Preventing and detecting fraud: are you staying ahead of the game?
People often think that auditors are responsible for detecting fraud. But they aren’t – international standards about auditing are clear that finding fraud isn’t the auditor’s responsibility. The job of preventing and detecting fraud rests with the senior leadership team and, if there is one, the governing body:
The primary responsibility for the prevention and detection of fraud rests with both those charged with governance of the entity and management. It is important that management, with the oversight of those charged with governance, place a strong emphasis on fraud prevention, which may reduce opportunities for fraud to take place, and fraud deterrence, which could persuade individuals not to commit fraud because of the likelihood of detection and punishment.
Auditing standard about fraud: ISA (NZ) 240
We’re increasingly seeing indicators that the risks of fraud in the public sector are getting higher.
Fraud causes all sorts of damage – not just financial, and not just to the organisation concerned but to the wider public sector as well. So what do the leaders of an organisation need to do?
Check that the controls are still up to scratch
Every organisation ought to have strong and tested controls in place to manage its business well. We can help a little here: if we audit the organisation, we’ll do some testing of the key controls during the audit and tell the organisation about any weaknesses that we see. But vigilance and attention to those controls need to come clearly from the governing body and leadership team.
What’s an example of a key control? Well, the most basic is that money doesn’t get paid without someone senior first approving the payment – and the person deciding who gets paid is not the person who signs the cheques. That sort of control is called a “separation of duties”.
In New Zealand’s public sector, most of the controls are pretty good, which is why those controls are the usual way that fraud gets picked up.
It’s a rapidly changing world. The controls that worked very well for the last five years might not be quite strong enough now. We expect people in leadership roles to be thinking about these sorts of matters and taking action – controls need to stay relevant and effective, which means reviewing and testing them, and strengthening them where need be.
Get the culture right
Preventing fraud can’t ever be just about the systems and controls, because determined people will always find a way around them. We produced a series of reports in 2011 and 2012 about fraud, based on a big survey we commissioned. Back then, we said that the culture of an organisation is hugely important:
Building a culture where governance, management, and staff are receptive to talking about fraud is important. Our findings suggest that the incidence of fraud is lowest where a public entity's culture is receptive to these discussions, communication is regular, and where incidents are reported to the relevant authorities.
Fraud awareness, prevention, and detection in the public sector, 2012
People are less likely to try to get away with fraud if their co-workers know what to look for and will speak up if they suspect wrong-doing. This is where the “tone at the top” is particularly important – as New Zealanders, we tend to be trusting and our largely clean way of operating means that we aren’t used to fraud. Staff need to be reminded, often, that trusting other staff isn’t a fraud control.
It’s critical that senior managers get the balance right: trusting people to give their best at work while having strong checks and balances in place, and a culture where people feel safe to question and call out behaviour or practices that look a little odd or suspicious.
Take the risk of fraud seriously and respond decisively
We expect public sector organisations to take the risk of fraud seriously and to have a plan for how to respond to suspected fraud:
The Auditor-General expects that every public entity should formally address the matter of fraud, and formulate an appropriate policy on how to minimise it and, if it occurs, how it will be dealt with.
Auditing standard about fraud: AG ISA (NZ) 240
We generally expect all suspected wrongdoing, including thefts and suspected fraud, to be referred to law enforcement agencies. In 2012, we found that only 39% of suspected fraud incidents had been reported to law enforcement agencies.
You don’t stop fraud by sweeping it under the carpet. Fraudsters need to be caught and stopped. If wrongdoing of any sort isn’t addressed – and not just by firing someone or letting them resign – then the poor behaviour can continue at another organisation in the public sector or elsewhere.
More about audits and fraud
If you want to know more, check out the standard about fraud that all auditors have to comply with and the data on suspected fraud that we get told about. There’s also useful information in the reports we published in 2011 and 2012 on fraud risks for different types of organisations.
If you want the essential stuff, it’s this:
- Trusting staff is not a control to prevent or detect fraud.
- Maintaining a culture of integrity can help to keep fraud at bay.
- A culture of integrity is most effective when supported by strong controls.
- Taking appropriate action where there is suspected fraud acts as a deterrent.
- Organisations need to refer instances of suspected fraud to the appropriate law enforcement agencies.
Given that it’s Fraud Awareness Week, we encourage all leaders in the public sector, no matter how large or small their organisation, to stop and think seriously about whether the key controls, the culture of their organisation, and the plan for responding to suspected fraud are all lined up to make it as difficult as possible for fraud to occur.