A human-centred approach
At their core, fraud and corruption still carry a significant human element – both in cause and solution.
The Australian Standard 8001 - Fraud and Corruption Control ('AS 8001' or 'the Standard') provides guidance on the development, implementation and maintenance of a 'Fraud and Corruption Control System' ('FCCS'). However, leaders and organisations should not reduce the meaning of the word 'system' to computerised information systems. Integrity management cannot be addressed purely via an off-the-shelf, 'set-and-forget' piece of software, a tick-the-box checklist or a static documented framework which collects dust on the shelf. Instead, the FCCS should comprise a cross-collaborative system of risk-aware teams which work together within the internal and external environment of the organisation to devise multi-factorial strategies to combat integrity breaches.
The human element of fraud is apparent when considering the fraud triangle[1], a theory which posits that three factors are present for every fraud:
- A pressure or incentive motivating individuals to act;
- An internal rationalisation of the act; and
- The opportunity to commit the action.
While the third factor, opportunity, is typically addressed through internal controls, fraud can and does still occur, because controls can break down, fail or be overridden by people in a position of authority or trust. The risk that fraud occurs despite controls is known as residual fraud risk, which, along with the first two factors (pressure/incentive and rationalisation), can be further mitigated through people-related actions. For example, an incentive to manipulate sales figures can be reduced by eliminating sales bonuses, but managers may still be pressured to hit targets and meet budgets. As such, there is still a need to establish an organisational culture of integrity to reduce the likelihood of employees falsifying sales or leveraging improper accounting techniques for personal gain.
The Standard recommends 14 foundational elements as the underlying governance arrangements which should support an FCCS. A human-centred approach is a common thread among these elements, and covers the following key principles:
- Organisations need to define roles and responsibilities in fraud and corruption control, with defined accountabilities cascading from the governing body and top management throughout all levels of the organisation. Specific accountabilities should be assigned to key internal fraud control resources (such as a fraud control specialist) but should also reflect interactions with supporting functions (such as cybersecurity, anti-money laundering, people and culture, and internal and external audit teams).
- In addition to clear and accessible documentation of the FCCS, the organisation must ensure appropriate steps are taken to implement the documented framework. This requires:
  - Supporting processes and procedures to ensure documented fraud control arrangements are practised, with sufficient resource allocation to ensure efficacy.
  - Training and awareness measures to ensure staff maintain familiarity with the FCCS.
  - Record-keeping policies and processes to ensure that adequate records of business activity are maintained to support the preventative, detective and response pillars of fraud and corruption control.
  - Defined practices to encourage and embed coordination and collaboration across functions within the FCCS, so that the defined roles and responsibilities work together as part of a system and not as separate, siloed practices.
The last point, coordination and collaboration, is an area where many organisations struggle. Far too often a siloed approach is adopted, which can lead to unidentified risks, inefficiencies and blind spots. For example, a key control to address the risk of corruption is the maintenance of a Conflicts of Interest (COI) register. However, such a register is of little use if it is not referenced by functions across the organisation. Some organisations conduct annual COI attestations which require employees in positions of authority to declare their external financial interests. However, if there is no specific COI process for the declaration of relationships, or no consideration of previously declared interests during procurement or recruiting decisions (e.g. hiring a contractor who is then converted to a permanent employee), then a COI may go unidentified and uncontrolled in spite of a past declaration. As such, there needs to be a connection between the COI register and, at a minimum, the procurement and recruitment functions, so that COIs are not only declared as and when appropriate (in higher-risk scenarios) but also have action plans that are actively followed.
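The cross-check described above, written out as an added example (not code from the Standard or from the article): a COI register is consulted at the moment a procurement approval or a hire, including a contractor conversion, is decided, and each hit reports whether an action plan was ever recorded. All names, records and the `action_plan` field are constructed, and matching is a normalised exact-name match, so a real system would need entity resolution on top.

```python
"""Cross-reference a Conflicts of Interest (COI) register against procurement and
recruitment decisions, so a past declaration is actually consulted when a
decision is made. Added illustration: every name, record and field is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Declaration:
    employee: str          # staff member who made the declaration
    related_party: str     # vendor, person or entity they declared an interest in
    kind: str              # "financial" (annual attestation) or "relationship"
    action_plan: str       # agreed mitigation; "" if none was recorded


def _norm(name: str) -> str:
    """Case- and whitespace-insensitive key so 'ACME  PTY LTD' matches 'Acme Pty Ltd'."""
    return " ".join(name.lower().split())


def find_conflicts(register, procurement, recruitment):
    """Return one finding per decision whose decision-maker has a declared interest
    in the counterparty. procurement rows are (approver, vendor); recruitment rows
    are (hiring_manager, candidate, route), route being e.g. 'contractor' or
    'conversion_to_permanent'. Each finding records whether an action plan exists."""
    by_employee = {}
    for d in register:
        by_employee.setdefault(_norm(d.employee), {})[_norm(d.related_party)] = d
    findings = []
    for approver, vendor in procurement:
        d = by_employee.get(_norm(approver), {}).get(_norm(vendor))
        if d:
            findings.append(("procurement", approver, vendor, d.kind, bool(d.action_plan)))
    for manager, candidate, route in recruitment:
        d = by_employee.get(_norm(manager), {}).get(_norm(candidate))
        if d:
            findings.append((f"recruitment/{route}", manager, candidate, d.kind, bool(d.action_plan)))
    return findings


# Constructed sample data: one annual financial attestation, one relationship declaration
# with no action plan, then decisions made by the same and by an unrelated approver.
REGISTER = [
    Declaration("J. Citizen", "Acme Pty Ltd", "financial", "excluded from Acme approvals"),
    Declaration("J. Citizen", "A. Relative", "relationship", ""),
]
PROCUREMENT = [("J. Citizen", "ACME PTY LTD"), ("K. Other", "Acme Pty Ltd")]
RECRUITMENT = [("J. Citizen", "A. Relative", "conversion_to_permanent"),
               ("K. Other", "B. Candidate", "contractor")]

if __name__ == "__main__":
    for finding in find_conflicts(REGISTER, PROCUREMENT, RECRUITMENT):
        print(finding)
```

The second finding is the case the paragraph warns about: a relationship declared earlier resurfaces at a contractor-to-permanent conversion, and the empty action plan shows the declaration was never followed through.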
Organisations also need to consider ethical culture holistically. While it is reasonable and appropriate that an organisation's people function has responsibility for responding to misconduct not considered to be fraud and corruption, such incidents (e.g. harassment, bullying, discrimination, non-compliance) may indicate an organisational culture that tolerates other issues, including fraudulent or corrupt behaviour. Fraud risk owners need to understand the frequency of misconduct, such as bullying and harassment, to be able to assess whether ethical culture is a reliable control. Communication and collaboration across all functions responsible for integrity management is essential.
While simple in theory, addressing the human element of integrity management is complex. The solution will be different for every organisation, but in our experience of reviewing clients' FCCS, a commitment to routine helps. Tone from the top is critical in endorsing the FCCS, emphasising an intolerance for fraud or corruption and conveying the repercussions for employees who do not adhere to the requirements put in place by the FCCS. Regular coordination between different risk owners may help to identify high-risk hotspots, trends or emerging risks, and will also ensure risk owners are sufficiently informed to assess risks appropriately. Coordination and collaboration can also enable better-informed process and control design: fraud risk owners and investigators can provide valuable input into process, system and control design to minimise the opportunities for fraud and corruption. Similarly, integrity management resources can sense-check system design to help ensure data-based evidence is generated and collected, or readily available, for use in detection and investigation should it be required.
Footnote
[1] Cressey, D.R. (1953), Other People's Money: A Study in the Social Psychology of Embezzlement, The Free Press, Glencoe, Illinois.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.