2. Core foundations for leading practice
The following five conditions support and underpin leading practice in fraud risk assessment:
- strong leadership
- effective fraud control planning
- supported and capable Fraud Control Officers
- accountable fraud risk owners
- strategic direction and oversight.
It is essential for senior officials to demonstrate a genuine commitment to controlling the risks of fraud in their entity’s functions and programs. This level of commitment will make sure sufficient resources and effort are applied to the fraud risk assessment process. Strong leadership requires decisions to be made, to allocate tasks to specific people and to provide them with the authority to carry out these tasks. It also makes sure all staff take full responsibility for their role in the prevention of fraud in their entity. In summary, strong leadership requires someone with authority keeping others accountable for managing fraud risks.
Section 17AG of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) requires, among other things, Accountable Authorities to certify in their annual report that fraud and corruption risk assessments and control plans have been prepared for the entity. Section 10 of the PGPA Rule also requires entities to identify officials responsible for fraud and corruption control. The Policy requires non-corporate Commonwealth entities to clearly define and document the roles and responsibilities of specific officials, positions or internal governance bodies in relation to preventing, detecting, responding to and reporting on fraud and corruption.
An entity should also assign overall responsibility for fraud control to a ‘Senior Fraud Officer’, either as part of their normal duties or as a position with designated responsibility for overseeing an entity’s broader counter fraud strategy. Who performs this role will be determined by the size of the entity and the extent of fraud risks inherent in the entity’s functions. For example, the Senior Fraud Officer might be an entity’s Chief Operating Officer, Chief Risk Officer or a member of the entity’s Risk Committee.
The main responsibilities of the Senior Fraud Officer are to:
- help improve corporate understanding and commitment to the fraud risk assessment process
- confirm that fraud risk assessments are conducted to an acceptable standard, are performed in a timely manner and are sufficiently resourced
- encourage business units to actively engage with fraud risk assessments
- exercise their authority to implement change and monitor outcomes
- endorse an entity’s fraud risk assessment(s) and fraud control plan(s)
- make sure outcomes of fraud risk assessments are clearly communicated across the entity.
The Commonwealth Fraud and Corruption Control Framework requires the development (or update) of a fraud control plan to help entities manage the risks identified through their fraud risk assessments. Fraud control plans can document an entity’s approach to controlling fraud at a strategic, operational and tactical level, and encompass awareness raising and training, prevention, detection, reporting and investigation measures.
The diagram provides an example of a comprehensive counter fraud approach, illustrating how fraud risk assessments are an integral component of the approach.
A good counter fraud approach involves a strategic intelligence function that oversees the operation of fraud control. Depending on the entity, this function may be performed by a team, an individual such as the Senior Fraud Officer, or a risk committee. This function should have the information and authority to effectively formulate and adjust the entity’s counter fraud strategy.
An entity should then conduct strategic fraud risk profiling to focus effort by triaging risk areas for further assessment. These further fraud risk assessments involve risk identification, risk analysis and risk evaluation, and lead to two outputs:
- better intelligence for the strategic intelligence function
- decisions about what to do with specific risks.
Decisions about what to do with specific risks will depend on the entity’s risk appetite, but ultimately result in two paths:
- Treating the risks through a systems-based approach – this involves treating risks by developing treatments, examining controls, sharing and analysing data, and measuring fraud.
- Managing the risks through an incident-based approach – this involves managing risks by detecting fraud and non-compliance, gathering intelligence, investigating and enforcing compliance, and disrupting fraud and recovering losses.
The incident-based approach should identify causes and enablers that are fed into the systems-based approach to prevent further fraud and non-compliance of that kind.
The results from both the systems- and incident-based approaches should be reported back to the strategic intelligence function to continually adjust and improve the strategy. The learnings can provide useful information to support activities such as fraud awareness and training, fraud narrative and investment, and fraud reporting. The learnings also support engagement with other entities through strategic collaboration, capability baselining, and capability sharing and development.
Fraud Control Officers require an entity’s support to develop and implement an effective counter fraud approach. Without adequate resourcing, active support from management and top-level backing from the Senior Fraud Officer, a Fraud Control Officer will not have the capacity to conduct robust and comprehensive fraud risk assessments, potentially leaving the entity exposed to unacceptable fraud risks.
High quality fraud risk assessments are not possible without adequate resourcing and backing from senior leaders.
It is preferable that Fraud Control Officers, or other officials with responsibility for conducting fraud risk assessments, possess the following attributes and core competencies:
- critical thinking skills
- an ability to apply professional scepticism and to challenge assumptions
- counter fraud knowledge and experience
- risk management knowledge and risk assessment skills
- an understanding of business process management and how technology supports business processes
- sound communication and facilitation skills.
Fraud risks inherent to an entity’s programs and services should be ‘owned’ by the relevant officials who have accountability for the functions and programs. It is the responsibility of the fraud risk owners to monitor and report on their fraud risks and make sure that controls are developed and implemented in a timely manner. Sometimes these fraud controls are the responsibility of other officials in different business units, so it’s important for fraud risk owners to communicate effectively with the relevant fraud control owners.
Someone needs to take ownership of fraud risks. Without ownership there is no accountability.
The PGPA Act requires Commonwealth entities to establish an audit committee and the PGPA Rule requires audit committees to review the appropriateness of an entity’s systems for risk oversight and management, and internal control. Accordingly, an entity’s audit committee should include fraud risk management as part of its charter and advise on key aspects.
When used strategically, senior committees can be a vital asset for fraud control teams.
The diagram communicates the role of an audit committee in providing strategic oversight for fraud control, which includes:
- Integrating fraud risk assessments within the entity’s overall risk profile
- Maintaining an awareness of the identification and management of fraud risk through the entity’s enterprise risk management process
- Reviewing the process for management of fraud risk, including the adequacy of internal controls in minimising their impact
- Through the internal and external audit programs, reviewing the effectiveness of the fraud risk assessment process and the adequacy of the internal control structure and systems, including fraud controls
- Reporting to the Accountable Authority on fraud risks.
Larger entities with more extensive fraud risk profiles due to the nature and size of their functions may consider establishing a dedicated fraud risk management committee. This committee should not replace senior officials’ commitment to the fraud risk assessment process, but act as a forum for senior officers to better understand fraud risks and fraud controls. Such a committee should include senior officers from across the entity to provide a balanced approach and help engagement with staff and relevant stakeholders.
See Information Sheet – Element 4: Governance and oversight for further advice.