
Controlling Fraud and Corruption Risk – Leading Practice Guide

Publisher
Commonwealth Fraud Prevention Centre
Publication date
March 2025

Introduction

The Australian Government takes fraud and corruption extremely seriously. Fraud and corruption are a growing societal and economic issue that is increasingly affecting individuals, businesses and governments across Australia and around the world. If not effectively controlled, fraud and corruption can undermine the objectives of every Australian Government entity in all areas of their business, including delivery of services and programs, policy-making, regulation, taxation, procurement, grants and internal procedures.

While some individuals will always look to make dishonest gain where there is opportunity, the risks and impacts of fraud and corruption can be substantially minimised by taking a systematic and considered approach to their management.

Because fraud and corruption continually evolve, we also must continue to innovate and evolve our controls and control frameworks to deal with this adaptive problem.

Purpose of this guide

The purpose of this guide is to help Australian Government officials better understand the factors that lead to fraud and corruption, and provide advice on a range of strategies that entities can implement to mitigate the probability of these risks as well as the harm they cause for the public sector and those who rely on us.

This guide should be read alongside our Fraud Risk Assessment Leading Practice Guide.

Why it’s important to manage fraud and corruption 

Fraud and corruption in the public sector undermine public confidence in government, lead to higher taxes to pay for services, and directly increase the costs for all Australians in areas like child care, education and visiting the GP. The significant cost of fraud and corruption, including the high cost of investigations, also means fewer funds are available to the government to support Australia’s economy, educate our future generations, provide quality public healthcare, and maintain a strong safety net for our most vulnerable and disadvantaged citizens. Fraud and corruption also cause significant harm to our communities, our industries and our environment.

The International Public Sector Fraud Forum (IPSFF) has established 5 principles for public sector fraud and corruption.

  1. There is always going to be fraud 
    It is a fact that some individuals will look to make gains where there is opportunity, and organisations need robust processes in place to prevent, detect and respond to fraud and corruption.
  2. Finding fraud is a good thing
    If you don’t find fraud you can’t fight it. This requires a change in perspective so the identification of fraud is viewed as a positive and proactive achievement.
  3. There is no one solution
    Addressing fraud needs a holistic response incorporating detection, prevention and redress, underpinned by a strong understanding of risk. It also requires cooperation between organisations under a spirit of collaboration.
  4. Fraud and corruption are ever changing
    Fraud, and counter fraud practices, evolve very quickly and organisations must be agile and change their approach to deal with these evolutions.
  5. Prevention is the most effective way to address fraud and corruption
    Preventing fraud through effective counter fraud practices reduces the loss and reputational damage. It also requires fewer resources than an approach focused on detection and recovery.

As Commonwealth officials, we have certain obligations that we are required to meet to prevent, detect and respond to fraud and corruption. 

Legislative frameworks

The Commonwealth Fraud and Corruption Control Framework (framework), under the Public Governance, Performance and Accountability Act 2013 (PGPA Act), supports Australian Government entities to effectively manage the risks of fraud and corruption. The framework comprises the core elements of effective fraud and corruption control: 

  • governance and oversight 
  • targeted and rigorous risk assessments 
  • informed and targeted control plans, and 
  • effective controls encompassing appropriate prevention, detection, investigation, referral and reporting mechanisms.

The Commonwealth Risk Management Policy (CRMP) sets out the mandatory requirements for managing risks in undertaking government activities. This includes the requirement for an organisation's risk management framework to ensure that controls are effective and proportionate to the level of risk to be managed, and each control has a clearly designated owner who regularly reports on implementation, testing and effectiveness of the control.  

Roles and responsibilities

All public officials are responsible for managing and escalating risks in their daily work. The CRMP defines specific responsibilities for managing risk across various roles, including those assigned to the accountable authority, senior executives, risk management functions and responsibilities shared by all staff. Effectively managing risk needs a holistic response and requires cooperation between programs within and across organisations under a spirit of collaboration.

The ‘three lines of defence’ model describes the roles and responsibilities of different officials in an effective risk management approach. The model can be applied to design effective arrangements for the governance and management of fraud and corruption risk within entities as follows: 
 

1st line of defence – management/business owners

This includes the accountable authority, the Chief Risk Officer (if applicable), senior executives and front-line managers, who are responsible for anticipating and managing operational risk, and escalating issues. All officials must act in good faith and for proper purposes, and not improperly use their position or information.

2nd line of defence – risk management and compliance

This supports the first line of defence through the implementation of effective governance, risk and compliance functions. This includes officials who are responsible for establishing frameworks, assessing current and emerging risks, and coordinating the monitoring, reporting and escalation of risk at the enterprise level. 

3rd line of defence – audit and assurance

This assesses how effective the organisation is at identifying and managing its risks. This includes internal and external audit and assurance functions responsible for providing independent oversight by monitoring and reviewing internal controls.

As noted in our Fraud Risk Assessment Leading Practice Guide, managing risks like fraud and corruption is a professional exercise that requires: 

  • knowledge of different methods and enablers,
  • risk management processes, and 
  • discrete business processes and systems. 

The process requires coordination and collaboration across multiple business areas. Effective management of fraud and corruption risks cannot be achieved solely by those who specialise in compliance or the management of risk, nor can it be outsourced to a contractor, risk committee or audit function. While all officials play an important role in managing these risks, risk owners are ultimately accountable for managing, monitoring, reporting and escalating risks.

According to Brett Johnson, former U.S. most wanted cybercriminal turned cybersecurity consultant, there are three necessities to fraud that often involve other illicit activities


Residual risk is the risk remaining once controls have been successfully applied. Developing a clear understanding of the purpose and effectiveness of controls is critical to accurately assessing and measuring the residual risks.
