Pictured launching the PwC 2016 Economic Crime survey are (l-r): Declan McDonald (Advisory Partner, PwC), Nóirín O'Sullivan (Commissioner of the Garda Síochána), Pat Moran (Cybersecurity Leader, PwC) and Ciarán Kelly (Advisory Leader, PwC).
The average cost of fraud to organisations in Ireland has increased from €498,000 in 2014 to €1.7m, according to PwC’s 2016 Irish Economic Crime Survey. The report also revealed that the incidence of cyber attacks has almost doubled since 2012, and that the main driver of internal economic crime is opportunities prompted by poor control environments.
The 2016 Irish Economic Crime Survey, a nationally-focused version of PwC’s bi-annual global study that gathers information from over 6,000 participants in 115 countries, and over 100 in Ireland, revealed that more than one in three Irish organisations (34%) experienced economic crime in the last two years, up from a quarter (26%) two years ago.
The most prevalent economic crime reported were asset misappropriation (53%), followed by cybercrime (44%), accounting fraud (18%) and money laundering (15%). Globally, 36% of organisations were victims of economic crime with cybercrime representing nearly a third (32%) of all crimes.
Speaking at the survey launch, Ciarán Kelly, PwC Advisory Leader, said: “The survey findings confirm an increasingly complex economic crime environment driven by asset theft, cyber threats, accounting fraud and money laundering, while the cost of the crimes on Irish organisations is rising. Too few companies are adapting their risk assessments and control frameworks fast enough. Action on economic crime is not the responsibility of one person or a team, it must be embedded within an organisation’s culture.”
Commenting on the launch of the survey, Nóirín O’Sullivan, Commissioner of the Garda Síochána, said: “The research highlights the need for vigilance on the part of companies and individuals in their commercial dealings. With cybercrime becoming so common, it is even more essential that they continue to access crime prevention advice to avoid becoming the victims of fraud. The involvement of law enforcement agencies at an early stage acts as a major deterrent. This study also provides insight into how organisations can protect themselves, their businesses and their property from fraud and cybercrime.”
Nearly half (44%) of organisations in Ireland who reported economic crime suffered a cyber attack in the last two years. This has almost doubled since 2012 (25%) and is substantially higher than the global results (32%). Of those affected by cybercrime in Ireland, nearly one in five (18%) incurred losses of between €92k and €4.6m (Global: 13%).
Pat Moran, PwC Leader for Cybercrime, commented: “A cyber crisis can be one of the most challenging and complicated that any organisation will face. They require strategies around investigation and communication, as well as significant forensic and analytical capabilities. In today’s risk landscape, a company’s degree of readiness to handle a cyber crisis can be a marker of competitive advantage and ultimately ensure its survival.”
Less than half (41%) of respondents said that they had fully trained first response team to mobilise should a technology breach occur. Too many Irish organisations are leaving first response to their IT teams without adequate intervention or support from other key players. Only 39% of respondents reported having a fully operational incident response plan in place with over a quarter (28%) having no plan in operation.
Pat Moran said: “Cybercrime is also perceived to be the highest economic crime risk going forward for Irish businesses. Looking to the future, cybercrime is forecasted to be the most frequent type of economic crime. Over a third (36%) expect more cyber attacks in the future. This may be reflective of cybercrime having a higher profile in the media through the occurrence of a number of high profile incidents as well as the significant increase of devices that are now connected to the internet. Despite significant financial losses being linked to cybercrime, respondents cited the theft or loss of personal identity information and reputational damage as having the greatest impact to their organisations ahead of actual financial loss.”
The survey highlights that a more comprehensive approach is required to detect fraud. Over 70% rely on Internal Audit for their risk assessment and compliance, however, conversely, less than 10% of fraud is detected by Internal Audit. There is an increase in detecting fraud through external tip-offs (2016: 15%; 2014: nil). 24% of Irish respondents confirmed that they either did not know how the fraud was detected or if it was detected by accident (up from 18% in 2014). The most common detection method is suspicious transaction reporting.
Overall, the report finds that business detection and response plans are not keeping pace with the level and range of threats now facing organisations, with a developing trend of too much being left to chance. It warns that a passive approach to detecting and preventing economic crime is a recipe for disaster.
Pat Moran added: “Only 3% of Irish companies use data analytics to detect fraud. Irish organisations should consider using data analytics, including threat intelligence, more than they are currently doing so. This is an underutilised control method and it has proven to be a very useful preventative method to identify the threat of fraud to an organisation. In addition, there have been significant innovations in fraud detections within the FinTech and cloud space which should also be considered.”
Nearly half (47%) of Irish organisations believe that they will increase their spending to respond to the threat of economic crime in terms of the compliance programmes and resource spend. Within two years, six of the G20 (UK, USA, Italy, France, Canada and Australia) expect cybercrime to be the largest economic crime threat to their organisation.
An organisation’s code of conduct is critical and although 91% of Irish organisations confirmed they had a code of conduct, only 61% said that regular training or advice was in place. The report warns that such perception gaps can create potential vacuums within which unethical activities can arise.
Declan McDonald, Advisory Partner, PwC Ireland, said: “Often the response to a threat is to improve internal control. However, our report shows that the corporate control environment in Ireland is 17% less effective in detecting and preventing economic crime than it was two years ago. In our experience, organisations are not investing enough in preventing fraud from happening and have a bias towards a focus on remediating incidents after the event than preventing them in the first place. It’s interesting to note the responses to future concerns and risks. With the exception of cybercrime, Irish businesses appear less concerned than our global counterparts about the risks of the other economic crimes surveyed, and in some instances, by a considerable margin.
“In addition to a strong control environment, it’s important that organisations embed a culture of awareness from top to bottom to mitigate the risks of economic crime particularly in circumstances where attacks are becoming more sophisticated.”
At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 223,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com.
PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.
©2017 PwC. All rights reserved