Internal audit and work review
The Corruption risk management: Internal audit module discusses the role of internal audit in preventing corruption. However, internal audit is also a way that organisations can detect fraud and corruption. Internal audit has a role in both preventing and detecting corruption.
As well as the wider audit processes, agencies should also have other work review processes in place. By "work review" we mean processes and systems that review transactions and other work performed by staff to ensure that it is correct and consistent with agency policy. Work review processes can be designed specifically to identify corrupt conduct. Ideally, such work review processes should occur in the ordinary course of operations, including during regular management and supervisory activities.
The role of internal audit and work review in detecting corruption
Agencies should have audit and work review processes in place which are capable of detecting the types of corrupt behaviour identified by the agency in its risk identification process.
Internal Audit should be proactive and should design and run programs aimed at detecting corruption. Audit work should target the agency's identified key risks and should occur sufficiently frequently to detect any corrupt conduct promptly. A recent global survey [2] suggested that internal audit could increase its effectiveness in detecting corruption by:
- selecting site visits and audits based on potential corruption risks
- developing and performing specific corruption audits
- including risks related to corruption in the risk assessment process when developing audit plans
- modifying current audit scope and procedures to specifically address corruption risks
- completing corruption awareness / prevention training at least once every two years
- conducting regular reviews of incidents reported
- preparing a list of red flags based on incidents that have already been investigated, including a list of internal controls that have been breached
- compiling a database of all reported incidents in order to identify patterns and trends.
Internal audit should inform senior management about any deficiencies or issues that are identified during the audit process. Ideally, auditors should serve as a source of expertise and advice in relation to corruption detection for the rest of the agency.
Work review processes may be conducted by Internal Audit as part of the audit program. They may also be conducted by particular divisions of an agency such as Finance or IT in relation to particular agency functions or activities. For example, Finance could review private usage of agency credit cards over a certain period.
Supervisors or other managers could also conduct some work review processes at particular work locations. For example, an office manager might review customer applications for the preceding month to ensure that staff have consistently applied agency criteria.
Work reviews can be done regularly as part of an agency program or randomly in response to a particular concern, such as identification of a new corruption risk or elevation of an existing risk.
As part of the agency's corruption risk management process, work review processes should be monitored and evaluated to ensure that they operate as intended.
Many of the indicators of fraud and corruption can be found within an agency's financial, operational and transactional data using data analysis tools and techniques. Data analysis tools and techniques can be useful additions to an agency's audit and work review processes to help it identify potential fraud and corruption that otherwise might remain unnoticed, possibly for years.
Data analysis can help identify patterns that may indicate fraudulent activity, such as unexpected relationships between subcontractors (for example, shared addresses, telephones, fax numbers, bank accounts or directors). It can also be used to compare computer records held for different purposes or by different bodies to identify discrepancies and anomalies. For example, an agency could compare the addresses of vendors with employee addresses to detect potentially fraudulent activity.
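The matching described above can be sketched as follows. This is an added example, not part of the original guidance: the record layout, field names and sample records are constructed for illustration, and the normalisation rules are assumptions that a real review would tune to its own data.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample records for illustration (not real data).
VENDORS = [
    {"id": "V001", "address": "12 High Street, Unit 3, Exampleton", "phone": "(02) 5550 0101", "bank": "062-000 12345678"},
    {"id": "V002", "address": "7 Mill Road, Exampleton", "phone": "02 5550 0101", "bank": "082-001 55501234"},
    {"id": "V003", "address": "40 Quay Ave, Exampleton", "phone": "02 5550 0199", "bank": "062000 12345678"},
]
EMPLOYEES = [
    {"id": "E10", "address": "12 High St., Unit 3, Exampleton", "bank": "033-000 99990000"},
    {"id": "E11", "address": "5 Other Rd, Exampleton", "bank": "082 001 5550 1234"},
]
ABBREV = {"street": "st", "road": "rd", "avenue": "ave", "apartment": "unit"}

def norm_address(text):
    """Lower-case, drop punctuation and collapse common abbreviations."""
    words = re.sub(r"[^a-z0-9 ]", " ", text.lower()).split()
    return " ".join(ABBREV.get(w, w) for w in words)

def norm_digits(text):
    """Keep digits only, so differently formatted numbers compare equal."""
    return re.sub(r"\D", "", text)

def build_index(records, field, norm):
    """Map normalised value -> record ids; blank values are skipped so
    that missing data never counts as a match."""
    index = defaultdict(list)
    for r in records:
        key = norm(r.get(field, ""))
        if key:
            index[key].append(r["id"])
    return index

def vendor_employee_matches(vendors, employees):
    """Vendors whose address or bank account also belongs to an employee."""
    hits = []
    for field, norm in (("address", norm_address), ("bank", norm_digits)):
        emp = build_index(employees, field, norm)
        for v in vendors:
            hits += [(v["id"], e, field) for e in emp.get(norm(v.get(field, "")), [])]
    return sorted(hits)

def shared_vendor_attributes(vendors):
    """Pairs of distinct vendors sharing an address, phone or bank account."""
    hits = []
    for field, norm in (("address", norm_address), ("phone", norm_digits), ("bank", norm_digits)):
        for ids in build_index(vendors, field, norm).values():
            hits += [(a, b, field) for a, b in combinations(sorted(ids), 2)]
    return sorted(hits)

if __name__ == "__main__":
    for hit in vendor_employee_matches(VENDORS, EMPLOYEES) + shared_vendor_attributes(VENDORS):
        print(hit)
```

Each hit is a lead for a reviewer to follow up against source documents; exact matching after normalisation will miss reordered or misspelt addresses.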
The benefits of data analysis can include:
- identification of hidden relationships between people, organisations and events
- a means to analyse suspicious transactions
- an ability to assess the effectiveness of internal controls intended to prevent or detect fraudulent activities
- the potential to continually monitor fraud threats and vulnerabilities
- the ability to consider and analyse thousands of transactions efficiently and cost-effectively. [3]
Data can be analysed retrospectively or continuously, for example on a daily, weekly or monthly basis. Data analysis should not only be used by auditors. As part of their supervisory and work review processes, line managers can also use simple data analysis tools and techniques to extract information that may indicate fraudulent activity in their areas of responsibility.
Senior management response to audit recommendations
It is essential that agencies learn from the information collected in their audit and work review processes and take appropriate action in response to it.
The following case study illustrates the consequences for an agency that did not have audit or work review processes in place capable of detecting corrupt conduct and which failed to act on the information and recommendations that were provided by its audit process.
Case study 1: Detecting corrupt conduct through internal audit and work review
The ICAC investigated the conduct of a manager at an RTA Motor Registry. He was responsible for the effective operation of the registry. The ICAC found that from late 2002 to August 2006, he acted improperly by providing persons with various forms of assistance to improperly obtain motorcycle, car and truck licences in return for money and other benefits. He also created false documents in support of licence applications and passed these off as genuine to other registry staff.
The RTA conducted two scheduled audits in March 2004 and November 2005 at the Registry, which was classified as a medium-risk registry at the time. Considering that in 2005–2006 Botany Registry conducted 20,103 licence-related transactions, a relatively small number of between 43 and 58 transactions were sampled, two-thirds of which related to licensing. All the transactions sampled took place in the six weeks prior to the audit as this was the period of time that a Registry was required to retain supporting documents for transactions on site. The period between audits was determined by the risk rating of the Registry, so Registry Managers were aware of the approximate time when the next audit would be conducted. They were also advised of the date of the audit up to two weeks in advance of the audit visit. The RTA practice of sampling small numbers of transactions conducted only in the six weeks prior to the audit made it easier for a corrupt manager or other staff member to hide their corrupt transactions from the audit process.
The audits of the Registry in 2002, 2004 and 2005 all identified similar problems in areas relevant to the corrupt manager's activity. The 2005 audit report noted that these issues had never been adequately addressed. It found that the overall level of internal controls operating at the Registry was unsatisfactory and recommended that the Registry be reclassified as high-risk. Not only did the audits fail to identify any aspects of the Registry Manager's corrupt activity, but his managers failed to ensure that the weaknesses in internal controls identified by the audits were strengthened between audits.
The ICAC recommended that:
The RTA's audit and work review process did not require the Registry Manager's supervisor (the regional manager) to undertake any independent checks on the Registry Manager's work or the transactions performed at the Registry. This was unfortunate as his fraudulent licence conversions and other corrupt conduct had left a record trail that could have flagged concerns had it been reviewed. However, due to the nature of the RTA's audit review processes, the records that might have alerted it to this aspect of his corrupt activity were not identified at any stage of the process, by his supervisor or by any other manager.
The ICAC recommended that the RTA's process should be strengthened by introducing a requirement for regional managers to undertake their own checks to ensure that the certifications provided by the Registry Managers are accurate and registries are operating as required. These checks could include independent analysis of the data available in the system for discrepancies and review of the accuracy of certification reports.