Develop a fraud control plan

What a fraud control plan includes

Your fraud control plan documents your entity’s key fraud risks and your current or planned strategies to counter fraud.

A fraud control plan might include:

• a statement about your entity’s tolerance for fraud risk
• an outline of key roles and responsibilities for fraud control within your entity
• a summary of relevant awareness-raising and training strategies
• a summary of how your entity assesses fraud risk and treats vulnerabilities
• a summary of the known fraud risks and vulnerabilities associated with your entity
• an outline of existing strategies to reduce fraud risk within your entity
• a timeline for taking actions on all strategies and countermeasures
• a clear position on who is accountable for designing, implementing and evaluating fraud strategies and countermeasures
• details on how officials can report suspected fraud
• protocols for how officials should respond to fraud incidents
• a summary of how information about fraud incidents is collected, analysed and reported.

What a good counter fraud strategy looks like

An example of what a good counter fraud strategy might look like:

1. Strategic Fraud Intelligence
   • Oversee and monitor your entity's counter fraud plan and strategy.
2. Fraud Risk Assessment
   • Undertake high level and functional/program level fraud risk assessments to proactively identify vulnerabilities and implement countermeasures. 
3. Counter Fraud Assurance
   • Undertake pressure testing to check that countermeasures are appropriate and work effectively.
4. Fraud Measurement
   • Undertake fraud measurement exercises to quantify the extent to which undetected fraud may exist. 
5. Referrals and Detection
   • Have processes and resources in place to receive and analyse tip-offs or detect indicators of potential fraud.
6. Intelligence and Investigations
   • Have processes and resources in place to analyse and investigate potential fraud.
7. Respond and Disrupt
   • Have processes in place to deal with potential fraud, including:
     • referrals for prosecution
     • coordinated disruption activities
     • improving prevention countermeasures.
8. Report and Adapt
   • Report on all counter fraud activities and loop this back to the strategic fraud intelligence resource to adapt the strategy.

When and how to review your fraud control plan

You should regularly review your fraud control plan to make sure it is being implemented appropriately and remains relevant to your entity’s fraud risks. Changes to your entity’s operations or environment can render existing fraud control plans and countermeasures ineffective or irrelevant.

Consider the following to decide if you should review your entity’s fraud control plan:

• Does your entity face new or evolving risks?
• Is your entity exposed to new or evolving technologies?
• Has your entity changed, or is planning to change its operations in any significant way?
• Has your entity entered into, or is planning to enter into any new major engagements or partnerships?
• Has your entity commenced, or is planning to commence any new programs or initiatives?

Test the effectiveness of your fraud control plan by asking the following questions:

• Have effective risk assessments been undertaken?
• Have awareness-raising and training activities been evaluated and shown to work well in practice?
• Are countermeasures operating as intended? Could alternate approaches have more effective outcomes?
• Are allegations recorded, analysed and followed-up in a timely manner?
• Are cases of fraud dealt with according to the Commonwealth Fraud Control Framework?
• Is information on cases of fraud used to update the fraud risk assessment and strengthen countermeasures?
• Is accurate information provided to the Audit Committee on a timely basis?

Additional tips for fraud control plans

• Make sure your fraud control plan is available and accessible to all staff.
• Assign executive-level ownership of your fraud control plan.
• Get your Accountable Authority to approve your fraud control plan and communicate it to your entity.
• Adopt fit-for-purpose processes to address fraud risks that are specific to your entity.
• Keep your fraud control plan up-to-date.
• A fraud control plan does not have to be developed as a stand-alone document. The plan can be part of your entity's strategic plan, business plan or risk management plan.
• It is beneficial to create a stand-alone fraud control plan if your entity has a high risk of fraud.