Fostering corruption. Or not.
People tend to make use of opportunities presented to them, often with little regard for ethics. In some cases this is done within the constraints of the law (which does not concern us here), and in some cases this is done outside the law (which does concern us here). Since we know that people will take advantage of opportunity, those developing projects have a fiduciary obligation to make sure that the possibilities of fraud and corruption are minimized without damaging the opportunity. This is generally done through the internal audit function.
Auditing can be intrusive and disruptive, particularly when the auditors are demanding records from the past. While forensic auditing is important after the fact, we are largely interested in preventing problems with an internal audit, rather than in picking up the pieces after an incident. Because of this, we believe that it is better to figure out the areas of risk and audit the present activities in these areas. If, when we show up, the risk is less than we had expected, we are happy to admit we misjudged, and move on. By taking this approach, common to most forms of risk management, we are able to minimize cost, maximize effectiveness, and minimize the opportunity for fraud and corruption on projects.
The problem, however, is often not the approach to auditing, but the sheer failure to provide sufficient on-site concurrent internal auditing and oversight when it is clear that it is needed. As an example, in the March 2005 issue of AEGIS we discussed the fact that both the UN Food for Oil program and the US Iraq Development Fund failed to provide adequate onsite audits, when it was clear that this would lead to corruption and fraud, as this kind of failure always does. The UN auditors with whom we have spoken believe that they could have predicted, based on the lack of supervision, how much would be lost to corruption, and that their GAO counterparts could have done the same for the losses in the Iraq Development Fund.
The bottom line is that risk management allows you to manage risk. If you choose not to implement risk management, you are, by default and abrogation of your responsibilities, choosing to allow risk to manage you. Internal audit of high-risk areas of exposure is a key tool. Use it, and use it wisely.