Fraud risk for the EU budget — what the ECA recommends
Media reports on fraud cases involving EU funds have a high likelihood of catching the interest of the public. The perception that EU spending, but also cross-country fiscal mechanisms like VAT or emissions trading, is particularly prone to fraud schemes and organised crime does not contribute to strengthening the citizen’s trust in the Union. This is one of the reasons why the ECA decided to look into how the European Commission fights fraud in EU spending. Judit Oroszki, principal manager, was the head of task for the audit that resulted in special report 1/2019: ‘Fighting fraud in EU spending: action needed.’ She provides insights into key reflections and challenges when approaching the audit subject and what has happened since the publication of this report in January 2019.
By Judit Oroszki, Financing and Administering the Union Directorate
Fraud is cross-cutting by nature, meaning that the risk of fraud may be present within the whole EU budget, although to differing degrees. It is a consensus view by experts in the field that fighting fraud effectively requires a comprehensive fraud management framework, covering the full cycle of anti-fraud activities. This must consist of a series of actions to prevent, detect and respond to/ deter fraud*.
*Audit brief — Fighting fraud in EU spending
How did we approach the audit?
The EU fraud management framework consists of several institutions and bodies (involved at different stages of the framework) implementing certain parts of the framework (such as prevention, detection, investigation or sanctioning/prosecution) and working under different jurisdictions. Overall, quite a complex picture.
From the outset, given the amount of resources at our disposal, it was obvious, however, that we would not be able to cover the whole fraud risk management framework, for both the revenue and spending side of the EU budget. This clearly would have been too broad an audit subject.
For this reason, when preparing our audit, the first key step was to map the main bodies involved in the EU’s fraud management cycle, together with identifying the key risks to their performance in fighting fraud. This mapping exercise helped us to decide on the focus of the audit (see Table 1).
We also considered the areas covered by previous audits: we had already looked into the fraud management framework in the area of own resources and the management of OLAF [1] — the EU’s key anti-fraud body. We therefore decided to focus our audit on EU spending (rather than revenue) and on the aspects of prevention and sanctioning of fraud affecting the EU’s financial interests.
Fraud prevention is more cost-effective than detection and correction
In recent years, several standard setters have highlighted the importance of fraud prevention (i.e. reducing opportunities for fraud to take place). This is because preventing the occurrence of fraud is much more cost-effective than the detection and correction of fraud, which is often followed by lengthy, costly and sometimes unsuccessful administrative procedures to prove and sanction fraudulent acts and recover the financial damages caused by these acts. Also, by the time the fraud is discovered, the money is often unrecoverable (or at least the chance to recover the full amount is very slim). In our report, we also highlight the difficulties of recovering EU funds based on OLAF’s investigative reports.
Not surprisingly, assessing the actual results of fraud preventive actions is actually quite challenging. In an ideal world, one would need to know the overall scale of fraud, how much and what type of fraud can be prevented and at which costs and how much is actually prevented.
In crime prevention, it is important to gain insight into the potential overall scale of a crime, including undetected cases. But how can you acquire knowledge about cases not reported to law enforcement authorities?
Gaining insight into the overall scale of certain traditional crimes (such as vehicle theft or burglary) is a common practice for national enforcement authorities (see Figure 1 below).
For financial crimes, such as fraud, coming up with an estimate for the overall scale or overall cost of crime is more challenging compared to other traditional crimes. This is because, by its very nature, fraud is elusive, i.e. it is conceived in a way which makes detection difficult. In addition, due to the nature of fraud, victims may not always be even aware that a fraud has been committed; or they may not consider that they are directly (or personally) affected.
Challenges in fighting fraud against the EU budget
When we look at fraud against EU spending there is a further aspect to be considered. Around 85 percent of the EU budget is spent though Member State governments and regional or even sub-regional bodies. In other words, the main victim of fraud against EU spending is the EU (rather than the national or regional) budget. This creates an obvious moral hazard, because, instead of protecting the EU budget, the priority of Member States may be rather to spend all earmarked EU funds.
An EU-wide system of fraud prevention, detection and correction can therefore only work effectively if the European Commission can fully rely on the Member States to ensure that the money is spent in accordance with the applicable rules, and that Member State administrations are effective in detecting and reporting cases of suspicion of fraud to the EU. Unfortunately, it is far from certain whether this is always the case.
The importance of assessing the risk of fraud
Generally speaking, the best way to prevent and detect fraud is through effective internal controls. In recent years there has been growing consensus amongst key standard setters, such as the the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the Institute of Internal Auditors (IIA), the Chartered Institute of Public finance and Accountancy (CIPFA), the Association of Certified Fraud Examiners (ACFE) and SAIs (such as the US GAO or the Australian NAO) that the assessment of fraud risks needs to be incorporated and strengthened in the framework of internal controls.
Importantly, the 2016 COSO Fraud Risk Management Guide also underlines that simply adding the fraud risk to the existing internal control assessment is not enough. Conducting a meaningful fraud risk assessment involves looking at what has happened in the past, with the aim of identifying the crucial elements which may have enabled fraud to be committed. Criminology work and a criminology perspective are very relevant to this assessment. Key in fraud prevention is to understand the causes of fraud. Several models have been developed to identify the elements that lead perpetrators to commit fraud. Donald Cressey proposes a fraud triangle framework [2] while other conceptual frameworks have complemented this by also focusing on the individual’s capability, i.e. his or her personal traits and abilities [3] (see Figure 2 below). These models have influenced standards and good practice guides on how fraud risk assessments can be performed by internal controllers.
Some of the factors that enable fraud to occur relate to ineffective control or governance system, which provide an opportunity for fraudsters to act. Other factors (such as incentives and rationalisation) refer to the motivation that leads to unethical behaviour and the way potential fraudsters justify their acts as something that is not to be considered as a criminal activity.
Recently, therefore, fraud experts have been putting more and more emphasis on the type of person who commits fraud [4]. This requires an analysis of the capabilities of potential fraudsters, i.e. the individual skills and traits needed to exploit opportunities to commit fraud [3]. This type of analysis may be similar to the criminal profiling used by criminologists and law enforcement authorities and is an investigative method that uses behaviours and psychological analysis to generate predictions about the characteristics of the most likely suspects of a crime [6].
This is why we need to analyse incentives/pressures, opportunities and rationalisations when performing fraud risk assessment. Internal control systems, however, primarily address incentives and opportunities, which in most cases are easier to spot [7]. In other words, internal control systems are necessary — but they may not be sufficient to fight fraud effectively.
What data is available on potential fraudsters against the EU budget?
All of these above considerations and reflections led us to look closely in our audit at how the Commission and OLAF collect data on fraud affecting the financial interest of the EU and what use they make of this data for fraud prevention purposes. We based our criteria on the key elements identified by standard setters such as the COSO and CIPFA guidelines. In essence, these bodies argue that knowledge about previously identified fraud cases is key. Without a good understanding of past fraud schemes and the types of fraudsters committing fraud it is simply not possible to establish well-focused and cost-effective methods to prevent fraud.
However, our audit showed that the Commission does not have comprehensive However, our audit showed that the Commission does not have comprehensive and comparable information on the detected fraud level in EU spending. This is also due to the fact that the methodologies Member States use to prepare their official statistics on detected fraud differ, and the information reported in the Commission’s Irregularity Management System (IMS) is incomplete. The Commission also refrains from complementing official statistics by its own estimates of undetected fraud.
We also found that there is only little qualitative information on the nature and causes of fraud. Some information is available on fraud patterns and schemes used in different sectors, but the information available is neither systematically updated nor actively used by the Commission. So far, the Commission has not attempted to identify what causes some recipients of EU money to commit fraud. In this context, it would also have been interesting to compare how Member States deal with such cases when there is EU funding, and when there is no such funding. However, we found that such a comparison is not possible since most Member States do not collect separate data on crimes against the financial interest of the European Union and those affecting only the national budget.
Better insight into fraud against the EU budget needed
This illustrates that there is a need to gain a better insight into the scale, nature and causes of fraud in EU spending. In particular, we recommended in our report that the Commission should put in place a robust fraud reporting system, providing information to assess the scale, nature and root causes of fraud. In particular, it should:
- enhance the Irregularity Management System (IMS) so that information on criminal investigations related to fraud affecting the EU’s financial interests are reported in a timely manner by all competent authorities, and
- build its capacity to collect information from different sources on the risk of fraud and corruption against the EU budget, measure this risk on a recurring basis using different methods (encounter surveys and indexes based on administrative data); and consider establishing risk indicators by spending area, country and sector.
Analysing these data sets will also require new approaches and techniques, where big data and algorithms will play an obvious and increasing role.
Last but not least, we saw an urgent need for the Commission to update its anti-fraud strategy, dating from 2011. This update would then provide an opportunity for the Commission to address the weaknesses in fraud prevention identified by our audit.
The Commission’s 2019 anti-fraud strategy — a first response to our report
The Commission took up our recommendation swiftly. In April 2019 (i.e. not even three months after the publication of our special report), it has adopted its new anti-fraud strategy entitled “Commission Anti-Fraud Strategy: enhanced action to protect the EU budget” [7]. Based on a qualitative fraud risk assessment, the Commission defined two key objectives for the coming years:
- data collection and analysis: to further improve the understanding of fraud patterns, fraudsters’ profiles and systemic vulnerabilities relating to fraud affecting the EU budget and
- coordination, cooperation and processes: to optimise coordination, cooperation and workflows for the fight against fraud, in particular among Commission departments and executive agencies.
Putting the strategy into action
The Commission must now demonstrate that it will use all available means to fight against fraud which is to the detriment of the EU budget. This cannot be done without having a good knowledge and data about past fraud patterns, the causes of fraud and the motivation for committing fraud. Analysing what causes fraudsters to commit fraud is a method used by criminal sociologists and psychologists. Using theories and practices from other disciplines — such as criminology — and incorporating these into the internal control framework of an organisation allows for a better understanding of the motivations and processes behind these crimes and could help guide the design of controls to prevent and detect fraud.
The 2019 Commission anti-fraud strategy explicitly recognises the need for better data collection and analysis to understand fraud patterns and fraudsters’ profiles. This is already a very important step forward. What matters now is that this strategy is put into action swiftly.
[1] Special report 1/2005 concerning the management of the European Anti-Fraud Office (OLAF), special report 2/2011 — Follow-up of special report 1/2005 concerning the management of the European Anti-Fraud Office (OLAF); Opinion No 6/2005, Opinion No 7/2006, Opinion No 6/2011.
[2] Cressey, D. R. (1953). Other People’s Money. Montclair, NJ: Patterson Smith, pp.1–300.
[3] Wolfe, D., & Hermanson, D. R. (2004). The fraud diamond: Considering four elements of fraud. The CPA Journal, 74 (12), 38–42; Crowe Horwath LLP, Trust is a Professional Hazard! (2011)
[4] See also ‘Improving fraud risk management with an enhanced Fraud Triangle’, by Douglas M. Boyle, DBA, CPA, CMA; F. Todd DeZoort, PhD, CFE; Dana R. Hermanson, PhD; David T. Wolfe, CPA, CFF; Fraud Magazine, March/April 2018
[5] Kocsis, R. “Criminal Profiling: International Theory, Research, and Practice” (2007).
[6] “Rationalizing Fraud — How Thinking Like a Crook Can Help Prevent Fraud”, By Natalia Mintchik, PhD, CPA and Jennifer Riley, PhD, CPA, The CPA Journal, March 2019 issue.
[7] European Commission; Communication from the Commission to the European Parliament, The Council, The European Economic and Social Committee, The Committee of the Regions and the Court of Auditors, Commission Anti-Fraud Strategy: enhanced action to protect the EU budget, COM(2019) 196 final.
This article was first published on the 2/2019 issue of the ECA Journal. The contents of the interviews and the articles are the sole responsibility of the interviewees and authors and do not necessarily reflect the opinion of the European Court of Auditors.
