2016 - iqpc - understanding and assessing corruption risk

IQPC Public Sector Fraud & Corruption Summit, Canberra
Friday 28th October 2016
Dr Darren O’Connell MBA FGIA
Workshop D: Conducting a Comprehensive Fraud and Corruption Risk Assessment – Part 1

Upload: dr-darren-oconnell-agia

Post on 11-Jan-2017


Page 1: 2016 - IQPC - Understanding and Assessing Corruption Risk


Workshop Agenda

1. Introductions
2. War stories
3. Part 1: Recap on better practice approaches to managing risk
4. Break
5. Part 2: Identifying and managing fraud and corruption risk
6. Summary and close

Workshop Objectives

1. Learn about tools and techniques to detect and assess risk
2. Learn how to perform a comprehensive risk assessment
3. Identify fraud and corruption risks in an internal environment, and when working with third parties
4. Draw insights from the results and improve your risk management framework
5. Overcome common pitfalls


Part 1: The Risk Management Process

The Risk Management Framework

• The key objectives of risk management are to:
  ‒ Support informed risk-taking that promotes PHG’s objectives and success while recognising the risks associated with key decisions
  ‒ Create a robust control environment that reduces negative impacts to PHG’s performance
  ‒ Avoid surprises by generating an increased understanding of key risks and providing early warning of increases in exposure to adverse risk events
  ‒ Reduce the cost to PHG from “fire fighting” versus proactive risk management
  ‒ Generate a risk profile that will support the Executive’s ability to focus discussions and attention on the material risks
  ‒ Provide the basis for identifying areas of priority for Internal Audit
• The key elements of the risk framework are:
  ‒ Taking an evidence-based approach including:
    • The rationale for scoring a risk in a particular way
    • An assessment of the financial impact of the risk should it eventuate
  ‒ Producing a manageable list of risks through the use of the bow-tie methodology that combines key causes and impacts into a single risk
  ‒ Defining the controls that should be in place and the key attributes of these controls that result in an effective control environment
  ‒ Assessing the effectiveness of individual controls and inclusion of commentary on the current gaps that result in controls not yet being fully effective
  ‒ Identifying Actions, in addition to current controls, to support further risk reduction for PHG
  ‒ Achieving a direct linkage between controls and the Actions needed to improve them

Risk Identification

Risk identification can be achieved through an analysis of critical activities, strategic plans, incident analysis, and a consideration of the changes facing your organisation.

[Diagram labels: Strategic Plan; PESTLE Analysis; Agency Transformation; Audit Assurance; Business Resilience Event; Risk Register]

The following questions can be used to assist in identifying risks:
• What could go wrong?
• How could your organisation fail?
• What must go right for your organisation to succeed?
• Where is your organisation vulnerable?
• What assets does your organisation need to protect?
• Does your organisation have liquid assets or assets with alternative uses?
• How could someone defraud your organisation?
• How could someone disrupt your operations?
• How do you know whether you are achieving your objectives?
• On what information does your organisation most rely?
• On what does your organisation spend the most money?
• How does your organisation invoice and collect its revenue?
• What decisions require the most judgment?
• What activities are most complex?

Risk Identification

Regulatory (Compliance / Legislation / Environmental) Risk
Description: The risk of failing to meet government standards, laws and regulation (including WHS, environmental, etc.)
Subcategories: Regulatory / legal; Contractual; Licensing / Accreditation; Environmental Reporting

Strategic Foresight Risk
Description: The risk arising from insufficient forward planning, inappropriate strategies, strategic alignment.
Subcategories: Acquisitions, mergers & divestments; Business transformation

Our People Risk
Description: The risk of inappropriate HR policies, recruitment, training, retention, staff engagement and culture.
Subcategories: People capacity & capability; Planning & utilisation; Unions / industrial relations

Major Project Risk
Description: The risk of not achieving key project or event objectives, budgets, deadlines.
Subcategories: Maintenance / upgrade; Acquisition & lease; Disposal; Planning & utilisation

Budget, Revenue and Capital Spend Risk
Description: The risk of not achieving income or expenditure targets, inappropriate returns on investment, cash flow, financial sustainability (including financial reporting and processes, accounting controls).
Subcategories: Meeting revenue/growth targets; Insurance; Bribery, fraud & corruption

Knowledge Management Risk
Description: The risk of not protecting corporate knowledge, insufficient research to support initiatives, inadequate innovation.
Subcategories: Information security; IT systems / infrastructure; Intellectual property

Reputation, Stakeholder and Clients Risk
Description: The risk of damage to PHG’s reputation and brand.
Subcategories: Brand strength & relationships; Adverse publicity; ICAC / Ombudsman

External Risk
Description: The risk of economic shocks, changing public attitudes, political factors, changing customer or supplier needs (including social responsibility, stakeholder management).
Subcategories: Government & Policy change; PESTLE factors

Service Delivery (Internal / External) Risk
Description: The risks associated with delivery of services to internal and external customers (including IT, Property, Procurement, Asset Management etc.).
Subcategories: Tenancy performance / Retention / Acquisition; Engagement; New opportunities

Work, Health and Safety Risk
Description: The risk of unexpected events, business continuity, issues management, natural disasters, public hazards, legal and contract risks.
Subcategories: Visitor safety; Environmental incidents; Staff safety; BRF & CMP; Asset security

Risk Identification

• A risk is an event that has a chance of less than 100% likelihood of occurring
• The following shows the “Bow-tie” method of risk identification:

[Bow-tie diagram labels]
Risk Causes: Key contributing factors to the risk occurring
Controls to Manage Causes: Controls that reduce the likelihood of the causes occurring
Risk Event
Controls to Manage Impacts: Controls that reduce the extent of impact if the risk were to eventuate
Risk Impacts: Consequences that can result if the risk were to eventuate

The Control Environment

The control environment usually comprises four elements:
1. Basic standards
  • Code of Conduct, gift policy, conflict of interest register, staff training & awareness program
  • Set minimum standards of behaviour
  • Options for disciplinary actions
2. Risk Management
  • Segregation, discretion reduction, delegations, management oversight, audit
  • Necessary to manage opportunities that cannot be designed out of the system
3. Operations
  • Incentives, process design, information and metrics, accountability and design location, divisional arrangements, internal to market boundaries
  • Organisations exist to achieve particular outcomes
  • Tight operational design reduces opportunities for corruption
4. Design and oversight
  • Design, governance, management, audit, investigation, business improvement, legal
  • Requires clear understanding of operational realities

Source: Independent Commission Against Corruption © 2016


The Risk Control Environment

Source: Independent Commission Against Corruption © 2016

Identifying Risk Controls

• Identify the controls that should be in place to effectively manage the risk, including the controls required to reduce the potential for each of the causes to occur and to reduce the impact if the risk were to eventuate.
• For each control listed, ensure that the attributes (assurance) which make the control effective are listed.

Risk Category | Risk subcategory | Example controls
Regulatory | Contractual | Governance oversight and approvals of contract variations and additional delivery of scope
Major Project | Maintenance & Upgrade | Regular subcontractor performance review including quality and safety
Major Project | Maintenance & Upgrade | Robust subcontractor selection criteria to assess value for money, quality and capability
Our People | People capacity & capability | Succession planning to account for temporary or permanent loss of key roles
Our People | People capacity & capability | Regular monitoring of retention rates and proactive implementation of required actions in response to decrease in rates

Risk Control Effectiveness

• The control assessment is the extent to which the control is being consistently implemented and reduces the risk, being rated effective, partially effective or ineffective. If a control is effective, it should be able to stand up to an audit of its effectiveness.
• The control testing outcome should identify any gaps that exist in the control’s effectiveness i.e. for any rating that is NOT “Effective”.

Control Effectiveness | Internal Audit Rating | Guide
Effective | 5 | Controls are well designed for the risk, are largely preventative and address the root causes. The controls are effective and reliable.
Mainly Effective | 4 | Well controlled with some control weaknesses / areas for improvement identified.
Adequate | 3 | Reasonable level of controls, however, some control weaknesses of concern identified.
Needs Improvement | 2 | Adequate level of control in some areas, however, significant control weaknesses in a number of areas.
Non-Effective | 1 | Poorly controlled. Significant weaknesses in internal controls OR the controls that can be put in place are very limited due to the type of risk (beyond the control of your organisation / Agency)

Risk Control Actions

• Determine what Actions are required to improve all mainly effective, adequate, needs improvement and non-effective controls to make them effective
• Actions should have completion dates within the next 12 months
• For each Action, the below should be identified:
  ‒ A link to the related control/s which it is aiming to improve
  ‒ Any non-budgeted cost of implementing the Action
  ‒ A due date and responsible person for implementing the Action
• It is important to then track Action implementation status (using RAG scale) including explanation for red Action status:
  ‒ Red – The treatment has passed its due date
  ‒ Amber – The Action is at risk of not being completed by the due date
  ‒ Green – The Action is on track for completion by the due date
  ‒ Closed – The Action has been completed
• When an Action is complete, re-examine the control effectiveness

Risk Severity - Definitions

Term | Definition
Inherent Risk | The level of risk, being the combination of impact and probability, that exists before PHG has put in place any controls
Residual Risk | The level of risk, being the combination of impact and probability, that exists today taking into account the effectiveness of current controls
Target Risk | The level of risk, being the combination of impact and probability, that is expected to be achieved after implementation of control treatments

• Assess the risk on the basis of the highest consequence criteria. For example, if a risk could result in both an operational and a financial consequence, and the latter is greater, then the consequence rating should be financial
• Rating the risk on this basis does not detract from the importance of managing other consequences which the risk could have
• Note that consequence and likelihood are not mutually exclusive. This means that you should identify the potential consequence of a risk and then consider the likelihood of the risk occurring and resulting in that level of consequence.


Risk Severity - Consequences

Risk Severity - Likelihood

Probability assessment

1 – Rare
  Probability: <1%
  Frequency: <1 event in 100 years
  Event may occur only in exceptional circumstances
  Event is very unlikely to occur

2 – Unlikely
  Probability: 1% – 20%
  Frequency: Several events in 100 years
  Event may occur in exceptional circumstances
  Event is unlikely to occur

3 – Possible
  Probability: 21% – 49%
  Frequency: Several events in 10 years
  Event could occur at some time
  Event is fairly likely to occur

4 – Likely
  Probability: 50% – 85%
  Frequency: Several events in 1 year
  Event will occur at some time
  Event is likely to occur

5 – Almost Certain
  Probability: >85%
  Frequency: Multiple events in 1 year
  Event will probably occur in most circumstances
  Event

Risk Severity - Scoring

Consequence (rows) against Likelihood (columns):

Consequence | Rare | Unlikely | Possible | Likely | Almost Certain
Severe | High (15) | High (19) | High (22) | Extreme (24) | Extreme (25)
Major | Medium (10) | Medium (14) | High (18) | High (21) | Extreme (23)
Moderate | Medium (6) | Medium (9) | Medium (13) | High (17) | High (20)
Minor | Low (3) | Low (5) | Medium (8) | Medium (12) | Medium (16)
Negligible | Low (1) | Low (2) | Low (4) | Low (7) | Medium (11)

Risk Register Creation

• The key steps to be undertaken in creating a risk register are:

Identify risks
  ‒ Discuss risks, considering all categories of risk, that may apply to the function
  ‒ Each risk register must contain the following “baseline” risks: WHS; Fraud & Corruption; Business/Project Continuity; and Procurement. Operational Risks are those that are not “baseline” risks

For several risks...
  ‒ Identify the causes and impacts of the risk, considering the key factors that could contribute to the risk occurring and the possible impacts that could result if the risk were to eventuate
  ‒ Identify and assess the effectiveness of current controls including both those controls preventing the risk and those mitigating its impact should it occur
  ‒ Assess inherent and residual risk based on the probability and impact of the risk, taking into account the effectiveness of current controls, with this being the current level of exposure posed by the risk
  ‒ Document the risk rationale and financial value of the residual risk
  ‒ Identify the treatments required to improve the current control environment and identify the target risk score to be achieved subsequent to the treatments being implemented

Allocate ownership
  ‒ Discuss risk ownership, with owners being the relevant senior management team member to own the risk and coordinate its effective management, and contacts being the person who will assist in populating the required risk information

Risk Register Creation

• The key elements of a risk register are:
  • Risk owner
  • Causes
  • Impacts
  • Inherent risk
  • Existing controls being relied upon, including the:
    ‒ Outline of the control in place
    ‒ Name of the control owner for each control
    ‒ Review requirements (i.e. assurance)
  • Residual risk
  • Action plans (if required) containing for each plan:
    ‒ An outline of the action plan, the owner and the expected completion date
    ‒ The target risk rating (risk rating after treatment plans are completed)
  • Risk Scoring
    ‒ Inherent (no controls)
    ‒ Residual (existing controls)
    ‒ Target (when all controls are effective / new controls in place)


Example of a risk register and break


Part 2: Managing Fraud & Corruption Risk

Definitions of Fraud and Corruption

Bribery
• Bribery is the giving or receiving of money, a gift or other advantage as an inducement to do something that is dishonest, illegal or a breach of trust.

Fraud
• Fraud is criminal deception intended to result in financial or personal gain.

Corruption
• Corruption is the misuse of public office or power for private gain; or misuse of private power in relation to business outside the realm of government.

Gifts and Benefits
• Offering something of financial value that is to the advantage of another person and, in doing so, intending that individual to perform a function improperly or secure business or a business advantage.

Conflicts of Interest
• A conflict of interest is a situation in which an employee has competing professional or personal interests. Such competing interests can make it difficult for individuals to fulfil their PNSW duties impartially.

Why is bribery, fraud and corruption a risk?

• Recent scandals at the highest levels of Government have left a deeply negative impression on the taxpayer
• Politicians and government employees aren’t held to the highest levels of accountability
• There is specific direction from the Department of Premier and Cabinet to improve governance (2014)
• PNSW has committed to the highest level of ethical standards
• Reputation is PNSW’s most valuable asset

The Premier’s Choice

The basic organisational environment

Governance Principles: Rules, monitoring, compliance, minimised discretion
Operational Controls: Clear goals, tight systems, process controls, information integrity, accountability
Institutional Basics: Hierarchy as basis of supervision, management based on written documents, expertly trained staff, full-time work, office rules control behaviour
Societal Foundations: Democracy, free press, rule of law, property rights

An historical anecdote

• The year 1797-8.
• The protagonists: The French Republic and the USA.
• There was an undeclared Quasi-War.
• The USA sent a mission to France to seek a peace deal and to prevent a further escalation of war.
• The provisional French government initially refused to negotiate but sent three unofficial French agents code-named “X”, “Y” and “Z”.
• A peace deal was initially offered but only if the American Government paid a bribe of £50,000 to the French Foreign Minister (“a personal gift”) and a huge loan to the French Government (at war with many European nations).
• The American Commissioners refused and published details of the meetings.

Describe the environment that enabled this situation to occur?


The Scale of the Problem

• In order to be able to manage the risk of a fraud and corruption event, we need to understand the ‘scale of the problem’.
• There are numerous sources of information that elaborate on how big a problem global corruption is:
  • Deloitte Bribery and Corruption Survey 2015 Australia & New Zealand: Separate the wheat from the chaff
  • Australian Institute of Criminology: Fraud, bribery and corruption in Australian government agencies
  • Transparency International Corruption Perceptions Index

The Scale of the Problem

Fraud losses in 152 Commonwealth agencies versus fraud losses in 281 Australian and New Zealand organisations.

[Chart: fraud losses in 1997 and 2012; series: Commonwealth, ANZ Private Sector; data labels as extracted: $153,176,000, $497,573,820, $105,000,000, $373,000,000]

The Scale of the Problem

The financial value of fraud and corruption losses experienced by the Commonwealth broken down by internal sources and external sources.

[Charts: two panels, Internal and External, each comparing 2008-09 with 2009-10]

Source: Australian Institute of Criminology, 2011.

The Scale of the Problem

[Chart: How Australia's CPI compared to the World, 1995 to 2015; series: No. Countries Surveyed, Rank]


The Lifecycle of Fraud and Corruption Event


Corruption usually happens at the point where…

Something of value…
• Tender / Contract / Purchase
• Information
• Approval
• Avoid fines, fees & charges
• Employment
• Services
• Equipment / vehicles / assets
• Etc.

…can be transferred from a government agency…

…into private hands.
• Tenderer / Contractor / supplier
• Property developer
• Business partner
• Family / friend
• Client
• Public official
• etc.

Source: Independent Commission Against Corruption © 2016

Sources & Causes of Fraud and Corruption

[Diagram labels, in extracted order]
• Money
• Ideology
• Coercion
• Ego
• Tight Competition
• Weak market
• Stakeholder / Industry Culture
• Situational perspective
• Psychological perspective
• Supply of motivated offenders
• Available opportunities
• Absence of suitable guardians
• Rationalisation / Integrity maturity
• Motivation / Pressure
• Perceived Opportunities
• Arrogance
• Greed is good
• They owe me
• Narcissism
• Everybody does it
• Entitlement
• Criminal mindset
• Lifestyle
• Gambling
• Conflict of interest
• Desire
• Secondary employment
• Fraud and Corruption
• Ability
• Blind trust
• Poor governance
• Corrupted industry association
• Manager / stakeholder override
• Low maturity / inexperience
• Regulatory capture
• Role confusion
• Weak policy & Systems
• Weak / non-existent tender processes
• Approvals
• Variations
• Licences
• Direct negotiations
• Exposed assets

Motivations and Incentives

“It is not from the benevolence of the butcher, the brewer or the baker, that we expect our dinner, but from their regard to their own self interest. We address ourselves, not to their humanity but to their self-love, and never talk to them of our own necessities but of their advantages.”

Adam Smith [1723 – 1790]

Motivations and incentives

Incentives can be obvious…
• Profit
  o e.g. increase share prices / value of an organisation
• Personal gain / self interest
  o e.g. falsifying sales figures to gain a bonus
• Help a friend / business partner
  o e.g. awarding contracts by favouritism
• Retribution
  o e.g. commits the act but frames someone else
• Substantial exactions
  o e.g. child support, fines & penalties, excessive loan repayments
• Personal issues / Pressure
  o e.g. drug or gambling problem, civil or criminal court cases
• What else?

Motivations and incentives

…and not so obvious

Source: Independent Commission Against Corruption © 2016

Motivations and incentives

…and can even be innocuous…
• Individuals engage in corruption for more “altruistic” reasons, to:
  o Avoid negative impacts
  o Disguise incompetence / poor decisions
  o Satisfy the expectations of superiors
  o Deflect external criticism or damage to reputation
  o Elude office controversy
  o Avoid late-payment penalties by paying unauthorised invoices
  o Comply with unrealistic but rigid deadlines
  o Be seen to comply with regulations or policies or procedures
  o Ensure a project has sufficient but un-costed ‘contingency’ project money that avoids the need to ask for more later

Motivations and incentives

…which leads to equity and a sense of entitlement…
• Equity is the need for fairness (though not necessarily equality)
• Fairness is perceived differently by individuals in a collective (team) environment
• Unfairness can create a motivation and incentive to engage in corruption
• For example, individuals can:
  o Increase the level of input by other members of the team;
  o Decrease the level of outcome due to other members of the team;
  o Compare themselves to someone else;
  o Decrease their personal input;
  o Increase their personal outcome;
  o Quit the team (or organisation)!

Motivations and incentives

…and to the dynamics of group behaviour…
• Without individuals, the species could not survive
• Without social groups, the individual could not survive
• Legitimate behaviour is the price you pay to become a member of the group
  • i.e. social groups need individuals to act in ways that benefit the group
• Illegitimate behaviour is rewarded by expulsion!
  • i.e. individuals need to learn to behave in ways that lead to acceptance
• Close knit groups enforce norms of behaviour
• Behavioural norms once established are not easily or quickly changed
• Individuals instinctively comply with norms even where their self-interest is not being met
• Leaders and followers of groups are not always obvious to outsiders even where formal designations exist

Motivations and incentives

…and ultimately to culture!
• What is culture?
  • The ideas, customs, values and social behaviour of a particular social group
• How is culture measured, managed and changed?
  • Long term development, not quickly changed
• How does culture differ from norms of behaviour?
  • Small group units may endorse norms separate or in addition to cultural expectations
• Do organisations have a “culture” or are they a collection of like-minded individuals?
• Can individuals have different values and principles at work and home?
• Can individuals adopt a new value system over time?

Fraud Risk Event

• Faking approvals
• Abusing cars and equipment
• Rendering false invoices
• Misusing computers and phones
• Making dishonest decisions
• Redirecting funds
• Accepting bribes and kickbacks
• Leaking confidential information
• Theft
• Abusing an office
• Abusing allowances and credit cards

Fraud Event: Dishonesty; Benefit; Deception; Avoidance

Examples from the Commonwealth

Type of Corruption (Internal + External) | 2007-08 | 2008-09 | 2009-10
Bribery of employee | 83 | 78 | 90
Accepting kickbacks / gratuities | 5 | 12 | 13
Conflict of interest | 59 | 54 | 353
Collusion or conspiracy | 125 | 10 | 42
Abuse of power | 36 | 77 | 88
Unknown | 62 | 34 | 114
Other | 43 | 7 | 245

Source: Australian Institute of Criminology 2011

Identifying Fraud Risk

• Outsourcing of goods and services has become a ubiquitous feature of the public, private and not-for-profit landscape.
• Numerous benefits:
  ‒ Cost reduction
  ‒ Greater global reach
  ‒ Improved customer service
• Numerous risks:
  ‒ Loss of data/IP
  ‒ Loss of key personnel
  ‒ Vendor failure
  ‒ Increased compliance costs
  ‒ … and the spectre of corruption
• Transaction Cost Economics (TCE) is a useful framework to employ when organisations engage with third parties to identify and mitigate fraud risk

Transaction Cost Economics

• Contracting parties trading goods and services with third parties face a range of costs which can become a significant deterrent to completing the transaction depending upon the level of risk.
• Parties must “discover” what prices exist, negotiations between parties must take place, contracts have to be drawn up, inspections and judgements as to quality of the good or service have to be made, and arrangements put in place to settle disputes.
• The principles of corporate governance in TCE are to implement a framework of controls that organises the transaction of goods and services in relation to their degree of specialty, minimises bounded rationality (information availability and its level of understanding) and safeguards against opportunism (i.e. fraud).
• This control framework includes the observation and monitoring of transaction costs and risks that have a significant impact upon the transaction value.

Transaction Cost Economics

• There are three “types” of contracting states which impact upon transaction costs and the risks of fraud and corruption.
• Each type has an associated governance structure that controls the level of transaction costs but has strengths and weaknesses.

Governance Structure | Strengths | Weaknesses
Marketplace | Strong incentives to maximise net value | Can’t protect transaction-specific investments
Contracts | Some protection for investments; market-like incentives | Can’t contract for all possible contingencies
Vertical Integration | Internalises value of transaction-specific investments | Can’t control costs as well as markets

• The decision to transact within a particular governance structure depends on an organisation’s ability to minimise its transaction costs through its risk control environment.

Transaction-generated Risks

Low barriers to entry: A market characterised by numerous buyers and sellers, and low profit margins.
Asset specificity: Investments made in specialised goods or services for unique customers. Location of facilities and the degree of human capital can also be significant factors.
Weak markets: A market with many sellers, few buyers and prices in a state of decline. In addition, a weak market is characterised by poor regulation.
Peripheral product: A good or service that is not the primary focus of an organisation but despite being ancillary is still important.
Low reputational capital: Organisations that have little market presence, can close down without being missed, and restart with little scrutiny.
High relationship / contact: A contracting relationship between a buyer and a seller characterised by high frequency social interaction.
Networked industry: An industry in which each member has linkages to other members.
Uncertain future work: Linked to asset specificity, the business contracted for is highly specific and likely to be a one-off or there are large gaps between repeat business.

Source: Waldersee, R and Shapiro, A, 2016. Strategic Responses to Corruption

Page 47: 2016 - IQPC - Understanding and Assessing Corruption Risk


• Originally, the old Department of Railways was largely integrated vertically

• There were a small number of bilateral contracts with specialist makers of components and iron ore producers

• But markets developed and private (goods) railways began operating offering the opportunity to outsource part of the supply chain

• The organisational boundary between the Department and the market contracts

• As a result the number of market transactions increases as does the risk of being cheated

• As the risk increases so too does the cost of governance, i.e. monitoring the quality of the transaction

• At some stage the governance costs will not keep pace with the transaction risk opening up opportunities for corruption

TCE Example: Functional Outsourcing

Page 48: 2016 - IQPC - Understanding and Assessing Corruption Risk

[Diagram. Labels: Train Service; Driver Training; Drivers; Components; Trains; Maintenance (×2); Track Laying; Iron Ore; Train builders; Steel Tracks; Bilateral Transaction (×2); Organisational Boundary]

TCE Example: Government railways

Page 49: 2016 - IQPC - Understanding and Assessing Corruption Risk

[Diagram. Labels: Train Service; Driver Training; Drivers; Components; Maintenance (×2); Iron Ore; Train builders; Steel Tracks; Trains; Track Laying; Market Transaction (×2); Bilateral Transaction (×2); Organisational Boundary]

TCE Example: The Current Situation

Page 50: 2016 - IQPC - Understanding and Assessing Corruption Risk

[Diagram. Labels: Train Service; Driver Training; Drivers; Components; Maintenance (×2); Iron Ore; Train builders; Steel Tracks; Trains; Track Laying; Market Transaction (×6); Bilateral Transaction (×3); Organisational Boundary]

Example: What happens with further outsourcing?

Page 51: 2016 - IQPC - Understanding and Assessing Corruption Risk


Transaction Governance Costs

Page 52: 2016 - IQPC - Understanding and Assessing Corruption Risk

[Chart. Axes: Transaction Generated Risks and Transaction Governance Costs, each running Low to High. Annotations: “Well-developed Governance (transactions are planned and predictable)”; “Difficult to control: Need, Price, Allocation, Delivery of the good or service”]

When Outsourcing Increases

Page 53: 2016 - IQPC - Understanding and Assessing Corruption Risk

• During the 2000s, the NSW ICAC investigated RailCorp.

• It involved employees and managers at many levels of the organisation.

• ICAC investigated allegations of:
‒ Fraud and bribery;
‒ Improper allocation of contracts;
‒ Unauthorised secondary employment;
‒ Failure to declare conflicts of interest;
‒ Falsification of time sheets; and
‒ The cover-up of a safety breach.

• In financial terms RailCorp employees were found to have improperly allocated contracts totalling almost $19 million to companies owned by themselves, their friends or their families, in return for corrupt payments totalling over $2.5 million.

• ICAC reported findings of corrupt conduct on the part of 31 individuals including 14 RailCorp employees and staff of 16 private firms.

Operation Monto: key points

Page 54: 2016 - IQPC - Understanding and Assessing Corruption Risk

The Control Environment

[Diagram. Labels: Preventative controls; Detection controls; Investigative controls; Cost effective internal controls]

Page 55: 2016 - IQPC - Understanding and Assessing Corruption Risk

The control environment usually comprises four elements:

1. Basic standards
• Code of Conduct, gift policy, conflict of interest register, staff training & awareness program
• Set minimum standards of behaviour
• Options for disciplinary actions

2. Risk Management
• Segregation, discretion reduction, delegations, management oversight, audit
• Necessary to manage opportunities that cannot be designed out of the system

3. Operations
• Incentives, process design, information and metrics, accountability and design location, divisional arrangements, internal to market boundaries
• Organisations exist to achieve particular outcomes
• Tight operational design reduces opportunities for corruption

4. Design and oversight
• Design, governance, management, audit, investigation, business improvement, legal
• Requires clear understanding of operational realities

Source: Independent Commission Against Corruption © 2016

The Control Environment

Page 56: 2016 - IQPC - Understanding and Assessing Corruption Risk


The Control Environment

Source: Independent Commission Against Corruption © 2016

Page 57: 2016 - IQPC - Understanding and Assessing Corruption Risk

Corruption Preventative Controls | Description

Budget controls | This type of control is necessary in order to make sure that operational expenses do not exceed the projected revenue for the period, creating a net loss.

ICT system design | Misuse of corporate information is a major source of corruption because it can be used to the advantage of third parties. The IT system should be able to track the flow of information from internal and external sources, prevent cyber threats and attacks and safeguard information integrity.

Structural arrangements | The organisational structure that correctly reflects functional activities aligned to the business model, market activity and segregation of duties.

Inventory controls | Tracking system that logs receivables, use of and re-ordering of inventory that can be monitored independently of inventory staff and is tied into the budget control system.

Accountabilities | Staff evaluated against specific requirements of preventing, detecting and investigating instances of fraud.

Culture | A culture that encourages ethical behaviour, discourages nefarious activity and welcomes whistleblowing (through independent and confidential channels). The behavioural outcomes are enshrined in a current and understood Code of Ethics & Conduct.

Delegation limits | Prescribed limits on how employees can use the financial, operational, moral resources of the organisation in pursuit of its strategic objectives.

Procurement strategy | A framework that expressly sets out the relationship between the organisation and third parties when transacting in the market.

Limit client interaction | Ongoing interaction between third parties and staff creates a relationship based on mutual reciprocity. If the relationship is exclusive, the opportunity increases for gifts to lead to bribery, so staff managing the relationship should be regularly rotated.

The Control Environment #1

Page 58: 2016 - IQPC - Understanding and Assessing Corruption Risk

The Control Environment #1

• The top three factors are:
‒ Organisational culture
‒ “Tone from the top”
‒ Code of Conduct

• Organisational culture was listed as a top 3 factor by 73% of respondents.

• A surprise audit was the least reported factor, with only 5% of respondents listing it as a top 3 factor.

Source: Deloitte, 2015. Deloitte Bribery and Corruption Survey 2015 Australia and New Zealand: Separate the wheat from the chaff. 13.

Page 59: 2016 - IQPC - Understanding and Assessing Corruption Risk

Corruption Detection Controls | Description

Analysis of excessive employee payroll deductions | Evidence of substantial deductions e.g. child support, loans, penalties or fines etc.?

Analysis of excess leave balances | Do employees work excessively outside normal hours, is there evidence of excess leave accumulation?

Analysis of sick leave trends | Excessive sick days with or without doctors’ certificates might indicate secondary (and competing) employment.

Remote Access of Information | Are employees accessing corporate information and sending it outside the organisation without due justification?

Review of gift registers | Do meetings between staff and third parties occur regularly, are gifts declared, do staff appear to be living beyond their means?

Analysis of inventory, spending and transaction patterns | Run data analytics software on the financial system searching for matching bank accounts; transactional patterns with vendors, stock flow patterns in the inventory system; review of, and compliance to, purchase orders.

Analysis of complaint registers | Is there a pattern of complaints by customers, vendors and other stakeholders against particular employees?

Review of internal audit findings | Are there systematic control failures in areas of the business deemed high risk due to their interface with third parties?

The Control Environment #2

Page 60: 2016 - IQPC - Understanding and Assessing Corruption Risk

Corruption Investigative Controls | Description

Clear documented investigation procedures
• Reports of fraud investigated promptly
• Investigations are independent
• Sufficient resources allocated including budget

Investigations conducted by qualified and experienced staff
• Recognised qualifications and experience

Decision-making protocols
• Documented processes
• Proportionate responses to incidents of fraud

Disciplinary systems
• Staff understand fraud will not be tolerated and perpetrators will face disciplinary action
• Commitment to taking action against perpetrators of fraud
• Consistent application of sanctions

Insurance
• Consider a fidelity guarantee policy to protect against the financial consequences of fraud

The Control Environment #3

Page 61: 2016 - IQPC - Understanding and Assessing Corruption Risk

Commonwealth Fraud Specialists

Agency fraud section staff and qualification

Area | Employees 2008-09 | Employees 2009-10 | % qualified 2008-09 | % qualified 2009-10 | Change N= | Change %=
Prevention | 454 | 680 | 19% | 15% | +226 | +50%
Detection | 442 | 1,620 | 10% | 8% | +1,178 | +267%
Investigation | 2,062 | 1,126 | 43% | 93% | -936 | -45%

Source: Australian Institute of Criminology 2011.

Page 62: 2016 - IQPC - Understanding and Assessing Corruption Risk

Consequences of engaging in fraud

Financial / Operational
• Cash flow
• Funding availability
• Infrastructure program impacts
• Asset losses, availability
• Incident response costs
• Stakeholder intervention
• Negative impacts of staff
• Abandoned and re-run tenders

Reputation
• Adverse media
• Loss of public confidence
• Personal and family impacts
• Impact on future employment

Legal
• Corrupt conduct charges
• Fraud and other charges
• Civil suits and damages
• Foreclosure of department / agency
• Gaol

Disciplinary
• Code of Conduct breach
• Demotion
• Loss of job

Page 63: 2016 - IQPC - Understanding and Assessing Corruption Risk


Consequences of engaging in fraud

[Pie chart: What is the key downside posed by domestic corruption to your organisation? Legend: Reputational Damage; Diversion of employee and management time; Financial - cost to investigate; Not applicable to my organisation; Fines, Settlements, Imprisonment; Negative impact on employee morale; Other; Remediation costs. Segment values shown: 60%, 12%, 11%, 5%, 5%, 4%, 2%, 1%]

Page 64: 2016 - IQPC - Understanding and Assessing Corruption Risk

• UK Bribery Act
‒ Covers the criminal law relating to bribing anyone to induce them to act improperly; and the failure of the commercial organisation to prevent bribery on its behalf.
‒ The Act became operational on 1 July 2011.
‒ It has near universal jurisdiction, allowing for the prosecution of an individual or company with links to the UK regardless of where the crime occurred.
‒ Described as the toughest anti-corruption legislation in the world.

• Audit Office of New South Wales Fraud Control Improvement Toolkit 2015
‒ The AONSW’s toolkit provides guidance and practical advice to help organisations implement an effective fraud control framework.
‒ It highlights what should be present within an organisation to make fraud control work and aligns with the Fraud and Corruption Control Standard AS8001-2008.
‒ NSW agencies are encouraged to follow this standard in the design and implementation of their fraud control framework.
‒ The toolkit sets out ten attributes which help prevent, detect and respond to a corruption event.

What does better practice corruption prevention look like?

Page 65: 2016 - IQPC - Understanding and Assessing Corruption Risk

Key principle | Description

1. Proportionate procedures | Procedures to prevent fraud and bribery that are proportionate to the risk that your organisation faces

2. Top level commitment | Commitment by your Executive to foster a culture where fraud and corruption are never acceptable

3. Risk assessment | The periodic assessment of the nature and extent of your exposure to the potential external and internal risks of fraud and corruption

4. Due diligence | Taking a risk based approach, the application of due diligence processes and procedures in respect to customers and third parties who do business with you

5. Communication and training | Embedding and understanding fraud and corruption control through periodic and regular communication and training

6. Monitoring and review | Periodic and regular reviews of procedures designed to prevent fraud and corruption, making improvements where necessary

UK Bribery Act: Principles of the framework

Page 66: 2016 - IQPC - Understanding and Assessing Corruption Risk

AONSW: Principles of the framework

Attribute | Checklist

1. Leadership
• CEO and senior management commitment to fraud controls
• Clearly defined CEO and senior management accountability and responsibility

2. Ethical Framework
• Clear policies setting out acceptable standards of ethical behaviour
• Demonstrated compliance with the ethical framework
• Employees articulate obligations to ethical behaviour and the organisation’s position on fraud

3. Responsibility Structures
• Management and all staff have clearly defined responsibilities for managing fraud
• Fraud management is integrated with core business
• Clearly defined roles for audit and risk committee and auditors
• Staff with responsibility for fraud control and staff in high risk fraud areas are provided with training

4. Fraud Control Policy
• Risk-based policies appropriate to the organisation
• Holistic and integrated
• Regularly reviewed, current and implemented

5. Prevention Systems
• Proactive and integrated fraud risk assessment
• Planning, follow up and accountability
• Analysis of and reporting on suspected and actual frauds
• Ethical workforce
• IT security strategy

6. Fraud Awareness
• Comprehensive staff education and awareness program
• Staff awareness of fraud control responsibilities
• Customer and community awareness

7. Third Party Management Systems
• Targeted training and education for key staff
• Third party due diligence and clear contractual obligations and accountabilities
• Effective third party internal controls
• Third party awareness and reporting
• Staff disclosure of conflicts of interest and secondary employment

Page 67: 2016 - IQPC - Understanding and Assessing Corruption Risk

AONSW: Principles of the framework

Attribute | Checklist

8. Notification Systems
• Culture that supports staff reporting fraud and management acting on those reports
• Policies, systems and procedures that support reporting
• Processes to support upward reporting
• External reporting

9. Detection Systems
• Robust internal controls
• Monitoring and review
• Risk-based internal audit program

10. Investigation Systems
• Clear documented investigation procedures
• Investigations conducted by qualified and experienced staff
• Decision-making protocols
• Disciplinary systems
• Insurance

Page 68: 2016 - IQPC - Understanding and Assessing Corruption Risk

PNSW: In Practice

PNSW’s approach to fraud and corruption control is based on the NSW Audit Office’s Fraud Control Improvement Kit (2015).

The PNSW Fraud & Corruption Control Framework supports DFSI’s Code of Ethics and Conduct and its governing principles set by the Executive. The scope of the Framework outlines:

• PNSW’s requirements that relate to bribery, fraud and corruption;

• The agency's position on bribery, fraud and corruption matters, as well as the governance of the framework and key roles and responsibilities;

• The DFSI’s Fraud & Corruption Control, Gifts and Benefits and Conflicts of Interest policies, as well as the Code of Ethics and Conduct, detail the specific requirements that must be met by all employees;

• The fraud reporting mechanisms set out the requirements and processes that must be undertaken if an instance of corruption arises.

[Diagram: The Fraud and Corruption Control Environment, PNSW. Labels: Fraud Reporting Systems; Conflicts of Interest; Anti Fraud; Anti Corruption; Gifts and Benefits; Key risks relating to Bribery, Fraud and Corruption; Business processes (e.g. Operations, HR, Finance, Strategy, Leasing Procurement)]

Page 69: 2016 - IQPC - Understanding and Assessing Corruption Risk

• The process of risk management is a prescribed process: there are sequential and repeatable steps: risk identification → cause and impact identification → control specification → risk actions → risk scoring → review and repeat.

• The most efficient approach is to “bow-tie” risks thereby creating a “parsimonious” strategic risk register.

• All organisations should include “baseline” risks which include an explicit reference to a “failure to prevent fraud and corruption”.

• There are many reasons why organisations experience a fraud or corruption event but the single point of failure is the control environment.

• Whenever there is an interface between government and the private sector an opportunity to engage in fraud and corruption exists.

• TCE provides a useful framework to analyse the sources of fraud and corruption risk when dealing with third parties.

• The control environment consists of three interlocking processes: prevention, detection and investigation.

• Without significant but efficient investment in compliance, the consequences of failing to manage fraud and corruption risks are catastrophic.

Summary of Key Themes