Building Ethics in the Public Service elliot

Derek Elliot, 10th IACC, Workshop contribution, Civil Society

Derek Elliot

I have been asked to speak to you today about work that District Audit have undertaken in conjunction with a number of bodies that we audit, to try to tackle the complex issue of organizational cultures and in particular managerial responsibility and accountability as regards anti-fraud culture and what this actually means.

District Audit is one of the largest public audit bodies in the United Kingdom. Our statutory remit is one of the widest of any external auditor, with a Code of Practice approved by Parliament every five years. Our responsibilities include opinions, regularity, legality, value for money and management arrangements, as well as ensuring that satisfactory arrangements exist for ensuring proper standards for financial conduct and for prevention and detection of fraud and corruption. This includes ensuring that audited bodies have not only developed, promulgated and monitored appropriate standards, codes, strategies, etc. but also that they have articulated and promoted appropriate values and standards across the organization.


Assessing, Influencing, Changing
Anti-fraud Cultures

What is an anti-fraud culture?
Why does it matter?
How can you assess it?
How can you change it?


I should say that I am not a believer in off-the-shelf best practice solution, but I do recognize the benefits of drawing on and learning from the experiences of others.

My session will draw on my own experiences and from similar work subsequently undertaken by colleagues at a number of audits around the United Kingdom. The work also formed the subject of the research for the final dissertation of a Fraud Management M.A. that I have recently completed. Should any of you wish to look into the issue any further, The M.A. is available to members of the IPF Better Governance and Counter Fraud Forum on their websites or from me.

What is the objective of my session?

To consider this, we first need to agree on what we mean by culture. Being a person who likes things simple, the most straightforward definition of culture that I came across was that of Deal and Kennedy.


Assessing, Influencing, Changing
Anti-fraud Cultures

"The Way We Do The Things Around Here"

(Deal and Kennedy)


Although a simple statement, the challenge in practice is far more complex. Culture is often most visible in stories that people tell about their organization. We need to find out what the stories are and to realize that there can be significant differences between corporate and organizational culture. The former often being what managers would like it to be and latter what it actually is.

Corporate culture can more easily be addressed and policies regarding the acceptance or otherwise of business risks can be laid down. Organizational culture, on the other hand, can too easily be taken for granted. Shifts may be imperceptible and evolutionary and can have a positive or negative impact on the standards, controls, ethics and beliefs on which a sound control environment is founded.

The statements helped bring together many concerns that had worried me in my early years at work as regards the way auditors approached systems work and control and environments, which too often were founded on intent rather than practice and reality and on the existence rather than the application of controls. For the rest of my session, I will use this thinking to focus on what is often referred to as anti-fraud culture and on the positive or negative impact it can have on the risks of improper financial conduct or fraud and corruption.


Assessing, Influencing, Changing
Anti-fraud Cultures
Anti-fraud Culture – Does It Matter?

Yes or No


In my view, not surprisingly the answer is a resounding Yes. In the last 5 years we have seen a growing recognition around the world of the importance of anti-fraud culture to an organization, in particular, the need for organizations to set the right "Tone from the Top".

In the UK a variety of government committees and departments have recognized it, as well as the government itself in "A New Ethical Framework", "Countering Fraud in the NHS" and "Beating Fraud is Everyone's Business", which related to social security fraud to name just a few.

To try to show the importance of anti-fraud culture, I need to go back to my original definition of culture – "the way things are done around here". Anti-fraud culture is what actually happens in relation to the myriad of controls, codes and frameworks that comprise the control environment of an organization. Many, if not most, organizations in public sector in the UK do not lack rules, frameworks or standards. In fact in some areas we have possibly got too many. When things go wrong and the inquest begins, it is not usually a finding that there were no rules or producers laid down or that there were no systems. It is application not existence that was the fundamental issue.

However, basic audit work does not always recognize this – system-based audits and high level risk assessments focused just on the mechanics of systems and procedures and past evidence if any, of problems and concerns can leave audits and auditors and, most importantly, audited bodies open to great risk.

For example, the organizations we audit have multitudes of codes of conduct, practice and governance but there are critical questions that we must consider having identified their existence.


Assessing, Influencing, Changing
Anti-fraud Cultures
Codes of Conduct / Practice

What are they intended to achieve?
Do those who matter know of them?
How is their effectiveness evaluated?
Who ensures compliance?


The UK saw a number of high profile public sector scandals in the 1999's, which gained much media attention as well as necessitating District Auditors to use their formal powers of public reporting.

One of these reports to a Metropolitan Borough Council in 1998 – not untypical in its conclusion – referred to:


Assessing, Influencing, Changing
Anti-fraud Cultures
District Auditors Statutory Report
Metropolitan Borough Council (1998)

  • The approach behaviour of members

  • Failures in top management

  • Behaviour of some officers

  • Failure to follow proper processes

  • Lack of openness

  • Climate of suspicion and distrust

  • Custom and practice


Such features were noted to various degrees in most if not all of the reports on the other scandals.

So in my view anti-fraud culture does matter, as these failings can be addressed and can be influenced – one of the most critical features being the "Tone from the Top", which is set intentionally and sometimes unintentionally by senior management, boards, councils, committees, etc. It must be more than "do as I say" rather than the reality, which is likely to be "do as I do".

The key question facing the auditors and managers of any organization should be: How do we find out what our prevailing culture is and what its impact on the control environment is in order to decide whether we want or need to change it?


Assessing, Influencing, Changing
Anti-fraud Cultures

  • Control and Risk Self-assessment (CRSA)


The issue for both management and auditors is how can we assess the prevailing anti-fraud culture and gauge its likely impact on the system of controls and producers that we have set up - control environment.

In recent years, much has been written and spoken about Control and Risk Self-Assessment, often referred to as CRSA or CSA. The technique has gained major recognition for the contribution it can play in getting to the heart of issue, identifying solutions and gaining ownership and commitment.

A typical definition of CRSA is "A process that allows workgroups to identify or refine business and quality objectives while assessing the adequacy of plans and controls in place to meet those objectives".

It is a technique that is, in my view, much more than an audit tool for assessing fraud risk, with immense value across the whole spectrum of organizational and managerial activity. CRSA can put you in direct contact with people actually operating systems and provide an environment where they can reflect on their work openly, honestly and safely.


Assessing, Influencing, Changing
Anti-fraud Cultures

  • Control and Risk Self-assessment (CRSA)


I would like to demonstrate how District Audit made practical use of CRSA to both assess and influence culture and have since taken it forward - and then to consider whether the outputs actually made any difference and to conclude with a few pointers for instilling sound anti-fraud cultures in organizations.

From 1995 to late last year, I had the opportunity as a District Auditor to work with the new management team for a very troubled London borough as they attempted tom turn round an organization that had been likened to an out-of-control and unholy supertanker that to date no one had been able to turn around.

Among its many problems of budget deficiencies, poor services and weak management were very high levels of fraud and corruption, which were having a significant impact on local tax-payers as well as on the Council's reputation and respect with citizens and central government.

One of the Council's many priorities was to address fraud, corruption and culture and its Chief's Executive asked for assistance from District Audit and the Audit Commission. Our challenge was to find a way to engage with managers that would enable the strengths and weaknesses of the prevailing culture to be gauged and at the same time to rise awareness of fraud risks, as well as drive home the importance of managerial responsibility in developing and instilling an anti-fraud culture and a strong control environment.

A number of immediate problems presented themselves.


Assessing, Influencing, Changing
Anti-fraud Cultures
Initial Problems

  • Reaching managers

  • Engaging interest

  • Building trust

  • Personal development

  • Use of results


The authority had around 6,000 staff and a decision was made to approach 200-300 of the most senior managers departmentally, in groups of 20 to 30, and for Directors and Auditors to introduce and facilitate sessions that would hopefully capture interest, whilst raising awareness of fraud and probity risks reference to real-life experiences elsewhere.

The collective views of the individuals were gathered during the sessions by means of CRSA questionnaires addressing key probity issues completed anonymously and then assimilating the results for group discussion. The questionnaires sought views on the overall culture of the organization, the framework of rules and regulations in place within respective departments and provided linkages to practical application. A full set of questions can be viewed on the IFP Better Governance and Counter Fraud Forum website or obtained from District Audit.

The aim was to raise awareness of participants about the role they had in maintaining a sound or effective control environment and in the creation of a strong anti-fraud culture as well as to let them know the fraud risks that they might encounter. Some of the linkages demonstrated the ineffectiveness of many controls if managerial accountability and responsibility were absent or deficient.

The seminars concluded with discussion groups considering the results of the questionnaires and developing their key action points relevant to their directorate for presentation to their director. A final plenary session then compared the findings and key actions of each group. Each directorate received its own summary report within 10 days of the event.

It was with some trepidation that we approached the first seminars.


Assessing, Influencing, Changing
Anti-fraud Cultures
Awareness Seminars

Would the approach work?
Would Managers participate?
Would outputs/outcomes be meaningful?
Would Council value the work?


Thankfully, and to everyone's great relief, the answer was a resounding Yes in each case and the feedback was enlightening.

"It's the first time anyone has ever asked me."
"I now see auditors in a different light."
"Can we have follow-up sessions?"
"Can we cascade them to our staff?"
were typical responses.

Most heartening of all was the response from the Chief Executive and Chief Officers as well as from leading politicians to the value of the sessions and their endorsement of the approach.

Evaluating the results of the CRSA questionnaires departmentally and corporately in the form of the bar charts also provided interesting conclusions on which future actions could be based. The overall conclusion supported my original contention that the greatest risk to the Council:


Assessing, Influencing, Changing
Anti-fraud Cultures
Key Risk

Not from:
Failure to set up proper rules, procedures, codes, guidelines

But from:
Absence of effective anti-fraud culture characterized by a failure to operate and implement rules procedures and codes effectively and to identify and act when breaches or failings occurred.


These findings would be, and is in my view, similar at many not most large public sector organizations and in the UK private sector was mirrored recently in KPMG's published findings relating to frauds in the financial sector.

The key issues across the departments in the London borough were summarized as follows:


Assessing, Influencing, Changing
Anti-fraud Cultures
Key Findings

  • Staff recognized Council's new commitment

  • BUT

  • So's, FR's and changes not properly communicated

  • No training to explain, support conduct guidelines

  • Disciplinary procedures ineffective

  • Many controls no longer worked effectively

  • Managerial overview ineffective

  • No whistleblowing arrangements

  • Recruitment procedures weak


However, findings mean nothing without action. What did the Council do as a result?


Assessing, Influencing, Changing
Anti-fraud Cultures
Actions Taken By The Council

  • Anti-fraud strategy

  • New recruitment procedures, checks

  • Training

  • Internal audit refocused

  • Audit Committee revamped

  • Actions tracked, monitored


The follow-up included further seminars, which were run by the Council's newly-formed Corporate Anti-fraud Team, at which the CRSA questionnaires were used to track progress. At the same time, District Audit began to run similar seminars at some other health and local government bodies and the questionnaires were used at some professional anti-fraud seminars

The results of all these then became the research subject of my M.A. I have not got time to go into the details today, but they are available to you, should you wish, and they again supported my main theme regarding risk.

Comparing the results of workshops over the time also clearly supported the conclusion that they increased managerial awareness, accountability and responsibility. My research was also supported by independent and subsequent UK research undertaken by the Directorate of Counter Fraud Services (DCFS) in the National Health Services.

DCFS, which was set up in 1999 to organize and co-ordinate counter-fraud work across all NHS bodies, embarked on its own series of culture and awareness seminars and sought the views of representative sample of senior managers and board members with a CRSA-type questionnaires in 1999. These were then followed up in 2000.

The results of their work also stressed the importance of anti-fraud culture and "Tone from the Top" and demonstrated a significant increase in managerial awareness and accountability between the seminars.


Assessing, Influencing, Changing
Anti-fraud Cultures
Evaluation of the Approach

  • Allows meaningful judgments of anti-fraud culture and practical application of controls

  • Is to benefit in determining actions needed

  • Participants found it useful

  • Senior management value outputs


Although, as in local government, much more has happened to counter-fraud in the NHS in the last few years than just the returning of seminars and completion of questionnaires, they formed an important part of the package as a whole and are undoubtedly a significant factor in the outcomes identified.

As a part of my M.A., research was also undertaken to compare the results and outputs between sectors and organizations and with generally held views and perceptions.

So my device to you is, if you have not done so already: why not give it a try? If you are an auditor, you might just find it enhances your role in your organization, provides real input to questions of risk assessment and could be very developmental to the audit staff involved. If you are a manager, take up the challenge of finding out what is really happening in your organization and seek every opportunity to develop the spirit of openness and shared accountability to which this could contribute.

Finally, to return to my original objectives:

Changing Cultures
It is now the view of most commentators that "tone from the Top" and managerial actions are the key factors in setting, influencing and changing culture. As part of the seminars, the opportunity was taken to remind managers of the part that they intentionally, or most often unintentionally, play using the following slides.


Assessing, Influencing, Changing
Anti-fraud Cultures
The Role of the Organization

Good practices in preventing Fraud

  • Positive attitude from the top

  • Effective and accountable management

  • Arrangements for concerns to be raised

  • Well-documented controls and procedures

  • Sound recruitment and disciplinary procedures

  • Strong internal and external audit

  • Well-managed investigations

  • Effective use of IT

  • Good liaison arrangements with relevant agencies


Key features of good practices include an anti-fraud and corruption strategy, clearly communicated codes of practice for officers and Members, clear definition of responsibilities and guidance regarding interests and hospitality.

There is often confusion surrounding the purpose and content of an anti-fraud and corruption strategy. At its simplest, such as strategy is a statement of values and commitments that an organization expects that it and all of the people working for it will uphold and be bound by.

It is not a document that should be measured for quality in terms of its weight or by its use of technical jargon. Nor is it something where you can justify ticking the job done box by taking someone else's strategy of their shelf, adapting it and then putting it onto your shelf. Adopting a strategy is merely the first step in the process of communication, awareness and winning hearts and minds.

If we now move to the role of managers, who very often don't realize their individual responsibility until it is too late and the bayonets are out and the post-mortems begin. These are the people at a day-to-day level who are responsible for preventing and detecting fraud and corruption. How can managers turn the corporate ethical and control framework into reality and play their part in creating an anti-fraud culture?


Assessing, Influencing, Changing
Anti-fraud Cultures
The Role of Managers

Creating an anti-fraud culture


  • Rules

  • Responsibilities

  • Parameters


  • Don't take advantage

  • Don't turn a blind eye

  • Don't excuse the inexcusable


  • Encourage

  • Listen


  • Treat fraud as fraud

  • Sound recruitment policies/references


  • From others

  • From past mistakes


If managers are to play their part in initiating a strong culture, they must be prepared to lead by example.

"Do as I say, not do as I do" is not an opinion, in reality people will follow their leaders and leaders must set a good example.

If managers take long lunches, receive borderlines hospitality, raid the stationery cabinet for home use or request favors from the recipients of services, don't think other staff won't notice and can only really expect them to act differently? Similarly, the attention managers give to controls and rectifying weaknesses will set their perspectives in future. This is what "Tone from the Top" means to me.

What are the big messages we stress to managers?

Always remember that there is no smoke without fire - if something comes to your attention or someone raises an issue, don't immediately seek to rationalize the situation and defend the status quo. Some of the worst cases I have come across rumbled around for years before they finally blew up, and in some cases, auditors are put under great pressure to remove references from management letters or audit reports or are accused of making mountains out of molehills. Most importantly, do not seek to make excuse for others who may not deserve such support - let them explain things themselves.

Clearly communicate rules, parameters and boundaries and remember, as I said, that this is no just a tick box affair. Culture comes from the heart. If you or your organization don't mean it, the most of your staff will see through the sham. Most importantly, if you do find a fraud, treat it as a fraud and don't hide it away and try to suppress those who may not deserve such support - let them explain things themselves.

Finally, especially if you are an auditor, don't take anyone or anything for granted, and be aware of how much things have changed in recent years. What will never change is that, if something sounds too good to be true, it almost certainly is.

If you would like to find out more about Audit's Changing Organizational Cultures work, or receive an electronic copy of Derek Elliott's M.A., please contact Lauren Tourle at: District Audit 4th Floor, Millbank Tower, Millbank, London, SW1P 4QP, United Kingdom, or via fax number 00 44-207-233-6490 or e-mail: If you wish to receive information via e-mail, there will be charge. We may have to recover costs for producing and posting hard copies however.

docBuilding Ethics in the Public Service elliot

Brazil 2012

Brazil 2012

IACC Video

IACC Video