Fraud, Waste, and Abuse
The fundamental elements of an effective anti-fraud program that should be established by each agency are:
- Creating and maintaining a culture of honesty,
- Evaluating the risks of fraud and implementing the processes, procedures and controls needed to mitigate those risks, and
- Developing an appropriate oversight process.
Creating a Culture of Honesty and High Ethics
It is each agency’s responsibility to create a culture of honesty and high ethics. Such a culture is rooted in a strong set of core values (or value system) that provides the foundation for employees as to how the agency conducts its business. It also allows an entity to develop an ethical framework that covers (1) fraudulent financial reporting, (2) misappropriation of assets, (3) corruption, as well as other issues.
Creating a culture of honesty and high ethics should include the following:
- Setting the tone at the top
- Creating a positive workplace environment
- Hiring and promoting appropriate employees
Setting the Tone at the Top
The cornerstone of an effective anti-fraud environment is a culture with a strong value system founded in integrity. The value system is reflected in a code of ethics. The code of ethics should reflect the core values of the entity and guide employees in making appropriate decisions during their workday. The code of ethics might include such topics as ethics, confidentiality, conflicts of interest, and fraud. Each agency shall develop a code of ethics, which shall be communicated to each employee. Each employee shall sign a statement that they have received and understand the code of ethics. See Code of Ethics for an example.
The Code of Ethics shall be included in an employee handbook or policy manual so that it can be referred to when needed.
Creating a Positive Workplace Environment
Without a positive workplace environment, there are more opportunities for poor employee morale, which can affect an employee’s attitude about committing fraud against an entity. Factors that detract from a positive work environment and may increase the risk of fraud include:
- Negative feedback and lack of recognition for job performance
- Perceived inequities in the organization
- Fear of delivering “bad news” to supervisors and/or management
- Less-than-competitive compensation
- Poor training and promotion opportunities
- Lack of clear organizational responsibilities
- Poor communication practices or methods within the organization
Hiring and Promoting Appropriate Employees
Each employee has a unique set of values and personal code of ethics. When faced with sufficient pressure and a perceived opportunity, some employees will behave dishonestly rather than face the negative consequences of honest behavior. The threshold at which dishonest behavior starts, however, will vary among individuals. If an entity is to be successful in preventing fraud, it must have effective polices that minimize the chance of hiring or promoting individuals with low levels of honesty, especially for positions of trust.
Proactive hiring and promotion procedures may include:
- Conducting background investigations on individuals being considered for employment or for promotion to a position of trust,
- Thoroughly checking a candidate’s education, employment history, and personal references,
- Periodic training of all employees about the entity’s values and code of ethics, and
- Incorporating into regular performance reviews an evaluation of how each individual has contributed to creating an appropriate workplace environment in line with the entity’s values and code of ethics.
New employees should be trained at the time of hiring about the entity’s values and its code of ethics. This training should explicitly cover expectations of all employees regarding (1) their duty to communicate certain matters; (2) a list of the types of matters, including actual or suspected fraud, to be communicated along with specific examples; and (3) information on how to communicate those matters. In addition to training at the time of hiring, employees should receive refresher training periodically thereafter.
Management needs to clearly articulate that all employees will be held accountable to act within the entity’s code of ethics. All employees within senior management and the finance function, as well as other employees in areas that might be exposed to unethical behavior (for example, procurement, disbursement and receipting) should be required to sign a code of ethics annually.
Requiring periodic confirmation by employees of their responsibilities will not only reinforce the policy but may also deter individuals from committing fraud and other violations and might identify problems before they become significant. Such confirmation shall include statements that the individual understands the entity’s expectations, has complied with the code of ethics, and is not aware of any violations of the code of ethics. The confirmation shall reiterate the employee’s obligation to report fraud, waste and abuse of government resources.
At the time of performing annual employee performance evaluations, a signed confirmation should be obtained from the employee that they have read and understand the entity’s code of ethics.
A thorough investigation should be conducted for each alleged incident of fraud. If allegations of fraud are substantiated, then appropriate and consistent actions should be taken against violators.
Expectations about the consequences of committing fraud must be clearly communicated throughout the entity. For example, a strong statement from management that dishonest actions will not be tolerated, and that violators will be terminated and referred to the appropriate authorities, clearly establishes consequences and can be a valuable deterrent to wrongdoing.
State employees have the option of reporting allegations of fraud directly to the Office of Internal Audit. They can contact the Office of Internal Audit at (501) 682-0370, the 24-hour toll free Report Center at (800) 952-8248, or complete a fraud reporting form and mail to the Office of Internal Audit.
State agency management must be familiar with the Arkansas Whistle-Blower Act and their responsibility not to take adverse action against a public employee because the public employee or a person authorized to act on behalf of the employee communicates in good faith the existence of waste of public funds, property, or manpower; including federal funds, property, or manpower administered or controlled by a public employee; or a violation or suspected violation of a law, rule, or regulation adopted under the law of this state or a political subdivision of the state to an appropriate authority.
Evaluation Processes and Controls
Neither fraudulent financial reporting nor misappropriation of assets can occur without a perceived opportunity to commit and conceal the act. Organizations should be proactive in reducing fraud opportunities by (1) identifying and measuring fraud risks, (2) taking steps to mitigate identified risks, and (3) implementing and monitoring appropriate preventive and detective internal controls and other deterrent measures.
Identifying and Measuring Fraud Risks
Management has primary responsibility for establishing and monitoring all aspects of the entity’s risk assessment and prevention activities. Fraud risks often are considered as part of an agency-wide risk assessment program, though they may be addressed separately. The risk assessment process should consider the vulnerability of the entity to fraudulent activity (fraudulent financial reporting, misappropriation of assets, and corruption) and whether any of those exposures could result in a material misstatement of the financial statements or material loss to the organization.
The nature and extent of management’s risk assessment activities should be commensurate with the size of the entity and complexity of its operations. For example, the risk assessment process is likely to be less formal and less structured in smaller entities. However, management should recognize that fraud can occur in organizations of any size or type. Accordingly, management should develop a heightened “fraud awareness” and an appropriate fraud risk-management program, and appropriate oversight.
Managing the risk of fraud is the same in principle as managing any other business risk. When considering fraud risks in specific operations, agency management must determine which operational areas are most susceptible to fraud risk. Areas with previous losses, areas handling cash and areas distributing and administering grants are examples of areas that may be more susceptible to fraud.
The risk assessment should be performed by each agency once every two years.
Mitigating Fraud Risks
Once risk areas are identified by management, it is necessary to evaluate the adequacy of existing internal control activities and determine if further controls or changes to existing controls are required to reduce or eliminate the risk. Although there may be high risk fraud indicators in certain instances, other compensating measures may exist to mitigate the weakness in controls. It may be possible to reduce or eliminate certain fraud risks by making changes to the entity’s activities and processes. For example, the risk of misappropriation of funds may be reduced by implementing a central lockbox at a bank to receive payments instead of receiving money at the entity’s various locations. The risk of corruption may be reduced by closely monitoring the entity’s procurement process, etc.
Developing an Appropriate Oversight Process
To effectively prevent or deter fraud, an entity should have an appropriate oversight function in place. Agency management is responsible for overseeing the activities carried out by employees, and typically does so by implementing and monitoring processes and controls such as those previously discussed.
Management is encouraged to utilize an internal audit function in carrying out their oversight responsibility. An effective internal audit team can be extremely helpful in performing aspects of the oversight function. Internal auditors have the opportunity to evaluate fraud risks and controls and to recommend actions to mitigate risks and improve controls.
Internal auditors can be both a detection and a deterrence measure. Internal auditors can assist in the deterrence of fraud by examining and evaluating the adequacy and the effectiveness of the system of internal control. In carrying out this responsibility, internal auditors should, for example, determine whether:
- The organizational environment fosters control consciousness,
- Realistic organizational goals and objectives are set,
- Written policies exits that describe prohibited activities and the action required whenever violations are discovered,
- Appropriate authorization policies for transactions are established and maintained,
- Policies, practices, procedures, reports and other mechanisms are developed to monitor activities and safeguard assets, particularly in high-risk areas,
- Communication channels provide management with adequate and reliable information, and
- Recommendations need to be made for the establishment or enhancement of cost effective controls to help deter fraud.
Agencies that are governed by a board or commission are also encouraged to establish an audit committee to support the oversight function. One way that public officials can enhance accountability and demonstrate proper stewardship over public funds is to establish and support an adequate internal environment within their organizations. A critical element of the internal control environment is an effective audit committee that provides oversight of matters of financial reporting, auditing and internal control. An effective audit committee can provide several important aspects of control, including: ensuring the independence of the internal auditing function and ensuring appropriate action is taken on audit findings. The audit committee serves in a unique capacity as an important communication link among external and internal auditors and operating management, and as a means of reducing the risk of management override of key elements of the agency’s internal control structure.