Organizational Change and Fraud Risk Management in NATO

Scott A. Cohen, CFE, CIA

NATO Airlift Management Agency

Director, Internal Audit

2012 ACFE European Fraud Conference

Agenda

• Disclaimer • Summary

• North Atlantic Treaty Organization • NATO Airlift Management Agency • NATO Agencies Reform • Impact of Organizational Reform • Application of the Fraud Triangle • Potential Frauds • Impact on NATO Support Agency Management • Recommendations • Summary Re-visited

• Internal Audit Perspective

Disclaimer

• This briefing represents the opinion of the briefer and does not necessarily reflect the opinions of NATO leadership.

• Nothing in this briefing should be construed to imply that there is an increase in any particular fraud occurring. This briefing is concerned with the environment created by organizational reform.

• NATO is presented as a case study of an organization in transition. Focus should remain on the reasons why organizational change or reform leads to an increase in the risk of fraud.

Summary

• The changes put into place to achieve the objectives of organizational reform are precisely what increases the risk of fraud. – Organizational reform + Fraud Incentives = Increased Risk of Fraud

• No evidence that there is fraud occurring in response to reform initiatives

– Existing controls may be insufficient to prevent fraud

– Environment is more conducive to fraud occurring

• Organizational reform places burden on management to address increased risks, not only to the reform project itself, but of fraud.

• Could the objectives of NATO reform (cost savings) have been achieved in another way?

North Atlantic Treaty Organization (NATO)

• North Atlantic Council – Political (Brussels)

• SHAPE – Military (Mons)

• Allied Command – Transformation (Norfolk, Virginia)

• Joint Force Commands – Operations

• Agencies

– Support for operations

– Support to other NATO organizations

– Provide capabilities to NATO nations

• Large and small organizations within the organization

– Discussion in the briefing applies to both

(REUTERS/Goran Tomasevic)

NATO Airlift Management Agency (NAMA)

• Provide programme management and support to the Heavy Airlift Wing (HAW) – Technical Management – Logistics and Procurement – Financial Management – Legal, HR, Information Technology

• The Heavy Airlift Wing flies C-17 Globemaster III aircraft in support

of national missions – Transport equipment and personnel – Iraq and Afghanistan, Africa, Haiti, et al.

• Twelve participating nations

– 10 NATO nations, 2 Partnership for Peace

Mission Highlights

7

ISAF 80% of HAW Missions

Haiti Earthquake Relief 3 Missions Jan-Feb 2010

Polish Victim Repatriation April 2010

OIF/Iraq 3 Missions December 2009

Uganda ATLAS DROP April 2011

NATO Agencies Reform - What

• Overall, 14 agencies will be consolidated into 3 agencies

• NATO Airlift Management Agency (NAMA) will merge with two other agencies: Central European Pipeline Management Agency (CEPMA) and NATO Maintenance and Supply Agency (NAMSA) to form the NATO Support Agency (NSPA)

– Aviation programme management

– Fuel Pipeline management

– Weapon System Partnerships, Maintenance and Logistics

NATO Agencies Reform – Why?

• Efficiency and cost savings

• Shared services: Financial, HR, Legal, IT

• Decision to not close existing bases

• Redraw the organizational diagram

– 3 agencies reporting to the North Atlantic Council

– Add a layer of management oversight

• Opinion:

– Improve oversight by the NAC of the agencies

– Cost savings could have been achieved without a merger

– Impact on cost to the nations is uncertain

Impact of Organizational Reform (COSO Internal Control Framework)

• Organizational reform changes the Internal Control Framework

– Structure of the organization – Culture of an organization

• NAMSA and NAMA – Bring in new people

– Policies and procedures (Procurement, Finance) – Reporting relationships and management oversight

– Information technology – Communications (Formal and Informal) – Risks facing the organization are changed

• Additional risks from each of the organizations • Some risks are mitigated • Priorities change

Application of Fraud Triangle

• Pressure

– People may lose their jobs (Shared services)

– Assigned to other positions/locations

• Rationalization

– Years of service

– Not my agency anymore (yet)

• Opportunity (Internal control framework)

– Internal control environment changed

– Internal controls previously relied upon may not exist

– Management override as new people do not understand system

Opportunity

Potential Frauds (Operational Level)

• Financial Statement

• Misappropriation of Assets

– Pay and Allowances

– Dummy employees

– Requirements for travel

– Spend money on projects that are not required

– Gold-plated requirements (airworthiness)

• Corruption

– Employment

– Payments to vendors

– Political (justification for reorganization)

Political Fraud (Strategic)?

• Definition of Fraud (Reminder)

– Intentional misrepresentation of a material fact that is relied upon by others and causes harm

• Need for organizational reform – Cost savings and efficiency

– Increased control of the organization

• Agencies reform structure and processes

– Significant investment in time and personnel

• Not intentional, therefore not fraud

NSPA Management Impact and Response

• Reform places additional burden on NSPA management to ensure controls are designed and implemented to reduce the risk of fraud

• NATO agencies reform to date is focused on organizational structure and functions – “As-is, Where is”

• Risk is considered in terms of project risk of the reform efforts and

not on activities within the agencies

• Risk register for the agencies that are merging are not updated – Fraud not considered

• No consideration of Internal Audit function performed until after the

merger

Recommendations

• Update the risk management plan for additional risks/changes in risk, including fraud risk, posed by agency reform

• Ensure control activities of the legacy agencies are in place through the transition period

• Do not change reporting relationships and management oversight until new control activities are implemented – “As-Is, Where is” conflicts with guidance to develop coordinated processes

• Address risk management and internal controls (including

management oversight) concurrent with changes in structure and functions

Summary Re-visited

• The changes put into place to achieve the objectives of organizational reform are precisely what increases the risk of fraud – Organizational reform + Fraud Incentives = Increased Risk of Fraud

• No evidence that there is fraud occurring in response to reform initiatives

– Existing controls may be insufficient to prevent fraud

– Environment is more conducive to fraud occurring

• Organizational reform places burden on management to address increased risks, not only to the reform project itself, but of fraud.

• Could the objectives of NATO reform (cost savings) have been achieved in another way?

Internal Audit Perspective

• Organizational change and Fraud Risk Management: Who asked me to do this?

• Internal auditor

– COSO Internal Control Framework

– Governance, Risk Management and Internal Controls

– Consideration of fraud:

• What are the conditions under which fraud is more likely?

• Fraud triangle: way of analyzing motivatiom

• If it exists, how would it present itself? Look for red flags

• Development of position paper to NSPA Management

Questions?

NATO Alliance

• Political and military alliance to provide for the collective self-defense of its members

• 28 Nations:

– Albania, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, Lithuania, Luxembourg, Netherlands, Norway, Poland, Portugal, Romania, Slovenia, Slovakia, Spain, Turkey, United Kingdom, United States

• http://www.nato.int/cps/en/natolive/what_is_nato.htm

“Association of Certified Fraud Examiners,”

“Certified Fraud Examiner,” “CFE,” “ACFE,”

and the ACFE Logo are trademarks owned by

the Association of Certified Fraud Examiners,

Inc. The contents of this paper may not be

transmitted, re-published, modified,

reproduced, distributed, copied, or sold without

the prior consent of the author.