Strong internal controls, including maintaining a robust internal control environment, are the best way public sector organizations can mitigate fraud. However, even a strong internal control environment cannot guarantee that no frauds will take place within organizations. Implementation of further lines of defense, such as an efficient and effective internal audit function, is important. This publication describes some of the opportunities that new technologies, especially the use of data analytics, can offer for internal audits in preventing and detecting fraud, and offers good practice advice that organizations can follow in establishing effective fraud management programs.

Why is there an increased focus on fraud worldwide?

Large corporate scandals and frauds have shaken both the private and public sectors over recent decades. The negative effects of these frauds are significant but difficult to quantify and measure. Their impact is often damaging both financially and reputationally to organizations, and they are therefore not widely publicized. Frauds are often very difficult to uncover. Despite increased fraud prevention and detection methods, many frauds are still only accidentally discovered after going on for prolonged periods.

Governments and organizations have increased their efforts to address fraud risks, driven by the global growth of fraud occurrence; the demands of a burgeoning regulatory environment; increasing citizen dissatisfaction with the scale of fraud and corruption; as well as amplified requirements from external and internal auditors. More than ever organizations are focused on establishing appropriate risk assessment processes and plans, and implementing fraud awareness programs, together with prevention and detection measures.

What are the most common types of fraud in the public sector?

When it comes to fraud in the public sector, issues such as bribery, corruption, and misuse of authority during public procurement often come to mind. These practices usually involve misuse of entrusted power for personal gain, often including cash given “under the table” so there is very little or no financial statement evidence that a crime has occurred. Such crimes are uncovered in most cases through tips or complaints from third parties, often via a fraud hotline, or are detected during internal reviews, external audits, and by financial inspections.

Frauds within the public sector, including State-Owned Enterprises (SOEs), originate from both internal and external sources. Internal frauds can be committed by any employee at any level within the organization. They can range from small-scale abuse of travel expenses to large-scale frauds involving high-value contracts and breaches of controls that could have serious and material consequences.

Examples of internal frauds perpetrated by employees

• Procurement fraud (e.g. false invoicing, credit card misuse, manipulations in the procurement process or procuring low quality items, receiving kickbacks for referring contract work to related parties);
• Theft and skimming (e.g. removing and selling inventory, cash, consumables, or information, fraudulent acceptance of goods and services, and receiving compensation without reporting transactions);
• Fraudulent expenditure claims (e.g. using false receipts to claim travel and accommodation allowances);
• Payroll fraud (e.g. adding fake employees to the payroll or claiming overtime for hours not worked).

More recently a portion of economic crime connected with public sector entities involves accounting fraud, including accounting or reporting manipulations. This has increasing relevance as public sector entities and governmental agencies introduce numerical performance indicators as an important measure of success and move towards accrual based accounting and financial reporting.
This can raise incentive and pressure for management to misstate statistical and financial reporting to meet targets rather than focus on achieving outcomes.

Other examples of fraud and illegal activities include money laundering (the transforming of profits of crime and corruption into legitimate assets); tax evasion (the deliberate reporting of false information in tax reporting); and informality (economic activity that is not taxed or monitored by governments).

Do certain sectors or organizations carry greater fraud risk?

A Global Fraud Survey conducted in 2016 by the Association of Certified Fraud Examiners found that the government and public administration sector was the second most represented sector, after the banking and financial services industry. Further, the survey found that organizations of different sizes are exposed to different fraud risks. Corruption was more prevalent in larger organizations, for example, while check tampering, skimming, payroll schemes, and cash theft were twice as common in small organizations as in larger organizations.

The size of the organization and the complexity of the business matter when it comes to fraud risk exposure. Smaller organizations have limited resources to devote to the development of anti-fraud controls, and their internal control systems are often not as well developed as those of large organizations. Smaller companies often lack in-house internal audit functions and are exempt from external audit requirements. These gaps in fraud prevention and detection leave small organizations more susceptible to frauds that can cause significant damage to their limited resources.

What factors can indicate fraud?

The Fraud Triangle can help explain the factors that lead to fraud and other types of unethical behavior within organizations.
According to the theory three elements must exist for an individual to act unethically:

#1: Perpetrators of fraud need an incentive or pressure to engage in misconduct;
#2: There must be an opportunity to commit fraud and this is often the focus area for internal auditors;
#3: Perpetrators are often able to rationalize or justify their actions.

[Figure: the Fraud Triangle, with FRAUD at the center and the three sides labeled Incentive or Pressure, Opportunity, and Rationalization or Attitude]

The fraud triangle provides a useful framework for organizations to analyze their vulnerability to fraud and unethical behavior. If companies focus on preventing each factor they can minimize instances of fraud and other forms of unethical behavior. Further, the theory is useful in understanding who is more likely to commit fraud and the circumstances under which fraud is more probable. This can help organizations focus their anti-fraud policies in targeted areas.

For example, fraud is more likely to occur in circumstances when there are inadequate or ineffective internal controls, such as in the early stages of development of a project or process when controls are still being formulated or where there are only limited controls. Lack of resources can also present a risk affecting, for example, the integrity of controls if duties are not appropriately segregated, or allowing insufficient monitoring of transactions if an adequately staffed internal audit function is not in place.

Indicative “Red Flags” for Public Sector Entities

Below is a non-exhaustive list of fraud indicators (“red flags”) that may be relevant for public sector entities:

• Pressure from an external party (e.g. political structure);
• Legislation, policies, and procedures that are not applied equally throughout public sector organizations;
• Poor IT systems and lack of appropriate IT security;
• Centralized decision making which risks undermining the necessary segregation between procurement, contracting, and approval;
• New programs or early stages of programs with effective controls not yet in place;
• No procedure in place for punishment for fraudulent activities during an extensive period;
• Overriding of controls by management and officers on grounds of urgent need;
• High turnover rate, dismissal, or reassignment of key employees; lack of technical expertise for assigned role; insufficient human resources to implement control procedures;
• Senior managers under intense pressure to meet high targets may resort to unethical means to achieve their goals;
• Presence of non-routine transactions that lack proper approval or are not supported with appropriate documentation;
• Disgruntled employees who convey dissatisfaction with the job, compensation, or other factors;
• Large volumes of related party activities undertaken outside of the normal course of operating activity.

What are the responsibilities in respect of fraud within organizations?

Management are ultimately responsible for fraud deterrence within organizations and have the primary responsibility for the prevention and detection of fraud and error by applying and maintaining appropriate accounting and internal control systems.

Boards in SOEs with an oversight role are responsible for supervision of management’s identification of fraud risks and implementation of anti-fraud measures. Audit Committees are more common in the private sector and their roles include appointing external auditors and supervising the work of the internal audit function.
Both management of a public sector organization and Boards with an oversight role set the tone from the top of organizations that fraud will not be accepted or tolerated in any form.

Unless required by regulation, external auditors do not express an opinion on the system of internal controls. External auditors may test the internal controls established by management, on a sample basis, and gather appropriate evidence to provide a reasonable (high but not absolute) assurance that the financial information prepared by public sector organizations is free from material misstatement, whether caused by error or fraud. Having strong internal controls and performing periodical independent audits creates a strong internal control environment that deters fraud, but does not guarantee that no frauds will take place within organizations.

The internal audit function is an efficient line of defense against fraud and has an important role within organizations in detecting and preventing fraud. Internal audit supports management by determining whether the organization has adequate internal controls and promotes an adequate control environment. A centralized internal audit function that is independent and objective is in a prime position to address fraud risk management programs, and to effect change. It is important to emphasize that different organizational structures and internal audit charters affect the internal audit’s ability to achieve that role.

Internal auditors usually have a continuing presence in the entity and this presents an opportunity to gain a good and ongoing understanding of the organization and its internal control systems. While performing internal audits in accordance with the International Standards for the Professional Practice of Internal Auditing (ISPPIA),1 internal auditors supplement others within the entity when it comes to fraud detection and prevention.
Standard 1210 requires that internal auditors have sufficient knowledge to evaluate the risk of fraud, although there is no expectation that their expertise should equal that of someone whose primary responsibility is detecting and investigating fraud.

The Code of Ethics

Ethics is at the core of the accountancy and audit profession and professionals must act in line with ethical codes so as to maintain the trust and confidence of their clients, employers and the public. The Code of Ethics issued by the Institute of Internal Auditors includes mandatory guidance to promote an ethical culture in the internal audit profession and provides a set of principles and rules of conduct for internal auditors.

Recently, following a six-year, multi-stakeholder consultation process, the International Ethics Standards Board for Accountants® (IESBA®) issued a new ethical standard for auditors and other professional accountants, “Responding to Non-Compliance with Laws and Regulations”,2 that became effective on July 15, 2017. This standard is designed to strengthen the role of the accounting profession in the global fight against non-compliance with laws and regulations (NOCLAR) in areas such as fraud, money laundering, bribery, corruption, and violations of environmental laws and regulations. The standard provides a framework to guide professionals, engaged in practice and in business, in deciding how to best act in the public interest when they become aware of non-compliance.

1 https://na.theiia.org/standards-guidance/Public Documents/IPPF-Standards-2017.pdf
2 http://www.ifac.org/publications-resources/responding-non-compliance-laws-and-regulations

Segregation of Duties

Proper segregation of duties is essential for preventing fraud within organizations, and without appropriate segregation of duties internal controls become weak or break down.
The underlying reason is that this concept involves defining processes so that no individual has excessive system access that enables them to execute transactions across an entire business process without checks and balances. Establishing business processes with appropriate segregation of duties can become complex and expensive, so organizations need to prioritize and focus on transactions that pose the greatest risk to the business and rely on technology and IT when possible.

Internal auditors support fraud detection and prevention within organizations by:

• Examining and evaluating the adequacy and the effectiveness of internal controls within organizations, including those to prevent and detect fraud;
• Planning and performing internal audits and reviews that include appropriate procedures based on assessed fraud risk;
• Applying technology and data analytics to perform ongoing monitoring of fraud risks, search for unusual items, or identify potentially suspicious transactions for further investigation;
• Providing consulting expertise to management while establishing fraud prevention measures or while identifying and assessing fraud risks.

How can data analytics be leveraged as a fraud prevention and detection tool?

Using data analytics can greatly assist fraud detection and prevention within organizations. There are many widely recognized benefits of the application of technology and data analytics tools in internal audits, resulting in internal audits that are more efficient and effective.

Using data analytics gives internal audit teams access to new and improved ways of testing which lead to more focused and insightful internal audits, including the ability to:

• Test entire populations and avoid losing the information in samples. Fraudulent transactions, by nature, do not occur randomly and may not be flagged by sampling transactions;
• Proactive fraud detection by running repetitive or continuous analysis and engaging in real time testing. Having systems in place that alert to potential fraud or breach of controls as they occur, and look at every single transaction, acts as a strong preventative measure when people are made aware of these routines;
• Identify suspicious patterns in large populations, such as unusual relationships between vendors and employees (shared bank accounts, addresses, similar names), data matching, duplicate transactions, etc.

Presently there is a skills and resources gap in public sector internal audit departments when it comes to use of technology and data analytics tools. Addressing this gap, by investing in data analytics tools and uplifting the skills of staff or engaging external experts, is an important focus area for public sector internal audit departments so the benefits offered by these technologies can be fully utilized.

Fraud Risk Assessments and Fraud Plans

All organizations should perform an assessment of fraud risks. These assessments are a key element in fraud risk management and play an important part in effective fraud prevention strategies. When fraud risks are identified, organizations should develop fraud plans that specify how those risks can be monitored, addressed, and mitigated.

While performing fraud risk assessments, management should consider several questions, such as how weaknesses in the control system may be exploited, whether controls can be overridden, what the organization’s experience of frauds is (by function, position, relationship), and how they can be prevented in the future.
Assessments should include:

• Identifying inherent fraud risks arising from internal and external sources and assessing the likelihood and significance of these identified risks occurring;
• Identifying existing preventative and detection controls and mapping them to the relevant fraud risks, as well as evaluating whether the controls address identified fraud risks effectively;
• Evaluating residual fraud risks resulting from ineffective or non-existent controls; and
• When fraud risks are identified, developing a comprehensive fraud plan that includes assigning an appropriate person for addressing the risk, implementing systems to monitor the risk, and considering alternative controls to mitigate the risk.

Fraud risk assessments should be updated at least every two years to reflect changes to the business and more frequently as new programs and initiatives are introduced.

Fraud Management: Good Practices

Senior Officials and Management have a critical role to play in implementing effective anti-fraud measures in public sector organizations. Strategies to be employed can include:

Promoting a strong ethical culture across the organization
Having a clear code of ethics that has been communicated effectively to all employees as well as implementing regular training in ethics and the organizational code of conduct.

Setting the tone from the top
Demonstrating ethical behavior, taking enforcement action against fraud perpetrators, and empowering and motivating staff to act and do the right thing.

Implementing annual ethical compliance declarations from employees, suppliers, and other stakeholders
These could prompt individuals to report any issues and improve their awareness of anti-fraud policies and procedures. Conflict of interest statements can also be implemented to ensure that full disclosure of circumstances has been made.
Establishing Audit Committees and Boards with oversight roles within public sector organizations (starting with SOEs)
Responsible to oversee management’s identification of fraud risks and implementation of anti-fraud measures, as well as supervising the work of the internal audit function.

Implementing a robust anti-fraud environment
Performing periodical fraud risk assessments that evaluate the exposure to various types of fraud; developing a fraud risk plan, procedures, and guidelines; as well as maintaining a strong internal control environment within the organization. Obtaining assurance that the risk of fraud is being effectively incorporated within the internal audit risk assessment is another well recognized anti-fraud deterrence measure.

Focus on fraud during ongoing reviews
Addressing fraud risk in the audit universe and plan as a core element of the annual risk assessment process. Performing internal audits that include in their scope a focus on fraud risk during every audit, applying appropriate professional skepticism in the exercise of professional judgment during internal audit reviews, and assessing the adequacy of the organization’s fraud risk management process.

Establish and keep updated the internal audit fraud risk policy
The policy states clearly the responsibilities for addressing fraud risk and should include supporting investigations, with internal audit involvement, into any irregular or suspicious activity involving employees, senior officials/management, and other parties that have a relationship with the organization.

Investing appropriately in resources and capacity of internal audit departments
Including adequate resourcing, with sufficient staff to respond effectively to fraud risks, enabling access to appropriate technology and data analytics tools that can significantly aid their investigations, as well as investing in skills and competencies of internal audit staff.
Emphasis on fraud-specific training
Staff who manage payments, procurement, and contracting processes should receive specific fraud training to enhance their skills in fraud.

Implementing organization wide fraud-awareness activities
All staff should receive fraud awareness training to gain an understanding of the nature, factors that lead to, and characteristics of frauds.

Establishing appropriate channels for reporting fraud
Introducing hotlines and whistleblowing mechanisms, appointing irregularity officers as contact points for communicating and reporting frauds, conducting employee surveys, establishing policies for anonymity and confidentiality, as well as anti-retaliation policies, etc.

Implementing procedures for responding and investigating fraud
Cooperating with financial inspection and other respective bodies, and ensuring that fraud is investigated by government staff who have adequate skills and competences in investigative interviewing and evidence handling.

© 2017 International Bank for Reconstruction and Development / The World Bank
1818 H Street NW
Washington DC 20433
Telephone: 202-473-1000
Internet: www.worldbank.org

This work is a product of the staff of The World Bank with external contributions. The findings, interpretations, and conclusions expressed in this work do not necessarily reflect the views of The World Bank, its Board of Executive Directors, or the governments they represent. The World Bank does not guarantee the accuracy of the data included in this work. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of The World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries.

Rights and Permissions: The material in this work is subject to copyright.
Because The World Bank encourages dissemination of its knowledge, this work may be reproduced, in whole or in part, for noncommercial purposes as long as full attribution to this work is given. Any queries on rights and licenses, including subsidiary rights, should be addressed to World Bank Publications, The World Bank Group, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2625; e-mail: pubrights@worldbank.org.

ACKNOWLEDGEMENTS

“Public Sector Internal Audit: Focus on Fraud” grew out of the exchange of ideas and information among members of the Internal Audit Training of Trainers Community of Practice (IA ToT), funded under the Strengthening Accountability and the Fiduciary Environment (SAFE) Trust Fund established by the Swiss State Secretariat for Economic Affairs (SECO) and the European Commission with the aim of improving public financial management in the Europe and Central Asia region. The World Bank Centre for Financial Reporting Reform (CFRR) wishes to thank all IA ToT members for their valuable input while developing this publication.

The publication was developed by a World Bank team including Kalina Shukarova–Savovska, Senior Financial Management Specialist, CFRR, and Arman Vatyan, Senior Financial Management Specialist, with contributions from Daniela Danescu, Senior Consultant, Interim Audit Management Consultancy and Ljerka Crnkovic, Croatian Ministry of Finance, Central Harmonization Unit.