The Hindu Business Line : `Anti-fraud policy needed'

Formal anti-fraud policies distinct from data security policies must be implemented in companies, according to the Ernst and Young 9th Global Fraud Survey - Fraud Risk in Emerging Markets. The policies must also be communicated effectively to employees, the survey said. It found that over 70 per cent of respondents did not provide their employees adequate training to understand and implement anti-fraud policies.

While the internal controls adopted by companies include data security related compliances and policies, they do not address fraud specifically. However, over 90 per cent of the 586 global respondents felt that internal controls and audits were sufficient to determine and prevent fraud.

Anti-fraud policies guide employees through issues such as payments, commission fees, gifts and conflicts of interest and include issues related to data security and reporting of fraud itself.

Most data sensitive organisations have security certifications. Information Technology Enabled Services (ITES) and Business Process Outsourcing (BPO) organisations in India, for instance, may follow ISO 270001 that list 123 security related controls. These are further classified into physical security (like UPS devices, routers and firewalls) and logical security (that limits data access within the hierarchy of an organisation), says Mr N. Nataraj, Chief Information Officer, Aztec Software and Technology Services.

Security and policy

Security does cover some areas of fraud such as information leakage. Most ITES employees in India are not permitted to carry a pen, paper or mobile phone to their desks. Internet and e-mail facilities are blocked so as to prevent information leakage outside office.

But what if confidential data about any client was revealed to another client and the employee responsible excused himself by saying, "The person was passing by when I had the data on my computer. He just peeped in. I did not show him the data"? This is a case of fraud that cannot be prevented through data security compliance alone.

"Fraud is to be looked at separately from data security. A separate, formal anti-fraud policy is necessary to have clarity on what is fraud and what is not," says Mr Sunil Chandiramani, Partner and National Director, Risk and Business Solutions, Ernst and Young India.

Communication is key

The survey also says that even when companies do have some form of anti-fraud policy they do not always communicate it properly to employees. Citing examples, he says issues such as `can a commission be considered a bribe?'; `is bribing under certain circumstances acceptable?'; and `is lying about your company's capabilities to gain a client acceptable?' have to be defined.

Some companies have induction programmes to create awareness among employees about fraud-related practices.

Aztec Software has posters in its office that read `You don't share your toothbrush, why share your data'. Scope International Pvt Ltd has a three-week induction programme covering risk management.