A truly systematic approach, whereby risk management is undertaken routinely and integrated into existing processes, is vital for effective fraud and corruption risk governance within the public sector. Fraud risk governance not only relates to systems and policies; it also shapes the culture of an organisation, and its capacity and readiness to deal with risks. By endorsing anti-fraud policies, senior management can demonstrate its commitment to a culture of integrity, and lay out provisions for the fraud risk management process. Managing authorities (MAs) in the Slovak Republic have developed and adapted their procedures regarding fraud risk assessment in line with the European Commission’s Guidance Note on Fraud Risk Assessment and Effective and Proportionate Anti-Fraud Measures, developed by the Expert Group on European Structural and Investment Funds (hereafter EGESIF) (European Commission, 2014[14]). However, MAs could further integrate fraud risk management activities into existing practices. This includes developing stand-alone anti-fraud policies and fostering a proactive risk culture. In addition, MAs could take steps to build skills and invest in the training needed for improving the capacity of employees to carry out assessments that account for fraud and corruption risks. Improving capacity can further expand and anchor good practices.

In addition, enhanced co-operation and knowledge sharing are vital to ensure that programme authorities are maximising their skills and expertise to mitigate fraud and corruption risks. In the Slovak Republic, MAs do not regularly involve other authorities responsible for ESI Funds management or oversight. Nor do they communicate effectively with law enforcement authorities such as the General Prosecutor’s Office (GPO) once cases of fraud or corruption have been referred to those bodies. By establishing a task force within the Anti-Fraud Co-ordination Service (AFCOS) network, the Government of the Slovak Republic can provide MAs with the means to improve their risk assessments, and ensure that fraud and corruption risk management is embedded in authorities’ practices. Furthermore, setting up information-sharing forums between programme authorities and law enforcement authorities can keep MAs up to date regarding evolving fraud and corruption activities, which can then be used in future risk assessments.

Another key area for effective governance of risk management is monitoring and evaluation (M&E). International standards emphasise the need for governments to perform M&E in order to assess outcomes and update activities to improve fraud and corruption risk management (COSO, 2016[16]). Moreover, the European Commission (EC) encourages Member States and programme authorities to define procedures for monitoring the implementation of fraud prevention and detection measures. This includes reporting what anti-fraud measures have been set up, and how effectively they have been applied. In this context, the unit of analysis for M&E is not individual risks, but the entire system in place for managing them. Specifically, M&E involves the systematic collection of evidence dealing with the design, implementation and results of the policies, controls and actions taken to manage fraud and corruption risks. Effective monitoring allows managers to adapt when issues arise while evaluations offer insights into an ongoing or completed activity, to support decisions about relevance, effectiveness and potential alternatives.

M&E is not the sole responsibility of audit entities or other oversight bodies. Responsibility for monitoring and evaluating fraud risk management is a shared one that concerns MAs, the Audit Authority (AA), and working groups. M&E can moreover act as a management tool to drive improvements in specific areas, such as the governance structure for risk management and risk assessments, by integrating lessons learned and feedback loops. In discussing paths to better governance for managing risks, this chapter also explores ways that MAs can refine their approaches to evaluating risk management activities, particularly fraud and corruption risks, and in so doing continuously improve risk management involving ESI Funds.

Taking into account these governance issues, this chapter focuses on the following priorities:

• Priority 1: Develop explicit anti-fraud policies and foster a positive risk culture

• Priority 2: Establish a formal mechanism for co-ordination among authorities

• Priority 3: Increase the capacity to manage fraud and corruption risks with improved training

• Priority 4: Improve feedback loops with law enforcement authorities to enhance risk assessments

• Priority 5: Monitor and evaluate fraud risk management activities and controls

Legal and policy frameworks in the Slovak Republic provide the foundation for fraud risk management relating to the implementation of ESI Funds, such as the government’s National Anti-Fraud Strategy (NAFS) and the methodological setting of risk management practices by the Ministry of Finance. Moreover, the EC provides programme authorities with guidance on developing anti-fraud policies as part of their strategic anti-fraud measures, such as working to promote an anti-fraud culture and allocating responsibilities for tackling fraud. As of 2019, the four MAs participating in the OECD project had developed such policies; some had been approved while others were in the process of being approved by the Secretary-General of the relevant ministry. However, the OECD identified several MAs in the Slovak Republic that have yet to fully adopt anti-fraud policies relating specifically to ESI Funds – even if, in general, MAs have established risk management procedures to implement operational programmes (OPs),

Risk management is a growing practice across the Slovak public sector. Anti-fraud policies serve as a valuable tool to embed fraud and corruption risk management into MA practices, and ensure that risk management is sustainable. Some MAs currently have anti-fraud policies in place that include an explicit statement on corruption and fraud risk management responsibilities and activities; it is vital that the remaining MAs establish such policies. Besides ensuring that employees are aware of their fraud risk management obligations and promoting a positive risk culture within MAs, these policies can also communicate to other stakeholders – including the public – that MAs are committed to mitigating fraud and corruption risks in the implementation of OPs. Regarding the participating MAs, only one has made their anti-fraud policy available on line.

In addition, managing fraud and corruption risks in the Slovak Republic is heavily focused on compliance. As a result of the compliance-based approach used by MAs to examine fraud and corruption, certain risks may not be given adequate attention and may not be properly prioritised. Moreover, some MAs have risk management procedures that do not include explicit mention of managing fraud and corruption risks. According to systems audits undertaken in 2017, these are analysed with other types of risks included in risk assessments. In the case of one OP, the AA concluded that the MA did not sufficiently identify fraud risks in the Catalogue of Selected Risks, implying that the MA did not determine that this category of risk merited attention.

Senior management in the MAs that do not currently have an anti-fraud policy can establish one tailored to their OPs. The policy can demonstrate senior management expectations, their commitment to integrity, and a zero-tolerance approach regarding fraud and corruption. The policy may vary depending on the context of different MAs and the maturity of their risk management function, but it should achieve the following:

• Articulate the anti-fraud and anti-corruption objectives of MAs in implementing OPs – An explicit policy is a communication tool for MAs and employees involved in implementing ESI-funded projects. The policy should include definitions of fraud, corruption and irregularities, and make explicit linkages between the anti-corruption and anti-fraud objectives of MAs and their risk management activities. These objectives should be considered alongside those of the OP, taking into account the types of fraud and corruption that pose the highest risk in this context.

• Clearly define roles and responsibilities regarding fraud and corruption risk management – MAs are responsible for identifying and managing risks, but successful fraud risk management depends on the contribution of each employee within the MA. Alongside their risk management functions, managers within MAs are responsible for the day-to-day handling of fraud and corruption risks. Their tasks include ensuring that internal controls are in place and functioning, and (more generally) preventing and detecting fraud and corruption risks. These different roles should be outlined in policy.

• Detail the steps involved in fraud reporting and investigation procedures – Employees within MAs should be aware of the appropriate channels to use when reporting suspected fraud or corruption. This would include clearly detailing how staff report internally and to external bodies (i.e. law enforcement authorities, and the European Anti-Fraud Office [OLAF]), and the actions that should be triggered when potential fraud or corruption is reported.

• Stipulate how the fraud risk management framework should be monitored – Policy should detail how fraud risk management activities will be monitored and evaluated, for example through periodic or ongoing evaluations, and also outline who is responsible for undertaking these activities (The Chartered Institute of Public Finance & Accountancy, 2014[23]; COSO, 2016[16]). Later in the chapter there are further examples of and discussion about monitoring and evaluating risk management activities.

For those MAs that do not currently have an anti-fraud policy in place or are in the process of developing one, opportunities remain to design policies that go beyond alignment with EGESIF. Given that fraud and corruption risks differ among OPs and among MAs, these policies should not be one-size-fits-all: different entities have different objectives and varied risk profiles (GAO, 2015[19]). Anti-fraud policies should take into account the fraud risk scenarios encountered by the MA in question. An anti-fraud policy in fact provides an opportunity to define fraud and other types of misconduct. A European Court of Auditors report from 2019 found that not all Member States interpret the European Union (EU) definition of fraud in the same way, meaning that some fraudulent activities are not reported by programme authorities (European Court of Auditors, 2019[4]). MAs in the Slovak Republic should ensure that the anti-fraud policy provides clear definitions of what constitutes fraudulent or corrupt activity, in line with EC definitions. Box ‎3.1 provides an example of a comprehensive counter fraud policy for the European Regional and Development Fund in the United Kingdom.

For the MAs that already have an anti-fraud policy in place, a review of the policy could allow for further improvement of its components. For instance, an annual review could be undertaken by senior management to assess its relevance in relation to the fraud risk profile of the MA. Inputs from previous risk assessments, fraud reporting, results of investigations and audit reports can be used during the review process. In line with this strategy, updated anti-fraud policies could include information on how the MA is using data-driven approaches to mitigate fraud and corruption risks, as well as outlining the measurement criteria and tools that will be used to evaluate their fraud risk management activities (see Priorities 5 and 6). Once established, updated and approved, the anti-fraud policy of each MA should be visible both within the entity and externally. This can include publishing the policy on the intranet and distributing it to staff members. To ensure that the public and third parties involved in the implementation of OPs can see the commitment of MAs to combating fraud and corruption, the policy can also be published on line via the webpage of the responsible MA or the OP webpage.

When conducting risk assessments, MAs expressed a need for improved co-ordination. Nonetheless, none of the MAs involves other authorities responsible for ESI Fund management or oversight, such as the certifying authority (CA), intermediate bodies (IBs), the Anti-Fraud Co-ordination Service (AFCOS), audit authority (AA), Corruption Prevention Office (CPO) and Public Procurement Office (PPO) in the risk assessment process. The limited co-operation that exists among these authorities is centred on policy co-ordination and high-level information sharing, but co-ordination is not focused on fraud or corruption risk management directly. The absence of inputs from these stakeholders may lead to incomplete risk assessments, because identification and analysis could overlook certain risks recognised by other authorities. For instance, the CA can have a more comprehensive view of fraud risks concerning certification and payments. AFCOS can bring specific anti-fraud expertise and knowledge of new and evolving schemes into the assessment process. The PPO collects data on breaches and infringements of procurement processes in OPs, which may reveal high-risk areas during this stage. The CPO provides a comprehensive list of potential corruption risks for various sectors that may inform risk assessments.

A core element of effective risk management is communication, which means the timely involvement of stakeholders to take into consideration their knowledge, views, and perceptions. This risk management principle implies a systematic approach to communication and consultation, sharing information with targeted audiences, and obtaining feedback from relevant parties to shape risk management (ISO, 2018[24]). Several EU Member States, such as the Netherlands and Spain, have transitioned to a more co-operative approach to conducting fraud risk assessments. In doing so, they bring together diverse expertise and insights regarding anti-fraud and anti-corruption measures. Such an approach has allowed these Member States to establish risk-based measures for managing fraud risks more effectively (PWC, 2018[17]). In France, the General Commission for Equal Territories (CGET) has organised regular meetings for all the authorities responsible for European programmes covering different topics, including the fight against fraud (Box ‎3.2).

In addition, the AA can offer insights based on its audits while continuing to maintain its independence as an audit institution. The EC provides guidance to Member States on a common methodology for assessing Management and Control Systems (MCS), including assessment criteria for Key Requirement (KR) 7 on anti-fraud measures (European Commission, 2014[26]). Under Regulation No. 1303/2013 of the Common Provisions Regulation (CPR) (European Parliament, 2013[27]), the AA is required to carry out systems audits of the MCS of MAs, IBs, and CAs. Systems audits aim to obtain reasonable assurance that MCS function effectively and efficiently to prevent errors and irregularities (including fraud) and that, if these appear, the system is capable of detecting and correcting them. In the Slovak Republic, the AA performs system audits of the completed risk assessments per KR 7 on anti-fraud measures, and therefore may need to limit its role in designing the risk assessments for MAs. Nonetheless, the AA can participate in an advisory capacity, as it will have a government-wide vantage point from which to inform the identification of risks and honing of risk assessments.

In interviews with the OECD, MAs highlighted different expectations they have with regard to the anti-fraud measures they should be implementing and the criteria by which the AA audits their MCS. Specifically, the AA adheres strictly to EGESIF guidance, whereas some MAs view that guidance as a starting point and aim to tailor their practices to specific contexts. Such strict adherence can result in missed opportunities for MAs to properly adapt their risk management activities and use the resulting audits to improve fraud and corruption risk management practices.

The first step in addressing these issues is to improve communication among stakeholders and encourage engagement with the AA. Constructive and frequent communication between the AA and MAs can help improve the overall resilience of ESI Funds to fraud and corruption while allowing the AA to remain independent. See Box ‎3.3 for an example of how the AA in the Netherlands works with programme authorities to improve fraud prevention and detection, and sets the expectation for audits. In other Member States such as Estonia, Ireland and Lithuania, the AAs play a role in fraud prevention through advising MAs and CAs. For example, the Irish AA has created a list of fraudulent practices detected during their audits to spread fraud awareness to the relevant authorities. To further enhance fraud and corruption risk management, more frequent exchanges between MAs and the AA would be particularly beneficial as part of the M&E processes. Allowing such exchange would provide structure, incentives and shared objectives, so that communication among AAs, MAs and others go beyond ad hoc activity and towards a more systematic approach.

MAs could benefit from improved interactions and sharing of experiences, particularly with regard to practices for managing and assessing risks. In workshops organised by the OECD, the participating MAs voiced a strong desire for a knowledge-sharing platform dealing specifically with the issue of combating fraud and corruption in ESI Funds. Regular exchanges on fraud and corruption risk assessments can help enhance individual OP risk assessments and improve coherence across programme authorities, all the while recognising the need for tailoring to different contexts. In addition, MAs could work together to strengthen their fraud risk assessments by inviting a wider range of authorities to exchange views on and experiences with potential fraud risks and appropriate mitigating actions.

In the Slovak Republic, a key co-ordinating body in the anti-fraud and control architecture is the Central Contact Point (CCP) OLAF, which performs the role of the Anti-Fraud Co-ordination Service (AFCOS) that exists in each EU Member State. The AFCOS network consists of bodies involved in the management and implementation of ESI Funds, notably MAs, IBs, the CA and AA, and numerous other authorities such as the PPO, the Supreme Audit Office of the Slovak Republic (NKU), the Anti-Monopoly Office (AMO), GPO, and the Ministry of Justice. The Steering Committee for the Protection of the Financial Interests of the EU, which is made up of representatives from different programme authorities, co-ordinates and supports co-operation among AFCOS network partners. Before the updated National Strategy for the Protection of the European Union’s Financial Interests was approved on 30 May 2019, there were five working groups under the steering committee. The working groups held periodic meetings on the following topics: irregularities, Article 325 of the Treaty on the Functioning of the European Union (TFEU), co-operation in the co-ordination of control activities, public procurement, and communication.

The existing structure could accommodate a platform for co-ordination and knowledge sharing among MAs, IBs, the AA, and the CA on issues relating to fraud risk management in the implementation of ESI Funds. Formal co-ordination can take the form of a task force with resources and expertise in fraud and corruption risk management. MAs can ensure that experienced and well-informed representatives participate on this task force. Programme authorities could also organise frequent and regular meetings or workshops with MAs, IBs, the CA and AA, and other AFCOS network partners to share good practices for managing fraud and corruption risks. Specifically, representatives from the respective risk management working groups can establish regular interactions to develop more comprehensive approaches to conducting fraud risk assessments. Workshops and discussions can be facilitated by experts, both internal and external, that possess experience in managing fraud and corruption risks involving ESI Funds. With assistance from CCP OLAF, the task force could invite other authorities, including the CPO, PPO and NKU to provide input in discussions on improving fraud and corruption risk assessments. The Central Co-ordination Body (CCB) can also support the task force in facilitating co-operation.

Based on the OECD review of relevant documentation and interviews with practitioners, the current risk management practices of programme authorities in the Slovak Republic reveal a lack of capacity in identifying and analysing fraud and corruption risks (see Chapter 2). MAs in many EU Member States share the same challenge: they are expected to implement ESI-funded projects in compliance with numerous legal provisions set out by the EC, while also developing effective anti-fraud measures (a central theme during the current programming period). As a result, Member States may not have developed sufficient expertise or skills relating to the implementation and monitoring of anti-fraud measures or performing risk assessments. In the Slovak Republic, MAs could build expertise in fraud risk management by developing and planning anti-fraud training tailored to the specific context of each OP.

As of 2019, several MAs in the Slovak Republic are handing anti-fraud training over entirely to external bodies such as CCP OLAF. That office has organised training activities and seminars for AFCOS network partners based on the Training Plan for the Protection of the EU’s Financial Interests in the Slovak Republic. The list of training programmes for 2017-18 shows that ten seminars took place covering a wide variety of topics: building awareness of fraud; the most common infringements of public procurement rules; detection of fraudulent practices in the implementation of ESI Funds; and cartels and distortion of competition. One seminar in 2017 focused on risk management and the set-up of control mechanisms in structural funds. Another training session dealing with management of fraud and corruption risks involving ESI Funds is planned for 2019. The number and nature of trainings organised by CCP OLAF depend on the available budget and needs of the AFCOS network partners. As such, trainings may be ad hoc and irregular.

Overall, representatives from the risk management working groups see opportunities for receiving more specific and practical training in identification, analysis and management of fraud and corruption risks in structural funding. Moreover, Member States are required by the EC to provide training for staff involved in verifying the use of ESI Funds specifically concerning potential fraud, sharing information on detected fraud cases, red flags, and practical application of available tools. The Slovak Republic Government’s own National Anti-Fraud Strategy stipulates that all employees involved in implementing ESI Funds should receive integrity training, as well as technical training to help them better identify and analyse risks. Explicitly, the NAFS states that training should focus on strengthening the skills of employees to recognise red flags and cases of suspected fraud, and the steps to take in response. In addition to capacity building, training staff on specific anti-fraud measures helps raise awareness of the commitment of MAs to fighting fraud and corruption involving structural funds (European Commission, 2014[14]).

CCP OLAF and MAs can establish formalised, regular and ongoing training programmes to complement ad hoc seminars for developing skills in fraud and corruption risk management. Since training resources are limited, training priorities should primarily target staff with direct responsibility for identifying, analysing and mitigating fraud and corruption risks. These employees can include participants from risk management working groups and personnel within MAs and IBs who carry out control activities such as on-the-spot (OTS) checks, internal audits and investigations. Trainers can use employee surveys, international recommendations and consultation groups to identify training needs. In addition, regular training assessments can help ensure that staff trainings within MAs and IBs take into consideration the particular fraud and corruption risks associated with the OPs that they are implementing. Based on the OECD review of the needs and challenges of MAs, key topics to consider include:

• fraud and corruption risk identification and analysis

• indicators and red flags for potential fraud and corruption

• practical co-operation and information exchange between law enforcement agencies and programme authorities – for example, sharing information on cases, best practices and recommendations made

• monitoring and oversight of contractors and subcontractors

• components of an internal control system and risk management practices in public institutions

• administrative investigation of tips received from whistleblowers and other reporting channels.

Another way to formalise training is through professional certification. MAs can facilitate training and skills acquisition by encouraging employees to attain internationally recognised qualifications, such as the Institute of Internal Auditor’s Certification in Risk Management Assurance, the Association of Certified Fraud Examiner’s certification, or the Certificate in Fraud Risk Management from the Chartered Institute of Public Finance & Accountancy. Furthermore, training programmes should be holistic in nature and include guidance not only on fraud risk management, but also on how to foster a culture of integrity. Interactive activities can be employed as training techniques, such as dilemma training whereby employees are presented with particular situations and ways to deal with them realistically. Such exercises may be more effective at instilling knowledge than formalistic check-the-box activities. Experiential learning activities can prepare employees who undertake risk assessments and populate risk registers, as demonstrated in the example from the Netherlands (Box ‎3.4).

Introducing immersion seminars and peer-to-peer exchanges can also enhance training activities and strengthen participants’ capacity to manage fraud and corruption risks involving ESI Funds. To increase training resources and expertise so as to share good practices and deliver capacity-building workshops, relevant authorities such as CCP OLAF, MAs, CAs and the CCB could seek support from experts and skilled practitioners from other EU Member States. Two specific programmes that allow such exchange and capacity building are TAIEX-REGIO Peer 2 Peer and Hercules III. TAIEX is designed to enable public officials managing the European Regional Development Fund and Cohesion Fund to exchange knowledge and find realistic solutions to problems. Three types of technical assistance are expert missions, study visits and workshops, which are financed by the EC. Hercules III helps to fund projects including training activities, which can help combat fraud and corruption. This programme provides opportunities for experts to share best practices through seminars and conferences on a variety of topics such as corruption prevention in procurement. It can also cover more specialised training to improve skills in digital forensic detection and fraud prevention.

Capacity building requires ongoing investment and resource allocation, which appears to be a major constraint in the Slovak Republic. When developing plans for the next programming period (2021-27), the CCB and MAs could establish a dedicated budget in the national technical assistance programme to fund training courses related to fraud and corruption risk management and anti-fraud measures. The objectives of training programmes should meet the requirements of the NAFS and the priorities of the government of the Slovak Republic in reducing fraud and corruption risks. Risk management procedures for some OPs utilise fraud indicators, but this practice has not yet been implemented in all MAs (see Chapter 2). For example, the internal documentation of OP Quality of Environment provides a comprehensive list of red flags, particularly those that are relevant in the procurement cycle. Other MAs can further develop and expand training in this area to ensure that staff in MAs are aware of fraud indicators and red flags and so can respond proportionately to potential fraud and corruption.

Throughout the implementation of OPs in the Slovak Republic, co-ordination among multiple ministries and departments is vital for the referral of suspected fraud and corruption cases to law enforcement authorities and other relevant bodies. Within existing co-ordination mechanisms, the GPO and AMO have signed co-operation agreements with CCP OLAF, the AA and the CCB that provide a basis for information exchange. There are also co-ordination mechanisms in place to detect and report fraud based on existing risk management practices. The Ministry of Education, Science, Research and Sport, for example, has entered into a co-operation agreement with the PPO and the Government Office of the Slovak Republic: the Ministry actively co-operates with both bodies using lists of risk indicators to detect breaches of competition rules or fraudulent behaviour. In addition, MAs must routinely deal with requests for information from the National Criminal Agency to assist with investigations.

Despite these existing activities and co-ordination mechanisms, MAs and other stakeholders highlighted difficulties in following up with law enforcement authorities regarding the outcomes of reported fraud incidents. Limited communication from these authorities concerning prosecuted cases presents a significant challenge for MAs when reviewing their controls and taking corrective action. Improving the feedback loop regarding prosecution and correction could also enhance fraud risk assessments, reinforce fraud deterrence, and allow MAs to address control vulnerabilities more effectively, reducing the risk of similar fraud incidences occurring in the future. Several Member States have in place measures to foster close co-operation between ESI Funds authorities and investigative and law enforcement bodies (Box ‎3.5).

There are several opportunities to improve information sharing between law enforcement bodies and entities responsible for fraud and corruption prevention. For instance the former, including the GPO, can regularly attend information-sharing workshops aimed at helping programme authorities identify fraud and corruption trends and patterns and modes of operation. CCP OLAF currently organises at least one training session in co-operation with experienced prosecutors and police investigators from the GPO and National Criminal Agency. The most recent seminar in December 2018 covered criminal activity regarding financial interests in the EU. In addition, law enforcement bodies, as well as other entities such as the GPO and AMO, could participate in the newly formed task force.

The aforementioned entities have access to information that is critical for improving fraud and corruption prevention and detection measures. However, such information is not being used to the fullest possible extent. For example, the GPO circulates information on the outcome of fraud cases with CCP OLAF without any granular data. In addition, representatives from the AMO note that their office monitors ESI Funds and undertakes analyses on beneficial ownership and bid rigging; these analyses could be provided to the MAs and assist them in identifying fraud and corruption risks during the tendering phase of projects. MAs and other programme authorities can benefit from acquiring and analysing information concerning trends in investigation and prosecution, and receiving this information in a timely manner could improve their anti-fraud measures and risk assessments. Specifically, MAs and risk management working groups can use information about schemes and parties involved to inform risk identification as well as risk scoring, so that both are informed by real-world experiences and the results of their own referrals. The sharing of practices is mutually beneficial, as it allows police and law enforcement bodies to build expertise. In turn, this may lead to more effective investigations and prosecutions related to fraud and corruption in EU structural funds.

M&E can take place at the government level as well as at the institutional level. In EU-funded project implementation, M&E of fraud risk management is a shared responsibility. It involves the MAs, the AA and working groups. In the Slovak Republic, MAs are at the fifth stage of their risk management programmes, which means they will begin the M&E process in 2019. During this process, risk management working groups for the respective OPs will determine whether the controls implemented are effective by assessing reductions in perceived risks. This M&E process pertains to risk management more broadly but includes a focus on fraud risks and related control activities.

EGESIF and the risk management provisions established for programme authorities provide a basis for M&E of some fraud risk management activities. Given the importance of Key Requirement (KR) 7 during the current programming period, the Slovak Republic has taken steps to ensure that MAs have in place anti-fraud measures that are in line with the components of KR 7. During the M&E process laid out in the respective risk management procedures for OPs, members of the risk management working groups are responsible for assessing whether controls have been effective based on results of risk assessments. This provides insight into how effectively controls are functioning and whether they are commensurate with identified risks; however, this practice constitutes only one part of a comprehensive evaluation of fraud risk management measures and activities within MAs.

As mentioned earlier in this strategy, some of the OP risk catalogues have not captured all relevant fraud and corruption risks. As a result, the monitoring stage of risk management may not accurately capture the reality of which fraud and corruption risks arise within each OP. The current M&E process only assesses identified fraud and corruption risks and implemented controls at the operational level. It does not evaluate the effectiveness of fraud risk assessments, governance structures for managing risks, or other fraud prevention measures. The Slovak Republic is not alone in facing this challenge. From its findings, the European Court of Auditors reports that none of the MAs included in the audit save one examines the effectiveness of their fraud prevention and detection measures, and there are only limited records of which measures are used. As a result, anti-fraud measures are not evaluated in terms of their actual results (European Court of Auditors, 2019[4]).

Although neither the MAs nor the risk management working groups in the Slovak Republic have a systematic or formalised method for undertaking M&E of their risk management practices, some are indeed evaluating the effectiveness of their risk management activities, albeit in an ad hoc manner. Some of the participating MAs have developed methodologies to undertake assessments using techniques such as data harvesting, which are informed by inputs from audit findings and other data sources. However, there appears to be confusion within MAs as to whether or not these methodologies are correct or effective, and in some cases they are not documented. The MAs represented have not developed measurement criteria to monitor and evaluate fraud and corruption risk management activities, which may render evaluations inaccurate and allow deficiencies to go unnoticed in the fifth stage of their risk management programmes.

As of 2019, the EC does not require Member States to systematically assess the horizontal implications of suspected fraud in their MCS, nor does it monitor and evaluate implementation of anti-fraud measures in a comprehensive way. However, in the framework of its revised Anti-Fraud Strategy (European Commission, 2019[28]), the EC is developing profiles of the anti-fraud capabilities of Member States in relation to prevention and detection (European Court of Auditors, 2019[4]). This signals the growing importance of monitoring and evaluating anti-fraud measures, and at this stage provides the Slovak Republic with an opportunity to develop their M&E practices ahead of trends.

To further systematise and integrate M&E activities, the risk management working groups and risk management functions in MAs could benefit from developing targeted, simple tools to structure the evaluation process. These tools can include indicators that help to measure key aspects of anti-fraud policies and risk management practices. This would help ensure that MAs are managing fraud and corruption risks in line with EU policies and regulations, as well as international standards. Moreover, it would support the MAs in their monitoring and evaluation not only of risks, but also of the governance, policies, tools and practices for managing those risks. Easily interpreted templates can help ensure that evaluations capture a range of relevant components of fraud and corruption risk management. Annex A shows a scorecard tailored to the ESI Funds context that can be applied to OPs in the Slovak Republic; however, this tool should be used as a starting point for risk management working groups and MAs to develop their own scorecards in line with their specific needs and risks in their OPs.

Scorecards are typically used to perform organisational self-assessments. They may use a traffic light system or numerical scoring to indicate whether components are functioning properly or require further improvements. For example, in the traffic light system, red indicates that a particular area or factor needs substantial strengthening and improvement, whereas yellow denotes that an area needs a degree of improvement that is not substantive. A green scoring could mean that an area is functioning effectively and does not require improvement (see Table ‎3.1 and Annex A for examples). These scorecards would ideally cover the key elements of the following areas: fraud and corruption prevention; fraud risk assessment; control activities; corrective action and investigation; and monitoring and evaluation. Assessment of some of these areas may require a more subjective review based on a particular context (e.g. organisational culture) while other areas will be more concrete (e.g. have a documented fraud risk profile). When designing their scorecards, the risk management working groups or functions within MAs can select which scoring system they deem most suitable. Employing numerical scoring may allow for more in-depth assessment, whereas the traffic light system provides an overview of where challenges lie or where fraud risk management activities are functioning effectively.

When developing the components of the M&E scorecards, the working groups or risk management functions can use the assessment criteria for Key Requirement (KR) 7 as an initial basis, but it is recommended that the scorecards cover a broader range of measures relating to fraud and corruption risk management (See Annex A). This requires an assessment of the fraud risk management objectives and anti-fraud measures of the MA relating to their OP implementation. Some initial questions to be considered in this exercise include:

• Is fraud risk assessment an integral part of the risk management process?

• Does the assessment of fraud consider fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and corruption can occur?

• Is regular reporting and monitoring in place in the public organisation relating to its exposure to fraud?

• Are controls and an early warning system in place to identify information signalling new risks that could have a significant impact on the MA?

• Do personnel report through established channels internal control issues to the appropriate internal and external parties in a timely manner, to enable the public organisation to promptly evaluate those issues?

• Does management take adequate and timely actions to analyse and correct deficiencies reported by personnel, internal audit function, or financial and non-financial internal and external monitoring activities?

• Does management monitor the status of corrective actions taken so that they are completed in a timely manner and bring the expected result (e.g. the recommendations of the internal audit or results of monitoring activities)? (Boryczka, Bochnar and Larin, 2019[29])

Developing measurement criteria enables MAs to benchmark performance against best practices and internal expectations, allowing for continuous improvement of their respective risk management practices. This is reflected in Principle Five of the Fraud Risk Management Guide developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The guide describes how establishing measurement criteria enables monitoring and evaluation, as well as analytical comparisons of an organisation’s fraud risk management activities (COSO, 2016[16]). Using defined metrics allows MAs to measure and benchmark actual fraud incidents against the past, providing insights on what is working and what needs further improvement. If there are flaws or gaps in the fraud risk management frameworks of MAs, the speed at which they are discovered can have a critical impact on mitigation. Benchmarking progress and challenges in this way fosters a longer-term view of fraud and corruption prevention in the implementation of OPs. Measurement criteria to track performance of fraud risk management complements the scorecards for M&E, and should be used as inputs for such evaluations.

The primary responsibility for establishing measurement criteria lies with the risk management working groups. For OPs that do not have this structure, the risk management function within the MA could have the primary responsibility. Additionally, the AFCOS-level task force recommended under Priority 1 provides an opportunity for MAs to engage with other programme authorities and utilise their expertise for developing their measurement criteria. For example, CCP OLAF and the CPO can provide targeted inputs for indicators to assess fraud and corruption risk management. When establishing these metrics, a variety of data sources could be considered. Information and data can be drawn primarily but not exclusively from the following sources:

• company registers;

• IMS

• ITMS 2014+

• database maintained by the AMO

• database maintained by the NKU

• database maintained by the PPO

• audit and control reports by the NKU and AA.

Where possible, the measurement criteria should capture the outcome and performance of fraud and corruption risk management, and be in line with the anti-fraud and anti-corruption objectives of MAs. However, considering that risk management is a relatively nascent practice in MAs, data to evaluate the fraud risk management framework may not be readily available and/or measurable, making it more difficult to gauge the outcomes of fraud risk management practices. Where data are unavailable, at a minimum, MAS could assess inputs and outputs for fraud risk management activities. Taking into account the available data sources mentioned above, the risk management working groups or risk management functions within MAs can undertake a mapping exercise to assess what information they can extract from these sources. The initial measurement criteria to be monitored could include:

• the number of irregularities reported as fraudulent in ITMS 2014+ and known fraud or corruption operations committed against programme authorities in the Slovak Republic, including in IBs

• the number of fraud or corruption cases reported to law enforcement authorities by MAs or other public bodies

• the number of allegations of suspected fraud or corruption, both from within MAs and from external actors (i.e. allegations received via whistle-blowing channels)

• the types of fraud and corruption experienced, and resulting losses

• control weaknesses or fraudulent activity uncovered through management verifications and checks or audits

• the number of staff and external parties (i.e. IBs) that have not signed a code of conduct/code of ethics/conflict of interest disclosure

• the number of employees who have not undertaken anti-fraud, anti-corruption or integrity training

• the number of fraud-related audits performed by the relevant audit functions (i.e. internal audit, AA and NKU).

In particular, MAs in the Slovak Republic can make use of reported suspicion of fraud to better assess their internal control systems and fraud risk management frameworks. Box ‎3.6 provides an example of how Spanish programme authorities have uncovered specific and systematic fraud incidents in OP implementation based on an initial suspicion of fraud.

Once the measurement criteria have been established, the risk management working groups or functions can undertake comparative analyses to aid their M&E of fraud risk management, and identify challenges or successes. For example, the measurement criteria can be used to compare types of fraudulent irregularities and cases of fraud and corruption with those previously detected during project implementation. It can also be used to inform the scorecard evaluation, the results of which could be communicated to senior management to ensure that resources are allocated in proportion to risk management activities and to remediate deficiencies.