Managing Risk of Fraud – Some good practices
- Posted by Srinivas Alamuru on Jul 27, 2020
Fraud is an unlawful advantage gained by a person through deceit or concealment. Fraud results in significant losses to the public exchequer and adversely affects service delivery. Fraud, like corruption, deprives the community of resources which would otherwise have been available for improving wellbeing of people by providing better services. Fraud in certain sensitive areas (e.g. issue of passports) canhave harmful consequences for the security of the country. Benefit payments (such as scholarships and old age pensions), wage and payroll payments and subsidies under various government schemes have generally been more vulnerable to fraud.
However, it is seen that corruption draws a lot of attention in media and otherwise. Transparency International’s corruption perception index is closely followed from year to year. There is a specific law viz. Prevention of Corruption Act and institutions such as Central Vigilance Commission that address the risk of corruption. Whereas, fraud does not receive the same notice although a casual glance at reports of Comptroller and Auditor General, Vigilance Commissions and in the media shows that governments are all the time losing substantial amounts due to fraudulent activities. In India, there is no separate legislation dealing with fraud as in the United Kingdom(Fraud Act 2006)and the USA (Major Fraud Act 1988). Although, fraudulent activities are covered by the Indian Penal Code, the word ‘fraud’ itself is not defined; instead what constitutes ‘doing a thing fraudulently’ is explained in Section 25 as – ‘a person is said to do a thing fraudulently if he does that with intent to defraud but not otherwise’. The expression fraudulently occurs in Sections 206, 207, 208, 242, 246, 247, 252, 253, 261, 262, 263 and Sections 421 to 424. Forgery
Besides numerous small value opportunistic frauds committed by individuals, there are also serious frauds involving organized effort and complex operations involving huge amounts such as the Stamp Paper Scam, Fodder Scam and several others. Although losses due to fraud are common and they add up to sizable sum, there have been no systematic efforts to collect data, practices, etc. It is seen that most government departments do not have any formal approach to managing fraud. Sometimes even basic checks and balances (internal controls) are lacking and obvious fraud indicators (red flags) are ignored. Lessons learned from experience are not internalized through improvement in systems.
In some developed countries, on the other hand, there is a continuous effort to estimate and assess likely frauds and address the risk by taking suitable measures. The UK Department for Work and Pensions, for instance periodically estimates losses on account of possible fraud in programs such income support and Job seekers’ allowance. Similarly, National Health Service estimates prescription fraud. There are several practice guides like The Orange Book – Management of Risk – Principles and Concepts (October 2004) and Managing the Risk of Fraud – A Guide for Managers (May 2003) brought out by Her Majesty’s Treasury, U.K. for government managers to deal with fraud. Several key departments have counter fraud units.
Corruption and Fraud
The Asian Development Bank defines corruption most concisely as ‘the abuse of public or private office for personal gain.’ Corruption 'involves behaviour on part of the officials in the public sector, whether politicians or civil servants, in which they improperly and unlawfully enrich themselves, or those close to them, by misuse of the public power entrusted to them' (Transparency International, 1996).
Fraud is defined as 'a legal concept, which involves acts of deceit, trickery, concealment, or breach of confidence that are used to gain some unfair or dishonest advantage; an unlawful interaction between two entities, where one party intentionally deceives the other through the means of false representation in order to gain illicit, unjust advantage.' (XVI International Conference of Supreme Audit Institutions (INCOSAI) Uruguay, 1998).
Many definitions of corruption include fraud thus collapsing the distinction between fraud and corruption. Actually although ‘fraud and corruption are linked, they are not the same, rather they are like two concentric circles that overlap in some areas but are separate in others. You can have fraud and no corruption. You can have corruption and no fraud. But where there is fraud there is often corruption’ (OECD/ADB 4th Anti-corruption conference).
Internal, external and collusive frauds
While an internal fraud is one where an employee of the organization commits fraud and an ‘external fraud is where third parties, such as businesses, individuals or organized crime groups, steal money from a department or agency, either by obtaining payments to which they are not entitled or keeping monies that they should pay over to the department. Frauds are opportunistic attempts by individuals or businesses to obtain financial advantage.' (A Guide to good practice in tackling external fraud, National Audit Office, U.K.) Collusive fraud is where fraud by a third party is facilitated by an insider i.e. the employee who receives a kickback for the assistance he renders.
The fraud triangle
Typically, fraud takes place when there is a) an incentive (low risk - high return) or pressure (of personal circumstances, say indebtedness or an addiction); and b) an opportunity present in the form of a weak control (an open door); and c) an attitude or value which allows the perpetrator to rationalize the fraudulent act (e.g. it is their mistake that they left the door open; or they deserve / can afford it anyway).
The Fraud Triangle (see figure) is key to understanding and dealing with the risk of fraud as all measures for mitigating the risk have to deal with tackling these three elements one way or the other. If strong and effective internal controls deny the opportunity for fraud, equally strong detect controls would take away the incentive for committing fraud.
Deterring Fraud
‘All types of fraudsters weigh up the potential gains against the risk of getting caught and the sanctions they may face. Government departments and agencies need to make fraud as unattractive as they can’ (Good Practice in Tackling External Fraud –National Audit Office & HM Treasury, U.K.). Therefore, government must put in place strong measures that would dissuade anyone from committing fraud. Combined with preventive controls, detective controls enhance the effectiveness of an anti fraud program by providing evidence that preventive controls are working as intended and identifying fraud if it occurs.
The entity must adopt a strategic and risk-based approach to managing fraud. It should create an anti-fraud culture through publicity campaigns, which would alert the would-be fraudsters that the entity follows a zero tolerance approach towards fraud. Most importantly, the entity should formally adopt and issue a Fraud Risk Control Policy, which would include assigning ownership and responsibility for overall management of anti-fraudactivities to a senior functionary. Assessing the organization’s vulnerability to fraud and developing a suitable response is very important.
Preventing fraud
If deterrence is the first line of defence, prevention is the second line of defence in fraud control. An important instrument for preventing fraud is through effective internal controls. Processes should be reengineered to reduce the risk of fraud. While introducing a new scheme or program, the potential risks of fraud must be evaluated to ensure that there are no loopholes that potential fraudsters would exploit. A very important preventive measure is to properly screen candidates for security risks before taking them on employment. Often, it is seen that persons engaged on temporary / casual basis are entrusted with sensitive tasks related to handling cash and banking, which is highly detrimental.
Detecting Fraud
Even after having very strong deterrent and preventive mechanisms there will always be a possibility of the potential fraudster getting around the controls to commit a fraud. Moreover, it is practically impossible to prevent all types of fraud. Nor would it be cost effective. Therefore, it is important that there are sound systems to detect instances of fraud at the earliest. In fact, one of the strongest deterrents to fraud is the perception that effective detect controls are in place.
Detect controls provide evidence that fraud has occurred, or is occurring. Although they are not by themselves intended to prevent fraud, a strong and effective detect control actually prevents fraud from occurring as the certainty of detection (fraud being found out) decreases the incentive to commit fraud. Detect controls are generally also more economical. A proper audit trail, record of logging into system (in case of computerized systems), surveillance cameras, having a well-publicised whistle blower policy, etc. have remarkable impact on controlling fraud. Use of statistical and IT tools (data analytics) would be very helpful in detecting frauds in a timely manner. Three important fraud detection methods are process related controls specifically designed to detect fraudulent activity viz. reconciliations, independent reviews, physical inspections/counts, analyses, and audits.
In order to be able to detect a fraud, the concerned staff should be familiar with the likely frauds and the indicators that would point to the fraud. They should be sensitized to fraud indicators (red flags) so that they are able to trigger closer examination of evidence to establish fraud. Suspicious behaviour (such as staying late beyond office hours or attending office on holidays for no apparent reason), unusual events, etc. should raise alarm.
Investigating and dealing with frauds detected.
Nothing can be a greater deterrent to fraud than an efficient investigation and quick delivery of punishment. Conversely, a low risk of either being caught or, if caught, not being quickly and severely punished increases the incentive to commit fraud. Therefore, it is absolutely imperative that once a fraud is detected, it is investigated in the most professional, objective and timely manner possible. Investigations must be undertaken by trained staff, be compliant with the legal provisions and brought to closure without undue delay. Longwinded procedures and several levels of appeals that delay the endshould be avoided by instituting a more effective and efficient procedures.
Conclusion
Risk of fraud is ever present and every organisation has a responsibility to manage it in the best manner possible. That this has to be driven from the top management cannot be over emphasized. Head of the organization must be aware that one’s organization is vulnerable to fraud and should take primary responsibility to deal with it. There is no substitute to constant vigilance.
This blog is based on the document ‘Management of Risk of Fraud in Government - A Good Practices Guide’ prepared by the author. The full text can be downloaded from Centre for Good Governance website or by following the link - https://www.cgg.gov.in/core/uploads/2017/07/Fraud-Risk-Management-Good-Practices-Guide.pdf
Like
0
0 Comments
