Report 6: 2017–18
Audit Objective

In this audit we assessed if agencies appropriately identify and assess fraud risks, and apply appropriate risk treatments and control activities to adequately manage their exposure to fraud risks.

We assessed if the agencies' risk management plans effectively targeted and addressed fraud risks and if there were any obvious omissions from risk registers.

Overview

Recent fraud attempts in the Queensland public sector highlight the need for agencies to implement effective fraud control measures.

To effectively identify and manage fraud risks, agencies need to examine their business environments to understand their potential exposure to fraud. Agencies that do not dedicate sufficient time and resources to understanding their fraud risks can be exposed without realising it.

This audit assessed if agencies appropriately identify and assess fraud risks, and apply appropriate risk treatments and control activities to adequately manage their exposure to fraud risks.

The report also includes better practice statements for fraud risk management, common fraud risks, and guidance for conducting a fraud risk susceptibility analysis. We have also published a fraud risk assessment and planning tool to help agencies identify, record and monitor fraud risks. You can download the tool by clicking 'Download better practice guide' on the left-hand menu.

Recommendations

We recommend that all public sector agencies:

1. self-assess against the better practices listed in this report to improve fraud control policies and plans where required, and make sure accountabilities and responsibilities for fraud control are clear.

2. integrate fraud risk management systems and procedures within existing enterprise risk management frameworks.

The integrated framework should include the requirement to:

  • conduct regular fraud risk assessments at the entity and detailed level, to identify current and emerging risks
  • record fraud risks in a fraud risk register or using a fraud risk category in existing registers
  • train and provide guidance to employees on how to conduct fraud risk assessments, and how to effectively design, implement and monitor controls to mitigate risks
  • ensure control owners regularly assess and report on the operational effectiveness of fraud controls
  • document controls and treatments to mitigate fraud risks that are clear and measurable, with a defined timeframe and assigned to a responsible officer.

3. monitor, through their governance forums, their agencies' exposure to fraud risk and the effectiveness of their internal controls to mitigate any risks.

Key governance committees, including boards and audit and risk committees, should:

  • review whether the agency has a comprehensive enterprise risk management framework in place, to effectively identify and manage risks, including fraud risks
  • ensure the agency has appropriate processes or systems to capture and assess fraud risks
  • review reports on fraud risks, and fraud incidents (that occur both within the agency and the broader public sector), considering how reported allegations and confirmed incidents may change identified fraud risks.