Fraud and corruption health check
Issue 17, March 2014
Why you need it and what should it look like. The risks and realities of fraud and corruption are widely recognised as a significant issue for organisations, regardless of industry or geography.
- Deloitte’s Fraud Cube
- Subscribe to Forensic Foresight
- Risk enquiry form
- Follow us on Twitter
Managing fraud and corruption risk, and being prepared to deal with the very real possibility of fraudulent or corrupt conduct, is no longer an option for organisations.
There is increasing pressure, for example, for first world countries to lead anti-corruption activities and understand and manage risks associated with new anti-corruption legislation such as the United States Foreign Corrupt Practices Act, the United Kingdom Bribery Act and the relevant provisions of the Australian Commonwealth Crimes Act.
The stakes are high and the outcomes can be severe – from exposure to criminal sanctions and multi-million dollar fines to reputational damage and a direct hit to the bottom line. International agencies such as the World Bank, the Asian Development Bank and Australian Aid (formerly AusAID) all take a zero tolerance attitude to fraudulent activity and may refuse to issue contracts with entities that have failed to control activity in the past.
So the motivation for organisations to build a robust fraud control program is as more than compelling.
The key to addressing the risks associated with fraud and corruption is for an organisation to really understand its regional and global operations and, at the same time, consider governance and control environments. Aligning these two key elements is critical to being able to have confidence that these risks are under control.
A review of global operations, policies and procedures to ensure alignment with fraud and anti-corruption best practice may sound like a daunting process. However, applying a proven methodology consistent with Australian standards such as the Fraud and Corruption Control Standard 2008 and relevant legislative requirements will ensure the development of a robust and integrated framework – and what was once a daunting prospect becomes achievable.
At a minimum the key areas below should be considered and assessed to provide a complete view of an organisation’s risk context:
- Communication and training
- Investigation and discipline
- External & counter (third) party
Typically, a risk and evidenced-based approach is incorporated in the process to ensure that high risk areas receive the most attention.
A high level review of the above eight areas is undertaken, sourcing appropriate information to evidence the organisation’s compliance with the minimum standards and their risk context (established via a review of external/counterparty relationships and operations). Importantly, high level gaps between minimum standards and the actual organisational position are identified. This gap analysis is tempered by the risk context review, allowing the organisation to focus attention on gaps identified in high risk areas. The fundamentals of a best practice approach are still assessed in all areas.
Useful tools and models will typically visualise these results and present them to management in a way that communicates the context efficiently and effectively, creating a greater awareness of the real risks faced by the organisation. They also allow for deeper dives into high risk areas as needed...and from enhanced awareness and performance benchmarks, true insights are revealed.
Deloitte’s Fraud Cube
Deloitte’s Fraud Cube is entirely consistent with the above approach, and also introduces a unique visualisation tool to communicate risk context. It summarises key assessment areas for each relevant business unit of an entity, with a dashboard (see sample below) providing a compelling visual summary of the key risk areas and a simple view of the gaps in the organisation’s management of these risks.
Incorporating an interactive review capability, the dashboard is a powerful tool for managers and risk professionals to review their risk context at a summary level, and then at a detailed level, drilling into each area of concern.