Testing the effectiveness of fraud controls
Fraud control testing explained
Fraud control testing is a process that applies different testing methods to measure the effectiveness of fraud controls.
Testing involves more than just checking if controls are in place or if processes are being followed. It involves considering and sometimes applying the common methods used by fraudsters to find ways around the controls your entity has in place. This helps entities find vulnerabilities and challenge assumptions about how fraud is managed.
Why fraud control testing is needed
Research shows that gaps or weaknesses in controls lead to more fraud than any other factor.
The effectiveness of fraud controls can also degrade over time. For example:
- Fraudsters are a committed adversary, continually developing new and novel ways to beat the controls entities put in place to counter them. In some circumstances this can involve professional facilitators who help criminals develop sophisticated fraud schemes.
- New enablers for fraud can emerge which can make traditional controls less effective, e.g. the prevalence of compromised identity information has rendered traditional identity authentication controls ineffective.
- Organisational change and digital transformation can also leave entities vulnerable to losing oversight of risks and to weakened control environments.
- New technology and innovations also create opportunities to replace original controls with new, more cost-effective controls – increasing efficiency and improving user experience.
Fraud control testing is a proactive and proven way of eliminating blind spots. If you know where your entity is vulnerable, you are better informed to prevent fraud or uncover where you are being exploited.
Tips for getting started
The International Public Sector Fraud Forum (IPSFF) Fraud Control Testing Framework was produced in collaboration with the United Kingdom’s Public Sector Fraud Authority and the Commonwealth Fraud Prevention Centre. It has been designed to help counter fraud specialists, government officials (including policy designers) and senior leaders better understand and conduct fraud control testing within their entity. Download the IPSFF Fraud Control Testing Framework and How to Start Fraud Control Testing Guide for more detailed information about fraud control testing and how to get started.
There are also a number of other things you can do to get prepared for fraud control testing:
- Undertake fraud risk assessments. These will help you identify fraud risks and the fraud controls that your entity has in place. See the Centre’s Fraud Risk Assessment Guidance and Tools for leading practice.
- Identify who should conduct fraud control testing within your entity. For example, this can be your fraud control, audit or governance area.
- Obtain appropriate authority and approvals to start fraud control testing – this may include approval for an initial work plan.
- Use the processes and templates developed by our Centre to record and report actions, decisions, risks and outcomes.
- Start small. Once you have embedded the process in your entity you can invest more resources and build your capability.
- Conduct targeted fraud control assessments on your most critical fraud controls first.
- Start by using simple methods to test controls. As your skills develop you may wish to do more complex testing and use more advanced methods.
- Work with others across your entity. Close engagement with other staff is the most essential component of fraud control testing.
- Use our other resources, such as the Fraudster Personas and common fraud control measures.
What we mean by ‘testing’ controls
Not all fraud controls are the same and how you test them depends on a number of factors. Some different ways to test controls include:
- reviewing how they work, such as through desktop reviews and looking at case studies
- observing how they are applied, such as through a system or process walk-through or workshops with stakeholders
- analysing how they function, such as through sample reviews or data analysis
- actively testing or pressure testing how they operate, such as through technical testing or covert testing to breach controls.
The IPSFF Fraud Control Testing Framework and Handbook of Fraud Control Testing Methods provide practical guidance on testing common types of fraud controls.
Some weaknesses you will likely discover
Some common vulnerabilities you can expect to uncover through fraud control testing include:
- a lack of fraud awareness among staff, contractors and suppliers
- staff not completing proper checks or verifying information received
- inadequate decision making and quality assurance processes
- weak technology/system controls
- inadequate detection processes
- a lack of oversight, documentation, reporting or reconciliation.
Other benefits
Fraud control testing can provide many other benefits including:
- enhancing operational efficiency and effectiveness
- preventing financial loss
- providing assurance that your entity’s fraud risks are being effectively managed
- increasing fraud awareness across your entity
- preserving public trust.
Connect with us to find out more
We have also created a range of tools, templates and guides to help you to start fraud control testing in your entity.
Contact us if you would like to find out more about fraud control testing.