Big jump in US senior managers’ culpability in internal crimes, new PwC survey finds
More than one in three US organizations report having been the victim of economic crime and cybercrime has risen to become the second most reported kind of economic crime, according to PwC’s Global Economic Crime Survey 2016, whose US results were released on February 25.
Globally, nearly 6,300 respondents from 115 countries participated in the survey, 1,100 more than in the 2014 survey. While just 8 percent of respondents were from North America, the 328 participants from the US represented the highest response rate yet from the US. This is the eighth economic crime survey conducted by PwC since 2001 and overall increases in all kinds of economic crime have been noted since 2009.
That is likely due to more companies putting internal controls in place to detect bad behavior, says Didier Lavion, principal in PwC’s forensics services practice. In the US, instances of economic crime jumped from 35 percent to 45 percent between 2009 and 2011 and continued to rise before hitting a plateau in 2014. The latest results ‘show a marked decline’ in economic crime incidents to 38 percent of US respondents from 45 percent in 2014.
Although nearly half of the US organizations that participated in the survey expect to be hit by a cyber breach within the next 24 months, most say they are still not adequately prepared. Just over 50 percent of US companies have an active cyber incident response plan, and despite the need to engage leadership, only 40 percent of US boards request cyber readiness information more than once a year.
The PwC report, titled Adjusting the lens on economic crime: preparation brings opportunity back into focus, also shows economic crime outpacing preparedness by companies, with 57 percent of respondents reporting external actors as the main perpetrator, nearly double the 29 percent that point to internal culprits. Despite the magnitude of the problem, company detection efforts are lagging, with one in 10 having never carried out a fraud risk assessment.
The survey results show that cybercrime is one of the fastest-growing economic crimes since PwC’s last update, with 54 percent of organizations reporting being affected by it. Just over half of US firms have an active cyber incident response plan, while more than half (52 percent) don’t believe local and federal agencies have the skills or resources to investigate and prosecute these crimes.
Tone at the top continues to be a problem with one in 10 US organizations still having not yet established a formal compliance and ethics program and 18 percent of internal crimes being committed by members of senior management, versus 4 percent in the 2014 survey. Members of middle management are now responsible for 53 percent of internal crimes, the report shows.
In contrast, globally, the percentage of internal crimes attributable to senior management has fallen to 16 percent from 20 percent in 2014. PwC’s report notes that while it’s hard to tell whether the US figures reflect an actual change in the fraudster profile, accountability for fraud is rising up the company ranks. ‘Management is no longer shielded by the corporate entity and plausible deniability is no longer a viable defense from substantive fraudulent acts,’ the report says.
The extent of financial damage from economic crime is also increasing. More than 25 percent of US respondents experienced losses of between $100,000 and $1 million, while 13 percent suffered losses between $1 million and $5 million. On the higher end, 8 percent of those surveyed had losses between $5 million and $100 million and 3 percent reported losses in excess of $100 million.
Financial costs include not only actual fraud losses but also remediation costs and civil and criminal penalties. But these costs are often dwarfed by broader collateral damage that respondents are consistently noting, which range from business disruptions and remedial measures to investigative and preventative interventions, regulatory fines and legal fees. ‘These can have a significant impact on long-term business performance and, perhaps more critically, cause lasting damage to morale and reputation,’ the report says.
On the enforcement side, the US Justice Department has made clear its intention to go after individuals within companies who can be held accountable for fraud. Last September, the DoJ issued the Yates Memorandum, which ‘is making companies pursue dual track investigations to rack individuals involved’ in financial misconduct I order to receive cooperation credit from regulators, which can reduce their penalties, says Lavion. That has also prompted more executive sponsorship of compliance programs, although there remains a disconnect between the C-suite’s expectations and those of rank-and-file employees, he adds.
When it comes to internal monitoring of financial transactions, Lavion says the internal audit department should probably not be the main resource on which companies rely ‘because of their focus on operational audits. They don’t have the wherewithal to monitor this regularly.’ He believes continuous monitoring programs are likely to be the next wave, with cloud software enabling an expansion of capabilities similar to live anti-money laundering detection.
Brian Fox, a principal at PwC, notes a shift of focus among respondents from perimeter security to protection strategies geared to specific corporate assets such as intellectual property assets. The emergence of secure cloud storage for digital data holds the most promise for improving data security, he believes, given two key advantages it offers: opportunities to centralize data and an increase in computational power to analyze the data that companies store.
Technology, Lavion says, will hold the key to the convergence of cybercrime, fraud, anti-bribery and corruption and anti-money laundering efforts, and all of PwC’s financial services clients are now asking about this convergence.