Indian firms ill-equipped to mitigate fraud

NEW DELHI--Fraudsters in India are increasingly targeting corporate data and moving away from physical assets, as they realize knowledge has become more valuable to businesses today.

KPMG unveiled findings from its India Fraud Survey 2012 on Monday which identified cybercrime, intellectual property (IP) fraud--including counterfeiting and piracy--and identity theft as frauds of the future. Such crimes rely on technology and allow fraudsters to work in groups to leverage their full strength, making companies across various industries vulnerable. This underlines a shift in the fraud landscape with criminals increasingly targeting organizational knowledge such as data and software code, rather than physical assets, the survey revealed.

Corporate India's unwillingness to see fraud as a strategic risk poses a grave threat to firms as they start experiencing frauds of the future

- Rohit Mahajan, KPMG India

"Over the last decade, knowledge has emerged as a key organizational asset," Rohit Mahajan, partner and co-head of forensic services, KPMG India, said at a media conference held here Monday. "It is only natural fraudsters will target these assets as they are much more valuable to companies today."

He added technology was changing the fraud landscape and challenging the boundaries of fraud risk management. "By misusing technology, even relatively simple frauds like those in procurement, can become sophisticated and difficult to detect. The frameworks which were sufficient to mitigate simple frauds are no longer effective against," Mahajan said.

More alarming, the KPMG survey uncovered that 70 percent of companies had no effective mechanism to tackle these frauds. The online study polled 293 C-level executives across industries, including financial services, real estate and infrastructure, travel tourism and leisure, and healthcare, from companies with an annual turnover of INR 5 billion to INR 10 billion (US$91.29 million to US$182.59 million).

Tech frauds factored into costs
India has seen an increase in reported cybercrime cases. In 2011, a total of 1,791 and 422 cybercrime cases were registered under the Information Technology Act 2000 and Indian Penal Code, respectively, compared to just 217 and 328 in 2007.

The KPMG survey also noted 38 percent of respondents had experienced cybercrime in the past year. Highlighting the unpreparedness of Indian companies to tackle future fraud, it said nearly 78 percent were unaware of the risks associated with IP infringement, counterfeiting or software piracy.

"Fraud is perceived as an inevitable cost of business," Richard Rekhy, CEO of KPMG India, said at the briefing. Some 71 percent felt fraud of any type was an inevitable cost of doing business, implying that fraud mitigation and risk management ranked low on their board level agenda, he said.

And while over 80 percent respondents had policies on accessing external Web sites and social media from their corporate network, 40 percent said their companies did not have specific guidelines on the kind of information that could be shared on social media. Around 53 percent said they had experienced identity theft, including password sharing, social engineering or malwares, and yet did not have any company policy to mitigate these incidences.

"Corporate India's unwillingness to see fraud as a strategic risk poses a grave threat to firms as they start experiencing frauds of the future," Mahajan said.

According to the study, there was high reliance on internal mechanisms such as general process controls and compliance frameworks to detect and prevent fraud. And while whistleblower hotlines were identified as an efficient method to uncover fraud or misconduct within an organization, only 50 percent of respondents said they had established such a hotline.

"Companies need to be aware of the various possible modus operandi, perpetrators, and gaps in internal controls. Only then can they develop an effective risk mitigation framework," Mahajan said.

High tolerance to bribery, corruption
According to the survey, 83 percent of respondents perceived bribery and corruption as a major concern, followed by e-commerce and other cyber-related frauds at 71 percent, and diversion and theft of funds or goods at 65 percent.

These findings differed from the previous survey conducted in 2010 where diversion and theft of funds or goods was identified as the most common fraud, followed by bribery and corruption, and cyber-related frauds.

The Indian business community also appeared reluctant to discuss bribery and corruption. Close to 70 percent of respondents said they faced no significant threat from it.

Around 72 percent said their company had a mechanism to address bribery and corruption, however, few respondents chose to answer questions pertaining to such a mechanism, indicating high levels of tolerance to bribery and corruption.

"Tolerance to bribery and corruption reflects poorly on the company's business practices, efficiency, and overall maturity in the industry as it questions the company's capabilities to operate in a level-playing field alongside competition," the KPMG survey noted.

Financial services, and information and entertainment were identified as sectors most prone to frauds due to their high dependence on technology, large transactional data in electronic form, as well as confidential information they held.

The survey rated procurement, sales, and distribution and inventory as the most vulnerable processes within an organization. These processes were characterized by large number of stakeholders, multiple touch-points, and increasingly complex processes involving a significant proportion of an organization's funds. Additionally, these processes involved a high degree of interaction with external stakeholders such as vendors and customers, where collusion could override certain internal controls, KPMG said.

According to Rekhy, India's proposed Companies Bill 2011 is a key legislation. If enacted, it is likely to prompt companies to consider establishing a fraud risk management policy. The Bill places onus on independent directors to ascertain and ensure the company has an adequate and functional vigil mechanism.

Swati Prasad is a freelance IT writer based in India.