pbo agency risk management plan 1314 - staff services fraud... · web viewstaff falsify travel...
TRANSCRIPT
Fraud Risk Assessment Template2017
Service Division / College / Research School:
Endorsed by GM (if applicable): Approved by College Dean/Research School Director/Service Division Director:
Date:
Contents
GUIDANCE 3
FRAUD RISK ASSESSMENT TEMPLATE 4
RISK ACTION PLAN 13
APPENDIX A FRAUD INDICATORS AND POSSIBLE CONTROLS 14
APPENDIX B RISK MATRIX 15
Guidance
Service Divisions, Colleges and Research Schools must conduct a Fraud Risk Assessment or update their previous assessment every 2 years or sooner if a significant operational change is implemented, which could heighten the risk of fraud. The template is used to list all areas of potential risk, identify the sources and impacts of the risk, and document current controls and planned treatments.
When completing the template, various areas of potential fraud risk are identified, along with the source and impact of the risk. Subsequently, existing controls that manage the risk are identified and management makes an assessment of the current level of residual risk, using the risk matrix (Appendix B), to assign a risk rating. Management is then required to develop action plans to manage this residual risk, and assign accountability for the action plans.
A risk that has been assessed as low is an acceptable risk that can be managed by routine procedures. A risk that has been assessed as moderate requires the responsible area to develop and implement a risk action plan with specific monitoring or response procedures.
All extreme and high risks require immediate action by senior management. Line areas should consult the Corporate Governance & Risk Office (CGRO) as soon as possible for advice on developing a risk action plan. CGRO will report extreme and high fraud risks and the resultant risk action plans to the ARMC.
Action plans developed to manage the risks identified are documented in the Risk Action Plan section, with assigned owners and timelines, to track implementation and to monitor progress of planned risk mitigation strategies.
The following attached appendices provide further information to assist in completing the assessment:
Appendix A contains a list of fraud indicators and example controls that may assist in the completion of this template.
Appendix B is the Risk Matrix that is used to determine the risk rating of an identified risk.
Fraud Risk Assessment Template
# Fraud Risk Risk Sources and Impacts (Method)
Current Fraud Controls (Existing Controls)
Current Risk(Controls in
place)
Accept risk?
Treatment plans to manage the risk Person responsible
Broad Risk Area
Human Resources
1 Human ResourcesFalsified documentation
Falsified testimonials and qualifications provided by a prospective employee in order to secure a position at the University or by an existing employee for remuneration benefit, through a promotion etc.
Employees are asked to provide original or certified qualifications prior to commencement.
Reference checks carried out on new joiners in order to validate employment history and work experience.
Consequence: Likelihood: Risk Rating:
2 Falsified claims for leaveAbsence of leave applications for leave taken
Staff take leave without booking through HORUS to maximise leave balances.
Supervisors are aware of staff movements for any period of time and ensure that leave applications are submitted and approved.
Consequence: Likelihood: Risk Rating:
# Fraud Risk Risk Sources and Impacts (Method)
Current Fraud Controls (Existing Controls)
Current Risk(Controls in
place)
Accept risk?
Treatment plans to manage the risk Person responsible
3 Inappropriate access to staff and student personal information
Unauthorised access or misuse of privilege access to staff or students’ personal information through the Student Administration and Human Resources Management System for personal gain.
HRMS access is only provided on a need to know basis through a formal approval process.
Consequence: Likelihood: Risk Rating:
4 Inflated working hours
An employee inflates the casual hours worked or overtime claims for personal gain.
A casual employee cannot submit a timesheet for payment before it is approved by their supervisor.
Supervisors track staff workload and deliverables prior to authorising timesheets.
Consequence: Likelihood: Risk Rating:
# Fraud Risk Risk Sources and Impacts (Method)
Current Fraud Controls (Existing Controls)
Current Risk(Controls in
place)
Accept risk?
Treatment plans to manage the risk Person responsible
Finance
5 Dishonest claims by third party
Payments to contractors/consultants are approved prior to completion of work or work is not performed to required standard.
Invoices submitted are inflated by the contractor or supplier and do not agree with the original contract.
Formal process of reviewing the cost and deliverables against contracts prior to authorisation of payment.
Appropriate delegation levels assigned to approve payments.
Consequence: Likelihood: Risk Rating:
6 Personal expenditure charged to the ANU Purchase Card not repaid
Lack of oversight by supervisors of staff members making claims for private or inappropriate expenditure, either through the reimbursement process or on the University purchase card.
Staff members submit a claim through the reimbursement process after charging the expense to the purchase card. (duplicate claim)
All credit card transactions greater than the allowed threshold to be supported by receipts.
A monthly review of credit card statements to supporting documentation to ensure purchases are appropriate and follow up unsupported or inappropriate transactions with relevant staff and take appropriate action.
Consequence: Likelihood: Risk Rating:
# Fraud Risk Risk Sources and Impacts (Method)
Current Fraud Controls (Existing Controls)
Current Risk(Controls in
place)
Accept risk?
Treatment plans to manage the risk Person responsible
7 Falsified travel claims
Staff falsify travel claims, either to utilise for private expenditure or to receive a per diem.
Staff do not provide adequate supporting documentation and detailed travel itinerary/invoice from University appointed travel agents or provide fake documentation when seeking travel approval.
All staff travel claims are reviewed in detail prior to being approved by their supervisor.
Consequence: Likelihood: Risk Rating:
8 Not reporting FBT entertainment expenses
Staff incur entertainment expenses without appropriately disclosing FBT declarations.
The University has a food and drink FBT declaration which must be adhered to and all entertainment expenditure is to be supported by receipts.
Consequence: Likelihood: Risk Rating:
# Fraud Risk Risk Sources and Impacts (Method)
Current Fraud Controls (Existing Controls)
Current Risk(Controls in
place)
Accept risk?
Treatment plans to manage the risk Person responsible
Procurement Activities
9 Contracts awarded to service providers/vendors without adherence to the University’s Procurement policy.
Appointments of contractors/ consultants are not in accordance with the University’s procurement policy and procedures.
Procurement being divided or split into separate parts to circumvent the procurement threshold.
Purchasing goods and/or services from suppliers who are current employees of the University.
An appointed person checks to ensure that all procurement activities need to comply with the University’s procurement threshold requirements.
Independent and objective members on the evaluation panel are to ensure the procurement process is undertaken in accordance with appropriate probity and approval process.
Consequence: Likelihood: Risk Rating:
# Fraud Risk Risk Sources and Impacts (Method)
Current Fraud Controls (Existing Controls)
Current Risk(Controls in
place)
Accept risk?
Treatment plans to manage the risk Person responsible
10 Conflict of Interest and Collusion
Staff do not declare a material personal interest in a significant University transaction or contract.
Collusive practices between suppliers and staff resulting in the awarding of goods & services in exchange for a benefit.
Personal interests are declared including any interest in any entity with which the University conducts business.
Declared company directorships, secretaryships and partnerships require approval.
Awareness of the University’s Code of Conduct through compulsory induction training.
Appropriate delegation levels assigned to senior management.
Independent members on the contract evaluation panel will minimise the likelihood of collusion.
Consequence: Likelihood: Risk Rating:
# Fraud Risk Risk Sources and Impacts (Method)
Current Fraud Controls (Existing Controls)
Current Risk(Controls in
place)
Accept risk?
Treatment plans to manage the risk Person responsible
11 Bribes to University staff by third parties
Staff received private gifts/benefits from service providers in exchange for the award of a contract.
Staff must declare all gifts received from third parties, regardless of the value of the gift.
Colleges and Service Divisions should maintain a gifts register to track amounts on a cumulative basis.
Consequence: Likelihood: Risk Rating:
Assets
12 Theft or unreturned property
Staff leaving the ANU without returning ANU property such as (iPads, phones, purchase cards etc);
Theft of physical assets such as IT devices, tools etc
Staff are required to complete the University’s Code of Conduct training.
Exit Checklist is required to be completed and signed off by the appropriate delegate prior to the release of the final termination pay.
Consequence: Likelihood: Risk Rating:
13 Information SystemsUnauthorised staff accessing systemsStaff selling, leaking or misusing information
Staff obtain access to documents containing confidential and sensitive information with the intention of misusing the information.
Access to documents containing confidential and sensitive information is secured and provided on a need to know basis.
Consequence: Likelihood: Risk Rating:
# Fraud Risk Risk Sources and Impacts (Method)
Current Fraud Controls (Existing Controls)
Current Risk(Controls in
place)
Accept risk?
Treatment plans to manage the risk Person responsible
Academic Integrity (if applicable)
14 Manipulation of student enrolments or student results
Staff inflate the marked grades of students in exchange for a benefit
Staff perform favours in exchange for a kickback (eg. award a credit to waive the requirement for first year study)
Staff, in collusion with overseas students or an agent, manipulate applications which would normally be rejected.
Research School Board of Examiners reviews results for inconsistencies, courses are delivered by different lecturers.
Secure handling of exam papers.
Checking of exam result processing by more than one staff member.
Segregation of duties between Research School staff and student admissions team.
Consequence: Likelihood: Risk Rating:
15 Students gain unauthorised access to exam papers
Staff provide a copy of an exam paper or the security of the exam paper is compromised eg. theft, leaking.
Secure handling of exam papers.
Policies and procedures relating to secure storage and handling of exam papers.
Consequence: Likelihood: Risk Rating:
# Fraud Risk Risk Sources and Impacts (Method)
Current Fraud Controls (Existing Controls)
Current Risk(Controls in
place)
Accept risk?
Treatment plans to manage the risk Person responsible
16 Unwarranted grant of scholarship
Student is granted a scholarship without meeting the scholarship requirements.
Checks on the validity of a scholarship before it is approved and processed.
Delegation Framework outlines the authorised approver of the scholarship grant.
Consequence: Likelihood: Risk Rating:
17 Falsification or plagiarism of research work for personal gain or benefit
An Academic plagiarises another person’s work or self-plagiarises own work to different publications.
An Academic falsifies research data which results in additional grant funding.
Academic Research Misconduct Procedures.
Ethics Protocol which includes reference to secure storage of data and software systems.
Consequence: Likelihood: Risk Rating:
Risk Action Plan
A risk that has been assessed as low is an acceptable risk that can be managed by routine procedures. A risk that has been assessed as moderate requires the responsible area to develop and implement a risk action plan with specific monitoring or response procedures.
All extreme and high risks require immediate action by senior management. Line areas should consult the Corporate Governance & Risk Office (CGRO) as soon as possible for advice on developing a risk action plan. CGRO will report extreme and high fraud risks and the resultant risk action plans to the ARMC.
Action plans developed to manage the risks identified are documented in the Risk Action Plan section, with assigned owners and timelines, to track implementation and to monitor progress of planned risk mitigation strategies.
The following Risk Action Plan should be used to monitor the implementation of planned risk mitigation strategies.
Fraud Risk Action # Risk mitigation action Owner and
Timeframe Status
Risk TitleRisk description
1.1 xxx Officer responsible
Due date
Not started
Appendix A Fraud Indicators and possible controls
Fraud indicators In populating the Fraud Risk Assessment template, the following prompts may be useful to assist Colleges and Service Divisions to capture as many fraud risks across the business cycle as possible.
Account payable Cash handling Procurement Asset management Travel Payroll Employee Leave Staff Reimbursement Pre-employment Screening Examination Procedures ITS Security Student Grades Private Consulting Research Integrity International Agents
Within each of these business-cycle areas a number of fraud risks may exist, for example:
Non-enforcement of the University’s Code of Conduct or other policies and procedures
End-of-period transactions that are complex, unusual or significant
Unexplained changes in trends or financial statements High staff turnover Low staff morale Inventory shortages Staff members with excessive annual leave entitlements Multiple changes to student exam results Changes in a staff member’s lifestyle or behaviour.
ControlsThe following examples may assist Service Divisions, Colleges and Research Schools to identify controls and risk mitigation strategies:
Clearly defined lines of authority and responsibilities for decision-making as outlined in policies and procedures
Separation of duties to ensure that more than one person is required to complete a task as outlined in policies and procedures
Physical safeguards, such as locks, sign-out procedures and inventory tags, over assets to prevent) unauthorised acquisition, use or disposition of ANU assets
Proper documentation, paper or electronic, to support the completion of the lifecycle of a transaction or activity, including evidence that the transaction or activity was performed, who performed it and where authority to perform came from and appropriate storage protocols as outlined in policies and procedures
Proper approvals and delegations that are specific, appropriate, accurate and comply with policy and procedures
Physical inventories, undertaken frequently, over assets to ensure timely detection of authorised acquisition, use and disposition of ANU assets
Independent validation of transaction accuracy as part of checking and reporting procedures
Enforcement of conflict of interest declarations Requiring staff members to take holidays over university shut
down periods Mandatory compliance with gift policy and the regular checking
and reporting of a gift register Proper training of staff on fraud management principles and
activities Extensive pre-employment checks, including police checks.
Appendix B Risk Matrix
Risk Rating MatrixIMPACT/CONSEQUENCE
LIKELIHOOD5 4 3 2 1
Catastrophic Major Moderate Minor Insignificant
5 Almost Certain
Extreme(25)
Extreme(20)
High(15)
High(10)
Moderate(5)
4 Likely Extreme(20)
High(16)
High(12)
Moderate(8)
Moderate(4)
3 Possible High(15)
High(12)
Moderate(9)
Moderate(6)
Low(3)
2 Unlikely High(10)
Moderate(8)
Moderate(6)
Low(4)
Low(2)
1 Rare Moderate(5)
Moderate(4)
Low(3)
Low(2)
Low(1)
Risk is typically assessed as a function of the likelihood of the risk and the consequence of it materialising. As a result, not all risks are the same and should not be managed as such. The ANU uses a risk management matrix to assess the level of risk and facilitate an appropriate response. The matrix and accompanying definitions and escalation protocols are designed to provided staff with guidance on what to do (monitor or mitigate the risk) and where to escalate the risk (i.e. to line manager or higher). The risk matrix is the endorsed framework for assessing risks at all levels within the university (strategic, operational and day-to-day) and should be used to determine an appropriate course of action.
Risk Rating Descriptors and Mitigating Action Requirements
Risk Rating Score Description Action Required
Extreme 20 - 25 Risks that significantly exceed the acceptable tolerance and need urgent and immediate attention.
University Executive responsibility, immediate treatment required. - Escalate to the responsible University Executive immediately with a detailed treatment plan. - Report to the Vice-Chancellor, ARMC and Council.
High 16 - 10 Risks that exceed the risk acceptance threshold and require proactive management.
College GM/Service Division Director/Head of School responsibility. Treatment required.- Escalate to responsible management immediately with detailed treatment plan to reduce risks to an acceptable level within 3 months. - Report to COO or DVCs and ARMC, as appropriate.
Moderate 4 - 9 Risks that are within the acceptable threshold and require active monitoring.
College GM/Service Division Director/Head of School responsibility. Treatment required.- Escalate to responsible management immediately with detailed treatment plan to reduce risks to an acceptable level within 3-6 months.
Low 1 - 4 Risks that are below the acceptable threshold and do not require active management.
Local line management responsibility, treatment not required. - Significant management effort should not be directed towards these risks.
Consequence Rating: Evaluation CriteriaFactors of Consequences/ Categories of
Risk
Colleges or Service Division Activity Major Projects
Reputation and Image Compliance with Legislation Disruption to Operations Financial General Environment & Social Impacts
Project Budget
Project Delays Managing Contractor/
Head Contractor
Cons
eque
nce
Cate
gory
Catastrophic
-Long term damage to reputation and standing of the University-Serious public or media outcry
with national and international coverage-Significant breakdown in strategic and/or business partnerships
-Major systemic non-conformance resulting in loss of TEQSA license, other key license or accreditation-Criminal convictions resulting in imprisonment-Significant legal penalties or regulator sanctions-Litigation including class actions jeopardising future approvals, licensing and funding.
-Disruption to services causing campus closure or key business closure for > 1 month- Critical infrastructure service loss for > 1 month.
Financial impact >$50M
-Extensive detrimental long term impacts on the environment and community.-Catastrophic and/or extensive discharge of persistent hazardous pollutant.
>20% of project budget
Project halted, major delayDuration increased >30%
Legal recourse initiated.
Major
-Sustained damage to brand/image or reputation nationally or locally-Significant adverse national media coverage- Breakdown in strategic and/or business partnership
-Systemic non-conformance resulting in suspensions or conditional licenses-University staff prosecuted without being imprisoned-Legal penalties or regulator sanctions
-Disruption to teaching/course schedules or key business activities for > 1 week-Several key operational areas closed-Critical infrastructure service losses for > 1 week.
Financial impact >$30M and<$50M
-Long term detrimental environmental or social impact- Chronic and/or significant discharge of pollutant.
10-20% of project budget
Major delayDuration increased >10%
Executive intervention
Moderate
-Significant short term damage to reputation-Heavy local media coverage
-Serious one off non-conformance resulting in suspensions or conditional licenses-University staff being subject to legal proceedings-Minor or no legal penalties
-Disruption to a number of operational areas for up to one week-Critical service interruption not back within the agreed timeframe.
Financial impact >$10M and<$30M
-Serious, discharge of pollutant-Source of community annoyance within general neighbourhood that requires remedial action.
5-10% of project budget
Significant delay Duration increased >5%
Resolved at senior management level.
Minor
-Minor, adverse local public or media attention and complaints-Reputation of a small number of people affected
-One off non-conformance-University receiving warning or other notice from regulatory authority to rectify non-conformance
-Some disruption to operational activity exceeding 1 day-Local interruption only, service loss to localised operations.
Financial impact >$5M and<$10M
-Short term, detrimental effect on the environment or social impact- Minor discharge of pollutants within local neighbourhood.
1-5% of project budget
Short delayDuration increased < 2%
Resolved at working level.
Insignificant
-Issue resolved promptly by day to day management processes-Little or no adverse media coverage
-Minor non-conformance rectified internally-Unlikely to result in adverse regulatory response or action.
-Disruption of < 1 day to operational activity-No interruption to infrastructure services.
Financial impact <$5M
-No lasting detrimental effect on the environment ie. Harm, nuisance, noise, fumes, odour, dust emissions of short-term duration.
< 1% of project budget
Little or no delay Either party is irritated but no formal complaints.
# The consequences category for "Project Budget" may differ according to the overall value of the project itself. Likewise, the criteria for "Project Delays" may also vary depending on the specific project deadlines.
Likelihood Rating: Evaluation CriteriaYou will determine how likely the University will be exposed to each specific risk after taking into account current internal controls and considering factors such as:1. Anticipated frequency of occurrence;2. The external environment (e.g. regulatory, economic, competition, community expectations and market issues);3. The procedures, tools and skills currently in place; and4. History of previous events - both the University and other providers.
Likelihood ratingThe number of times within a specified period in which a risk may occur either as a consequence of business operations or through failure of operating systems, policies or procedures.
Likelihood The risk/the event Occurrence ProbabilityAlmost Certain Expected to occur in most circumstances. Multiple over 12 months >70%Likely Will probably occur in most circumstances Once every 12 months 51 - 70%Possible Might occur within a 5 year time period Once every 1 - 5 years 21 - 50%Unlikely Could occur within a specified time period Once every 5-10 years 5 - 20%Rare May only occur in exceptional circumstances Once every 20 years < 5%