To fight fraud, which should you trust more: human instinct or machine logic?

By

Stefan Heissner

EY EMEIA Forensic & Integrity Services Leader

Former criminal police detective and consultant. Focused on fighting fraud and corruption. Helps create value by doing the right things in the right way.

7 minute read 10 Jun 2019
Related topics Assurance Assurance Audit Risk

Unethical behavior and high levels of mistrust are key characteristics of today’s workforce in EMEIA. But there are new ways to fight back.

Today’s businesses are operating in an uncertain economic environment. Popular discontent with globalization, political instability and slower growth in emerging markets is placing pressure on companies as they seek alternative ways to meet ambitious revenue targets.

At the same time, business conduct is under greater scrutiny than ever. Significant public demand for businesses to be held to account through greater transparency and accountability is being led by the G20, the Organisation for Economic Co-operation and Development (OECD) and the World Bank.

Against this backdrop,  EY EMEIA Fraud Survey 2017 — in which we polled 4,100 individuals from 41 countries in the region — found significant support for the strong stance taken by regulators, particularly among respondents in emerging markets.

Regulation

77%

of EY survey respondents are supportive of new initiatives to hold individual executives to account for misconduct.

Yet our results also indicate that unethical behavior and high levels of mistrust are key characteristics of today’s workforce, particularly among executives. For instance, 1 in 3 board directors and senior managers could justify offering cash payments to win or retain business, and about 1 in 8 would be prepared to provide false information to management to improve their own careers or pay.

In an increasingly digital and automated business environment where your employees can either justify unethical behavior or are hesitant to come forward, companies should leverage new technologies and machine logic to identify and detect misconduct. Here’s how.

surveillance camera on rooftop
(Chapter breaker)
1

Chapter 1

Monitoring data to understand employee behavior

While many see the need for such steps, employee expectations on privacy pose a hurdle.

Critical digital and physical assets are at greater risk of theft, damage and manipulation by insiders than ever before. Increased global connectivity means that anyone with access to company data, anywhere in the world, can exploit weaknesses in data security. Often, these are trusted employees who have been permitted access to, or have knowledge of, critical data sources.

Never before have governments cooperated so extensively in combating bribery and corruption and imposing legal sanctions against fraud. As a further complicating factor, anti-corruption and anti-trust regulations are becoming entwined, increasing the complexity and difficulty of compliance. Threats posed by insiders are difficult to detect without gathering and analyzing data from a variety of sources. By focusing on behavioral patterns such as anomalies in employee work hours, attempts to access restricted work areas and the use of unauthorized external storage devices, companies can identify individuals who may pose a higher risk to the business.

Once risk ratings have been established, organizations can then consider, based on the new information, whether to place high-risk groups under further review. Despite the need to collect such data, EY survey identified a source of tension:

  • 75% of EY survey respondents say their companies should monitor data sources such as emails, telephone calls or messaging services.
  • Yet 89% would consider monitoring these data sources as a violation of their privacy.

Insider threats

65%

of respondents consider monitoring their emails a violation of their privacy.

Companies should bridge this gap by raising awareness of the importance of collecting such data and of the potential consequences if company data is leaked or stolen. The financial, reputational and regulatory impact of having an organization’s critical assets stolen or damaged can be catastrophic, as evidenced by significant news coverage on data leaks in recent years.

Employees need to understand that companies can only protect themselves from such exposure by embedding an integrated insider threat program into their business that is capable of protecting their most critical assets from insider risk.

Whistle on a dark surface
(Chapter breaker)
2

Chapter 2

Whistleblowing — why confidence is an important factor

If employees choose to report concerns only to external parties, it may make the situation more complicated for companies to manage.

Whistleblowing regulation and legislation are becoming increasingly prevalent across the globe, driven in part by the demand for greater transparency. The trend toward encouraging individuals to blow the whistle is further fueled by the multimillion-dollar awards made to whistleblowers by the U.S. Securities and Exchange Commission.

EY survey has identified three important findings relating to whistleblowing:

1. There are rising levels of concern about unethical behavior among employees.
2. Awareness of whistleblowing hotlines is low, and the pressure on employees not to report concerns is substantial.
3. A significant number of respondents indicate they would report concerns externally irrespective of the response to any internal report they had made.

Unethical conduct

52%

of respondents have had information or concerns about misconduct in their company. And almost half of respondents have considered resigning over unethical conduct.

Suspicions of misconduct not only poses a threat to talent retention, but also indicates that the workforce may hold important information that companies could use to identify and detect misconduct.

Even when employees want to report, they may not know how. EY survey has found that only 21% of people are aware of a whistleblowing hotline within their company. And even when regulations require it — for instance, by the Financial Conduct Authority in the UK — whistleblowing appears to not be effectively embedded.

There is all too often a disgruntled former employee who is more than happy to talk to the SFO.
Hannah von Dadelszen
Joint Head of Fraud, UK Serious Fraud Office (SFO)

While awareness of internal reporting mechanisms is low, 73% of respondents would consider providing information about potential fraud, bribery and corruption in their business to an external third party.

The majority of EY survey respondents would only do so if no action was taken after reporting internally; however, 15% of respondents would report regardless of their company’s response. Further, a significant majority of those who would report information externally said they would go directly to a law enforcement agency or regulator.

In light of this, businesses need to consider how best to establish their whistleblowing helplines and other arrangements to ensure they capture any vital intelligence about misconduct known by their employees. This will enable organizations to react quickly, to address incidents and issues, and to prepare for any potential response from regulators or reports in the media.

Close up of a fence cutter
(Chapter breaker)
3

Chapter 3

Cyber breach response management

Responses between top management and more junior employees reflect a chasm that can have serious consequences.

Companies continue to face the threat of cyber attacks by various actors, including sovereign states, organized crime and terrorist groups. In the key growth-target regions of India and Africa, 72% and 58% of respondents respectively, considered cyber attacks to pose a high risk to companies similar to their own. Overall, almost half of those interviewed shared this view.

Given the broad-based recognition of the problem, it is therefore unsurprising that 59% of our respondents believed that their company should have a Cyber Breach Response Program (CBRP) in place.

Respondents to EY survey indicated, however, that awareness of such programs differs starkly between senior executives and more junior employees. While over half of all board directors and senior managers feel that their company has a CBRP in place, only 1 in 3 of other employees believed that their company had such a program.

If employees do not know how to escalate their concerns, issues that appear minor or localized may be left unreported. This may prevent the company from taking appropriate action to assess, investigate and respond in the event of a potential incident, impacting a company’s ability to reduce the extent of the damage incurred.

Close up of a fence cutter
(Chapter breaker)
4

Chapter 4

The way forward

Businesses are operating in an increasingly uncertain world driven by a period of rapid political, regulatory and economic change.

To respond to these challenges, companies need to go beyond minimum compliance requirements and develop programs that motivate all of their employees to do the right thing.

This includes establishing a training and awareness program that encourages those employees with concerns over unethical conduct to come forward. This should be reinforced by an effective risk management process that utilizes technology and machine logic to identify and mitigate external threats, such as those posed by potential business relationships or from cyber attacks.

EY EMEIA Fraud Survey 2017

The EY EMEIA Fraud Survey 2017 contains insights from business leaders on the risks and challenges organizations face in fighting fraud and corruption in an era of significant technological advances.

Download

Summary

Geopolitical, economic and social changes mean that traditional compliance frameworks may be based on assumptions that are no longer valid. Information is the key to mitigating the risks, and businesses should maximize the value they get from their data. This can be achieved by embracing the opportunities arising from an increasingly disrupted world.

About this article

By

Stefan Heissner

EY EMEIA Forensic & Integrity Services Leader

Former criminal police detective and consultant. Focused on fighting fraud and corruption. Helps create value by doing the right things in the right way.

Related topics Assurance Assurance Audit Risk