pbo agency risk management plan 1314 - staff services fraud... · web viewstaff falsify travel...

Fraud Risk Assessment Template2017

Service Division / College / Research School:

Endorsed by GM (if applicable): Approved by College Dean/Research School Director/Service Division Director:

Date:

Contents

GUIDANCE 3

FRAUD RISK ASSESSMENT TEMPLATE 4

RISK ACTION PLAN 13

APPENDIX A FRAUD INDICATORS AND POSSIBLE CONTROLS 14

APPENDIX B RISK MATRIX 15

Guidance

Service Divisions, Colleges and Research Schools must conduct a Fraud Risk Assessment or update their previous assessment every 2 years or sooner if a significant operational change is implemented, which could heighten the risk of fraud. The template is used to list all areas of potential risk, identify the sources and impacts of the risk, and document current controls and planned treatments.

When completing the template, various areas of potential fraud risk are identified, along with the source and impact of the risk. Subsequently, existing controls that manage the risk are identified and management makes an assessment of the current level of residual risk, using the risk matrix (Appendix B), to assign a risk rating. Management is then required to develop action plans to manage this residual risk, and assign accountability for the action plans.

A risk that has been assessed as low is an acceptable risk that can be managed by routine procedures. A risk that has been assessed as moderate requires the responsible area to develop and implement a risk action plan with specific monitoring or response procedures.

All extreme and high risks require immediate action by senior management. Line areas should consult the Corporate Governance & Risk Office (CGRO) as soon as possible for advice on developing a risk action plan. CGRO will report extreme and high fraud risks and the resultant risk action plans to the ARMC.

Action plans developed to manage the risks identified are documented in the Risk Action Plan section, with assigned owners and timelines, to track implementation and to monitor progress of planned risk mitigation strategies.

The following attached appendices provide further information to assist in completing the assessment:

Appendix A contains a list of fraud indicators and example controls that may assist in the completion of this template.

Appendix B is the Risk Matrix that is used to determine the risk rating of an identified risk.

Fraud Risk Assessment Template

# Fraud Risk Risk Sources and Impacts (Method)

Current Fraud Controls (Existing Controls)

Current Risk(Controls in

place)

Accept risk?

Treatment plans to manage the risk Person responsible

Broad Risk Area

Human Resources

1 Human ResourcesFalsified documentation

Falsified testimonials and qualifications provided by a prospective employee in order to secure a position at the University or by an existing employee for remuneration benefit, through a promotion etc.

Employees are asked to provide original or certified qualifications prior to commencement.

Reference checks carried out on new joiners in order to validate employment history and work experience.

Consequence: Likelihood: Risk Rating:

2 Falsified claims for leaveAbsence of leave applications for leave taken

Staff take leave without booking through HORUS to maximise leave balances.

Supervisors are aware of staff movements for any period of time and ensure that leave applications are submitted and approved.





place)

Accept risk?


3 Inappropriate access to staff and student personal information

Unauthorised access or misuse of privilege access to staff or students’ personal information through the Student Administration and Human Resources Management System for personal gain.

HRMS access is only provided on a need to know basis through a formal approval process.


4 Inflated working hours

An employee inflates the casual hours worked or overtime claims for personal gain.

A casual employee cannot submit a timesheet for payment before it is approved by their supervisor.

Supervisors track staff workload and deliverables prior to authorising timesheets.





place)

Accept risk?


Finance

5 Dishonest claims by third party

Payments to contractors/consultants are approved prior to completion of work or work is not performed to required standard.

Invoices submitted are inflated by the contractor or supplier and do not agree with the original contract.

Formal process of reviewing the cost and deliverables against contracts prior to authorisation of payment.

Appropriate delegation levels assigned to approve payments.


6 Personal expenditure charged to the ANU Purchase Card not repaid

Lack of oversight by supervisors of staff members making claims for private or inappropriate expenditure, either through the reimbursement process or on the University purchase card.

Staff members submit a claim through the reimbursement process after charging the expense to the purchase card. (duplicate claim)

All credit card transactions greater than the allowed threshold to be supported by receipts.

A monthly review of credit card statements to supporting documentation to ensure purchases are appropriate and follow up unsupported or inappropriate transactions with relevant staff and take appropriate action.





place)

Accept risk?


7 Falsified travel claims

Staff falsify travel claims, either to utilise for private expenditure or to receive a per diem.

Staff do not provide adequate supporting documentation and detailed travel itinerary/invoice from University appointed travel agents or provide fake documentation when seeking travel approval.

All staff travel claims are reviewed in detail prior to being approved by their supervisor.


8 Not reporting FBT entertainment expenses

Staff incur entertainment expenses without appropriately disclosing FBT declarations.

The University has a food and drink FBT declaration which must be adhered to and all entertainment expenditure is to be supported by receipts.





place)

Accept risk?


Procurement Activities

9 Contracts awarded to service providers/vendors without adherence to the University’s Procurement policy.

Appointments of contractors/ consultants are not in accordance with the University’s procurement policy and procedures.

Procurement being divided or split into separate parts to circumvent the procurement threshold.

Purchasing goods and/or services from suppliers who are current employees of the University.

An appointed person checks to ensure that all procurement activities need to comply with the University’s procurement threshold requirements.

Independent and objective members on the evaluation panel are to ensure the procurement process is undertaken in accordance with appropriate probity and approval process.





place)

Accept risk?


10 Conflict of Interest and Collusion

Staff do not declare a material personal interest in a significant University transaction or contract.

Collusive practices between suppliers and staff resulting in the awarding of goods & services in exchange for a benefit.

Personal interests are declared including any interest in any entity with which the University conducts business.

Declared company directorships, secretaryships and partnerships require approval.

Awareness of the University’s Code of Conduct through compulsory induction training.

Appropriate delegation levels assigned to senior management.

Independent members on the contract evaluation panel will minimise the likelihood of collusion.





place)

Accept risk?


11 Bribes to University staff by third parties

Staff received private gifts/benefits from service providers in exchange for the award of a contract.

Staff must declare all gifts received from third parties, regardless of the value of the gift.

Colleges and Service Divisions should maintain a gifts register to track amounts on a cumulative basis.


Assets

12 Theft or unreturned property

Staff leaving the ANU without returning ANU property such as (iPads, phones, purchase cards etc);

Theft of physical assets such as IT devices, tools etc

Staff are required to complete the University’s Code of Conduct training.

Exit Checklist is required to be completed and signed off by the appropriate delegate prior to the release of the final termination pay.


13 Information SystemsUnauthorised staff accessing systemsStaff selling, leaking or misusing information

Staff obtain access to documents containing confidential and sensitive information with the intention of misusing the information.

Access to documents containing confidential and sensitive information is secured and provided on a need to know basis.





place)

Accept risk?


Academic Integrity (if applicable)

14 Manipulation of student enrolments or student results

Staff inflate the marked grades of students in exchange for a benefit

Staff perform favours in exchange for a kickback (eg. award a credit to waive the requirement for first year study)

Staff, in collusion with overseas students or an agent, manipulate applications which would normally be rejected.

Research School Board of Examiners reviews results for inconsistencies, courses are delivered by different lecturers.

Secure handling of exam papers.

Checking of exam result processing by more than one staff member.

Segregation of duties between Research School staff and student admissions team.


15 Students gain unauthorised access to exam papers

Staff provide a copy of an exam paper or the security of the exam paper is compromised eg. theft, leaking.

Secure handling of exam papers.

Policies and procedures relating to secure storage and handling of exam papers.





place)

Accept risk?


16 Unwarranted grant of scholarship

Student is granted a scholarship without meeting the scholarship requirements.

Checks on the validity of a scholarship before it is approved and processed.

Delegation Framework outlines the authorised approver of the scholarship grant.


17 Falsification or plagiarism of research work for personal gain or benefit

An Academic plagiarises another person’s work or self-plagiarises own work to different publications.

An Academic falsifies research data which results in additional grant funding.

Academic Research Misconduct Procedures.

Ethics Protocol which includes reference to secure storage of data and software systems.


Risk Action Plan

A risk that has been assessed as low is an acceptable risk that can be managed by routine procedures. A risk that has been assessed as moderate requires the responsible area to develop and implement a risk action plan with specific monitoring or response procedures.

All extreme and high risks require immediate action by senior management. Line areas should consult the Corporate Governance & Risk Office (CGRO) as soon as possible for advice on developing a risk action plan. CGRO will report extreme and high fraud risks and the resultant risk action plans to the ARMC.

Action plans developed to manage the risks identified are documented in the Risk Action Plan section, with assigned owners and timelines, to track implementation and to monitor progress of planned risk mitigation strategies.

The following Risk Action Plan should be used to monitor the implementation of planned risk mitigation strategies.

Fraud Risk Action # Risk mitigation action Owner and

Timeframe Status

Risk TitleRisk description

1.1 xxx Officer responsible

Due date

Not started

Appendix A Fraud Indicators and possible controls

Fraud indicators In populating the Fraud Risk Assessment template, the following prompts may be useful to assist Colleges and Service Divisions to capture as many fraud risks across the business cycle as possible.

Account payable Cash handling Procurement Asset management Travel Payroll Employee Leave Staff Reimbursement Pre-employment Screening Examination Procedures ITS Security Student Grades Private Consulting Research Integrity International Agents

Within each of these business-cycle areas a number of fraud risks may exist, for example:

Non-enforcement of the University’s Code of Conduct or other policies and procedures

End-of-period transactions that are complex, unusual or significant

Unexplained changes in trends or financial statements High staff turnover Low staff morale Inventory shortages Staff members with excessive annual leave entitlements Multiple changes to student exam results Changes in a staff member’s lifestyle or behaviour.

ControlsThe following examples may assist Service Divisions, Colleges and Research Schools to identify controls and risk mitigation strategies:

Clearly defined lines of authority and responsibilities for decision-making as outlined in policies and procedures

Separation of duties to ensure that more than one person is required to complete a task as outlined in policies and procedures

Physical safeguards, such as locks, sign-out procedures and inventory tags, over assets to prevent) unauthorised acquisition, use or disposition of ANU assets

Proper documentation, paper or electronic, to support the completion of the lifecycle of a transaction or activity, including evidence that the transaction or activity was performed, who performed it and where authority to perform came from and appropriate storage protocols as outlined in policies and procedures

Proper approvals and delegations that are specific, appropriate, accurate and comply with policy and procedures

Physical inventories, undertaken frequently, over assets to ensure timely detection of authorised acquisition, use and disposition of ANU assets

Independent validation of transaction accuracy as part of checking and reporting procedures

Enforcement of conflict of interest declarations Requiring staff members to take holidays over university shut

down periods Mandatory compliance with gift policy and the regular checking

and reporting of a gift register Proper training of staff on fraud management principles and

activities Extensive pre-employment checks, including police checks.

Appendix B Risk Matrix

Risk Rating MatrixIMPACT/CONSEQUENCE

LIKELIHOOD5 4 3 2 1

Catastrophic Major Moderate Minor Insignificant

5 Almost Certain

Extreme(25)

Extreme(20)

High(15)

High(10)

Moderate(5)

4 Likely Extreme(20)

High(16)

High(12)

Moderate(8)

Moderate(4)

3 Possible High(15)

High(12)

Moderate(9)

Moderate(6)

Low(3)

2 Unlikely High(10)

Moderate(8)

Moderate(6)

Low(4)

Low(2)

1 Rare Moderate(5)

Moderate(4)

Low(3)

Low(2)

Low(1)

Risk is typically assessed as a function of the likelihood of the risk and the consequence of it materialising. As a result, not all risks are the same and should not be managed as such. The ANU uses a risk management matrix to assess the level of risk and facilitate an appropriate response. The matrix and accompanying definitions and escalation protocols are designed to provided staff with guidance on what to do (monitor or mitigate the risk) and where to escalate the risk (i.e. to line manager or higher). The risk matrix is the endorsed framework for assessing risks at all levels within the university (strategic, operational and day-to-day) and should be used to determine an appropriate course of action.

Risk Rating Descriptors and Mitigating Action Requirements

Risk Rating Score Description Action Required

Extreme 20 - 25 Risks that significantly exceed the acceptable tolerance and need urgent and immediate attention.

University Executive responsibility, immediate treatment required. - Escalate to the responsible University Executive immediately with a detailed treatment plan. - Report to the Vice-Chancellor, ARMC and Council.

High 16 - 10 Risks that exceed the risk acceptance threshold and require proactive management.

College GM/Service Division Director/Head of School responsibility. Treatment required.- Escalate to responsible management immediately with detailed treatment plan to reduce risks to an acceptable level within 3 months. - Report to COO or DVCs and ARMC, as appropriate.

Moderate 4 - 9 Risks that are within the acceptable threshold and require active monitoring.

College GM/Service Division Director/Head of School responsibility. Treatment required.- Escalate to responsible management immediately with detailed treatment plan to reduce risks to an acceptable level within 3-6 months.

Low 1 - 4 Risks that are below the acceptable threshold and do not require active management.

Local line management responsibility, treatment not required. - Significant management effort should not be directed towards these risks.

Consequence Rating: Evaluation CriteriaFactors of Consequences/ Categories of

Risk

Colleges or Service Division Activity Major Projects

Reputation and Image Compliance with Legislation Disruption to Operations Financial General Environment & Social Impacts

Project Budget

Project Delays Managing Contractor/

Head Contractor

Cons

eque

nce

Cate

gory

Catastrophic

-Long term damage to reputation and standing of the University-Serious public or media outcry

with national and international coverage-Significant breakdown in strategic and/or business partnerships

-Major systemic non-conformance resulting in loss of TEQSA license, other key license or accreditation-Criminal convictions resulting in imprisonment-Significant legal penalties or regulator sanctions-Litigation including class actions jeopardising future approvals, licensing and funding.

-Disruption to services causing campus closure or key business closure for > 1 month- Critical infrastructure service loss for > 1 month.

Financial impact >$50M

-Extensive detrimental long term impacts on the environment and community.-Catastrophic and/or extensive discharge of persistent hazardous pollutant.

>20% of project budget

Project halted, major delayDuration increased >30%

Legal recourse initiated.

Major

-Sustained damage to brand/image or reputation nationally or locally-Significant adverse national media coverage- Breakdown in strategic and/or business partnership

-Systemic non-conformance resulting in suspensions or conditional licenses-University staff prosecuted without being imprisoned-Legal penalties or regulator sanctions

-Disruption to teaching/course schedules or key business activities for > 1 week-Several key operational areas closed-Critical infrastructure service losses for > 1 week.

Financial impact >$30M and<$50M

-Long term detrimental environmental or social impact- Chronic and/or significant discharge of pollutant.

10-20% of project budget

Major delayDuration increased >10%

Executive intervention

Moderate

-Significant short term damage to reputation-Heavy local media coverage

-Serious one off non-conformance resulting in suspensions or conditional licenses-University staff being subject to legal proceedings-Minor or no legal penalties

-Disruption to a number of operational areas for up to one week-Critical service interruption not back within the agreed timeframe.


-Serious, discharge of pollutant-Source of community annoyance within general neighbourhood that requires remedial action.


Significant delay Duration increased >5%

Resolved at senior management level.

Minor

-Minor, adverse local public or media attention and complaints-Reputation of a small number of people affected

-One off non-conformance-University receiving warning or other notice from regulatory authority to rectify non-conformance

-Some disruption to operational activity exceeding 1 day-Local interruption only, service loss to localised operations.


-Short term, detrimental effect on the environment or social impact- Minor discharge of pollutants within local neighbourhood.


Short delayDuration increased < 2%

Resolved at working level.

Insignificant

-Issue resolved promptly by day to day management processes-Little or no adverse media coverage

-Minor non-conformance rectified internally-Unlikely to result in adverse regulatory response or action.

-Disruption of < 1 day to operational activity-No interruption to infrastructure services.

Financial impact <$5M

-No lasting detrimental effect on the environment ie. Harm, nuisance, noise, fumes, odour, dust emissions of short-term duration.

< 1% of project budget

Little or no delay Either party is irritated but no formal complaints.

# The consequences category for "Project Budget" may differ according to the overall value of the project itself. Likewise, the criteria for "Project Delays" may also vary depending on the specific project deadlines.

Likelihood Rating: Evaluation CriteriaYou will determine how likely the University will be exposed to each specific risk after taking into account current internal controls and considering factors such as:1. Anticipated frequency of occurrence;2. The external environment (e.g. regulatory, economic, competition, community expectations and market issues);3. The procedures, tools and skills currently in place; and4. History of previous events - both the University and other providers.

Likelihood ratingThe number of times within a specified period in which a risk may occur either as a consequence of business operations or through failure of operating systems, policies or procedures.

Likelihood The risk/the event Occurrence ProbabilityAlmost Certain Expected to occur in most circumstances. Multiple over 12 months >70%Likely Will probably occur in most circumstances Once every 12 months 51 - 70%Possible Might occur within a 5 year time period Once every 1 - 5 years 21 - 50%Unlikely Could occur within a specified time period Once every 5-10 years 5 - 20%Rare May only occur in exceptional circumstances Once every 20 years < 5%

pbo agency risk management plan 1314 - staff services fraud... · web viewstaff falsify travel...

Documents