Recording, monitoring and reviewing controls
Fraud and corruption threats evolve very quickly and organisations must be agile and willing to change their approach to deal with these evolutions as and when they emerge. Therefore, it is essential that fraud and corruption risks are carefully monitored. This requires clear accountability for the management of risk, i.e. fraud and corruption risks related to an entity’s programs, functions or activities should be ‘owned’ by the relevant officials who are accountable for those programs, functions or activities.
Risk owners are responsible for monitoring and reporting on their fraud and corruption risks and making sure that controls are developed and implemented in a timely manner. Functional control plans support risk owners to actively manage and oversee risk, and help ensure risks continue to be appropriately and proportionately managed within pre-defined levels of risk appetite or tolerance.
Key features of a control plan
Existing controls
Control plans should document the existing preventative, detective and corrective controls that are in place to address the identified risks. This should include a clear description of how these controls mitigate the risks.
Accepted treatments
Control plans should document further treatments that risk and control owners have agreed to implement. This should include a clear description of how the treatment will further mitigate the risks, implementation information and timeframes.
Control owners
Control plans should also identify the owner of each control or treatment. This creates accountability for control owners to monitor and report on the implementation, testing (where relevant), and effectiveness of controls.
Review and oversight mechanisms in a control plan
Control plans should include review and oversight mechanisms to enable entities to regularly evaluate the effectiveness of control plans. This is particularly important following changes in business processes or systems, or after instances of fraud and corruption have been discovered.
Effective governance arrangements and internal feedback mechanisms ensure risk and control owners have an up-to-date understanding of their threat and risk environment, allowing them to:
- update risk assessments to address emerging risks and vulnerabilities
- strengthen control frameworks to prevent and mitigate future incidents
- develop indicators to support proactive detection activities
- enhance the efficiency of business processes.
This can help ensure that control systems remain appropriate, cost-effective and proportionate to the actual fraud and corruption risks being addressed.
Reviewing control effectiveness
Global studies consistently reveal that weak controls lead to more fraud and corruption than any other factor. The effectiveness of controls can also degrade over time. For example:
- Fraudsters and corrupt actors are committed adversaries, continually developing new and novel ways to beat the controls organisations put in place to counter them. In some circumstances this can involve professional facilitators who help criminals develop sophisticated schemes.
- New enablers for fraud and corruption can emerge which can make traditional controls less effective, e.g. the prevalence of compromised identity information has rendered traditional identity authentication controls ineffective.
- Organisational change and digital transformation can also make public bodies vulnerable to losing oversight of risks and weakened control environments. [xxiii]
- New technology and innovations also create opportunities to replace original controls with new, more cost-effective controls – increasing efficiency and improving user experience. [xxiv]
The effectiveness of controls also has a direct influence on residual risk – that is, the likelihood, frequency, duration and impact of fraud and corruption occurring. Control testing should also be prioritised towards critical controls. Critical controls have the greatest effect on preventing the risk from happening or mitigating the consequences of the risk event.
The Commonwealth Fraud and Corruption Control Framework includes requirements for entities to periodically review control effectiveness. This involves gathering information and data to determine whether a control is functioning as intended. However, examining the effectiveness of fraud and corruption controls includes an additional consideration: accounting for the variable of a dishonest actor.
The IPSFF Fraud Control Testing Framework sets out recommended best practice, key principles and materials for conducting fraud control testing within public sector organisations.
The framework contains a suite of procedural guides, tools and templates to support officials to apply consistent and leading practice approaches to fraud and corruption control testing, including:
- procedural guides for undertaking Targeted Control Assessments and Control Environment Assessments
- a Pressure Testing Sub-framework for undertaking technical or covert testing
- a business process mapping template and instructions on how to map business processes and apply a fraud lens to identify vulnerabilities in the process, and
- a variety of planning, activity and reporting templates.