Clearly defined and separate lines of defence generally ensure the most effective risk management, enhancing the prevention and detection of corruption.
Corruption is not just a public sector problem, although it will certainly receive more attention. There is a public interest in what the public sector does, because taxpayers' money is used and, as a result, transactions must be both transparent and purposeful. However, this does not mean that there is no corruption in the private sector and that business leaders do not have to deal with it.
Corruption can broadly be defined as a misuse of trust, more narrowly a misuse of position or power for self-interest. Understandably, there is less coverage of private sector corruption, as those involved in business are reluctant to discuss such issues in public. The core of private corruption cases is no different from that of the public sector.
However, corruption and fraud in the private sector are more difficult to prove than in the public sector. In small and medium-sized (SME) enterprises, which are numerous in Estonia, the operation is less formal and is often not regulated by thorough rules of procedure. The private sector is also characterized by long-standing business partnerships, less formal communication and more complex contractual relationships, which make it difficult to prove prohibited benefits and activities.
According to the Fraud Triangle model, three elements are required for fraud to occur:
In other words: if a person has a financial motivator that he or she can justify and the right environment and opportunity is in place, there is a fertile ground for committing fraud.
The motive may be caused, for example, by a situation when the employee's income decreases – the employee may be motivated to earn his or her lost income otherwise. A fraudulent situation can easily arise even if the remuneration policies of managers/employees are linked to factors that can be manipulated. For example, if the remuneration is related to the profit from the transaction or the number of contracts, it is possible these will be artificially distorted or created.
Due to the endowment effect, a person perceives giving up or losing something as a loss, so they are willing to try not to lose what is perceived as belonging to them. Consequently, the employee also finds a convincing justification for himself why his misdemeanour is justified.
These two conditions – motive and justification – are often ones that the employer usually cannot control. However, the employer can make the implementation of fraud as difficult as possible by constantly improving the company's internal control environment. It is important to maintain this level even in a crisis.
In a crisis, it is common to look for places where costs could be saved. They often turn out to be various support services (marketing, IT development projects, internal control and internal audit) because they do not directly generate revenue for the company. This does not mean that they would create less value for the company.
An organization's risk management should be built on the principle of the Three Lines of Defence and should exist in some form in every company, regardless of the size or complexity of the company.
The Three Lines of Defence model distinguishes three groups (or lines) associated with effective risk management: functions that take and manage risks; functions that control risks; functions that provide independent assurance. External auditors, regulators and other external bodies are not part of the organization but can play an important role in the overall governance and control structure. Governing bodies and senior management are in the best position to ensure that the model is implemented, while being the primary stakeholders in the defence lines.
The weakening of the internal control system and the reduction of the workload of the Third Line of Defence can be fatal for the company. While the Second Line of Defence serves a very important purpose, it cannot, unlike internal audit, provide a fully independent analysis of risk management and internal control. However, the above is necessary for management bodies to fulfil their duties and responsibilities, including defining and ensuring appropriate strategies, processes and risk management.
The Third Line of Defence is an internal audit that provides assurance, as an independent function, that previous lines of defence are working as intended and/ or which processes need to be improved. Internal audit has the necessary competence, resources and access to relevant information in all business units to allows better detection of fraud and other inconsistencies that needs to be further investigated. Internal processes and controls should be strengthened to detect potential misappropriations, including random checks to detect possible fraud or inconsistencies.
In the current coronary crisis, it must be borne in mind that, although many jobs can be done remotely, it is not possible to control everything remotely. In a crisis, only the emerging problems are often dealt with, and normal control activities are relegated to the background. However, this creates a favourable environment for fraud, because if the availability of information is limited and checks cannot be carried out (sufficiently), the risk of misuse is higher. Employees may feel that this is a good opportunity to act unnoticed.
People who remain in the company may also feel pressure from managers to increase work efficiency, because the workload is generally not reduced by laying off people, ie the same work must be done with fewer people. The feeling that a person is not valued enough can also lead to fraud.
In the case of corruption, it is important to understand that it is a complex issue and that it is difficult to identify and prove corruption. In the case of the private sector, it should be borne in mind that, although most cases of corruption and fraud are perpetrated by a lower-level employee rather than by management, corruption at management level causes much greater financial damage. Also, a cooperating group can cause significantly greater financial and reputational damage than an individual.
Our business leaders have turned to us for help, either to carry out special audit to determine the extent of the effects of fraud or to improve processes as a result of fraud. Unfortunately, the damage will only be reversed once the damage has already occurred, although it could have been prevented by reviewing and improving the processes. It is not uncommon for an employee to have caused damage to a company for years before problems start to arise. In many cases, the company has been harmed by a long-term employee or member of senior management who is almost completely trusted and allowed to do more than others (irregularities accepted by others).
