The science of controlling fraud and corruption risk

A healthy organisational culture can be one of the most effective strategies to prevent fraud and corruption. Conversely, an unhealthy workplace culture can create the conditions for fraud or corruption to occur:

• opportunity through poor internal and external controls 
• pressure such as incentives that encourage fraudulent or corrupt behaviour 
• rationalisation or justification by the individual for the dishonest activity. 

A culture of integrity requires a strong value-driven mindset at every level, exemplified by leaders setting the ‘tone from the top’, as well as systems and frameworks that enable and encourage individuals to do the right thing.^xi The culture of an organisation also greatly influences how people approach their role in managing fraud and corruption risk. Internal policies, frameworks and controls to combat fraud and corruption cannot work on their own; they must be supported by an organisational culture underpinned by ethics, accountable risk owners and capable guardians.

The following 3 pillars that underpin a culture of integrity within an organisation:

Leadership and Stewardship

In an organisation the “tone from the top’’ can either reinforce ethical behaviour, encouraging it to permeate throughout the culture of the organisation, or undermine it. When leadership openly communicates its commitment to integrity, it sets a precedent for the entire organisation.

Stewardship is a shared responsibility, reflected in the decisions we make – from the advice we provide to government, to the way we work together across agencies, to how we care for the public trust placed in us. 

Policies and Processes

Policies and processes serve as the backbone of an organisation’s culture, influencing its norms, values and practices.

Policies establish guidelines for behaviour, decision-making and interactions shaping the way people engage with each other and the organisation as a whole. Clear and well-defined policies promote consistency, fairness and accountability, fostering a culture of trust and respect. The enforcement of policies communicates the organisation’s commitment to its values and standards, removing the opportunity for fraud and corruption, influencing employees’ behaviour and shaping the overall cultural landscape.

Processes exert significant influence over an organisation’s culture and are driven by relevant policies. The way tasks are structured, workflows are designed and decisions are made all contribute to shaping the prevailing norms and values within the workplace. Efficient, transparent and robust processes can foster a culture of accountability, collaboration and trust. The alignment of processes with an organisation’s goals and values reinforces the desired cultural attributes driving employee behaviour and organisational performance. By continuously refining and adapting processes to meet evolving needs, organisations can build a culture that promotes resilience in the face of change.

People^xii

Individuals play a crucial role in influencing and promoting a culture of integrity within their organisation.

Through their actions, attitudes and interactions, people collectively create the environment that defines the organisation’s identity and values. By fostering collaboration, diversity and a sense of belonging through wellbeing support, people cultivate a culture that promotes innovation, productivity and overall success. 
 

As the well-known Peter Drucker quote says, “what gets measured gets managed,” and that is true for fraud and corruption. One of the challenges in controlling fraud and corruption within the public sector is a limited evidence of their extent and impacts. This is because fraud and corruption are hidden crimes – deliberately concealed by the perpetrators and often overlooked by the affected organisations and programs. However, we know that when organisations invest in capability to find fraud and corruption, they generally find lots of it. It’s there under the surface, we just need to put the effort in to look for it.

The IPSFF Fraud Loss Measurement Framework helps organisations undertake measurement exercises in a way that provide a credible estimate of the levels of fraud and error related to a specific program, activity or function (based on a sample dataset of transactions or payments). This framework outlines:

• What Fraud Loss Measurement (FLM) is and how it relates to broader fraud measurement and other essential capabilities like risk assessment and control testing.
• The purpose and benefits of FLM
• The governance arrangements that support effective FLM capability 
• The skills and attributes required by staff undertaking FLM exercises
• How to establish a FLM process
• How to undertake a FLM exercise, including: 
  • where to undertake measurement,
  • what to measure for, 
  • how to choose the right sample, and
  • how to report on results.

A control is any process, policy, device, system, practice or other action that is put in place to modify the likelihood or consequence of a risk, or to detect if a risk is happening. Controls operate together, and are generally dependent on one another, to mitigate different risks across an organisation or within a specific program, function or activity. An integrated assembly of controls make up a control environment.

Fraud and corruption controls and how they help to mitigate risk

Controls vary in purpose and application. There are 3 key categories of controls, which play a fundamental role in helping entities prevent, detect and respond effectively to fraud and corruption:

Prevention controls are the most common and cost-effective way to stop fraud and corruption, as they prevent or limit the size of risk by reducing the likelihood and consequences of fraud and corruption.

Detection controls can identify and disrupt fraud and corruption and reduce consequences, but are not as cost-effective as prevention controls; however they can significantly reduce impacts, if detection occurs early.

Corrective controls respond to fraud and corruption after they have occurred, to help reduce or disrupt additional consequences, and while they are not as cost-effective as prevention or detection controls, they can significantly reduce the impacts, if implemented effectively.

When determining the level of risk, the combination of the likelihood and consequence that provide an estimation of the current risk level:

• Likelihood: the probability (what is the chance of fraud or corruption taking place) and frequency (the number of fraud or corruption incidents that can be expected).
• Consequence: the duration (time before fraud is prevented, detected or disrupted) and the impact (the potential severity of the fraud or corruption).

When looking to mitigate a risk, you can reduce the likelihood (probability and frequency) through prevention controls. A reduction in the consequences (duration and impact) can be achieved through prevention controls but is often achieved through effective detection controls (reduced time to action) and response controls (to reduce or remediate the impacts). 

The most efficient path to reduce risk is achieved by reducing both the likelihood and consequences - through a combination of effective prevention, detection and corrective controls. However, while all these controls are important, control environments should always be geared towards prevention as this is the most cost-effective means of minimising the risk of fraud and corruption to begin with and avoiding the harm they cause.
 

Early consideration of risk can position an organisation to appropriately balance service delivery priorities such as streamlining processes and improve user experience with safeguarding the integrity of government services, resources and systems.

Assessing fraud and corruption risk and defining prevention mechanisms during the design phase of policies, programs and transformation initiatives is important to ensure that vulnerabilities are identified early. Controls can then be embedded in the policy and legislative frameworks themselves, for example by: 

• providing robust legislative powers to authenticate identity 
• sharing information with other entities, or
• verifying a person’s fitness and propriety before allowing them to access a government scheme or service. 

Accounting for fraud and corruption risks should start with understanding and analysing the features of the new initiative, for example: 

• whether the program establishes new targets for fraud or corruption (e.g. new financial or non-financial benefits), 
• how and where the program will be delivered, 
• what the anticipated volume of transactions is, or 
• what the government’s expectations in terms of priorities and delivery mechanisms are.

Understanding these factors will help you identify threats, vulnerabilities and other risk factors that might impact on the initiative, and policy elements that could mitigate fraud and corruption.