Fraud Risk Management under the microscope
How would yours stack up?
A report by the Victorian Auditor-General’s Office (VAGO) “Fraud Prevention Strategies in Local Government” was tabled in the Victorian Parliament on 6 June 2012 and included a summary of the results of an assessment of the effectiveness of a sample of Victorian local councils’ fraud prevention strategies and selected controls1.
Although targeted at local government, the findings are a timely reminder for all organisations that fraud is a risk that requires particular attention and unique strategies to manage effectively.
The VAGO assessment drew upon an earlier 2008 VAGO report2 that found significant deficiencies in Victorian local government’s fraud management practices. VAGO found that although fraud management practices had been improved since the 2008 report, the improvements were limited and not consistent across all of the councils examined. In addition, the report recommended the implementation of a number of further strategic and control improvements to ensure effective fraud control.
This article takes a closer look at the recommendations made by VAGO in the 2012 report and provides our perspective on how they might be implemented in a broader organisational context.
The report acknowledges that eliminating fraud completely is not possible, but stresses the importance of targeted preventive measures to mitigate the risks.
The Auditor-General concluded that none of the examined councils adopted “…a strategic and coordinated approach to the management of fraud risk”3 and this lack of adoption resulted in ineffective fraud prevention strategies. Specifically he noted the absence of fraud control plans and risk assessments which, along with regular monitoring and reporting on its effectiveness, are key components of an effective fraud control framework.
The Auditor-General also criticised the adequacy of particular controls including pre-employment screening policies and procedures and also highlighted specific examples of deficiencies in the examined councils’ internal control environment that posed fraud risk if left untreated.
Although the microscope in this instance was on local government, the better practices considered by the Auditor-General apply to a much broader demographic. As such, the recommendations provide a useful benchmark for examining the fraud management practices of any organisation.
In our experience the VAGO observations are not unique or limited solely to local government entities.
In our fraud risk management work we often see organisations that struggle to develop and implement robust fraud and corruption risk management strategies. When reading through the VAGO findings and recommendations below, it would be worth considering how your organisation would fare if a similar assessment was undertaken.
The VAGO findings and recommendations
The report found that, overall, although the examined councils had implemented some aspects of a fraud control framework to varying degrees, the lack of a strategic and coordinated approach at all councils meant fraud risks could not be adequately mitigated.
It also found that the internal control environment of the examined councils contained a number of deficiencies, specifically in pre-employment screening, accounts payable processes and asset management, all of which are inherently high risk areas for fraud and mismanagement.
The recommendations made by VAGO address concerns relating to both key internal fraud controls and overarching fraud prevention strategies of the councils examined, but are sufficiently broad to be applied to private sector and other public sector organisations, and so provide a useful source of guidance for those looking to strengthen their fraud mitigation strategies.
According to the report, none of the councils had clearly documented the elements of their fraud risk management strategy, nor developed indicators for evaluating their effectiveness4. A common method for documenting an organisation’s fraud control initiatives is via a fraud control plan, a document VAGO also considers to be a key aspect of effective fraud control.
The report states that a Fraud Control Plan “…is a critical component of an effective fraud control framework”5 , and recommended all councils “develop and maintain an up to date fraud control plan and associated strategies based on a comprehensive assessment of fraud risks”6 .
Understanding a Fraud Control Plan
In line with the above finding from the report, we also recommend organisations develop a Fraud Control Plan to guide the strategic, operational and tactical approach to managing fraud and corruption risk. The Plan should encompass all prevention, detection, reporting, and investigation measures the organisation has in place, or intends to put in place. Typically this would include at a minimum:
- Identification of employees responsible for implementing the Plan and monitoring its implementation
- A summary of the identified internal and external fraud risks or vulnerabilities (with reference to the latest fraud risk assessment) and the overall fraud context of the particular organisation
- The treatment strategies or controls (eg policies, procedures and governance structures) in place to mitigate the identified risks above
- An explanation of how the organisation will handle allegations or suspicions of fraud, including investigations procedures and recovery actions (including when incidents will be referred to the police)
- An outline of fraud awareness training programs and requirements for employees to undertake training
- Mechanisms for collecting, analysing and reporting the number and nature of incidents of actual frauds
- Avenues available for employees, third party contractors and external parties to report fraud or suspected fraud.
Accompanying the Plan should be a fraud policy statement, comprising:
- The definition of fraud and an outline of the organisation’s position on fraud. This should be produced under the name of executive or senior management to set the ‘tone from the top’ and to communicate a ‘no tolerance’ attitude to fraud and corruption
- The organisation’s commitment to investigating and prosecuting fraud or pursuing other effective remedies
- A statement of employee and contractor responsibilities relating to the prevention and reporting of fraud and how fraud is to be reported
- The consequences of acting fraudulently
- An assurance that allegations and investigations will be handled professionally and confidentially
- Directions as to how allegations and incidents of fraud are to be managed
- Advice on where further information can be found.
We note that although the term ‘fraud’ is used in the VAGO report, it is also important to consider the related concept of corruption and how corrupt activities such as bribery and inappropriate relationships should be managed. Often it will be necessary to separately define corrupt activities to differentiate from fraud and theft in the Fraud Control Plan and accompanying documents.
The VAGO report highlighted deficiencies in the manner in which a small sample of local government entities managed the risk of fraud. It would be unfair, however to suggest that it is only local government that experiences difficulties in managing the risk of fraud and corruption. In our experience it is often the case that unless an organisation has detected fraud it will not be a risk that is front of mind.
Recent high profile cases of fraud, often perpetrated by relatively junior staff, have shown the potentially devastating consequences these acts can have on the victim organisation, from reputational damage and exposure to regulator and law enforcement scrutiny, to employee morale and financial impacts resulting from prosecution.
In our view boards of directors and executive management have a clear responsibility to acknowledge that fraud and corruption risk exists and to invest in strategies that will give an organisation the best chance of mitigating; detecting and responding to events should they eventuate.
Fraud risk and corruption management fundamentals, seven things to consider:
Director | Forensic
+61 3 9671 7550
1 VAGO, Fraud Prevention Strategies in Local Government, 2012, pvii-viii
2 Local Government: Results of the 2006-07 audits
3 VAGO, p9
4 VAGO, p11
5 VAGO, p6
6 VAGO, p9