Professional Documents
Culture Documents
Fraud and Corruption Risk Assessments: Whitepaper
Fraud and Corruption Risk Assessments: Whitepaper
Fraud and Corruption Risk Assessments: Whitepaper
Whitepaper
Fraud and
Corruption Risk
Assessments
JUNE 2017
Level 7, 133 Castlereagh Street, Sydney NSW 2000 | PO Box A2311, Sydney South NSW 1235
T +61 2 9267 9155 F +61 2 9264 9240 E enquiry@iia.org.au www.iia.org.au
Fraud and Corruption Risk
Assessments
• Decisions that might give significant benefits, or cause • Other entities and their employees, contractors, etc have
significant costs or inconvenience to clients, suppliers or access to it.
others. • Entities that have access to the information may not have
• Decisions that might give rise to substantial benefits for the processes, resources or incentive to properly protect
the individual decision-maker, unit or manager. it.
• Decisions we make that are important to our organisation. • The information is subject to legislative restrictions over
• Decisions that are otherwise higher risk. its collection, use, protection or disclosure, and this makes
improper use or access more serious.
Decisions that are generally higher risk typically include ones
• The information is subject to privacy rules.
where:
• Status of the information is unclear to staff or third parties
• The decision or the reasons for the decision are not well in relation to confidentiality, level of security required, etc.
documented • Internal controls for the protection of the information are
• The considerations taken into account have not been poor, eg poor password practices, people have access
disclosed to the entity affected by the decision. who do not need it, poor IT access controls, inadequate
• The decision does not follow a well-established process. audit trails, etc.
• The decision is largely subjective. • The information could be valuable to a third party, eg for
• The decision is made by only one person. marketing, commercial decisions, insider trading, illegal
• The decision is not reviewed properly. use, etc.
• Decisions of this kind are infrequent. • The information could cause significant damage to
• The decision-maker selects the item about which to make individuals it is about.
the decision. • Costs for the organisation associated with improper use
• The decision-maker is inexperienced, has limited by others could be significant.
knowledge of the matter, has limited time in which to • The information is a likely target, eg to embarrass the
consider the relevant factors, etc. organisation or key stakeholders.
• The entity affected by the decision is more likely to act • It is confidential information that is important to the
corruptly; eg the industry has a reputation for corrupt organisation or others, or is prone to theft, misuse or
or criminal activity, or the company has acted corruptly corruption.
before in Australia or overseas.
Funds-in
Information
Sources of revenue should generally be considered for
Information is often an important item for inclusion in a fraud associated fraud and corruption risks. Categories might
and corruption risk assessment, due to its value and the include:
reputational damage its misuse or disclosure might cause.
• Regular sources of revenue.
Information categories might include:
• Occasional and miscellaneous sources of revenue.
• Information subject to privacy rules. • Revenue collected by contractors or third parties.
• Information that is important to us or could be valuable to • Other funds that are substantial, or prone to fraud and
a third party. corruption.
Funds-in are generally higher risk if: • Things that are valuable.
• There is not a well-established and constantly used • Things that are easily taken, might not be missed, etc.
system for handling the revenue. • Things that staff, contractors or others are likely to
• The revenue is discretionary, or the calculation of the misuse.
revenue is complex or involves higher levels of discretion. • Other things we own or use that are significant, or prone
• The individual or cumulative amount of the revenue is to fraud and corruption.
substantial.
There are generally higher risk of items being stolen where:
• People paying the revenue resent paying it, for example
because it is seen as predatory, unfair or unreasonable. • The items have a high value.
• Theft of the funds would not be easily detected by the • The items are physically easy to take.
people paying the revenue. • The items are desirable or easy to sell.
• Collection is undertaken by contractors or third parties. • The items may not be missed if taken.
• Internal controls are poor, for example poor segregation • The items are not accounted for in a register.
of duties, lack of supervision, limited reconciliations, poor • If the items are taken it can be difficult to identify who
IT or accounting system, etc. took them.
• Physical security is poor, for example poor access and
Funds-out
security controls.
Statistically, the most significant fraud and corruption is • There is a history of items like these disappearing.
associated with outflows of funds. Categories that might be • The accounting or other controls covering these items
considered are: are poor, so it is easy to hide the misappropriation in the
books or records.
• Regular spending.
• There is a history of allowing staff to take the items.
• Funds to third parties such as contractors doing things for
us or on our behalf These are generally higher risk of these items being misused
• Irregular outgoings. where:
• Other spending that is substantial or prone to fraud and
• Internal controls over their use are poor.
corruption.
• There is a lack of policy guidance as to what use is, or is
Funds-out are generally higher risk where: not, allowed.
• Staff, contractors or other people are likely to misuse the
• There are poor internal controls, for example inadequate
items.
separation of duties, limited supervision or checking, etc.
• Misuse is unlikely to be detected or followed-up.
• Payments are not part of a continuous process, or are
• It would be difficult to detect or prove who misused the
irregular.
items.
• Only one person makes, initiates or authorises that type
of payment. Perceptions
• Individual or cumulative payments are large.
There may be situations when perceptions of fraud and
• There are high levels of subjectivity in the payments.
corruption may damage morale, reputation, brand, and
• Contractual arrangements are loose or subject to change.
relations with regulators, even when there is no evidence of
• There is no, or limited, post-transaction monitoring of
fraud or corruption. It may therefore be worth considering
payments to check they appear to be reasonable.
perceptions of fraud and corruption in decision-making. This
• There is a history of allowing suspicious payments.
may include decisions we make, or things we do, or others do
Things we own or use on our behalf, that people are likely to think are being done
corruptly. It is important we are seen to be honest and acting
Assets and resources owned or controlled by our organisation
with integrity.
are often susceptible to fraud and corruption. Categories that
might be considered are: