Our latest survey has exposed a stark reality: 44% of compliance officers and managers feel unprepared for the compliance challenges that lie ahead in 2024. Only 7% feel fully confident in tackling the challenges in the year ahead, signalling a potential industry-wide gap in readiness to address the ever-changing regulatory landscape. 

The survey gathered 212 responses from industry leaders across the UK, USA, Spain and Germany, and gauged professionals’ confidence levels and preparedness in managing compliance issues. The findings underscore a critical need for robust compliance training programs as organisations navigate an increasingly complex regulatory environment. 

Beyond the headline unpreparedness, the survey explored various dimensions of compliance readiness:

1. Fraud Prevention Training

While 27% have implemented “failure to prevent fraud” training and a further 27% are planning to do so, a concerning 46% revealed that they have not yet rolled out such training, are undecided, or have no plans to do so in the near future. This lack of preparation and preventive measures leaves businesses at an increased risk of fraudulent activity.

The new “failure to prevent fraud” offence comes into the UK as part of the Economic Crime and Corporate Transparency Act, which marks a significant shift in how businesses will be held accountable to combat corporate fraud and protect victims. Failure to provide adequate training can leave organisations susceptible to financial losses and reputational damage.

2. CSRD Compliance Preparedness

Only 2% of compliance professionals claimed to be fully prepared for Corporate Sustainability Reporting Directive (CSRD) compliance despite 50,000 companies worldwide being expected to be impacted by it. In comparison, almost half (47%) expressed uncertainty or deemed CSRD irrelevant to their operations.

As 2024 sees the first published reports from many large companies on their CSRD compliance, the global implications will ripple through supply chains, demanding a proactive approach.

3. Neurodiversity Training

Neurodiversity discrimination cases quadrupled in 2018-2022 compared with the number of cases from 2003-2017. Without proactive measures to ensure the fair treatment of neurodivergent employees and to create a work environment that values and respects differences, organisations risk legal repercussions and harm to employee well-being.

Despite these figures, only 8% of businesses polled incorporate neurodiversity training into their yearly programs, and a notable 28% have no plans to do so, potentially hindering the creation of an inclusive work environment and causing an escalation of neurodiversity discrimination cases.

4. Gifts and Hospitality Registers

With 2023 witnessing a nearly quarter-billion-pound fine against mining giant Glencore for flying suitcases stuffed with cash to local public officials, gifts and hospitality is an area businesses must get right in 2024. Worryingly, when questioned on the types of gift registers in place, 43% of compliance professionals admitted relying on outdated spreadsheets, while 18% admitted to not using any tools for this purpose at all, despite a legal requirement to implement procedures to prevent bribery.

Given the prevalence of digital solutions, the reliance on manual tools poses a risk to accurate and comprehensive compliance tracking. Organisations should consider investing in modern systems and technologies for more efficient and accurate compliance management.

5. Internal Policies on the Role of AI

Finally, the survey explored internal policies on the role of AI. While 23% have established policies, 37% have not considered AI policies in the workplace.

As AI integration becomes more commonplace, organisations must proactively develop and update policies to ensure responsible and ethical use. Neglecting this aspect may expose organisations to legal and moral concerns.

“As the compliance landscape undergoes rapid evolution with various regulations coming into force, this survey reveals a glaring gap in preparedness among compliance professionals,” said Nick Henderson-Mayo, Director of Learning and Content at VinciWorks. “The findings emphasise the critical need for proactive compliance procedures and new initiatives, including training. There are solutions out there for busy compliance professionals, including new technologies and automation. Being prepared is half the battle, and businesses can buffet against global headwinds by investing in proactive compliance and risk mitigation.”

To support compliance professionals in understanding the compliance challenges that lie ahead, VinciWorks is offering a free guide on Compliance Trends 2024.

In a recent study carried out by VinciWorks, a global compliance eLearning provider, 212 compliance professionals were surveyed on Compliance Trends 2024.

Every week we get news of another massive data breach. While some commentators are suggesting that this is the new normal, and that data leaks and hacks are an inevitable part of our connected world, it’s worth looking at the largest data breaches to see what they have in common – and what they can teach us about data security for 2019.

1: Aadhaar (1.1 billion)

Who?

India’s national personal identity card system contains information on Indian residents, including biometric data, names and information on connected services, such as bank accounts.

How?

A state-owned utility company called Indane was tapping into the Aadhaar database using an unsecured API. Hackers cracked the API and gained access to more than a billion records.

2: Marriott Starwood (500 million)

Who?

Marriott is the world’s largest hotel chain. Their Starwood brand operates a rewards scheme, and this database was accessed by hackers. While the breach was reported in 2018, it is believed to be a long-running data leak, stretching back to 2014.

How?

While details of the hack have not been released, the US government has laid the blame at the door of Chinese state hackers.

3: Exactis (340 million)

Who?

Exactis is a marketing and data aggregation firm. They hold comprehensive data on most US citizens, including information about preferences, interests and family connections.

How?

Exactis was storing more than 2 terabytes of personal data on a publicly accessible server. The exposed data was detected by a security researcher, who notified the FBI and Exactis; Exactis has since protected the database. The researcher found the open database by using a scanning tool to locate unprotected Elasticsearch instances.

4: MyFitnessPal (150 million)

Who?

MyFitnessPal is a fitness and diet-tracking app owned by Under Armour, the athletic clothing company.

How?

Details are lacking. The company has only said that an unauthorised person accessed data. While some user passwords were stolen in the hack, they had been hashed with bcrypt, a slow, salted password-hashing function, which means the information is protected.
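The note above says the stolen MyFitnessPal passwords were bcrypt-hashed rather than stored in the clear. The following added example, which is not part of the original article and is not MyFitnessPal's or Under Armour's code, shows why that matters. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt (bcrypt itself is a third-party package); the properties demonstrated are the same ones bcrypt provides: a random salt per record, a deliberately slow derivation, and verification that never requires the password to be stored. The usernames and passwords in the table are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Stand-in for bcrypt: PBKDF2-HMAC-SHA256 with a high iteration count so that each
# guess an attacker makes against a leaked table costs real CPU time.
ITERATIONS = 200_000
SALT_BYTES = 16
KEY_BYTES = 32
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    The plaintext password is never part of the record; only the salt (not secret)
    and the derived key are kept, so a stolen record does not reveal the password.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every record
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_BYTES
    )
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation from the stored salt and iteration count and
    compare in constant time, so timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: treat as a failed login, never as success
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iterations),
        dklen=KEY_BYTES,
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def build_user_table(plaintext_credentials: Dict[str, str]) -> Dict[str, str]:
    """Simulate account creation: only hashed records are retained."""
    return {user: hash_password(pw) for user, pw in plaintext_credentials.items()}


def authenticate(table: Dict[str, str], username: str, password: str) -> bool:
    """Log in against the stored table; unknown users simply fail."""
    record = table.get(username)
    if record is None:
        return False
    return verify_password(password, record)


def table_contains_plaintext(table: Dict[str, str], plaintext_credentials: Dict[str, str]) -> bool:
    """True if any plaintext password appears verbatim in the stored table
    (what a breach of a clear-text password store would expose)."""
    return any(pw in record for record in table.values() for pw in plaintext_credentials.values())


def same_password_yields_different_records(password: str) -> bool:
    """Per-record salting: two users with the same password get different hashes,
    so a leaked table cannot be attacked with one precomputed lookup table."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    # Constructed sample accounts (not real user data).
    sample = {"alice": "correct horse battery staple", "bob": "hunter2"}
    table = build_user_table(sample)
    for user, record in table.items():
        print(f"{user}: {record[:40]}...")
    print("alice login ok:", authenticate(table, "alice", "correct horse battery staple"))
    print("bob wrong password:", authenticate(table, "bob", "hunter3"))
    print("plaintext present in table:", table_contains_plaintext(table, sample))
    print("same password, different records:", same_password_yields_different_records("hunter2"))
```

The record format stores the iteration count alongside the salt so that the parameter can be raised for new accounts while old records remain verifiable; a real deployment would also re-hash a record at login when its stored parameters fall below the current policy.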

5: Quora (100 million)

Who?

Quora is a hugely popular question-and-answer site, with millions of active users.

How?

The company has not released details yet, and has only stated that an unauthorised person accessed user records. Quora also stated that it is engaging a forensic technologist to help trace the cause of the breach and prevent future hacks.

6: MyHeritage (92 million)

Who?

MyHeritage is an online genealogy and DNA testing service.

How?

They don’t know. One of the firm’s security team found a trove of MyHeritage data on an external server. The database includes 92 million records, including names, email addresses and hashed passwords. MyHeritage has engaged an external security consultant to identify the source of the breach.

7: Cambridge Analytica (87 million)

Who?

A Facebook game called ThisIsYourDigitalLife passed user data to several third parties, including Cambridge Analytica, a data analytics company that worked with the Trump presidential campaign to target ads to swing voters.

How?

Because of Facebook permission settings at the time, the game allowed the developer to harvest information on its users, and on their users’ friends and contacts. This meant that although only 270,000 people installed the app, the developer was able to pass data on millions of people to Cambridge Analytica.

8: Google+ (52 million)

Who?

Google+ is a social network. In March, Google announced that some Google+ app developers had accidentally been given access to user data. In December, Google announced that a second data breach, which they may have tried to hide, affected 52.5 million users.

How?

The Google+ hack seems to have been caused by a glitch that made user profile information available to app developers. Google is now planning to close their social network.

9: Chegg (40 million)

Who?

Chegg is an online store offering textbooks, tutors and online study support.

How?

An unauthorised third party was able to access a company database that included customer data for Chegg and some of their other brands.

10: Facebook (29 million)

Who?

The world’s largest social network was hacked, exposing sensitive user data including contact information, searches and usage history.

How?

Hackers exploited vulnerabilities in Facebook’s code to get access tokens, which then gave them full access to users’ details.

How can you avoid a data breach?

There are a few patterns in the top 10 data breaches of 2018:

  • Weak software. Many of these breaches were caused by vulnerabilities or weaknesses in the systems used.
  • Glitches. Hackers have a keen eye for glitches in software that have unintended consequences. These are ruthlessly exploited to access data that is usually hidden.
  • Mystery losses. A worrying trend from the top 10 is the number of ‘unknowns’. At the time of reporting, a number of companies have been unable to confirm how the hack was perpetrated.

The main lesson to learn from these examples is that hackers are creative and flexible, and that data leaks from organisations in many different ways.

Internal agents, external criminals, weak software, outdated software connections and APIs, weak passwords, clumsy security practices, social engineering – these are all common components of data breaches.

This suggests that organisations have a lot of work to do to protect every corner of their castle. Hackers look for weak spots in many different areas, and so organisations must address every aspect of their security: software, hardware, people, processes and culture.

Your business has probably invested in security to protect your physical property, but how much care is given to the intangible property that your business relies on?

It’s normal to lock down valuable equipment, but organisations are waking up to the fact that some of their most valuable possessions can’t be locked in a box or guarded with cameras.

Consider the difference between recovering from the theft of equipment and rebuilding a business that has lost its competitive advantage. Equipment may be costly, but it can be bought again. Intellectual property, and the things that make your business unique, are harder to replace.

Such intangible assets can be copied, stolen or leaked to third parties, and the loss may not even be detected until a rival puts these valuable secrets to work.

How difficult would it be for your organisation to deal with a competitor that suddenly has access to your customer database? Or your secret recipe? Or your manufacturing specifications? These kinds of threats are truly existential. And yet they are often ignored.

What can your company do to protect intangible assets and intellectual property?

Define your property

Before you figure how to protect your intangible assets, you need to know what you’re protecting. An audit of your business can help to identify unseen valuables, such as:

  • branding
  • processes
  • databases
  • software
  • product designs
  • customer research.

Update contracts

Confidentiality must be bound into your contracts with employees, contractors, suppliers and customers. Define the obligations for all stakeholders so that any breach of contract can be quickly resolved.

The ISO 27001 information security standard

The ISO 27001 standard focuses on information security. Attaining this standard is a good way to protect your business from risks and reduce the chances of losing intellectual property or other intangible assets.

Some organisations insist on ISO 27001 compliance as a prerequisite for doing business, because accreditation means that the organisation has taken steps to protect their information, which in turn means that your data is protected when under their care.

Has your organisation implemented systems to protect intangible assets?

Visit www.delta-net.com/compliance to view Protecting Assets eLearning from DeltaNet.

Since the VW emissions scandal broke in September 2015, observers have been wondering if any of the company’s executives would face jail time for their involvement in the massive fraud.

At the end of last year, Oliver Schmidt was sentenced at a court in Detroit to seven years in jail and a $400,000 fine.

Oliver Schmidt, a German national, played a key role at VW’s engineering office in Michigan. As the head of the environmental compliance team, Schmidt knew that Volkswagen vehicles did not comply with US environmental standards, and that VW was using computer trickery to fool investigators. Schmidt actively misled US investigators and is accused of destroying incriminating documents.

Before receiving his sentence, Schmidt acknowledged his complicity. “I only have myself to blame,” he said, “I made bad decisions and for that I am sorry.”

About the VW scandal

The VW emissions scandal emerged in 2015, when the Environmental Protection Agency (EPA) discovered software in VW cars designed to make the cars seem less polluting. The software detected when the cars were being tested, and then switched the engines into an alternative mode that produced fewer emissions. With this method, VW were able to make investigators believe that diesel VW cars operated within limits set by the Clean Air Act.

Outside of testing, VW engines were in fact emitting nitrogen oxide pollutants at up to 40 times the quantity allowed by US law.

Learning from VW

Volkswagen’s fraud has cost the company billions, lost it decades of goodwill, demolished trust and led to resignations, recriminations and now, for Oliver Schmidt, jail time. The total cost of the scandal is difficult to determine because it is so vast, and because some effects will not be fully realised in the short term. Only time will tell how badly this incident affects VW.

What happened at VW is a reminder of how bad decisions at one level can ripple up through an organisation. Even though VW employees are reported to have warned against the fraud before it became company practice, the warnings were not heeded. The executives that gave the green light to the scam were blinded by the bucks; all they could see was the immense earning potential of their supposedly low-emission diesel cars. Profits were prioritised over ethical, environmental and legal concerns.

This highlights a key challenge for all organisations: how do we put compliance and lawfulness above profit? How do we ensure an ethical corporate culture, even when the temptation to cheat is so great?

At VinciWorks, we create eLearning programmes on a range of compliance topics, including Environmental Awareness, Code of Conduct, Competition Law, and Treating Customers Fairly. Because our training is online, it can be easily delivered to all personnel, wherever they are based. VinciWorks training is a practical solution to manage your compliance training requirements. Contact our team to learn more about our eLearning.

Compliance Week Europe

This conference is designed to help compliance, audit, legal and risk executives understand how they can build and manage their ethics and compliance programmes more effectively.

Topics to be discussed include:

  • GDPR
  • Cyber Fraud
  • AML programmes
  • Whistleblowing
  • Anti-Bribery
  • Collusion
  • Ethics & Compliance
  • Sanctions
  • Supply Chain risk
  • Fraud indicators and red flags

During International Fraud Awareness Week, we consider the typical profile of a fraudster – as well as what you can do to reduce the risk of being a victim of fraud.

In KPMG’s new study, Global Profiles of the Fraudster, they analyse the findings of investigations into 750 fraudsters operating in 81 countries. So what can we learn from KPMG’s findings?

The true face of fraud is shockingly familiar

Many of us imagine that crime is something that stalks us from a distance, and that crimes against us will be perpetrated by strangers. The facts suggest we should shift our fear closer to home: in 65% of the 750 incidents, the victim organisation was employing the perpetrator. Another 21% of perpetrators were former employees, perhaps enabled by their knowledge and experience of security controls and weaknesses.

We might imagine that fraudsters are new joiners, or people who are less loyal to the company. Not so: 38% had more than 6 years’ service.

Familiarity breeds contempt?

Think that the typical fraudster is a low-earning staff member? In fact, 58% were managers and directors – the senior personnel most trusted with authority. And this authority is frequently used to undermine or circumvent controls and security systems: 44% of the perpetrators had unlimited authority.

While 66% of the fraudsters caught were motivated by greed, the report highlights an interesting subset of criminals: those motivated by a desire to conceal poor performance, or create the appearance that targets had been met, amounted to 35%.

Most fraudsters are male. Just 17% were female. And 68% were between the ages of 36 and 55.

This tells us that the average fraudster might not be a desperate, down-on-their-luck chancer with nothing to lose. The greatest risk to your organisation might come from your senior management team – or even your chief executive. As KPMG state in their report: “Outwardly, fraudsters in general are three times as likely to be regarded as friendly as not and are rarely perceived as loners. They tend to be highly respected and don’t necessarily have a showy lifestyle. In short, they may not conform to the stereotypical view of how people expect a fraudster to behave.”

Weak controls enable fraud

The report from KPMG states that fraud is often facilitated by technology, but it’s the weak internal controls that leave organisations vulnerable to fraud from within. KPMG quote Lem Chin Hok, Head of KPMG Forensic, KPMG in Singapore: “Internal controls are weak when they are poorly designed and are not followed by employees. A thorough fraud risk assessment is likely to show where the gaps are.”

During International Fraud Awareness Week, it’s vital that organisations don’t just look beyond their walls when implementing fraud prevention controls. KPMG’s study adds to the evidence that points to internal agents as likely perpetrators of corporate crime, and this potential risk must be considered when developing fraud prevention plans and procedures.

How well do you know the people you hire? In today’s competitive job market, it’s perhaps unsurprising that candidates are embellishing their CVs with ‘little white lies’ in order to stand out to recruiters.

A recent analysis by The Risk Advisory Group of over 5000 CVs found that 70% contained inaccuracies, ranging from minor exaggerations to outright lies.

“A growing number of people are applying for jobs with inaccurate CVs. Some discrepancies may be genuine slip-ups, but others are deliberate attempts by job seekers to deceive employers in order to get ahead,” said Michael Whittington, Head of Employee Screening at The Risk Advisory Group.

63% of the CVs analysed contained falsehoods pertaining to academic qualifications, with one claiming to have obtained an MBA from a university that doesn’t exist, while another cited attendance at a prestigious English university but failed to mention having been expelled long before graduation. Other inaccuracies related to employment history, skills and responsibilities, and criminal records – one even omitting fraud committed against a previous employer.

“Trust is very important in professional relationships, and by lying on your CV, you breach that trust from the very outset,” said Rosemary Haefner, vice-president of human resources at CareerBuilder. However, damaging a professional relationship could be the least of the employee’s problems. Candidates who lie during the recruitment process could be found to be in breach of contract resulting in immediate termination, and some CV falsehoods could even constitute “fraud by false representation,” which carries a maximum 10-year jail sentence.

From the employer’s point of view, hiring an employee based on false information could also have unpleasant consequences.

“The repercussions of making the wrong hire can be huge. It can cost a company time, money and, potentially, its reputation if things go awry. And with organised crime and insider fraud on the rise, it can also leave a business exposed to infiltration by rogue candidates, leading to data hacking and security breaches,” warns Michael Whittington.

Steve Girdler, managing director at HireRight, adds: “Organisations are disproportionately focused on external threats, such as cyber security, while paying scant attention to the greatest risk to their safety and reputation – properly qualified, professional employees. They should stop taking applicants at face value and give the same due diligence to employees as they do to other risks.” Research by CareerBuilder backs him up. It found that 51% of employers said they spent more than two minutes reviewing a CV, while one in four spent less than a minute. 12% admitted to spending only 30 seconds reading a candidate’s CV, so it is hardly surprising that so many inaccuracies go undetected.

“We urge companies to validate the credentials of all potential hires in advance, thereby avoiding costly mistakes further down the line,” concluded Michael Whittington.

Fraud continues to be a high-profile news story: in the last week, a former Ukip MEP has been jailed over a £500k expenses fraud, the finance director of Bannatyne Group was in court over fraud amounting to £8m, and it was revealed that in 2014 insurance fraud was worth an incredible £1.32bn.

Fraud, or deception for personal gain or to cause loss to another party, comes in many forms, making protecting your organisation against fraud an ongoing challenge.

There are numerous risks to organisations: job applicants lying on CVs in order to get jobs, employees filing false expenses claims, and senior staff abusing their positions for financial gain are just a few examples.

As well as fraud within organisations, every individual working for an organisation is a potential target for fraudsters – and it could well be the organisation’s money and reputation which ends up lost.

Consequences

The consequences of fraud are extremely serious, including imprisonment, hefty fines and damage to reputation of both the individual and the organisation.

Fines, lost revenue and legal costs associated with fraud can lead to reduced wages, cancelled bonuses, decreased morale and even redundancies.

Our Online Fraud and Market Abuse training is designed to help protect organisations against the various threats posed by fraud by raising awareness among all staff.

Everyone in an organisation is responsible for detecting fraud and protecting the organisation from its consequences. This excerpt from the ‘Identifying and preventing fraud’ section of the course lists 12 red flags to help individuals detect fraud in their organisation:

Behavioural red flags

  • Employees who consistently work longer hours than their colleagues for no apparent reason and are reluctant to take time off.
  • Employees with a sudden change of lifestyle and/or social circle.
  • Employees under apparent stress without identifiable pressure.
  • Employees who request significant detail about proposed internal audit scopes or inspections.

Financial red flags

  • Employees known by others to be under external financial pressure.
  • Employees who appear to make a greater than normal number of mistakes, especially where these lead to financial loss through cash or account transactions.
  • Employees with unexplained sources of wealth, or at the highest level of performance (e.g. sales) where there might be a concern that they are achieving this through suspect activity.
  • Employees with competing or undeclared external business interests.

Procedural red flags

  • Employees making procedural or computer-system enquiries that are inconsistent with, or unrelated to, their normal duties.
  • Customers or suppliers insisting on dealing with just one individual.
  • Managers who avoid using the purchasing department.
  • Poor engagement with corporate governance philosophy.

These red flags are designed simply to raise awareness and help in the detection of fraud by giving employees an idea of what to look out for – they do not constitute evidence that fraud is taking place.

Our Online Fraud and Market Abuse training covers identifying and preventing fraud in much greater detail, including technology fraud, internal and external fraud, the Fraud Act 2006, the consequences, investigation and reporting of fraud.