International Journal of Government Auditing – July 2010
Editor's note: This article expresses the personal views of the authors and in no way constitutes a formal/official position of the European Commission.
Toward the end of 2007, allegations of fraud were made involving millions of euros spent to carry out research projects funded by the European Union (EU). This alleged fraud had apparently gone on for a number of years and had been previously undetected.
This article describes the factors that may have allowed this alleged fraud to occur and the actions that have been taken to address it and prevent its future recurrence. While the alleged fraud in this case occurred in the context of audits of research grants—a rather common public sector role—we believe that the lessons learned can be applied in many other areas in the public sector, such as grants and subsidies or the procurement of infrastructure, goods, or services.
The European Commission is the executive arm of the EU. DG INFSO, one of the Commission’s departments, provides EU grants to information technology research projects by cofunding the costs incurred. DG INFSO manages 5,000 projects, and its 15,000 beneficiaries invest more than 1 billion euros per year. DG INFSO carries out 200 annual financial audits on these projects, and the audit results contribute to the annual assurance process.
OLAF, the European Anti-Fraud Office, conducts administrative antifraud investigations to protect the EU budget. Although statutorily part of the European Commission, OLAF is operationally independent as far as its investigations are concerned. It can carry out controls with the help of Member State authorities and, in some cases, with powers similar to national administrative authorities. In its investigations, OLAF cooperates with European Commission departments and national authorities and helps the Commission prevent fraud.
How Did It Start?
At the end of 2007, OLAF contacted DG INFSO to discuss allegations that several entities had claimed substantial but fictitious costs in EU-funded research projects. A highly disturbing detail was that some of these entities had received clean audit reports in the recent past.
As DG INFSO and OLAF analyzed the projects and entities in question, we determined that to confirm or dismiss these allegations we needed radically new cooperation mechanisms between our two departments to synchronize audits and investigations.
A first step was to ensure that we were using the most modern auditing methods, drawing on the new standards issued by the International Auditing and Assurance Standards Board adapted to the public sector context by INTOSAI, and carefully tailoring them to the particular situation.
We also realized that we needed to get insight and drill into vast amounts of data (thousands of legal entities, contracts, transactions, people, addresses, and e-mails). To do that, the advanced data-mining tools that OLAF used were adapted to DG INFSO’s audit environment. This resulted in excellent synergies between audits and investigations, though we were always careful to bear in mind and respect the different roles and mandates of audit and investigation.
The information gathered seemed to confirm that a complex fraud scheme had been discovered that might have gone unnoticed over many years. The alleged fraud was conservatively estimated at millions of euros. The alleged fraud scheme we identified gave both auditors and investigators new insights about the strengths and weaknesses of their respective methods and the importance of an effective cooperation between the two professions.
Let us share some of these lessons learned from an auditor’s point of view.
How Could This Go Unnoticed?
We are convinced that the alleged perpetrators of the fraud had in-depth knowledge of the EU’s control systems and were constantly adapting their behavior as the controls evolved. Loopholes or weaknesses in the regulations were exploited, and misrepresentations were used to an extent that none of us had seen before. The modus operandi included the following:
EU services were not prepared for the complexity of this fraud scheme and its massive use of misrepresentation. Also, the auditors used traditional audit approaches with standard audit programs that were simply bound to fail in this case. Furthermore, audits were conducted as separate assignments, without links between them.
A key weakness of the existing control processes was undoubtedly the lack of healthy professional skepticism in planning and carrying out audits. Fraud was considered as a scope exception in the auditors’ opinion rather than an integral part of the scope, as specified in International Standard on Auditing (ISA) 240 “The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements,” and International Standard of Supreme Audit Institutions (ISSAI) 1240.
Why Could This Fraud Be Addressed Now?
The shock of large-scale fraud in entities with a clean audit opinion provoked a radical rethinking of our tools and methods, resulting in the following:
Building on this information, a large number of targeted audits were launched, incrementally building on available information.
Audits were conducted with the level of secrecy required by investigations, limiting the information to a core group of staff. Information was shared on a “need to know” basis. Data and documents were protected using encryption techniques; they were also protected physically.
Lessons Learned for Ongoing Audits and Investigations
While this approach was applied for the first time in a specific fraud case, the lessons learned have now been integrated into our respective daily activities. The following sections describe some of the key elements that have been adopted.
Preparation for Fieldwork
The preparation is designed to
The aim is to assess the risk of intentional material misstatements in the entity’s cost claims. Two main factors influence this risk:
For this risk assessment, we analyze the entity as a whole, using all accessible information sources—internal, open, and commercial.
Information is extracted from DG INFSO’s contract management systems, and EU project officers are interviewed about the entity’s performance. Unexpected changes in the project’s objectives are highlighted. Documents submitted by the entity are assessed for indications of misrepresentation or anomalies (in names, signatures, authenticity, authors, or dates). Previous and related audit reports on the entity are analyzed.
Information is collected from company registries: shareholders, directors, related entities, contact references, and accounting data. Information is cross-checked with open sources (such as Google, company Web sites, Wayback Machine, phonebooks, and Google Maps) and internal sources.
Information about the entity’s key staff is collected from open sources (such as LinkedIn, PIPL, 123People, and Yasni) and cross-checked with the data provided by the entity.
Information about other fund sources is collected. Income from grants is compared with the entity’s annual income statements to assess potential overdependency on grants, which could be an incentive to invent and claim costs not incurred.
All the gathered information is structured and discussed in a brainstorming session with the audit team to determine the key risks and the appropriate audit program.
In most cases, we grant a very short lead-time between the time the audit is announced and the fieldwork (2 weeks instead of months) in order to find the situation as unaltered as possible. In cases where there are clear indications of fraud, OLAF carries out on-the-spot checks without any advance warning, involving DG INFSO auditors as technical experts.
Our aim during fieldwork is to
We implement an audit program that is tailored to the entity, applying professional skepticism at every stage. If new elements or new risks emerge during the fieldwork, the audit program is quickly fine-tuned to address them. We ensure that we incorporate unpredictable or unusual components in the program. For example, we
We pay additional attention to any scope limitations imposed by the entity.
Essential documents—authenticated by the entity where relevant—are safeguarded as part of the audit documentation. In doing so, we also bear in mind the need for OLAF investigators to substantiate their case and allow documents to be swiftly transmitted to national judicial authorities.
Feedback to the audited entity may be limited to protect subsequent audits or investigations.
After the Fieldwork
After the fieldwork, our main goal is to
We analyze the collected information for coherence and plausibility. In some cases, we organize audits in related entities to obtain a complete overview. Communication of conclusions to the audited entity may be deferred until all the linked audits have been completed.
All comments that the audited entity makes when reviewing the audit findings are carefully analyzed, and the audit conclusions are worded carefully.
We feed lessons we have learned concerning potential weaknesses of operational controls into DG INFSO operational services to allow them to improve the controls of the payment and other processes (information technology systems, changing procedures, training staff).
We actively encourage that audit conclusions be implemented as swiftly and efficiently as possible in order to achieve a rapid recovery of improper payments and to dissuade other beneficiaries from similar fraudulent activities.
Our new approach is not only resulting in more effective audits and investigations, but also preventing problems. However, it also brings new challenges:
Both these points underline the importance of active communication with internal and external stakeholders to avoid serious misunderstandings. The underlying reasoning should be that detecting fraud is a positive result that demonstrates an improved control system and, first and foremost, helps ensure that money is used for its intended and rightful purpose.
Therefore, higher error rates that result from better detection mechanisms are, at least in the short term, good news and a promise of better public services in the future.
This article demonstrates how EC services implemented INTOSAI’s motto, “Experientia mutua omnibus prodest.” In this case, mutual experience did benefit all and resulted in a new combined audit and investigation approach that helped to successfully untangle a very complex and costly example of fraud.
The lessons learned have already led to improved financial and other controls in INFSO. The new approach and tools will also be used by other EC bodies to implement their risk analysis and organize their controls.
We are sure the improved detection of irregularities and the subsequent administrative, financial, and judicial follow-up will also prevent future problems.
However, we also expect that perpetrators of fraud will apply their own lessons learned, which means that our methods will need continuous updating to keep abreast of a changing reality. This case has given us new perspectives and a salutary electroshock, preparing us also for new challenges. We have identified misrepresentation as a key risk factor in our audit work and developed appropriate methods to cover this risk. Things will never be the same again.
 To improve readability, the term “fraud” is used here to refer to irregularities and suspected fraud, even though the allegations have not been substantiated in a court of law.