Conduct a fraud risk assessment
What is a fraud risk assessment
A fraud risk assessment is a process to help you better understand your entity's fraud exposure, the associated risks and the strength of your existing controls.
A good fraud risk assessment helps you specifically identify how potential fraudsters might attempt to find a way around existing controls. If the assessment identifies these controls are not adequate to address the fraud risks, you can consider improving them or implementing new and more effective controls.
You can only accurately determine your risk and risk appetite if you understand exactly what needs to happen for a fraud to occur. If you have a clear and specific understanding of your entity's fraud risks, you are better positioned to make necessary adjustments to corporate processes or to amend policy and program design.
The fraud risk assessment process should be both evidence-based and creative. Those completing the assessment need to be aware of known fraud methods, consider who might defraud their corporate processes or programs and identify how they would do it.
The outcomes of fraud risk assessments are an integral part of a fraud control plan, which outlines your entity's plans, processes and existing countermeasures for countering the assessed fraud risks.
We have developed a Fraud Risk Assessment Leading Practice Guide to communicate key principles and methods taken from leading practices across sectors. Entities can then apply or adapt these methods to suit their individual circumstances.
When to complete a fraud risk assessment
The Commonwealth Fraud Control Framework requires entities to conduct fraud risk assessments regularly and when there is a substantial change in an entity's structure, functions or activities. Substantial changes can include machinery of government changes, changes to service delivery models (such as the introduction of new technologies or the transitioning into the digital delivery of services), and the design and delivery of new programs, or government responses to urgent or emergency events.
Subject to an entity's individual risks, entities are encouraged to conduct risk assessments at least every 2 years.
Common areas where fraud risks can arise
Every Commonwealth entity is exposed to fraud in some form. Because fraud is usually hidden from sight, constantly changing and not well understood by most people, its risks and impacts are often underestimated and overlooked. Some common areas where fraud risks can emerge include:
- policy and program development and delivery.
- revenue collection and administering payments to the public.
- service delivery to the public, including program management.
- provision of grants and funding arrangements.
- exercising regulatory authority.
- corporate financial transactions.
- procurement and contract management.
- payroll administration.
- changes in the activities or functions of an entity.
- issuing or using identity information.
Strategic fraud risk profiling
Because some Commonwealth entities are responsible for multiple programs and business functions, conducting fraud risk assessments across these entities can be complex, time consuming and difficult to prioritise. Strategic-level fraud risk profiling can help an entity identify those areas of the entity that are at higher risk of fraud. This enables fraud control officers to schedule fraud risk assessments on a prioritised basis.
This approach can also be adopted for national response arrangements which typically consist of multiple programs delivered by a number of Commonwealth entities to provide funding initiatives to individuals, entities and businesses.
Our Strategic Fraud Risk Profiling Tool can help officials identify high risk areas while prioritising efforts in their entities.
The fraud risk assessment process
When conducting fraud risk assessments, the Commonwealth Fraud Control Framework encourages entities to consider the relevant recognised standards, currently the Australian/New Zealand Standard AS/NZS ISO 31000-2018 Risk Management—Principles and Guidelines and the Australian Standard AS 8001-2008 Fraud and Corruption Control. Entities are also encouraged to consider their own risk management framework.
Consistent with the relevant standards as well as international and domestic leading practice approaches, the risk assessment process is broken down into 4 steps.
Who is responsible for fraud risk assessments
An entity should assign overall responsibility for fraud control (and fraud risk assessments) to a senior fraud officer, either as part of their normal duties or as a position with designated responsibility for overseeing an entity's broader counter fraud strategy. The main responsibilities of the senior fraud officer are to:
- help improve corporate understanding and commitment to the fraud risk assessment process
- confirm that fraud risk assessments are conducted to an acceptable standard, are performed in a timely manner and are sufficiently resourced
- encourage business units to actively engage with fraud risk assessments
- exercise their authority to implement change and monitor outcomes
- endorse an entity's fraud risk assessment(s) and fraud control plan(s)
- make sure outcomes of fraud risk assessments are clearly communicated across the entity.
Fraud control officers, or relevant designated officers, support the senior fraud officer in coordinating fraud risk assessments and maintaining an entity's fraud control plan. It is preferable that fraud control officers possess the following attributes and core competencies:
- Critical thinking skills.
- An ability to apply professional scepticism and to challenge assumptions.
- Counter fraud knowledge and experience.
- Risk management knowledge and risk assessment skills.
- An understanding of business process management and how technology supports business processes.
- Sound communication and facilitation skills.
Support available
We help entities enhance their capability to conduct fraud risk assessments by providing:
- accessible guidance and tools (see below)
- advice and workshops on fraud risk assessment concepts and methods.
Please contact us to discuss how we can help.