Different control strategies
According to Brett Johnson, a former U.S. most-wanted cybercriminal turned cybersecurity consultant, every fraud has three necessities, each of which often involves other illicit activity:
- Gathering data and capability
- Committing the crime
- Cashing out
A robust control environment goes beyond target hardening and requires entities to expand their horizons to consider the broader system in which they operate:
- What are the upstream enablers and precursors to fraud or corruption against the organisation and how can we reduce these?
- Where is our organisation most susceptible to fraud and corruption and can we harden these targets?
- How do we reduce the time it takes to respond to incidents?
- How can we effectively contain the fraud or corruption in the system?
- What are the downstream effects and impacts of fraud and corruption and how can we mitigate these?
A robust control environment delivers defence-in-depth through a range of deterrence, prevention, detection and corrective controls. Together these layers of control reduce the risk of fraud and corruption from all angles, i.e. they reduce its probability, frequency, duration and impact.
In this section, we explore the following five layers of control and what effect they can have on risk, an offender’s perspective, and the elements that lead to fraud, corruption and crime in general.
- Addressing underlying causes and enablers
- Influencing behaviour and choices
- Prevention controls
- Detection controls
- Corrective controls
Addressing underlying causes and enablers
Known as primordial prevention, initiatives that address the underlying causes and enablers of fraud and corruption reduce reliance on internal control systems. They can involve disrupting the key illicit enablers that give criminals the capability to commit fraud or act corruptly. For example, preventing or remediating the compromise of personal identifying information means criminals cannot use that information to commit fraud. These initiatives are generally effective at the enterprise or cross-government level, e.g. when promoted through laws and national policy.
Examples of addressing underlying causes and enablers
- Establishing governance arrangements to enable effective decision-making, accountability, oversight and assurance, all of which create conditions that suppress fraud and corruption.
- Undertaking suitability and integrity checks for key personnel to remove the opportunity for fraudulent or corrupt actors to be employed or access government schemes.
- Working with regulators and industry, e.g. industry bodies, associations and civil society to ensure industry players meet appropriate standards of professional and ethical conduct.
- Supporting members of the community and businesses to protect themselves against becoming victims of scams, identity theft and compromise.
- Reviewing and strengthening weak controls, since weak controls are one of the leading enablers of fraud and corruption.
Effect on the probability, frequency, duration or impact of risk
Addressing the underlying causes and enablers helps reduce the likelihood of fraud and corruption. For example, reducing the ability of criminals to get access to sensitive or compromised information reduces their capability to defraud government programs or act corruptly, thereby reducing the likelihood (probability and frequency) of these risks.
Effect on the elements of the fraud diamond
Addressing the underlying causes and enablers helps reduce:
- the pressure to commit fraud or act corruptly (e.g. acting on greed or out of compulsion because of addiction)
- a person’s ability to rationalise fraud or corruption (e.g. the risk/reward ratio is not in their favour)
- a person’s capability to commit fraud or act corruptly (e.g. they don’t have the means to do so).
Effect on the elements of routine activity theory
Addressing the underlying causes and enablers helps mitigate:
- the presence of a motivated offender
- a suitable and accessible target
- the absence of capable guardians that could intervene.
Effect from a potential offender’s perspective
I don’t have the opportunity, means or motivation to commit fraud or act corruptly.
Influencing behaviour and choices
Behavioural interventions shape the situational characteristics that encourage ethical and honest behaviour or steer people towards desired choices and courses of action. Dishonest actors are rational actors: they try to maximise reward while keeping risk as low as possible. A range of strategic and tactical actions can reduce a person's ability to rationalise their actions, including by influencing their risk-versus-reward calculation or appealing to their moral identity. This is often the determining factor in stopping someone from attempting to defraud the government or act corruptly in the first place. These interventions are effective at the operational, enterprise and cross-government level.
Examples of influencing behaviour and choices
- Incentivising desired behaviour within an organisation or outside of it.
- Fostering positive and inclusive culture underpinned by honest and ethical leadership.
- Increasing transparency and oversight over actions or decisions.
- Deterrence messaging, including promotion of an organisation’s detection capability.
- Conducting quality assurance activities to confirm that processes are being followed.
- Tough enforcement conditions.
Effect on the probability, frequency, duration or impact of risk
Influencing behaviour and choices helps reduce the likelihood of fraud and corruption. Behavioural research has found that the perceived certainty of being caught is a much greater deterrent than the severity of the consequences that would follow. Therefore, communicating that structured processes are in place, that discrepancies will be discovered and that deliberate offenders will be caught can reduce the likelihood (probability and frequency) of fraud and corruption risk.
Effect on the elements of the fraud diamond
Influencing behaviour and choices helps reduce:
- the pressure to commit fraud or act corruptly (e.g. by influencing people’s perceptions and biases before they even consider committing fraud)
- a person’s ability to rationalise fraud or corruption (e.g. by increasing the perceived risks or reducing the perceived benefits of engaging in fraudulent and corrupt conduct).
Effect on the elements of routine activity theory
Influencing behaviour and choices helps mitigate:
- the presence of a motivated offender
- the absence of capable guardians that could intervene.
Effect from a potential offender’s perspective
I don’t think to commit fraud or act corruptly or I choose not to act dishonestly because I might get caught or in trouble.
Prevention controls
Known as primary prevention, these controls stop the act of fraud or corruption from occurring in the first place. Prevention is the most efficient and effective way to address fraud and corruption. Building control frameworks with an emphasis on prevention strengthens our ability to deliver desired outcomes, reduces the cost of delivering services and maintains public trust in government and our institutions. Most importantly, prevention helps us avoid the serious harm fraud and corruption cause for those who rely on us. Prevention controls are generally effective at the operational and enterprise level.
Examples of prevention controls
- Limiting access to systems, data, information, physical documents, spaces and assets.
- Confirming and authenticating the identities of relevant individuals.
- Having clear and specific eligibility requirements and restricting approval to requests or claims that meet established criteria.
- Pre-filling data from reliable sources.
- Approval workflows to ensure decisions can only be made by an authorised decision-maker.
- Segregation of duties to prevent staff from holding incompatible functions or roles that may enable them to commit fraud or act corruptly.
Effect on the probability, frequency, duration or impact of risk
Prevention controls help reduce the likelihood of fraud and corruption. For example, collecting or validating data from reliable sources makes it difficult for a dishonest actor to provide false or misleading information, thereby reducing the likelihood (probability and frequency) of fraud or corruption risk. Moreover, prevention controls can help identify attempted fraud or corruption early, or reduce the volume of incidents that need to be responded to, thereby also reducing the duration and impact of the risk.
Effect on the elements of the fraud diamond
Prevention controls help reduce:
- the opportunity a person has to commit fraud or act corruptly (e.g. by preventing unauthorised access to a system or account)
- a person’s capability to commit fraud or act corruptly (e.g. they don’t have the access to do so).
Effect on the elements of routine activity theory
Prevention controls help mitigate:
- a suitable and accessible target
- the absence of capable guardians that could intervene.
Effect from a potential offender’s perspective
I can’t commit fraud or act corruptly even if I wanted to.
Detection controls
Fraudsters and corrupt actors rely on deception, so revealing that deception is critical to countering fraud. Known as secondary prevention, detecting fraud and corruption enables us to deal with incidents effectively, minimise the consequences through early intervention and address the underlying causes and vulnerabilities. Detection also deters potential perpetrators by increasing the perceived risk of committing such wrongful acts. Detection controls are generally effective at the operational and enterprise level.
Examples of detection controls
- Verifying information provided by an applicant, including data matching post claim.
- Compliance or performance reviews to monitor ongoing work performance or the delivery of contract obligations.
- Enabling and encouraging staff or external parties to lodge tip-offs or Public Interest Disclosures.
- Automatically notifying staff, customers or vendors about high-risk events or transactions, such as changes to bank accounts or unusual online account activity.
- Fraud detection software programs that analyse data to detect what is different from what is standard, normal or expected.
Effect on the probability, frequency, duration or impact of risk
Detection controls help reduce the consequences of fraud and corruption. For example, a regular exception report or reconciliation process to identify anomalous transactions enables the organisation to intervene early and reduce the consequences (duration and impact) of fraud or corruption risk. Moreover, people’s awareness of the exception report or reconciliation process deters them from attempting fraud or acting corruptly, thereby also reducing the probability of the risk.
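The following is an added example, not part of the original page or any government system it describes. It shows the two kinds of control above working together over a constructed payments ledger: a prevention check that enforces the approval workflow and segregation of duties before a payment is released, and a detection pass that produces an exception report over payments already made (self-approval, a vendor bank-account change shortly before payment, invoices split to stay under an approver's delegation, and duplicate payments). The record layout, the delegation limits, the seven-day window and all names and amounts are assumptions made for illustration.

```python
"""Added example: approval-workflow enforcement plus an exception report.

Record layout, delegations, thresholds and the ledger are constructed for
illustration; they are not from the page or any real system.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Payment:
    ref: str
    vendor: str
    amount: float
    requested_by: str
    approved_by: str
    paid_on: date
    bank_changed_on: Optional[date] = None   # last change to vendor bank details
    bank_changed_by: Optional[str] = None    # who made that change


# Assumed financial delegations: maximum amount each officer may approve.
DELEGATIONS = {"dana": 5_000.0, "eli": 50_000.0}


def check_approval(p: Payment, delegations=DELEGATIONS) -> List[str]:
    """Prevention control: reasons this payment must not be released."""
    problems = []
    limit = delegations.get(p.approved_by)
    if limit is None:
        problems.append("approver holds no financial delegation")
    elif p.amount > limit:
        problems.append("amount exceeds approver's delegation")
    if p.approved_by == p.requested_by:
        problems.append("requester approved their own payment (segregation of duties)")
    # Changing a vendor's bank details and raising/approving a payment to it
    # are incompatible functions, so the same person must not do both.
    if p.bank_changed_by is not None and p.bank_changed_by in (p.requested_by, p.approved_by):
        problems.append("person who changed vendor bank details also raised or approved payment")
    return problems


def release_payment(p: Payment) -> bool:
    """Approval workflow gate: only a clean payment is released."""
    return not check_approval(p)


def exception_report(ledger: List[Payment], delegations=DELEGATIONS,
                     window_days: int = 7) -> Dict[str, List[str]]:
    """Detection control: anomalies in payments that have already gone out."""
    findings = defaultdict(list)
    for p in ledger:
        findings[p.ref].extend(check_approval(p, delegations))
        if p.bank_changed_on is not None:
            age = (p.paid_on - p.bank_changed_on).days
            if 0 <= age <= window_days:
                findings[p.ref].append(f"paid {age} days after vendor bank details changed")
    # Split invoices: several same-day payments to one vendor, each within the
    # approver's delegation, whose combined total exceeds it.
    groups = defaultdict(list)
    for p in ledger:
        groups[(p.vendor, p.approved_by, p.paid_on)].append(p)
    for (vendor, approver, _), ps in groups.items():
        limit = delegations.get(approver)
        total = sum(p.amount for p in ps)
        if len(ps) > 1 and limit is not None and total > limit and all(p.amount <= limit for p in ps):
            for p in ps:
                findings[p.ref].append(
                    f"possible split invoice: {len(ps)} payments to {vendor} total "
                    f"{total:.2f}, above delegation {limit:.2f}")
    # Duplicates: same vendor, amount and date (reconciliation check).
    seen = defaultdict(list)
    for p in ledger:
        seen[(p.vendor, p.amount, p.paid_on)].append(p.ref)
    for refs in seen.values():
        if len(refs) > 1:
            for r in refs:
                others = ", ".join(x for x in refs if x != r)
                findings[r].append(f"duplicate payment: same vendor, amount and date as {others}")
    return {ref: reasons for ref, reasons in findings.items() if reasons}


# Constructed ledger (not real data).
LEDGER = [
    Payment("P1", "Acme Pty Ltd", 4_800.0, "bob", "dana", date(2024, 3, 4)),
    Payment("P2", "Acme Pty Ltd", 4_700.0, "bob", "dana", date(2024, 3, 4)),
    Payment("P3", "Zed Services", 20_000.0, "eli", "eli", date(2024, 3, 5)),
    Payment("P4", "Zed Services", 12_000.0, "bob", "eli", date(2024, 3, 5),
            bank_changed_on=date(2024, 3, 1), bank_changed_by="bob"),
    Payment("P5", "Orbit Consulting", 900.0, "bob", "dana", date(2024, 3, 6)),
    Payment("P6", "Orbit Consulting", 900.0, "ann", "dana", date(2024, 3, 6)),
    Payment("P7", "Orbit Consulting", 1_200.0, "ann", "dana", date(2024, 3, 7)),
]

if __name__ == "__main__":
    for ref, reasons in exception_report(LEDGER).items():
        print(ref, "->", "; ".join(reasons))
```

Run against the constructed ledger, P1 and P2 are individually clean at release time but surface in the exception report as a possible split invoice, P3 is blocked at release for self-approval, P4 is blocked because the requester also changed the vendor's bank details and would additionally be flagged for the recent change, P5 and P6 appear as duplicates, and P7 is absent from the report. The same check function serves both layers: applied before release it is a prevention control, applied over the ledger it becomes part of detection, and the split-invoice and duplicate checks only make sense after the fact, across several transactions.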
Effect on the elements of the fraud diamond
Detection controls help reduce:
- the opportunity a person has to commit fraud or act corruptly (e.g. their actions are detected and responded to quickly, therefore they can’t keep offending)
- a person’s ability to rationalise fraud or corruption (e.g. they are aware the detection controls exist so don’t even try).
Effect on the elements of routine activity theory
Detection controls help mitigate:
- the absence of capable guardians that could intervene
- the presence of a motivated offender.
Effect from a potential offender’s perspective
There is limited reward for me in committing fraud or acting corruptly and there is a high chance that I might get caught.
Corrective controls
An effective control system includes appropriate response mechanisms that reduce the impact and severity of fraud or corruption that has already occurred. These can involve a range of administrative, civil and criminal interventions, including containment, disruption, investigation, disciplinary action, recovery, remediation and, where appropriate, prosecution. A strategic and planned response can reduce the financial and reputational damage caused by fraud and corruption. Corrective controls are generally effective at the enterprise or cross-government level.
Examples of corrective controls
- Employing trained analysts and investigators who can effectively respond to fraud and corruption incidents and allegations.
- An incident response plan that sets out the protocols for how to respond to an allegation or incident of fraud or corruption.
- Disruption activity, such as terminating contracts, de-registering service providers or issuing Commonwealth debt notices.
- Conducting fraud and corruption investigations in line with the Australian Government Investigation Standard.
- Applying and enforcing penalties for non-compliance, misconduct, fraud and corruption.
Effect on the probability, frequency, duration or impact of risk
Corrective controls help reduce the consequences of fraud and corruption. For example, disruption activity can reduce the extent of fraud and corruption, shorten the timescale of offending, and increase the chances that losses can be recovered, thereby reducing the consequences (duration and impact) of the risk.
Effect on the elements of the fraud diamond
Corrective controls help reduce:
- a person’s ability to rationalise fraud or corruption (e.g. by increasing the perceived risks or reducing the perceived benefits of engaging in fraudulent and corrupt conduct)
- a person’s capability to commit fraud or act corruptly (e.g. they can no longer use compromised identity information because new identifiers have been issued, so they can’t go on to commit fraud or act corruptly against a different program or service).
Effect on the elements of routine activity theory
Corrective controls help mitigate:
- the absence of capable guardians that could intervene
- a suitable and accessible target
- the presence of a motivated offender.
Effect from a potential offender’s perspective
There is limited reward for me in committing fraud or acting corruptly, and the consequences I would face outweigh the benefits.