Agencies lacked a coordinated approach to managing fraud and corruption risks:
- No agency had developed a fraud and corruption control plan. The Standard recommends this as an organisation’s first step to control its fraud and corruption exposure. Such a plan represents better practice and enables agencies to assure themselves that their approach to managing fraud and corruption risks is comprehensive, on-going and effective. Without organisational commitment agencies are less likely to identify and address their specific fraud and corruption risks.
- All agencies identify and assess risks as part of their organisational risk management processes. However, seven agencies had not considered the specific risk of fraud or corruption through this process. It is important that agencies identify fraud and corruption risks specific to their operations, so they can then implement effective policies, procedures and suitable controls to mitigate the identified risks.
Agencies can do more to prevent fraud and corruption. We tested two basic fraud controls and found:
- All nine agencies were conducting some form of employment screening, though the reasons for the screening were not well documented or well understood by those who conducted it. It was therefore not surprising to find that agencies were not consistently conducting this screening.
- Five agencies did not have a coordinated approach to training staff for fraud and corruption. Training enables agencies to highlight indicators of fraud to staff and to give them the basic skills to recognise circumstances that could give rise to fraud.
- Most agencies have resources allocated to the conduct of employment screening and the coordination of training. However these resources have not been focussed on fraud and corruption as a potential risk.
Fraud and corruption risks are not sufficiently linked to internal audit programs.
Only two agencies had identified their specific fraud and corruption risks and only one of these two had linked these risks to their agency’s internal audit program. A function of Internal Audit is to test the effectiveness of controls including those that can prevent or detect fraud and corruption.
Agencies responded appropriately to incidents of fraud where they had occurred, however did not require post incident reviews or trend analysis as part of their fraud management framework.
We found all agencies that had incidents of fraud had investigated and taken appropriate action. Only two agencies required post incident reviews of controls following the identification of fraud, and only one analysed incident trend information to identify systemic control weaknesses. Agencies may be missing opportunities to strengthen controls through lessons learned.
Our fraud and corruption maturity assessment shows that all agencies have room for improvement.
Our overall assessment of the maturity of each agency highlighted that all agencies regardless of size had room for improvement in how they prevented and detected fraud. We rated each agency against five criteria and gave ratings of zero to five on each with three being acceptable. Only one agency met the minimum rating on all criteria.