David T.
David Toma

We have a fraud risk susceptibility framework that can help with conducting fraud risk assessments.

The first step in conducting fraud risk assessments is to understand what business units, functions or services are most susceptible to fraud risks. This enables an agency to focus its fraud risk mitigation activities in areas of higher risk.

As part of our recent report Fraud risk management (Report 6: 2017–18), we developed a Fraud risk assessment and planning tool that can help public agencies identify specific fraud risks. Also in this report, and in our earlier report Fraud management in Local Government (Report 19: 2014–15), we produced a fraud risk susceptibility analysis.  

In designing this fraud susceptibility framework, we considered what characteristics make a business unit, function or service more susceptible to fraud risk. This does not mean that fraud has necessarily occurred in those areas, but that there is a higher risk that it could occur.

Here are some questions from the framework which can help to identify if an area is susceptible to fraud risk:

  • Financial—are there high volumes or high values of transactions flowing to third parties? Do the values exchanged match the benefits received (e.g. grants, subsidies, donations)? Do accounting balances require subjective measurements?
  • Relationshipsdoes a supplier have a high dependency on the public sector agency? Is there limited market depth in the supply market? Do remuneration arrangements exist which provide for large bonuses relative to base salary contingent on achieving targets?
  • Attitudes—does senior management fail to promote good governance or address internal control issues identified by auditors? Is there a reluctance to disclose information publicly?
  • Use of assets—Do staff have access to commercially sensitive valuable information that is not publicly available? Can staff access highly portable and attractive items of equipment?
  • Decision-making—are operations and decision-making decentralised? Is it difficult to supervise work performed?

Check out our framework to see what the potential fraud exposure is if the answers to the above questions are ‘yes’.

Doing this type of assessment can then help us to target areas of higher risk for a more detailed fraud risk assessment where we identify what specific risks a business unit, function or service areas is exposed to, what the consequences are if those risks materialize, and what controls have, or need to implement, to mitigate those risks.

Related article

As technology opens doors for increased efficiency, connectivity and sharing, it opens our work and home to cyber risk.