Skip to content. | Skip to navigation

Personal tools

You are here: Home / Governance and accountability / Preventing and detecting fraud: are you staying ahead of the game?

Preventing and detecting fraud: are you staying ahead of the game?

Posted by Karen Smith | Governance and accountability | Nov 13, 2017
It’s Fraud Awareness Week. Now’s a good time for leaders to check whether they’re as prepared as they could and should be…

Fraud Awareness Week

People often think that auditors are responsible for detecting fraud. But they aren’t – international standards about auditing are clear that finding fraud isn’t the auditor’s responsibility. The job of preventing and detecting fraud rests with the senior leadership team and, if there is one, the governing body:

The primary responsibility for the prevention and detection of fraud rests with both those charged with governance of the entity and management. It is important that management, with the oversight of those charged with governance, place a strong emphasis on fraud prevention, which may reduce opportunities for fraud to take place, and fraud deterrence, which could persuade individuals not to commit fraud because of the likelihood of detection and punishment.

Auditing standard about fraud: ISA (NZ) 240

We’re increasingly seeing indicators that the risks of fraud in the public sector are getting higher.

Fraud causes all sorts of damage – not just financial, and not just on that organisation but on the wider public sector as well. So what do the leaders of an organisation need to do?

Check that the controls are still up to scratch

Every organisation ought to have strong and tested controls in place to manage their business well. We can help a little, here: if we audit the organisation, we’ll do some testing of the key controls during the audit and tell the organisation about any weaknesses that we see. But the vigilance and attention on those controls needs to come clearly from the governing body and leadership team.

What’s an example of a key control? Well, the most basic is that money doesn’t get paid without someone senior first approving the payment – and the person deciding who gets paid is not the person who signs the cheques. That sort of control is called a “separation of duties”.

In New Zealand’s public sector, most of the controls are pretty good, which is why those controls are the usual way that fraud gets picked up.

It’s a rapidly changing world. The controls that worked very well for the last five years might not be quite strong enough now. We expect people in leadership roles to be thinking about these sorts of matters and taking action – controls need to stay relevant and effective, which means reviewing and testing them, and strengthening them where need be.

Get the culture right

Preventing fraud can’t ever be just about the systems and controls, because determined people will always find a way around them. We produced a series of reports in 2011 and 2012 about fraud, based on a big survey we commissioned. Back then, we said that the culture of an organisation is hugely important:

Building a culture where governance, management, and staff are receptive to talking about fraud is important. Our findings suggest that the incidence of fraud is lowest where a public entity's culture is receptive to these discussions, communication is regular, and where incidents are reported to the relevant authorities.

Fraud awareness, prevention, and detection in the public sector, 2012

People are less likely to try to get away with fraud if their co-workers know what to look for and will speak up if they suspect wrong-doing. This is where the “tone at the top” is particularly important – as New Zealanders, we tend to be trusting and our largely clean way of operating means that we aren’t used to fraud. Staff need to be reminded, often, that trusting other staff isn’t a fraud control.

It’s critical that senior managers get the balance right: trusting people to give their best at work while having strong checks and balances in place, and a culture where people feel safe to question and call out behaviour or practices that look a little odd or suspicious.

Take the risk of fraud seriously and respond decisively

We expect public sector organisations to be taking the risk of fraud seriously and have a plan for how to respond to suspected fraud:

The Auditor-General expects that every public entity should formally address the matter of fraud, and formulate an appropriate policy on how to minimise it and, if it occurs, how it will be dealt with.

Auditing standard about fraud: AG ISA (NZ) 240

We generally expect all suspected wrongdoing, including thefts and suspected fraud, to be referred to law enforcement agencies. In 2012, we found that only 39% of suspected fraud incidents had been reported to law enforcement agencies.

You don’t stop fraud by sweeping it under the carpet. Fraudsters need to be caught and stopped. If wrongdoing of any sort isn’t addressed – and not just by firing someone or letting them resign – then the poor behaviour can continue at another organisation in the public sector or elsewhere.

More about audits and fraud

If you want to know more, check out the standard about fraud that all auditors have to comply with and the data on suspected fraud that we get told about. There’s also useful information in the reports we published in 2011 and 2012 on fraud risks for different types of organisations.

If you want the essential stuff, it’s this:

  • Trusting staff is not a control to prevent or detect fraud.
  • Maintaining a culture of integrity can help to keep fraud at bay.
  • A culture of integrity is most effective when supported by strong controls.
  • Taking appropriate action where there is suspected fraud acts as a deterrent.
  • Organisations need to refer instances of suspected fraud to the appropriate law enforcement agencies.

Given that it’s Fraud Awareness Week, we encourage all leaders in the public sector, no matter how large or small their organisation, to stop and think seriously about whether the key controls, the culture of their organisation, and the plan for responding to suspected fraud are all lined up to make it as difficult as possible for fraud to occur.

Conor McGarrity
Conor McGarrity says:
Nov 17, 2017 01:19 PM
It's also important to note that with the rapid advancements in data analysis there is greater scope now to employ automated techniques to monitor for fraud red flags. The best starting point involves establishing the contributing factors in each of the previous known fraud cases:
 
What were the key touch-points for the fraudulent acts (how did the opportunity arise, how was it maximised and why didn’t we spot it)?
What were the prevailing operational/contextual factors at the time (e.g. a need to expand operations / compressed delivery timeframes, a need to facilitate quicker transactions or simple self-sustaining greed)?
What data is or was available that could have helped to prevent or detect this activity earlier, and how do we make sure we can use it better in the future?
 
With the rapid democratisation of data there is greater opportunity to access information that might allow for extra analysis. Ongoing fraud risk analysis and monitoring is therefore not as difficult to do as you might think – it just takes a new approach to understanding what the integrity risks look like, how the conduct could be perpetrated and what data we have available to monitor for the specific risk occurring.
Karen Smith
Karen Smith says:
Nov 20, 2017 01:23 PM
Hi Conor,
Thanks for your comment. Yes, you are so correct - since the release of our reports about fraud there have been rapid advancements in data analysis. You have raised some fantastic questions, some of which we are currently exploring.
Karen
Add comment

You can add a comment by filling out the form below. Plain text formatting. Web and email addresses are transformed into clickable links. Comments are moderated.

Question: Type the code word, 567, here
Your answer: