An analysis of responses to Deloitte Forensic India's Fraud Risk Score self-assessment tool.
Corporate India's efforts in the area of fraud risk management are undergoing a change. This can be attributed in part to greater awareness about the repercussions of fraud as well as enforcement of recent legislation, such as the Companies Act, 2013 and the Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements) Regulations 2015, which mandate companies to have adequate measures to mitigate fraud.
To ascertain how companies were responding to these legislative measures as well as dynamic business changes, we launched a unique web-based initiative in December 2014 – a self-assessment tool (SA tool) that organizations could use to determine their levels of preparedness to tackle fraud, misconduct, and noncompliance. At the end of the assessment, users were given a 'Fraud Risk Score' indicating their preparedness levels, alongside potential areas of improvement, which could be used by them for course correction.
250 C-Level Risk and Compliance professionals undertook the self-assessment in the twelve months succeeding the launch. An analysis of the responses highlights several interesting trends.
While corporate India is becoming more proactive about preventing fraud, enforcement of anti-fraud measures within organizations needs to improve. For example, almost 47 percent of the users who responded to the SA tool indicated that they were still unable to enforce the code of conduct, as employees were not mandated to sign it. Similarly, while companies have invested in technology, such as ERP (Enterprise Resource Planning) platforms and data analytics tools, to automate processes and centrally manage them, we observed that over 50 percent of the SA tool users were yet to deploy such technology for fraud risk management measures, restricting themselves to business analysis for now. Further, despite the Companies Act, 2013 mandating the need for a vigil mechanism, around 30 percent of the SA tool users indicated that their organizations did not have a whistleblowing mechanism in place.
Lastly, in the procurement function, a majority of the SA tool users indicated 'mandatory registration of vendors' and 'maintaining comprehensive master data on vendors' as the primary measures taken to prevent fraud. However, only 38 percent highlighted that they reviewed the vendor master data periodically to weed out inactive vendors and only 6 percent of the SA tool users indicated that they performed forensic data analytics on the vendor master data. Further, 49 percent indicated that they did not conduct any due diligence on their vendors.
In the area of fraud response, around 60 percent of the users who responded to the SA tool indicated that they were unaware of the presence of a fraud response plan to guide the organization in case any incident arises. With fraud reporting by Auditors mandated as per the Companies Act, 2013, and the recent notification by the Ministry of Corporate Affairs (MCA) prescribing a monetary threshold of INR 1 crore and above for reporting individual cases of fraud to the central government[1], it has become imperative for organizations to establish a fraud response plan.
As the Companies Act, 2013 continues to evolve and provide timely guidance to organizations on aspects of fraud risk management, we expect to see a more structured approach and greater effort from corporate India towards proactively improving their preparedness to tackle fraud. We hope you find this report useful in your efforts to mitigate fraud, noncompliance and misconduct.
Measures taken to prevent fraud:
- 86% of the SA tool users indicated that they had a written code of conduct for employees, but only 53% highlighted that employees were required to sign it annually.
- 75% of the SA tool users have identified people within their organizations who can resolve employee queries on ethical dilemmas and guide them on understanding the code of conduct better.
- 57% of the SA tool users indicated that their organizations did not conduct independent fraud risk assessment of key functions and processes every two years.
- A majority of the SA tool users indicated 'mandatory registration of vendors' and 'maintaining a comprehensive master data on vendors' as the primary measures taken to prevent fraud. Only 38% of the SA tool users highlighted that they reviewed their vendor master data periodically to weed out inactive vendors. Further, only 6% of the SA tool users indicated that they performed forensic data analytics on their vendor master data to help analyze the data for potential anomalies.
- Only 51% of the SA tool users indicated conducting due diligence on all vendors. Further, only 30% highlighted that they conducted due diligence on key vendors once a year.
Measures taken to detect fraud:
- Around 37% of the SA tool users indicated that over 75% of their processes were automated and integrated via an ERP system, and managed centrally. Around 19% of the SA tool users indicated that their level of automation was between 50% and 75% and that ERP systems were used to run most processes, alongside the use of data analytics.
- Around 30% of the SA tool users highlighted that they did not have a whistleblower hotline to detect fraud. Another 59% indicated that they had whistleblowing hotlines managed internally.
- SA tool users were divided on the use of data analytics to identify suspicious transactions and other red flags, with 48% saying 'Yes' and 47% saying 'No'.
- Around 54% of the SA tool users indicated that they were able to detect fewer than 2 instances of fraud in the last financial year.
Measures taken to respond to fraud:
- Close to 60% of the SA tool users indicated that they did not know whether their organizations had a formally documented fraud response plan.
- Among those who responded in the affirmative to having a fraud response plan, the following three components were identified as key aspects in the plan: having an effective system that can receive, manage and track allegations (51%); assigning of the matter to the appropriate and independent party for investigation in accordance with established roles and responsibilities (45%); execution of the actual investigation steps based upon existing guidelines, policies, and procedures that follow well-designed protocols and legal guidance, as appropriate (45%).