Forensic Audit, Corporate Governance, and Trust: Key Insights

ICAB WEBINAR ON FORENSIC AUDIT AND CORPORATE GOVERNANCE: RESTORING TRUST AND TRANSPARENCY Presented by: Akhtar Sanjida Kasem FCA, FCMA, CFE Managing Partner, A. Qasem & Co., Chartered Accountants Dhaka, February 25, 2025

KEY ISSUES Forensic Audit Fraud and Corruption Corporate Governance Trust and Transparency These issues are inter-related in the current scenario, and are of utmost significance for professional accountants in our various roles as Board Members of various Companies, CXOs, and External / Internal Auditors. While the auditors perform forensic audits, their products are used by the Board, senior management, regulators, law enforcement agencies, and other stakeholders.

FUNDAMENTAL CONCEPTS Forensic" means "suitable for use in a court of law . Forensic Audit means the application of accounting and auditing methods to the tracking and collection of forensic evidence, usually for investigation and prosecution of criminal acts such as embezzlement or fraud. It specifically looks for financial misconduct, abusive or wasteful activity. Forensic audit involves examination of legalities by blending the techniques of propriety (VFM audit), regulatory and investigative and financial audits. Forensic Audit is targeted to investigate and detect Fraud and Corruption. Fraud is any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain. Fraud Risk Management Guide (COSO and ACFE) Corrupt Practice means the offering, giving, receiving, or soliciting, directly or indirectly, of any thing of value to influence the action of a public official in the procurement process or in contract execution. Occupational Fraud means the use of one s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization s resources or assets

CORPORATE GOVERNANCE- SIGNIFICANCE AND IMPACT CORPORATE GOVERNANCE, AUTHORED BY KAUSHIK DUTTA AND KHSHAMA V. KAUSHIK A good corporate governance regime is essential for effective use of corporate capital and can provide a long-term benefit to the business and its stakeholders. Effective governance based on corporate behaviour guided by experience and best practice transcends legal systems and national boundaries. According to OECD s Business Sector Advisory Group on Corporate Governance, the following four simple and essential principles should be promoted: Fairness: Ensures the protection of shareholder rights and the enforcement of contracts Transparency: Requires timely disclosure of adequate, clear and comparable information concerning corporate financial performance, corporate governance and mission Accountability: Concerns the role of the corporate board in providing independent board oversight of management performance and holding managers accountable to shareholders Responsibility: Means ensuring that corporations comply with other laws and regulations that reflect particular society s values Of course, no process can guarantee that fraud will not happen. However, what corporate governance attempts to do it firstly to .install stringent checks and balances, and secondly, to ensure that the effect of any such fraud which does occur is contained before blowing up in full scale.

ROLE OF THE BOARD IN PROMOTING TRUST AND TRANSPARENCY AND ENSURING A FRAUD-FREE ENVIRONMENT Set the Tone At The Top that defines the culture for the entire organization Design and implementation of a fraud risk management program Establish policies and procedures explaining how the Board provides oversight Define expectations about integrity and ethical values, transparency and accountability Seek feedback from senior management about the results of the fraud risk assessment, as well as incidents of fraud and suspected fraud Challenge the management and ask tough questions, where necessary Seek input from internal auditors, external independent auditors, specialists and legal counsel, and utilize these resources as needed to investigate any issues Assess the risk and incidents of management override of controls Consider and address fraud and corruption allegations related to senior management if they arise

SUMMARY OF FRAUD RISK MANAGEMENT COMPONENTS AND PRINCIPLES - THE FRAUD RISK MANAGEMENT GUIDE DEVELOPED FROM THE 2023 RESEARCH COMMISSIONED BY COSO AND CO- PUBLISHED BY ACFE (ITEMS 1 AND 4 ARE DIRECTLY RELATED TO CORPORATE GOVERNANCE) Fraud Risk Governance: It is an integral component of corporate governance and the internal control environment. Corporate governance addresses the manner in which the Board of Directors and management meet their respective obligations to achieve the organization s goals, including its fiduciary, reporting and legal responsibilities to stakeholders. The internal control environment creates the discipline that supports the assessment of risks to the achievement of the organization s goals. Fraud Risk Assessment: It is a dynamic and iterative process for identifying and assessing fraud risks relevant to the organization Fraud Control Activity: It is a specific procedure or process intended either to prevent fraud from occurring or to detect fraud quickly in the event that it occurs. Fraud investigation and corrective action: Control activities cannot provide absolute assurance against fraud. Hence, Those Charged With Governance (TCWG) ensure that the organization develops and implements a system for prompt, competent, and confidential review, investigation, and resolution of instances of allegations involving potential fraud and misconduct. Fraud Risk Management Monitoring Activities: This activity is used to ensure that each of the five principles of fraud risk management is present and functioning as designed and that the organization identifies needed changes in a timely manner.

STAKEHOLDERS OF THE FRAUD RISK MANAGEMENT PROGRAM Board of Directors and Audit Committee Senior Management Internal Audit External Independent Auditors Other Management Personnel Specialists Educators We may find professional accountants in all of the group above, albeit with different roles.

In applicable circumstances, a robust forensic audit is crucial to assist and promote corporate governance. Since forensic audit is undertaken to detect fraud and corruption, often on an international level, it is useful to have an idea of prevalence and dimensions of fraud and corruption, especially occupational fraud, in the global context. FRAUD AROUND THE WORLD

KEY STATISTICS FROM 2024 ACFE REPORT TO THE NATIONS The ACFE Report to the Nations 2024 on Occupational Fraud estimates that a typical organization loses 5% of its revenues to fraud each year, which amounts to roughly USD 3.1 Billion each year. How is Occupational Fraud initially detected: Tips: 43% Internal Audit: 14% Management Review: 13% Document examination: 6% Where do the Tips come from: Employees- 52% Customers 21% Anonymous- 15% Vendors- 11% Other- 9%

TO WHOM DID WHISTLEBLOWERS INITIALLY REPORT?

WHICH PARTIES WERE ALERTED TO THE FRAUD AFTER IT WAS DISCOVERED?

MOST PROMINENT ORGANIZATIONAL WEAKNESSES THAT CONTRIBUTE TO FRAUDS- 2024 ACFE REPORT TO THE NATIONS Lack of internal controls 32% Override of existing controls - 19%, Lack of Management Review -18% Lack of competent personnel in oversight roles 9% Poor Tone at the Top 8% Lack of Independent Checks/ Audits 5% Others- 4%

DIFFERENCE BETWEEN FRAUD AND INTERNAL CONTROL WEAKNESSES The fundamental difference between internal control weaknesses resulting in ERRORS, and weaknesses resulting in FRAUD, is INTENT. Due to this fraudulent intent, various improper acts are designed to: Misstate financial information 1) Misstate non-financial information 2) Misappropriate assets 3) Perpetrate illegal acts or corruption 4)

OCCUPATIONAL FRAUD AND ABUSE CLASSIFICATION SYSTEM (THE FRAUD TREE)

MAJOR TYPES OF FRAUD & CORRUPTION Financial Statements Fraud Procurement Fraud Asset Misappropriation Fraud Presolicitation phase Solicitation phase Evaluation phase Awarding Phase Execution phase Finalization phase Expenses Revenue Assets Liabilities Cash Inventory Tangibles Intangibles Off-Balance Sheet items Special Purpose Vehicles

HOW OFTEN DO FRAUDSTERS COMMIT MORE THAN ONE TYPE OF OCCUPATIONAL FRAUD - -2024 ACFE REPORT TO THE NATIONS Asset misappropriation only -51% Corruption only 10% Financial Statement Fraud only- 1% Asset misappropriation + Corruption -35% Asset misappropriation + Corruption + Financial Statement Fraud 2% Asset misappropriation + Financial Statement Fraud- 1% Corruption + Financial Statement Fraud <1%

HOW DO OCCUPATIONAL FRAUDSTERS CONCEAL THEIR SCHEMES (IN % OF CASES) 2024 ACFE REPORT TO THE NATIONS Created fraudulent physical documents Altered physical documents Created fraudulent electronic documents and files Altered electronic documents and files Destroyed or withheld physical documents Created fraudulent transactions in the accounting system 41 37 31 28 23 19 Deleted or withheld electronic documents and files Altered transactions in the accounting system Deleted or omitted transactions in accounting system 19 16 13 No concealment method Other Created fraudulent journal entries Forced or altered account reconciliations Forced or altered account balances in accounting system Altered journal entries Deleted or omitted journal entries 11 10 9 9 8 7 6

PERPETRATORS- MORE THAN HALF OF THE REPORTED CASES CAME FROM THESE FIVE DEPARTMENTS -2024 ACFE REPORT TO THE NATIONS Operations -14% Accounting -12% Sales -12% Customer Service-9% Executive/ Upper management -9% 84% of fraudsters displayed at lease one behavioral red flag

TOP 3 INTERNAL CONTROL WEAKNESSES BASED ON THE PERPETRATORS POSITION -2024 ACFE REPORT TO THE NATIONS EMPLOYEE Lack of Internal Controls 31% Override of existing controls 19% Lack of management review- 18% MANAGER Lack of Internal Controls 34% Override of existing controls 18% Lack of management review- 21% OWNER / EXECUTIVE Lack of Internal Controls 31% Override of existing controls 21% Poor Tone at the Top - 19%

FRAUD STIMULANTS AND RED FLAGS

WHAT LURKS BEHIND A FRAUDSTERS MIND?- THE FRAUD TRIANGLE Perceived Opportunity Perceived Pressure Rationalization

BEHAVIORAL RED FLAGS OF EMPLOYEES WHO MAY BE POTENTIAL FRAUDSTERS Living beyond one s means Unusually close association with vendor/customer Bullying or intimidation Irritability, suspiciousness or defensiveness Control Issues, unwillingness to share duties Recent family problems

RED FLAGS IN FINANCIAL STATEMENTS FRAUD Domination of management by a single person or small group without compensating controls Ineffective communication and enforcement of the entity s ethical standards Significant, unusual or highly complex transactions, especially towards the year-end Significant related party transactions not in ordinary course of business Recurring attempts by management to justify marginal or inappropriate accounting on the basis of materiality Inappropriately limit the auditor s access to information, operations and people Appointment of close relatives in fiduciary positions without proper justification and disclosure

RED FLAGS IN PROCUREMENT FRAUD Prefer Shopping and Direct Purchase over Tendering Inconsistencies in the selection and award decision process. Large works packages are split into smaller packages to discourage large contractors and favour less qualified small contractors Packages starting with low value to award smaller bidders, and then becoming much larger through cost escalations and repeat orders Split and re-group goods packages to favour suppliers, rather than authorised distributors or branded products Manual changes on original documents Inconsistencies in the dates of the documents or illogical sequence of dates.

PERFORMING A FORENSIC AUDIT

PURPOSE - IN CASE OF ALLEGED FRAUD Discover if there is a fraud Identify those involved Quantify the monetary amount of fraud Present findings to the client/court

DEFINING THE SCOPE AND THE DESIGN OF THE AUDIT What What is the purpose of this investigation? What is the allegation? What happened? What parties were involved (stakeholders)? What will the auditor need in order to look into the allegation (what resources)? What policies, procedures or laws were potentially breached? Why Why did this occur (systemic gaps or opportunities in the Fraud Triangle)? Why did the perpetrators in the case do what they did (motive or incentive in the Fraud Triangle)? Who Who is involved? Who should the auditors speak to (for interviewing)? Who is the auditors reporting to? Where Where did the event(s) occur (internal and external locations)? Where did the case emanate from (board-approved list for the year, whistleblower s portal, external request, etc.)? Where could the case end (internal disciplinary panel, regulator, media interest case or court case)? When When did the incident(s) occur? When was the allegation made? When is the report due (timeline, notes for mandates)? How How will the auditor conduct the investigation (methodology, procedures and investigative plan)? How will evidence be preserved? How will the auditor present the findings?

FRAUD RISK ASSESSMENT A fraud and corruption risk assessment is a process to help someone better understand an entity's fraud and corruption exposure, the associated risks and the strength of the existing controls. With reference to the COSO Framework, the over-arching objective of FRA is to reduce the incidence of fraudulent financial reporting by setting standards of internal control system. A fraud risk assessment is designed to address a company's vulnerabilities to internal and external fraud. The key approaches of FRA and anticipated outcomes of FRA are: Identify and evaluate fraud risk factors Schedule of fraud risk factors and sound knowledge of fraud risk environment Identify possible fraud schemes and scenarios- Catalogue of pervasive and specific fraud risks Analyse fraud risks and evaluate control design and implementation- Inherent risk rating of entity, and catalogue of existing controls, fraud control risk rating Evaluate fraud risk assessment results and prioritize residual fraud risks Residual risk rating and identification of fraud risk Risk treatment Fraud risk action plan and implementation plan with continuous monitoring and follow-up 1. 2. 3. 4. 5.

PERFORMING FRAUD RISK ASSESSMENT (FRA) OF A COMPANY Does your Company have formal and regularly scheduled procedures to perform FRA? 1. Are appropriate personnel involved in the FRA? 2. Are FRAs performed at all appropriate levels of the Company (e.g entity level, significant locations or business units, significant account balance, or major process level?) 3. Does your FRA include consideration of internal and external risk factors (e.g Covid-19 Pandemic, political unrest, global war, industry trend, pressures/incentives, rationalization or attitudes, and opportunities) 4. Does your FRA include the identification and evaluation of past occurrences and allegations of fraud and corruption within the entity and industry? Does it include the evaluations of unusual financial trends or relationships identified from analytical procedures and techniques? 5. Does your FRA consider the risk of management s override of controls? 6. Does management consider the type, likelihood, significance and pervasiveness of identified fraud and corruption risks? 7. Is the FRA updated periodically to include consideration of changes in assessed factors? 8. Does management assess the design and operating effectiveness of the FRA process? 9. 10. Does management adequately document the assessments and conclusions regarding the design and operative effectiveness of the FRA process?

RISK ASSESSMENT Risk Map The risk map is an initial identification of risks, their probability and consequences and will cover all areas - strategic risks, risks affecting the organization s image, financial risks, day-to-day operational risks, external hazards, and risks related to knowledge management, and others. The risk map will help to indicate areas where the level of control over risks might be increased or decreased. Risk Assessment This assessment should culminate with a rating of the procurement risks as Low, Medium, Substantial or High and is key in the determination of the supervision approach to be recommended. Risk Quantification Risk need to be quantified in two dimensions. The impact as well as the likelihood of the risk occurring needs to be assessed. If likelihood is high, and impact is low, it is a Medium risk. On the other hand if impact is high, and probability low, it is High priority. A remote chance of a catastrophe warrants more attention than a high chance of a hiccup.

Specimen- The Risk Heat Map High 4 8 16 12 Substantial 3 6 9 12 IMPACT Medium Low 2 6 8 4 Low 1 2 3 4 Low Medium Low Substantial High LIKELIHOOD

DETECTION TECHNIQUES Risk Analytical Review Sampling Assessment Documen t Review Physical Verification Interviews Third party evidence Newspaper and internet Photographs

CHALLENGES IN PERFORMING FORENSIC AUDIT Accountability and Commitment at the top Apprehension and negative mindset of the stakeholders Lack of technical capacity Lack of fundamental legal training Difficulties in obtaining, handling and presenting evidence Non-Availability of required information, e.g central database of enlisted and debarred contractors Non-Availability of sophisticated analysis techniques for handwriting, paper, printing etc. Lack of Auditor and witness protection

REPORT CONTENTS Transmittal Letter Executive Summary Setting the Scope & Limitations Approach and Methodology Findings /Observations Summary of Evidences Amount of loss How Fraudsters set up Fraud scheme and which controls were circumvented Recommend improvements of policies, control and compliance (if required) Conclusion Annexures

TIPS FOR WRITING A GOOD REPORT Know and define your reader and user. Mention restrictions on dissemination Disclaim responsibility for unauthorized sharing or dissemination Clearly state the scope and limitations Use transparent and simple language Prepare the report during or shortly after the examination, so as not to omit or distort important data Prepare a separate memorandum for each potential witness interviews List the memoranda in sequence of the interviews taken Be mindful that the information in the report may be disclosed in the media, to the public, adverse third parties or opposing legal counsel Deal with sensitive information with discretion Include only those matters relevant to your scope Maintain impartiality by including all relevant information and points of view Reconfirm the facts and ensure accuracy Use visual aids, graphs, diagrams and photographs at appropriate places Include a clear, unambiguous and self-explanatory conclusion

We are sharing some real experiences, without disclosing names of the persons and organisations involved. SHARING EXPERIENCES

CASE STUDY # 1 In a commercial bank, a fraud was initiated through activation of the dormant account and making a fake requisition form for issuing a new cheque book though the customer has unused cheque leaf of previously issued cheque book. This process of printing and raising a cheque book requisition, forging the signature of the account holder, and approving issuance of the new cheque book, were done by a syndicate of employees within the bank. The cheque book was kept in their custody. The account holders, mainly NRBs, were completely unaware of this. Subsequently funds were withdrawn from the customer account using the newly issued cheque leaf at several dates. The fraud was initiated through activation of the dormant account and activating internet banking for the accounts without having any customer application. Upon activation funds were transferred to another account.

CASE STUDY # 2 In a Merchant Bank in Bangladesh: Allowing investors to encash/realize their gain by depriving the negative equity investors. Allowing additional margin loan to negative equity investors Allowing margin loan facility to negative equity investors without charging Margin loan Interest. Allowing margin loan for purchasing Z-category shares. Inter-code buy and sale of shares were executed in different own code, company s own code to different investor code, and one investor code to another investor code. Unauthorized use of Trading workstations without having assigned RM from Merchant Bank.

CASE STUDY # 3 In a Securities House (Stock Broker) in Bangladesh: Embezzlement of funds through transfer to personal bank account of employee (Head of Accounts) using internet banking ID with Bank. Embezzlement of funds by allowing limit to personal BO code of employee against dishonored cheque without creating margin loan. Misappropriation of funds by allowing limit to 13 customer code against dishonored cheque and not presenting the cheques to bank for clearing. Misappropriation of customer cash receipts without depositing to company s Bank account. Significant difference was observed between bank book and bank statements.

CASE STUDY # 4 In a manufacturing company: Slow-moving raw materials were transferred to WIP in books only, without any physical process, to avoid 25% provisioning (when useful life exceeded 70%), thus to over-state profit. In a manufacturing plant with large warehouse, kickback was reportedly paid to a company employee by the warehouse owner, to allow him (the owner) to overstate the rental area to charge extra rent, and to allow misappropriation by pilferage of good stock as damaged stock and selling it in the grey market. In a manufacturing plant with large distribution network, a company employee reportedly received kickbacks from transport agency owners in exchange of giving favourable routes and higher number of trips. In an NGO, an entire list of beneficiaries was faked with false names, and consecutive phone numbers In another healthcare service provider, expenses were claimed from the donor on the basis of fake performance statistics.

CASE STUDY # 5 In a non-profit organization receiving foreign aid for refugees, the project claimed funds from the Donors by inflating food bills and faking pathological test bills. In another non-profit organization, bank statements were forged to insert fictitious expenses. In a school for under-privileged children living in slums, cost of educational expenses and family food packs were claimed during Covid-19 lockdown when schools were closed and families had moved back to the village In a non-profit organization , quotations were collected from different unrelated types of suppliers who did not sell the product to be purchased. In a manufacturing company, fake sales invoices were created at year-end to meet target and earn performance bonus. Instead of the typical practice of reversing these sales in the next quarter, the invoices were reported to have been realized by bringing in cash from employee PF funds.

CONCLUSION AND WAY FORWARD

FACTORS IMPACTING THE FUTURE OF ANTI-FRAUD AND ANTI-CORRUPTION ENVIRONMENT 1. Globalization: Challenges of dealing with markets around the world, divergent accounting systems, different regulatory environments, various types of governments, and varying degrees of governance and transparency 2. Changes in regulatory regime: Incrementally changing regulatory regime in various countries 3. Economic Pressures: Economic downtrend for an extended period 4. Technology: As companies rely more extensively on advanced technologies to operate their business, new opportunities for Fraud arise

WAY FORWARD Be aware of our responsibilities in different roles Board Member, CXO, External Auditor or Internal Auditor Develop professional expertise and capacity Be alert and attentive to red flags of fraud and corruption In the role of an auditor, perform the necessary detection and investigation, obtain and document results Communicate to the appropriate person/body Assist in undertaking necessary penal and remedial measures Always promote a culture of ethics, integrity and accountability