Nobody likes to be misled, especially by people they trust or expect to do the right thing, whatever that is. Fraud and corruption can be a blow to the self-image of capable managers and to their confidence in their ability to deter or detect a fraudulent scheme. More so, they can have a negative impact on an organisation’s brand, image and reputation and on organisational morale and, where the loss is large, significantly impact the bottom line.
In a recent survey of fraud in Australian organisations, 84 percent of respondents agreed or strongly agreed with the proposition that fraud control is a governance issue.
Corporate governance is an entire culture that sets and monitors behavioural expectations intended to deter the fraudster. As part of the establishment of sound corporate governance, it is now clearly accepted that an organisation should formulate a fraud and corruption control strategy. Through the development and implementation of the strategy, compliance with anti-fraud and corruption control practices can be promoted and maintained, and instances of fraud and corruption control non-conformance can be identified and dealt with quickly.
What is a fraud and corruption control strategy?
It is a comprehensive summary of key elements that the organisation has introduced to prevent, identify, manage, investigate and deal with fraud and corruption specific to its own circumstances. According to the Australian Standard AS8001-2003, although an organisation’s approach to its strategy will depend on its size, diversity, geographical spread and the industry in which it operates, the Standard recommends that a strategy contain a number of elements. Several of these elements are discussed below:
– Fraud and corruption awareness – How does the organisation educate its staff and stakeholders about how fraud and corruption occur and what to do if they are discovered? This is a key element, as fraud surveys have clearly demonstrated over time that the majority of frauds are discovered by staff and that whistleblowers are also an important source of information.
– Reporting of fraud and corruption – Is there a formal reporting process? Do senior management and the Audit and Risk Management Committee get told of all incidents? If all instances are not recorded centrally, how does management assess the size and breadth of the problem and effectively manage it? Also importantly, if the instances of fraud and corruption are not reported to the Audit and Risk Management Committee, how does the Committee monitor the performance of senior management in managing the risk?
– Fraud and corruption risk assessment – Identifying a couple of fraud risks in your business risk assessment or enterprise risk management process is far from adequate. An organisation should not rely on management alone to come up with all potential risks as there may be a knowledge gap, a reluctance to identify the existing weaknesses, inadequate allocation of time to discuss the issues or lack of a persistent inquisitor to ask the tough questions and follow up. So, consider having someone involved who thinks like a fraudster and has experienced a broad range of fraud and corruption issues who can add real value to the process. The insights regarding risks and process weaknesses can be invaluable.
– Whistleblowing – How does your organisation protect whistleblowers? Does it encourage anonymous reporting? Whistleblower programs allow employees and others to report concerns, including those about corporate fraud, and can allow the management and/or the Board to take early corrective action. Whistleblowing lines are now becoming more prominent in the private sector.
– Pre-employment screening – Is there a consistent process of screening across the organisation? How thoroughly are background checks, such as prior employment history, tertiary qualifications and memberships of professional associations, conducted? Does it cover only full-time employees or include contractors?
– Regular reviews of internal controls – Effective internal controls cannot be both successful and static. They should be monitored and evaluated for improvements and changes made necessary by changing conditions. The scope and frequency of evaluations of the internal control structure depend on risk assessments and the overall perceived effectiveness of internal controls. As an example, under the Sarbanes-Oxley requirements, management is charged with performing an evaluation at least annually. Anti-money-laundering procedures employed by financial institutions are a good example of a proactive process designed to deter fraudulent transactions from taking place through a financial institution.