Identifying and preventing fraud & corruption in ESI Funds
Model for assessing risk of fraud
Dermot Byrne,
Head of Authority
ERDF Audit Authority, Ireland
This training has been organised by EIPA under the Framework Contract Nr 2018CE16BAT060. The
opinions expressed are those of the contractor only and do not represent the EC's official position.
Assessing risk of fraud
Contents
Commission Guidance on Fraud Risk Assessment
Annex 1 – Fraud risk assessment tool
Annex 2 - Recommended mitigating controls
Annex 3 - Template for anti-fraud policy
Annex 4 - Audit of AFMs by the Audit Authority
Sampling techniques – an outline
Assessing risk of fraud
EGESIF guidance note 14-0021-00 (2014)
Assistance and recommendations to MAs
How to implement Article 125(4)(c) of CPR – effective and proportionate anti-fraud measures
Also includes guidance for AA as to how to verify MA compliance
Approach of MA should be
Proactive
Structured
Targeted
Adoption of right “tone from the top”
Fraud Risk Self-Assessment
The EC recommends that the MA use the tools described in 4 Annexes:
Annex 1: Risk Assessment Tool
To be carried out by a self-assessment team set up by MA
Annex 2: Recommended mitigating controls
Non-binding further controls in response to any remaining risks.
Annex 3: Template for Anti-Fraud Policy Statement (tone at the top).
Annex 4: Guidance for Audit Authority verification work
Checklists to be used in systems audits of AFMs
Annex 1 - Fraud risk self-assessment
Quantify the likelihood & impact of the specific fraud risk (gross)
Assess the effectiveness of the current controls to mitigate the (gross) risk
Assess the net risk after taking into account the effectiveness of current controls (residual risk)
Assess the effect of planned additional controls on the net (residual) risk
Define the target risk i.e. the risk level considered tolerable by the MA
There are 3 key control processes exposed to fraud:
1. Selection of applicants
2. Implementation and verification of operations
3. Certification and payment
Annex 1 – Self Assessment Tool
Risk Likelihood
From a drop-down menu the risk assessment team should select a risk likelihood score from 1 – 4 based on the likelihood of the risk occurring in the seven-year programming period.
See criteria below:
Score | Likelihood
1 | Will almost never happen
2 | Will rarely occur
3 | Will sometimes occur
4 | Will often occur
[Figure: LIKELIHOOD axis, LOW to HIGH: 1 Will almost never happen, 2 Will rarely occur, 3 Will sometimes occur, 4 Will often occur]
Risk Impact
Score | Reputation | On Objectives
1 | Limited impact | Additional work delayed other processes
2 | Minor impact | Achievement of operational objective delayed
3 | Major impact e.g. nature of fraud is particularly serious or several beneficiaries are involved. | Achievement of operational objective endangered or strategic objective delayed
4 | Formal enquiry from stakeholders, e.g. Parliament and/or negative press | Strategic objective endangered
[Figure: IMPACT axis, LOW to HIGH: 1 Limited impact, 2 Minor impact, 3 Major impact, 4 Formal enquiry]
Likelihood x impact score matrix (both axes run from LOW to HIGH):
Likelihood | Impact 1 Limited impact | Impact 2 Minor impact | Impact 3 Major impact | Impact 4 Formal enquiry
4 Will often occur | 4 | 8 | 12 | 16
3 Will sometimes occur | 3 | 6 | 9 | 12
2 Will rarely occur | 2 | 4 | 6 | 8
1 Will almost never happen | 1 | 2 | 3 | 4
Total Risk Score (Gross)
The inputs into risk impact and risk likelihood will result
in a range of scores from 1 (1x1) to 16 (4x4).
The rankings are outlined below.
Score Ranking Colour
1-3 Tolerable
4-6 Significant
8 - 16 Critical
Risk ranking matrix (both axes run from LOW to HIGH):
Likelihood | Impact 1 | Impact 2 | Impact 3 | Impact 4
4 | 4 SIGNIFICANT | 8 CRITICAL | 12 CRITICAL | 16 CRITICAL
3 | 3 TOLERABLE | 6 SIGNIFICANT | 9 CRITICAL | 12 CRITICAL
2 | 2 TOLERABLE | 4 SIGNIFICANT | 6 SIGNIFICANT | 8 CRITICAL
1 | 1 TOLERABLE | 2 TOLERABLE | 3 TOLERABLE | 4 SIGNIFICANT
Annex 2 - mitigating controls
Annex 2 to the Guidance suggests controls under the following headings:
Selection of applicants
Implementation and verification of operations
Certification and payments
Direct procurement by MA (if applicable)
Fraud prevention
If MA … …
Demonstrates a clear commitment to combat fraud and corruption
Raises awareness about its preventative and detective controls
Is determined to transmit cases to competent authorities for investigation and sanctions
It will send a clear message to potential perpetrators
May change behaviours and attitudes towards fraud
Fraud prevention
1. Ethical Culture
Mission Statement
Clear expression (internal and external) that MA striving to achieve highest ethical standards
Tone from the Top
Oral and/or written communication from highest level of MA that highest ethical standard expected from staff and beneficiaries
Code of Conduct
Unambiguous code of ethics that all staff must routinely declare adherence to:
Conflicts of Interest – procedures to declare them
Gifts and hospitality policy – explain responsibilities to staff
Confidential information – explain responsibilities &
Requirement to report fraud.
Anti-fraud Policy – Annex 3 provides a Template for MAs
Fraud prevention
2. Policy, Responsibilities, Training, Reporting
Allocation of Responsibilities
MA must have clear allocation of responsibilities for setting up MCS
That comply with EU requirements
Verify that these systems effectively prevent, detect and correct fraud.
Training & awareness raising
Both theoretical and practical
Anti-fraud culture
How to identify and respond to suspected cases of fraud
Put clear reporting mechanisms in place
Informally by way of newsletters, posters, group meetings
Fraud prevention
3. Internal Control System
Internal control systems
Controls focused at mitigating the identified risks
Management verifications and on-the-spot controls
Thorough management verifications will increase likelihood of detection
Ensure awareness of fraud indicators
Data analytics – ARACHNE
Reporting mechanisms – Audit Authority, MS investigative authorities, OLAF
Investigation, correction and prosecution by competent authority
Fraud prevention
1. Ethical Culture
2. Policy, Responsibilities, Training, Reporting
3. Internal Control System
1, 2, 3 help to reduce fraud risks
Annex 4 – Audit Authority Audit
Annex 4 – AA verification of MA compliance with Article 125(4)
1. Review the process for fraud risk assessment
Composition of assessment team
Time and resources spent on exercise
Sources of information were adequate (audit reports, fraud reports, other self assessments)
Exercise clearly documented
Adequate oversight by senior management
2. Gross risks
Review selection of the scores for IMPACT (explanations & supporting evidence)
Review selection of the scores for LIKELIHOOD (explanations & supporting evidence)
Has the GROSS risk been calculated and graded (T,S,C) correctly?
3. Existing controls and Net Risk
Select a sample of controls and verify
Do the controls actually exist?
Are they adequately documented?
Review scores for effect of controls on the Gross Risk (Impact & Likelihood)
Has net risk been calculated and graded (T, S, C) correctly?
4. Action Plan and Target Risk
Select a sample of risks from fraud risk assessment (cover all processes)
Review score given for effect of new controls (on Impact and Likelihood)
Is score consistent with AA knowledge of effectiveness of control?
Has Target Risk been calculated and graded correctly?
Do additional controls appear to be optimal and well-considered?
Sampling techniques
Risk-based sampling | Random/Statistical sampling
If you want to find & fix a problem … | If you want to give an objective, unbiased and representative opinion/error rate
Will point you in direction of ‘bad’ projects | Will select good and bad projects – every unit in population has chance of selection
Will skew the audit result / error rate | It will give a fair/accurate error rate because based on representative sample
More suited to control than audit | More suited to audit than control
Is subjective and reliant on professional judgement and risk tolerance | Is objective/logical and not overly reliant on professional judgement
Requires information about the nature of the project/operation, history, risks. | Can be applied to project financial data by means of Excel / IDEA
Audit Authority Sampling:
12+ Months (1/1/N until 15/2/N+1) audit of operations should start immediately
• Consider sampling techniques to reduce workload and spread over time
  • stratification,
  • grouping,
  • confidence levels,
  • two semester sampling
• Consider potential impact of techniques chosen (e.g. grouping)