IQPC Public Sector Fraud & Corruption Summit, Canberra
Friday 28th October 2016
Dr Darren O'Connell MBA FGIA
Workshop D: Conducting a Comprehensive Fraud and Corruption Risk Assessment – Part 1
Workshop Agenda
1. Introductions
2. War stories
3. Part 1: Recap on better practice approaches to managing risk
4. Break
5. Part 2: Identifying and managing fraud and corruption risk
6. Summary and close
Workshop Objectives
1. Learn about tools and techniques to detect and assess risk
2. Learn how to perform a comprehensive risk assessment
3. Identify fraud and corruption risks in an internal environment, and when working with third parties
4. Draw insights from the results and improve your risk management framework
5. Overcome common pitfalls
Part 1: The Risk Management Process
The Risk Management Framework

• The key objectives of risk management are to:
  ‒ Support informed risk-taking that promotes PHG's objectives and success while recognising the risks associated with key decisions
  ‒ Create a robust control environment that reduces negative impacts on PHG's performance
  ‒ Avoid surprises by generating an increased understanding of key risks and providing early warning of increases in exposure to adverse risk events
  ‒ Reduce the cost to PHG of "fire fighting" versus proactive risk management
  ‒ Generate a risk profile that will support the Executive's ability to focus discussions and attention on the material risks
  ‒ Provide the basis for identifying areas of priority for Internal Audit
• The key elements of the risk framework are:
  ‒ Taking an evidence-based approach, including:
    • The rationale for scoring a risk in a particular way
    • An assessment of the financial impact of the risk should it eventuate
  ‒ Producing a manageable list of risks through the use of the bow-tie methodology, which combines key causes and impacts into a single risk
  ‒ Defining the controls that should be in place and the key attributes of these controls that result in an effective control environment
  ‒ Assessing the effectiveness of individual controls and including commentary on the current gaps that result in controls not yet being fully effective
  ‒ Identifying Actions, in addition to current controls, to support further risk reduction for PHG
  ‒ Achieving a direct linkage between controls and the Actions needed to improve them
Risk Identification

Risk identification can be achieved through an analysis of critical activities, strategic plans, incident analysis, and a consideration of the changes facing your organisation. Sources of risk information shown on the slide: Strategic Plan; PESTLE Analysis; Agency Transformation; Audit Assurance; Business Resilience Event; Risk Register.

The following questions can be used to assist in identifying risks:
• What could go wrong?
• How could your organisation fail?
• What must go right for your organisation to succeed?
• Where is your organisation vulnerable?
• What assets does your organisation need to protect?
• Does your organisation have liquid assets or assets with alternative uses?
• How could someone defraud your organisation?
• How could someone disrupt your operations?
• How do you know whether you are achieving your objectives?
• On what information does your organisation most rely?
• On what does your organisation spend the most money?
• How does your organisation invoice and collect its revenue?
• What decisions require the most judgment?
• What activities are most complex?
Risk Identification: Risk Categories

Regulatory (Compliance / Legislation / Environmental) Risk
  Description: The risk of failing to meet government standards, laws and regulation (including WHS, environmental, etc.)
  Subcategories: Regulatory / legal; Contractual; Licensing / Accreditation; Environmental; Reporting

Strategic Foresight Risk
  Description: The risk arising from insufficient forward planning, inappropriate strategies or poor strategic alignment.
  Subcategories: Acquisitions, mergers & divestments; Business transformation

Our People Risk
  Description: The risk of inappropriate HR policies, recruitment, training, retention, staff engagement and culture.
  Subcategories: People capacity & capability; Planning & utilisation; Unions / industrial relations

Major Project Risk
  Description: The risk of not achieving key project or event objectives, budgets or deadlines.
  Subcategories: Maintenance / upgrade; Acquisition & lease; Disposal; Planning & utilisation

Budget, Revenue and Capital Spend Risk
  Description: The risk of not achieving income or expenditure targets, inappropriate returns on investment, cash flow, financial sustainability (including financial reporting and processes, accounting controls).
  Subcategories: Meeting revenue/growth targets; Insurance; Bribery, fraud & corruption

Knowledge Management Risk
  Description: The risk of not protecting corporate knowledge, insufficient research to support initiatives, inadequate innovation.
  Subcategories: Information security; IT systems / infrastructure; Intellectual property

Reputation, Stakeholder and Clients Risk
  Description: The risk of damage to PHG's reputation and brand.
  Subcategories: Brand strength & relationships; Adverse publicity; ICAC / Ombudsman

External Risk
  Description: The risk of economic shocks, changing public attitudes, political factors, changing customer or supplier needs (including social responsibility, stakeholder management).
  Subcategories: Government & policy change; PESTLE factors

Service Delivery (Internal / External) Risk
  Description: The risks associated with delivery of services to internal and external customers (including IT, Property, Procurement, Asset Management etc.).
  Subcategories: Tenancy performance / retention / acquisition; Engagement; New opportunities

Work, Health and Safety Risk
  Description: The risk of unexpected events, business continuity, issues management, natural disasters, public hazards, legal and contract risks.
  Subcategories: Visitor safety; Environmental incidents; Staff safety; BRF & CMP; Asset security
Risk Identification: the "Bow-tie" Method

• A risk is an event that has a less than 100% likelihood of occurring.
• The following shows the "Bow-tie" method of risk identification, read left to right:
  ‒ Risk Causes: key contributing factors to the risk occurring
  ‒ Controls to Manage Causes: controls that reduce the likelihood of the causes occurring
  ‒ Risk Event
  ‒ Controls to Manage Impacts: controls that reduce the extent of impact if the risk were to eventuate
  ‒ Risk Impacts: consequences that can result if the risk were to eventuate
The Control Environment

The control environment usually comprises four elements:
1. Basic standards
   • Code of Conduct, gift policy, conflict of interest register, staff training & awareness program
   • Set minimum standards of behaviour
   • Options for disciplinary actions
2. Risk Management
   • Segregation, discretion reduction, delegations, management oversight, audit
   • Necessary to manage opportunities that cannot be designed out of the system
3. Operations
   • Incentives, process design, information and metrics, accountability and design location, divisional arrangements, internal-to-market boundaries
   • Organisations exist to achieve particular outcomes
   • Tight operational design reduces opportunities for corruption
4. Design and oversight
   • Design, governance, management, audit, investigation, business improvement, legal
   • Requires clear understanding of operational realities
Source: Independent Commission Against Corruption © 2016
The Risk Control Environment (figure)
Source: Independent Commission Against Corruption © 2016
Identifying Risk Controls

• Identify the controls that should be in place to effectively manage the risk, including the controls required to reduce the potential for each of the causes to occur and to reduce the impact if the risk were to eventuate.
• For each control listed, ensure that the attributes (assurance) which make the control effective are listed.

Example controls by risk category and subcategory:
• Regulatory / Contractual: Governance oversight and approvals of contract variations and additional delivery of scope
• Major Project / Maintenance & Upgrade: Regular subcontractor performance review including quality and safety; Robust subcontractor selection criteria to assess value for money, quality and capability
• Our People / People capacity & capability: Succession planning to account for temporary or permanent loss of key roles; Regular monitoring of retention rates and proactive implementation of required actions in response to a decrease in rates
Risk Control Effectiveness

• The control assessment is the extent to which the control is being consistently implemented and reduces the risk, rated effective, partially effective or ineffective. If a control is effective, it should be able to stand up to an audit of its effectiveness.
• The control testing outcome should identify any gaps that exist in the control's effectiveness, i.e. for any rating that is NOT "Effective".

Control Effectiveness | Internal Audit Rating | Guide
Effective | 5 | Controls are well designed for the risk, are largely preventative and address the root causes. The controls are effective and reliable.
Mainly Effective | 4 | Well controlled, with some control weaknesses / areas for improvement identified.
Adequate | 3 | Reasonable level of controls; however, some control weaknesses of concern identified.
Needs Improvement | 2 | Adequate level of control in some areas; however, significant control weaknesses in a number of areas.
Non-Effective | 1 | Poorly controlled. Significant weaknesses in internal controls, OR the controls that can be put in place are very limited due to the type of risk (beyond the control of your organisation / Agency).
Risk Control Actions

• Determine what Actions are required to improve all mainly effective, adequate, needs improvement and non-effective controls to make them effective
• Actions should have completion dates within the next 12 months
• For each Action, the following should be identified:
  ‒ A link to the related control/s which it is aiming to improve
  ‒ Any non-budgeted cost of implementing the Action
  ‒ A due date and responsible person for implementing the Action
• It is important to then track Action implementation status (using a RAG scale), including an explanation for any red Action status:
  ‒ Red – The treatment has passed its due date
  ‒ Amber – The Action is at risk of not being completed by the due date
  ‒ Green – The Action is on track for completion by the due date
  ‒ Closed – The Action has been completed
• When an Action is complete, re-examine the control effectiveness
Risk Severity - Definitions

Term | Definition
Inherent Risk | The level of risk, being the combination of impact and probability, that exists before PHG has put in place any controls
Residual Risk | The level of risk, being the combination of impact and probability, that exists today taking into account the effectiveness of current controls
Target Risk | The level of risk, being the combination of impact and probability, that is expected to be achieved after implementation of control treatments

• Assess the risk on the basis of the highest consequence criterion. For example, if a risk could result in both an operational and a financial consequence, and the latter is greater, then the consequence rating should be the financial one
• Rating the risk on this basis does not detract from the importance of managing the other consequences which the risk could have
• Note that consequence and likelihood are not mutually exclusive. This means that you should identify the potential consequence of a risk and then consider the likelihood of the risk occurring and resulting in that level of consequence.

Risk Severity - Consequences (consequence criteria table; figure)
Risk Severity - Likelihood (probability assessment)

Rating | Probability | Frequency | Description
1 – Rare | <1% | <1 event in 100 years | Event may occur only in exceptional circumstances; event is very unlikely to occur
2 – Unlikely | 1% – 20% | Several events in 100 years | Event may occur in exceptional circumstances; event is unlikely to occur
3 – Possible | 21% – 49% | Several events in 10 years | Event could occur at some time; event is fairly likely to occur
4 – Likely | 50% – 85% | Several events in 1 year | Event will occur at some time; event is likely to occur
5 – Almost Certain | >85% | Multiple events in 1 year | Event will probably occur in most circumstances; Event

Risk Severity - Scoring (Consequence × Likelihood)

Consequence | Rare | Unlikely | Possible | Likely | Almost Certain
Severe | High (15) | High (19) | High (22) | Extreme (24) | Extreme (25)
Major | Medium (10) | Medium (14) | High (18) | High (21) | Extreme (23)
Moderate | Medium (6) | Medium (9) | Medium (13) | High (17) | High (20)
Minor | Low (3) | Low (5) | Medium (8) | Medium (12) | Medium (16)
Negligible | Low (1) | Low (2) | Low (4) | Low (7) | Medium (11)
Risk Register Creation

• The key steps to be undertaken in creating a risk register are:
  1. Identify risks: discuss the risks, considering all categories of risk, that may apply to the function. Each risk register must contain the following "baseline" risks: WHS; Fraud & Corruption; Business/Project Continuity; and Procurement. Operational Risks are those that are not "baseline" risks.
  2. Identify the causes and impacts of the risk, considering the key factors that could contribute to the risk occurring and the possible impacts that could result if the risk were to eventuate.
  3. Identify and assess the effectiveness of current controls, including both those controls preventing the risk and those mitigating its impact should it occur.
  4. Assess inherent and residual risk based on the probability and impact of the risk, taking into account the effectiveness of current controls; the residual risk is the current level of exposure posed by the risk.
  5. Document the risk rationale and the financial value of the residual risk.
  6. Identify the treatments required to improve the current control environment and identify the target risk score to be achieved subsequent to the treatments being implemented.
  7. Repeat for several risks.
  8. Allocate ownership: discuss risk ownership, with owners being the relevant senior management team member who owns the risk and coordinates its effective management, and contacts being the person who will assist in populating the required risk information.

• The key elements of a risk register are:
  ‒ Risk owner
  ‒ Causes
  ‒ Impacts
  ‒ Inherent risk
  ‒ Existing controls being relied upon, including: an outline of the control in place; the name of the control owner for each control; review requirements (i.e. assurance)
  ‒ Residual risk
  ‒ Action plans (if required), containing for each plan: an outline of the action plan, the owner and the expected completion date; the target risk rating (risk rating after treatment plans are completed)
  ‒ Risk scoring: Inherent (no controls); Residual (existing controls); Target (when all controls are effective / new controls in place)

Example of a risk register, and break
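The scoring rules from the Part 1 slides (likelihood bands, the consequence × likelihood matrix, the highest-consequence rule, inherent/residual/target severity and RAG tracking of Actions), as an added Python example that is not part of the workshop material. Class and field names and the sample register entry are constructed; modelling controls as shifting either the consequence rating or the probability is an assumption of the example.

```python
"""Added worked example (not from the workshop slides): a small risk register that
applies the slides' rules: likelihood bands, the 5x5 consequence x likelihood matrix,
the "highest consequence" rule and the RAG scale for Actions. Names are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple

LIKELIHOODS = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]
CONSEQUENCES = ["Negligible", "Minor", "Moderate", "Major", "Severe"]
ASSESSMENT_DATE = date(2016, 10, 28)  # workshop date, used as "today" below

# Rows: consequence; columns: likelihood in LIKELIHOODS order -> (rating, score),
# transcribed from the "Risk Severity - Scoring" slide.
MATRIX = {
    "Severe":     [("High", 15), ("High", 19), ("High", 22), ("Extreme", 24), ("Extreme", 25)],
    "Major":      [("Medium", 10), ("Medium", 14), ("High", 18), ("High", 21), ("Extreme", 23)],
    "Moderate":   [("Medium", 6), ("Medium", 9), ("Medium", 13), ("High", 17), ("High", 20)],
    "Minor":      [("Low", 3), ("Low", 5), ("Medium", 8), ("Medium", 12), ("Medium", 16)],
    "Negligible": [("Low", 1), ("Low", 2), ("Low", 4), ("Low", 7), ("Medium", 11)],
}


def likelihood_from_probability(p: float) -> str:
    """Map an annual probability (0..1) to the slide's bands (<1%, 1-20%, 21-49%,
    50-85%, >85%); the unprinted gaps (e.g. 20-21%) are closed at 1%, 20%, 50%, 85%."""
    if p < 0.01:
        return "Rare"
    if p <= 0.20:
        return "Unlikely"
    if p < 0.50:
        return "Possible"
    if p <= 0.85:
        return "Likely"
    return "Almost Certain"


def highest_consequence(ratings: Dict[str, str]) -> str:
    """Rate on the highest consequence criterion (e.g. financial over operational)."""
    return max(ratings.values(), key=CONSEQUENCES.index)


def score(consequence: str, likelihood: str) -> Tuple[str, int]:
    """Matrix lookup: (rating, score) for a consequence/likelihood pair."""
    return MATRIX[consequence][LIKELIHOODS.index(likelihood)]


@dataclass
class Assessment:
    """Inherent, residual or target view: rating per consequence criterion + probability."""
    consequences: Dict[str, str]
    probability: float

    def severity(self) -> Tuple[str, int]:
        return score(highest_consequence(self.consequences),
                     likelihood_from_probability(self.probability))


@dataclass
class Action:
    description: str
    due: date
    owner: str
    completed: bool = False
    at_risk: bool = False  # owner's judgement that the due date may slip

    def rag(self, today: date = ASSESSMENT_DATE) -> str:
        """RAG scale from the 'Risk Control Actions' slide."""
        if self.completed:
            return "Closed"
        if today > self.due:
            return "Red"    # passed its due date
        if self.at_risk:
            return "Amber"  # at risk of missing the due date
        return "Green"      # on track


@dataclass
class Risk:
    name: str
    inherent: Assessment  # before any controls
    residual: Assessment  # today, given the effectiveness of current controls
    target: Assessment    # expected once the Actions are implemented
    actions: List[Action] = field(default_factory=list)

    def action_rag(self, today: date = ASSESSMENT_DATE) -> List[str]:
        return [a.rag(today) for a in self.actions]


def sample_register() -> List[Risk]:
    """Constructed entry for the 'baseline' Fraud & Corruption risk."""
    return [Risk(
        name="Improper allocation of contract variations",
        inherent=Assessment({"financial": "Major", "reputational": "Severe"}, 0.60),
        residual=Assessment({"financial": "Major", "reputational": "Moderate"}, 0.15),
        target=Assessment({"financial": "Moderate", "reputational": "Moderate"}, 0.005),
        actions=[Action("Independent approval of variations above delegation limit",
                        date(2017, 3, 31), "CFO"),
                 Action("Rotate staff managing the key supplier relationship",
                        date(2016, 9, 30), "Head of Procurement", at_risk=True)],
    )]
```

For the sample entry this yields Extreme (24) inherent, Medium (14) residual and Medium (6) target, with the overdue rotation Action reported Red.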
Part 2: Managing Fraud & Corruption Risk
Definitions of Fraud and Corruption

Bribery: Bribery is the giving or receiving of money, a gift or other advantage as an inducement to do something that is dishonest, illegal or a breach of trust.
Fraud: Fraud is criminal deception intended to result in financial or personal gain.
Corruption: Corruption is the misuse of public office or power for private gain, or the misuse of private power in relation to business outside the realm of government.
Gifts and Benefits: Offering something of financial value that is to the advantage of another person, intending that the individual perform a function improperly or secure business or a business advantage.
Conflicts of Interest: A conflict of interest is a situation in which an employee has competing professional or personal interests. Such competing interests can make it difficult for individuals to fulfil their PNSW duties impartially.
Why is bribery, fraud and corruption a risk?

• Recent scandals at the highest levels of Government have left a deeply negative impression on the taxpayer
• Politicians and government employees aren't held to the highest levels of accountability
• There is specific direction from the Department of Premier and Cabinet to improve governance (2014)
• PNSW has committed to the highest level of ethical standards
• Reputation is PNSW's most valuable asset
(Figure: "The Premier's Choice")
The basic organisational environment

Governance Principles: rules, monitoring, compliance, minimised discretion
Operational Controls: clear goals, tight systems, process controls, information integrity, accountability
Institutional Basics: hierarchy as basis of supervision, management based on written documents, expertly trained staff, full-time work, office rules control behaviour
Societal Foundations: democracy, free press, rule of law, property rights
An historical anecdote
• The year: 1797-8.
• The protagonists: the French Republic and the USA.
• There was an undeclared Quasi-War.
• The USA sent a mission to France to seek a peace deal and to prevent a further escalation of war.
• The provisional French government initially refused to negotiate but sent three unofficial French agents code-named "X", "Y" and "Z".
• A peace deal was initially offered, but only if the American Government paid a bribe of £50,000 to the French Foreign Minister ("a personal gift") and a huge loan to the French Government (at war with many European nations).
• The American Commissioners refused and published details of the meetings.
Describe the environment that enabled this situation to occur.
The Scale of the Problem

• In order to be able to manage the risk of a fraud and corruption event, we need to understand the 'scale of the problem'.
• There are numerous sources of information that elaborate on how big a problem global corruption is:
  ‒ Deloitte Bribery and Corruption Survey 2015 Australia & New Zealand: Separate the wheat from the chaff
  ‒ Australian Institute of Criminology, Fraud, bribery and corruption in Australian government agencies
  ‒ Transparency International, Corruption Perceptions Index
The Scale of the Problem (chart)
Fraud losses in 152 Commonwealth agencies versus fraud losses in 281 Australian and New Zealand organisations. Series: Commonwealth; ANZ Private Sector. Years: 1997 and 2012. Data labels: $153,176,000; $497,573,820; $105,000,000; $373,000,000.
The Scale of the Problem (chart)
The financial value of fraud and corruption losses experienced by the Commonwealth broken down by internal sources and external sources, 2008-09 versus 2009-10 (panels: Internal; External).
Source: Australian Institute of Criminology, 2011.
The Scale of the Problem (chart)
How Australia's CPI compared to the World, 1995–2015 (series: No. Countries Surveyed; Rank).

The Lifecycle of a Fraud and Corruption Event
Corruption usually happens at the point where…
Something of value…
• Tender / Contract / Purchase
• Information
• Approval
• Avoiding fines, fees & charges
• Employment
• Services
• Equipment / vehicles / assets
• Etc.
…can be transferred from a government agency…
…into private hands:
• Tenderer / Contractor / Supplier
• Property developer
• Business partner
• Family / friend
• Client
• Public official
• etc.
Source: Independent Commission Against Corruption © 2016

Motivations: Money; Ideology; Coercion; Ego
Sources & Causes of Fraud and Corruption (diagram)
Situational perspective: supply of motivated offenders; available opportunities; absence of suitable guardians.
Psychological perspective: rationalisation / integrity maturity; motivation / pressure; perceived opportunities; ability.
Labels on the diagram: Tight competition; Weak market; Stakeholder / industry culture; Arrogance; "Greed is good"; "They owe me"; Narcissism; "Everybody does it"; Entitlement; Criminal mindset; Lifestyle; Gambling; Conflict of interest; Desire; Secondary employment; Blind trust; Poor governance; Corrupted industry association; Manager / stakeholder override; Low maturity / inexperience; Regulatory capture; Role confusion; Weak policy & systems; Weak or non-existent tender processes; Approvals; Variations; Licences; Direct negotiations; Exposed assets.
Motivations and Incentives

"It is not from the benevolence of the butcher, the brewer or the baker, that we expect our dinner, but from their regard to their own self interest. We address ourselves, not to their humanity but to their self-love, and never talk to them of our own necessities but of their advantages."
Adam Smith [1723 – 1790]
Motivations and incentives

Incentives can be obvious…
• Profit, e.g. increase share prices / value of an organisation
• Personal gain / self-interest, e.g. falsifying sales figures to gain a bonus
• Help a friend / business partner, e.g. awarding contracts by favouritism
• Retribution, e.g. commits the act but frames someone else
• Substantial exactions, e.g. child support, fines & penalties, excessive loan repayments
• Personal issues / pressure, e.g. drug or gambling problem, civil or criminal court cases
• What else?
Motivations and incentives

…and not so obvious (figure)
Source: Independent Commission Against Corruption © 2016
Motivations and incentives

…and can even be innocuous…
• Individuals engage in corruption for more "altruistic" reasons, to:
  o Avoid negative impacts
  o Disguise incompetence / poor decisions
  o Satisfy the expectations of superiors
  o Deflect external criticism or damage to reputation
  o Elude office controversy
  o Avoid late-payment penalties by paying unauthorised invoices
  o Comply with unrealistic but rigid deadlines
  o Be seen to comply with regulations, policies or procedures
  o Ensure a project has sufficient but un-costed 'contingency' project money that avoids the need to ask for more later
Motivations and incentives

…which leads to equity and a sense of entitlement…
• Equity is the need for fairness (though not necessarily equality)
• Fairness is perceived differently by individuals in a collective (team) environment
• Unfairness can create a motivation and incentive to engage in corruption
• For example, individuals can:
  o Increase the level of input by other members of the team;
  o Decrease the level of outcome due to other members of the team;
  o Compare themselves to someone else;
  o Decrease their personal input;
  o Increase their personal outcome;
  o Quit the team (or organisation)!
Motivations and incentives

…and to the dynamics of group behaviour…
• Without individuals, the species could not survive
• Without social groups, the individual could not survive
• Legitimate behaviour is the price you pay to become a member of the group
  ‒ i.e. social groups need individuals to act in ways that benefit the group
• Illegitimate behaviour is rewarded by expulsion!
  ‒ i.e. individuals need to learn to behave in ways that lead to acceptance
• Close-knit groups enforce norms of behaviour
• Behavioural norms, once established, are not easily or quickly changed
• Individuals instinctively comply with norms even where their self-interest is not being met
• Leaders and followers of groups are not always obvious to outsiders, even where formal designations exist
Motivations and incentives

…and ultimately to culture!
• What is culture?
  ‒ The ideas, customs, values and social behaviour of a particular social group
• How is culture measured, managed and changed?
  ‒ Long-term development, not quickly changed
• How does culture differ from norms of behaviour?
  ‒ Small group units may endorse norms separate from or in addition to cultural expectations
• Do organisations have a "culture" or are they a collection of like-minded individuals?
• Can individuals have different values and principles at work and at home?
• Can individuals adopt a new value system over time?
Fraud Risk Event

Examples of fraud risk events:
• Faking approvals
• Abusing cars and equipment
• Rendering false invoices
• Misusing computers and phones
• Making dishonest decisions
• Redirecting funds
• Accepting bribes and kickbacks
• Leaking confidential information
• Theft
• Abusing an office
• Abusing allowances and credit cards

Elements of a fraud event: Dishonesty; Benefit; Deception; Avoidance.
Examples from the Commonwealth

Type of Corruption (Internal + External) | 2007-08 | 2008-09 | 2009-10
Bribery of employee | 83 | 78 | 90
Accepting kickbacks / gratuities | 5 | 12 | 13
Conflict of interest | 59 | 54 | 353
Collusion or conspiracy | 125 | 10 | 42
Abuse of power | 36 | 77 | 88
Unknown | 62 | 34 | 114
Other | 43 | 7 | 245
Source: Australian Institute of Criminology 2011
Identifying Fraud Risk

• Outsourcing of goods and services has become a ubiquitous feature of the public, private and not-for-profit landscape.
• Numerous benefits: cost reduction; greater global reach; improved customer service
• Numerous risks: loss of data/IP; loss of key personnel; vendor failure; increased compliance costs … and the spectre of corruption
• Transaction Cost Economics (TCE) is a useful framework to employ when organisations engage with third parties to identify and mitigate fraud risk
Transaction Cost Economics

• Contracting parties trading goods and services with third parties face a range of costs which can become a significant deterrent to completing the transaction, depending upon the level of risk.
• Parties must "discover" what prices exist, negotiations between parties must take place, contracts have to be drawn up, inspections and judgements as to the quality of the good or service have to be made, and arrangements put in place to settle disputes.
• The principles of corporate governance in TCE are to implement a framework of controls that organises the transaction of goods and services in relation to their degree of specialty, that minimises bounded rationality (information availability and its level of understanding) and that safeguards against opportunism (i.e. fraud).
• This control framework includes the observation and monitoring of transaction costs and risks, which have a significant impact upon the transaction value.
Transaction Cost Economics

• There are three "types" of contracting states which impact upon transaction costs and the risks of fraud and corruption.
• Each type has an associated governance structure that controls the level of transaction costs, but each has strengths and weaknesses.
• The decision to transact within a particular governance structure depends on an organisation's ability to minimise its transaction costs through its risk control environment.

Governance Structure | Strengths | Weaknesses
Marketplace | Strong incentives to maximise net value | Can't protect transaction-specific investments
Contracts | Some protection for investments; market-like incentives | Can't contract for all possible contingencies
Vertical Integration | Internalises value of transaction-specific investments | Can't control costs as well as markets
Transaction-generated Risks

Low barriers to entry: A market characterised by numerous buyers and sellers, and low profit margins.
Asset specificity: Investments made in specialised goods or services for unique customers. Location of facilities and the degree of human capital can also be significant factors.
Weak markets: A market with many sellers, few buyers and prices in a state of decline. In addition, a weak market is characterised by poor regulation.
Peripheral product: A good or service that is not the primary focus of an organisation but, despite being ancillary, is still important.
Low reputational capital: Organisations that have little market presence, can close down without being missed, and restart with little scrutiny.
High relationship / contact: A contracting relationship between a buyer and a seller characterised by high-frequency social interaction.
Networked industry: An industry in which each member has linkages to other members.
Uncertain future work: Linked to asset specificity; the business contracted for is highly specific and likely to be a one-off, or there are large gaps between repeat business.
Source: Waldersee, R and Shapiro, A, 2016. Strategic Responses to Corruption
TCE Example: Functional Outsourcing

• Originally, the old Department of Railways was largely vertically integrated
• There were a small number of bilateral contracts with specialist makers of components and iron ore producers
• But markets developed and private (goods) railways began operating, offering the opportunity to outsource part of the supply chain
• The organisational boundary between the Department and the market contracts (shrinks)
• As a result the number of market transactions increases, as does the risk of being cheated
• As the risk increases so too does the cost of governance, i.e. monitoring the quality of the transaction
• At some stage the governance costs will not keep pace with the transaction risk, opening up opportunities for corruption
TCE Example: Government railways (diagram)
Labels: Train Service; Driver Training; Drivers; Components; Trains; Maintenance; Track Laying; Iron Ore; Train builders; Steel Tracks; Bilateral Transaction; Organisational Boundary.

TCE Example: The Current Situation (diagram)
Labels: Train Service; Driver Training; Drivers; Components; Maintenance; Iron Ore; Train builders; Steel Tracks; Trains; Track Laying; Market Transaction; Bilateral Transaction; Organisational Boundary.

Example: What happens with further outsourcing? (diagram)
Labels: Components; Maintenance; Iron Ore; Train builders; Steel Tracks; Driver Training; Trains; Track Laying; Drivers; Train Service; Market Transaction; Bilateral Transaction; Organisational Boundary.
51
When Outsourcing Increases (chart)
Axes: Transaction Generated Risks (Low to High) against Transaction Governance Costs (Low to High).
Difficult to control: need, price, allocation and delivery of the good or service.
Well-developed governance: transactions are planned and predictable.
Operation Monto: key points

• During the 2000s, the NSW ICAC investigated RailCorp.
• It involved employees and managers at many levels of the organisation.
• ICAC investigated allegations of:
  ‒ Fraud and bribery;
  ‒ Improper allocation of contracts;
  ‒ Unauthorised secondary employment;
  ‒ Failure to declare conflicts of interest;
  ‒ Falsification of time sheets; and
  ‒ The cover-up of a safety breach.
• In financial terms, RailCorp employees were found to have improperly allocated contracts totalling almost $19 million to companies owned by themselves, their friends or their families, in return for corrupt payments totalling over $2.5 million.
• ICAC reported findings of corrupt conduct on the part of 31 individuals, including 14 RailCorp employees and staff of 16 private firms.

The Control Environment (diagram)
Cost-effective internal controls: Preventative Controls; Detection controls; Investigative controls.
The Control Environment (figure)
Source: Independent Commission Against Corruption © 2016
The Control Environment #1: Corruption Preventative Controls

Budget controls: This type of control is necessary in order to make sure that operational expenses do not exceed the projected revenue for the period, creating a net loss.
ICT system design: Misuse of corporate information is a major source of corruption because it can be used to the advantage of third parties. The IT system should be able to track the flow of information from internal and external sources, prevent cyber threats and attacks, and safeguard information integrity.
Structural arrangements: An organisational structure that correctly reflects functional activities aligned to the business model, market activity and segregation of duties.
Inventory controls: A tracking system that logs receivables, and the use and re-ordering of inventory, that can be monitored independently of inventory staff and is tied into the budget control system.
Accountabilities: Staff evaluated against specific requirements of preventing, detecting and investigating instances of fraud.
Culture: A culture that encourages ethical behaviour, discourages nefarious activity and welcomes whistleblowing (through independent and confidential channels). The behavioural outcomes are enshrined in a current and understood Code of Ethics & Conduct.
Delegation limits: Prescribed limits on how employees can use the financial, operational and moral resources of the organisation in pursuit of its strategic objectives.
Procurement strategy: A framework that expressly sets out the relationship between the organisation and third parties when transacting in the market.
Limit client interaction: Ongoing interaction between third parties and staff creates a relationship based on mutual reciprocity. If the relationship is exclusive, the opportunity increases for gifts to lead to bribery, so staff managing the relationship should be regularly rotated.
The Control Environment #1
• The top three factors are:
  • Organisational culture
  • “Tone from the top”
  • Code of Conduct
• Organisational culture was listed as a top 3 factor by 73% of respondents.
• A surprise audit was the least reported factor, with only 5% of respondents listing it as a top 3 factor.
Source: Deloitte 2015. Deloitte Bribery and Corruption Survey 2015 Australia and New Zealand: Separate the wheat from the chaff. 13.
The Control Environment #2
Corruption Detection Controls: Description

Analysis of excessive employee payroll deductions: Is there evidence of substantial deductions, e.g. child support, loans, penalties or fines?
Analysis of excess leave balances: Do employees work excessively outside normal hours? Is there evidence of excess leave accumulation?
Analysis of sick leave trends: Excessive sick days, with or without doctor's certificates, might indicate secondary (and competing) employment.
Remote access of information: Are employees accessing corporate information and sending it outside the organisation without due justification?
Review of gift registers: Do meetings between staff and third parties occur regularly? Are gifts declared? Do staff appear to be living beyond their means?
Analysis of inventory, spending and transaction patterns: Run data analytics software on the financial system searching for matching bank accounts, transactional patterns with vendors and stock flow patterns in the inventory system; review purchase orders and compliance with them.
Analysis of complaint registers: Is there a pattern of complaints by customers, vendors and other stakeholders against particular employees?
Review of internal audit findings: Are there systematic control failures in areas of the business deemed high risk due to their interface with third parties?
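Three of the detection controls above (matching bank accounts between the employee and vendor masters, excess leave balances, and sick leave trends) are simple enough to run as a script over payroll, HR and vendor data. The following Python script is an added example and is not part of the workshop slides or of any ICAC, AONSW or Deloitte toolkit. Every employee, vendor, leave and sick-leave record in it is constructed, and the thresholds (40 days of accrued leave, 3 uncertified sick days, 70% of sick days on one weekday) are illustrative assumptions that an organisation would tune to its own data.

```python
"""Red-flag checks for three detection controls: shared employee/vendor
bank accounts, excess leave balances and sick-leave patterns.
All records below are constructed sample data, not real payroll records."""
from collections import Counter, defaultdict
from datetime import date

# Constructed employee master: id, name, BSB and account (hypothetical values)
EMPLOYEES = [
    {"id": "E001", "name": "A. Smith", "bank": "062-000 1234 5678"},
    {"id": "E002", "name": "B. Jones", "bank": "062-001 2222 3333"},
    {"id": "E003", "name": "C. Lee",   "bank": "033-123 9999 0000"},
]

# Constructed vendor master: one vendor is paid into E002's account,
# written with different punctuation so a naive string compare would miss it
VENDORS = [
    {"id": "V100", "name": "Acme Rail Services", "bank": "062-001-22223333"},
    {"id": "V101", "name": "Bolt Supplies Pty",  "bank": "083-004 7777 8888"},
]

# Constructed accrued annual leave (days) and sick leave (employee, date, certified)
LEAVE_BALANCES = {"E001": 12.0, "E002": 61.5, "E003": 8.0}
SICK_LEAVE = [
    ("E001", date(2016, 3, 7), True),
    ("E003", date(2016, 2, 1), False), ("E003", date(2016, 2, 8), False),
    ("E003", date(2016, 2, 15), False), ("E003", date(2016, 3, 14), True),
    ("E003", date(2016, 4, 4), False), ("E003", date(2016, 5, 2), False),
]


def normalise_account(raw):
    """Keep digits only so formatting differences between the two master
    files ('062-001 2222 3333' vs '062-001-22223333') cannot hide a match."""
    return "".join(ch for ch in raw if ch.isdigit())


def matching_bank_accounts(employees, vendors):
    """Return (employee_id, vendor_id) pairs whose payments go to the same account."""
    by_account = defaultdict(list)
    for emp in employees:
        by_account[normalise_account(emp["bank"])].append(emp["id"])
    matches = []
    for ven in vendors:
        for emp_id in by_account.get(normalise_account(ven["bank"]), []):
            matches.append((emp_id, ven["id"]))
    return matches


def excess_leave_balances(balances, threshold_days=40.0):
    """Employees whose accrued leave exceeds the threshold (assumed 40 days);
    leave that is never taken can mean a process is never handed to anyone else."""
    return sorted(e for e, days in balances.items() if days > threshold_days)


def sick_leave_red_flags(records, max_uncertified=3, weekday_share=0.7):
    """Flag employees with more than max_uncertified uncertified sick days, or
    whose sick days cluster on a single weekday (consistent with a regular
    second job). Returns {employee_id: [reason, ...]}."""
    uncertified = Counter()
    total = Counter()
    weekdays = defaultdict(Counter)
    for emp_id, day, certified in records:
        total[emp_id] += 1
        if not certified:
            uncertified[emp_id] += 1
        weekdays[emp_id][day.strftime("%A")] += 1
    flags = {}
    for emp_id in total:
        reasons = []
        if uncertified[emp_id] > max_uncertified:
            reasons.append(f"{uncertified[emp_id]} uncertified sick days")
        top_day, n = weekdays[emp_id].most_common(1)[0]
        # require at least three sick days before calling a weekday pattern
        if total[emp_id] >= 3 and n / total[emp_id] >= weekday_share:
            reasons.append(f"{n} of {total[emp_id]} sick days on a {top_day}")
        if reasons:
            flags[emp_id] = reasons
    return flags


if __name__ == "__main__":
    print("Shared bank accounts:", matching_bank_accounts(EMPLOYEES, VENDORS))
    print("Excess leave balances:", excess_leave_balances(LEAVE_BALANCES))
    for emp, why in sick_leave_red_flags(SICK_LEAVE).items():
        print(f"{emp}: {'; '.join(why)}")
```

Each check produces a list for an analyst to review rather than a conclusion: a shared account may be a legitimate sole-trader contractor, and a high leave balance may simply be a long-serving employee. The value of the script is that it normalises the data before comparing it and applies the same threshold to everyone, which is what makes the review defensible.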
The Control Environment #3
Corruption Investigative Controls: Description

Clear documented investigation procedures
• Reports of fraud investigated promptly
• Investigations are independent
• Sufficient resources allocated, including budget
Investigations conducted by qualified and experienced staff
• Recognised qualifications and experience
Decision-making protocols
• Documented processes
• Proportionate responses to incidents of fraud
Disciplinary systems
• Staff understand fraud will not be tolerated and perpetrators will face disciplinary action
• Commitment to taking action against perpetrators of fraud
• Consistent application of sanctions
Insurance
• Consider a fidelity guarantee policy to protect against the financial consequences of fraud
Commonwealth Fraud Specialists
Agency fraud section staff and qualification

Area          Prevention            Detection             Investigation
Year          2008-09   2009-10     2008-09   2009-10     2008-09   2009-10
Employees     454       680         442       1,620       2,062     1,126
% qualified   19%       15%         10%       8%          43%       93%
Change N=     +226                  +1,178                -936
Change %=     +50%                  +267%                 -45%
Source: Australian Institute of Criminology 2011.
Consequences of engaging in fraud
Financial and operational: Cash flow; Funding availability; Infrastructure program impacts; Asset losses and availability; Incident response costs; Stakeholder intervention; Negative impacts on staff; Abandoned and re-run tenders
Reputation: Adverse media; Loss of public confidence; Personal and family impacts; Impact on future employment
Legal: Corrupt conduct charges; Fraud and other charges; Civil suits and damages; Foreclosure of department / agency; Gaol
Disciplinary: Code of Conduct breach; Demotion; Loss of job
Consequences of engaging in fraud
(Chart) What is the key downside posed by domestic corruption to your organisation?
• Reputational damage: 60%
• Diversion of employee and management time: 12%
• Financial - cost to investigate: 11%
• Not applicable to my organisation: 5%
• Fines, settlements, imprisonment: 5%
• Negative impact on employee morale: 4%
• Other: 2%
• Remediation costs: 1%
What does better practice corruption prevention look like?
• UK Bribery Act
  Covers the criminal law relating to bribing anyone to induce them to act improperly, and the failure of a commercial organisation to prevent bribery on its behalf. The Act became operational on 1 July 2011. It has near universal jurisdiction, allowing for the prosecution of an individual or company with links to the UK regardless of where the crime occurred. Described as the toughest anti-corruption legislation in the world.
• Audit Office of New South Wales Fraud Control Improvement Toolkit 2015
  The AONSW’s toolkit provides guidance and practical advice to help organisations implement an effective fraud control framework. It highlights what should be present within an organisation to make fraud control work and aligns with the Fraud and Corruption Control Standard AS8001-2008. NSW agencies are encouraged to follow this standard in the design and implementation of their fraud control framework. The toolkit sets out ten attributes which help prevent, detect and respond to a corruption event.
UK Bribery Act: Principles of the framework
Key principle: Description
1. Proportionate procedures: Procedures to prevent fraud and bribery that are proportionate to the risk that your organisation faces
2. Top level commitment: Commitment by your Executive to foster a culture where fraud and corruption are never acceptable
3. Risk assessment: The periodic assessment of the nature and extent of your exposure to the potential external and internal risks of fraud and corruption
4. Due diligence: Taking a risk-based approach, the application of due diligence processes and procedures in respect of customers and third parties who do business with you
5. Communication and training: Embedding and understanding fraud and corruption control through periodic and regular communication and training
6. Monitoring and review: Periodic and regular reviews of procedures designed to prevent fraud and corruption, making improvements where necessary
AONSW: Principles of the framework
Attribute: Checklist
1. Leadership
• CEO and senior management commitment to fraud controls
• Clearly defined CEO and senior management accountability and responsibility
2. Ethical Framework
• Clear policies setting out acceptable standards of ethical behaviour
• Demonstrated compliance with the ethical framework
• Employees articulate obligations to ethical behaviour and the organisation’s position on fraud
3. Responsibility Structures
• Management and all staff have clearly defined responsibilities for managing fraud
• Fraud management is integrated with core business
• Clearly defined roles for audit and risk committee and auditors
• Staff with responsibility for fraud control and staff in high risk fraud areas are provided with training
4. Fraud Control Policy
• Risk-based policies appropriate to the organisation
• Holistic and integrated
• Regularly reviewed, current and implemented
5. Prevention Systems
• Proactive and integrated fraud risk assessment
• Planning, follow up and accountability
• Analysis of and reporting on suspected and actual frauds
• Ethical workforce
• IT security strategy
6. Fraud Awareness
• Comprehensive staff education and awareness program
• Staff awareness of fraud control responsibilities
• Customer and community awareness
7. Third Party Management Systems
• Targeted training and education for key staff
• Third party due diligence and clear contractual obligations and accountabilities
• Effective third party internal controls
• Third party awareness and reporting
• Staff disclosure of conflicts of interest and secondary employment

AONSW: Principles of the framework (continued)
Attribute: Checklist
8. Notification Systems
• Culture that supports staff reporting fraud and management acting on those reports
• Policies, systems and procedures that support reporting
• Processes to support upward reporting
• External reporting
9. Detection Systems
• Robust internal controls
• Monitoring and review
• Risk-based internal audit program
10. Investigation Systems
• Clear documented investigation procedures
• Investigations conducted by qualified and experienced staff
• Decision-making protocols
• Disciplinary systems
• Insurance
PNSW: In Practice
PNSW’s approach to fraud and corruption control is based on the NSW Audit Office’s Fraud Control Improvement Kit (2015).
The PNSW Fraud & Corruption Control Framework supports DFSI’s Code of Ethics and Conduct and its governing principles set by the Executive. The scope of the Framework outlines:
• PNSW’s requirements that relate to bribery, fraud and corruption;
• The agency's position on bribery, fraud and corruption matters, as well as the governance of the framework and key roles and responsibilities;
• The DFSI’s Fraud & Corruption Control, Gifts and Benefits and Conflicts of Interest policies, as well as the Code of Ethics and Conduct, detail the specific requirements that must be met by all employees;
• The fraud reporting mechanism sets out the requirements and processes that must be undertaken if an instance of corruption arises.

(Figure: The Fraud and Corruption Control Environment, PNSW. Policy elements: Anti-Fraud; Anti-Corruption; Gifts and Benefits; Conflicts of Interest; Fraud Reporting Systems. Applied to: Key risks relating to Bribery, Fraud and Corruption; Business processes (e.g. Operations, HR, Finance, Strategy, Leasing, Procurement).)
Summary of Key Themes
• The process of risk management is a prescribed process. There are sequential and repeatable steps: risk identification → cause and impact identification → control specification → risk actions → risk scoring → review and repeat.
• The most efficient approach is to “bow-tie” risks, thereby creating a “parsimonious” strategic risk register.
• All organisations should include “baseline” risks, which include an explicit reference to a “failure to prevent fraud and corruption”.
• There are many reasons why organisations experience a fraud or corruption event, but the single point of failure is the control environment.
• Whenever there is an interface between government and the private sector, an opportunity to engage in fraud and corruption exists.
• TCE provides a useful framework to analyse the sources of fraud and corruption risk when dealing with third parties.
• The control environment consists of three interlocking processes: prevention, detection and investigation.
• Without significant but efficient investment in compliance, the consequences of failing to manage fraud and corruption risks are catastrophic.
Recommended