companies with revenues less than $100 million
*Upon request, Protiviti can provide additional reporting in these broad categories.

FRAUD RISK GOVERNANCE
Key Observations
• While 92 percent of organizations reported having a formal and documented code of
conduct, few consider their fraud risk strategy to be well-defined.
• With regard to the challenges organizations face in managing fraud risk proactively,
a plurality (47 percent) of respondents cited the lack of internal resources. “Lack
of proactive fraud risk management” (37 percent) and “lack of a unified fraud risk
management strategy” (31 percent) were the next two highest responses.
• The fourth-highest reason (29 percent) for not having a well-defined risk strategy is
the belief that fraud and misconduct do not represent significant risks. Our experts
found this to be inconsistent with the widespread incidence of financial crime across
the spectrum of industries represented by the survey participants. This misconception
often plays out when companies are performing fraud risk assessments and at
roundtable discussions in which many executives state the belief that their overall
fraud risks are low − even those operating in particularly high-risk industries and
geographies. Without the perception that fraud represents at least some degree of risk,
companies whose executives have this mindset are not likely to allocate adequate
resources or take steps to strengthen their anti-fraud programs.
KEY FACT
Organizations with a formal and documented code of conduct
All
92%
97%
Large
94% 80%
Small
Midsize

Which of the following best describes your organization’s fraud risk strategy?
Large Midsize Small

companies companies companies
5 = Very well defined 38% 13% 14%

4 = Defined 23% 28% 30%
3 = Less defined 31% 40% 33%
2 = Reactive only 5% 11% 14%
1 = Undefined 3% 8% 9%
Which of the following challenges does your organization face in managing its fraud
risk proactively? (Multiple responses permitted.)
There is limited availability

of internal resources to 47%
address fraud risk.
We lack proactive fraud risk

management – our focus is
37%
on incident response when
allegations arise.
We lack a unified fraud risk

31%
management strategy.
Fraud and misconduct are

not considered high risks 29%
within the organization.
Proactive fraud risk

management is not a 26%
corporate priority.
We do not have a member of
senior management who is
designated with ownership 22%
and responsibility for fraud
risk management.
There is inadequate
funding for anti-fraud 15%
programs and initiatives.
Our organization has a

13%
“no fraud here” mentality.
Laws and regulations or
cultural norms in our
non-U.S. locations present 11%
unique challenges that we
have yet to address.
0% 10% 20% 30% 40% 50%

Commentary
Good governance is essential as regulators and shareholders demand more active management
of fraud risk. With the typical organization losing an estimated 5 percent of its annual revenue to
fraud,4 it is critical that organizations look past the traditional preventive measures (e.g., code of
conduct) and take a proactive approach toward removing the opportunity. The first step is setting
the right “tone at the top” – acknowledging that fraud risk is real; examining the specific fraud risks
that the company is facing or may face, including those that are nuanced to the company and its
industry; and creating and implementing a formal and unified fraud risk strategy.
Who in the ranks of senior management is designated with ownership and

responsibility for fraud risk management in your organization?
Chief financial officer 18%
Chief legal officer

13%
or general counsel
Internal audit director 13%
Chief risk officer 13%
Chief executive officer 10%
Chief security officer 2%
Other 12%
No senior management
professional is designated 14%
with ownership
Don’t know 5%
0% 5% 10% 15% 20%
4
Report to the Nations on Occupational Fraud and Abuse – 2014 Global Fraud Study, Association of Certified Fraud
Examiners, Inc., 2014: www.acfe.com/rttn/docs/2014-report-to-nations.pdf.

Which of the following groups in your organization provides active and defined
oversight of the organization’s fraud risk? (Multiple responses permitted.)
Audit committee 57%
C-level executive(s) 37%
Board of directors 31%
Risk management
29%
committee
No active and
13%
defined oversight
Other 8%
Don’t know 5%
0% 10% 20% 30% 40% 50% 60%
Does your organization have a formal and documented fraud control policy?
Large Midsize Small

Yes 56% 42% 33%

No 41% 53% 60%
Don’t know 3% 5% 7%

FRAUD RISK ASSESSMENT
Key Observations
• An effective fraud risk assessment process should be conducted in alignment with
the organization’s objectives and thoroughly consider potential vulnerabilities
arising from fraud and misconduct. Overall, less than half of respondents reported
that they conduct an annual fraud risk assessment, and a troubling one in four said
“never” or “don’t know.”
• A fraud risk assessment methodology should include one or more of the following
techniques in order to identify potential fraud risk: document review and analysis,
interviews with designated managers and process or control owners, electronic data
analysis, surveys, and facilitated brainstorming sessions and workshops. While a
majority of respondents said they review prior audits, complaints and assessments, less
than half (48 percent) conduct interviews. And only a little more than a third (36 percent)
use data analytics.
• Some companies consider a fraud risk assessment to be part of their SOX compliance
process. This narrow focus fails to address the systemic nature of fraud risk and instead
focuses on internal control over financial reporting, which is a mere fraction of an
organization’s overall fraud risk.
How often does your organization conduct a formal fraud risk assessment?
Large Midsize Small

Quarterly 0% 4% 3%
Annually 57% 51% 34%
As needed 13% 21% 24%
Never 17% 15% 21%
Don’t know 13% 9% 18%

Who within your organization is primarily responsible for conducting your fraud
risk assessment?
Internal audit 45%
Corporate compliance 10%
SOX compliance team 7%
General counsel/legal 5%
Other 18%
None of these 12%
Don’t know 3%
0% 10% 20% 30% 40% 50%
“ROUTINE STAFF-RELATED DISCIPLINARY MATTERS AND ROUTINE CASES ARE

DEALT WITH BY COMPLIANCE AND HUMAN RESOURCES TEAMS. MAJOR FRAUD
INVESTIGATIONS ARE REFERRED TO INTERNAL AUDIT, WHO HAVE BANKING, FRAUD
AND INTERNAL CONTROL SUBJECT-MATTER EXPERTS TO REVIEW SUCH CASES.”
– Chief Audit Executive, Midsize Financial Services Institution

Does your fraud risk assessment team include members from different departments?
47% 42% 11%
Yes No Don’t know
Which departments participate on the fraud risk assessment team?

(Multiple responses permitted.)
Base: “Yes” responses to above
Accounting/finance 82%
Internal audit 75%
Legal 68%
Operations 58%
Human resources 54%
Compliance 54%
Risk management 45%
Corporate security 29%
External consultants 14%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90%

Which of the following does your company utilize as part of its fraud risk
assessment methodology? (Multiple responses permitted.)
Prior audits or other

reviews conducted at 61%
the company
Prior reported concerns

57%
and complaints
Previous fraud risk

50%
assessment results
Interviews 48%
Brainstorming sessions 40%
Data analytics 36%
Industry news 31%
Public information about

criminal, civil and
29%
regulatory cases
and complaints
Surveys 28%
Industry-accepted fraud
taxonomies, such as the
Association of Certified Fraud 19%
Examiners’ Occupational Fraud and
Abuse Classification System
Workshops 15%
Other 5%
Don’t know 12%
0% 10% 20% 30% 40% 50% 60% 70%

How is your organization’s fraud risk assessment process structured?
Large Midsize Small

Incorporated into
our internal audit 26% 31% 38%
planning process
Incorporated into
our enterprise risk
32% 22% 15%
management (ERM)
process
Incorporated into
our SOX compliance 12% 21% 8%
process
Stand-alone 12% 9% 10%
None of these 12% 12% 18%
Commentary
An effective fraud risk assessment is tailored to an organization’s industry and unique operations.
It should be performed on an annual basis and refreshed when a change in the internal or external
environment occurs, including such things as actual fraud or corruption incidents that have
occurred and subsequent efforts to apply the lessons learned.
Key components are risk objectives, identification, assessment of inherent and residual fraud risk
(measured by likelihood and significance), evaluation of anti-fraud controls and management’s risk
response. It is important to obtain this information from a variety of internal and external sources,
including data analysis and personal interviews.
“AN ORGANIZATION-WIDE FRAUD RISK ASSESSMENT HAS NOT BEEN PERFORMED

IN ABOUT 10 YEARS. THE LAST TIME ONE WAS PERFORMED WAS WHEN IT WAS
REQUIRED BY AN ELECTED OFFICIAL FOR ALL STATE AGENCIES.”
– Chief Audit Executive, Midsize Government Organization

Fraud Risk Assessment and Attorney-Client Privilege
As with any internal investigation, a fraud risk assessment may include sensitive matters that poten-
tially involve litigation or damage to a company’s reputation. There are often compelling reasons
for an organization’s assessment team to report to legal counsel. Some things to consider include:
• In the United States, conversations between an attorney and a client seeking legal advice are
considered “privileged and confidential” and “attorney-client privileged.” Once privilege is
established, the information shared between a client and attorney is largely protected from
disclosure to other parties.
• Attorney-client privilege allows companies and their lawyers to discuss findings and potential
solutions without fear of inappropriate disclosure of the privileged discussions and material.
If other providers, such as forensic accountants or investigators, participate in the fraud risk
assessment or an investigation, their work should be performed at the direction of lawyers so
that their findings are considered attorney work product and are privileged as well.
• It should be made clear that the risk assessment is being conducted to assist legal counsel
in providing legal advice. This includes marking materials as “Privileged and Confidential”
and informing interviewees of the legal purpose of the fraud risk assessment or investigation.
• Distribution of privileged materials must be limited. Company representatives must not be
allowed to discuss the review with anyone who is not involved in the project, so as not to inad-
vertently waive the privilege by sharing information outside of the attorney-client relationship.
• The attorney-client privilege varies widely outside of the United States. For any investigations,
fraud risk assessments or other projects that the client and counsel feel should be performed
under the privilege and involve foreign jurisdictions, the rules of those jurisdictions would apply.
Note that while attorney-client privilege generally applies to in-house counsel (at least in the United
States), internal lawyers serve in a dual business and legal capacity, and privilege could be challenged
on the grounds that discussions were of a business, and not a legal, nature.
Does your company conduct its fraud risk assessment under attorney-client privilege?
15% 59% 26%
Yes No Don’t know

While COSO 2013 Principle 8 requires consideration of four types of fraud, which one
of the following is of greatest concern to your organization?
20% 22% 12% 6%
Management Safeguarding of assets Corruption Fraudulent reporting

override of controls
31% 4% 5%
No one type is more None of these Other

concerning than the other
Does your organization have a fraud risk management (mitigation) program?
Large Midsize Small

Yes 47% 31% 29%

No 40% 57% 55%
Don’t know 13% 12% 16%
If YES: Who in your organization is responsible for the fraud risk management
(mitigation) program?
Large Midsize Small

Chief compliance
21% 29% 18%
officer
Chief audit
7% 27% 18%
executive
Chief financial
21% 12% 36%
officer
Other 43% 29% 27%

FRAUD PREVENTION TECHNIQUES
Key Observations
• Most respondents gave their organizations high marks for fraud prevention. Many
utilize “old school” basics, including a formal code of ethics, spending approval
limits and segregation of duties (SoD).
• Most conduct ethics and fraud awareness training, although overall, less than half do so
at least annually, which is the desired frequency.
Which of the following primary controls does your organization utilize to prevent fraud?
Large Midsize Small

Code of conduct/
100% 91% 76%
code of ethics
Authority or
93% 89% 82%
approval limits
Segregation of
93% 89% 71%
duties
Information
87% 88% 68%
technology controls
Employee
77% 83% 68%
background checks
Ethics or fraud risk
83% 59% 37%
awareness training
Competitive bidding 67% 56% 39%
Third-party due
63% 41% 24%
diligence
Other 7% 3% 5%

How often does your organization offer ethics and fraud awareness training?
New-hire orientation only 3% 13% 21%
On demand 7% 11% 17%
4%
Semiannually 8%
3%
Annually 18% 43% 60%
Less than annually 7% 11% 18%
Never 7% 15% 18%
6%
Don’t know 3%
7%
0% 10% 20% 30% 40% 50% 60%
Large companies Midsize companies Small companies
Commentary
Fraud prevention is the baseline of fraud risk management and has traditionally consisted of
simple controls designed to set an ethical and moral tone and limit the opportunity for fraud.
Such measures are a good start, but they need to be part of a comprehensive and ongoing fraud
risk management strategy that includes third-party due diligence, fraud auditing, brainstorming
sessions and data analytics.
“OUR COMPANY ACTUALLY REQUIRES THAT FRAUD OR ETHICS RELATED TRAINING

BE TAKEN ABOUT EVERY QUARTER ON AVERAGE, AND ATTENDANCE IS TRACKED.
TOPICS ARE REINFORCED AT LEAST ANNUALLY.”
– Chief Audit Executive, Large Professional Services

(Consulting, Technology and Outsourcing) Company

FRAUD DETECTION TECHNIQUES
Key Observations
• Tellingly, more than half of all organizations lack a fraud detection program (though
the numbers are better for large companies). It is one thing to have a program that is
not fully developed, but this suggests a majority of companies aren’t doing anything
proactive to look for fraud.
• While most respondents indicated that their companies have a telephone hotline,
website or electronic mailbox for employees to report fraud, only 13 percent regularly
conduct surprise audits at least annually. And relatively few organizations have evolved
to a point where they are using ongoing data analysis – the equivalent of a red-light
camera – to catch fraud in progress.
Does your organization have a fraud detection program?
Large Midsize Small

Yes 57% 35% 21%

No 27% 55% 68%
Don’t know 16% 10% 11%
Who in your organization is responsible for the fraud detection program?

Base: Organizations with a fraud detection program
Large Midsize Small

Chief audit
24% 45% 25%
executive
Chief compliance
18% 21% 25%
officer
Chief financial
18% 17% 13%
officer
Other 40% 13% 37%

Does your organization actively utilize forensic data analysis to identify potential red
flags and fraud indicators?
Yes, routinely. Fraud detection

programs have been written
and overlay systems. Exception
5% 13% 30%
reports are monitored by an
independent group, such as
internal audit.
Yes, periodically.
Management or internal
audit runs fraud detection
16% 24% 30%
programs at specific times,
such as at the start
of an audit.
Yes, on demand only.

Data is extracted manually
17% 21% 30%
from various systems
that are queried.
No, we do not utilize

data analysis to 10% 42% 50%
proactively detect fraud.
Don’t know. 4% 8%
0% 10% 20% 30% 40% 50%
How often does your organization conduct surprise audits within the organization?
7% 6% 39%
Quarterly Annually As needed
38% 10%
Never Don’t know

Which of the following procedures has your organization established for the submission
of concerns by employees about questionable accounting or auditing matters?
Large Midsize Small

Telephone hotline 93% 81% 47%

“Chain-of-command”
57% 53% 45%
reporting
Website 73% 47% 26%
Electronic mailbox 60% 34% 21%
Designated
30% 32% 29%
management
Designated board
17% 13% 13%
member
No formal reporting
0% 5% 16%
mechanism exists
Other 3% 5% 5%
Commentary
Fraud detection techniques look for fraud in progress. Consistent with our other findings, our
survey results suggest that most companies are putting forth minimal effort – relying on passive
tools like hotlines, websites and email reporting mechanisms, which provide a means for individuals
to report fraud – and not actively searching for fraud with surprise audits and ongoing or periodic
forensic data analysis.
This reactive stance is consistent with the results of Protiviti’s 2015 Finance Priorities Survey,5 which
ranked enterprise risk reporting significantly below profitability reporting and other operational and
revenue-generating priorities.
“SEVERAL YEARS AGO, INTERNAL AUDIT ATTEMPTED TO RELATE THE RESULTS OF A

FRAUD PREVENTION AND DETECTION SCOREBOARD. IT WAS NOT WELL RECEIVED
BY EXECUTIVE MANAGEMENT, AS THERE IS NO ‘REGULATION’ THAT REQUIRES OUR
INSTITUTION TO HAVE THE PRESCRIBED CONTROLS IN PLACE.”
– Audit Director, Midsize Healthcare Provider
5
The Rising Tide of Finance Challenges, Protiviti and the Financial Executives Research Foundation, 2015:
www.protiviti.com/en-US/Documents/Surveys/2015-Finance-Priorities-Survey-FERF-Protiviti.pdf.

CORRUPTION
Key Observations
• Third parties are widely considered to represent a disproportionate degree of corruption
risk to companies operating outside of the United States. The OECD recently published
the Foreign Bribery Report, a study of 427 corruption enforcement actions in countries
that are a party to the OECD Anti-Bribery Convention enacted in 1999.6 It found that in 75
percent of those cases, bribes were paid by third parties and not the officers or company
directors themselves. However, our survey found that most companies have a long way
to go when it comes to assessing and monitoring third-party corruption risk, with few
respondents giving their organizations a high confidence rating.
• More than a third of respondents (35 percent) indicated that they were not aware
of any due diligence being performed by their companies on intermediaries prior to
onboarding. And among those conducting due diligence investigations, most perform
only the most cursory Internet and government watchlist searches.
• An equal number of respondents (35 percent) were unaware of any efforts by their
company to identify foreign government agencies, state-owned companies, public
international organizations and private enterprises among their customers. However,
these efforts are a critical success factor for an effective anti-corruption compliance
program under the U.S. Foreign Corrupt Practices Act (FCPA). Without the ability to
readily distinguish between the different categories of customers, companies risk
operating “in the blind” as to which of their customers’ employees meet the definition
of a “foreign official.” These companies therefore risk unwittingly violating the FCPA.
• An effective anti-corruption program should also extend to hiring practices,
particularly when it comes to hiring employees or interns with ties to clients, foreign
governments or state-owned companies. Overall, only a third of respondents could
say that their organizations attempt to determine whether job candidates are family
members or associates of government officials who are in a position to influence
contract awards. Recent prosecutions of U.S. companies for targeting the children of
executives of Middle Eastern Sovereign Wealth Funds and ongoing investigations of
the hiring practices of numerous investment banks operating in China make it critically
important to determine whether candidates for employment or internships have
disclosed such ties and that the company has taken appropriate steps to ensure that
candidates are qualified. There should not be even the appearance of a quid pro quo.
6
OECD Foreign Bribery Report: An Analysis of the Crime of Bribery of Foreign Public Officials, 2014, OECD Publishing, Paris:
http://dx.doi.org/10.1787/9789264226616-en.

On a scale of 1 to 5, rate your level of confidence that the organization has
effective oversight of the external third parties retained in the United States
and/or outside the United States.
3.5 3.1
Large companies
Midsize companies
2.9
Small companies
Does your organization conduct due diligence on business intermediaries (e.g., agent,
distributor, consultant, subcontractor) prior to onboarding?
65% 17% 18%
Yes No Don’t know
Does your organization include communications from management that it

expects adherence to the standards as set out in the code of conduct and/or
anti-corruption policy?
77% 15% 8%
Yes No Don’t know

Does your organization have the ability to distinguish between foreign government
agencies, state-owned companies, public international organizations and private
enterprises among its customer base?
65% 12% 23%
Yes No Don’t know
Which of the following additional steps does your organization take in an effort to
mitigate the elevated risk associated with doing business with government agencies,
state-owned companies and/or public international organizations? (Multiple
responses permitted.)
Large Midsize Small

Pre-approval
requirements
before paying for 63% 44% 34%
gifts, meals or
entertainment
Enhanced contract
57% 41% 29%
provisions
Advanced anti-
corruption training 57% 27% 13%
for select personnel
Prohibitions
against hiring of
family members of 40% 26% 32%
employees of this
category of customer
Does your organization categorize third parties according to risk?

Large companies
57% 30% 13%
Yes No Don’t know

Midsize companies
22% 56% 22%
Yes No Don’t know
Small companies
24% 63% 13%
Yes No Don’t know
Does your organization perform any of the following? (Multiple responses permitted.)
Base: Organizations that categorize third parties according to risk.
Large Midsize Small

Assign risk based

upon a variety of 82% 67% 38%
factors
Perform escalating
levels of investiga-
tive due diligence 71% 45% 50%
based upon
assigned risk level
Perform
investigative 29% 27% 50%
research in-house
Focus on a single
high-risk category for
35% 27% 13%
third parties (such as
sales agents)
Perform the same
level of due diligence
or screening for all 18% 24% 13%
categories of third
parties

If your organization performs investigative due diligence, which activities are
included in this process? (Multiple responses permitted.)
Large Midsize Small

Check a variety
of watchlists
60% 38% 31%
(e.g., OFAC, PEPs,
debarments)
Perform Internet
40% 40% 39%
research
Check corporation
47% 30% 39%
registrations
Search public
47% 32% 25%
records
Search negative
33% 21% 14%
news in English
Perform site visits
33% 15% 14%
with photographs
Perform human
intelligence 23% 13% 11%
research
Search negative
news in applicable 10% 8% 8%
foreign languages
Don’t know 37% 23% 19%
None – No
investigative due
0% 18% 22%
diligence performed
in my organization
When acquiring a company, does your organization conduct a corruption risk

assessment during the acquisition due diligence process?
Large Midsize Small

Yes 47% 23% 25%

No 10% 26% 11%
Don’t know 43% 51% 64%

If your organization performs investigative due diligence, who performs the work
associated with this process? (Multiple responses permitted.)
Large Midsize Small

All investigative
work performed 40% 34% 31%
in-house
Watchlists, negative
media and Internet
37% 21% 25%
research performed
in-house
More
comprehensive
investigative work 20% 9% 8%
performed by
investigative firm
All investigative
3% 5% 3%
work outsourced
Other 0% 5% 6%
None – No
investigative due
0% 20% 22%
diligence performed
in my organization
Don’t know 37% 23% 25%
“THERE IS NO COMPANY-WIDE FRAUD RISK MANAGEMENT PROGRAM. THERE

ARE POCKETS OF PEOPLE THROUGHOUT THE ORGANIZATION WHO DEAL WITH
COMPLAINTS/INVESTIGATIONS (WHICH COULD BE FRAUD), AND ANTI-MONEY
LAUNDERING AND FRAUD INVESTIGATION TEAMS. IN ADDITION, INTERNAL AUDIT
INCLUDES A FRAUD RISK ASSESSMENT LIMITED TO THE SCOPE OF EACH AUDIT,
BUT THERE IS NO CENTRALIZED SYSTEM OR REPORTING REGARDING THE VARIOUS
DECENTRALIZED FRAUD RISK MANAGEMENT ACTIVITIES.”
– Audit Director, Large Financial Services Institution

Do your hiring practices include an examination as to whether candidates are family
members or associates of government officials?
Large Midsize Small

Yes 50% 31% 33%

No 17% 42% 36%
Don’t know 33% 27% 31%
Commentary
Momentum is building for stronger third-party anti-corruption programs, as regulators make it
clear that companies will no longer be able to “outsource” risk by handing it off to a contractor.
Regulators are becoming increasingly sophisticated in their understanding of how certain
organizations are identifying their high-risk business intermediaries. They are holding them to
heightened standards of care and are asking those not approaching their third parties in this way,
“Why not?”
Based on our survey findings, this is a real weakness for most companies. The DOJ and U.S.
Securities and Exchange Commission (SEC) have made their expectations clear: Corruption risk
assessment must evolve, and anti-corruption programs must be derived from a meaningful risk
assessment process in order to be truly effective.
Even those organizations that profess to be conducting vendor due diligence need to start asking
tough questions:
• How many existing relationships have we severed as a result of our anti-corruption program?
• How many prospective vendors have we rejected?
If there is not a single relationship severed or new relationship rejected, it invites regulators to
question the validity of these programs, regardless of how much the programs cost to administer.
“WITH THE COSO 2013 UPDATE, OUR COMPANY GAVE SOME ADDITIONAL THOUGHT
TO FRAUD RISK. IT’S NOT THAT WE WEREN’T THINKING ABOUT IT BEFORE; IT WAS
JUST ALWAYS EMBEDDED IN OUR SOX CONTROLS. THE UPDATE GAVE US A CHANCE
TO TAKE A FRESH LOOK AT THINGS AND PLUCK THOSE FRAUD CONTROLS TO
ENSURE WE WERE THINKING THROUGH ALL THE APPLICABLE SCENARIOS.”
– Audit Manager, Midsize Manufacturing Company

Hallmarks of an Effective FCPA Compliance Program
The DOJ and SEC have provided clear guidance for what they expect of companies when it
comes to complying with the FCPA. Their 10 “Hallmarks of an Effective Compliance Program”7
is essential reading for anyone responsible for overseeing a corporate anti-corruption program.
10 Hallmarks
• Commitment from Senior Management and a Clearly Articulated Policy Against
Corruption – Compliance begins with the board of directors and senior executives setting the
proper tone for the rest of the company.
• Code of Conduct and Compliance Policies and Procedures – A company’s code of conduct
is often the foundation upon which an effective compliance program is built. The most effective
codes are clear, concise and accessible to all employees and to those conducting business on the
company’s behalf.
• Oversight, Autonomy and Resources – In appraising a compliance program, the DOJ and
SEC look for one or more senior executives specifically assigned to oversight and provided
with resources and board access.
• Risk Assessment – Assessment and prioritization of risk are fundamental to developing a
strong compliance program. The DOJ and SEC have said they are likely to be more forgiving
of a company with a comprehensive, risk-based compliance program, even if that program does
not prevent an infraction in a low-risk area because greater attention and resources have been
devoted to a higher-risk area.
• Training and Continuing Advice – Compliance policies cannot work unless they are
effectively communicated throughout a company.
• Incentives and Disciplinary Measures – A compliance program should apply from the
boardroom to the supply room – no one should be beyond its reach.
• Third-Party Due Diligence and Payments – Third parties, including agents, consultants
and distributors, are commonly used to conceal the payment of bribes to foreign officials in
international business transactions. Risk-based due diligence will be considered by the DOJ
and SEC in assessing the effectiveness of a company’s compliance program.
• Confidential Reporting and Internal Investigations – In addition to confidential reporting
mechanisms, there should be an efficient, reliable and properly funded process for investigating
allegations and documenting the company’s response, including any disciplinary or reme-
diation measures.
• Continuous Improvement: Periodic Testing and Review – Effective compliance programs
evolve. Consequently, the DOJ and SEC evaluate whether companies regularly review and
improve their compliance programs to keep them from becoming stale.
• Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition
Integration – A company that does not perform adequate FCPA due diligence prior to a
merger or acquisition may face both legal and business risks.
7
FCPA: A Resource Guide to the U.S. Foreign Corrupt Practices Act, Criminal Division of the DOJ and Enforcement Division
of the SEC, 2012: www.justice.gov/sites/default/files/criminal-fraud/legacy/2015/01/16/guide.pdf.

REPORTING, INVESTIGATION AND CORRECTIVE ACTION
Key Observations
• Overall, insufficient management review and inadequate controls have accounted
for more than half of all fraud and misconduct investigated over the past three years.
Deliberate override of controls was the second-highest individually cited cause, after
insufficient management review.
• A substantial percentage of respondents said there have been no allegations of fraud
or misconduct investigated over the past three years. This raises questions about how
effective those organizations are at identifying fraud and whether this statistic is a true
picture of the absence of fraud or, rather, the inability to deter, detect, investigate and
report fraud and the absence of proactive efforts to identify fraud indicators.
Based on your personal knowledge, how many allegations of fraud or misconduct

have been received and investigated by your company in the past three years?
Large Midsize Small

More than 20
27% 11% 6%
investigations
Six to 20
17% 19% 8%
investigations
Five or fewer
7% 33% 25%
investigations
None that I am
3% 13% 39%
aware of
I’m not comfortable
disclosing this 17% 11% 3%
information
Unknown – I don’t
have visibility
into how many
29% 13% 19%
investigations
are conducted/
completed

For known fraud events or incidents of misconduct within your company, what was
the primary root cause or control breakdown that allowed the incident to occur?
Base: Organizations in which there have been allegations of fraud or misconduct that
have been investigated in the past three years.
Large Midsize Small

Insufficient
management review 15% 18% 47%
or approval
Deliberate override
35% 20% 0%
of internal controls
Inadequate internal
5% 21% 27%
controls
Inadequate SoD 10% 11% 20%
Collusion with third
25% 10% 0%
parties
Internal collusion 0% 6% 0%
Lack of qualified
personnel
performing tasks/ 5% 5% 0%
responsible for
controls
Undisclosed
0% 4% 0%
conflict(s) of interest
Other 5% 5% 6%
“OUR FRAUD RISK STRATEGY IS EVOLVING. WE HAVE A FRAUD RISK POLICY

AND A WHISTLEBLOWER PROTECTION POLICY. WE HAVE SOME PREVENTIVE
FRAUD MONITORING IN PLACE IN SOME RISK AREAS, BUT THE APPROACH IS
NOT A STRUCTURED BASIS FOR A FORMAL FRAUD RISK ASSESSMENT. THIS IS
NOW MANDATED BY THE BOARD, AND WE PLAN TO COMMENCE THIS SHORTLY.
MANAGEMENT BUY-IN IS LIMITED; IT IS MORE A COMPLIANCE TICK BOX APPROACH!”
– Chief Audit Executive, Midsize Financial Services Institution

What level of involvement does your organization’s audit committee have in the
investigation of alleged fraud or misconduct?
The audit committee chair

is informed of all allegations
involving accounting, auditing 36%
and internal control matters 20%
immediately upon receipt by 36%
the individual designated to
receive complaints.
On at least a quarterly basis,

the audit committee is
14% 33% 57%
informed of all allegations
being investigated.
The audit committee is only

informed about investigations 17%
7%
involving accounting, auditing 17%
and internal control matters.
Don’t know. 14% 16% 33%
0% 10% 20% 30% 40% 50% 60%
Commentary
Not every missing laptop requires the attention of the audit committee, but there should be a
mechanism for the investigation and reporting of suspected fraud and misconduct. There also
needs to be some kind of prioritization of when and why to escalate suspected misconduct to
a higher level of scrutiny to include categories of fraud and misconduct that would warrant
reporting to the audit committee.
More important, from a long-term value standpoint, is the ability to drill down to the root cause
and take corrective action. Many respondents cited inadequate internal controls as a leading cause
of fraud, along with insufficient management review. These responses aren’t surprising consider-
ing that most companies don’t seem to see fraud and misconduct as significant risks. Performing
investigations in such a way as to gather evidence, expose shortcomings in the control environment
and then apply the lessons learned are of critical importance to an organization’s ability to demon-
strate forward progress on its anti-fraud and anti-corruption programs. These efforts also can help
to lower the company’s exposure to these categories of risk over time.

A “no fraud here” mentality may also contribute to the high percentage of instances where the root
cause was determined to involve the deliberate override of internal controls. Such overrides don’t
always involve malfeasance; they are sometimes a matter of misplaced expediency. But they are
also indicative of a lax governance structure and a culture in which fraud can flourish because the
rules are not enforced and insiders inclined to commit acts of fraud or bribery see very little risk
of getting caught. Even a person who circumvents controls out of expediency and is not personally
liable for fraud could certainly garner the attention of law enforcement under the Yates Memo and
its mandate that companies identify responsible parties in order to receive cooperation credit.
KEY FACT
Most common corrective actions taken by companies at the
conclusion of an investigation:
Disciplinary action
27%
23%
Termination
“INTERNAL AUDIT FACES CHALLENGES IN ASSISTING THE ORGANIZATION TOWARD

MORE MATURITY IN FRAUD RISK GOVERNANCE BECAUSE OF THE “DOESN’T/WON’T
HAPPEN HERE” MINDSET. BECAUSE OF THIS, ANY PROJECTS DIRECTLY FOCUSED
ON FRAUD RISK, SUCH AS CHAMPIONING AN INSTITUTION-WIDE FRAUD RISK
ASSESSMENT, WOULD MOST LIKELY BE VIEWED AS NOT ADDING VALUE RELATIVE
TO OTHER PROJECTS AND PRIORITIES FOR INTERNAL AUDIT.”
– Chief Audit Executive, Midsize Government Organization

IN CLOSING
Companies tend to be under-resourced when it comes to financial crime investigation, fraud detec-
tion and reporting. Leadership is focused on growing revenue and delivering shareholder value.
Nobody wants to believe that the company is losing significant revenue to fraud. Nor are companies
inclined to freely expend unbudgeted monies to pursue investigations to their logical conclusions
and then remediate the deficiencies in the control environment that the investigation may have
exposed. And certainly, organizations don’t want to spend precious resources managing risks they
don’t consider legitimate.
Yet regulators and prosecutors are holding corporate executives and directors individually account-
able not only for acts of fraud or bribery they may have committed, but also increasingly for acts they
didn’t take clear action to prevent. Such pressures are raising the bar for fraud risk management and
anti-corruption compliance.
An organization’s ability to effectively manage and mitigate fraud and corruption risk begins
with the abandonment of the “no fraud here” mindset and an acknowledgement that fraud
and corruption don’t just happen to others. In fact, the law of averages suggests that fraud and
corruption risk exists in every organization to varying degrees. The conclusion that there’s “no
fraud here” is more likely a repudiation of the program’s efficacy and organizational tone than it
is a reflection of reality. A truly effective program engages all levels and departments in preven-
tion and detection. It is also aligned with a strong executive tone at the top, where the refrain
“there is no fraud here” is replaced with “not on my watch.”

SURVEY DEMOGRAPHICS
We surveyed nearly 300 top senior executives, board members, audit directors and risk manag-
ers from a cross-section of industries. The following charts show the breakdown regarding the
survey respondents and their companies.
Position (Title/Role)
Chief Audit Executive 24%
Audit Director 19%
Audit Manager 16%
Chief Financial Officer 7%
Corporate Controller 6%
Chief Risk Officer 4%
Chief Compliance Officer 3%
Board Member/Audit Committee Member 3%
Business Unit Control Leader 2%
Corporate Security Director 1%
General Counsel 1%
Chief Executive Officer 1%
Chief Information Officer 1%
Chief Operating Officer 1%
Chief Security Officer 1%
Other 10%

Industry
Financial Services 18%
Manufacturing 12%
Education 6%
Energy 6%
Government 6%
Technology 6%
Healthcare – Provider 5%
CPA/Public Accounting/Consulting Firm 4%
Insurance (excluding Healthcare – Payer) 4%
Real Estate 4%
Services 4%
Retail 4%
Distribution 3%
Not-for-Profit 3%
Utilities 3%
Life Sciences/Biotechnology 3%
Media 3%
Healthcare – Payer 2%
Hospitality 2%
Telecommunications 1%
Other 1%
Size of Organization (by gross annual revenue in U.S. dollars)
$20 billion or greater 8%
$10 billion to $19.99 billion 8%
$500 million to $999.99 million 15%
$100 million to $499.99 million 19%
Less than $100 million 16%

Type of Organization
Public 49%
Private 24%
Not-for-profit 10%
Government (U.S.) 6%
Educational institution 5%
Government (non-U.S.) 2%
Public international organization 1%
Private, but planning an IPO within the next 12 months 1%
Other 2%
Organization Headquarters
North America 82%
Europe 6%
Asia-Pacific 4%
Middle East 3%
Latin America 2%
Africa 2%
India 1%

ABOUT PROTIVITI
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in
finance, technology, operations, governance, risk and internal audit, and has served more than 60
percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our inde-
pendently owned Member Firms serve clients through a network of more than 70 locations in over
20 countries. We also work with smaller, growing companies, including those looking to go public,
as well as with government agencies.
Named one of the 2015 Fortune 100 Best Companies to Work For®, Protiviti is a wholly owned
subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P
500 index.
About Our Investigations and Fraud Risk Management Practice

Protiviti’s Investigations and Fraud Risk Management consultants help organizations build a solid
infrastructure for evaluating, mitigating, investigating, reporting and monitoring their risk of fraud,
corruption and misconduct.
Understanding organizational vulnerabilities and establishing an appropriate framework to iden-
tify and respond to them are essential in today’s global marketplace, as regulators are demanding
more active management and investigation for a wide range of risks, including financial crime,
fraud and corruption.
Our Investigations and Fraud Risk Management professionals assist organizations with building
sustainable anti-corruption, investigative and fraud risk assessment processes and developing anti-
fraud, anti-corruption and investigative programs and controls to meet fiduciary and regulatory
responsibilities. We support organizations in their efforts to identify, triage, investigate, report and
monitor a wide array of risks at every level – from the performance of risk assessments, program
design or remediation, risk governance, and employee training to audits of anti-corruption, fraud,
and investigation programs and processes.
Our team’s unique blend of anti-corruption, fraud risk management and investigative subject-
matter expertise can quickly identify program shortcomings and remediate your critically important
programs. We also have extensive experience in undertaking investigations of suspected violations of
those programs by leveraging investigative, forensic accounting and technology disciplines across
our global footprint to provide our clients with the experience and local resources necessary to
gather the facts to make informed business decisions.

PROTIVITI INVESTIGATIONS AND FRAUD RISK MANAGEMENT
PRACTICE CONTACTS
Brian Christensen Scott Moritz

Executive Vice President, Global Lead, Investigations
Global Internal Audit and Fraud Risk Management
+1.602.273.8020 +1.212.603.8356
brian.christensen@protiviti.com scott.moritz@protiviti.com
UNITED STATES BRAZIL MEXICO

Kelly Flagg Raul Silva Roberto Abad
+1.212.603.5416 +55.11.2198.4200 +52.55.5342.9100
kelly.flagg@protiviti.com raul.silva@protivitiglobal.com.br roberto.abad@protivitiglobal.com.mx
James Gallo CANADA MIDDLE EAST

+1.212.603.8320 Ram Balakrishnan Manoj Kabra
james.gallo@protiviti.com +1.647.288.8525 +965.2295.7700
ram.balakrishnan@protiviti.com manoj.kabra@protivitiglobal.com.kw
James Gibson
+1.312.476.6423 CHINA (HONG KONG AND THE NETHERLANDS
james.gibson@protiviti.com MAINLAND CHINA) Jaap Gerkes
Albert Lee +31.6.1131.0156
+852.2238.0499 jaap.gerkes@protiviti.nl
Peter Grupe
albert.lee@protiviti.com
+1.212.399.8613
peter.grupe@protiviti.com FRANCE SINGAPORE
Bernard Drui Sidney Lim
Robert Hennigan +33.1.42.96.22.77 +65.6220.6066
+1.646.428.8231 b.drui@protiviti.fr sidney.lim@protiviti.com
robert.hennigan@protiviti.com
GERMANY SOUTH AFRICA
Pamela Verick Michael Klinger Fana Manana
+1.703.338.2322 +49.69.963.768.155 +27.11.231.0600
pam.verick@protiviti.com michael.klinger@protiviti.de fanam@sng.za.com
Diane Walker INDIA UNITED KINGDOM

+1.212.603.8388 Subrata Bagchi Lindsay Dart
diane.walker@protiviti.com +91.98.6631.4842 +44.207.389.0448
subrata.bagchi@protivitiglobal.in lindsay.dart@protiviti.co.uk
AUSTRALIA ITALY
Mark Harrison Alberto Carnevale
+61.2.6113.3900 +39.02.6550.6301
mark.harrison@protiviti.com.au alberto.carnevale@protiviti.it
BELGIUM JAPAN
Jaap Gerkes Yasumi Taniguchi
+31.6.1131.0156 +81.3.5219.6600
jaap.gerkes@protiviti.nl yasumi.taniguchi@protiviti.jp

ABOUT UTICA COLLEGE
Utica College, founded in 1946, is a comprehensive private institution offering bachelor’s,

master’s and doctoral degree programs. The college, located in upstate central New York,
approximately 90 miles west of Albany and 50 miles east of Syracuse, currently enrolls over 4,400
students in 44 undergraduate majors, 30 minors, 21 graduate programs and a number of pre-
professional and special programs.
About Utica College’s Economic Crime and Justice Studies Department

Utica College’s Economic Crime and Justice Studies (ECJS) Department offers a suite of programs
at the undergraduate and graduate levels, as well as two research centers and the Economic Crime
and Cybersecurity Institute (ECCI).
Our faculty is truly interdisciplinary, and faculty members have worked at private financial services
companies, state law enforcement agencies, local courts and government agencies, and have
founded their own companies. At the undergraduate level, we educate our students to be inves-
tigators – whether the evidence they are reviewing is fingerprints, numbers on a spreadsheet
or digital code. We have an innovative curriculum consisting of three programs: criminal justice,
economic crime investigation and cybersecurity. Students are grounded in a liberal arts core along
with criminology and relevant law classes. Specialty classes, rigorous writing expectations and a
capstone internship are defining features of our programs. At the graduate level, we train students
in the latest best practices to manage the security of economic and digital information.
Our ECCI is a unique organization of professionals and academics that provides thought
leadership on economic crime and cybersecurity issues faced by business and government. We
have two research centers that examine the latest trends in identity theft, economic fraud and
cybercrime. The Center for Identity Management and Information Protection (CIMIP) is a
research collaborative dedicated to furthering a national research agenda on identity management,
information sharing and data protection. Founded in June 2006, its ultimate goal is to impact
policy, regulation and legislation, working toward a more secure homeland. The Northeast
Cybersecurity and Forensics Center (NCFC) is a partnership of academic, government and private
sector resources that collaborate to provide cutting-edge research, development and service in the
fields of digital forensics and cybersecurity.
Contacts
Donald Rebovich, Ph.D. Ray Philo
+1.315.792.3231 +1.315.223.2483
drebovi@utica.edu rphilo@utica.edu

© 2016 Utica College. All rights reserved. Protiviti is not licensed or registered as a public
accounting firm and does not issue opinions on financial
statements or offer attestation services.
www.protiviti.com
© 2016 Protiviti Inc.

An Equal Opportunity Employer M/F/Disability/Veteran.
PRO-0116-101083

White Collar Crime Fraud Corruption Risks Survey Utica College Protiviti

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

White Collar Crime Fraud Corruption Risks Survey Utica College Protiviti

Uploaded by

Copyright:

Available Formats

Taking the Best Route

to Managing Fraud and

Fraud Risk Governance........................................................................................ 4

Fraud Risk Assessment....................................................................................... 8

Fraud Prevention Techniques............................................................................... 15

Fraud Detection Techniques................................................................................ 17

Reporting, Investigation and Corrective Action..................................................... 28

About Utica College............................................................................................ 38

Taking the Best Route to Managing Fraud and Corruption Risks i

“WHITE-COLLAR CRIME AND FRAUD ARE SIGNIFICANT RISKS TO SHAREHOLDERS

– Scott Moritz, Managing Director, Protiviti

Taking the Best Route to Managing Fraud and Corruption Risks 1

2 Taking the Best Route to Managing Fraud and Corruption Risks

Taking the Best Route to Managing Fraud and Corruption Risks 3

4 Taking the Best Route to Managing Fraud and Corruption Risks

Large Midsize Small

5 = Very well defined 38% 13% 14%

There is limited availability

We lack proactive fraud risk

We lack a unified fraud risk

Fraud and misconduct are

Proactive fraud risk

Our organization has a

Taking the Best Route to Managing Fraud and Corruption Risks 5

Who in the ranks of senior management is designated with ownership and

Chief financial officer 18%

Chief legal officer

Internal audit director 13%

Chief risk officer 13%

Chief executive officer 10%

Chief security officer 2%

0% 5% 10% 15% 20%

6 Taking the Best Route to Managing Fraud and Corruption Risks

Audit committee 57%

C-level executive(s) 37%

Board of directors 31%

0% 10% 20% 30% 40% 50% 60%

Large Midsize Small

Yes 56% 42% 33%

Taking the Best Route to Managing Fraud and Corruption Risks 7

Large Midsize Small

8 Taking the Best Route to Managing Fraud and Corruption Risks

Internal audit 45%

Corporate compliance 10%

SOX compliance team 7%

None of these 12%

0% 10% 20% 30% 40% 50%

“ROUTINE STAFF-RELATED DISCIPLINARY MATTERS AND ROUTINE CASES ARE

– Chief Audit Executive, Midsize Financial Services Institution

Taking the Best Route to Managing Fraud and Corruption Risks 9

47% 42% 11%

Yes No Don’t know

Which departments participate on the fraud risk assessment team?

Internal audit 75%

Human resources 54%

Risk management 45%

Corporate security 29%

External consultants 14%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90%

10 Taking the Best Route to Managing Fraud and Corruption Risks

Prior audits or other

Prior reported concerns

Previous fraud risk