Attribute 2: Responsibility Structures

The Need to Establish and Define Organisational Responsibility

Management is charged with the stewardship of the agency's assets. It must create an appropriate atmosphere within the agency. This includes the effective establishment of organisational responsibility for fraud control. Senior management was aware of its responsibility to assist with the prevention of fraud in only 70% of agencies surveyed.

Defining organisational responsibility for fraud control is concerned with establishing a truly comprehensive and effective organisational framework through which the agency's fraud control strategy can operate. Without this roles will be unclear and vital aspects of fraud control may be neglected.

A comprehensive responsibility structure must be developed to implement and give effect to the agency's fraud control strategy.

Management Responsibilities

Amongst the various roles with which senior management of an agency are charged are responsibilities to:

• achieve defined goals
• safeguard all assets
• assure the efficient use of resources
• satisfy all legislative requirements and other relevant directives
• facilitate effective and transparent, visible accountability.

In part, management deals with these responsibilities through the implementation of sound systems of internal control. This in turn assists in the prevention and detection of fraud.

Many managers do not fully understand or appreciate the full dimensions of their roles and responsibilities in terms of accountability generally and fraud control in particular.

Appendix 1 outlines professional standards relating to the detection and prevention of fraud. This appendix has been prepared and included in response to continuing argument and confusion over the respective roles and responsibilities of management and auditors in the area of fraud control.

The Audit Office has stated that:

basically, the responsibility for the prevention of fraud rests with management.

(1993 Report to Parliament, Volume 1, page 18).

Managers must realise that fraud does exist and may occur within their area of responsibility. This needs to be conveyed to all levels of management and they should be made aware of the responsibility that is attached to their position in the prevention and detection of fraud.

At a strategic level management's responsibility to prevent and detect fraud should be reflected in the agency's:

• corporate plan
• management plans
• operational manuals.

At the operational level management's responsibility to prevent and detect fraud should be included in:

• job descriptions and statements of duties
• office circulars
• office procedures.

Management should carry out these responsibilities through the day to day operations of their job and their interaction with staff.

Managers must set standards and instill these ideals in their staff. If staff are to follow correct control procedures, as well as be aware of the possibility of fraud occurring and report any suspected fraud, they must look towards their managers for guidance and support. If that support is not evident then an unfavourable work environment may result. This in turn could severely affect the implementation and subsequent effectiveness of the fraud control strategy.

Employee attitudes and behaviour within a large agency was found to be heavily influenced by management leadership rather than the laid down policy and procedures. Some officers took active steps to discourage a serious dishonest practice but received little support from senior management. This was conducive to establishing a culture where corruption could prosper.

The Fraud Control Committee

Where feasible a fraud control committee is suggested as a potentially useful means for implementing fraud control. The committee is ideally placed to take responsibility for setting priorities, coordinating the agency's fraud control strategy and communicating it to all levels of management and staff alike.

The agency's fraud control strategy document should state who is on the committee and detail its responsibilities.

Generally the committee should comprise senior officers who effectively represent the organisation's key personnel. Where the agency already has an Audit Committee in operation it may wish to combine the two. However, the roles and purpose of each are not identical and care should be taken if such a course is contemplated. Membership of each committee may also not necessarily be identical.

The committee should meet on a regular basis particularly in the early period of development of the agency's strategy. In the long term the committee should continue to meet as needs dictate; but at least on a six monthly basis.

The fraud control committee is able to provide vital support to the chief executive. The committee is positioned to play a key role in setting policy and ensuring the collective policies within the overall fraud control strategy operate effectively.

Suggestions for some of the committee's responsibilities include:

• coordinating the agency's overall approach towards fraud control.
• drafting the fraud control strategy, establishing a timetable for implementation and monitoring progress.
• oversighting the development of elements and actions under the ten individual attributes of the strategy, including such key matters as:
  • developing fraud reporting and disclosure protection policies.
  • determining policy on how investigations should be handled.
  • assessing the results of fraud risk assessments.
  • oversighting the development of fraud education programs.
• ensuring that all fraud control initiatives are prioritised and applied consistently.
• ensuring that all fraud initiatives are capable of integration within the agency.
• documenting management responsibility to prevent and detect fraud.
• receiving reports of suspected fraud (though these may go elsewhere as well, or instead. This is to be determined under one of the specific attributes).
• reviewing investigation reports.
• ratifying disciplinary action (though this may occur other ways).
• instituting systems for reporting to the ICAC (though the principal officer must retain specific responsibility for reporting to the Commission).
• keeping informed of current developments and issues in fraud control generally and disseminating relevant best-practice information throughout the organisation as appropriate.
• reviewing the ongoing effectiveness of the strategy overall and of the various elements under each of the ten attributes.
  

A Comprehensive Responsibility Structure

It may be desirable to designate a Fraud Prevention Manager to implement and coordinate ongoing fraud control activities at the operational level. To achieve this the committee will need to give the position appropriate authority and a clear mandate to implement required reforms.

Establishing functional responsibility through a Fraud Prevention Manager need not necessarily involve an additional position on a permanent basis. The role could possibly be assigned to an existing position. These decisions will need to be taken based on factors such as the size of the agency and the extent of action required in the first instance.

However, the development of an effective responsibility structure does not stop there. For the agency's fraud control strategy to be truly effective the responsibility structure must effectively involve operational line management.

Line managers are responsible for day to day operations and as such are at the coal face to meet fraud head on. It is through their actions that the agency will largely attempt to prevent and detect fraud.

Fraud control responsibilities to be defined for line managers could include:

• informing divisional/section managers of their responsibility for fraud prevention and detection.
• coordinating fraud education programs for divisional/sectional managers and staff employees.
• delegation of duties to divisional/sectional managers where practical.
• setting/enforcing disciplinary standards.
• identifying high fraud risk areas.
• identifying specific sources of fraud risk.
• assessing the cost benefit of introducing anti-fraud procedures.
• developing/modifying local practices to reduce fraud risks.
• ensuring that fraud control plans for each region/division/directorate are properly prepared and acted upon.
• monitoring continued operation of controls to prevent fraud.
• reporting suspected frauds.

In "lateral" terms the responsibility structure for fraud control could traverse all operational dimensions of the agency. "Vertically", depending on the size and form of the agency, the structure could encompass operational levels ranging from the chief executive to operational section managers as depicted in Figure 2.2.

Figure 2.2: A Comprehensive Responsibility Structure for Fraud Control is required.

It is acknowledged that not every agency will be able to or would need to set up a structure along the lines envisaged by Figure 2.2. The size of the agency coupled with resource requirements must be considered. However, this should not be used as an excuse to avoid the need to set up an effective responsibility structure.

Large agencies should be able to work under a structure that defines responsibilities for a fraud control committee; a fraud prevention manager; and for line management right down to divisional/section managers.

Medium sized and small agencies should generally attempt to develop similar responsibility structures to that for large agencies. However, in some instances responsibility at the divisional or sectional level will need to be amalgamated and a designation of fraud prevention manager may not be present.

A classic symptom of appearing to define responsibility but in reality failing to do so is when responsibility for fraud control has become the exclusive domain of elite groups within the agency.