Airline Fraud Survey 2006. Rania Bejjani 8 November 2006 IAAIA Conference – Goa, India Rania Bejjani

Airline Fraud Survey 2006 Overview Survey background and participants Key findings Recommended actions to reduce fraud Questions and answers Key findings cover: - What are the most common and costly schemes? What are their impact and how does 2006 compare with 2000 Who is more exposed to risk What are the expectations for 2007? How well do you manage fraud risk and who is responsible for doing so? Airline Fraud Survey 2006

Survey background and participants

Airline Fraud Survey 2006 Objectives Our objectives were to: understand fraud risks and how these are impacting the airline industry around the world capture the root causes airlines believe are driving certain types of fraud consider trends of fraud since the last survey in 2000 flag changes and schemes which have been found to help reduce or mitigate these risks inform the airline industry of the risks it faces, share lessons learnt and promote a more secure and controlled business environment identify the key step or steps all airlines need to take to address fraud Airline Fraud Survey 2006

Airline Fraud Survey 2006 Methodology Key steps included: Survey questions were pulled together by Deloitte and the IAAIA building on the 2000 IATA/IAAIA survey Confidential personal invites were sent out to Heads of Internal Audit or Finance Directors (for smaller airlines) to nearly 180 airlines worldwide Responses have been summarized on an aggregate, collective no-name basis and confidentiality has been maintained at all times Airline Fraud Survey 2006

Who participated? Airlines from across the 5 continents Asia 12% Europe 44% Middle East 10% Americas 17% Africa 7% Pacific 10% Network carriers 76% Low cost carriers 17% Charter carriers 7% Airline Fraud Survey 2006

Participants’ demographics: How do you compare? In 2000, average employees was: 9980 Average Gross Revenue was: USD 1.9bn Revenue distribution Airline industry has “grown” compared to 2000, when the average Gross Revenue was USD1.9 bn and airlines had on average 9980 employees Airline Fraud Survey 2006

Key Findings Overview

Airline Fraud Survey 2006 Key findings Fraud related loss increased 5 fold since 2000: On average each airline suffered at least USD 3M in 2006 External fraud is by far greater than internal fraud Credit card fraud is the single most prevalent and costly fraud scheme costing every airline on average nearly USD 1M 99% of technology fraud relates to poor IT security Airline Fraud Survey 2006 99% of technology fraud relates to poor IT security

Airline Fraud Survey 2006 Key findings - cont’d 90% think fraud will increase or at least remain the same in 2007 Over 60% have no anti-fraud programmes, do not perform risk assessments and do not track or record fraud 31% discover fraud “by accident” and 45% are informed by external parties 60% rely on IA as a solution to fraud yet airlines have smaller IA teams than other industries Airline Fraud Survey 2006

Key Findings A closer analysis

How much does fraud cost you? Have you experienced fraud Yes No during the last 12 months? 79% 21% On average: Fraud related loss per airline has increased 5 fold since 2000 Every airline has suffered in 2006 a loss of at least USD 3M Estimated loss across the industry is USD 600M Airline Fraud Survey 2006

External versus internal fraud External fraud is by far greater than internal fraud in volume and impact Impact across industry is $3M X 200 airlines world-wide as registered with IATA Airline Fraud Survey 2006

What are the most common and most costly fraud schemes?

External fraud

External fraud schemes – Survey findings “Other” relates to instances of travel agency abuse, estimated at USD 35M and experienced by one airline (distinct from above) Cross-border ticketing and tariff abuse were experienced by one airline only. Therefore if we exclude those 3 above Mention counterfeit ticket and say that overall compared with 2000, numbers have decreased and talk about that for 2 sec Airline Fraud Survey 2006

External fraud schemes – A closer analysis If we exclude those schemes affecting one airline only, what are the most significant external frauds affecting all airlines? Credit card fraud: 60% of external fraud related losses relate to credit card abuse 33% of respondents have experienced credit card fraud Related losses nearly average USD 1M per airline, that’s an estimated at least USD100M across the industry Technology and web-based fraud: 17% of external fraud losses relate to technology and the web 26% of respondents have suffered USD 10.2M in total Third party providers’ fraud: 17% of external fraud losses relate to third party providers 10% of respondents have suffered USD 9.3M in total Again if we extrapolate credit card fraud across the industry - $850k X 200 = nearly USD 170 Million!!! Warning – naturally not all airlines accept credit card payments in the same frequency – but still this is the most important theme Credit card fraud is the most prevalent and costly fraud scheme Airline Fraud Survey 2006

Understanding credit card fraud Credit card fraud related average 2000 2006 loss per airline in USD 96k 854k Analysis by Gross Revenue Analysis by location For large airlines, average cost is USD 2.5M each Again if we extrapolate credit card fraud across the industry - $850k X 200 = nearly USD 170 Million!!! Warning – naturally not all airlines accept credit card payments in the same frequency – but still this is the most important theme In Europe and US, average cost is USD 1.5M per airline Airline Fraud Survey 2006

Technology and web based fraud All respondents believe that technology surpassing current controls in place is a key driver of fraud A third nearly have experienced some form of technology fraud costing USD 10.2M In 2006, 67% of respondents think additional fraud risks have been taken by their airline because of new technology, compared with 44% in 2000 99% of technology fraud (in volume and USD impact) relate to “Internet payment fraud” Contributing to Link also to FF abuses (only cost 270k) Credit card fraud related loss Average per airline: USD 1M Estimate across industry: USD 100+M Is your IT security not robust enough? Airline Fraud Survey 2006

Types of frauds perpetrated Third party fraud – What are the common schemes and who are the perpetrators? Types of frauds perpetrated 8 types of fraud were considered. Below are the top 3: Other types of fraud reported included theft of airline goods / services and the use of declined credit cards 10 different outsourcing / service providers were considered. Below are the top 3: Other includes “travel agents” and “advertising agencies”, which were not part of the original 10 Perpetrators of fraud Billing for services not rendered 75% Incorrect pricing 11% Double billing 14% Other 1% In flight service providers 86% Ground handlers 13% 20 Airline Fraud Survey 2006 Airline Fraud Survey 2006 ©2006 Deloitte & Touche LLP. Private and confidential

External fraud schemes – Summary comparison with 2000 In 2000, 3 most common and costly external fraud schemes were: Tariff abuse Ticket theft Credit card fraud In 2006, 3 most common and costly internal fraud schemes are: Credit card fraud Technology and web-based fraud Third party providers’ fraud The fraud profile has changed since 2000: Credit card fraud has significantly increased in volume and costs Ticket theft, tariff abuse and counterfeit tickets have been experienced by fewer airlines Technology effect is more evident Shift of fraud profile due to decrease in the use of manual tickets, increase of online sales, distribution channels or improved controls on previously experienced frauds Airline Fraud Survey 2006

Internal fraud

Internal fraud schemes – Survey findings Comment on the high number of suspected versus proven – link that back to lack of focus on fraud and anti-fraud programmes/whistleblowing etc Link back again to lack of internal controls over FF, inventory and cargo Stock mgt (whether it be on board or cargo) is particularly vulnerable area There seem to be a focus on proving abuses of IT resources which link back to policies and procedures, more than there is a focus on the “revenue / value leakage” areas such as FF and inventory. Airline Fraud Survey 2006

Internal fraud schemes – Summary comparison with 2000 In 2000, the 3 most common internal fraud schemes were: Cargo theft Ticket theft Expense account fraud In 2000, the 3 most costly internal fraud schemes were: Payroll theft Cargo theft Ticket theft How does that compare with the 2006 survey? In 2006, the 3 most common internal fraud schemes are: Frequent flyer abuses Inventory theft Cargo theft In 2006, the 3 most costly internal fraud schemes are: Diversion of revenue Frequent flyer abuses Abuse of passenger personal details Frauds relating to frequent flyer and passenger personal details abuses are on the increase Airline Fraud Survey 2006

Compliance with Payment Card Industry standards 33% of respondents have experienced external credit card frauds costing them USD 35M 20% of respondents have experienced internal abuse of passengers’ personal details costing them USD 3.5M 7% have experienced instances where their employees stole the identity of their passengers 24% are not aware of the new Payment Card Industry (PCI) standards by credit card companies Are the “aware” airlines compliant with the new PCI standards? This is a key slide and quite topical Payment Card Industry standards were issued in 2006 and require compliance by end of 2006 They apply to all companies – all over the world Developed by visa and mastercard, but all remaining card companies (Amex, diners, etc) have now signed up Sets out the rules for processing credit card transactions and collating / retaining credit card details – outlining what you can and cannot do. Link to IT security over systems and customer information Airline Fraud Survey 2006

Who is more exposed to fraud?

Does size matter? Company size Average Number of Fraud Cases Internal External Total Revenue Bracket < USD 100M 2 1 3 USD 100M - 999M 19 125 144 USD 1000M - 2499M 28 127 155 USD 2500M - 4499M 2 706 708 > USD 4500M 77 727 803 Total 33 346 379 Airline Fraud Survey 2006

Where is exposure to fraud higher? On average, airlines operating in the Middle East, Americas and the Pacific are more exposed to internal fraud then their counterparts in other parts of the world European and Asian airlines experience significantly more external fraud Average number of internal fraud cases per airline Average number of external fraud cases per airline 11 63 35 80 30 44 33 10 20 40 50 60 70 90 Europe Americas Africa Middle East Asia Pacific Total * 681 54 3 760 53 413 100 200 300 400 500 600 700 800 Europe Americas Africa Middle East Asia Pacific Total Note here that the cases of internal fraud in the Middle East are experienced by ONE airline mainly. Therefore might not necessarily be reflective of the entire region * The high number of cases is driven by one airline in particular. Therefore average may not be truly reflective of the region’s practices. Airline Fraud Survey 2006

Does your business model affect fraud exposure? Link larger number of internal fraud at NCs to 1) larger number of staff 2) legacy functions, processes and old bespoke systems with limited audit trails Link large number of external fraud at LCCs to 1) Larger reliance on external parties and 3rd party providers 2) smaller back offices, so less checks are performed and 3) internet sales with small investment in secure IT systems. Key message though: are NC truly tracking fraud cases? Are LCCs focusing more on these because they are more cost conscious? Low Cost Carriers are significantly more exposed to external fraud Airline Fraud Survey 2006

What are the expectations for fraud in 2007?

Fraud expectations for 2007 Will the occurrences of fraud increase in comparison to 2006? The main reasons for the expected fraud increase are: 0% 20% 40% 60% 80% 100% Changes in routes flown Complex fare structures Economic pressure New products not regulated Staff reduction Technology surpassing controls Weakening of society values Organized crime Resources allocated to fraud control Strongly agree Agree Strongly disagree Disagree Airline Fraud Survey 2006

How well do you manage fraud risks?

How well do you manage fraud? Airlines surveyed confirmed that they have experienced fraud, yet: 72% do not have a fraud policy 56% do not perform a risk assessment 65% do not have an anti-fraud programme 63% do not have a whistle-blowing mechanism to report fraud 61% do not have a formal system to track fraud Airlines lack robust and well established anti-fraud programme to prevent, detect, report and track fraud. This is increasing your risks of and vulnerability to fraud Feedback from airlines suggests that many found quantifying their fraud losses and validating the completeness of the data submitted in the survey challenging due to the lack of centralised, consistent or formal records of fraud Airline Fraud Survey 2006

How do you assess fraud risk? 39% perform the fraud risk assessment yearly 28% link the risks of fraud identified to anti-fraud programmes and controls 21% follow a set of stringent and consistent procedures when fraud is detected Only 22% have a good representation from across management, business units and locations when performing the risk assessment When presenting link back to Sarbanes-Oxley requirements for anti-fraud programmes –recommended: - frequency - <check my training notes and update this > I think must be at least yearly. 6 monthly recommended - involvement – the wider the better / exercise should involve senior management including the Audit Committee, along with middle mgt and representation from key locations and regions. - the risks identified should be linked back to the existing anti-fraud programmes and controls – accordingly identify action plans to put in place the relevant mitigating controls - should be documented - process should be monitored and reviewed regularly / its effectiveness assessed by management. S404 requirements specifically state management responsibilities as: 1. Establish and maintain antifraud programs and controls. 2. Maintain adequate documentation of design of antifraud programs and controls. 3. Evaluate design and operating effectiveness of antifraud programs and controls. 4. Evaluate and communicate findings. However “one size does not fit all”. Level of formality and documentation will vary Public Entities: Ordinarily deficiencies in antifraud programs and controls are at least significant deficiencies. An ineffective control environment or risk assessment function is at least a significant deficiency and is a strong indicator of a material weakness. <PCAOB AS 2, paraphrased p.139 & 140> Need to identify potential fraud schemes / potential perpetrators / likelihood and impact of risks The risk assessment initiatives being undertaken are not stringent and comprehensive enough to reduce fraud Airline Fraud Survey 2006

Fraud identification - How did you discover the frauds? 14 potential mechanisms that airlines rely on to discover fraud were considered in the survey and here are the most common: Link back to the other slides – around internal controls and management Throw the question at the audience whether that rings a bell with them Challenge the audience on the 30% (External audit + outsiders) Query why so LOW from the anonymous whistle-blowing and link that back to the lack of anti-fraud programmes Up to 31% discover the frauds by “accident” Combined 45% of respondents are informed by external parties Nearly 50% rely on internal assurance processes such as internal audit and internal control procedures Airline Fraud Survey 2006

Who is responsible for fraud prevention, detection and investigation?

Responsibility for fraud prevention, detection and investigation In 2006, departments responsible for fraud response have remained overall the same compared with 2000 IT Security are out of the equation Airline Fraud Survey 2006

Responsibility for fraud prevention, detection and investigation Percentage of respondents’ reliance on the following departments for fraud response At least 60% of airlines rely on Internal Audit to prevent, detect and investigate fraud Airline Fraud Survey 2006

Responsibility for fraud prevention, detection and investigation Have your staffing, retention and training been appropriate to meet these challenges? Airline Fraud Survey 2006

How do airlines compare with other industries? Warning that different industries have different requirements and for example banking is highly regulated. But even when compared with “Transportation” industry, airlines seem to have smaller teams Source of industry figures: The Institute of Internal Auditors' Global Auditing Information Network (GAIN) Compared with other industries, airlines have smaller internal audit teams Airline Fraud Survey 2006

Actions to reduce fraud

Steps to reduce fraud Are you focusing on the right steps? Responses from the survey suggest that: improving internal controls increasing reference checks on new employees increased focus by Senior Management on the problem are considered to be the most effective steps to reduce fraud in the future Given the findings relating to the most common fraud schemes, how fraud is currently managed and the level of resources, the above are not enough Think and challenge. Given the findings have they selected the right steps Challenge employee references – on one hand that links with “too much freedom to employees” and 2mgt override of controls” in case the new employees are “mgt”. However, when they are not, this may be focusing on the WRONG issue Airline Fraud Survey 2006

The top 3 steps every airline needs to take to address fraud Involve IT Security To address credit card and internet payment fraud To design improved internal controls to keep up with new technologies To facilitate compliance with PCI standards Implement a preventative anti-fraud programme Assess fraud risks regularly and link them to controls Define a fraud policy and educate your staff Involve all relevant parties and increase senior management focus Improve your detective capability Larger and fraud-trained internal audit teams with a wider scope/reach A whistle-blowing / speaking up mechanism to report fraud internally A central repository to record, monitor and escalate as appropriate Airline Fraud Survey 2006

Questions and answers

Statement of Responsibility Disclaimer Deloitte has made no attempt to verify the reliability of the information or representations provided to us by the organizations participating in the 2006 Airline Fraud Survey. This summary document is limited in nature, and does not comprehend all matters relating to the survey that might be pertinent to your self-assessment. We make no representation as to the sufficiency of this summary for your purposes.  This document should not be viewed as a substitute for other forms of analysis that management should undertake in order to assess whether their internal controls, anti-fraud program or internal audit strategy are adequate or appropriate for the organization’s purposes. The information in this report is not intended to constitute legal, accounting, tax, investment, consulting, or other professional advice or services. Before making any decision or taking any action which might affect your personal finances or business, you should consult a qualified professional advisor.   This document is solely for your informational purposes and internal use and you will not disclose it to any other person or entity. This document is prepared solely for presenting the key findings of the Airline Fraud Survey. Therefore you should not, without our prior written consent, refer to or use our name or this document for any other purpose, disclose them or refer to them in any prospectus or other document, or make them available or communicate them to any other party. No other party is entitled to rely on our document for any purpose whatsoever and thus we accept no liability to any other party who is shown or gains access to this document. THIS SUMMARY AND THE INFORMATION CONTAINED HEREIN IS PROVIDED “AS IS,” AND DELOITTE MAKES NO EXPRESS OR IMPLIED REPRESENTATIONS OR WARRANTIES REGARDING THIS REPORT OR THE INFORMATION. YOUR USE OF THIS REPORT AND INFORMATION IS AT YOUR OWN RISK. DELOITTE WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, PUNITIVE DAMAGES OR OTHER DAMAGES, WHETHER IN AN ACTION OF CONTRACT, STATUTE, TORT (INCLUDING, WITHOUT LIMITATION, NEGLIGENCE) OR OTHERWISE, RELATING TO THE USE OF THIS REPORT OR INFORMATION. Deloitte & Touche LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at Stonecutter Court, 1 Stonecutter Street, London EC4A 4TR, United Kingdom. Deloitte & Touche LLP is the United Kingdom member firm of Deloitte Touche Tohmatsu ('DTT'), a Swiss Verein whose member firms are separate and independent legal entities. Neither DTT nor any of its member firms has any liability for each other's acts or omissions. Services are provided by member firms or their subsidiaries and not by DTT. Airline Fraud Survey 2006

Member of Deloitte Touche Tohmatsu