Key fraud control considerations
A systematic approach to fraud control contains the following elements in an ongoing cycle:
Fundamentals for sound fraud control
- Are the entity's fraud control arrangements consistent with the expectations of the Commonwealth Fraud Control Framework established under the Public Governance, Performance and Accountability Rule 2014?
- Is the senior leadership team suitably visible and engaged in fraud control within the entity?
- Does the entity promote an ethical culture to assist in preventing fraud and helping detect it once it occurs?
- Has the accountable authority established a suitable governance structure for fraud control that reflects the operating environment and risks of the entity?
- Does the entity take opportunities to engage with other entities and relevant networks to share information and experiences relating to contemporary fraud control approaches?
Risk management and planning
- Does the entity manage its fraud risks in a way which best suits the individual circumstances of the entity, in the context of the entity's overarching risk management framework (as described in the Commonwealth Risk Management Policy)?
- What is the most effective mechanism to consult and communicate with staff on fraud risks and the entity's fraud control plan?
- Has the entity identified relevant fraud risks, taking into consideration the entity's role, size and function, ongoing and emerging fraud risks, and broader organisational risks?
- Are the fraud control mechanisms in place to address identified fraud risks fit for purpose and based on the entity's individual risk context?
- When did the entity last conduct a fraud risk assessment?
- Was a fraud risk assessment conducted when there was a substantial change in the structure, functions or activities of the entity?
- Is the fraud risk assessment updated through regular, targeted risk assessments?
- Has the entity developed and implemented a fraud control plan following the fraud risk assessment?
- Does the entity's Audit Committee receive sufficient and timely information on fraud control arrangements to allow it to provide adequate assurance to the accountable authority?
- Does the Executive have clear oversight of the entity's fraud control plan?
- Does monitoring and evaluation of the fraud control plan inform fraud risk assessment and fraud control strategies on an ongoing basis?
- Does monitoring and evaluation of the fraud control plan inform fraud risk assessment and fraud control strategies for key stages in the life-cycle of the entity's key functions, particularly program design?
- Are there any entity functions or responsibilities, including large and/or high risk programs that warrant their own fraud control plan based on assessed risks?
- Are the resources allocated for fraud prevention measures proportionate to the fraud risk profile (taking into account the materiality, scope, complexity and sensitivity of possible fraudulent activities)?
- What mechanisms are in place—such as a fraud strategy statement and fraud awareness training—to ensure that officials in the entity are made aware of what constitutes fraud?
- How does the entity ensure the risk of fraud is taken into account in planning and conducting the activities of the entity?
- Is there a process for staff to disclose conflicts of interest and has this process been communicated to staff?
- Has the entity established suitable employment screening processes for new employees, and where required, existing employees?
- What processes does the entity have in place for engaging third parties? Does the entity take steps to ensure the bona fides of third parties and have appropriate provisions in contracts and agreements to assist with fraud prevention?
- Are fraud risks considered early and throughout the design of policies and programs to allow appropriate countermeasures to be built into the policy or program design?
- If the entity has a specialised fraud team, do line areas engage with the fraud team to identify fraud risks and appropriate preventive countermeasures?
- Does the entity have processes for communicating the outcomes of completed fraud investigations?
- Does the entity monitor and assess the effectiveness of its fraud prevention activities? How does this assessment inform ongoing fraud arrangements?
Discover more information about fraud prevention countermeasures.
- What mechanisms are in place for detecting incidents of internal and external fraud or potential fraud against the entity?
- Is there a process for officials of the entity and other persons to report suspected fraud confidentially?
- Does the entity's culture encourage the reporting of suspected fraud?
- Are the resources allocated to fraud detection measures proportionate to the fraud risk profile (taking into account the materiality, scope, complexity and sensitivity of possible fraudulent activities)?
- Does the entity have a range of internal and external reporting mechanisms in place for parties to report suspected unethical behaviour (including fraud)?
- Does the entity review the integrity (currency and accuracy) of its data?
- Does the entity monitor and assess the effectiveness of its fraud detection activities? How does this assessment inform ongoing fraud control arrangements?
Discover more information about fraud detection countermeasures.
- What mechanisms does the entity have in place for investigating or otherwise dealing with incidents of fraud or suspected fraud?
- Is there an electronic system (fraud incident register) for recording allegations?
- Do the entity's incidents of potential fraud warrant development of a case prioritisation model?
- Are there procedures in place which cover the process for undertaking initial evaluations of allegations?
- Does the entity use the Australian Government Investigations Standards when conducting investigations?
- Are employees or contractors responsible for conducting investigations on behalf of the entity appropriately qualified?
- Is relevant fraud investigation capability available within the entity, or have other arrangements for investigations been considered?
- Is there a policy that recovery action be undertaken only where the likely benefit will exceed the recovery costs?
- Are there processes in place to seek recoveries?
- Following an instance of fraud, does the entity review the work processes subject to the fraud to determine whether changes are required to existing processes, including processes relating to fraud risk assessment and fraud prevention?
- Does the entity monitor and assess the effectiveness of its fraud response activities? How does this assessment inform ongoing fraud control arrangements?
Discover more information about fraud response countermeasures.
Recording and reporting fraud
- What mechanisms are in place for recording and reporting instances of fraud or suspected fraud?
- Are the mechanisms in place for recording and reporting incidents of fraud appropriate for the number and type of cases of fraud and the complexity of investigations undertaken?
- Do recording and reporting mechanisms include the outcomes of incidents and investigations?
- Are fraud incidents reported, and outcomes of investigations communicated internally to officials of the entity?
- Does the entity report annually to the responsible Minister or Presiding Officer (as required) on fraud initiatives planned and undertaken, the significant fraud risks facing the entity, and any significant fraud incidents that occurred?