NSW Audit Office - Better Practice - 1994 - Fraud Control Volume 2: Strategy

Attribute 1: Integrated Macro Policy

The Need to Establish a Fraud Control Strategy

In June 1990 the Premier's Department advised all agencies by circular of a new requirement to establish a strategy to prevent internal and external fraud. A 1993 performance audit conducted by the Audit Office clearly indicated that there was still much room for improvement to achieve full and effective implementation of the Premier's Department directive.

Each agency should possess a fraud control strategy as a clearly identifiable instrument at the policy level.

The strategy should detail the agency's stance on fraud. Many separate policy and action elements may be required for the strategy to be sufficiently comprehensive. The strategy must be properly conceived, constructed and documented in a suitable form so as to effectively draw all elements together to form a holistic and integrated raft of fraud countermeasures.

Only 60% of agencies surveyed indicated they possessed a formal fraud control strategy. Without one there is a risk that the various components of fraud control within an agency may have been formulated in such a way that the separate elements do not effectively complement one another. In a worst case scenario separate elements could possibly even contradict or detract from one another. There is also a risk that other vital elements may not have been considered at all.

Management Attitudes

Prior to the development of any strategy to prevent and detect fraud management attitudes may need to be changed. Despite strong and continuing evidence of the extent and resilience of fraud management often seem to develop a curious overconfidence in the adequacy of their fraud protection, or worse still not to accept that fraud may exist in their organisation.

There is evidence of organisations with no previous record of fraud suddenly becoming inundated with potential cases when a formalised strategy is introduced.

Inappropriate management attitudes in this area are not exclusive to either the public or private sectors, nor to any particular form of organisation. They appear simply to be a bad habit which many managers may have developed. Unless such management attitudes change effective fraud prevention and control cannot be implemented.

Managers must be made to realise the value of a fraud control strategy.

In the case of private sector or public sector commercial agencies fraud can result in:

a poor reputation and public image
a lack of business credibility
low employee morale and performance
poor dividend returns
reduced market share
an uncompetitive pricing structure
an inability to meet short term commitments
an inadequate capital base for future expansion
the business failing.

How common is fraud? Some 370 of the 850 largest companies across Australia experienced some form of fraud in 1993.

Fraud can be just as relevant and damaging to non-commercial and public sector inner-budget agencies. Performance is impaired. Funds are wasted and lost. As a result additional pressures are placed on budgets. Political embarrassment and damage to the State's reputation or rating may occur.

Specifically, it is estimated by various sources that up to 5% of turnover or gross sales could be lost to fraudulent activities.

Federal public sector fraud has been estimated at up to $13 billion annually. Without effective fraud control measures being in place the NSW public sector could be exposed to a potential fraud risk in excess of $1 billion each year.

Format of The Fraud Control Strategy

It is the agency's prerogative to determine the type and format of documentation it wishes to adopt for its fraud control strategy. Suggested formats include:

a single comprehensive and complete document addressing in detail all the aspects of fraud prevention and detection for the agency
a strategy outline which is brief in nature emphasisingthe ten attributes involved in fraud prevention but delegating the development of policies, actions and fraud countermeasures for each of these to other documents or designated areas within the organisation
a compilation of plans based on strategies produced by sections, divisions or regions of the agency merged into an overall corporate fraud strategy.

A variety of hybrid arrangements are also possible. Factors such as the size of the agency, its structure, the nature of operational divisions and so on should be taken into consideration in determining the most appropriate documentation format to use.

Usability and impact should also be considered. Where a single very large document may be apparent a series of linked papers may be more appropriate. The ability of documentation to effectively communicate and to deliver a strong impact are very important aspects to be considered.

An Holistic and Fully Integrated Package

As explained earlier, this fraud control model deliberately focuses firstly at the macro strategic level before going on to address matters of detail.

Attribute no.1 should actually be applied as the final step in formulating the agency's fraud control strategy. Having determined all of the specific elements necessary to address the other dimensions of the model this attribute requires that all elements then be considered from a macro perspective. The purpose is to consider the extent to which the raft of policies, actions and measures developed are able to work together in an effective and constructive manner. It also prompts the agency not to overlook any important issues and to consider whether its strategy is truly holistic and comprehensive.

Have the various policies and actions of the agency under each of the model's attributes been developed in view of the agency's needs and what will be most appropriate and effective for its situation? Has suitable research and analysis been undertaken in this respect? Has the issue of cost effectiveness been addressed?

Implementation Plan

Agencies should develop a clear, formal plan and timetable to implement a fraud control strategy. The time frame will naturally vary depending on the size and nature of the agency and the status of fraud control measures currently in place.

As a guide it is suggested that a medium sized agency currently not possessing any substantial aspects of fraud control in terms of the model should be able to develop and implement an adequate strategy within a twelve month time frame. At the most (that is for a large complex agency with much action required), full development and implementation of the strategy should not take in excess of two years. Agencies who have some fraud prevention elements in place could expect to implement a fully integrated fraud prevention strategy well inside these periods.

Each agency is more than capable of determining its own implementation plan and timetable, and must necessarily do so themselves to account for relevant factors such as available resources, other organisational priorities and so on.

The extent to which the various elements or phases of the process can be undertaken concurrently or need to run consecutively will greatly affect the total elapsed time required to develop and fully implement the strategy. This is only partly a factor of available resources. The extent to which relevant elements of the strategy already exist in some form within the agency is a major factor. The extent to which the agency adopts a "matrix-approach" to developing and implementing the various elements of the strategy will also determine how long it takes and the extent to which actions can proceed concurrently.

A matrix approach would involve the agency delegating responsibility for developing certain parts of the strategy to various sections within the organisation such as administration; personnel; training; industrial relations; public relations; internal audit and so on.

For a matrix approach to succeed a detailed implementation plan would need to be constructed and an implementation coordinator nominated. Active liaison, close monitoring, clear target dates and regular reporting would all be essential elements.

Many agencies will already have experience using approaches of this kind which are commonly used for the development and implementation of corporate and strategic plans. The fraud control strategy is, after all, only a particular form of strategic plan.

Implementation is not a one-off event. Ongoing review will be required to ensure that the strategy is effective and that further developments are made as required. Volume 3 specifically serves this purpose.

Costs and Resources

Implementing the conceptual framework of this model costs very little. It requires a change in thinking in some cases; adoption of an integrated and strategic approach; and use of a well structured and organised method. Beyond this, it is not the model but the agency's needs and situation which will determine what actions, and hence costs and resources, will be required.

The model is not an end in itself. It does not impose a standard cost factor on each agency. Rather, it provides a means to manage the overall study of an agency and subsequent development of an appropriate and cost effective strategy for fraud control.

Both large and small, simple and complex agencies can use the model with equal relevance. The level of detailed effort required to address fraud will naturally vary between agencies depending on factors such as their size and nature.

Proper application of the model will enable an appropriate and value-for-money approach to fraud control to be implemented.