Fraud risk assessments
Section 10 of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) is known as 'the Fraud Rule'. This rule is binding on all Commonwealth entities.
Under paragraph (a) of the Fraud Rule, fraud risk assessments must be conducted regularly and when there is a substantial change in the structure, functions or activities of the entity.
- What does 'regularly' mean? Subject to an entity's individual risks, entities are encouraged to conduct a risk assessment at least every two years. Entities responsible for activities with a high risk of fraud may wish to assess risk more frequently.
- What does 'substantial change' mean? Substantial changes could include changes in organisational structure, introducing new programs, losing or inheriting programs, changes in the budget or responsibility for programs (e.g. machinery of government changes), or changing the means of delivery of an existing program (e.g. expansion of, or into, online provision of information and services).
Under paragraph (c)(ii) of the Fraud Rule, the risk of fraud must be taken into account when planning and conducting the activities of the entity.
Conducting a fraud risk assessment
In conducting a fraud risk assessment, entities are encouraged to consider the relevant recognised standards. Currently:
- AS ISO 31000:2018 Risk management – Guidelines
- AS 8001-2008 Fraud and Corruption Control [pending revision]
When considering fraud risk in an entity, consider the:
- role of the entity
- areas of potential exposure
- effectiveness of current countermeasures
- residual risk if the countermeasures operate as intended.
Also consider whether the residual risk is aligned with the entity's stated fraud tolerance level. If the residual risk remains higher than the entity's tolerance level, implement improvements to the countermeasure environment to reduce the residual risk.
Conducting risk assessments requires specific expertise
Risk assessments can be conducted internally or outsourced:
- Internally: Risk assessments can be conducted using in-house resources, but it is important to ensure that the risk assessment team has access to the range of skills, knowledge and experience necessary to provide coverage of the categories of risk to be considered. These skills may not be available in-house (see Commonwealth Fraud Control Framework, page C10 paragraph 34); or
- Outsourced: Entities may choose to outsource all or part of the risk assessment and fraud control planning process. Consistent with PGPA Act responsibilities, outsourcing does not remove the responsibility of the accountable authority or senior management to manage fraud risk (see Commonwealth Fraud Control Framework, page C10 paragraph 35).
It is important to document and assign ownership of fraud risks and mitigation strategies
Ownership could be aligned with a particular role, person or business area. Entities are encouraged to have a fraud control officer or fraud manager who is responsible for the risk assessment process.
The fraud manager should communicate the results of the risk assessment through executive channels. This communication could include a summary of the effectiveness of the current countermeasure environment, whether the residual risk is aligned with the entity's fraud tolerance level, and any intended action to mitigate the risk of fraud. The fraud manager should also track implementation by documenting the dates by which new mitigation strategies are to be in place.
As fraud entails dishonesty and deception, identifying fraud risks requires a sceptical mindset and involves asking probing questions, such as:
- How might a fraudster exploit weaknesses in the existing countermeasures?
- How could a perpetrator override or circumvent countermeasures?
- What could a perpetrator do to conceal fraud?
It is not always practical to institute measures to address every possible risk
A risk-based approach enables an entity to target its resources, both in prevention and detection, on problem areas. Therefore, it is important to carefully assess the current exposure and the potential impact of fraud occurring within the entity.
- What does 'exposure' mean? This incorporates the availability, value at risk and ease of access. For example, ask the following questions:
- Is the program accessible to anyone in the public or is it closed off to a select cohort? [Availability]
- What's the incentive? How much money, information or other resources could be gained? [Value]
- How easy is it to exploit? Is it a new program that lacks maturity in its processes? Is there a history of fraud and non-compliance? How effective are the existing countermeasures? [Ease]
- What does 'impact' mean? Impact includes consideration of the current tangible and intangible impacts of fraud with current countermeasures in place. However, because fraud is both a risk and a hidden threat (much of it goes undetected), it is also important to consider the potential future impact of fraudulent activity.
Common areas where fraud risk can arise
- Policy and program development and delivery
- Procurement – including tendering and managing supplier interfaces
- Revenue collection and administering payments to the public
- Service delivery to the public, including program and contract management
- Provision of grants and funding arrangements
- Exercising regulatory authority
- Entities that receive/authenticate identification documents
- Entities that create identification documents
- Internal governance arrangements
- Changes in the activities or functions of an entity.
Reviewing a fraud risk assessment
Risk assessment is a continuous process. The fraud risk assessment can be updated through regular reviews and targeted risk assessments. Changes in the effectiveness or relevance of fraud countermeasures can affect an entity's fraud risk assessment.
It is valuable to monitor and review the fraud risk assessment and related strategies on an ongoing basis, in light of an entity's experience with continuing or emerging fraud vulnerabilities. An effective monitoring and evaluation regime for fraud risks can assist with accurately capturing and recording the significant fraud risks facing the entity, as well as with assessing the effectiveness of the entity's fraud countermeasures.
Periodic evaluations can help establish causal links between countermeasures and observed fraud outcomes. Over time, an evaluation strategy has the potential to provide insights into the appropriate balance between fraud prevention and detection strategies. It may also show the relative weight an entity should give to preventing losses from fraud in the first instance, as opposed to discovering fraud after it has occurred.