Internal controls and risk management
A great deal has been written about risk management and the role it plays in controlling the risk of corrupt conduct. Agencies are best placed to determine how the risk of corruption is incorporated within their broader risk management framework. However, controls should be in place to prevent, detect and respond to corrupt conduct.
A standard set of preventive controls includes:
- a policy and procedure framework that considers the potential for corrupt conduct (where appropriate, anti-corruption policies and procedures should also bind suppliers and other external parties)
- segregation of duties to prevent an individual from exercising end-to-end control over risky processes
- training and awareness-raising activities targeted at the risk of serious misconduct
- setting and enforcing delegations and permissions
- supervision of high-risk functions and systems that impose joint decision-making
- key performance indicators that encourage ethical conduct
- transparency mechanisms that give internal and external parties access to the decision-making processes
- accountability mechanisms that oblige decision-makers to explain the reasons for their actions (for example, appeal processes)
- physical and information technology security controls to either prevent access to valuable assets/information or at least create an audit trail
- a screening process for new/continuing employees and due diligence measures for suppliers and business partners.
Detection controls include internal audit and internal reporting (mentioned above) as well as data analytics or suspicious transaction reporting, benchmarking, management/peer reviews and performance reporting.
A good way to verify that controls are working is it to create a process map or flowchart that shows who is, and who is not, involved at different steps and decision points and whether decisions and management oversight are supported by documents and reports. Process maps can expose inefficiencies and opportunities for corruption that may be embedded in a process.
Maintaining an up-to-date set of process maps can help agencies to discover gaps between actual and prescribed processes. Process mapping exercises may also reveal work-arounds or out-of-process conduct.