3. Where to start
The Commonwealth Fraud and Corruption Control Framework requires entities to conduct fraud risk assessments regularly and when there is a substantial change in an entity’s structure, functions or activities. Substantial changes can include:
- machinery of government changes (the merging of entities)
- changes to service delivery models (such as the introduction of new technologies or the transitioning into the digital delivery of services)
- the design and delivery of new programs (such as eligibility payments and grant-based programs)
- government responses to urgent or emergency events (such as natural disasters).
The following can be a good starting point for conducting fraud risk assessments.
Conduct an environmental scan
This involves high-level analysis and evaluation of the events, trends, issues and expectations relevant to the entity. Conducting environmental scans using models such as PESTELO provides entities with a structured approach to identify the threats and other risk factors that might impact their functions and operations, as well as opportunities the entity could take advantage of.
Useful sources of information to support environmental scanning can include:
- corporate plans and annual reports for your entity or others that you work closely with
- existing enterprise risk assessments, fraud and corruption risk assessments and control plans
- internal or external audit reports
- APSC Census or internal survey data
- internal intranet pages or external webpages about your entity’s programs and functions
- industry journals or expert publications, e.g. Countering the Insider Threat: A Guide for Australian Government
- government or industry reports, e.g. Ending the Shell Game: Cracking down on the Professionals who enable Tax and White-Collar Crimes (oecd.org).
Develop an enterprise-level risk assessment
Entities should conduct enterprise-level fraud risk assessments to get a broad and high-level understanding of an entity’s strategic fraud risks. An enterprise fraud risk assessment can build on existing program-level fraud risk assessments (bottom up), or be a starting point to explore fraud risks within key function areas of an entity (top down). See below for more information about different levels of fraud risk assessment.
The Commonwealth Fraud Risk Profile is a good reference for entities looking to create or update their enterprise fraud risk assessment. This Profile provides a collective picture of fraud across the Australian Government based on enterprise fraud risks recorded across 15 different Australian Government entities. If you are a Commonwealth official, you can request a copy by emailing us at info@counterfraud.gov.au.
Support officials to identify and evaluate their own fraud risks
This involves providing officials across the entity with information and tools to help them to identify fraud risks, controls and residual fraud vulnerabilities within specific programs and functions. While less detailed and accurate than a fraud risk assessment, these evaluations can provide broader insights into risks across the entity and help officials make more informed decisions about how to manage risks and vulnerabilities. These evaluations can also identify where there is need to conduct more detailed fraud risk assessments.
Undertake strategic fraud risk profiling
This involves evaluating the key factors or attributes of functions and programs across the entity to identify those areas that are at higher risk of fraud. This can help entities develop a ‘heat map’ of potential fraud risk and prioritise effort, such as where to conduct more detailed fraud risk assessments. See below for more information about strategic fraud risk profiling.
It is important that fraud risk assessments are considered in the broader context of an entity’s enterprise-wide risks. For example, there is often considerable overlap between fraud, physical security and cyber security risks. The overlapping risks mean that controls also often intersect. For example:
- cyber security controls that protect the integrity of an entity’s payment processing system can also be an effective fraud control
- physical security controls can assist with managing fraud risks associated with the theft of portable and attractive items.
When conducting fraud risk assessments, it is important to consult closely with stakeholders responsible for managing these other categories of risks, such as the Agency Security Advisor and the Chief Information Security Officer. This will avoid duplication of effort and enable opportunities to leverage complementary cyber and security control measures to help combat fraud.
Fraud Control Officers should also make themselves familiar with the following Commonwealth Government security policies which complement the Commonwealth Fraud and Corruption Control Framework:
- Protective Security Policy Framework
- Australian Government Information Security Manual.
The diagram identifies the different levels and types of fraud risk assessments that can be performed. These levels are identified and explained in the content below.
There are four levels or types of fraud risk assessments that can be performed. These include:
- Enterprise Fraud Risk Assessment – this involves a high-level risk assessment of an entire entity’s exposure to fraud and corruption, which provides a landscape view of all activities, functions and expenditure areas across an entity and its operating environment.
- Thematic Fraud Risk Assessment – these focus on a group of functions or activities that are more susceptible to fraud and corruption, e.g. grants or procurement spending.
- Initial Fraud Impact Assessment – these focus on new policies, programs and initiatives to make an early assessment of the inherent fraud and corruption risks and potential impacts.
- Detailed Fraud Risk Assessment – these focus on activities, functions and programs that are at the highest risk from fraud or corruption. This type of risk assessment is more detailed and comprehensive compared to other types of fraud and corruption risk assessments.
When embarking on fraud risk assessments, it is always a good approach to have a starting point, i.e. a high-level understanding of your entity’s strategic fraud risks – commonly referred to as an enterprise fraud risk assessment. An enterprise fraud risk assessment can also be useful when there are multiple stakeholders responsible for managing different and shared risks, as it can help you clarify accountabilities for managing fraud risks before diving into more detailed assessment activities.
Entities can then undertake further thematic-level assessments of some of the major functions or activities identified in the enterprise fraud risk assessment, e.g. grants spending or information security. This helps inform and assure the accuracy of the enterprise fraud risk assessment. These further assessments also provide officials delivering those functions or activities more information about the potential fraud risks, controls and residual fraud vulnerabilities they are responsible for managing.
Entities should also support officials to participate in a streamlined initial fraud impact assessment process that leverages their discrete business knowledge and technical expertise to identify and evaluate the inherent fraud risks and potential impacts within specific functions and programs. This devolved process can be informed by the results of environmental scans and higher-level risk assessments.
Conducting detailed fraud risk assessments across the different functions of an entity usually requires coordination and collaboration across multiple business areas. These assessments can be resource intensive and time consuming. Therefore, they should be targeted towards the highest-risk operations, functions or programs. Strategic fraud risk profiling can help entities prioritise this effort.
The Commonwealth Fraud Prevention Centre has developed a Fraud Risk Assessment Template that can help entities undertake and document the results of detailed fraud risk assessments.
Strategic profiling helps prioritise effort, i.e. where to conduct more detailed fraud risk assessments.
Because some Australian Government entities are responsible for multiple programs and business functions, conducting fraud risk assessments across these organisations can be complex, time consuming and difficult to prioritise. Strategic-level fraud risk profiling can help an entity to identify those areas of the entity that are at higher risk of fraud. This will enable Fraud Control Officers to formulate a ‘heat-map’ for fraud risk across the entity and to schedule fraud risk assessments on a prioritised basis.
This approach can also be adopted for national response arrangements which typically consist of multiple programs delivered by a number of entities, including state and territory government entities. Because the size, complexity and time-critical nature of these national response arrangements make it difficult to conduct fraud risk assessments across all programs, strategic fraud risk profiling will help prioritise fraud risk assessments in programs that are at higher risk of compromise.
Strategic fraud risk profiling can use a simple scoring approach to identify those groups, divisions, branches or programs that may have inherently higher levels of fraud risk. The scoring system can be based on a number of key factors or attributes such as:
- maturity of counter fraud capability within the entity
- business unit / program budget
- operational complexity
- extent of external party involvement
- maturity of operating systems, processes and delivery platforms
- extent to which delivery is dependent upon other business units or entities
- sensitivity of information held by the business unit
- potential to undermine government objectives and policies
- potential for reputational damage to government
- potential for harm to third parties (individuals or businesses)
- known fraud vulnerabilities
- instances of previous fraud against the business unit / program.
The Commonwealth Fraud Prevention Centre has published a Strategic Fraud Risk Profiling Tool to help you complete this assessment.
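The scoring approach described above can be illustrated with a small weighted model. The following is an added example written for this page; it is not the Centre’s Strategic Fraud Risk Profiling Tool and does not reproduce its scoring. The factors are the attributes listed above; the weights, the 1–5 rating scale, the direction of each factor (whether a higher rating raises or lowers inherent risk), the heat-map bands and the three sample business units are all assumptions constructed for the example.

```python
"""Toy strategic fraud risk profiling score (added example, not the Centre's tool)."""

# Factors taken from the page's list. Each maps to (weight, direction).
# Weight and direction are assumptions for this example:
#   direction +1: a higher rating raises inherent fraud risk
#   direction -1: a higher rating (e.g. greater counter-fraud maturity) lowers it
FACTORS = {
    "counter_fraud_maturity":       (2, -1),
    "budget":                       (3, +1),
    "operational_complexity":       (2, +1),
    "external_party_involvement":   (3, +1),
    "systems_maturity":             (2, -1),
    "dependency_on_others":         (1, +1),
    "information_sensitivity":      (2, +1),
    "policy_undermining_potential": (2, +1),
    "reputational_damage_potential":(2, +1),
    "third_party_harm_potential":   (2, +1),
    "known_vulnerabilities":        (3, +1),
    "previous_fraud_instances":     (3, +1),
}
RATING_MIN, RATING_MAX = 1, 5   # assumed rating scale for every factor


def score_unit(ratings):
    """Weighted inherent-risk score on a 0-100 scale for one business unit.

    Every factor must be rated on the 1..5 scale; missing or out-of-range
    ratings are rejected rather than silently treated as zero risk.
    """
    missing = set(FACTORS) - set(ratings)
    if missing:
        raise ValueError(f"unrated factors: {sorted(missing)}")
    total = 0.0
    max_total = 0.0
    for name, (weight, direction) in FACTORS.items():
        rating = ratings[name]
        if not RATING_MIN <= rating <= RATING_MAX:
            raise ValueError(f"{name}: rating {rating} outside {RATING_MIN}..{RATING_MAX}")
        # Invert risk-reducing factors so every contribution points the same way.
        contrib = rating if direction > 0 else (RATING_MAX + RATING_MIN - rating)
        total += weight * (contrib - RATING_MIN)
        max_total += weight * (RATING_MAX - RATING_MIN)
    return round(100 * total / max_total, 1)


def heat_band(score):
    """Assumed heat-map bands used to colour the profile."""
    if score >= 75:
        return "Very high"
    if score >= 50:
        return "High"
    if score >= 25:
        return "Medium"
    return "Low"


def profile(units):
    """Rank units highest risk first as (name, score, band) tuples."""
    scored = [(name, score_unit(ratings)) for name, ratings in units.items()]
    scored.sort(key=lambda item: (-item[1], item[0]))
    return [(name, score, heat_band(score)) for name, score in scored]


# Constructed sample ratings for three hypothetical business units.
SAMPLE_UNITS = {
    "Grants program": dict(
        counter_fraud_maturity=2, budget=5, operational_complexity=4,
        external_party_involvement=5, systems_maturity=2, dependency_on_others=3,
        information_sensitivity=3, policy_undermining_potential=4,
        reputational_damage_potential=4, third_party_harm_potential=3,
        known_vulnerabilities=4, previous_fraud_instances=4),
    "Procurement": dict(
        counter_fraud_maturity=3, budget=4, operational_complexity=3,
        external_party_involvement=4, systems_maturity=3, dependency_on_others=2,
        information_sensitivity=2, policy_undermining_potential=3,
        reputational_damage_potential=3, third_party_harm_potential=2,
        known_vulnerabilities=2, previous_fraud_instances=2),
    "Corporate library": dict(
        counter_fraud_maturity=4, budget=1, operational_complexity=1,
        external_party_involvement=1, systems_maturity=4, dependency_on_others=2,
        information_sensitivity=1, policy_undermining_potential=1,
        reputational_damage_potential=1, third_party_harm_potential=1,
        known_vulnerabilities=1, previous_fraud_instances=1),
}

if __name__ == "__main__":
    for name, score, band in profile(SAMPLE_UNITS):
        print(f"{name:<20} {score:>5}  {band}")
```

The ranked output is the ‘heat map’: the units at the top are the candidates for a detailed fraud risk assessment first. Keeping the weights in one table makes it easy for the Fraud Control Officer to record why a factor was weighted as it was, and the range check means a unit cannot be accidentally ranked low because a factor was never rated.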
Large Australian Government entities (such as portfolio departments and large service delivery agencies) typically manage complex delivery programs and high value procurements that may carry numerous inherent fraud risks. For these entities, a rolling fraud risk assessment program (informed by strategic fraud risk profiling) may be more appropriate than a ‘point-in-time’ fraud risk assessment. This will enable entities to target those high-risk functions and programs on a priority basis, and address significant changes to structure and function as they arise. This approach also allows for continual monitoring, reporting, reassessment and improvement of fraud risk assessments and responses. For highly complex, resource-intensive or sensitive programs this is more favourable than an annual ‘set-and-forget’ approach.