
I want to do a fraud risk assessment

A fraud risk assessment helps you identify, analyse and treat your entity's fraud risks. A good assessment will identify how potential fraudsters might attempt to defraud your entity and help you develop new countermeasures. It is also an opportunity for you to evaluate the effectiveness of existing countermeasures.


What is a fraud risk assessment

A fraud risk assessment is a process to help you better understand your entity’s fraud exposure, the associated risks and the strength of your existing countermeasures.

A good fraud risk assessment helps you specifically identify how potential fraudsters might attempt to bypass existing countermeasures. If the assessment identifies these countermeasures are not adequate to address the inherent fraud risks, you can consider improving them or implementing new and more effective countermeasures.

You can only accurately determine your risk and risk appetite if you understand exactly what needs to happen for a fraud to occur. If you have a clear and specific understanding of your entity’s fraud risks, you are better positioned to make necessary adjustments to corporate processes or to amend policy and program design.

The fraud risk assessment process should be both evidence-based and creative. Those completing the assessment need to be aware of known fraud methods, consider who might defraud their corporate processes or programs, and identify how they would do it.

The outcomes of fraud risk assessments are an integral part of a fraud control plan, which outlines your entity’s plans, processes and existing countermeasures for mitigating the assessed fraud risks.


The five principles for conducting fraud risk assessments

Principle 1: Conduct a strategic assessment at the beginning to identify key areas of risk or vulnerabilities you should cover.

Principle 2: Use the “actor, action and outcome” method to clearly articulate your fraud risks. See Annex B in Fraud in Emergency Management and Recovery.

Principle 3: Identify relevant countermeasures to help you understand what is in place and what fraud risks are not being effectively countered.

Principle 4: Consider the risks that remain after countermeasures have been applied to help you decide if you need to do more to mitigate the risks.

Principle 5: Assign owners who will action the findings from fraud risk assessments to help make sure risks are managed effectively and within your entity’s stated tolerance levels.

To help you apply these principles, the Commonwealth Fraud Prevention Centre has worked closely with the UK Government Counter Fraud Profession to develop a ‘Standardised Fraud Risk Assessment template’. You can request a copy of this template by reaching out to us through the contact us form.


When to complete a fraud risk assessment

All Commonwealth entities are required to conduct fraud risk assessments regularly, such as when planning and conducting activities, or when there has been a substantial change in the structure, functions or activity of the entity (Section 10 of the Public Governance, Performance and Accountability Rule 2014).

A risk-based approach helps you target your entity’s resources to your highest risk areas first. To identify these areas, carefully consider the current exposure and potential impact of fraud occurring within your entity.


The meaning of 'regularly'

Entities are encouraged to conduct a risk assessment at least every two years. Entities responsible for activities with a high risk of fraud may wish to assess risk more frequently.


The meaning of 'substantial change'

Substantial changes could include change in organisational structure, introducing new programs, losing or inheriting programs, change in budgeting associated with programs (e.g. machinery of government changes) or changing the means of delivery of an existing program (e.g. expansion of, or into, online provision of information and services). 


The meaning of 'exposure'

Exposure covers three considerations: availability, value and ease.

  • Is the program accessible to the public or is it closed off to a select group of people? [Availability]
  • What's the incentive? How much money, information or other resources could be gained? [Value]
  • How easy is it to exploit? Is it a new program that lacks maturity in its processes? Is there a history of fraud and non-compliance? How effective are the existing countermeasures? [Ease]


The meaning of 'impact'

Impact includes consideration of the current tangible and intangible impacts of fraud with current countermeasures in place. Learn more on the Total Impacts of Fraud page.


Common areas where fraud risk can arise

  • Policy and program development and delivery
  • Revenue collection and administering payments to the public
  • Service delivery to the public, including program management
  • Provision of grants and funding arrangements
  • Exercising regulatory authority
  • Corporate financial transactions
  • Procurement and contract management
  • Payroll administration
  • Changes in the activities or functions of an entity
  • Issuing or using identity information.


Who needs to be involved in the process

A comprehensive fraud risk assessment process brings together people from across an entity to examine fraud risks and explore options to counter the likelihood and consequences of fraud.

Fraud risk assessments are preferably facilitated by staff with fraud risk experience and supported by stakeholders who have the necessary range of skills, knowledge and experience to help identify and address fraud risks.

You may choose to outsource all or part of your fraud risk assessment. Outsourcing does not remove the responsibility of the Accountable Authority or senior management to manage fraud risk (paragraph 35 of the Commonwealth Fraud Control Framework).

Entities are encouraged to have a Fraud Control Officer or Fraud Manager who is responsible for overseeing the risk assessment process.

Two critical steps in the process are:

  1. allocating ownership of fraud risks and their countermeasures to relevant roles, persons or business areas, and
  2. documenting the dates when new countermeasures (also known as treatments) should be implemented.

The Fraud Manager should also communicate the results of the risk assessment through executive channels. This communication could include:

  • a summary of the effectiveness of the current countermeasures,
  • whether the residual risk is aligned with your entity's fraud tolerance level, and
  • any intended action to mitigate the risk of fraud.


When to review a fraud risk assessment

Fraud risk management is a continuous process that does not finish when a risk assessment is finalised. It is important to monitor and review fraud risks on an ongoing basis to stay on top of continuing or emerging fraud vulnerabilities. An effective monitoring and evaluation system for fraud risks can help you accurately capture any changes to the fraud risk profile of your entity, assess the ongoing effectiveness of your entity's countermeasures, and monitor the implementation of new or enhanced countermeasures.

Over time, an evaluation strategy has the potential to provide insights into the appropriate balance between fraud prevention and detection strategies. For example, it can show how far your entity relies on preventing fraud as opposed to discovering fraud after it has occurred.


Other support

The Commonwealth Fraud Prevention Centre works to support entities to enhance their risk assessment processes by providing tools and guidance and through the facilitation of risk assessment workshops.

For further information relating to available tools and guidance material or participating in the Centre’s risk assessment workshops, please reach out to us through the contact us form.

Other resources

The Commonwealth Fraud Control Framework outlines the Australian Government's requirements for fraud control. The three key documents in the Framework are the Fraud Rule, Fraud Policy and Fraud Guidance. It requires that government entities put in place a comprehensive fraud control program that covers prevention, detection, investigation and reporting strategies.

This standard provides guidelines for managing fraud risks. This standard can be used during the life of an entity and applied to any activity. It is not industry or sector specific.
