SlideShare a Scribd company logo

MGI Fraud Report 2017

S
Steve Greene

The MGI Fraud Review 2017 summarizes significant fraud cases in Australia, highlighting the rise of cyber fraud, with 90% of businesses targeted by email fraud and a notable increase in identity theft. Key case studies include credit card fraud involving misappropriation by a CEO, business email compromise, payroll fraud through duplicate entries, and supplier fraud due to inadequate verification processes. The document emphasizes the need for robust internal controls and training to mitigate fraud risks across all sectors.

Business
1 of 12
1
2
3
4
5
6
7
8
9
10
11
12
A Review of Actual Fraud Cases in 2017 FRAUD REVIEW
Contents Introduction 3 Fraud Snapshot 4 Case Studies Outlook for 2018 9 Summary 10 Credit Card Fraud 5 Business Email Compromise Fraud 6 Payroll Fraud 7 Supplier Fraud 8 2MGI Fraud Review 2017 | A Review of Actual Fraud Cases in 2017
3 Fraud costs Australian businesses hundreds of thousands of dollars every year, and these are just the instances that have been detected. Fraud can occur in any organisation, no matter what size, industry or sector. Fraud has been uncovered in the public and private sectors, in for-profit and not-for-profit entities, and in small, medium and large enterprises. MGI’s audit division helps its clients deter and detect fraud by staying abreast of current fraud cases in Australia. MGI works with clients to implement controls and safeguards to reduce the risk of fraud. This fraud update is a summary of fraud cases uncovered by MGI Audit & Assurance and other exposed fraud cases in Australia during 2017. This update identifies the key factors that permitted the fraud to occur and provides recommendations to reduce the risks of these types of fraud in your business. Stephen Greene Director – Audit & Assurance MGI Fraud Review 2017 | A Review of Actual Fraud Cases in 2017 Introduction
Fraud Snapshot 4MGI Fraud Review 2017 | A Review of Actual Fraud Cases in 2017 Change to the following stats: 1)Cyber crime and Online scamming of businesses is up 30% in 2017 2) 90% of Australian business have been targeted by email fraud in 2017 (2016: 78%), with 54% using 'spoof' email domain names. 3) More than a quarter of all Australians (27%) have been a victim of identity theft in 2017 (2016: 21%) 4) 72% of small and medium sized businesses do not believe cyber fraud is a considerable risk to their organisation 5) 36% of all frauds in Australia are carried out by the organisation's own management. 6) 40% of frauds in Australia take place over a 5 year period - detection is taking too long. 30% 90% 27% 40% The increase in cyber crime and online scamming in 2017 versus 2016. Australian businesses targeted by email fraud in 2017, with 54% using ‘spoof’ email domain names. The proportion of Australians that have been a victim of identity theft in 2017. Fraud in Australia takes place over a five-year period – detection is taking too long. 72% 36% Small and medium sized business that do not believe that cyber fraud is a considerable risk to their business. Frauds in Australia carried out by an organisation’s own management.
Case Studies | Credit Card Fraud 5 Background • Involved the President of a large community- based organisation. • The president made multiple personal purchases on his corporate credit card, including holidays, payment of his personal mortgage and payment of family members’ monthly phone bills. • The total cost of personal expenditure on the corporate credit card was in excess of $475,000 over six years. • It is reported that the President’s credit card statement was only queried once in an 11-year tenure. • The internal accountant was in charge of reviewing the President’s credit card transactions, but was unlikely to question transactions given the power held. How did this fraud occur? • No internal controls implemented within a high fraud risk area. • The second reviewer of the President’s corporate card was in a management position rather than another Board position (e.g. the Treasurer, member of the Finance Sub- Committee, etc.) MGI Fraud Review 2017 | A Review of Actual Fraud Cases in 2017 • Limited review of the profit or loss statement expense codes against budget, given that these expenses would have been recognised in one or more expense codes each year. Frequency of the fraud risk • The fraud occurred continuously across a six-year period. How did this fraud get detected? • A change in the CEO prompted a forensic audit into the expenditure of the organisation. Whilst the CEO was sacked by the Board, the investigation uncovered sufficient evidence for an independent review to be conducted. How to reduce this fraud risk? • Document and implement a credit card policy, clearly stating out the permitted uses and limits of each credit card holder. • Ensure a detailed review of all credit card expenses is performed by an appropriate member of staff. For senior management credit cards, it is essential that the reviewer is of a sufficient seniority to be in a position to question any anomalies. • Ensure all expenses are scrutinised against budget, and any variances are investigated.
Case Studies | Business Email Compromise Fraud 6 Background • Business Email Compromise (BEC) fraud is one of today’s greatest cyber threats. • Involved a large private company CFO. • Fraudsters took on the role of the CEO by hacking the company’s email account and reviewing typical requests for payment made by the CEO to the CFO. • Fraudsters created a fake chain of emails between the CEO and the Board, appearing to approve the transfer of funds to a nominated bank account for a deposit on new machinery. • The CFO made the transfer as the email requested to the fraudulent bank account. • While a control had been implemented for the CFO to require a second authoriser in bank transfers, the finance manager was on leave and left their online bank details and passwords with the CFO (their immediate line manager). • This was not covered by the company’s insurance, and the amount paid was lost by the Company. How did this fraud occur? • Email requests accepted at face value. • No secondary communication set up confirming bank transfer requests. • Dual authorisation control of bank payments/ transfers was not followed. Frequency of the fraud risk • According to the latest statistics on BEC fraud, 90% of all Australian businesses have experienced BEC attempts in 2017. How did this fraud get detected? • The payment of the deposit was highlighted in the monthly finance meeting with the Finance Sub- Committee and noted that it was bogus. • The fraud was therefore only detected after the event occurred, without the chance of the company recovering the amount paid. How to reduce this fraud risk? • All bank payments and transfers should pass through the standard accounts payable procedures, ensuring documentation is available to support all bank transactions. • In the event that miscellaneous bank transfers are permitted (by senior management or an owner), a secondary communication check should be provided prior to approval, e.g. an email request should be followed-up by a telephone call. • Dual signatory control on all bank payments should be followed at all times, with pre-approved limits for each level of authority approved by the Board. • IT controls are implemented, such as Domain- based Message Authentication, Reporting and Conformance (DMARC) software, highlighting potential fraudulent attempts of your email systems. MGI Fraud Review 2017 | A Review of Actual Fraud Cases in 2017
Related fraud cases • In addition to duplicate employees, fictitious employees being set up in the system is also a risk (particularly for businesses with a large number of employees). Spot-checks by a secondary reviewer back to employee files will reduce this risk. Case Studies | Payroll Fraud 7 Background • Involved the payroll clerk of a large private business.The payroll clerk had been with the organisation for more than fifteen years. • The payroll clerk had full autonomy to run payroll transactions, change pay rates, add new employees and transact leave entitlements. • The clerk set up duplicate employees in the payroll system with the exact names of current employees at the time (e.g. two John Smiths). • The bank account details of one of the names were legitimate. However, the second duplicate employee’s salary would be paid into the payroll clerk’s personal bank account. • While final pay-run checks were performed by senior management, this was an overall reasonableness review and not line-by-line, as the business had over 80 employees. How did this fraud occur? • Over-reliance of trust placed on one payroll clerk to perform all payroll transactions. • Payroll clerk continued to perform payroll duties remotely, even when on annual leave (at the clerk’s request). Frequency of the fraud risk • This fraud occurred on multiple pay-runs over multiple years until detected. • While this fraud is internal, it is likely that this fraud would continue to occur until detected, or until the employee left the organisation. How did this fraud get detected? • Computer Assisted Audit Techniques (CAATS) recognised duplicate payroll names in the payroll audit trail. How to reduce this fraud risk? • Ensure segregation of duties within payroll processes. • Implement spot-checks of individual pay-runs, ensuring a sample of employee details are vouched back to their employee file (including pay rates, bank account details, etc.). • Request that final pay-run reports to be reviewed by management are printed in alphabetical order to highlight duplicate employees more easily. MGI Fraud Review 2017 | A Review of Actual Fraud Cases in 2017
Case Studies | Supplier Fraud 8 Background • Involved a small-to-medium enterprise (SME). • A request was received via email posing as one of the business’ suppliers notifying them that they had changed bank account details. • The bogus email received from the supplier matched the exact email logos, footers, disclaimers etc. of the supplier’s actual email tag (that the accounts clerk was familiar with). • The accounts clerk changed the supplier’s bank details in their system without any additional checks or processes, and the company made a number of payments to the fraudulent bank account. Frequency of the Fraud Risk • This fraud instance resulted in four payments made to a fraudulent bank account over the space of two weeks. • This external fraud risk is likely to continue to occur until detected. How did this fraud occur? • No secondary controls were implemented for supplier bank account amendments. • Email requests from associates were accepted on face value. How did this fraud get detected? • The company’s bank notified them that the new bank account of the supplier was high risk and to confirm the transaction with the supplier. • Upon a secondary check was performed with the supplier, it was found that the bank account request was fake. How to reduce this fraud risk? • Ensure controls are implemented within the accounts payable process for changes to supplier details, especially bank account amendments. • If requests are received via email (no matter how legitimate the may appear), confirm the request with a telephone call to the supplier contact. • If requests are received via telephone, request that an email/letter is sent to confirm authenticity. • Regularly reconcile accounts payable ledgers with supplier statements to investigate any discrepancies. MGI Fraud Review 2017 | A Review of Actual Fraud Cases in 2017
Outlook for 2018 | Cyber Fraud on the Rise 9 Education and Training Most employees of small and medium-sized business are acutely unaware of the risks that may unfold if they open a fake speeding ticket invoice attachment from the Australian Police or fake energy bill from Origin. Providing basic training to your staff on the types of common cyber fraud out there will be money well spent in protecting your business from this ever-increasing risk. Detection and Prevention Detecting cyber fraud and implementing controls to prevent future attacks is essential in the war against cyber fraudsters. Detecting cyber fraud starts with implementing and documenting detailed internal financial and accounting controls. Remaining vigilant and questioning all variations to your internal policies will highlight that bogus request from a supplier to change bank details, or the email request to transfer money to a designated account. In addition, your IT policies and procedures must have standard controls such as regular penetration tests, sophisticated user passwords and phishing detection software to detect any cyber breaches. IT controls should also cover preventative measures, such as sufficient and up to date virus and firewall software. MGI Fraud Review 2017 | A Review of Actual Fraud Cases in 2017 While the rates of cyber fraud are already alarmingly high, the Australian Government estimates that all types of cyber fraud will continue to rise, and become the “new norm”. Especially at risk are small and medium-sized business according to the Reserve Bank’s Cyber Security Chief, who believes fraudsters are turning their attention to “easier prey” at the smaller end of town. Smaller businesses are less likely to take cyber fraud risks as seriously as larger listed organisations, and therefore likely to have weaker preventative controls against common cyber fraud techniques such as email phishing, ransomware and identity theft to name but a few. While cyber fraud attempts are now unfortunately inevitable for most Australian businesses as we move into 2018, it is essential that all organisations understand the risks of cyber fraud and plan accordingly. The key areas we advise our clients to consider with regards to cyber fraud are as follows:
Outlook for 2018 | Cyber Fraud on the Rise 10 Disaster Recovery If the first two areas fail, then having sufficient disaster recovery systems is essential to reduce business disruption and loss of data. For example, if back ups are being taken to a cloud server every 15 minutes and an employee accidentally opens a phishing email with a ransomware attachment, the business can be up and running on the back up version within the hour with only minimal loss of data. Disaster recovery is, therefore, the final line of defence in an ever-increasing cyber fraud environment. MGI Fraud Review 2017 | A Review of Actual Fraud Cases in 2017 Key tips when reviewing your disaster recovery systems: Ensure your disaster recovery system is documented in a jargon-free policy that all the Principles of the business can understand and follow. If your IT Manager is on a beach in Florida when a cyber fraud event occurs, there needs to be a second option. Ensure your data back ups occur regularly. Having backs ups only occurring once a day still leaves your business open to business disruption in the event of an attack. We recommend back ups should be taken as regular as possible to reduce this risk. Test your disaster recovery process! We recommend testing a full system recovery at least annually. If you have external IT providers, ensure they are testing this and providing confirmation reports on the success of the restoration regularly.
Summary 11 The level of sophistication of current day fraud requires boards and management to improve their internal controls and ensure their organisations are well placed to deter and detect fraud. Fraud can occur in any organisation, no matter what size, industry or sector. Fraud has been uncovered in the public and private sectors, in for-profit and not-for-profit entities, and in small, medium and large enterprises. Our recent experiences with fraud has highlighted IT risk as the fastest growing fraud risk for organisations, due to the increasing reliance on information technology, paperless financial systems and cloud-based software. This increasing reliance has also increased the fraud opportunities to target businesses whose IT controls have not been upgraded to match their usage. It is essential that your organisation implements and documents sufficient internal controls to prevent and detect all potential types of fraud that may impact your business. This starts by having experienced auditors assisting your organisation to highlight all potential fraud risks. Speak to one of our team today about our free IT Cyber Fraud Healthcheck, which will uncover any potential weaknesses to your current cyber fraud controls and recommendations for improvement. MGI Fraud Review 2017 | A Review of Actual Fraud Cases in 2017
Get in touch 12MGI Fraud Review 2017 | A Review of Actual Fraud Cases in 2017 Graeme Kent Director – Audit and Assurance Mobile 0414 828 812 Email gkent@mgisq.com.au Stephen Greene Director – Audit and Assurance Mobile 0426 510 812 Email sgreene@mgisq.com.au This publication contains general information only and MGI Audit and Assurance is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your organisation. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. MGI Audit and Assurance shall not be responsible for any loss sustained by any person who relies on this publication.

More Related Content

PPTX
2016 MSCPA Fraud Conference Presentation
Ron Steinkamp
 
PPTX
Simple Training for Information Security and Payment Fraud
Evan Francen
 
PPTX
2016 - Fraud Detection & Prevention with Internal Controls (Updated for 2016 ...
Ron Steinkamp
 
PDF
Payroll Fraud by Andrew Firth, Forensic Accountant
Rushmore Forensic
 
PDF
The State of Corporate Fraud, Survey 2018
aakash malhotra
 
PDF
Findings from India Fraud Survey 2012: Fraud and Corporate Governance - Chang...
EY
 
PDF
Forensic line - fraud prevention and detection tool
Haládik Consulting, s.r.o.
 
PDF
Economic-Crime-Thailand-PwC-Consulting
ittimol weeramongkolkul
 
2016 MSCPA Fraud Conference Presentation
Ron Steinkamp
 
Simple Training for Information Security and Payment Fraud
Evan Francen
 
2016 - Fraud Detection & Prevention with Internal Controls (Updated for 2016 ...
Ron Steinkamp
 
Payroll Fraud by Andrew Firth, Forensic Accountant
Rushmore Forensic
 
The State of Corporate Fraud, Survey 2018
aakash malhotra
 
Findings from India Fraud Survey 2012: Fraud and Corporate Governance - Chang...
EY
 
Forensic line - fraud prevention and detection tool
Haládik Consulting, s.r.o.
 
Economic-Crime-Thailand-PwC-Consulting
ittimol weeramongkolkul
 

What's hot (20)

PPT
Presentation on fraud prevention, detection & control
Dominic Sroda Korkoryi
 
PPTX
Fraud Risk and Control
WeaverCPAs
 
PPTX
Q1 2016 Fraud Detection, Prevention & Risk Management
Ron Steinkamp
 
PPTX
Fraud principles1
Sevisa Isufaj
 
PPTX
Occupational Fraud The Facts and How to Protect Your Organization Webinar_FIN...
Ron Steinkamp
 
PDF
Fraud & Risk Management - A Guide to Good Practice
Arianto Muditomo
 
PDF
Financial Crime Compliance at Standard Chartered
TEDxMongKok
 
PDF
Fraud Awareness
Pamela Mantone
 
PPTX
Causes, Effects and Management of Fraud: A Study with reference to Indian Ban...
central university of rajasthan
 
PDF
How to Use Data Analytics to Detect Fixed Asset and Inventory Fraud
FraudBusters
 
PPT
Fraud And Internal Controls Linked In April 2011
John Hall, CPA - Keynote Speaker Consultant
 
PPSX
Fraud Risk
F a h a d Z a f a r (Bradford MBA)
 
PDF
Internal Control Issues in Fraud Cases
DecosimoCPAs
 
PPTX
Bank Fraud & Data Forensics
whbrown5
 
PPTX
Fraud Awareness
Yogi Schulz
 
PDF
Fraud Prevention
Gerald Johnson
 
PDF
Recognizing and Preventing Fixed Asset and Inventory Fraud using Data Analysis
FraudBusters
 
PPT
W:\Scott & Baldwin\Marketing\Business Leadership Seminars\September 2008\...
Scott & Baldwin CPAs
 
PPT
Fight Fraud with Employee Fraud Training
Case IQ
 
PDF
Financial crime anti-money laundering - bovill briefing
Bovill
 
Presentation on fraud prevention, detection & control
Dominic Sroda Korkoryi
 
Fraud Risk and Control
WeaverCPAs
 
Q1 2016 Fraud Detection, Prevention & Risk Management
Ron Steinkamp
 
Fraud principles1
Sevisa Isufaj
 
Occupational Fraud The Facts and How to Protect Your Organization Webinar_FIN...
Ron Steinkamp
 
Fraud & Risk Management - A Guide to Good Practice
Arianto Muditomo
 
Financial Crime Compliance at Standard Chartered
TEDxMongKok
 
Fraud Awareness
Pamela Mantone
 
Causes, Effects and Management of Fraud: A Study with reference to Indian Ban...
central university of rajasthan
 
How to Use Data Analytics to Detect Fixed Asset and Inventory Fraud
FraudBusters
 
Fraud And Internal Controls Linked In April 2011
John Hall, CPA - Keynote Speaker Consultant
 
Fraud Risk
F a h a d Z a f a r (Bradford MBA)
 
Internal Control Issues in Fraud Cases
DecosimoCPAs
 
Bank Fraud & Data Forensics
whbrown5
 
Fraud Awareness
Yogi Schulz
 
Fraud Prevention
Gerald Johnson
 
Recognizing and Preventing Fixed Asset and Inventory Fraud using Data Analysis
FraudBusters
 
W:\Scott & Baldwin\Marketing\Business Leadership Seminars\September 2008\...
Scott & Baldwin CPAs
 
Fight Fraud with Employee Fraud Training
Case IQ
 
Financial crime anti-money laundering - bovill briefing
Bovill
 

Similar to MGI Fraud Report 2017 (20)

PDF
Be prepared to deal with fraud for web
Katie Farrow
 
PDF
Fraud Prevention, Detection and Investigation in the Payday Advance Industry
DecosimoCPAs
 
PPTX
Insider Threat: Cases and Controls to Prevent Internal Fraud and Prevention
Case IQ
 
PPTX
McKonly & Asbury Webinar - Fraud Not If, But When
McKonly & Asbury, LLP
 
PPT
CPE Event: Business Fraud
FindGreatPeople
 
PPTX
fraud-controlin applications-and789.pptx
hanningtonwamala1
 
PDF
Preventing Nonprofit Banking Fraud and the Tools You Can Use!
tomciolkosz
 
PDF
FHRBOC Preventing NFP Banking Fraud
tomciolkosz
 
PDF
Fraud Awareness Guide for Businesses
Shred Station
 
PDF
How to Prevent and Detect Fraud in Your Organization
Gross, Mendelsohn & Associates
 
PPTX
2012 777 The Seven Blind Spots in Business and How to Prevent Them
Smith Family Business Initiative at Cornell
 
PDF
Taking a Closer Look - Assessing Risk of Fraud in the Payday Advance Industry
DecosimoCPAs
 
PPT
Combating Fraud : Putting in Place an Effective Audit System to Detect and Pr...
Pairat Srivilairit
 
PPT
Cdic 2009 fraud audit pairat 4
Pairat Srivilairit
 
PDF
Red Flags You’re Missing: How Manufacturers Can Detect and Prevent Employee F...
Gross, Mendelsohn & Associates
 
PPTX
Fraud Prevention for Small Businesses and Non-Profits
Bond Beebe Accountants & Advisors
 
PPSX
Fraud Risk Awareness
Adnan Khuram Hayat
 
PPTX
Internal Control And Fraud 11-19-10
Ed Tobias
 
PDF
Annual Fraud Update
DecosimoCPAs
 
PPT
Tips for Recognizing Fraud
Dennis L. Thompson, CPA, CFE
 
Be prepared to deal with fraud for web
Katie Farrow
 
Fraud Prevention, Detection and Investigation in the Payday Advance Industry
DecosimoCPAs
 
Insider Threat: Cases and Controls to Prevent Internal Fraud and Prevention
Case IQ
 
McKonly & Asbury Webinar - Fraud Not If, But When
McKonly & Asbury, LLP
 
CPE Event: Business Fraud
FindGreatPeople
 
fraud-controlin applications-and789.pptx
hanningtonwamala1
 
Preventing Nonprofit Banking Fraud and the Tools You Can Use!
tomciolkosz
 
FHRBOC Preventing NFP Banking Fraud
tomciolkosz
 
Fraud Awareness Guide for Businesses
Shred Station
 
How to Prevent and Detect Fraud in Your Organization
Gross, Mendelsohn & Associates
 
2012 777 The Seven Blind Spots in Business and How to Prevent Them
Smith Family Business Initiative at Cornell
 
Taking a Closer Look - Assessing Risk of Fraud in the Payday Advance Industry
DecosimoCPAs
 
Combating Fraud : Putting in Place an Effective Audit System to Detect and Pr...
Pairat Srivilairit
 
Cdic 2009 fraud audit pairat 4
Pairat Srivilairit
 
Red Flags You’re Missing: How Manufacturers Can Detect and Prevent Employee F...
Gross, Mendelsohn & Associates
 
Fraud Prevention for Small Businesses and Non-Profits
Bond Beebe Accountants & Advisors
 
Fraud Risk Awareness
Adnan Khuram Hayat
 
Internal Control And Fraud 11-19-10
Ed Tobias
 
Annual Fraud Update
DecosimoCPAs
 
Tips for Recognizing Fraud
Dennis L. Thompson, CPA, CFE
 

Recently uploaded (20)

PPTX
Dragon_Fruit_Cultivation_in Nepal ppt.pptx
UmeshTimilsina1
 
PDF
Laughter Yoga Basic Learning Workshop Manual
yeechensee
 
PPTX
AI-assistance in Knowledge Collection and Curation supporting Safe and Sustai...
Barry Hardy
 
DOCX
unit 1 COST ACCOUNTING AND COST SHEET
MANJU N
 
PDF
Traveri Digital Marketing Seminar 2025 by Corey and Jessica Perlman
Corey Perlman, Social Media Speaker and Consultant
 
PPT
Data mining for business intelligence ch04 sharda
salmaalsaeed3
 
PPT
Chapter four Project-Preparation material
argachewbochena1
 
PDF
DOC-20250806-WA0002._20250806_112011_0000.pdf
dhanusriss08
 
PDF
pdfcoffee.com-opt-b1plus-sb-answers.pdfvi
thaoonguyenn2311
 
PDF
Dr. Enrique Segura Ense Group - A Self-Made Entrepreneur And Executive
Dr. Enrique Segura Ense Group
 
PDF
How to Get Funding for Your Trucking Business
Jake Thornhill
 
PDF
Power and position in leadershipDOC-20250808-WA0011..pdf
meghavinikumar2006
 
PDF
Katrina Stoneking: Shaking Up the Alcohol Beverage Industry
CIO WOMEN MAGAIZNE CIO WOMEN MAGAIZNE
 
DOCX
Euro SEO Services 1st 3 General Updates.docx
AmirNazir49
 
PDF
A Brief Introduction About Julia Allison
Julia Allison
 
PDF
WRN_Investor_Presentation_August 2025.pdf
cmagee4
 
PPTX
Belch_12e_PPT_Ch18_Accessible_university.pptx
Haitham327103
 
PPTX
HR Introduction Slide (1).pptx on hr intro
suhanidwivedi227
 
PDF
kom-180-proposal-for-a-directive-amending-directive-2014-45-eu-and-directive-...
nlusch08
 
PDF
Reconciliation AND MEMORANDUM RECONCILATION
MANJU N
 
Dragon_Fruit_Cultivation_in Nepal ppt.pptx
UmeshTimilsina1
 
Laughter Yoga Basic Learning Workshop Manual
yeechensee
 
AI-assistance in Knowledge Collection and Curation supporting Safe and Sustai...
Barry Hardy
 
unit 1 COST ACCOUNTING AND COST SHEET
MANJU N
 
Traveri Digital Marketing Seminar 2025 by Corey and Jessica Perlman
Corey Perlman, Social Media Speaker and Consultant
 
Data mining for business intelligence ch04 sharda
salmaalsaeed3
 
Chapter four Project-Preparation material
argachewbochena1
 
DOC-20250806-WA0002._20250806_112011_0000.pdf
dhanusriss08
 
pdfcoffee.com-opt-b1plus-sb-answers.pdfvi
thaoonguyenn2311
 
Dr. Enrique Segura Ense Group - A Self-Made Entrepreneur And Executive
Dr. Enrique Segura Ense Group
 
How to Get Funding for Your Trucking Business
Jake Thornhill
 
Power and position in leadershipDOC-20250808-WA0011..pdf
meghavinikumar2006
 
Katrina Stoneking: Shaking Up the Alcohol Beverage Industry
CIO WOMEN MAGAIZNE CIO WOMEN MAGAIZNE
 
Euro SEO Services 1st 3 General Updates.docx
AmirNazir49
 
A Brief Introduction About Julia Allison
Julia Allison
 
WRN_Investor_Presentation_August 2025.pdf
cmagee4
 
Belch_12e_PPT_Ch18_Accessible_university.pptx
Haitham327103
 
HR Introduction Slide (1).pptx on hr intro
suhanidwivedi227
 
kom-180-proposal-for-a-directive-amending-directive-2014-45-eu-and-directive-...
nlusch08
 
Reconciliation AND MEMORANDUM RECONCILATION
MANJU N
 

MGI Fraud Report 2017

  • 1. A Review of Actual Fraud Cases in 2017 FRAUD REVIEW
  • 2. Contents Introduction 3 Fraud Snapshot 4 Case Studies Outlook for 2018 9 Summary 10 Credit Card Fraud 5 Business Email Compromise Fraud 6 Payroll Fraud 7 Supplier Fraud 8 2MGI Fraud Review 2017 | A Review of Actual Fraud Cases in 2017
  • 3. 3 Fraud costs Australian businesses hundreds of thousands of dollars every year, and these are just the instances that have been detected. Fraud can occur in any organisation, no matter what size, industry or sector. Fraud has been uncovered in the public and private sectors, in for-profit and not-for-profit entities, and in small, medium and large enterprises. MGI’s audit division helps its clients deter and detect fraud by staying abreast of current fraud cases in Australia. MGI works with clients to implement controls and safeguards to reduce the risk of fraud. This fraud update is a summary of fraud cases uncovered by MGI Audit & Assurance and other exposed fraud cases in Australia during 2017. This update identifies the key factors that permitted the fraud to occur and provides recommendations to reduce the risks of these types of fraud in your business. Stephen Greene Director – Audit & Assurance MGI Fraud Review 2017 | A Review of Actual Fraud Cases in 2017 Introduction
  • 4. Fraud Snapshot 4MGI Fraud Review 2017 | A Review of Actual Fraud Cases in 2017 Change to the following stats: 1)Cyber crime and Online scamming of businesses is up 30% in 2017 2) 90% of Australian business have been targeted by email fraud in 2017 (2016: 78%), with 54% using 'spoof' email domain names. 3) More than a quarter of all Australians (27%) have been a victim of identity theft in 2017 (2016: 21%) 4) 72% of small and medium sized businesses do not believe cyber fraud is a considerable risk to their organisation 5) 36% of all frauds in Australia are carried out by the organisation's own management. 6) 40% of frauds in Australia take place over a 5 year period - detection is taking too long. 30% 90% 27% 40% The increase in cyber crime and online scamming in 2017 versus 2016. Australian businesses targeted by email fraud in 2017, with 54% using ‘spoof’ email domain names. The proportion of Australians that have been a victim of identity theft in 2017. Fraud in Australia takes place over a five-year period – detection is taking too long. 72% 36% Small and medium sized business that do not believe that cyber fraud is a considerable risk to their business. Frauds in Australia carried out by an organisation’s own management.
  • 5. Case Studies | Credit Card Fraud 5 Background • Involved the President of a large community- based organisation. • The president made multiple personal purchases on his corporate credit card, including holidays, payment of his personal mortgage and payment of family members’ monthly phone bills. • The total cost of personal expenditure on the corporate credit card was in excess of $475,000 over six years. • It is reported that the President’s credit card statement was only queried once in an 11-year tenure. • The internal accountant was in charge of reviewing the President’s credit card transactions, but was unlikely to question transactions given the power held. How did this fraud occur? • No internal controls implemented within a high fraud risk area. • The second reviewer of the President’s corporate card was in a management position rather than another Board position (e.g. the Treasurer, member of the Finance Sub- Committee, etc.) MGI Fraud Review 2017 | A Review of Actual Fraud Cases in 2017 • Limited review of the profit or loss statement expense codes against budget, given that these expenses would have been recognised in one or more expense codes each year. Frequency of the fraud risk • The fraud occurred continuously across a six-year period. How did this fraud get detected? • A change in the CEO prompted a forensic audit into the expenditure of the organisation. Whilst the CEO was sacked by the Board, the investigation uncovered sufficient evidence for an independent review to be conducted. How to reduce this fraud risk? • Document and implement a credit card policy, clearly stating out the permitted uses and limits of each credit card holder. • Ensure a detailed review of all credit card expenses is performed by an appropriate member of staff. For senior management credit cards, it is essential that the reviewer is of a sufficient seniority to be in a position to question any anomalies. • Ensure all expenses are scrutinised against budget, and any variances are investigated.
  • 6. Case Studies | Business Email Compromise Fraud 6 Background • Business Email Compromise (BEC) fraud is one of today’s greatest cyber threats. • Involved a large private company CFO. • Fraudsters took on the role of the CEO by hacking the company’s email account and reviewing typical requests for payment made by the CEO to the CFO. • Fraudsters created a fake chain of emails between the CEO and the Board, appearing to approve the transfer of funds to a nominated bank account for a deposit on new machinery. • The CFO made the transfer as the email requested to the fraudulent bank account. • While a control had been implemented for the CFO to require a second authoriser in bank transfers, the finance manager was on leave and left their online bank details and passwords with the CFO (their immediate line manager). • This was not covered by the company’s insurance, and the amount paid was lost by the Company. How did this fraud occur? • Email requests accepted at face value. • No secondary communication set up confirming bank transfer requests. • Dual authorisation control of bank payments/ transfers was not followed. Frequency of the fraud risk • According to the latest statistics on BEC fraud, 90% of all Australian businesses have experienced BEC attempts in 2017. How did this fraud get detected? • The payment of the deposit was highlighted in the monthly finance meeting with the Finance Sub- Committee and noted that it was bogus. • The fraud was therefore only detected after the event occurred, without the chance of the company recovering the amount paid. How to reduce this fraud risk? • All bank payments and transfers should pass through the standard accounts payable procedures, ensuring documentation is available to support all bank transactions. • In the event that miscellaneous bank transfers are permitted (by senior management or an owner), a secondary communication check should be provided prior to approval, e.g. an email request should be followed-up by a telephone call. • Dual signatory control on all bank payments should be followed at all times, with pre-approved limits for each level of authority approved by the Board. • IT controls are implemented, such as Domain- based Message Authentication, Reporting and Conformance (DMARC) software, highlighting potential fraudulent attempts of your email systems. MGI Fraud Review 2017 | A Review of Actual Fraud Cases in 2017
  • 7. Related fraud cases • In addition to duplicate employees, fictitious employees being set up in the system is also a risk (particularly for businesses with a large number of employees). Spot-checks by a secondary reviewer back to employee files will reduce this risk. Case Studies | Payroll Fraud 7 Background • Involved the payroll clerk of a large private business.The payroll clerk had been with the organisation for more than fifteen years. • The payroll clerk had full autonomy to run payroll transactions, change pay rates, add new employees and transact leave entitlements. • The clerk set up duplicate employees in the payroll system with the exact names of current employees at the time (e.g. two John Smiths). • The bank account details of one of the names were legitimate. However, the second duplicate employee’s salary would be paid into the payroll clerk’s personal bank account. • While final pay-run checks were performed by senior management, this was an overall reasonableness review and not line-by-line, as the business had over 80 employees. How did this fraud occur? • Over-reliance of trust placed on one payroll clerk to perform all payroll transactions. • Payroll clerk continued to perform payroll duties remotely, even when on annual leave (at the clerk’s request). Frequency of the fraud risk • This fraud occurred on multiple pay-runs over multiple years until detected. • While this fraud is internal, it is likely that this fraud would continue to occur until detected, or until the employee left the organisation. How did this fraud get detected? • Computer Assisted Audit Techniques (CAATS) recognised duplicate payroll names in the payroll audit trail. How to reduce this fraud risk? • Ensure segregation of duties within payroll processes. • Implement spot-checks of individual pay-runs, ensuring a sample of employee details are vouched back to their employee file (including pay rates, bank account details, etc.). • Request that final pay-run reports to be reviewed by management are printed in alphabetical order to highlight duplicate employees more easily. MGI Fraud Review 2017 | A Review of Actual Fraud Cases in 2017
  • 8. Case Studies | Supplier Fraud 8 Background • Involved a small-to-medium enterprise (SME). • A request was received via email posing as one of the business’ suppliers notifying them that they had changed bank account details. • The bogus email received from the supplier matched the exact email logos, footers, disclaimers etc. of the supplier’s actual email tag (that the accounts clerk was familiar with). • The accounts clerk changed the supplier’s bank details in their system without any additional checks or processes, and the company made a number of payments to the fraudulent bank account. Frequency of the Fraud Risk • This fraud instance resulted in four payments made to a fraudulent bank account over the space of two weeks. • This external fraud risk is likely to continue to occur until detected. How did this fraud occur? • No secondary controls were implemented for supplier bank account amendments. • Email requests from associates were accepted on face value. How did this fraud get detected? • The company’s bank notified them that the new bank account of the supplier was high risk and to confirm the transaction with the supplier. • Upon a secondary check was performed with the supplier, it was found that the bank account request was fake. How to reduce this fraud risk? • Ensure controls are implemented within the accounts payable process for changes to supplier details, especially bank account amendments. • If requests are received via email (no matter how legitimate the may appear), confirm the request with a telephone call to the supplier contact. • If requests are received via telephone, request that an email/letter is sent to confirm authenticity. • Regularly reconcile accounts payable ledgers with supplier statements to investigate any discrepancies. MGI Fraud Review 2017 | A Review of Actual Fraud Cases in 2017
  • 9. Outlook for 2018 | Cyber Fraud on the Rise 9 Education and Training Most employees of small and medium-sized business are acutely unaware of the risks that may unfold if they open a fake speeding ticket invoice attachment from the Australian Police or fake energy bill from Origin. Providing basic training to your staff on the types of common cyber fraud out there will be money well spent in protecting your business from this ever-increasing risk. Detection and Prevention Detecting cyber fraud and implementing controls to prevent future attacks is essential in the war against cyber fraudsters. Detecting cyber fraud starts with implementing and documenting detailed internal financial and accounting controls. Remaining vigilant and questioning all variations to your internal policies will highlight that bogus request from a supplier to change bank details, or the email request to transfer money to a designated account. In addition, your IT policies and procedures must have standard controls such as regular penetration tests, sophisticated user passwords and phishing detection software to detect any cyber breaches. IT controls should also cover preventative measures, such as sufficient and up to date virus and firewall software. MGI Fraud Review 2017 | A Review of Actual Fraud Cases in 2017 While the rates of cyber fraud are already alarmingly high, the Australian Government estimates that all types of cyber fraud will continue to rise, and become the “new norm”. Especially at risk are small and medium-sized business according to the Reserve Bank’s Cyber Security Chief, who believes fraudsters are turning their attention to “easier prey” at the smaller end of town. Smaller businesses are less likely to take cyber fraud risks as seriously as larger listed organisations, and therefore likely to have weaker preventative controls against common cyber fraud techniques such as email phishing, ransomware and identity theft to name but a few. While cyber fraud attempts are now unfortunately inevitable for most Australian businesses as we move into 2018, it is essential that all organisations understand the risks of cyber fraud and plan accordingly. The key areas we advise our clients to consider with regards to cyber fraud are as follows:
  • 10. Outlook for 2018 | Cyber Fraud on the Rise 10 Disaster Recovery If the first two areas fail, then having sufficient disaster recovery systems is essential to reduce business disruption and loss of data. For example, if back ups are being taken to a cloud server every 15 minutes and an employee accidentally opens a phishing email with a ransomware attachment, the business can be up and running on the back up version within the hour with only minimal loss of data. Disaster recovery is, therefore, the final line of defence in an ever-increasing cyber fraud environment. MGI Fraud Review 2017 | A Review of Actual Fraud Cases in 2017 Key tips when reviewing your disaster recovery systems: Ensure your disaster recovery system is documented in a jargon-free policy that all the Principles of the business can understand and follow. If your IT Manager is on a beach in Florida when a cyber fraud event occurs, there needs to be a second option. Ensure your data back ups occur regularly. Having backs ups only occurring once a day still leaves your business open to business disruption in the event of an attack. We recommend back ups should be taken as regular as possible to reduce this risk. Test your disaster recovery process! We recommend testing a full system recovery at least annually. If you have external IT providers, ensure they are testing this and providing confirmation reports on the success of the restoration regularly.
  • 11. Summary 11 The level of sophistication of current day fraud requires boards and management to improve their internal controls and ensure their organisations are well placed to deter and detect fraud. Fraud can occur in any organisation, no matter what size, industry or sector. Fraud has been uncovered in the public and private sectors, in for-profit and not-for-profit entities, and in small, medium and large enterprises. Our recent experiences with fraud has highlighted IT risk as the fastest growing fraud risk for organisations, due to the increasing reliance on information technology, paperless financial systems and cloud-based software. This increasing reliance has also increased the fraud opportunities to target businesses whose IT controls have not been upgraded to match their usage. It is essential that your organisation implements and documents sufficient internal controls to prevent and detect all potential types of fraud that may impact your business. This starts by having experienced auditors assisting your organisation to highlight all potential fraud risks. Speak to one of our team today about our free IT Cyber Fraud Healthcheck, which will uncover any potential weaknesses to your current cyber fraud controls and recommendations for improvement. MGI Fraud Review 2017 | A Review of Actual Fraud Cases in 2017
  • 12. Get in touch 12MGI Fraud Review 2017 | A Review of Actual Fraud Cases in 2017 Graeme Kent Director – Audit and Assurance Mobile 0414 828 812 Email gkent@mgisq.com.au Stephen Greene Director – Audit and Assurance Mobile 0426 510 812 Email sgreene@mgisq.com.au This publication contains general information only and MGI Audit and Assurance is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your organisation. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. MGI Audit and Assurance shall not be responsible for any loss sustained by any person who relies on this publication.