Audit of Global Fund Fraud Risk Management
Oliver Campbell WhiteArticle Type:
Article Number: 9
You need to be wide awake to understand this
ABSTRACT The Office of the Inspector General report on its audit of Global Fund fraud risk management adopts a new method of assessment that is not easy to follow because the so-called fraud management maturity levels are not readily understandable; and they bear no relation to the assessments made in the previous audit of fraud risk management. Apologies for the conclusions appearing vague but interested readers should go to the full report for the detailed findings that led to those conclusions; however, you may find the OIG responses to the commentary less than convincing.
On 6 July the Office of the Inspector General (OIG) issued its audit report on Fraud Risk Management.
The OIG assessed the maturity of the Global Fund’s fraud risk management framework against the five core components set out in the guide on fraud risk management published in 2016 by The Association of Certified Fraud Examiners (ACFE) and The Committee of Sponsoring Organisations of the Treadway Commission:
- Fraud risk monitoring
- Fraud risk governance
- Risk assessment
- Fraud control activity
- Fraud investigation and corrective activity
The OIG also rated each component using the five-point scale from the Enterprise Anti-Fraud Maturity Assessment Model (in the Anti-Fraud Playbook: The Best Defense Is A Good Offense. 2020 Grant Thornton LLP and ACFE) – see Figure 1.
Figure 1: Anti-fraud Maturity Rating
The Global Fund operates in challenging environments which expose its programs to fraud and abuse. Most countries supported by the Global Fund are ranked below average on the Corruption Perceptions Index (CPI) published by Transparency International. About $6 billion of Global Fund monies go to countries in the bottom 45 of the 180 countries in the CPI report. Eligible Global Fund countries in the bottom half of the CPI score account for 83% ($10.3 billion) of Global Fund allocations.
The COVID-19 pandemic and changes in working practices have increased opportunistic fraud in programs, requiring strong monitoring mechanisms.
In 2017, the Board, in approving the Policy to Combat Fraud and Corruption (PCFC), defined fraud as any act or omission, including a misrepresentation, that knowingly or recklessly misleads, or attempts to mislead, a party to obtain a financial or other benefit or to avoid an obligation. The definition of fraud risk was widened to consider programmatic as well as financial risks: specifically, section 3.3 of the PCFC states that “The Global Fund recognizes that fraud and corruption infiltrate not only financial management, but also strategic decision-making, governance, public health systems, program quality and reporting.”
Programmatic fraud refers to fraud other than financial frauds, such as “health product substitution and counterfeiting, as well as misrepresentation or manipulation of any information arising from or relating to Global Fund Activities such as proposals, plans, evaluations, performance data, epidemiological data, reports, and audits” (PCFC, section 4.3).
The Global Fund Board and its Committees have approved several policies and guidance documents relevant to fraud risk management (Figure 2 below).
Figure 2: Main Anti-fraud Policies and Guidelines at the Global Fund
Fraud risk management at the Global Fund
The Global Fund Integrated Risk Management framework is built on three lines of defence: (1) the Country Team and support of in-country assurance providers; (2) the Risk Department and other risk owners, such as the Technical Advice and Partnerships team, Finance Department and Supply Operations; and (3) the OIG and the external auditor, who report to the Board or its Committees.
Fraud trends: types of allegations and sources
During 2019-2021, the OIG opened 489 investigations into the following types of allegations:
- Theft of equipment, commodities and money, referred to as abusive practices (157 investigations, or 32% of cases);
- Fraudulent practices, which included data manipulation, misrepresentation and fraudulent documents (116 investigations, or 24% of cases);
- Price fixing, bid rigging and Conflicts of Interest, referred to as collusive practice (71 investigations, 15% of cases); and
- Corrupt practices including bribery (66 investigations, 13% of cases).
Fraudulent and corrupt practices therefore collectively accounted for 37% of cases investigated by the OIG in this period.
Not all investigations result in a published report; the OIG issues case closure memoranda when the investigation is inconclusive or an allegation is unfounded (the evidence does not support the allegations), not material, there has already been a proportionate response, risks have been mitigated, or deficiencies addressed.
OIG investigations produce Agreed Management Actions (AMAs) based on lessons learned from cases. AMAs included financial recoveries, sanctions of entities and individuals, and the strengthening of controls and processes.
The OIG identified non-compliant transactions totalling $143.2 million between 2019 and 2021, most of them due to fraudulent practices and theft. In the same period, the proposed recoveries of funds as a result of OIG investigations during that period was $14.4 million. Principal Recipients (PRs) and sub-recipients (SRs) are most frequently the subjects of OIG investigations, respectively accounting for 42% and 23% of investigations.
The number of allegations generally aligns with the size of funds allocated by region, with most allegations affecting grants in the Global Fund’s High Impact Africa 1, High Impact Africa 2, and High Impact Asia regions (see Figure 3).
Figure 3: Allocation and Number of Screening Reports by Region
As of 31 December 2021, the Secretariat had reported $26.7 million in outstanding recoverable amounts resulting mostly from non-compliance expenditures and mismanagement.
Audit objective, scope and rating
The audit sought to assess the maturity of the Global Fund’s framework (including policies and procedures) on fraud and corruption and to position the organization in a rating scale for further improvement.
The Global Fund’s fraud risk management framework was reviewed against the five components list under Background above.
Instead of using the standard audit rating scale, the OIG used the assessment model to rate the maturity of the Global Fund fraud risk management framework and its underlying processes. Maturity is split into five stages – ad-hoc, initial, repeatable, manageable and leadership, as shown in Figure 4.
Figure 4: Enterprise Anti-fraud Maturity Model from Anti-fraud Playbook by ACFE/Grant Thornton