Fraud control plan
Key tips for fraud control plans
- Ensure that fraud control plans are available and accessible to all officials
- Assign executive-level ownership of the fraud control plan and get it endorsed by the Accountable Authority
- Fraud control plans do not have to be developed as a stand-alone document. The plan could be integrated into the entity's strategic plan, business plan or risk management plan
- Stand-alone fraud control plans are encouraged for entities with a high risk of fraud
- Maintain and update the fraud control plan; ideally this is done by a fraud control officer or fraud manager
- Adopt fit-for-purpose mechanisms to address fraud risks that are specific to the entity.
What could be in a fraud control plan?
- A fraud risk tolerance statement
- An outline of key roles and responsibilities for fraud control within the entity
- A summary of relevant awareness-raising and training strategies
- Demonstrated links between an up-to-date fraud risk assessment and fraud countermeasures
- A summary of fraud risks and vulnerabilities associated with the entity
- If relevant, include strategies to mitigate the risk of identity fraud
- Information about implementing fraud control arrangements within the entity
- A timeline for taking actions on all strategies and countermeasures
- Assigned ownership for the design, implementation and evaluation of identified fraud countermeasures
- Treatment strategies and countermeasures put in place to manage fraud risks and vulnerabilities
- Details on how officials can report and respond to suspected fraud
- Mechanisms for collecting, analysing and reporting fraud incidents
- Protocols for handling fraud incidents.
Reviewing a fraud control plan
Regularly reviewing the fraud control plan can assist with ensuring that the plan is implemented appropriately and remains relevant to the fraud risks being faced by an entity. Changes to the entity's operations or environment can render existing fraud countermeasures ineffective or irrelevant.
Key changes include:
- emerging risks
- new technologies
- changes in organisational partners and operations
- the commencement of new initiatives.
Testing the effectiveness of a fraud control plan could include an assessment of the following:
- Have risk assessments been undertaken appropriately?
- Have awareness-raising and training activities been evaluated and shown to work well in practice?
- Are other fraud countermeasures operating as intended? Could alternate approaches have more effective outcomes?
- Are allegations recorded, analysed and followed up in a timely fashion?
- Are cases of fraud dealt with according to applicable external and internal standards?
- Are remedies applied appropriately?
- Is information on cases of fraud used to update the fraud risk assessment and strengthen countermeasures?
- Is accurate information provided to the Audit Committee on a timely basis?