Testing the effectiveness of fraud controls
Fraud control testing explained
Fraud control testing is a process that applies different testing methods to measure the effectiveness of fraud controls.
Testing involves more than just checking if controls are in place or if processes are being followed. It involves considering and sometimes applying the common methods used by fraudsters to find ways around the controls your entity has in place. This helps entities find vulnerabilities and challenge assumptions about how fraud is managed.
Why fraud control testing is needed
Research shows that gaps or weaknesses in controls lead to more fraud than any other factor.
The effectiveness of fraud controls can also degrade over time. For example:
- Fraudsters are a committed adversary, continually developing new and novel ways to beat the controls entities put in place to counter them. In some circumstances this can involve professional facilitators who help criminals develop sophisticated fraud schemes.
- New enablers for fraud can emerge which can make traditional controls less effective, e.g. the prevalence of compromised identity information has rendered traditional identity authentication controls ineffective.
- Organisational change and digital transformation can also make entities vulnerable to losing oversight of risks and weakened control environments.
- New technology and innovations also create opportunities to replace original controls with new, more cost-effective controls – increasing efficiency and improving user experience.
Fraud control testing is a proactive and proven way of eliminating blind spots. If you know where your entity is vulnerable, you are better informed to prevent fraud or uncover where you are being exploited.
Tips for getting started
We have developed the Commonwealth Pressure Testing Framework to help counter fraud specialists, government officials (including policy designers) and senior leaders better understand and conduct pressure testing within their entity. Download the Commonwealth Pressure Testing Framework and How to Start Pressure Testing Guide for more detailed information about pressure testing and how to get started.
There are also a number of other things you can do to get prepared for pressure testing:
- Undertake fraud risk assessments. These will help you identify fraud risks and the fraud controls that your entity has in place. See the Centre’s Fraud Risk Assessment Guidance and Tools for leading practice.
- Identify who should conduct fraud control testing within your entity. For example, this can be your fraud control, audit or governance area.
- Obtain appropriate authority and approvals to start fraud control testing – this may include approval for an initial work plan.
- Use the processes and templates developed by our Centre to record and report actions, decisions, risks and outcomes.
- Start small. Once you have embedded the process in your entity you can invest more resources and build your capability.
- Conduct targeted fraud control assessments on your most critical fraud controls first.
- Start by using simple methods to test controls. As your skills develop you may wish to do more complex testing and use more advanced methods.
- Work with others across your entity. Close engagement with other staff is the most essential component of fraud control testing.
- Use our other resources, such as the Fraudster Personas and common countermeasures.
What we mean by ‘testing’ controls
Not all fraud controls are the same and how you test them will always depend on a number of factors. Some different ways to test controls include:
- reviewing how they work, such as through desktop reviews and looking at case studies
- observing how they are applied, such as through a system or process walk-through or workshops with stakeholders
- analysing how they function, such as through sample reviews or data analysis
- actively testing or pressure testing how they operate, such as through technical testing or covert testing to breach controls.
Some weaknesses you will likely discover
Some common vulnerabilities you can expect to uncover through fraud control testing include:
- a lack of fraud awareness among staff, contractors and suppliers
- staff not completing proper checks or verifying information received
- inadequate decision making and quality assurance processes
- weak technology/system controls
- inadequate detection processes
- a lack of oversight, documentation, reporting or reconciliation.
Fraud control testing can provide many other benefits including:
- enhancing operational efficiency and effectiveness
- preventing financial loss
- providing assurance that your entity’s fraud risks are being effectively managed
- increasing fraud awareness across your entity
- preserving public trust.
Connect with us to find out more
We have also created a range of tools, templates and guides to help you to start fraud control testing in your entity.
Contact us if you would like to find out more about fraud control testing.