6th Global Economic Crime Survey Australian Results, 9 July 2012

pwc.com.au/crimesurvey
Cybercrime:
Out of obscurity
and into reality
6th PwC Global
Economic Crime Survey
An Australian snapshot
of economic crime
March 2012
The era of cybercrime is well and truly
upon us. Cybercrime is now globally
ranked the fourth most common
form of economic crime. In Australia
it ranks second. Sixty-three percent
of respondents perceive the risk of
cybercrime to have increased over
the last 12 months.
Contents
04 Introduction
07 What types of economic crime are businesses experiencing?
08 Fraud in Australia: how do we compare?
10 Cybercrime: the emerging economic crime
15 Forward thinking: will fraud continue to rise?
16 Finger on the pulse: preventing and detecting fraud
18 Finger on the trigger: responding to fraud
19 Conclusion & Demographics
20 Contacts
6th PwC Global Economic Crime Survey March 2012
Global respondents include private and public companies: 3,877 respondents from 78 countries.
Introduction
I am pleased to present the Australian results
of PwC’s Global Economic Crime Survey 2011.
The PwC Global Economic Crime
Survey has been conducted every two
years since 1999 and in Australia since
2001. It is one of the largest and most
comprehensive surveys of its kind.
The global and Australian surveys
were last released in 2009.
Since the last survey the world has
experienced challenging economic
circumstances. Significant changes
in the economies across Europe and
the Americas have resulted in market
volatility and uncertainty. These
economic conditions have increased
both opportunities and incentives to
commit economic crime. Worryingly,
the 2011 survey shows Australia
experienced economic crime at a
greater rate than the global average.
Our 6th PwC Global Economic Crime
Survey has focused on the rising threat
of cybercrime. As businesses and
individuals increase their reliance on
technology, they become exposed to a
growing range of cybercrime threats.
Many businesses may not yet have
taken the time to consider whether they
have sound cyber security mechanisms
in place, but ignoring this risk could
endanger their operations.
We would like to thank all of the
Australian participants in the 2011 survey.
We hope the information within this
report will provide valuable insight and
practical advice on how organisations can
continue their efforts to combat fraud and
other economic crimes.
Malcolm Shackell
Partner
Forensic Services
Fast facts for Australian organisations
• 47% said their organisation experienced economic crime in the last 12 months (up from 40% in 2009).
• 51% of those reporting economic crime experienced more than 10 incidents in the last 12 months.
• 16% said they suffered losses in the last 12 months that were in excess of AUD 5 million.
• 63% said they perceive the risk of cybercrime to have increased over the last 12 months.
Key findings
• 47% of Australian respondents
reported that their organisation had
experienced at least one instance of
economic crime in the last 12 months.
This compared to 34% globally and
31% in the Asia Pacific region. The
number of respondents who reported
instances of economic crime in
their organisation in Australia has
increased from 40% in 2009.
• Of those organisations that
experienced at least one instance of
economic crime, over 50% reported
that they suffered more than 10
occurrences. 14% of organisations were
subject to more than 1,000 incidents
of fraud in the last 12 months.
• More than 50% of Australian
respondents, who had experienced
economic crime in the last 12
months, reported their organisation
directly lost more than AUD 100,000
to economic crime during the last
12 months. 16% of organisations lost
more than AUD 5 million.
• The perception of the likelihood of an
organisation to experience economic
crime increased in 2011 compared
to 2009. For example: the perceived
likelihood of asset misappropriation
incidents increased from 31% in
2009 to 53% in 2011.
Cybercrime
• As businesses are making the most
of the upside of collaborative
technologies, so are cybercriminals.
Australian public and private networks
are under threat from sophisticated
cyber attacks every day.
• Globally, respondents ranked
cybercrime as the fourth most
commonly experienced economic
crime. In Australia, respondents
ranked cybercrime second, just
behind asset misappropriation.
• The level of cybercrime experienced in
the last 12 months in Australia (30%)
is significantly higher than global
(23%) and Asia Pacific (22%) levels.
• Technology and globalisation are
making the world a smaller place for
fraudsters, however many Australian
organisations continue to take a
reactive, instead of a proactive,
approach to managing cybercrime.
46% of respondents said they did not
have, or are not aware of having, the
in-house capability to prevent and
detect cybercrime.
• The majority (54%) of economic
crimes committed in Australia in
the last 12 months were by internal
fraudsters. This is a significant
increase from the results of our 2009
survey (33%). Organisations should
focus on ensuring their internal
controls are sufficiently mature to
mitigate the risk of internal fraud.
Fraud going green
Sustainability fraud is fraud in relation to carbon credit trading
markets, sustainability offsets and other environmental claims.
Sustainability fraud is an emerging global trend. With the introduction
of the Clean Energy Legislative Package which includes the Clean
Energy Act 2011 on 8 November 2011 in Australia, sustainability fraud
is likely to be an emerging economic crime domestically in the next
few years.
Emerging and evolving markets such as carbon trading carry a higher risk
of fraud as legislation and regulatory guidelines are in their infancy and
explicit market rules have not yet been standardised. The expected rapid
growth in the green economy may attract the interest of fraudsters and
organisations should be aware of the future potential dangers in this area.
Organisations need to apply the same due diligence and rigour to green
projects as for other core business projects. The development of the
European carbon market has already brought to light a number of incidents
of fraud and other manipulative behaviour. Sustainability fraud may
expose organisations to significant reputational damage as environmental
awareness increases in media and public circles.
What types of economic crime
are businesses experiencing?
Asset misappropriation is the
number one economic crime
experienced globally and in
Australia. As in previous years,
Australian organisations reported
a higher rate of economic crime
than global counterparts,
particularly in areas such
as asset misappropriation,
cybercrime and IP infringement.
Globally the top three economic crimes
experienced are asset misappropriation,
accounting fraud and bribery and
corruption. In Australia, the top
three economic crimes are asset
misappropriation, cybercrime and
bribery and corruption.
In previous surveys, Australia’s
experience with cybercrime was relatively
insignificant (and therefore was included
in “other” types of fraud). However, since
the 2009 survey the risk of cybercrime
has risen in line with increasing reliance
on new technologies such as smart
phones, tablets, social media and
cloud computing.
What types of economic crime have our respondents experienced
within the last 12 months?
[Chart: two panels, 2011 and 2009; bars for Global, Asia Pacific and Australia (0% to 90%). Categories: Asset misappropriation; Cybercrime (previously in "other"); Accounting fraud; Bribery and corruption; IP infringement; Money laundering; Anti-competitive behaviour; Insider trading; Tax fraud; Espionage; Sustainability fraud (previously in "other"); Other. Australia, cybercrime, 2011: 30%.]
Fraud in Australia:
how do we compare?
In the last 12 months, more
Australian organisations reported
being victims of economic crime
than their regional or global
counterparts. This follows a similar
trend to the 2009 PwC Global
Economic Crime Survey. In 2011,
47% of Australian respondents
reported that their organisation
had experienced an economic crime
within the last 12 months. This
compares to 31% in the Asia Pacific
region and 34% globally. All regions
experienced an increase in reported
economic crime since 2009.
More than 50% of the Australian
organisations that experienced economic
crime in the past 12 months reported
that they had suffered a loss of more
than AUD 100,000 to economic crime.
16% estimated that they lost more than
AUD 5 million to economic crime
in the previous 12 months, compared
to 7% globally and 8% in the Asia
Pacific region.
CV of an average Australian fraudster
Age: 31-40 years (55%)
Gender: Male (75%)
Qualifications: High school (40%)
Position: Middle management or junior staff member (90%)
Length of service: 3-5 years (40%)
An inside job
The share of economic crime incidents
committed by internal parties has
increased in Australia from 33% in
2009 to 54% in 2011. This escalation of
internal fraud highlights the importance
of maintaining an organisational focus
on preventative controls. Organisations
cannot rely solely on reactive fraud
measures. The “typical” internal fraud in
Australian organisations involves a longer
period of undiscovered deceptions, rather
than a single large fraudulent incident (as
is often the case with external fraud).
There is a limit to the influence
organisations have over external
fraudsters. However, internal fraud
can be significantly reduced by
organisational initiatives. Proactive
fraud prevention measures will help
organisations identify weaknesses in their
environment and reduce opportunities
for internal fraud. These measures
vary between organisations and may
include leadership messages about the
importance of appropriate standards of
ethical behaviour and demonstrating
this through consistent actions. In
addition organisations should consider
communicating their stance on fraudulent
behaviour, implementing transparent
performance and remuneration schemes,
using pre-employment and on-going
screening and, most importantly,
fostering a culture of fraud awareness.
Asset misappropriation
Asset misappropriation remains
globally, and in Australia, the most
commonly encountered economic
crime by organisations. Many of the
frauds experienced by organisations
fall into this category – including
employee expense fraud, fraudulent
invoicing, related payments and
inappropriate asset disposal.
This type of fraud often involves
high value cash or physical assets.
It is important for organisations to
review the way they mitigate the risks
associated with key assets.
Case study:
An operational manager of a large
manufacturing company had detailed
knowledge of the invoicing systems
which enabled them to create
fraudulent invoices inflating the
costs of regular supply of goods and
services from a third party. In addition
the employee had responsibility for
the management of asset disposal,
and had the ability to write down
stock to minimal value. This stock was
then sold on the secondary market for
a significant profit.
Our work involved an in-depth
review of third party supplier invoices
to substantiate the charges and
compare these charges to industry
standards. A detailed reconstruction
of inventory records for the past 5
years was undertaken in conjunction
with forensic imaging of a number
of employees’ machines to recover
historic inventory management data.
The total estimated loss was in
the range of AUD 8 million. Legal
proceedings are currently underway
to recover this loss.
Has your organisation experienced economic crime in the last 12 months?
(Only yes responses shown)
[Chart: bars for Global, Asia Pacific and Australia (0% to 50%), 2011 and 2009. Australia: 47% in 2011, 40% in 2009.]
In financial terms, how much do you think your organisation may have lost
directly through incidents of economic crime in the last 12 months?
[Chart: bars for Global, Asia Pacific and Australia (0% to 60%). Bands: More than 1 billion AUD; 100 million to 1 billion AUD; 5 million to 100 million AUD; 100,001 to 5 million AUD; Less than 100,000 AUD; Don’t know. Australia: 16% lost more than AUD 5 million.]
Thinking about the most serious economic crime in the last 12 months,
who was the main perpetrator?
[Chart: 2011 and 2009, internal versus external perpetrators. Australia, internal: 54% in 2011, 33% in 2009.]
Cybercrime:
the emerging economic crime
Cybercrime ranks as the second
most reported economic crime in
Australia in the last 12 months.
In prior years, cybercrime was
so statistically insignificant
that results were combined with
‘other types of fraud’. So why has
cybercrime increased so markedly?
Globally, businesses and governments
are increasing their reliance on cyber
technologies such as cloud computing,
online banking and social networks.
In tandem, the rate of change for new
technology is increasing and organisations
are struggling to keep up with the risks of
introducing and using new technology.
Cyber activity has provided both a new
type of economic crime and new vectors
to facilitate existing economic crimes. In
Australia 63% of respondents said that
they perceive the risks of cybercrime to
have increased over the last 12 months.
As shown in the graph to the right, this is
significantly higher than both global and
territory counterparts.
Has your perception of the risks of cybercrime to your organisation changed
over the last 12 months?
[Chart: stacked bars for Global, Asia Pacific and Australia (0% to 100%): Increased, Remained the same, Decreased. Australia: 63% increased.]
Location of greatest cybercrime threat to an organisation
[Chart: bars for Global, Asia Pacific and Australia (0% to 70%): Externally, Both internally and externally, Internally, Don’t know. Externally: 60% Australia, 46% Global.]
In Australia 60% of respondents see the
greatest risk of cybercrime coming from
outside their organisation compared
with only 46% globally. The recent
Australian media focus on external cyber
attacks may have increased this view.
However, cybercrime is no longer the
domain of young hackers; instead it is
committed by a multitude of offenders
with diverse motives:
• Insiders who have authorised access
and abuse this access for personal gain.
• Competitors seeking unfair advantage.
• Foreign governments committing
espionage for political or economic
gain.
• Trans-national criminal enterprises
stealing and/or extorting information
to generate income.
• Activists protesting organisational
actions or policies.
Cybercrime – it’s complicated
There is a perception that the cyber
risks facing Australian businesses are
greater today than ever before. This
is partly because media attention
around recent high profile cases has
increased organisational awareness
of the threat. Cybercrime can be
defined in a number of different
ways. The following definition was
used in this survey:
“Cybercrime, also known as
computer crime, is an economic
crime committed using computers
and the internet. It includes
distributing viruses, illegally
downloading files, phishing and
pharming, and stealing personal
information like bank account
details. It is only a cybercrime if a
computer, or computers, and the
internet play a central role in the
crime, not an incidental one.”
As with traditional economic crime,
cybercrime can take many different
forms:
• Targeted emails sent to employees
in the public domain (for example
CEO or Investor Relations) with
attachments that contain hidden,
malicious software that allows
the attacker to steal intellectual
property.
• Executives have their laptops
removed from a hotel safe and
tampered with (including the
installation of malicious software
on the machine that accesses
hard drive data through cyber
networks).
• A disgruntled contractor steals
confidential information (such
as bank account details, payroll
information and pricing data)
through computer and internet
access to the company network
and uses information for personal
advantage.
• An insider deliberately installs
malicious software (for example
viruses or trojans) on to a
corporate computer network
to log keystrokes and steal
information.
• Websites are defaced or disrupted
by an attack on an organisation’s
computer network so the server
does not perform properly or
prevents legitimate website
visitors from accessing the site.
• Employees using social
networking and media sites for
both personal and professional
purposes share large amounts of
personal and private information
which is then used to identify
and target individuals within
companies for identity theft or
circumvention of security controls.
Why worry?
When Australian organisations
were asked what impact of
cybercrime they were most
concerned about, 43% said
reputational damage, which
is significantly higher than the
number of people who were
concerned about actual financial
loss (24%).
One of the troubling features of this
emerging threat is that the impacts
associated with cybercrime are more
extensive than the bottom dollar.
In these uncertain economic times,
clients and customers place significant
reliance on the reputational strength
of the organisations with which they
deal. Reputational damage arising
from cybercrime outlasts the financial
impact and may considerably affect an
organisation’s client and customer base.
Some of the other characteristics that
make cybercrime dangerous include:
• Single event frauds – cybercrime
is often a single event crime, with
a potentially devastating one off
financial hit.
• Low risks and high rewards –
committing cybercrime is attractive
to many fraudsters, with the high
availability and decreasing costs
of technology lowering the set up
costs required to commit crime. In
addition, there may be fewer risks
when compared with frauds that
require a physical presence at the
target organisation.
• Anonymous perpetrators – the
technical knowledge of cybercrime
fraudsters means in many cases it
can be difficult for authorities to
identify the perpetrator or even the
location of the crime.
• Difficulty of recovery – cybercrime
is a global business with fraudsters
often located offshore. This makes
it difficult to arrest and prosecute
cybercriminals and – more
importantly – hinders efforts to
recover misappropriated funds.
What are the organisations surveyed most concerned about?
[Chart: bars for Global, Asia Pacific and Australia (0% to 50%). Australian figures: Reputational damage 43%; Theft or loss of personal identifiable information 37%; IP theft (including theft of data) 29%; Service disruption 28%; Actual financial loss 24%; Cost of investigation and damage control 18%; Regulatory risks 15%.]
Where has your USB been lately?
When working outside a secure office
environment, most employees are
aware of the need to protect sensitive
data contained in physical documents.
However, with the increased portability
of confidential data on smart phones,
tablets and USB drives, are we
being careful enough? Consider the
following questions:
• Where has your USB been?
• What wireless internet
connections have you used for
your company laptop and or smart
device? Were they all in the office,
or were some of them public
hotspots?
• How complex are your passwords?
Do you keep copies of your
passwords in secure locations?
• Who else has access to your
computer?
• Who have you provided your
personal information to?
Trans-national criminal enterprises
often maintain remote access
to target individuals and/or
corporations for six to 18 months
before they are detected. Therefore
it is imperative to focus efforts on
preventing the unfettered access in
the first place.
Case Study:
Targeting of executives
A recent cybercrime case targeted
senior executives of a large
multi-national organisation, who
routinely travelled to foreign
countries where the business had
offshore operations. The fraudsters
used sophisticated cybercrime
techniques as part of their campaign.
They produced a spoofed email from
a computer, compromised a website,
distributed malicious PDF documents
and other URL links, and downloaded
software to the victim company’s
network without its consent. The
malicious software gave super user
access to the company’s corporate
network.
Specialist forensic investigations
identified evidence of continuous
targeting for a significant period of
time. As a result of the investigation,
the infected machines were required
to be cleaned. The organisation has
since put further security controls in
place including forensic analysis of
machines before and after overseas
travel. In addition, senior executives
were educated about appropriate
security practices when travelling.
Are we prepared?
Organisations are aware and worried about
the potential consequences of cybercrime;
however many do not feel prepared.
When asked who holds the ultimate
responsibility for managing an
organisation’s cybercrime risks, 54%
of Australian respondents named the
Chief Information Officer or Chief
Security Officer. Only 23% specified
the CEO or the Board. In addition, only
44% of respondents reported that the
CEO and Board reviewed cyber-related
risks at least once a year. This indicates
that the current state of awareness of
cybercrime remains inconsistent. One in
five respondents said senior executives
never reviewed cybercrime risks or only
on an ad-hoc basis, suggesting these
risks are reviewed only after an event
has occurred.
The increasing prevalence and far
reaching impact of cybercrime means
it is no longer just an issue for the IT
department alone. Senior management
and Boards must take a more holistic
approach to understanding their
exposure to and appetite for cyber risks.
More than 60% of Australian
respondents felt the risk of cybercrime
was growing. Although it was pleasing
to see that only a small proportion
(35%) of respondents had not received
any cyber security related awareness
training, only 37% had received face
to face training (instead of email
announcements, banners or posters).
Only 38% of respondents said they
had in-house capabilities to investigate
cybercrime. In many organisations,
having in-house capabilities will not
be feasible. Therefore it is important
for organisations to have the ability to
quickly access the expertise of forensic
technology investigators. This is one
element of an organisation’s preparation
for cybercrime risks. Organisations
should assess their preparedness to
ensure they have the controls in place to
respond proactively instead of reactively
to emerging threats.
Protecting against
cybercrime
Many organisations simply do not know
where or how to start preparing for
these threats. Part of the problem is that
no one owns or controls the internet.
There is little governance, oversight or
regulatory power over its users. What’s
more, organised criminals have become
increasingly sophisticated in their
ability to exploit flaws in the way the
internet operates.
The pace of technology means that
organisations are constantly undergoing
business transformation to maintain a
leading edge. This exposes organisations
to unknown cyber threats through
constantly changing IT systems and
business processes. It is important
for organisations to have an overall
information security strategy that
addresses how they will approach the
three lines of defence for cybercrime:
prevention, detection and response.
The top ways to protect an organisation
against economic crime include:
• Tone from the top – having a
leadership team that ensures cyber
risks are a focus as the organisation
develops.
• Due diligence programs – to ensure
the organisation knows who it
engages with, including staff,
contractors, suppliers and agents.
• IT security framework – aligning IT
policies and programs and defining
the responsibilities of Internal Audit
and the board for maintaining
awareness of fraud.
• Regular fraud and cybercrime risk
assessments – to identify the inherent
risks present in an organisation and
ensure sufficient mitigating controls
are in place.
• Industry and environment
monitoring built into the security
function – to enable an organisation
to proactively develop responses to
current and growing cyber-risks.
• Incident response teams – which are
charged with tracking and assessing
cyber risks and dealing with an
incident as soon as it is identified.
• Education programs – to increase
situational awareness, an
organisation should invest in cyber
skills to help inspire those people
with the relevant skills to keep the
business safe.
On the front line with cyber security
Failure to respond immediately
to a cybercrime with resources
experienced in crisis management
and cyber investigative techniques
can result in significant financial
losses and irreparable damage to an
organisation’s reputation.
While critically important,
forensic investigative experience
is generally not a core competency
of leading global organisations.
Simply put, it is seldom practical
for most companies to maintain
the requisite forensic investigative
resources and technologies
necessary to effectively conduct
complex cyber investigations.
To gauge an organisation’s cyber
security expertise, some of the
questions that should be asked are:
• Is the threat of cybercrime on
the organisation’s risk register
and/or discussed?
• Does the organisation know the
number of security incidents
that occurred in the past year?
• Are executives’ machines
checked for tampering or
malicious software pre- and
post-travel to high-risk
countries?
• Does the organisation have
a security strategy and
governance approach that is
aligned with business strategy?
• Does the organisation have a
tested incident response plan
for cyber security issues?
Case Study:
The head of a small fast growing
client employed a number of senior
staff because they were ‘friends’
and felt they could be trusted. The
focus of the owner was on growing
the business, until one day it was
suddenly discovered that there was
no money in the bank accounts.
A review identified a series of
unauthorised ‘loans’ to senior staff
that were disguised as lease back
agreements, misuse of fuel cards
and other payments of personal
expenses. Three senior staff
resigned before the investigation
concluded.
As the investigation progressed,
significant unauthorised computer
activity in relation to internal
files was identified, leading to the
discovery of significant theft of IP.
It later transpired that the three
senior staff were trying to set up
a business in direct competition
with their former employer.
The issue was complicated because
management of the web portals
and e-mail systems had been
outsourced to a small web-design
company that was unable (or
unwilling) to respond quickly to
requests to block access.
Forward thinking:
will fraud continue to rise?
Since 2009, the perception of the
level of economic crime likely to
impact organisations in the future
has increased. A business only
becomes aware of a fraud when it
is uncovered, making it difficult for
many organisations to determine
their fraud risk exposure. But over
time, as more businesses mature in
their ability to detect fraud and as
more high profile cases appear in
the media, businesses will become
more aware of fraud as an issue.
Long standing fraud types such as asset
misappropriation, accounting fraud and
bribery and corruption remain high on
the list of economic crimes. However,
new risks such as cybercrime and
sustainability fraud are growing fast.
Which of these risks should be
the highest priority for organisations?
Fraud risks will vary from organisation
to organisation, however some
trends appear to be common. Asset
misappropriation is likely to remain
stable as the number one economic
crime affecting organisations.
Organisational controls over cash and
physical assets should remain a focus.
In Australia, organisations should
prioritise growing their capacity
to mitigate the risks presented by
economic crimes that appear to be on
the rise such as bribery and corruption,
cybercrime and sustainability fraud.
Thinking about the next 12 months, is it likely your organisation will
experience economic crime?
(Only yes responses shown)
[Chart: two panels, 2011 and 2009; bars for Global, Asia Pacific and Australia (0% to 90%). Categories: Asset misappropriation; Accounting fraud; Bribery and corruption; Cybercrime (previously not included); IP infringement; Money laundering; Tax fraud; Insider trading; Anti-competitive behaviour; Espionage; Sustainability fraud (previously not included). Australia, asset misappropriation: 53% in 2011, 31% in 2009.]
Finger on the pulse:
preventing and detecting fraud
Fraud detection is one of the
key elements in managing the
risk of fraud. The survey results
show that specific, targeted
fraud controls are the most
effective means of detecting
economic crime. In Australian
organisations 35% of fraud is
detected through a tip off, both by
internal and external sources and
through formalised whistleblower
programs (up from 30% in 2009).
Thinking about the most serious economic crime experienced,
how was the crime initially detected?
[Chart: two panels, 2011 and 2009; bars for Global, Asia Pacific and Australia (0% to 40%). Categories: Tip off (including whistleblowing program); Fraud risk management; Suspicious transaction reporting; Internal and external audit; Others; Corporate security (both IT and physical security); By accident; By law enforcement; Rotation of personnel; Don’t know. Australia, tip off: 35% in 2011, 30% in 2009; suspicious transaction reporting: 14% in 2011, 10% in 2009.]
This highlights the significant role
people play in detecting fraud.
Organisations should ensure their
detection programs use the power
of their staff through:
• Staff fraud awareness and
training programs.
• A whistleblower program that
staff trust.
• Maintaining and promoting
fraud reporting channels.
Responses demonstrate the importance
of having fraud risk management
procedures in place. 35% of economic
crimes reported by respondents
were detected through fraud risk
management and targeted suspicious
transaction reporting systems, up from
27% in 2009. An integral part of fraud
risk management is formalised fraud
risk assessments. Pleasingly, 79% of
Australian respondents stated their
organisation had performed a fraud risk
assessment at least once in the last
12 months.
Delving into data: suspicious transaction
reporting and targeted fraud data analytics
Suspicious transaction reporting is used to reduce the
risk of fraud and error in financial systems: it identifies
collusion between parties and processing errors (both
unintentional and fraudulent), and it ensures obsolete
information, such as vendors whose contracts have ended,
is retired from systems.
The reliance of organisations on suspicious transaction
reporting has increased globally from 5% in 2009 to 18%
in 2011. A similar trend has been found in Australia with an
increase from 10% in 2009 to 14% in 2011. This observation
supports the benefits organisations gain from performing
analysis of their financial systems to identify conflicts of
interest and potential fraud.
Case study: data analytics – expense claim
Data analytics were used to review unusual expense claims
made by staff, including senior executives, by matching
expense claims to policy allowances. Several years’ worth of
data was analysed for suspicious transactions. These expense
items were then matched to supporting documentation,
and where required ‘show cause’ notifications were given to
staff. The analysis showed employees had breached policy
allowances on multiple occasions. A further review was
performed around the approval processes for expense claims
and found that senior executives were using peer review to
approve claims.
Case study: suspicious transaction analysis –
fraudulent invoices
Suspicious transaction analysis tests were performed on a
client’s financial systems to identify any employees sharing
bank account or address details with vendors. During this
review the analysis identified an employee who worked in the
accounts payable department who had the same address as
a vendor. Initially the vendor was identified as a legitimate
small business contracted by the client to perform cleaning
services. After further investigation of the transactions, it
was discovered invoices had been issued and paid after the
vendor’s contract had been terminated. The employee had
continued to generate invoices for this vendor and due to
their position within the accounts payable department, paid
themselves up to half a million in fraudulent payments. In
interviews with investigators, the employee admitted to the
fraud. The employee has since been dismissed and criminal
and legal proceedings commenced.
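The two case studies above (policy-allowance matching on expense claims, and employee-to-vendor matching on bank account or address, followed by a check for invoices paid after contract termination) are ordinary joins once the ledger is in a queryable form. The following is an added example, not PwC's tooling or any client's data: the table layout, the address and account normalisation rules, and every employee, vendor, invoice and claim record are constructed for illustration. It runs the four tests the case studies describe over an in-memory SQLite ledger, including a reciprocal-approval check for the "peer review" approval pattern noted in the expense-claim case.

```python
"""Fraud data analytics over a constructed accounts-payable ledger.

Added example: schema, normalisation rules and records are invented for
illustration; they are not the survey's or any client's data.
"""
import re
import sqlite3

# Constructed sample records (not real people, vendors or payments).
EMPLOYEES = [  # id, name, address, bank_account, department
    (101, "A. Clerk", "12 Harbour St, Sydney NSW 2000", "062000-12345678", "Accounts Payable"),
    (102, "B. Exec", "5 Collins St, Melbourne VIC 3000", "063000-99887766", "Executive"),
    (103, "C. Exec", "7 Queen St, Brisbane QLD 4000", "064000-11223344", "Executive"),
]
VENDORS = [  # id, name, address, bank_account, contract_end (None = still active)
    (501, "Sparkle Cleaning Pty Ltd", "12 HARBOUR STREET, SYDNEY NSW 2000", "062000 12345678", "2010-06-30"),
    (502, "Office Supplies Co", "90 George St, Sydney NSW 2000", "065000-55443322", None),
]
INVOICES = [  # id, vendor_id, amount, invoice_date, entered_by (employee id)
    ("INV-1", 501, 4800.00, "2010-05-15", 101),
    ("INV-2", 501, 4800.00, "2010-08-15", 101),   # raised after the contract ended
    ("INV-3", 502, 120.00, "2011-02-01", 101),
]
CLAIMS = [  # id, employee_id, category, amount, approved_by (employee id)
    ("EXP-1", 102, "meals", 85.00, 103),
    ("EXP-2", 102, "meals", 240.00, 103),          # over the policy allowance
    ("EXP-3", 103, "accommodation", 200.00, 102),  # 102 and 103 approve each other
]
POLICY = [("meals", 100.00), ("accommodation", 250.00)]


def normalise_address(addr: str) -> str:
    """Upper-case, drop punctuation, abbreviate street types and collapse
    spaces, so '12 Harbour St,' and '12 HARBOUR STREET' compare equal."""
    s = re.sub(r"[^\w\s]", " ", addr.upper())
    for full, abbr in (("STREET", "ST"), ("ROAD", "RD"), ("AVENUE", "AVE")):
        s = re.sub(rf"\b{full}\b", abbr, s)
    return " ".join(s.split())


def normalise_account(acct: str) -> str:
    """Digits only, so BSB/account separators do not defeat the match."""
    return re.sub(r"\D", "", acct)


def build_db() -> sqlite3.Connection:
    """Load the constructed records into an in-memory SQLite ledger."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE employee(id INTEGER PRIMARY KEY, name TEXT, addr_norm TEXT,
                              acct_norm TEXT, dept TEXT);
        CREATE TABLE vendor(id INTEGER PRIMARY KEY, name TEXT, addr_norm TEXT,
                            acct_norm TEXT, contract_end TEXT);
        CREATE TABLE invoice(id TEXT PRIMARY KEY, vendor_id INTEGER, amount REAL,
                             invoice_date TEXT, entered_by INTEGER);
        CREATE TABLE claim(id TEXT PRIMARY KEY, employee_id INTEGER, category TEXT,
                           amount REAL, approved_by INTEGER);
        CREATE TABLE policy(category TEXT PRIMARY KEY, allowance REAL);
    """)
    con.executemany("INSERT INTO employee VALUES (?,?,?,?,?)",
                    [(i, n, normalise_address(a), normalise_account(b), d)
                     for i, n, a, b, d in EMPLOYEES])
    con.executemany("INSERT INTO vendor VALUES (?,?,?,?,?)",
                    [(i, n, normalise_address(a), normalise_account(b), e)
                     for i, n, a, b, e in VENDORS])
    con.executemany("INSERT INTO invoice VALUES (?,?,?,?,?)", INVOICES)
    con.executemany("INSERT INTO claim VALUES (?,?,?,?,?)", CLAIMS)
    con.executemany("INSERT INTO policy VALUES (?,?)", POLICY)
    return con


def shared_details(con):
    """Employees sharing a bank account or address with a vendor."""
    return con.execute("""
        SELECT e.id, v.id,
               CASE WHEN e.acct_norm = v.acct_norm THEN 'bank_account' ELSE 'address' END
        FROM employee e JOIN vendor v
          ON e.acct_norm = v.acct_norm OR e.addr_norm = v.addr_norm
        ORDER BY e.id, v.id""").fetchall()


def post_termination_invoices(con):
    """Invoices dated after the vendor's contract ended, and who entered them."""
    return con.execute("""
        SELECT i.id, i.vendor_id, i.invoice_date, v.contract_end, i.entered_by
        FROM invoice i JOIN vendor v ON v.id = i.vendor_id
        WHERE v.contract_end IS NOT NULL AND i.invoice_date > v.contract_end
        ORDER BY i.id""").fetchall()


def over_allowance_claims(con):
    """Expense claims exceeding the policy allowance for their category."""
    return con.execute("""
        SELECT c.id, c.employee_id, c.category, c.amount, p.allowance
        FROM claim c JOIN policy p ON p.category = c.category
        WHERE c.amount > p.allowance
        ORDER BY c.id""").fetchall()


def reciprocal_approvals(con):
    """Pairs of employees who approve each other's claims (peer review in
    place of an independent approver)."""
    return con.execute("""
        SELECT DISTINCT a.employee_id, a.approved_by
        FROM claim a JOIN claim b
          ON a.employee_id = b.approved_by AND a.approved_by = b.employee_id
        WHERE a.employee_id < a.approved_by""").fetchall()


def run_analytics() -> dict:
    """Run all four tests and return the hits keyed by test name."""
    con = build_db()
    return {
        "shared_details": shared_details(con),
        "post_termination_invoices": post_termination_invoices(con),
        "over_allowance_claims": over_allowance_claims(con),
        "reciprocal_approvals": reciprocal_approvals(con),
    }


if __name__ == "__main__":
    for test, hits in run_analytics().items():
        print(test, hits)
```

On the constructed data this flags employee 101 against vendor 501 (shared bank account), invoice INV-2 as paid after vendor 501's contract ended and entered by that same employee, claim EXP-2 as over the meals allowance, and employees 102 and 103 as approving each other's claims. Normalising addresses and account numbers before the join is what makes the first test useful in practice; a raw string comparison misses "St" against "STREET" or a differently punctuated BSB.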
The human touch: whistleblower programs
and detailed fraud risk assessments
Employees in an organisation, particularly lower level
management, usually have a very detailed understanding of
day to day transactions. These people are often the first to
pick up on transactions or behaviours that seem inconsistent
and suspicious. However, bringing these insights to light
requires effective reporting mechanisms.
Case study: Whistleblower program
A call from a whistleblower was the key first step in what
turned out to be a complex investigation into fraud, corruption
and serious workplace misconduct. The whistleblower
provided fragmentary but vital information about the activities
of an executive working in an ASX200 listed organisation.
The information provided by the whistleblower was
subsequently verified through the evidence obtained from
the organisation and through interviews. The investigation
uncovered a longstanding scheme to defraud the organisation
by manipulating inventory and assets through a third-party
supplier, as well as corruption in the form of preferential
dealings with a range of suppliers and 'kick-backs' benefitting
the executive. Having a whistleblower hotline gave this
organisation the channel to obtain crucial information and
the capacity to respond effectively.
Fraud risk assessments
Fraud risk assessments allow organisations to obtain a holistic
view of their exposure to fraud across a range of different sub
processes and functions. An effective and comprehensive fraud
risk assessment should:
• Identify potential fraud risks.
• Assess the likelihood and significance of risks occurring.
• Identify existing preventative and detective controls and
map them to the relevant fraud risks.
• Identify and evaluate residual fraud risks resulting from
ineffective or non-existent controls.
• Assign individual responsibility to manage and respond to
residual fraud risks.
Finger on the trigger:
responding to fraud
Many organisations have a
plan in place to respond if an
economic crime is detected.
But once an incident has been
confirmed, organisations can
be reluctant to take further
action against employees.
Survey responses show that 94% of
Australian organisations informed
law enforcement of economic crimes
committed by external fraudsters.
Reporting to law enforcement drops to
50% of organisations when the incident
involves an internal fraudster. Overall,
incidents involving internal fraudsters
have lower external reporting rates, with
the most common action being dismissal.
This increases the risk that employees
who have been disciplined by one
employer, but not reported to authorities,
may go to work for another employer and
continue fraudulent behaviour.
Organisations should have a holistic
action plan in place for responding to
economic crime that covers both
internal and external fraud incidents.
The actions taken against fraudsters
should be clearly outlined, and in the
case of an internal incident, be linked
to relevant Human Resources discipline
policies. This action plan should be
applied consistently to all incidents.
An organisation’s response to and
reporting of economic crime should
consider both their corporate and civil
responsibility.
Actions taken against fraudsters: internal fraudsters (chart compares Global, Asia Pacific and Australia; multiple responses allowed; Australian values as extracted)

Dismissal: 60%
Law enforcement informed: 50%
Notified relevant regulatory authorities: 30%
Warning/reprimand: 25%
Other: 5%
Also charted, values not recoverable from the extraction: Transfer; Civil action was taken, including recoveries; Did nothing; Don't know.
Actions taken against fraudsters: external fraudsters (chart compares Global, Asia Pacific and Australia; multiple responses allowed; Australian values as extracted)

Law enforcement informed: 94%
Civil action was taken, including recoveries: 47%
Notified relevant regulatory authorities: 41%
Cessation of the business relationship: 24%
Other: 6%
Did nothing: 0%
Also charted, value not recoverable from the extraction: Don't know.
Conclusion
The PwC Global Economic Crime Survey 2011 has shown the ever
increasing impact of fraud from both a value and a volume perspective.
Most significantly, 2011 brought into focus the emergence of cybercrime.
Incidents of cybercrime have risen rapidly in Australia and many
organisations are struggling to stay one step ahead.
Particularly in the current environment, all Australian organisations
should consider the economic crime risks within their operations and their
capabilities to proactively mitigate these risks.
Demographics
3,877 respondents; 78 countries; 79 Australian organisations; 34% senior executives
The PwC Global Economic Crime
Survey 2011 interviewed 3,877
(2009: 3,037) respondents
across 78 countries (2009:
54). Seventy-nine Australian
organisations, including some of
the largest in the country,
contributed to the research.
Interviews were conducted with
representatives from various
functions including finance, audit,
legal, human resources, security,
risk and compliance and at the
CEO and board level. Of the total
number of respondents, 34% were
senior executives of their respective
organisations (2009: 25%), 34%
represented listed organisations
(2009: 44%) and 54% represented
organisations with more than 1,000
employees (2009: 34%).
Industries covered included
aerospace and defence, automotive,
chemicals, communication, energy,
utilities and mining, engineering
and construction, entertainment
and media, financial services,
government services/public services,
healthcare, insurance, industrial
manufacturing, pharmaceuticals,
retail and consumer, technology and
transportation and logistics.
Further information on the survey demographics
and definitions of economic crime can be found in
the Global Economic Crime publication online at
www.pwc.com/crimesurvey
pwc.com.au/crimesurvey
For more information please contact:
Adelaide
Kim Cheater – Partner
+61 (8) 8218 7407
[email protected]
Melbourne
Steve Ingram – Partner
+61 (3) 8603 3676
[email protected]
Brisbane
David Harley – Principal
+61 (7) 3257 8307
[email protected]
Perth
Cameron Jones – Partner
+61 (8) 9238 3375
[email protected]
Canberra
Tony Grieves – Principal
+61 (2) 6271 9402
[email protected]
Sydney
Malcolm Shackell – Partner
+61 (2) 8266 2993
[email protected]
Melbourne
Michael Cerny – Partner
+61 (3) 8603 6866
[email protected]
Sydney
Cassandra Michie – Partner
+61 (2) 8266 2774
[email protected]
Liability is limited by the Accountant’s Scheme under the Professional Standards Act 1994 (NSW)
228729
© 2012 PricewaterhouseCoopers. All rights reserved. PwC refers to the Australian member firm, and may sometimes refer to the PwC network.
Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.