
Employees And Fraud Risks - UiTM Masters in Accounting Special Lecture


Published in: Business
  • A lot of information is there. Presentation is good and people should be aware of scam or fraud. Thanks
  • Great Presentation. You're extremely right. Fraud Risks. We've started to notice these types of scam on the site.


  1. EMPLOYEES AND FRAUD RISKS: CNI’s Journey, Mistakes, and Lessons Learned. Kenny Ong, CNI Holdings Berhad
  2. Contents:
     • Case Study
     • Formula for Risk in CNI
     • Defining Risk Mitigation
     • Reducing Fraud risk Probabilities
     • Decreasing the Impact
     • Successful Risk Management programs
     • Researchable fraud areas
  3. This was what happened…
     • Fraud Case Studies:
     • Lost Tickets
     • Over claims
     • Undercutting
     • F/L-Leader pact
     • Swiss cash
  4. Intro and Background: Different Business, Different Frauds
  5. Intro: CNI
     • 18 years old
     • Core Business: MLM
     • Others: Contract Manufacturing, Export/Trading, eCommerce
     • Malaysia, Singapore, Brunei, Indonesia, India, China, Hong Kong, Philippines, Italy, Taiwan
     • Staff force: ± 500
     • Distributors: 250,000
     • Products: Consumer Goods and Services
  6. Intro: CNI
  7. Intro: CNI
     • CNI’s Business Model background
     Diagram labels: Factory, CNIE, DC, SP, Leaders, Customers
  8. A. Risk Mitigation in CNI: No Business, No Risks.
  9. No Business, No Risks.
     • Ironically, our success is the cause of risk
     • More success, more money, more fraud
     • Easiest way to reduce fraud is to reduce business
     • Don’t laugh. This is what most FAC and HR people do, unintentionally
  10. Fraud Risk Mitigation? (1/2)
     • We follow standard Fraud definitions:
     • What is Fraud?
     • Someone is Lying
     • Someone is Benefiting
     • Both Conditions must be met in order to be considered Fraud.
  11. Fraud Risk Mitigation? (2/2)
     • We follow standard Fraud definitions:
     • Risk = Likelihood x Impact
     • Risk Mitigation =
     • ↓ Likelihood, or
     • ↓ Impact
  12. Def: “Likelihood”

     | Likelihood | Definition |
     |---|---|
     | 1. Very Low | 5% likely to happen, hasn’t occurred within last 5 years |
     | 2. Low | 20% likely to happen, has occurred within last 5 years |
     | 3. Medium | 50% likely to happen, has occurred within last 24 months |
     | 4. High | 75% likely to happen, has occurred within last 12 months |
     | 5. Very high | 99% likely to happen, has occurred within last 12 months |

  13. Def: “Impact”

     | Impact | Sub A | Sub B | Sub C | Sub C |
     |---|---|---|---|---|
     | 1. Insignificant | 0-10K | 0-5K | 0-2K | 0-4K |
     | 2. Minor | 11K-100K | 6K-25K | 3K-10K | 5K-20K |
     | 3. Moderate | 101K-500K | 26K-50K | 11K-20K | 21K-40K |
     | 4. Serious | 501K-1M | 51K-100K | 21K-30K | 41K-60K |
     | 5. Very Serious | >1.0M | >100K | >30K | >60K |

  14. CNI Risk Categories
     • Four Categories of Risk in CNI:
     • Operational Risk
     • Compliance Risk
     • Financial Risk
     • Strategic Risk
  15. How CNI Implemented Risk Management
     • Concept for BOD Approval (please refer to slides Risk and Crisis Management - CNI BOD presentation v3.ppt)
     • Implementation Plan (please refer to slides FRAMEWORK PRESENTATION.ppt)
  16. Examples of CNI Risks and Calculations
     • Please refer to Handouts
  17. Examples of Fraud Mitigation Actions: Fraud Risks
  18. Where are the Fraud Risks?
     • Industry
     • Management
     • Staff
     • Frontline
     • Suppliers/Vendors
     • Retail Front
  19. Industry Risks
     • Get-Rich-Quick Schemes (Skim Cepat Kaya)
     • Direct Selling myths
     • Bad Hats
     • Imposters
     • Products on Shelves
     These Fraud risks affect all Direct Selling organizations but cannot be controlled by us. Only in joint efforts by drafting & pushing new regulations
  20. Real Fraud, Real Risks
     • DC Fraud
     • Staff Fraud
     • Management Fraud
     • Distributor
     • DC Assistant
     • SP
     • Payroll
     • Undercutting
     • Purchasing
     • Credit Card
     • Ghost Staff
     • Ghost Distributor
     • Financial Reporting
     • Theft
     • F/L
     • eCommerce
     • Tickets
     • Share manipulation
  21. B. Reducing Fraud risk Probabilities: Prevent. Deter. Kill.
  22. Fraud Root Causes
     • Policy problem
     • People problem
     • Unavoidable problem
  23. Risk Mitigation Strategies
     Diagram labels: Culture, Mitigation, Identified Fraud Risks, Structure, Resources, Leadership, Person
  24. Alignment: Framework (Structure)
     • Org Structure
     • Job Design – C.Fraud.O.
     • Policies & procedures
     • Governance, Internal Controls
     • Management Systems, SOPs
     • Central
     • Special Task Force
     • Internal Audit, Surprise Audit, Regular Audit (Surveillance)
     • Levels of Authority, Power Balancing*
  25. *Power Balancing
     • Propose
     • Approve
     • Execute
     • Monitor
     Diagram labels: BOD Set 1, BOD Set 2, Approval/Verification
  26. Alignment: Framework (Resources)
     • Tools
     • ICT Systems
     • Rules detection
     • Whistle Blower
     • PED
     • Profiling/Assessment Tools
     • Budget for Investigation, Litigation
  27. Strategy: Framework (Leadership)
     • PED
     • Involuntary Role Modeling
     • Personal accountability and Commitment
     • 10 Ants Values
     • Watch out: Current people promoted to Key Positions
     • Promotional criteria
  28. Alignment: Framework (Person)
     • New Employee Background checks
     • Willingness to Punish
     • Root Cause Analysis (Mager & Pipe)
     • Rotation
     • PED
     • Fraud Detection & Analysis Competency
     • High Risk Jobs
     • IT breaches through Frontline
  29. The Four Desperates
     1. Desperate Competition
     2. Desperate Consumer
     3. Desperate Achievers
     4. Desperate Changes
  30. PED
  31. Possible General Root Causes for Fraud
     • "Everyone does it."
     • "It was small potatoes."
     • "They had it coming." – the revenge syndrome
     • "I had it coming." – the equity syndrome
  32. GENERAL STRATEGIES AND POLICIES
     • B1. Classification of Behaviors
         • B1.1 Disrespectful Workplace Behavior
         • B1.2 Progressive Discipline
         • B1.3 Zero Tolerance
  33. GENERAL STRATEGIES AND POLICIES
     • B2. Recruitment and Selection
     • B3. Exit
     • B4. Employee Assistance Program
     • B5. Anonymous Hotline
     • B6. Communication and Feedback
     • B7. Training and Education
     • B8. Formal Complaint and Grievance
  34. GENERAL STRATEGIES AND POLICIES
     • B9 Leadership
         • 1. Leaders act as role models whether consciously or unconsciously
         • 2. Leaders determine the working environment
  35. GENERAL STRATEGIES AND POLICIES
     • B9 Leadership
         • 1. Educate
         • 2. Involve
         • 3. Teach
         • 4. Eliminate
  36. SPECIFIC STRATEGIES AND POLICIES
     • C1. Theft and Fraud – Root Causes
         • Profile: 68.6% - no prior criminal record, Aged 26-40 years old, Annual income between RM15k-RM30k, 2-5 yrs of service
         • Struggling financially or large purchases
             • difficult time in their lives
             • gets out of hand
         • Merger and acquisition or reorganization activity.
             • ‘I don’t have a career here’ attitude.
  37. SPECIFIC STRATEGIES AND POLICIES
     • C1. Theft and Fraud - Prevention
         • Background checks
         • Duties segregated
         • Anonymous hotline
         • Share the wealth
         • Communicate successes
         • Make a big noise when discovered
         • Video surveillance equipment
  38. SPECIFIC STRATEGIES AND POLICIES
     • C2. Violation of confidentiality or security of company information - Prevention
         • a. ICT Security Policies*
         • b. Ownership of Intellectual Property
         • c. Inside Information and Trading of CNI shares
  39. *ICT Security and Fraud (1/3)
     • Biggest ICT risks to CNI
     • Security – All matters relating to the ‘coming-in’ and ‘going-out’ of all systems and information
     • Backup - including Storage of critical and non-critical information and Disaster Recovery
     • Continuity – Availability of systems and information at a 24x7x365 standard
  40. *ICT Security and Fraud (2/3)
     • The following are threats faced by CNI from ‘inside’ the company:
     • Current Employees,
     • On-site Contractors,
     • Former Employees,
     • Vendors/Suppliers,
     • Strategic Partners, and
     • OEMs
  41. *ICT Security and Fraud (3/3)
     ICT Security, Backup, and Continuity Strategies 2005-2008:
     • Web browsing and Internet Access
     • Username and passwords
     • Instant Messaging
     • E-Mail
     • File access permissions
     • Backups
     • Crisis management, Disaster recovery and Business Continuity
     • Physical
     • PCs and laptops
     • Remote access
     • Servers, routers, and switches
     • Internet / external network
     • Wireless
     • PDA and cell phone
     • Documentation and change management
  42. C. Decreasing the Impact: We failed. Now what?
  43. Why Impact?
     • Escaped prevention
         • Policy or Procedure
         • Performance
     • Cannot reduce likelihood - unavoidable
  44. Levels of Impact (Fraud)
     • small impact
     • BIG impact
     • Tangible
         • Monetary Loss (>1,000,000) inc. capital, share price
         • Locality
     • Intangible
         • Reputation, Image
         • Competitiveness
         • Consumer confidence
  45. small Impact
     • Escaped prevention
         • Policy or Procedure
         • Performance
     • Cannot reduce likelihood - unavoidable
     • CAR/PAR
     • Mager & Pipe
     • Study Trends
     • PAR
  46. Real Fraud, Real Risks
     • DC Fraud
     • Staff Fraud
     • Management Fraud
     • Distributor
     • DC Assistant
     • SP
     • Payroll
     • Undercutting
     • Purchasing
     • Credit Card
     • Ghost Staff
     • Ghost Distributor
     • Financial Reporting
     • Theft
     • F/L
     • eCommerce
     • Tickets
     • Share manipulation
  47. Real Fraud, Real Risks
     • DC Fraud
     • Staff Fraud
     • Management Fraud
     • Distributor
     • DC Assistant
     • SP
     • Payroll
     • Undercutting
     • Purchasing
     • Credit Card
     • Ghost Staff
     • Ghost Distributor
     • Financial Reporting
     • Theft
     • F/L
     • eCommerce
     • Tickets
     • Share manipulation
  48. Investigation: Principles
     • Preserve Evidence = documents, computers, laptops, voicemails, emails, phone logs, security camera tapes etc.
     • Focused on Facts
     • Avoid (or try to avoid) legal exposure e.g. defamation, unlawful dismissal etc.
     • Verdict/Punishment only after investigation is complete and results obtained
     • Precedence
     • Limit number of people
     • Involve Professionals/Third Party whenever possible
  49. Investigation: Process
     1. Case Tip Off
     2. Investigating Office (I/O)
     3. Internal Inquiry
     4. Management Decision
     5. Public Disclosure
     6. CAR/PAR
     Other diagram labels: External Legal, External P.I., Independent Panel
  50. BIG Impact
     • Crisis Management Plan
     • Crisis Communications Plan
  51. Crisis Management Plan
     Table columns: Crisis: Business Function; Before (readiness for crisis); During (sound crisis management); After (profiting and learning)
     Table rows: Policy and Planning; Process Owner: [dept. accountable]; Communications; Logistics & Info Systems
  52. Crisis Communication Plan
     • Crisis Communication Team (to determine small or BIG for communications purposes)
     • Crisis Media Plan
         • Media Management
         • Media Centre
         • Crisis Spokesperson & Interview
         • Press Release
  53. • No case study from CNI on Crisis Communications arising from Fraud
     • Not yet happened (fingers crossed)
  54. D. Tracking and Reporting
  55. • “Asking the people responsible for preventing a problem if there is a problem is like delivering lettuce by rabbit”
     • Norman Augustine
     • CEO & Chairman, Lockheed Martin
  56. Tracking: Who? How?
     • Centralized monitoring: trends, patterns, flag unusual, symptoms
     • Regular reporting
     • BSC, KPI and PMS embedded
     • RWC – RMC
     • Industry comparison
     • IAD, MSD, RD, SDD
  57. E. New Fraud Risks: We need help.
  58. New Fraud Opportunities: CNI
     • Change in Business Model: Inexperienced
     • eCommerce
     • Partner Merchants
     • Franchise
     • Conventional retail
     • M&A Targets
  59. eCommerce Frauds
     Diagram labels: Account Takeover Pharming Counterfeit Advances Phishing Application Lost/Stolen Credit Cards eCom Frauds?
  60. Latest Fraud topics: General
     • Whistle Blowing compensation: tied to $$ amount of fraud exposed
     • New US law -> Not allowed to sue Accountants, Auditors, Lawyers. What implications?
     • Credit Crunch = Tighter Cash Flow = More desperate people = more Fraud?
     • Sub-prime crisis + Société Générale = Transparency, Disclosure, Relationship Transparency
  61. Fraud: Research Options?
     • Profile of a Fraudster in Malaysia
     • New Fraud Risks in the 21st century business environment
     • Internet, eCommerce, and ICT related Fraud risks and prevention
     • Company Culture and its influence on Fraud Risks
     • HR practices that can decrease Fraud in a company
  62. Risk Management: Research Options?
     • New Strategic Risks faced by businesses
     • Embedding Risk Management into Strategic Planning
     • New Risks in the 21st century business environment
     • Risk Management in Small and Medium sized companies in Malaysia
     • The role of Risk Management in Mergers & Acquisitions
  63. End Points
  64. Dangers of Direct Incentives
     • lessen internal motivation
     • switch to mercenary mode
     • do something and do not do something else
     • easier for competitors to recruit
     • lessen teamwork & helpful culture
     • less and less impact for same value
     • mockery of base salary and employment contract
     • rebellion from non-incentivised staff
     • end up incentivising everyone for everything?
     • bribe and fraud culture
  65. Mistakes and Lessons Learned
     • Price to Pay for Fraud/Risk Mitigation => Business Flexibility
     • Control vs. Growth
     • Rules vs. Humanity/Motivation
     • Not tackling the root cause i.e. Motive + Opportunity i.e. Humans
     • Focus on FAC vs. Sales/Marketing => who has control?
     • Relationship Role vs. Enforcement Role e.g. SDD/Ticketing, FTF vs. RD
  66. In the end…
     • Great Wall of China
         • humans are the weakest link
         • bad treatment of staff will lead to weak link i.e. easier to bribe, easier to con, etc;
         • bad treatment examples: insulting, lose face, broken promises, no dignity, public criticism, restructure without communication
  67. Thank You. soft copy of slides: