Reviewing corruption prevention controls

Corruption controls are all the systems, policies and procedures an agency has in place to minimise corruption.  The purpose of a review of corruption controls is to ensure that the controls are working properly and are the right kind of control for your agency. 

While the focus here is on agencies reviewing corruption controls in response to corruption that has been detected or a 'near miss', note that reviews should also occur as part of routine corruption risk management and internal audit processes.

Regular, scheduled reviews of corruption controls should be a key part of any Corruption Prevention Plan. Whenever a control or controls appear to have failed or been breached, these controls should be reviewed to determine whether changes are needed. When improvements are required, they should be developed and implemented as soon as possible.

Examples of corruption controls that you might want to review include reporting systems, complaints management, auditing, investigations, disciplinary procedures, performance management systems and your overall corruption risk management system.

Senior management and control review

Senior managers are responsible for ensuring that the internal control environment is regularly reassessed and for ensuring that any recommendations arising out of this assessment are implemented. 

Internal audit has a specific role in internal control review.  Regular reviews of controls that may be a factor in corruption should also be included in annual audit programs.

Line management remains responsible for actually implementing revised internal controls, and any recommendations arising from internal control reviews should be provided to the manager of the department concerned.  Managers may require training in new or revised controls.

Case studies

Responding to corrupt conduct: Reviewing corruption controls

The ICAC held an investigation into corruption in a public agency in 1998, followed by another investigation into the same agency in 2003.

Following the 1998 investigation the agency stated that it would introduce new policies and procedures to prevent the corruption that had occurred.  However, ICAC's 2003 investigation found the same type of corruption had occurred.  The ICAC also found that the promised policies and procedures had not been successfully implemented. 

The agency said that its changing structure had made it difficult to implement the policies and procedures, and that these were no longer appropriate anyway because of decentralisation that had occurred.  The new CEO launched a reform process to overcome this problem, and commissioned a review of internal controls, including governance initiatives and internal audit structure.  These controls were then revised to ensure they were adequate for the agency's new structure.

 Responding to corrupt conduct: Reviewing corruption controls

The ICAC investigated an agency that held a collection of items for public use and research. Thousands of items were stolen over a period of several years by an employee.

The ICAC investigation found that the agency had very poor internal controls, including its procedures for stocktaking, movement of items between different departments of the agency and lending items to other institutions. The poor internal controls were a key factor in the employee being able to steal so many items. 

The investigation also found that with the exception of a single external review by the Internal Audit Bureau, the agency did not do its own review of corruption controls during the period in which the thefts were occurring.

The ICAC's final investigation report made several recommendations aimed at improving the agency's capacity to review its corruption controls to ensure they remained up-to-date and adequate for the corruption risks the agency faced.

Frequently asked questions

 When should an internal control be reviewed?

  • When flawed controls appear to have facilitated corruption that has occurred.
  • Following a 'near miss', when it looks like corruption could have occurred if an employee had noticed the opportunity.
  • As part of routine internal audit and corruption risk management processes.
  • Even if a control appears to be working well it should still be reviewed periodically.  A review every two to four years is reasonable, depending on the control and how important it is to your organisation.

What should happen if the review detects a weakness in an internal control?

The review should contain a recommendation on how to minimise or eliminate that weakness.

A senior manager should be made responsible for ensuring the recommendation is implemented.