1. IQPC Public Sector Fraud & Corruption Summit, Canberra
Friday 28th October 2016
Dr Darren O’Connell MBA FGIA
Workshop D: Conducting a Comprehensive Fraud and Corruption
Risk Assessment – Part 1

2. 1. Introductions
2. War stories
3. Part 1: Recap on better practice approaches to managing risk
4. Break
5. Part 2: Identifying and managing fraud and corruption risk
6 Summary and close
2
Workshop Agenda

3. 1. Learn about tools and techniques to detect and assess risk
2. Learn how to perform a comprehensive risk assessment
3. Identify fraud and corruption risks in an internal environment, and
when working with third-parties
4. Drawing insights from the results and improving your risk
management framework
5. Overcoming common pitfalls
3
Workshop Objectives

4. Part 1: The Risk Management Process

5. 5
• The key objectives or risk management are to:
‒ Support informed risk-taking that promotes PHG’s objectives and success while recognising the risks associated with key
decisions
‒ Create a robust control environment that reduces negative impacts to PHG’s performance
‒ Avoid surprises by generating an increased understanding of key risks and providing early warning of increases in
exposure to adverse risk events
‒ Reduce the cost to PHG from “fire fighting” versus proactive risk management
‒ Generate a risk profile that will support the Executive’s ability to focus discussions and attention on the material risks
‒ Provide the basis for identifying areas of priority for Internal Audit
• The key elements of the risk framework are:
‒ Taking an evidence-based approach including:
• The rationale for scoring a risk in a particular way
• An assessment of the financial impact of the risk should it eventuate
‒ Producing a manageable list of risks through the use of the bow-tie methodology that combines key causes and impacts
into a single risk
‒ Defining the controls that should be in place and the key attributes of these controls that result in an effective control
environment
‒ Assessing the effectiveness of individual controls and inclusion of commentary on the current gaps that result in controls
not yet being fully effective
‒ Identifying Actions, in addition to current controls, to support further risk reduction for PHG
‒ Achieving a direct linkage between controls and the Actions needed to improve them
The Risk Management Framework

6. 6
Risk identification
Risk identification can be achieved through an analysis of critical activities, strategic plans, incident analysis,
and a consideration of the changes facing your organisation.
The following questions can be used to assist in identifying risks:
Risk Identification
Strategic Plan
PESTLE
Analysis
Agency
Transformation
Audit Assurance
Business
Resilience Event
Risk Register
What could go wrong?
How could your organisation fail?
What must go right for your organisation to succeed?
Where is your organisation vulnerable?
What assets does your organisation need to protect?
Does your organisation have liquid assets or assets with alternative uses?
How could someone defraud from your organisation?
How could someone disrupt your operations?
How does you know whether you are achieving your objectives?
On what information does your organisation most rely?
On what does your organisation spend the most money?
How does your organisation invoice and collect its revenue?
What decisions require the most judgment?
What activities are most complex?

7. 7
Risk Identification
Category Description Subcategories Category Description Subcategories
Regulatory
(Compliance/
Legislation
/Environment
al) Risk
The risk of failing to meet
government standards, laws
and regulation (including WHS,
environmental, etc.)
• Regulatory / legal
• Contractual
• Licensing /
Accreditation
• Enviromental
Reporting
Strategic
Foresight
Risk
The risk arising from insufficient
forward planning, inappropriate
strategies, strategic alignment.
• Acquisitions,
mergers &
divestments
• Business
transformation
Our People
Risk
The risk of inappropriate HR
policies, recruitment, training,
retention, staff engagement and
culture.
• People capacity &
capability
• Planning &
utilisation
• Unions / industrial
relations
Major Project
Risk
The risk of not achieving key
project or event objectives,
budgets, deadlines.
• Maintenance /
upgrade
• Acquisition & lease
• Disposal
• Planning &
utilisation
Budget,
Revenue and
Capital
Spend Risk
The risk of not achieving income
or expenditure targets,
inappropriate returns on
investment, cash flow, financial
sustainability (including financial
reporting and processes,
accounting controls).
• Meeting
revenue/growth
targets
• Insurance
• Bribery, fraud &
corruption
Knowledge
Management
Risk
The risk of not protecting
corporate knowledge,
insufficient research to support
initiatives, in adequate
innovation.
• Information security
• IT systems /
infrastructure
• Intellectual property
Reputation,
Stakeholder
and Clients
Risk
The risk of damage to PHG’s
reputation and brand.
• Brand strength &
relationships
• Adverse publicity
• ICAC /
Ombudsman
External Risk The risk of economic shocks,
changing public attitudes,
political factors, changing
customer or supplier needs
(including social responsibility,
stakeholder management).
• Government &
Policy change
• PESTLE factors
Service
Delivery
(Internal /
External)
Risk
The risks associated with
delivery of services to internal
and external customers
(including IT, Property,
Procurement, Asset
Management etc.).
• Tenancy
performance /
Retention /
Acquisition
• Engagement
• New opportunities
Work, Health
and Safety
Risk
The risk of unexpected events,
business continuity, issues
management, natural disasters,
public hazards, legal and
contract risks.
• Visitor safety
• Environmental
incidents
• Staff safety
• BRF & CMP
• Asset security

8. 8
• A risk in an event that has a chance of less than 100% likelihood of
occurring
• The following shows the “Bow-tie” method of risk identification:
Risk Identification
Risk Event
RiskCauses
Keycontributingfactorstotherisk
occurring
RiskImpacts
Consequencesthatcanresultifthe
riskweretoeventuate
Controls to Manage Impacts
Controls that reduce the extent of impact if
the risk were to eventuate
Controls to Manage Causes
Controls that reduce the likelihood of the
causes occurring

9. 9
The control environment usually comprises of four elements:
1. Basic standards
• Code of Conduct, gift policy, conflict of interest register, staff training & awareness
program
• Set minimum standards of behaviour
• Options for disciplinary actions
2. Risk Management
• Segregation, discretion reduction, delegations, management oversight, audit
• Necessary to manage opportunities that cannot be designed out of the system
3. Operations
• Incentives, process design, information and metrics, accountability and design location,
divisional arrangements, internal to market boundaries
• Organisations exist to achieve particular outcomes
• Tight operational design reduces opportunities for corruption
4. Design and oversight
• Design, governance, management, audit, investigation, business improvement, legal
• Requires clear understanding of operational realities
Source: Independent Commission Against Corruption © 2016
The Control Environment

10. 10
The Risk Control Environment
Source: Independent Commission Against Corruption © 2016

11. 11
• Identify the controls that should be in place to effectively manage the risk, including the
controls required to reduce the potential for each of the causes to occur and to reduce
the impact if the risk were to eventuate.
• For each control listed, ensure that the attributes (assurance) which make the control
effective are listed.
Identifying Risk Controls
Risk
Category
Risk
subcategory
Example controls
Regulatory Contractual
Governance oversight and approvals of contract variations and
additional delivery of scope
Major Project
Maintenance
& Upgrade
Regular subcontractor performance review including quality and
safety
Robust subcontractor selection criteria to assess value for money,
quality and capability
Our People
People
capacity &
capability
Succession planning to account for temporary or permanent loss of
key roles
Regular monitoring of retention rates and proactive implementation of
required actions in response to decrease in rates

12. 12
• The control assessment is the extent to which the control is being consistently
implemented and reduces the risk, being rated effective, partially effective or ineffective. If
a control is effective, it should be able to stand up to an audit of its effectiveness.
• The control testing outcome should identify any gaps that exist in the control’s
effectiveness i.e. for any rating that is NOT “Effective”.
Risk Control Effectiveness
Control
Effectiveness
Internal
Audit Rating
Guide
Effective 5 Controls are well designed for the risk, are largely preventative and address the
root causes. The controls are effective and reliable.
Mainly Effective 4 Well controlled with some control weaknesses / areas for improvement identified.
Adequate 3 Reasonable level of controls, however, some control weaknesses of concern
identified.
Needs Improvement 2 Adequate level of control in some areas, however, significant control weaknesses
in a number of areas.
Non-Effective 1 Poorly controlled. Significant weaknesses in internal controls
OR
The controls that can be put in place are very limited due to the type of risk
(beyond the control of your organisation / Agency)

13. 13
• Determine what Actions are required to improve all mainly effective, adequate, needs improvement
and non-effective controls to make them effective
• Actions should have completion dates of within the next 12 months
• For each Action, the below should be identified:
 A link to the related control/s which it is aiming to improve
 Any non-budgeted cost of implementing the Action
 A due date and responsible person for implementing the Action
• It is important to then track Action implementation status (using RAG scale) including explanation for
red Action status:
 Red – The treatment has passed its due date
 Amber – The Action is at risk of not being completed by the due date
 Green – The Action is on track for completion by the due date
 Closed – The Action has been completed
• When an Action is complete, re-examine the control effectiveness
Risk Control Actions

14. 14
Risk Severity - Definitions
Term Definition
Inherent Risk The level of risk, being the combination of impact and probability, that exists before
PHG has put in place any controls
Residual Risk The level of risk, being the combination of impact and probability, that exists today
taking into account the effectiveness of current controls
Target Risk The level of risk, being the combination of impact and probability, that is expected to
be achieved after implementation of control treatments
• Assess the risk on the basis of the highest consequence criteria. For example, if a risk could result
in both an operational and a financial consequence, and the latter is greater, then the consequence
rating should be financial
• Rating the risk on this basis does not detract from the importance of managing other consequences
which the risk could have
• Note that consequence and likelihood are not mutually exclusive. This means that you should
identify the potential consequence of a risk and then consider the likelihood of the risk occurring
and resulting in that level of likelihood.

15. 15
Risk Severity - Consequences

16. 16
Risk Severity - Likelihood
Probability assessment
1 – Rare 2 - Unlikely 3 - Possible 4 - Likely 5 – Almost Certain
<1% 1 – 20% 21% - 49% 50% - 85% >85%
<1 event in 100 years Several events in 100 years Several events in 10 years Several events in 1 year Multiple events in 1 year
Event may occur only in
exceptional circumstances
Event may occur in
exceptional circumstances
Event could occur at
sometime
Event will occur at sometime Event will probably occur in
most circumstances
Event is very unlikely to
occur
Event is unlikely to occur Event is fairly likely to occur Event is likely to occur Event

17. 17
Likelihood
Consequence Rare Unlikely Possible Likely Almost Certain
Severe
High
(15)
High
(19)
High
(22)
Extreme
(24)
Extreme
(25)
Major
Medium
(10)
Medium
(14)
High
(18)
High
(21)
Extreme
(23)
Moderate
Medium
(6)
Medium
(9)
Medium
(13)
High
(17)
High
(20)
Minor
Low
(3)
Low
(5)
Medium
(8)
Medium
(12)
Medium
(16)
Negligible
Low
(1)
Low
(2)
Low
(4)
Low
(7)
Medium
(11)
Risk Severity - Scoring

18. 18
• The key steps to be undertaken in creating a risk register are:
Risk Register Creation
 Discuss risks, considering all categories of risk, that may apply to the functionIdentify risks
 Each risk register must contain the following “baseline” risks: WHS; Fraud & Corruption;
Business/Project Continuity; and Procurement. Operational Risks are those that are not “baseline’
risks
 Identify the causes and impacts of the risk, considering the key factors that could contribute to the
risk occurring and the possible impacts that could result if the risk were to eventuate
 Identify and assess the effectiveness of current controls including both those controls preventing
the risk and those mitigating its impact should it occur
 Assess inherent and residual risk based the probability and impact of the risk, taking into account
the effectiveness of current controls, with this being the current level of exposure posed by the risk
 Document the risk rationale and financial value of the residual risk
 Identify the treatments required to improve the current control environment and identify the target
risk score to be achieved subsequent to the treatments being implemented
For several risks...
 Discuss risk ownership, with owners being the relevant senior management team member to own
the risk and coordinate its effective management, and contacts being the person who will assist in
populating the required risk information
Allocate ownership

19. 19
• The key elements of a risk register are:
• Risk owner
• Causes
• Impacts
• Inherent risk
• Existing controls being relied upon, including the:
 Outline of the control in place
 Name of the control owner for each control
 Review requirements (i.e. assurance)
• Residual risk
• Action plans (if required) containing for each plan:
 An outline of the action plan, the owner and the expected completion date
 The target risk rating (risk rating after treatment plans are completed)
• Risk Scoring
 Inherent (no controls)
 Residual (existing controls)
 Target (when all controls are effective / new controls in place)
Risk Register Creation

20. Example of a risk register and break

21. Part 2: Managing Fraud & Corruption Risk

22. Bribery
• Bribery is the giving, receiving of money, a gift or other advantage as an
inducement to do something that is dishonest, illegal or a breach of trust.
Fraud
• Fraud is the criminal deception intending to result in financial or personal gain.
Corruption
• Corruption is the misuse of public office or power for private gain; or misuse of
private power in relation to business outside the realm of government.
Gifts and Benefits
• Offering something of financial value that is to the advantage of another
person and in doing so is intending that individual to perform a function
improperly or secure business or a business advantage.
Conflicts of Interest
• A conflict of interest is a situation in which an employee has competing
professional or personal interests. Such competing interests can make it
difficult for individuals to fulfil their PNSW duties impartially.
22
Definitions of Fraud and Corruption

23. 23
• Recent scandals at the highest
levels of Government has left a
deeply negative impression on the
tax payer
• Politicians and government
employees aren’t held to the
highest levels of accountability
• There is specific direction from the
Department of Premier and Cabinet
to improve governance (2014)
• PNSW has committed to the
highest level of ethical standards
• Reputation is PNSW’s most
valuable asset
Why is bribery, fraud and corruption a risk?
The
Premier’s
Choice

24. 24
The basic organisational environment
Governance Principles
Rules, monitoring, compliance, minimised
discretion
Operational Controls
Clear goals, tight systems, process controls,
information integrity, accountability
Institutional Basics
Hierarchy as basis of supervision, management
based on written documents, expertly trained
staff, full-time work, office rules control behaviour
Societal Foundations
Democracy, free press, rule of law, property
rights

25. 25
An historical anecdote
• The year 1797-8.
• The protagonists: The French Republic
and the USA.
• There was an undeclared Quasi-War.
• The USA sent a mission to France to
seek a peace deal and to prevent a
further escalation of war.
• The provisional French government
initially refused to negotiate but sent
three unofficial French agents code-named “X”, “Y” and “Z”.
• A peace deal was initially offered but only if the American Government paid a
bribe of £50,000 to the French Foreign Minister (“a personal gift”) and huge
loan to the French Government (at war with many European nations).
• The American Commissioners refused and published details of the meetings.
Describe the environment that enabled this situation to occur?

26. 26
The basic organisational environment
Governance Principles
Rules, monitoring, compliance, minimised
discretion
Operational Controls
Clear goals, tight systems, process controls,
information integrity, accountability
Institutional Basics
Hierarchy as basis of supervision, management
based on written documents, expertly trained
staff, full-time work, office rules control behaviour
Societal Foundations
Democracy, free press, rule of law, property
rights

27. • In order to be able to manage the risk of a fraud and corruption event,
we need to understand the ‘scale of the problem’.
• There are numerous sources of information that elaborate on how big
a problem global corruption is:
• Deloitte Bribery and Corruption Survey 2015 Australia & New Zealand:
Separate the wheat from the chaff
• Australian Institute of Criminology Fraud, bribery and corruption in
Australian government agencies
• Transparency International Corruptions Perceptions Index
27
The Scale of the Problem

28. 28
Fraud losses in 152 Commonwealth agencies versus fraud losses in 281
Australian and New Zealand organisations.
The Scale of the Problem
$153,176,000
$497,573,820
$105,000,000
$373,000,000
$0
$100,000,000
$200,000,000
$300,000,000
$400,000,000
$500,000,000
$600,000,000
1997 2012
Commonwealth ANZ Private Sector

29. 29
The financial value of fraud and corruption losses experienced by the
Commonwealth broken down by internal sources and external sources.
Source: Australian Institute of Criminology, 2011.
The Scale of the Problem
$2,800
$2,900
$3,000
$3,100
$3,200
$3,300
$3,400
2008-09 2009-10
Internal
$650,000
$700,000
$750,000
$800,000
$850,000
2008-09 2009-10
External

30. 30
The Scale of the Problem
0
20
40
60
80
100
120
140
160
180
200
0
2
4
6
8
10
12
14
1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015
How Australia's CPI compared to the World
No. Countries Surveyed Rank

31. The Lifecycle of Fraud and Corruption Event
31

32. 32
Corruption usually happens at the point where…
…into
private
hands.
• Tenderer/
Contractor/
supplier
• Property
developer
• Business
partner
• Family/ friend
• Client
• Public official
• etc
…can be
transferred
from a
government
agency…
Something
of value…
• Tender/
Contract/
Purchase
• Information
• Approval
• Avoid fines,
fees & charges
• Employment
• Services
• Equipment/vehi
cles/ assets
• Etc
Source: Independent Commission Against Corruption © 2016

33. Money
Ideology
Coercion
Ego
33
Sources & Causes of Fraud and Corruption
Tight
Competition
Weak
market
Stakeholder/
Industry
Culture
Situational
perspective
Psychological
perspective
Supply of motivated
offenders
Available
opportunities
Absence
of suitable
guardians Rationalisation/
Integrity maturity
Motivation/
Pressure
Perceived
Opportunities
Arrogance
Greed is good
The owe me
Narcissism
Everybody does it
Entitlement
Criminal mindset
Lifestyle
Gambling
Conflict of interest
Desire
Secondary employment
Fraud and
Corruption
Ability
Blind trust
Poor governance
Corrupted industry
association
Manager/
stakeholder override
Low maturity /
inexperience
Regulatory capture
Role confusion
Weak policy & Systems
Weak non existence
tender processes Approvals
Variations
Licences
Direct negotiations
Exposed assets

34. 34
“It is not from the benevolence of the butcher, the brewer or
the baker, that we expect our dinner, but from their regard to
their own self interest. We address ourselves, not to their
humanity but to their self-love, and never talk to them of our
own necessities but of their advantages.”
Adam Smith
[1723 – 1790]
Motivations and Incentives

35. 35
Incentives can be obvious…
• Profit
o e.g increase share prices / value of an organisation
• Personal gain / self interest
o e.g. falsifying sales figures to gain a bonus
• Help a friend / business partner
o e.g. awarding contracts by favourtism
• Retribution
o e.g. commits the act but frames someone else
• Substantial exactions
o e.g. child support, fines & penalties, excessive loan repayments
• Personal issues / Pressure
o e.g. Drug or gambling problem, civil or criminal court cases
• What else?
Motivations and incentives

36. 36
…and not so obvious
Motivations and incentives
Source: Independent Commission Against Corruption © 2016

37. 37
…and can even be innocuous…
• Individuals engage in corruption for more “altruistic” reasons, to:
o Avoid negative impacts
o Disguise incompetence / poor decisions
o Satisfy the expectations of superiors
o Deflect external criticism or damage to reputation
o Elude office controversy
o Avoid late-payment penalties by paying unauthorised invoices
o Comply with unrealistic but rigid deadlines
o Be seen to comply with regulations or policies or procedures
o Ensure a project has sufficient but un-costed ‘contingency’ project
money that avoids the need asking more later
Motivations and incentives

38. 38
…which leads to equity and a sense of entitlement…
• Equity is the need for fairness (though not necessarily equality)
• Fairness is perceived differently by individuals in a collective (team)
environment
• Unfairness can create a motivation and incentive to engage in corruption
• For examples, individuals can:
o Increase the level of input by other members of the team;
o Decrease the level of outcome due to other members of the team;
o Compare themselves to someone else;
o Decrease their personal input;
o Increase their personal outcome;
o Quit the team (or organisation)!
Motivations and incentives

39. 39
…and to the dynamics of group behaviour…
• Without individuals, the species could not survive
• Without social groups, the individual could not survive
• Legitimate behaviour is the price you pay to become a member of the
group
• i.e. social groups need individuals to act in ways that benefit the group
• Illegitimate behaviour is rewarded by expulsion!
• i.e. individuals need to learn to behave in ways that lead to acceptance
• Close knit groups enforce norms or behaviour
• Behavioural norms once established are not easily or quickly changed
• Individuals instinctively comply with norms even where their self-interest
is not being met
• Leaders and followers of groups are not always obvious to outsiders
even where formal designations exist
Motivations and incentives

40. 40
…and ultimately to culture!
• What is culture?
• The ideas, customs, values and social behaviour of a particular social
group
• How is culture measured, managed and changed?
• Long term development, not quickly changed
• How does culture differ from norms of behaviour?
• Small group units may endorse norms separate or in addition to cultural
expectations
• Do organisations have a “culture” or are they a collection of like-minded
individuals?
• Can individuals have different values and principles at work and home?
• Can individuals adapt a new value system over time?
Motivations and incentives

41. 41
Fraud Risk Event
Faking approvals
Abusing cars and equipment
Rendering false invoices
Misusing computers and phones
Making dishonest decisions
Redirecting funds
Accepting bribes and kickbacks
Leaking confidential information
Theft
Abusing an office
Abusing allowances and credit cards
Fraud
Event
Dishonesty
Benefit
Deception
Avoidance

42. 42
Type of Corruption (Internal + External) 2007-08 2008-09 2009-10
Bribery of employee 83 78 90
Accepting kickbacks / gratuities 5 12 13
Conflict of interest 59 54 353
Collusion or conspiracy 125 10 42
Abuse of power 36 77 88
Unknown 62 34 114
Other 43 7 245
Source: Australian Institute of Criminology 2011
Examples from the Commonwealth

43. 43
• Outsourcing of goods and services has become a ubiquitous feature of public,
private and not-for-profit landscape.
• Numerous benefits:
 Cost reduction
 Greater global reach
 Improved customer service
• Numerous risks:
 Loss of data/IP
 Loss of key personnel
 Vendor failure
 Increased compliance costs
 … and the spectre of corruption
• Transaction Cost Economics (TCE) is a useful framework to employ when
organisations engage with third parties to identify and mitigate fraud risk
Identifying Fraud Risk

44. 44
• Contracting parties trading goods and services with third parties face a range
of costs which can become a significant deterrent to completing the
transaction depending upon the level of risk.
• Parties must “discover” what prices exist, negotiations between parties must
take place, contracts have to be drawn up, inspections and judgements as to
quality of the good or service have to made, and arrangements put in place to
settle disputes.
• The principles of corporate governance in TCE are to implement a framework
of controls that organises the transaction of goods and services in relation to
their degree of specialty that minimises bounded rationality (information
availability and its level of understanding) and safeguards against opportunism
(i.e. fraud).
• This control framework includes the observation and monitoring of
transactions costs and risks have a significant impact upon the transaction
value.
Transaction Cost Economics

45. 45
Governance
Structure
Strengths Weaknesses
Marketplace Strong incentives to maximise net value Can’t protect transaction-specific investments
Contracts Some protection for investments; market-like
incentives
Can’t contract for all possible contingencies
Vertical Integration Internalises value of transaction-specific
investments
Can’t control costs as well as markets
Transaction Cost Economics
• There are three “types” of contracting states which impact upon transaction
costs and the risks of fraud and corruption.
• Each type has an associated governance structure that controls the level of
transaction costs but have strengths and weaknesses.
• The decision to transact within a particular governance structure depends on
an organisation’s ability to minimise its transactions costs through its risk
control environment.

46. 46
Low barriers to entry A market characterised by numerous buyers and sellers, and low profit
margins.
Asset specificity Investments made in specialised goods or services for unique customers.
Location of facilities and the degree of human capital can also be significant
factors.
Weak markets A market with many sellers, few buyers and prices in a state of decline. In
addition, a weak market is characterised by poor regulation.
Peripheral product A good or service that is not the primary focus of an organisation but despite
being ancillary is still important.
Low reputational
capital
Organisations that have little market presence, can close down without being
missed, and restart with little scrutiny.
High relationship /
contact
A contracting relationship between a buyer and a seller characterised by high
frequency social interaction.
Networked industry An industry in which each member has linkages to other members.
Uncertain future
work
Linked to asset specificity, the business contracted for is highly specific and
likely to be a one-off or there are large gaps between repeat business.
Source: Waldersee, R and Shapiro, A, 2016. Strategic Responses to Corruption
Transaction-generated Risks

47. 47
• Originally, the old Department of Railways was largely integrated
vertically
• There were a small number of bilateral contracts with specialist makers
of components and iron ore producers
• But markets developed and private (goods) railways began operating
offering the opportunity to outsource part of the supply chain
• The organisational boundary between the Department and the market
contracts
• As a result the number of market transactions increases as does the risk
of being cheated
• As the risk increases so too does the cost of governance, i.e. monitoring
the quality of the transaction
• At some stage the governance costs will not keep pace with the
transaction risk opening up opportunities for corruption
TCE Example: Functional Outsourcing

48. Train Service
Driver Training
Drivers
Components
Trains
Maintenance Maintenance
Track Laying
Iron Ore
Bilateral
Transaction
Train builders
Bilateral
Transaction
Steel Tracks
Organisational Boundary
TCE Example: Government railways

49. Train Service
Driver Training
Drivers
Components
Maintenance Maintenance
Iron Ore
Market
Transaction Train builders
Market
TransactionSteel Tracks
Bilateral
Transaction
Trains
Bilateral
Transaction
Track Laying
Organisational
Boundary
TCE Example: The Current Situation

50. Components
Maintenance Maintenance
Iron Ore
Market
Transaction Train builders
Market
TransactionSteel Tracks
Market
Transaction
Market
Transaction
Bilateral
Transaction
Driver Training
Market
Transaction
Trains
Market
Transaction
Track Laying
Bilateral
Transaction
Bilateral
Transaction
Drivers
Organisational
Boundary
Train Service
Example: What happens with further outsourcing?

51. 51
Transaction Governance Costs

52. Difficult to control:
• Need
• Price
• Allocation
• Delivery
of the good or service
Well-developed
Governance
(transactions are
planned and
predictable)
Low High
Low
High
Transaction Generated
Risks
TransactionGovernance
Costs
When Outsourcing Increases

53. 53
• During the 2000s, the NSW ICAC investigated Railcorp.
• It involved employees and managers at many levels of the organisation.
• ICAC investigated allegations of:
• Fraud and bribery;
• Improper allocation of contracts;
• Unauthorised secondary employment;
• Failure to declare conflicts of interest;
• Falsification of time sheets; and
• The cover-up of a safety breach.
• In financial terms RailCorp employees were found to have improperly
allocated contracts totalling almost $19 million to companies owned by
themselves, their friends or their families, in return for corrupt payments
totalling over $2.5 million.
• ICAC reported findings of corrupt conduct on the part of 31 individuals
including 14 RailCorp employees and staff of 16 private firms.
Operation Monto: key points

54. 54
The Control Environment
Detectioncontrols
Cost effective
internal controls

55. 55
The control environment usually comprises of four elements:
1. Basic standards
• Code of Conduct, gift policy, conflict of interest register, staff training & awareness
program
• Set minimum standards of behaviour
• Options for disciplinary actions
2. Risk Management
• Segregation, discretion reduction, delegations, management oversight, audit
• Necessary to manage opportunities that cannot be designed out of the system
3. Operations
• Incentives, process design, information and metrics, accountability and design location,
divisional arrangements, internal to market boundaries
• Organisations exist to achieve particular outcomes
• Tight operational design reduces opportunities for corruption
4. Design and oversight
• Design, governance, management, audit, investigation, business improvement, legal
• Requires clear understanding of operational realities
Source: Independent Commission Against Corruption © 2016
The Control Environment

56. 56
The Control Environment
Source: Independent Commission Against Corruption © 2016

57. 57
Corruption Preventative
Controls
Description
Budget controls This type of control is necessary in order to make sure that operational expenses do not exceed the
projected revenue for the period, creating a net loss.
ICT system design Misuse of corporate information is a major source of corruption because it can be used to the
advantage of third parties. The IT system should be able to track the flow of information from internal
and external sources, prevents cyber threats and attacks and safeguard information integrity.
Structural arrangements The organisational structure that correctly reflects functional activities aligned to the business model,
market activity and segregation of duties.
Inventory controls Tracking system that logs receivables, use of and re-ordering of inventory that can be monitored
independently of inventory staff and is tied into the budget control system.
Accountabilities Staff evaluated against specific requirements of preventing, detecting and investigating instances of
fraud.
Culture A culture that encourages ethical behaviour, discourages nefarious activity and welcomes
whistleblowing (through independent and confidential channels). The behavioural outcomes are
enshrined in a current and understood in the Code of Ethics & Conduct.
Delegation limits Prescribed limits on how employees can use the financial, operational, moral resources of the
organisation in pursuit of its strategic objectives.
Procurement strategy A framework that expressly sets out the relationship between the organisation and third parties when
transacting in the market.
Limit client interaction Ongoing interaction between third parties and staff creates a relationship based on mutual
reciprocity. If the relationship is exclusive the opportunity increases for gift to lead to bribery and so
staff managing relationship should be regularly rotated.
The Control Environment #1

58. 58
The Control Environment #1
• The top three factors are:
• Organisational culture
• “Tone from the top”
• Code of Conduct
• Organisational culture was listed
as a top 3 factor by 73% of
respondents.
• A surprise audit was the least
reported factor, with only 5% of
respondents listing it as a top 3
factor.
Source: Deloittes 2015, 2015. Deloitte Bribery and Corruption Survey 2015 Australia and New Zealand: Separate the wheat from the
chaff. 13.

59. 59
Corruption Detection Controls Description
Analysis of excessive employee payroll deductions Evidence of substantial deductions e.g. child support,
loans, penalties or fines etc.?
Analysis of excess leave balances Do employees work excessive outside normal hours, is
there evidence of excess leave accumulation?
Analysis of sick leave trends Excessive sick days with or without doctors certificates
might indicate secondary (and competing) employment.
Remote Access of Information Are employees access corporate information and sending
it outside the organisation without due justification?
Review of gift registers Do meetings between staff and third parties occur
regularly, are gifts declared, do staff appear to be living
beyond their means?
Analysis of inventory, spending and transaction patterns Run data analytics software on the financial system
searching for matching bank accounts; transactional
patterns with vendors, stock flow patterns in the inventory
system; review of, and compliance to, purchase orders.
Analysis of complaint registers Is their a pattern of complaints by customers, vendors and
other stakeholders against particular employees?
Review of internal audit findings Are their systematic control failures in areas of the
business deemed high risk due to their interface with third
parties?
The Control Environment #2

60. 60
Corruption Investigative Controls Description
Clear documented investigation
procedures
• Reports of fraud investigated promptly
• Investigations are independent
• Sufficient resources allocated including budget
Investigations conducted by
qualified and experienced staff
• Recognised qualifications and experience
Decision-making protocols • Documented processes
• Proportionate responses to incidents of fraud
Disciplinary systems • Staff understand fraud will not be tolerated and
perpetrators will face disciplinary action
• Commitment to taking action against perpetrators
of fraud
• Consistent application of sanctions
Insurance • Consider a fidelity guarantee policy to protect
against the financial consequences of fraud
The Control Environment #3

61. 61
Commonwealth Fraud Specialists
Agency fraud section staff and qualification
Area Prevention Detection Investigation
Year 2008-09 2009-10 2008-09 2009-10 2008-09 2009-10
Employees 454 680 442 1,620 2,062 1,126
% qualified 19% 15% 10% 8% 43% 93%
Change N= +226 +1,178 -936
Change %= +50% +267% -45%
Source: Australian Institute of Criminology 2011.

62. 62
Cash flow
Funding availability
Infrastructure program impacts
Asset losses, availability
Incident response costs
Stakeholder intervention
Negative impacts of staff
Abandoned and re-run tenders
Consequences of engaging fraud
Financial
Operational
Adverse media
Loss of public confidence
Personal and family impacts
Impact on future employment
Reputation
Corrupt conduct charges
Fraud and other charges
Civil suits and damages
Foreclosure of department /
agency
Gaol
Disciplinary Legal
Code of Conduct breach
Demotion
Loss of job

63. 63
Consequences of engaging in fraud
60%
12%
11%
5%
5%
4%
2% 1%
What is the key downside posed by domestic corruption to
your organisation?
Reputational Damage
Diversion of employee and management time
Financial - cost to investigate
Not applicable to my organisation
Fines, Settlements, Imprisonment
Negative impact on employee morale
Other
Remediation costs

64. 64
• UK Bribery Act
 Covers the criminal law relating bribing anyone to induce them to act improperly;
and
 The failure of the commercial organisation to prevent bribery on its behalf.
 The Act became operational on 1 July 2011.
 It has near universal jurisdiction, allowing for the prosecution of an individual or
company with links to the UK regardless of where the crime occurred.
 Described as the toughest anti-corruption legislation in the world.
• Audit Office of New South Wales Fraud Control Improvement Toolkit 2015
 The AONSW’s toolkit provides guidance and practical advice to help organisations
implement an effective fraud control framework.
 It highlights what should be present within an organisation to make fraud control
work and aligns with the Fraud and Corruption Control Standard AS8001-2008.
 NSW agencies are encouraged to follow this standard in the design and
implementation of their fraud control framework.
 The toolkit sets out ten attributes which help prevent, detect and respond to a
corruption event.
What does better practice corruption prevention look like?

65. 65
Key principle Description
1. Proportionate procedures Procedures to prevent fraud and bribery that are
proportionate to the risk that your organisation faces
2. Top level commitment Commitment by your Executive to foster a culture where
fraud and corruption are never acceptable
3. Risk assessment The periodic assessment of the nature and extent of your
exposure to the potential external and internal risks of
fraud and corruption
4. Due diligence Taking a risk based approach, the application of due
diligence processes and procedures in respect to
customers and third parties who do business you
5. Communication and training Embedding and understanding fraud and corruption
control through periodic and regular communication and
training
6. Monitoring and review Periodic and regular reviews of procedures designed to
prevent fraud and corruption, and makes improvements
where necessary
UK Bribery Act: Principals of the framework

66. 66
AONSW: Principles of the framework
Attribute Checklist
1. Leadership • CEO and senior management commitment to fraud controls
• Clearly defined CEO and senior management accountability and responsibility
2. Ethical Framework • Clear policies setting out acceptable standards of ethical bevahiour
• Demonstrated compliance with the ethical framework
• Employees articulate obligations to ethical behaviour and the organisation’s position on fraud
3. Responsibility
Structures
• Management and all staff have clearly defined responsibilities for managing fraud
• Fraud management is integrated with core business
• Clearly defined roles for audit and risk committee and auditors
• Staff with responsibility for fraud control and staff in high risk fraud areas are provided with training
4. Fraud Control Policy • Risk-based policies appropriate to the organisation
• Holistic and integrated
• Regularly reviewed, current and implemented
5. Prevention Systems • Proactive and integrated fraud risk assessment
• Planning, follow up and accountability
• Analysis of and reporting on suspected and actual frauds
• Ethical workforce
• IT security strategy
6. Fraud Awareness • Comprehensive staff education and awareness program
• Staff awareness of fraud control responsibilities
• Customer and community awareness
7. Third Party
Management Systems
• Targeted training and education for key staff
• Third party due diligence and clear contractual obligations and
• Accountabilities
• Effective third party internal controls
• Third party awareness and reporting
• Staff disclosure of conflicts of interest and secondary employment

67. 67
AONSW: Principles of the framework
Attribute Checklist
8. Notification Systems • Culture that supports staff reporting fraud and management acting on those reports
• Polices, systems and procedures that support reporting
• Processes to support upward reporting
• External reporting
9. Detection Systems • Robust internal controls
• Monitoring and review
• Risk-based internal audit program
10. Investigation
Systems
• Clear documented investigation procedures
• Investigations conducted by qualified and experienced staff
• Decision-making protocols
• Disciplinary systems
• Insurance

68. 68
PNSW: In Practice
PNSW’s approach to fraud and corruption control is
based on the NSW Audit Office’s Fraud Control
Improvement Kit (2015).
The PNSW Fraud & Corruption Control Framework
supports DFSI’s Code of Ethics and Conduct and its
governing principals set by the Executive.
The scope of the Framework outlines:
• PNSW’s requirements that relate to bribery, fraud
and corruption;
• The agency's position on bribery, fraud and
corruption matters, as well as the governance of the
framework and key roles and responsibilities;
• The DFSI’s Fraud & Corruption Control, Gifts and
Benefits and Conflicts of Interest policies, as well as
the Code of Ethics and Conduct, detail the specific
requirements that must be met by all employees;
• The fraud reporting mechanisms sets out the
requirements and processes that must be
undertaken if an instance of corruption arises.
FraudReporting
Systems
ConflictsofInterest
AntiFraud
AntiCorruption
GiftsandBenefits
Key risks relating to Bribery, Fraud and
Corruption
Business processes
(e.g. Operations, HR, Finance, Strategy, Leasing
Procurement)
The Fraud and Corruption Control Environment
PNSW

69. • The process of risk management is a prescribed process:
 There are sequential and repeatable steps: risk identification  cause and impact identification
 control specification  risk actions  risk scoring  review and repeat.
• The most efficient approach is to “bow-tie” risks thereby creating a “parsimonious”
strategic risk register.
• All organisations should include “baseline” risks which include an explicit reference to a
“failure to prevent fraud and corruption”.
• There are many reasons why organisations experience a fraud or corruption event but
the single point of failure is the control environment.
• Whenever there is an interface between government and the private sector and
opportunity to engage in fraud and corruption exists.
• TCE provides a useful framework to analyse the sources of fraud and corruption risk
when dealing with third parties.
• The control environment consists of three interlocking processes: prevention, detection
and investigative.
• Without significant but efficient investment in compliance, the consequences of failing to
manage fraud and corruption risks are catastrophic.
69
Summary of Key Themes