Governance
Corporate governance incorporates the management arrangements put in place to direct, control and report on the activities and functions of organisations and how they relate to all external parties. These arrangements determine the delegation of roles, rights and responsibilities between the different stakeholders and participants in the organisation. They define the rules, procedures and levels for making decisions on all corporate matters. They also define the processes for establishing the organisation's objectives, aims and policies, implementing the strategic and business plans and allocating budgets and resources. They include establishing and maintaining a clear and consistent hierarchy of policies, procedures, system of internal control, and assurance and reporting mechanisms. It is through these management arrangements that the objectives and plans are risk assessed and the performance and results are measured, regularly monitored and reported. These arrangements need to be fully documented and communicated to stakeholders and staff throughout the organisation and appropriate training provided.
The chief executive / accounting officer has responsibility for maintaining a sound system of internal control that supports the achievement of the organisation's objectives, aims and policies whilst safeguarding funds and assets. The internal control system should be designed to respond to and manage the risks which organisations face in the achievement of their objectives, aims and policies. The role of internal audit is to deliver an opinion to the chief executive / accounting officer on the whole of an organisation's risk management, system of internal control and corporate governance arrangements. Organisations operating in all sectors are now required to describe their corporate governance statement / statement on internal control and the results of the annual review of its effectiveness in the annual report and accounts.
Managing the Risk of Fraud and Irregularities
In the context of corporate governance, the occurrence of fraud / irregularities is just one of many risks an organisation faces and needs to manage. Fraud can include theft, false accounting, bribery and corruption, deception and collusion. Managing fraud and irregularity risk combines the probability of them occurring and the corresponding impact measured in monetary terms. Preventative controls and the creation of the right type of corporate culture will tend to reduce the likelihood of fraud and irregularities occurring, while detective controls and effective contingency planning can reduce the size of losses.
Everyone in an organisation contributes to the management of fraud risk. This starts at the top, where senior management set the tone of the organisation and promote an anti-fraud culture throughout the organisation. Operational staff design, implement and operate the control actions required to minimise risk. The human resource function ensures that the right staff are recruited, trained and given development opportunities; accommodation services ensure physical security; and IT services promote computer and data security.
An organisation’s approach to fraud should be communicated throughout the organisation, including to contractors and third parties delivering services on behalf of the organisation. Senior management should try to create the conditions in which staff have neither the motivation nor the opportunity to commit fraud. Under the right conditions staff are themselves an excellent deterrent against fraud and they should have avenues for reporting suspicions of fraud. Staff should be encouraged to report suspicions of fraud either to their line managers, internal audit or to a hotline set up for this purpose.
A clear statement of commitment to ethical behaviour throughout the organisation should help to ensure that staff know that they are expected to follow the rules without circumventing controls and that they should avoid or declare any conflicts of interest. Establishing all these arrangements contributes to an anti-fraud culture.
There are usually two key documents used in establishing and promoting an anti-fraud culture: the Fraud Policy Statement and the Fraud Response Plan. The Fraud Policy Statement should state that the organisation takes fraud very seriously and has a “zero tolerance” approach. It should require all staff at all times to act honestly and with integrity and to safeguard the resources for which they are responsible. It should state that all cases of actual or suspected fraud will be rigorously and promptly investigated and dealt with appropriately through legal and disciplinary actions. These actions would be against the perpetrators of fraud, supervisors where supervisory failures have contributed to the commission of fraud, and staff who fail to report fraud, and would also be for the recovery of assets.
The overall management of anti-fraud activities should be allocated to an appropriate senior officer such as the principal finance officer. This appointment and the officer's responsibilities should be stated in the policy statement along with the responsibilities of other operational managers and individual staff for managing the risk of fraud and irregularities. Management has the responsibility for conducting fraud investigations but internal audit may be asked to assist, and in some organisations may have responsibility for conducting investigations delegated to them. Fraud investigation is an area that requires specialist knowledge, and where management or internal audit has this responsibility they need to develop and maintain appropriate levels of expertise.
The Fraud Response Plan should describe how to report suspicions that a fraud has been committed or that suspicious circumstances have been seen, how investigations will be conducted and concluded, and require full co-operation with whoever is conducting fraud investigations or internal checks or reviews. The organisation then needs to define and maintain an adequate system of internal controls that helps prevent and detect fraud when it occurs. This system should be tested regularly to ensure it operates effectively. A risk assessment of the types of fraud that could occur, commensurate with the levels of control maintained and the risk of potential exposure, should be carried out regularly on all the activities and functions of the organisation. Also, where a fraud has taken place, the system should require new controls to be introduced to reduce the risk of similar fraud occurring.