5. Reporting, monitoring and review
As indicated in Section 2.1, leadership is critical to ensure activities such as strategic risk profiling and fraud risk assessments are reported, monitored and reviewed to achieve effective fraud prevention outcomes. Strategic reporting to executive committee/s can be useful leverage for influencing action to counter fraud. For example, business areas will be more inclined to take positive action if they know their decisions to counter fraud will be reported to an executive committee.
Entities should actively monitor the implementation of fraud controls, because until new controls are in place, those fraud risks that sit outside an entity’s risk tolerance will still carry an inherently high rating. As indicated in Section 2.4, fraud risk owners will be responsible for making sure the controls for their risks are implemented in a timely manner and remain effective.
It is also essential that an entity’s fraud risks are carefully monitored. Sometimes only small changes to a business process or function can alter the inherent risk rating of a known fraud risk, result in the emergence of new fraud risks, or impact the effectiveness of existing controls.
A Fraud Control Officer should use a risk register which is suitable for recording, analysing, evaluating, treating and reporting fraud risks. The risk register should be used in a manner which is consistent with the entity’s risk management framework.
Entities should establish feedback loops so that insights gained from targeted fraud and corruption risk assessments are fed back, ideally through responsible governance committees, senior executives and relevant business areas, to inform the entity’s management of fraud and corruption risks. For example, the results of targeted fraud and corruption risk assessments should inform any reviews of fraud and corruption risks at the enterprise level or organisational fraud and corruption risk profiling. This allows higher-level activities to be intelligence-led and leads to more effective targeting of counter fraud capability and resources towards the entity’s highest fraud and corruption risks and vulnerabilities.
The diagram shows how the different risk assessments and activities might flow from an enterprise-level risk assessment and organisational risk profiling, through thematic risk assessments, to detailed risk assessments. Initial impact assessments of new policies, programs and initiatives can in turn inform enterprise risk assessments and organisational risk profiling. The diagram below shows how these assessments form part of a continuous feedback loop.
See Information Sheet – Element 8: Recording and reporting fraud and corruption for advice on internal reporting and feedback mechanisms.
The effectiveness of controls has a direct influence on residual risk – that is, the likelihood, frequency, duration and impact of fraud and corruption occurring. The Commonwealth Fraud and Corruption Control Framework includes requirements for entities to periodically review control effectiveness. This involves gathering information and data to determine whether a control is functioning as intended. However, examining the effectiveness of fraud and corruption controls includes an additional consideration: accounting for the variable of a dishonest actor.
The IPSFF Fraud Control Testing Framework contains a suite of procedural guides, tools and templates to support officials to apply consistent and leading practice approaches to fraud and corruption control testing.
See Information Sheet – Element 3: Reviewing control effectiveness for further advice on developing this capability.