Interpreting the Energy Risks from EY s 2016 Global Fraud Survey

Interpreting the Energy Risks from EY's 2016 Global Fraud Survey
SCCE Utilities & Energy Compliance and Ethics Conference, Washington D.C.

Global Fraud Survey - Approach

Between October 2015 and January 2016, our researchers, the global market research agency Ipsos MORI, conducted 2,825 interviews in the local language with senior decision-makers in a sample of the largest companies in 62 countries and territories. The polling sample was designed to elicit the views of executives with responsibility for tackling fraud, mainly CFOs, CCOs, general counsel and heads of internal audit.

Key Risk Areas

Unethical Behavior: Almost half of respondents could justify inappropriate conduct in an economic downturn to meet financial targets.

Risk of Cyber Crime: Many respondents do not view the risk of cyber crime as high, or do not feel that their organizations have dedicated the right amount of resources to it.

High Risk Third Parties: Respondents are performing less due diligence even as regulatory and enforcement bodies are increasing their focus on third parties.

Lack of Data Analytics, Fraud Risk Management and Awareness: Nearly half of respondents haven't invested enough in data analytics, and nearly two thirds feel that their management is not aware of the benefits of fraud data analytics.

Whistleblowing: Whistle-blower hotlines alone are not adequate to help employees report concerns. Employees do not feel comfortable coming forward, or do not trust the process.

Increasing Bribery and Corruption: Driven by the willingness to engage in unethical conduct, high risk third parties, weak fraud risk management programs, employees less willing to come forward, and increased government focus.

Unethical Behavior

Energy Concerns and Implications

Board members and senior management should be aware that regulators are increasingly focused on individual misconduct. There appears to be an increased risk, given the economic downturn in the energy sector, that some management may be more willing to:
- Manipulate financial numbers in order to achieve financial targets and goals,
- Deploy revenue or expense recognition schemes to meet financial targets,
- Engage in increased bribery and corruption activities in order to deliver new wins.

Organizational culture and goals may be too unrealistic given the current economic environment. The result is that some employees may feel obligated to do whatever it takes to win a deal or hit a target.

Risk of Cyber Crime

Energy Concerns and Implications

Does the organization know where all of its critical and sensitive information is located? If not, this could pose a serious cyber concern. EY is seeing an increase in information governance assessments, driven by cyber risk concerns and the need to recognize the significant cost savings of reducing the organization's digital footprint.

EY is also seeing an increase in insider threat assessments to determine which employees represent the most significant risk as an attack vector, who has access to critical information, and who is more likely to become an internal threat actor.

We are also seeing an uptick in the development of Cyber Breach Response Programs. Specifically: are there areas of the organization that, if struck, could interrupt the operability of the rest of the organization? And does the organization have the right internal and external partners engaged to detect and mitigate a cyber concern in real time?

Lack of Data Analytics, Fraud Risk Management and Awareness

In October 2016, COSO issued the Fraud Risk Management Guideline to meet the expectations of Principle 8 of the COSO ERM Framework:
1. Establishment of a Fraud Risk Management Program
2. Performs comprehensive fraud risk assessments
3. Selects, develops and deploys preventative and detective fraud control data analytics activities
4. Investigation program and protocols
5. Ongoing evaluations and corrective action of the overall program

Energy Concerns and Implications

Regulators are using increasingly sophisticated tools to analyze data and identify trends that highlight potential fraud. There is a much higher standard and expectation now (at least for COSO ERM Framework organizations) to do more to detect, prevent, and investigate fraud and corruption using data analytics. External auditors can use the new COSO Fraud Risk Management guidelines to assess the entity's implementation of Principle 8 of the COSO ERM Framework. Deficiencies could result in a negative external audit finding.

Whistleblowing

1. Employees don't understand the system
2. Inadequate resources and poor program design
3. Lack of personalization of an employee's concern
4. Improper handling and lack of training
5. Management is involved in the hotline
6. Too many reporting mechanisms
7. Too much emphasis on credible complaints
8. Obstacles of negative incidents and retaliation
9. Inconsistent outcomes
10. Actions speaking louder than words

Energy Concerns and Implications

Organizations should consider assessing each component of the program to determine whether it helps to create a trusted hotline program.

High Risk Third Parties

Energy Concerns and Implications

Current third-party due diligence activities may provide little to no protection from anonymous companies and bad actors. All aspects of an energy company's operations are susceptible to anonymous shell company risks. The propensity for unethical conduct by management, coupled with anonymous companies, significantly increases bribery and corruption risks in the energy sector.

Increasing Bribery and Corruption Risks

Energy Concerns and Implications

There is increasing focus, regulation, guidance and expectation for organizations to be doing more to detect and prevent corruption. The International Standards Organization's anti-bribery standard is the first certifiable and testable anti-bribery program. It sets clear anti-bribery expectations on management engagement and accountability, internal controls, training, monitoring, data analytics, investigation protocols, etc. It will put more pressure on senior management and reduce the ability to say "we didn't know" or "we thought we were doing enough". It has been publicly supported by several government agencies, including the SEC and DOJ.

Current controls, processes and systems are falling behind in preventing and detecting bribery and corruption. Red flag testing, audit procedures and even data analytical approaches, in many instances, have not been updated to keep pace with the changes in ABAC (anti-bribery and anti-corruption) risks and requirements. Compliance, ABAC and due diligence fatigue is setting in. Many management and compliance professionals believe that their bribery and corruption risks are fully mitigated. In some instances, organizations are even scaling back detection and monitoring capabilities because they have not identified any issues. Industry pressures and corporate cultures are two of the primary overriding forces that are weakening and defeating traditional ABAC controls, especially in the energy sector.

Best Practices and Takeaways

Compliance: Execute a comprehensive anti-corruption compliance program that incorporates forensic data analytics (FDA) and tailored bribery and corruption training.
Cyber crime: Develop a cyber breach response plan that brings all parts of the business together in a centralized response structure.
Anti-corruption due diligence: Undertake robust anti-corruption due diligence on third parties before entering into a business relationship.
Fraud Risk Management Programs: Is your organization performing robust and repetitive fraud risk assessments, deploying forensic data analytics (FDA), properly investigating and mitigating fraud risks, and monitoring the overall program?
Whistleblowing: Establish clear whistleblowing channels and policies that not only raise awareness of reporting mechanisms but encourage employees to report misconduct.
Finance: Adequately resource compliance and investigations functions so that they can proactively engage before regulatory action.

Ryan C. Hubbs, CFE, CIA, CCEP, PHR, CCSA
Senior Manager, Fraud Investigation & Dispute Services
Direct Tel: Direct Fax: Mobile:
Ryan.Hubbs@ey.com