Conduct a fraud and corruption risk assessment

What is a fraud and corruption risk assessment#

A fraud and corruption risk assessment is a process to help you better understand your entity's fraud and corruption exposure, the associated risks and the strength of your existing controls.

A good fraud and corruption risk assessment helps you specifically identify how potential fraudsters and criminals might attempt to find a way around existing controls. If the assessment identifies these controls are not adequate to address the fraud and corruption risks, you can consider improving them or implementing new and more effective controls.

You can only accurately determine your risk and risk appetite if you understand exactly what needs to happen for a fraud or corruption to occur. If you have a clear and specific understanding of your entity's fraud and corruption risks, you are better positioned to make necessary adjustments to corporate processes or to amend policy and program design.

The fraud and corruption risk assessment process should be both evidence-based and creative. Those completing the assessment need to be aware of known fraud methods and corrupt conduct, consider who might defraud their corporate processes or programs and identify how they would do it.

The outcomes of fraud risk and corruption assessments are an integral part of a fraud and corruption control plan, which outlines your entity's plans, processes and existing countermeasures for countering the assessed fraud and corruption risks.

We have developed a Fraud Risk Assessment Leading Practice Guide to communicate key principles and methods taken from leading practices across sectors. Entities can then apply or adapt these methods to suit their individual circumstances.

When to complete a fraud and corruption risk assessment#

The Commonwealth Fraud and Corruption Control Framework requires entities to conduct fraud and corruption fraud risk assessments regularly and when there is a substantial change in an entity's structure, functions or activities. Substantial changes can include machinery of government changes, changes to service delivery models (such as the introduction of new technologies or the transitioning into the digital delivery of services), and the design and delivery of new programs, or government responses to urgent or emergency events.

Subject to an entity's individual risks, entities are encouraged to conduct risk assessments at least every 2 years.

Common areas where fraud and corruption risks can arise#

Every Commonwealth entity is exposed to fraud and corruption in some form but because it is usually hidden from sight, constantly changing and not well understood by most people, the risks and impacts of fraud and corruption are often underestimated and overlooked. These are the common areas where fraud and corruption risks can emerge:

Some common areas where fraud and corruption risks can emerge include:

• policy and program development and delivery
• revenue collection and administering payments to the public
• service delivery to the public, including program management
• provision of grants and funding arrangements
• exercising regulatory authority
• corporate financial transactions
• procurement and contract management
• payroll administration
• changes in the activities or functions of an entity
• disaster and emergency management responses
• rapid implementation of government initiatives and services  
• introduction of new technologies and transition into digital delivery of services
• introduction, transition into and use of identity verification processes for service delivery to the public
• access, disclosure and/use of personal or sensitive information.

Enterprise-level fraud and corruption risk assessment#

Entities should start by identifying the risk of fraud and corruption at the enterprise level and assess the potential for these risks to impact an entity’s key organisational objectives and core business. Fraud and corruption risks can be assessed at the enterprise level as part of an entity’s broader enterprise level risk assessment processes, or as a discrete assessment. Assessing fraud and corruption risks at the enterprise level looks at the entity as a whole and gives an overview of the main fraud and corruption risks the entity faces. This type of risk assessment considers and provides a landscape view of all activities, functions and expenditure areas across the entity and its operating environment.

Targeted fraud and corruption risk assessment#

As well as undertaking enterprise-level assessments of fraud and corruption risk, entities must undertake further assessments for activities, functions and programs that are at the highest risk from fraud or corruption. This may include activities undertaken by third parties on behalf of the entity.

When considering the need for targeted fraud and corruption risk assessments and other activities, entities should be mindful of common areas where fraud and corruption may arise.

Entities are encouraged to undertake initial impact assessments during the design of new policies, programs or initiatives. An Initial Fraud Impact Assessment (IFIA) is used to make an early high-level assessment of the inherent risks and potential impacts of a new policy, program and initiative. These assessments may inform policy development or design factors such as eligibility criteria or data collection and can be used to mitigate the risks of fraud or corruption and promote integrity through good design. These assessments may also inform whether further targeted risk activity is required.

Strategic fraud and corruption risk profiling#

Because some Commonwealth entities are responsible for multiple programs and business functions, conducting fraud and corruption risk assessments across these entities can be complex, time consuming and difficult to prioritise. Strategic-level fraud and corruption risk profiling can help an entity to identify those areas of the entity that are at higher risk of fraud and corruption. This will enable fraud and corruption control officers to a schedule fraud and corruption risk assessments on a prioritised basis.

This approach can also be adopted for national response arrangements which typically consist of multiple programs delivered by a number of Commonwealth entities to provide funding initiatives to individuals, entities and businesses.

Our Strategic Fraud Risk Profiling Tool can help officials identify high risk areas while prioritising efforts in their entities.

The fraud and corruption risk assessment process#

When conducting fraud and corruption risk assessments, the Commonwealth Fraud and Corruption Control Framework encourages entities to consider the relevant recognised standards, currently the Australian/New Zealand Standard AS/NZ ISO 31000-2018 Risk Management—Principles and Guidelines and the Australian Standard AS 8001-2008 Fraud and Corruption Control. Entities are also encouraged to consider their own risk management framework.

Feedback loops

Entities should establish feedback loops (ideally through responsible governance committees, senior executives and relevant business areas), to harness the insights gained from targeted fraud and corruption risk assessments. These insights then inform the entity’s management of fraud and corruption risks.

This approach ensures higher-level activities are intelligence-led and counter fraud capability and resources are effectively targeted towards the entity’s highest fraud and corruption risks and vulnerabilities.

Fraud and corruption control plans

A control plan outlines an entity’s plans, processes and existing controls for mitigating fraud and corruption risks.

These risks are identified based on the outcomes of a fraud and corruption risk assessment, and are a key part of a fraud and corruption control plan.

Entities should document the results of their fraud and corruption risk assessments and control plans in a way that is accessible to risk, control and treatment owners. This will help them to understand the entity’s fraud and corruption risks and vulnerabilities, and make informed decisions on recommended treatment strategies, if required.

Who is responsible for fraud and corruption risk assessments#

An entity should assign overall responsibility for fraud and corruption control (and fraud and corruption risk assessments) to a senior fraud and corruption officer. This could be as part of their normal duties or as a position with designated responsibility for overseeing an entity's broader counter fraud and corruption strategy.

The main responsibilities of the senior fraud and corruption officer are to:

• help improve corporate understanding and commitment to the fraud and corruption risk assessment process
• confirm that fraud and corruption risk assessments are conducted to an acceptable standard, in a timely manner and with sufficient resources
• encourage business units to actively engage with fraud and corruption risk assessments
• exercise their authority to implement change and monitor outcomes
• endorse an entity's fraud and corruption risk assessment(s) and fraud and corruption control plan(s)
• make sure outcomes of fraud and corruption risk assessments are clearly communicated across the entity.

Fraud and corruption control officers, or relevant designated officers, support the senior fraud and corruption officer to coordinate fraud and corruption risk assessments and maintain an entity's fraud and corruption control plan.

Ideally fraud and corruption control officers should possess the following attributes and core competencies:

• critical thinking skills
• the ability to apply professional scepticism and challenge assumptions
• counter fraud and anti-corruption knowledge and experience
• risk management knowledge and risk assessment skills
• an understanding of business process management and how technology supports business processes
• sound communication and facilitation skills.

Support available#

To help entities enhance their capability to conduct fraud risk assessments, we provide:

• accessible guidance and tools (see below)
• advice and workshops on fraud and corruption risk assessment concepts and methods.

Please contact us to discuss how we can help.