Audit of Global Fund Fraud Risk Management
On 6 July the Office of the Inspector General (OIG) issued its audit report on Fraud Risk Management.
The OIG assessed the maturity of the Global Fund’s fraud risk management framework against the five core components set out in the guide on fraud risk management published in 2016 by The Association of Certified Fraud Examiners (ACFE) and The Committee of Sponsoring Organisations of the Treadway Commission:
- Fraud risk monitoring
- Fraud risk governance
- Risk assessment
- Fraud control activity
- Fraud investigation and corrective activity
The OIG also rated each component using the five-point scale from the Enterprise Anti-Fraud Maturity Assessment Model (in the Anti-Fraud Playbook: The Best Defense Is A Good Offense. 2020 Grant Thornton LLP and ACFE) – see Figure 1.
Figure 1: Anti-fraud Maturity Rating
The Global Fund operates in challenging environments which expose its programs to fraud and abuse. Most countries supported by the Global Fund are ranked below average on the Corruption Perceptions Index (CPI) published by Transparency International. About $6 billion of Global Fund monies go to countries in the bottom 45 of the 180 countries in the CPI report. Eligible Global Fund countries in the bottom half of the CPI score account for 83% ($10.3 billion) of Global Fund allocations.
The COVID-19 pandemic and changes in working practices have increased opportunistic fraud in programs, requiring strong monitoring mechanisms.
In 2017, the Board, in approving the Policy to Combat Fraud and Corruption (PCFC), defined fraud as any act or omission, including a misrepresentation, that knowingly or recklessly misleads, or attempts to mislead, a party to obtain a financial or other benefit or to avoid an obligation. The definition of fraud risk was widened to consider programmatic as well as financial risks: specifically, section 3.3 of the PCFC states that “The Global Fund recognizes that fraud and corruption infiltrate not only financial management, but also strategic decision-making, governance, public health systems, program quality and reporting.”
Programmatic fraud refers to fraud other than financial frauds, such as “health product substitution and counterfeiting, as well as misrepresentation or manipulation of any information arising from or relating to Global Fund Activities such as proposals, plans, evaluations, performance data, epidemiological data, reports, and audits” (PCFC, section 4.3).
The Global Fund Board and its Committees have approved several policies and guidance documents relevant to fraud risk management (Figure 2 below).
Figure 2: Main Anti-fraud Policies and Guidelines at the Global Fund
Fraud risk management at the Global Fund
The Global Fund Integrated Risk Management framework is built on three lines of defence: (1) the Country Team and support of in-country assurance providers; (2) the Risk Department and other risk owners, such as the Technical Advice and Partnerships team, Finance Department and Supply Operations; and (3) the OIG and the external auditor, who report to the Board or its Committees.
Fraud trends: types of allegations and sources
During 2019-2021, the OIG opened 489 investigations into the following types of allegations:
- Theft of equipment, commodities and money, referred to as abusive practices (157 investigations, or 32% of cases);
- Fraudulent practices, which included data manipulation, misrepresentation and fraudulent documents (116 investigations, or 24% of cases);
- Price fixing, bid rigging and conflicts of interest, referred to as collusive practices (71 investigations, or 15% of cases); and
- Corrupt practices including bribery (66 investigations, 13% of cases).
Fraudulent and corrupt practices therefore collectively accounted for 37% of cases investigated by the OIG in this period.
Not all investigations result in a published report; the OIG issues case closure memoranda when the investigation is inconclusive, when an allegation is unfounded (the evidence does not support the allegations) or not material, or when there has already been a proportionate response, risks have been mitigated, or deficiencies have been addressed.
OIG investigations produce Agreed Management Actions (AMAs) based on lessons learned from cases. AMAs included financial recoveries, sanctions of entities and individuals, and the strengthening of controls and processes.
The OIG identified non-compliant transactions totalling $143.2 million between 2019 and 2021, most of them due to fraudulent practices and theft. In the same period, proposed recoveries of funds as a result of OIG investigations amounted to $14.4 million. Principal Recipients (PRs) and sub-recipients (SRs) are most frequently the subjects of OIG investigations, respectively accounting for 42% and 23% of investigations.
The number of allegations generally aligns with the size of funds allocated by region, with most allegations affecting grants in the Global Fund’s High Impact Africa 1, High Impact Africa 2, and High Impact Asia regions (see Figure 3).
Figure 3: Allocation and Number of Screening Reports by Region
As of 31 December 2021, the Secretariat had reported $26.7 million in outstanding recoverable amounts resulting mostly from non-compliant expenditures and mismanagement.
Audit objective, scope and rating
The audit sought to assess the maturity of the Global Fund’s framework (including policies and procedures) on fraud and corruption and to position the organization in a rating scale for further improvement.
The Global Fund’s fraud risk management framework was reviewed against the five components listed under Background above.
Instead of using the standard audit rating scale, the OIG used the assessment model to rate the maturity of the Global Fund fraud risk management framework and its underlying processes. Maturity is split into five stages – ad-hoc, initial, repeatable, manageable and leadership, as shown in Figure 4.
Figure 4: Enterprise Anti-fraud Maturity Model from Anti-fraud Playbook by ACFE/Grant Thornton
Audit conclusions on overall maturity
The COVID pandemic and changing work practices have led to increased fraud risk. Agile risk management is needed to anticipate and institute preventive and detection controls to respond to potential fraud. The various elements of the Global Fund’s approach are at different levels of maturity. As the fraud risk landscape evolves, the organization will need to strengthen its preventive and monitoring activities, and to put more focus on non-financial fraud.
The maturity level for each component assessed by the OIG is shown in Figure 5.
Figure 5: Assessed Maturity Model of Fraud Risk Assessment Management Component
Audit conclusions on fraud risk governance
The Global Fund has defined frameworks, policies, structures and processes which direct the management of fraud risks and support its zero tolerance of prohibited practices. While significant progress has been made regarding financial fraud risks, there is less consideration of programmatic fraud risks. There is limited clarity in roles and responsibilities for programmatic fraud risks at Board, Committee and Secretariat levels. The Secretariat needs to define overall ownership and accountability for fraud risk and implement the PCFC plan.
Audit conclusions on risk assessment
Integrated Risk Management framework processes are generally aligned with the Global Fund’s internal and external environments. Tools have been developed to support assessments in core functions, leveraging the work of assurance providers. To further mature, fraud assessment needs to proactively identify fraud scheme types, improve the implementation of mitigation measures, and consider grant-level programmatic risks.
At grant level, fraud risk assessment is considered at various stages of the grant life cycle, as described in Figure 6.
Figure 6: Process for Financial Fraud Risk Assessment