Thursday, 4 May 2023

By Anya Gielen and Cameron Anderson

At their core, fraud and corruption still carry a significant human element – both in cause and solution.

The Australian Standard 8001 - Fraud and Corruption Control (‘AS 8001’ or ‘the Standard’) provides guidance on the development, implementation and maintenance of a ‘Fraud and Corruption Control System’ (‘FCCS’). However, leaders and organisations should not reduce the meaning of the word ‘system’ to computerised information systems. Integrity management cannot be addressed purely via an off-the-shelf, ‘set and forget’ piece of software, a tick-the-box checklist or a static documented framework which collects dust on the shelf. Instead, the FCCS should comprise a cross-collaborative system of risk-aware teams which work together within the internal and external environment of the organisation to devise multi-factorial strategies to combat integrity breaches.
The human element of fraud is apparent when considering the fraud triangle[1], a theory which posits that three factors are present for every fraud:
  1. A pressure or incentive motivating the individual to act;
  2. An internal rationalisation of the act; and
  3. The opportunity to commit the act.
While the third factor, opportunity, is typically addressed through internal controls, fraud can and does still occur. This is because controls can break down, fail or be overridden by people in a position of authority or trust. The risk that fraud can occur despite controls is known as residual fraud risk, which, along with the first two factors (pressure/incentive and rationalisation), can be further mitigated through people-related actions. For example, an incentive to manipulate sales figures can be reduced through the elimination of sales bonuses, but managers may still be pressured to hit targets and meet budgets. As such, there is still a need to establish an organisational culture of integrity to reduce the likelihood of employees falsifying sales or leveraging improper accounting techniques for personal gain.

The Standard recommends 14 foundational elements as the underlying governance arrangements which should support an FCCS. A human-centred approach is a common thread among these elements, and covers the following key principles:
  • Organisations need to define roles and responsibilities in fraud and corruption control, with defined accountabilities cascading from the governing body and top management throughout all levels of the organisation. Specific accountabilities should be assigned to key internal fraud control resources (i.e., a fraud control specialist) but should also reflect interactions with supporting functions (such as cybersecurity, anti-money laundering, people and culture, and internal and external audit teams).
  • In addition to clear and accessible documentation of the FCCS, the organisation must ensure appropriate steps are taken to implement the documented framework. This requires:
      • Supporting processes and procedures to ensure documented fraud control arrangements are practised, with sufficient resource allocation to ensure efficacy.
      • Training and awareness measures to ensure staff maintain familiarity with the FCCS.
      • Record keeping policies and processes to ensure that adequate records of business activity are maintained to support the preventative, detective and response pillars of fraud and corruption control.
      • Defined practices to encourage and embed coordination and collaboration across functions within the FCCS, so that the defined roles and responsibilities work together as part of a system and not as separate siloed practices.
The last point around coordination and collaboration is an area where many organisations struggle. Far too often a siloed approach is adopted, which can lead to unidentified risks, inefficiencies and blind spots. For example, a key control to address the risk of corruption is the maintenance of a Conflicts of Interest (COI) register. However, such a register is not very useful if it is not referenced by functions across the organisation. Some organisations conduct annual COI attestations which require employees in positions of authority to declare their external financial interests. However, if there is no specific COI process for the declaration of relationships, or no consideration of previously declared interests during procurement or recruiting decisions (e.g. hiring a contractor who is then converted to a permanent employee), then a COI may go unidentified and uncontrolled despite a past declaration. As such, there is a need for connection between the COI register and the procurement and recruitment functions as a minimum, so that COIs are not only declared as and when appropriate (in higher risk scenarios), but that action plans are also actively followed.

Organisations also need to consider ethical culture holistically. Whilst it is reasonable and appropriate that an organisation’s people function has responsibility for responding to misconduct not considered to be fraud and corruption, such incidents (e.g. harassment, bullying, discrimination, non-compliance, etc.) may indicate an organisational culture that tolerates other issues, including fraudulent or corrupt behaviour. Fraud risk owners need to understand the frequency of misconduct, such as bullying and harassment, to be able to assess whether ethical culture is a reliable control. Communication and collaboration across all functions responsible for integrity management is essential.

While simple in theory, addressing the human element of integrity management is complex. The solution will be different for every organisation, but in our experience of reviewing clients’ FCCS, a commitment to routine helps. Tone from the top is critical in endorsing the FCCS, emphasising an intolerance for fraud or corruption and conveying the repercussions for employees who do not adhere to the requirements put in place by the FCCS. Regular coordination between different risk owners may help to identify high-risk hotspots, trends or emerging risks, but will also ensure risk owners are sufficiently informed to be able to appropriately assess risks. Coordination and collaboration can also enable better informed process/control design. Fraud risk owners and investigators can provide valuable input into process, system and control design to minimise the opportunities for fraud and corruption. Similarly, integrity management resources can sense-check system design to help ensure data-based evidence is generated and collected, or readily available, for use in detection and investigation should it be required.

[1] Cressey, D.R. (1953), Other People’s Money: A Study in the Social Psychology of Embezzlement, The Free Press, Glencoe, Illinois.