During his budget speech last Wednesday, Finance Minister, Calle Schlettwein, alluded to dancing with the snake, while speaking about the corrupt business practices permeating the country.
“Let us jointly remove the snakes from the dance floor, by reporting them instead of engaging them,” Schlettwein said.
“Whether it is the misuse of office, soliciting and receiving bribes, inflating tender prices, or whatever improper conduct, of persons who further their personal gain to the detriment of the common good, it must be dealt with. It is well-known that the poor suffer most from the impact of corruption. Let us make sure that all parties to these illicit activities are brought to book.”
Given the current state of economy, the temptation to dance with the snake is increasing day by day, as individual and companies craft clandestine ways to survive and keep up appearances.
We have civil servants, who have to serve, while trying to plot their way through these unfavourable economic circumstances, where retrenchments and foreclosures are becoming more commonplace.
We have the NGOs that have to implement projects, according to their proposal and budget, but whose employees also have to survive, after the projects are completed.
We have banks that have to issue loans, but who have loan officers that may be tempted to do something untoward, to benefit themselves. We have directors who have to maximise shareholder value, but who also have to take care of their own purses. We have politicians, who are accountable to the people, but also have a life outside politics, where the trappings of power and wealth are immense.
Every day professionals, politicians and others face all sorts of conflicting roles and situations, which if not monitored properly and ethically, by effective and efficient systems and controls, will render all anti-fraud and corruption talk hollow.
It is only through diligent and continuous monitoring that an organisation can protect itself against devastating acts of fraud and corruption.
Below are some key principles for proactively establishing an environment to effectively manage an organisation’s fraud and corruption risk.
Principle 1: A risk management programme
As part of an organisation’s governance structure, a fraud and corruption risk management programme should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.
Corporate governance defines the manner in which management and those charged with oversight accountability meet their obligations and fiduciary responsibilities to stakeholders. Boards and those entrusted with oversight, should be well-versed in corporate governance principles, and should ethically correct themselves.
Effective business ethics programmes can serve as the foundation for preventing, detecting, and deterring fraudulent and criminal acts. An organisation’s ethical treatment of employees, customers, vendors, and other partners, will influence those receiving such treatment.
These ethics programmes create an environment where making the right decision is implicit. To help ensure an organisation’s fraud risk management programme’s effectiveness, it is important to understand the roles and responsibilities that personnel at all levels of the organisation have, with respect to fraud risk management.
Principle 2: Exposure assessment
Fraud and corruption risk exposure should be assessed periodically by the organisation, to identify specific potential schemes and events that the organisation needs to mitigate. The foundation of an effective fraud risk management programme should be seen as a component of a larger enterprise risk management (ERM) effort, and is rooted in a risk assessment that identifies where fraud may occur, and who the perpetrators might be.
To this end, control activities should always consider both the fraud scheme and the individuals within, and outside the organisation, who could be the perpetrators of each scheme. If the scheme is collusive, preventive controls should be augmented by detective controls, as collusion negates the effectiveness of the segregation of duties.
To identify inherent fraud risks, organisations should gather information on risks that could apply to the organisation. Included in this process is the explicit consideration of all types of fraud schemes and scenarios - incentives, pressures, and opportunities to commit fraud - and IT fraud risks specific to the organisation.
The organisation should also assess the relative likelihood and potential significance of identified fraud risks, based on historical information, known fraud schemes and interviews with staff, including business process owners.
It should also decide what the response should be, to address the identified risks and perform a cost-benefit analysis of fraud risks, for which the organisation wants to implement controls or specific fraud detection procedures.
Principle 3: Prevention techniques
Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organisation.
One key to prevention is making personnel throughout the organisation aware of the fraud risk management programme, including the types of fraud and misconduct that may occur.
Establishing internal controls may not address all of an organisation’s fraud risks.
Fraud is a business risk that necessitates specific controls to mitigate against, which makes an organisation’s assessment process essential to fraud prevention.
In addition to implementing fraud preventive controls, it is important that the organisation assess and continuously monitors its operational effectiveness, to help prevent fraud from occurring.
Principle 4: Detection
Detection techniques should be established to uncover fraud events, when preventive measures fail or unmitigated risks are realised.
Having effective detective controls in place, and visible, is one of the strongest deterrents to fraudulent behaviour. Used in tandem with preventive controls, detective controls enhance a fraud risk management programme’s effectiveness, by providing evidence that preventive controls are working as intended, and are identifying fraud that occurs. Although detective controls may provide evidence that fraud is occurring, or has occurred, they are not intended to prevent fraud
Principle 5: Reporting process
A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used, to help ensure potential fraud is addressed appropriately and timely.
It is essential that any violations, deviations or other breaches of the code of conduct or controls, regardless of where in the organisation, or by whom they are committed, be reported and dealt with in a timely manner. Appropriate punishment must be imposed, and suitable remediation completed. The board should ensure that the same rules are applied at all levels of the organisation, including senior management.