Baker Kosmac-Okwir, CFE, CIA, CPA,CGAP,
Fraud and Forensic Unit
Directorate of Internal Audit Services
Ministry of Finance, Planning and Economic Development
October 22, 2009
FOR THE FRAUD AND FORENSICS
UNIT (FFU) OF THE DIRECTORATE
OF INTERNAL AUDIT SERVICES
A
CRONYMS AND
A
BBREVIATION
IIA Institute of Internal Auditors
ACFE Association of Certified Fraud Examiners
IPPF International Professional Practice Framework
MFPED Ministry of Finance, Planning and Economic Development
FFU Fraud and Forensic Unit
FT The Forensic Tongue
MDAs Ministries Departments and Agencies
GOU Government of Uganda
IAD Internal Audit Services
GRC Governance, Risk Management and Control
CFE Certified Fraud Examiners
T
ABLE OF
C
ONTENTS
Acronyms and Abbreviation ... 2
Table of Contents ... 3
Acknowledgement ... 4
EXECUTIVE SUMMARY ... 5
INTRODUCTION ... 7
VISION ... 7
MISSION ... 8
CORE VALUES ... 8
GOAL ... 10
STRATEGIC OBJECTIVES ... 10
MANDATE ... 11
SCOPE, FUNCTIONS AND KEY ACTIONS ... 12
SWOT ANALYSIS ... 13
ANTI-FRAUDIMPLEMENTATION STRATEGY ... 16
A
CKNOWLEDGEMENT
EXECUTIVE
SUMMARY
This document defines a strategic plan for the Fraud and Forensic Unit (FFU) of the Directorate of Internal Audit Services (IAD) of the Ministry of Finance planning and Economic Development (MFPED) in the Government of Uganda (GOU). It covers the strengths, weaknesses, threats and opportunities; presents a series of fundamental statements relating to the FFU's vision, mission, values and objectives; and sets out the FFU's proposed strategies, goals and action programs. This is the first step in developing formalised structures in MFPED to deal with Fraud and forensics in the MDAs. Fraud is a specialised area that requires specialised and dedicated staff resources to deal with allegations and development of value adding solutions for preparation and deterring fraud
The Institute of Internal Auditors (IIA) International Professional Practice Framework (IPPF) 2009 Standard 2120.A2 requires the internal audit activity to evaluate the potential for the occurrence of FRAUD and how the organisation manages the Fraud risk. Standard 2210.A2 requires internal auditors to consider the probability of significant errors, FRAUD, noncompliance, and other exposures when development the engagement objectives.
I ter al audit is a i porta t o po e t of the go er e t’s financial management system
and expenditure control framework. A strong internal audit function helps ensure that the government agencies provide the public goods and services in an efficient and effective manner and that the risks of fraud, waste and misuse of public funds are minimized. Accordingly, the government internal audit in Uganda can make a valuable contribution to the economic development of the country which is engaged in the struggle to eradicate poverty and to achieve a better quality of life for its citizens.
the directorate of inspectorate and internal Audit (IIAD) will devote resources to prevention, investigation, detection and control solutions within the auditable Ministries, Departments and Agencies (MDA).
It’s therefore, i porta t to ha e a poli for fighting fraud as internal audit Directorate. The Forensics and Fraud Unit (FFU) in the Directorate of Internal Audit Services is intended to
stre gthe the Go er e t’s a ti-fraud efforts by adopting a robust fraud methodology, developing train and improving inter institutional relations with other public agencies engaged
i fighti g fraud. It’s therefore, esse tial to ha e a u it e tirel a d e lusi el dedi ated to
fraud.
Preparing the internal audit fraud unit to deal with fraud will have significant benefits for the Accounting Officers and the public administration in the Governance, Risk and Control assessments as well as capacity to prevent fraud.
The FFU would recommend actions to be taken to discourage the commission of fraud and limit fraud exposures when it occurs by assessing fraud risks, examining and evaluating the adequacy and effectiveness of the ministries internal controls system commensurate with the extent of a potential exposure.This plan provides the foundation for positive change within our operations and provides a roadmap for our future. We will implement these changes incrementally.
This strategic plan will be used to guide the work of the FFU and to communicate its results. It will serve as the means for demonstrating how the FFU fulfils its mandate on behalf of Directorate of Internal Audit Services. In its work, the FFU will be guided by, and comply with, Uganda Laws, the professional standards established by professional bodies and anti-fraud audit-related best practices in other jurisdictions.
INTRODUCTION
The IIA defines Fraud as any illegal act characterised by deceit, concealing or violation of
trust. Fraud e compasses an array of illegularaties and illegal acts characterized by intentional deception.
It can be perpetrated for the benefit of or to the detriment of the organization and by persons outside as well as inside the organization the acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organisations to obtain money, property, or services, to avoid payment or loss of services or to secure personal or business advantage.
The Forensics and Fraud Unit (FFU) in the Directorate of internal audit will strengthen the directorate by helping— Identify fraud and the causes of fraud in the Ministries, Departments and Agencies (MDA); assist ministries in fraud risks assessment (as all ministries are exposed to a degree of fraud risk). The unit will evaluate the extent to which effective internal controls are present to prevent and or detect fraud, and the honesty and integrity of those involved in the process). The FFU will help the Directorate accomplish its objectives by bringing a systematic disciplined approach to evaluate and improve the effectiveness of risk management, control, and Governance process in the MDAs.
This document initiates a comprehensive and highly consultative strategic planning process to identify the priorities and strategies for the FFU over the next three years. This strategic plan represent a common vision for the FFU that is a result of discussions with all staff along with the input of key stakeholders.
VISION
MISSION
To support the internal audit department to carry out its vision by providing anti-fraud solutions that will—Prevent, Detect, Investigate and Remedy through—financial accountability, Advocacy, Education and Enforcement.
CORE
VALUES
The FFU values are a statement of the high standards to hold in conducting ourselves and our work, and of the results we strive to achieve.
Impact FFU will focus on significant issues to make a positive and measurable difference
for the benefit of the MDAs.
We will demonstrate this by:
making decisions and exercising judgment to add value through our work;
using our skills and experience to their fullest potential;
seeking new processes and technology to do our work more effectively and efficiently;
continuously seeking innovative and better ways of doing things;
building on experience and applying best practices;
working as a team;
consulting with our stakeholders;
seeking and valuing the contribution of all our staff;
conducting and using research to stay informed about current events and future trends; and
Integrity and Ethical FFU will work together and with others in an open, honest, and
trustworthy manner while respecting the confidentiality of the
information we obtain.
We will demonstrate this by:
• open communication with the clients and our staff;
• ensuring transparency;
• respecting one another;
• telling the truth;
• considering different perspectives when making decisions;
• being objective in attitude and decision-making;
• respecting confidentiality; and
• Carrying through on promises.
Independence and
objectivity
FFU will report directly to the appointing authority at a time and
objective in the approach. FFU will adhere to professional codes of
ethics and independence standards, avoiding real and perceived
conflicts in the conduct of our work.
We demonstrate this by:
• adhering to our professional codes of ethics and independence standards;
• exhibiting independence in fact and in appearance;
• being non-partisan;
• avoiding perceived and real conflicts of interest;
• viewing situations with an appropriate degree of skepticism; and
• building and maintaining appropriate relationships.
GOAL
The priority goal is to be the number one provider of anti-fraud and forensic investigative solutions in the nation. This goal will be evidenced by:
• Nu er of Cases Opened for Investigation.
• Nu er of Arrests.
• Nu er of Cases Prese ted for Prose utio .
• Nu er of Referrals.
• A ou t of Court Ordered Restitutio
STRATEGIC
OBJECTIVES
The following strategic objectives will support our goal and the realization of our vision:
1. Developing capacity within the Directorate of internal audit to ensure that—the government assets and resources are safeguarded and actions and decisions of the ministries are in compliance with the laws and regulations;
2. Coordinate and supervise all fraud related audits by assigning most provable cases evidenced through screening & case management.
3. Develop a fraud risk profile for all ministries. Annually the FFU shall carry out fraud risk assessment and advise the IAD on key areas of focus.
4. Implement and expand anti fraud training to all MDAs. Strategies for improving the FFU shall include Human resource development through training and exposure, and resource allocation.
MANDATE
The Accountant General (AG) under the Public Finance and Accountability Act is responsible for establishing the Internal Audit in accordance with international professional standards. Section 7 (3) (h) of the Public Finance and Accountability Act 2003 (PFAA), requires the Accountant General to take precautions, by the maintenance of efficient checks, including surprise inspections, against the occurrence of FRAUD, embezzlement or mismanagement.
Section 7 (3) (c) of PFAA ensure that the system of internal control in every Government Ministry, department, fund, agency, or other reporting unit required to produce accounts under section 31 is appropriate to the needs of the organisations concerned and conforms to internationally recognised standards.
The International Standards for the Professional Practice (IPPF) requires that Internal Auditor to have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
The IPPF requires Internal Auditors to carry out a systematic review and appraisal of all operations for purposes of advising management as to the efficiency, economy and effectiveness of internal management policies, practices and controls.
SCOPE,
FUNCTIONS
AND
KEY
ACTIONS
SCOPE
The scope of work of the FFU is fraud examination, a methodology for resolving fraud allegation from inception to disposition by obtaining evidence and taking statements, writing reports testifying to finding and assisting in the detection and prevention of fraud. The scope requires the resolving of specific allegations to determine whether fraud has occurred or is occurring and to determine who is responsible by document examination, review of outside public data e.g. other public records and interviews to establish sufficient proof to support or refute a fraud allegation.
The scope will include Fraud and financial irregularity audits that are designed to verify the existence and magnitude of suspected fraud and financial irregularities. Fraud and financial irregularity audits may be conducted at the request of the Management and/or Audit Committee.
FUNCTIONS
The following summarizes key functions we will be taking to support the implementation of our strategies:
8. Identify key performance indicators to improve investigative performance; 9. Carrying out interviews and documenting the memorandum of interview; 10.Advise on policies regarding fraud prevention and detection;
11.Adhering to the standards of reporting on fraud.
KEY ACTIONS
The following summarizes key actions FFU will be taking to support the implementation of our strategies:
Prepare and implement a work plan;
Establish a consultation process to obtain input from external stakeholders;
Establish communication protocols on all phases of engagements;
Implement a risk-based methodology for selection of fraud audit priorities;
Establish and enhance a methodology based on risk planning of selected engagements;
Determine our needs for specialist expertise and options for meeting them;
Standardize our methodology;
Establish and enhance fraud audit quality assurance processes;
Encourage government to focus on implementation of our recommendations and improve processes for follow-up on engagement recommendations.
Establish aspects of our management of human resources including improved feedback on performance and implementation of a comprehensive professional development plan.
Conduct client satisfaction survey and address any issues identified.
Prepare and implement a long-term information technology strategy and tools for fraud mapping.SWOT
ANALYSIS
Strategy Selection
The strategy selection for the FFU shall be a hybrid. The strategy shall take components of
differentiation and also from network strategy. By definition differentiation is expressed in a
FRAUD PREVENTION
Table 1 shows the role— line management; risk management and compliance can play in the Prevention process.
Indeed, management is ultimately accountable for the establishment of comprehensive and compatible systems, sound operations and results and consequently for the prevention of fraud. Internal audit helps management through its analysis of each observation and its recommendation while assessing the internal controls, risks management and corporate governance of the company.
When special circumstances arise—newly discovered frauds, changed operating environment, restructuring, a new assessment should be performed. The communication of anti-fraud measures may be implemented through intranet messages, very specific messages (for external fraud), and newsletters with specific information for management.
I
NTERNAL AUDITOR’“ ROLE IN THE MDA
Internal auditors are responsible for assisting MDA to prevent fraud by examining and evaluating the adequacy and effectiveness of their internal controls' system, commensurate with the extent of a potential exposure within the MDA. When meeting their responsibilities, internal auditors should consider the following elements:
I. Control environment. Assess aspects of the control environment, conduct proactive
fraud audits and investigations, communicate results of fraud audits, and provide support for remediation efforts. In some cases, internal auditors also may own the whistleblower hotline.
II. Fraud risk assessment. E aluate a age e t’s fraud risk assess e t, i parti ular,
their processes for identifying, assessing, and testing potential fraud and misconduct schemes and scenarios, including those that could involve suppliers, contractors, and other parties.
III. Control activities. Assess the design and operating effectiveness of fraud-related
controls; ensure that audit plans and programs address residual risk and incorporate fraud audits; evaluate the design of facilities from a fraud or theft perspective; and review proposed changes to laws, regulations, or systems, and their impacts on controls.
IV. Information and communication.Assess the operating effectiveness of information and
matters; support the development of fraud indicators; and hire and train employees so they can have the appropriate fraud audit or investigative experience.
FRAUD DETECTION AND INVESTIGATION
Table 2, show the role-the audit committee, line management, internal audit, compliance and forensic audit, play in the detection process. A great role is done in the fraud auditing and recommendation stage by all the key players-line management, internal audit compliance with a significant part played by fraud audit.
Testing anti-fraud controls.
Fraud auditing (extensive testing) in case of missing anti-fraud controls or in case problems with anti-fraud controls where identified during testing.
Forensic Audit (and Line Management) is responsible for the day-to-day detection of fraud and Internal Audit for the identification of specific indications of fraud during audit assignments if red flags are identified.
Line Management, often together with Risk Management, is in charge of the assessment of the business processes. Line Management should detect potential fraud schemes while carrying out their periodical controls. Special Investigation (Forensic Audit) is in charge of the continuous monitoring (through IT tool). Internal Audit has the responsibility to include fraud auditing techniques in their audit activities.
During the evaluation and testing of the effectiveness of the controls, FFU will need to address the possibility that management might seek to circumvent or override controls intended to prevent or detect fraud.
The degree that fraud may be present in activities covered in the normal course of audit work, internal auditors have a responsibility to exercise due professional care as specifically defined in Standard 1220 of the International Standards for the Professional Practice of Internal Auditing with respect to fraud detection. However, most internal auditors are not expected to have knowledge equivalent to that of a person whose primary responsibility is detecting and investigating fraud. Also, audit procedures alone, even when carried out with due professional care, do not guarantee that fraud will be detected.
A well-designed internal control system should not be conducive to fraud. Tests conducted by auditors improve the likelihood that any existing fraud indicators will be detected and
o sidered for further i estigatio . I o du ti g e gage e ts, the i ter al auditor’s
Have sufficient knowledge of fraud to identify red flags indicating fraud may have been committed. This knowledge includes the characteristics of fraud, the techniques used to commit fraud, and the various fraud schemes and scenarios associated with the activities reviewed.
Be alert to opportunities that could allow fraud, such as control weaknesses. If significant control weaknesses are detected, additional tests conducted by internal auditors should be directed at identifying other fraud indicators. Some examples of indicators are unauthorized transactions, sudden fluctuations in the volume or value of transactions, control overrides, . Internal auditors should recognize that the presence of more than one indicator at any one time increases the probability that fraud has occurred.
Evaluate the indicators of fraud and decide whether any further action is necessary or whether an investigation should be recommended. Notify the appropriate authorities within the organization if a determination is made that fraud has occurred to recommend an investigation.
Forensic Auditors mainly manage this process.
The investigation process requires highly qualified people and specific skills. Only Forensic Auditors may conduct such an engagement. They are also the best aware of the legal aspects and contacts with authorities (legal counsel, regulators…); of ot letti g disappear e ide es and to conduct due investigations (at charge/at discharge).
In ministry departments and agencies this role will be carried out by the FFU. In this process the root causes of the fraud will identify in order to define what happened and the impact on
the fi a ial state e t, the i age… is esti ated.
I
NTERNAL AUDITOR’“ ROLE IN INVE“TIGATION
The role of internal audit in investigations should be defined in the internal audit charter as well as the fraud policies. For example, internal audit may have the primary responsibility for fraud investigations, may act as a resource for investigations, or must refrain from involving itself in investigations (because they are responsible for assessing the effectiveness of investigations).
Any of these roles can be acceptable, as long as the impact of these activities on internal audit s independence is recognized and handled appropriately.
To maintain proficiency, fraud investigation teams have a responsibility to obtain sufficient knowledge of fraud schemes, investigation techniques, and laws. There are programs that provide training and certifications for investigators and forensic specialists.
If FFU is responsible for ensuring that investigations are conducted, it may conduct an investigation using in-house staff, outsourcing, or a combination of both. In some cases, FFU may also use non-audit staff of the MDA as to assist.
THE INVESTIGATORS ROLE
An investigation plan shall be developed for each investigation, following the FFU’s investigation procedures or protocols. The Head of FFU will determine the knowledge, skills, and other competencies needed to carry out the investigation effectively and assign competent, appropriate people to the team. This process will include assurance that there is no potential conflict of interest with those being investigated or with any of the employees of the organization.
The plan should consider methods to:
o Gather evidence, such as surveillance, interviews, or written statements.
o Document the evidence, considering legal rules of evidence and the business uses of the
evidence.
o Determine the extent of the fraud.
o Determine the scheme (techniques used to perpetrate the fraud).
o Evaluate the cause.
o Identify the perpetrators.
At any point in this process, the investigator may conclude that the complaint or suspicion was unfounded and follow a process to close the case.
Activities should be coordinated with management, Attorney General, and other specialists, such as human resources, Police as appropriate throughout the course of the investigation. Investigators will be trained to be knowledgeable and cognizant of the rights of persons within the scope of the investigation and the reputation of the MDA itself. The level and extent of complicity in the fraud throughout the MDA will be assessed.
This assessment will be critical to ensuring that crucial evidence is neither destroyed nor tainted, and to avoid obtaining misleading information from persons who may be involved.
Responding to whistleblowers will be the responsibility of management, with the assistance of
Fore si Audit as it o er s specific allegations or suspicions of fraud a d this is the su je t of a fraud investigation. Management is responsible for resolving fraud incidents, not the internal auditor or FFU.
Resolution consists of determining what actions will be taken by the MDA once a fraud scheme and perpetrator[s] have been fully investigated, and evidence has been reviewed.
The FFU or Internal Auditors will assess the facts of investigations and advise management relating to remediation of control weaknesses that lead to the fraud. Internal Auditors shall design additional steps in routine audit programs or develop auditing for fraud programs to help disclose the existence of similar frauds in the future.
Management’s fraud policies and procedures should define who has authority and responsibility for each process. Internal auditors may only be involved as advisors in the processes.
REPORTING
STRATEGY
Each special investigation conducted must lead to the issuance of a report stating the facts, the causes and the recommendation for remedial actions. Regularly, FFU will issue statistics around the fraud cases.
Periodic reporting will be regularly addressed to the Permanent Secretary/Secretary to the Treasury and appropriate Audit Committee for oversight and make sure that appropriate measures are taken in time.
FRAUD AND FORENSIC POLICY
This paper proposes that a Fraud and Forensic policy statement is developed that details the legal framework to conduct the fraud and forensic in government.
FRAUD AND FORENSIC MANUAL
This paper proposes that a manual will developed to provide generic guideline to the FFU in the way fraud examination and investigation will be conducted.
will focus on Fraud Examination Principles, Law and Fraud, Professional interviewing skills, Anti-money Laundering, Computer Forensics, and Professional Fraud Specialised Examinations. With a professional staffed unit, creditability is expected from the assignments.
BUDGET IMPLICATION
The strategy will be implemented in three year period at the estimated expenditure budget of Ugx 3.9 billion, in year 2009 at Ugx 1.3bn, in year 2010 to 1.4billion and dropping in year 2012 to Ugx 1.1 billion. The detailed expenditure budget is annexed in annex I and II.
