Fraud Risk Management – Better Practice Guide

Western Australian Auditor General’s Report

Report 20: 2021-22, 22 June 2022

Office of the Auditor General Western Australia

Report team: Carl Huxtable, Chiara Galbraith

National Relay Service TTY: 133 677 (to assist people with hearing and voice impairment)

We can deliver this report in an alternative format for those with visual impairment.

© 2022 Office of the Auditor General Western Australia. All rights reserved. This material may be reproduced in whole or in part provided the source is acknowledged.

ISSN: 2200-1913 (print)
ISSN: 2200-1921 (online)

The Office of the Auditor General acknowledges the traditional custodians throughout Western Australia and their continuing connection to the land, waters and community. We pay our respects to all members of the Aboriginal communities and their cultures, and to Elders both past and present.


THE PRESIDENT
LEGISLATIVE COUNCIL

THE SPEAKER
LEGISLATIVE ASSEMBLY

FRAUD RISK MANAGEMENT – BETTER PRACTICE GUIDE

This report has been prepared for submission to Parliament under the provisions of section 23(2) and 24(1) of the Auditor General Act 2006.

Better practice checklists regularly feature in my Office’s performance audit reports as a means of providing guidance to help the Western Australian public sector perform efficiently and effectively. This is the third comprehensive stand-alone better practice guide we have produced.

CAROLINE SPENCER
AUDITOR GENERAL
22 June 2022

Contents

Auditor General’s overview ..... 2
Part 1: Introduction ..... 3
  1.1 About this guide ..... 3
  1.2 Who should use this guide ..... 3
  1.3 What is fraud and corruption ..... 3
  1.4 Fraud control principles ..... 4
  1.5 Acknowledgements ..... 5
Part 2: Why develop a fraud risk management program ..... 6
  2.1 Overview ..... 6
  2.2 Public sector requirements ..... 6
  2.3 Impact of fraud in the WA public sector ..... 6
  2.4 Status of fraud control maturity across the sector ..... 8
Part 3: How to develop a fraud risk management program ..... 10
  3.1 Overview ..... 10
  3.2 Where to look for fraud vulnerabilities ..... 11
  3.3 Fraud risk management process ..... 12
Appendix 1: Glossary ..... 25
Appendix 2: References ..... 27
Appendix 3: Fraud control system benchmarking tool ..... 28
Appendix 4: External threat assessment tool ..... 32
Appendix 5: Tools to support the fraud risk management process ..... 37
  A5.1 Communication and consultation tool ..... 37
  A5.2 Scope context and criteria tool ..... 38
  A5.3 Risk assessment tools ..... 39
  A5.4 Risk treatment tools ..... 50

Fraud Risk Management – Better Practice Guide | 2

Auditor General’s overview

Fraud and corruption are ever present and growing threats to businesses, including the Western Australian public sector. As well as loss of funds, fraud and corruption can result in loss of confidence in government institutions. The community needs to have faith that the public sector is serving them well for democracy to work.

The social contract between taxpayer and Government is threatened when public money is misappropriated or other wrongdoing occurs. It strikes at the core of trust, accountability and transparency in Government.

Good governance is important to protect our power, water, justice and transport infrastructure, as well as our health, education and regulatory systems from ineffectiveness, inefficiency and of course failure to deliver what people need when they need it.

It is therefore critical that all levels of the Western Australian (WA) public sector commit to good governance to safeguard public assets from fraudulent or corrupt activity. To do this, every WA public sector entity must understand, in detail, the risks that occur generally within the public sector environment and the specific risks relevant to the activities they undertake.

A common motivator for most people who join the public sector is a desire to do a good job. To assist with this we develop and share guidance on better practice. The purpose of this Better Practice guide is to raise the standard of fraud and corruption control across the WA public sector. Parts 1 and 2 of this guide are aimed at decision makers, highlighting the importance of a fraud and corruption risk management program and the current state of fraud control in the WA public sector. Part 3 is aimed at guiding those responsible for developing and implementing an entity’s fraud risk management program.

The guide follows the establishment of our Forensic Audit team as set out in my report of December 2021, its purpose being to uplift fraud resilience within the WA public sector. As has always been the case, public sector entities are responsible for the prevention and detection of fraud and corruption. This guide is intended to empower entities to do more to discharge their governance responsibilities by better controlling their risks of fraud and corruption.

We encourage entities to use this guide along with the tools and other available resources to manage the risk of fraud against their entity. While fraud risks cannot be eliminated, a robust and well-resourced fraud risk management program can minimise the likelihood and consequences of fraud events.

We thank the Commonwealth Fraud Prevention Centre for their generous support in helping develop this guide as well as McGrathNicol Advisory for their guidance. We also extend our appreciation to the State entities that provided valuable feedback on the draft guide.

3 | Western Australian Auditor General

Part 1: Introduction

1.1 About this guide

This Better Practice Guide aims to help Western Australian (WA) public sector entities to manage their fraud and corruption risks. It outlines why fraud and corruption risk management is important (Part 2) and provides practical guidance on the process of developing a fraud and corruption risk management program (Part 3).

The guide refers to a range of tools which are included in the appendices and available on our website (www.audit.wa.gov.au). The online tools will be updated as required.

1.2 Who should use this guide

This guide is intended for use by WA public sector entities (entities) and may be applicable to other organisations.

Parts 1 and 2 are intended for directors general, chief executive officers, managers and other key decision makers. Part 1 outlines the high-level principles entities should apply to fraud and corruption risk management and Part 2 highlights the importance of entities implementing an effective fraud and corruption risk management program.

Part 3 is for those tasked with fraud risk management within an entity. It aims to step them through the process of developing, executing and monitoring an entity’s fraud and corruption risk management program.

Ultimately, preventing and detecting fraud and corruption is the responsibility of every person in the WA public sector, and as such, this guide may be relevant for all public sector employees.

1.3 What is fraud and corruption

Fraud and corruption involve a benefit being obtained through dishonesty and/or an abuse of position to the detriment of another person or entity (Figure 1). They can pose a risk to an entity’s finances, reputation, and service delivery. More seriously, they go to the heart of trust and confidence in Government. In this guide, we use the term fraud to include corruption.

Source: OAG using information from the Victorian Auditor General’s Office – Fraud and Corruption Control report, March 2018
Figure 1: Definitions of fraud and corruption


Not all fraud can be prevented – every organisation, public or private, is vulnerable. A robust and rigorous fraud control system, with appropriate prevention and detection processes, can reduce the risk of fraud occurring and minimise losses.

To effectively fight fraud an entity must first acknowledge that fraud occurs and then seek to understand how and why it occurs. The fraud triangle (Figure 2) outlines 3 key elements that are generally present when fraud has occurred in an entity:

• Opportunity – a vulnerability within systems or processes is identified and exploited.

• Motivation – also referred to as pressure, is the reason someone commits fraud.

• Rationalisation – how someone justifies their fraudulent behaviour to themselves.

With the right mix of motivation, opportunity and rationalisation even the most trusted employee can be tempted to commit a fraudulent act.

Source: OAG, adapted from Other People’s Money [1]
Figure 2: The fraud triangle

A fraudster’s personal motivation and ability to rationalise their behaviour are largely beyond an entity’s control, although entities will benefit from being alert to and aware of behavioural red flags in respect of their staff and suppliers. The most effective way for an entity to manage its risk of fraud is by controlling the opportunity – implementing or enhancing controls aimed at preventing fraud or detecting it quickly if it does occur.

1.4 Fraud control principles

Building a robust and effective fraud risk management program requires 10 essential principles. Each of the following principles links to 1 or more stages of a better practice fraud risk management program as set out in this guide.

[1] Other People’s Money: A Study in the Social Psychology of Embezzlement, Dr Donald Cressey, Free Press 1953.


Strong leadership An entity’s leadership must model a commitment to fraud control, establishing a strong ‘tone at the top’ culture to demonstrate their personal commitment to operating with integrity and encouraging a ‘finding fraud is good’ mindset.

Recognise fraud as a business risk

Entities must acknowledge they are vulnerable to fraud. Fraud should be viewed and treated in the same way as an entity’s other enterprise risks.

Adequate control resourcing

Entities should invest in appropriate levels of fraud control resourcing including specialist information system security management personnel.

Clear accountability for fraud control

Entities should establish clear personal accountabilities for fraud control at the governance, executive management and management levels.

Implement and maintain an effective fraud control system

An effective fraud control system (FCS) can reduce the opportunity for fraud. It needs to align with better practice guidance, be fully implemented, monitored and updated periodically.

Periodic assessment of fraud risks

Fraud risk assessments should be carried out periodically or whenever a significant change that affects the entity occurs.

Effective awareness raising program across the entity

To ensure employees recognise red flags for fraud, entities should establish an effective awareness program.

Open channels to report suspicions of fraud

To encourage whistle-blowers to come forward, entities should:

• support active reporting of fraud through accessible, anonymised reporting channels

• ensure that the entire workforce is aware of organisational expectations for reporting detected or suspected cases of fraud

• ensure they have robust whistle-blower protection policies and procedures that include assurance that victimisation of those who, in good faith, make such reports will not be tolerated.

Implement a fraud detection program

An effective fraud detection program that includes detection measures such as data analytics and post-transactional review is important.

Consistent response to fraud incidents

Rapid and robust response to suspected fraud events with effective investigation procedures will drive decisive action and result in better outcomes for detected fraud incidents. A strong and consistent response to all fraud events will send a strong message to the workforce that the entity will not tolerate fraud, no matter how minor.

Source: OAG
Table 1: Foundation principles for fraud control

1.5 Acknowledgements

We would like to express our appreciation to the entities and their employees who contributed to the development of this guide.

We also acknowledge and express our appreciation to the Commonwealth Fraud Prevention Centre (CFPC) and Standards Australia, who willingly shared their original intellectual property in the development of this guide, and McGrathNicol Advisory, who were engaged to provide technical expertise.


Part 2: Why develop a fraud risk management program

2.1 Overview

In this part of the guide, we outline why entities should develop a fit for purpose fraud risk management program. In summary:

• there are WA government requirements to implement integrity measures to protect the financial and reputational position of entities

• the financial, reputational and human impact on an entity and its employees when fraud occurs can be significant

• entities’ fraud control maturity is not meeting best practice.

Fraud risk management has a critical role in preventing and promptly detecting fraud to minimise loss, retain trust in entities and protect employees.

2.2 Public sector requirements

Entities are required to consider their risks and implement protections.

Treasurer’s Instruction (TI) 825 requires all WA State government entities to develop and implement a risk management program. The TIs state that, where possible, entities’ policies and procedures should be consistent with Australian Standards including:

• AS ISO 31000:2018 – Risk management - Guidelines (risk standard)

• AS 8001:2021 – Fraud and corruption control (fraud control standard).

Similarly, Regulation 17 of the Local Government (Audit) Regulations 1996 requires local government CEOs to review their entity’s systems and procedures, including for risk management, to ensure they are effective and appropriate for the entity’s needs.

In addition to these requirements, the Public Sector Commission encourages all entities to commit to implementing its Integrity Strategy for WA Public Authorities 2020-2023. This strategy includes the Integrity Snapshot Tool which enables entities to self-assess their current integrity position and help identify areas for improvement.

This guide is intended to aid all entities in the application of the above Australian Standards and is not a replication of them. Entities should obtain a copy of the above from Standards Australia or from an authorised distributor to ensure a full and proper understanding of the content and their compliance with them. [2]

2.3 Impact of fraud in the WA public sector

The Association of Certified Fraud Examiners Report to the Nations 2022 estimated that fraud losses in businesses, government and not-for-profits are approximately 5% of their annual turnover. [3] If this estimate is an accurate reflection of actual fraud losses within the WA public sector, the impact on the people of WA, and the services to them, is considerable.

[2] Reproduced by Office of the Auditor General (WA) with the permission of Standards Australia Limited under licence CLF0622OAGWA. Copyright in AS 8001:2021 and AS ISO 31000:2018 vests in Standards Australia and ISO. Users must not copy or reuse this work without the permission of Standards Australia or the copyright owner.

Fraud within the WA public sector is typical of instances in other jurisdictions and sectors where investigations regularly find deficiencies within entities’ controls. These deficiencies may have been identified earlier if the entities had a robust and rigorous fraud risk management program in place.

The following is a short summary of some detected fraud events within the WA public sector in the last 15 years and the practical impact on service delivery. These incidents demonstrate that the WA public sector remains vulnerable to fraud by members of its own workforce as well as external fraudsters.

Source: OAG
Figure 3: Examples of known fraud in the WA public sector

[3] Association of Certified Fraud Examiners, Occupational Fraud 2022: A Report to the Nations.


The impact of fraud goes beyond financial and service delivery losses and includes:

• Human impact: Those who rely on government services (such as the elderly, the vulnerable, the sick and the disadvantaged) are often the ones most harmed by fraud, increasing the disadvantage, vulnerability and inequality they suffer.

• Reputational impact: When it is handled poorly, fraud can result in an erosion of trust in government and industries, and lead to a loss of international and economic reputation. This is particularly true when fraud is facilitated by corruption.

• Industry impact: Fraud can result in distorted markets where fraudsters obtain a competitive advantage and drive out legitimate businesses, affecting services delivered by businesses and exposing other sectors to further instances of fraud.

• Environmental impact: Fraud can lead to immediate and long-term environmental damage through pollution and damaged ecosystems and biodiversity. It can also result in significant clean-up costs. [4]

• Organisational impact: The impact of fraud on employees can be significant. It can lead to low morale, mistrust, inefficient additional oversight and ultimately staff leaving due to the entity’s damaged reputation. It can also result in reduced efficiency and effectiveness of the entity’s activities.

2.4 Status of fraud control maturity across the sector

In 2021, we conducted a high-level review of State government entities’ fraud risk management. As reported in our Forensics Audit Report – Establishment Phase, we found many entities fell well short of better practice. We reported similar results in our 2013 report, Fraud Prevention and Detection in the Public Sector, and in our 2019 report, Fraud Prevention in Local Government. Significant work is required across the public sector to raise the standard of fraud risk management to a satisfactory level.

As part of our 2021 review we asked: “Has the entity completed an assessment of its fraud and corruption risks?” Set out at Table 2 is an analysis of the findings of that review.

Responses
Assessment completed: 71
Assessment in progress: 12
Assessment not completed: 11
Total: 92

Source: OAG
Table 2: Number of entities who have completed an assessment of their fraud and corruption risks

We selected a sample of 12 entities for more detailed analysis. This further analysis highlighted several key themes as set out in Table 3 below:

Theme: Lack of a risk framework
Summary: Some entities did not have an overall risk framework that could be applied in the context of fraud risk.
Why it matters: An overall risk framework ensures consistency in approach to all the entity’s identified risks.

Theme: Entity size not an indicator of quality
Summary: Several larger entities provided insufficient details to show they had undertaken a fraud risk assessment. This suggests that inadequate resourcing is not the sole cause of poor fraud risk assessments being conducted.
Why it matters: The public sector collectively provides a diverse range of services and entities should apply a fit for purpose approach to their fraud risk assessment.

Theme: Lack of collaboration
Summary: Our analysis suggested a lack of collaboration with risk and process owners in the identification and analysis of the entity’s fraud risks.
Why it matters: Collaboration is important because different employees bring different perspectives and experience.

Theme: No fraud risk register
Summary: Many entities did not have a fraud risk register, despite this being a requirement of their fraud control program.
Why it matters: Entities cannot efficiently monitor and review fraud risks if they have not been documented. The appropriate way to document an entity’s fraud risks is in a fraud risk register.

Theme: Failure to assess fraud risk
Summary: It was clear from our analysis that a significant proportion of entities had not assessed their fraud risks. In many cases entities mistook a fraud control framework for a fraud risk assessment.
Why it matters: Entities must ensure they have a sound understanding of fraud risks that could impact their organisation – this can only be done by implementing a comprehensive process to identify, analyse and evaluate specific fraud risks that could impact the entity.

Theme: Data analytics not targeted
Summary: Entities had not identified and assessed relevant fraud risks prior to undertaking data analytics to identify fraudulent transactions.
Why it matters: Data analytics is a useful tool for the prevention and detection of fraud, but it requires discipline for it to be efficient and effective. Entities risk implementing inefficient and costly data analytics that are not effective for fraud risks specific to their entity.

Theme: Excessive generalisation
Summary: Fraud risks that were identified were excessively general rather than being linked to specific processes.
Why it matters: Entities must properly identify and define their vulnerabilities to enable implementation of effective controls.

Theme: Risk register limited to strategic risks
Summary: Fraud had been identified as an overall strategic risk; however, we saw little evidence that specific fraud risks were identified for individual business units or that a comprehensive fraud risk assessment had been undertaken across all parts of the organisation.

Source: OAG
Table 3: Themes identified from survey of entities’ fraud control maturity

[4] Commonwealth Fraud Prevention Centre, The total impacts of fraud (accessed 17 May 2022).


Part 3: How to develop a fraud risk management program

3.1 Overview

To effectively manage fraud risks, entities should develop and implement a robust and effective fraud risk management program. The program should be tailored to an entity’s objectives, environment and risk profile and cover:

• the 3 areas where fraud vulnerabilities can be found (based on AS 8001:2021 – Fraud and corruption control) – section 3.2

• the 6-stage process to manage risks (based on AS ISO 31000:2018 Risk management – Guidelines) – section 3.3.

The diagram below is a simple illustration of the fraud risk management program.

Source: OAG based on AS 8001:2021 and AS ISO 31000:2018

Figure 4: Risk management process including 3 areas of fraud risks to consider


3.2 Where to look for fraud vulnerabilities

In accordance with AS 8001:2021, effective management of fraud risk requires a comprehensive examination of an entity’s overall fraud control system (FCS), external threats and operational (or internal) activities.

Our survey of State government entities found that most entities who had taken steps to manage their risk of fraud only considered 1 of the 3 vulnerability areas and none provided evidence that they had considered all 3.

The following is a brief overview of the 3 areas of fraud vulnerability. Whilst we have focused the fraud risk management process that follows at 3.3 on operational risks, it can be applied to the other 2 areas of fraud vulnerability.

A fraud control system is the tools and techniques used to mitigate an entity’s fraud risks. When considering fraud risks, analysing the existing control environment is important to assess how closely it aligns to better practice.

AS 8001:2021 – Fraud and corruption control, Clause 2.10 identifies 4 elements of an FCS: foundation, prevention, detection and response. Examples of each are included in the table below:

FCS elements Overview

Foundation Adequate resourcing to implement a multi-faceted approach to managing fraud risks. Examples include specialist resourcing, awareness training, risk management, information security management systems.

Prevention Prevention controls are the most common and cost-effective way to mitigate fraud. Examples include an integrity framework, internal controls, workforce screening, physical security.

Detection Detection controls can help to identify when fraud has occurred but are not as cost-effective as preventative measures. Examples include post-transactional review, data analytics, whistle-blower management.

Response Response controls can assist the entity to respond to a fraud incident after it has occurred. They are the least cost-effective; however, they can significantly reduce the impact of present and future frauds. Examples include investigation, disciplinary procedures, crisis management, recovery.

Source: OAG based on AS 8001:2021 – Fraud and corruption control Clause 2.10
Table 4: Elements of a fraud control system

Entities may not have formally documented their FCS, but it is likely they have several existing controls.

Designing and implementing a robust fraud risk management program will inevitably strengthen an entity’s FCS. For this reason, we recommend an entity assesses its FCS against better practice before undertaking the fraud risk management process.

The fraud control standard (Clause 2.10) sets out an approach to developing and implementing an entity’s FCS and a structure for documenting it. Appendix 3 is a tool for entities to benchmark their current FCS maturity against the fraud control standard.


Updating the fraud control system documents throughout the fraud risk management process assists entities to monitor their increased maturity.

External threats come from outside an entity and are largely beyond its control. The fraud control standard recommends entities consider the 6 external factors that can impact an organisation, known as the PESTLE model. The model is explained in the table below and a complete tool is provided in Appendix 4:

PESTLE factor Overview

Political To identify the political situation of the country, State or local government area in which the entity operates, including the stability and leadership of the government, whether there is a budget deficit or surplus, lobbying interests and local, regional, national or international political pressure.

Economic To determine the economic factors that could have an impact on the entity including interest rates, inflation, unemployment rates, foreign exchange rates and monetary or fiscal policies.

Social To identify the expectations of society by analysing factors such as consumer demographics, significant world events, integrity issues, cultural, ethnic and religious factors, and consumer opinions.

Technological To identify how technology, including technological advancements, social media platforms and the role of the internet more broadly, is affecting or could affect the entity.

Legal To identify how specific legislation, including industry specific regulations, and case law are affecting or could affect the entity’s future operations.

Environmental To identify how national and international environmental issues are affecting or could affect the entity.

Source: OAG based on AS 8001:2021 – Fraud and corruption control, Clause 2.9
Table 5: External factors that can impact an entity

Operational fraud risks are the fraud risks associated with an entity’s day-to-day operations. There will be risks that are common to all entities (e.g. procurement, payroll, asset management) and those that are entity specific (e.g. property development, grant administration, major projects). Operational risks will also include changes in function or activity (e.g. a new government initiative, or creation of a relief fund in response to a natural disaster). The following section, Fraud risk management process, focuses on managing operational fraud risks and discusses this in more detail. We also provide further tools in the appendices to assist with better managing them.

3.3 Fraud risk management process

In this section we have mapped out the 6 stages in the risk management process as summarised in Figure 4 above. It is not a linear process; each stage will connect to others at different times throughout the risk management cycle.

We describe the stages and introduce several tools which can be used to assist in developing an effective fraud risk management program. The complete tools are included in the appendices and are available on our website. These tools are not an exhaustive list; there are many tools available (free and for a fee) and entities should determine which ones best suit their needs.


Communication and consultation

To effectively identify fraud risks within an entity’s processes and systems, it is essential that the people who best know and run or control the business processes and business area are adequately engaged throughout the fraud risk management process. Entities should also consider if subject matter experts need to be engaged, such as information system security specialists.

Communication and consultation are intended:

“…to assist stakeholders in understanding risk, the basis on which decisions are made and the reasons why particular actions are required.” [5]

Employees can feel challenged when asked to respond to questions or contribute to discussions about fraud risks – they may feel that considering this issue with them or in their presence is, in effect, calling their integrity into question. Those tasked with the fraud risk management program should keep the people they need engaged and at ease throughout the process to ensure the best outcome.

Communication and consultation Better practice

Promote awareness and understanding of fraud risks

• Implement multimodal training programs specific to fraud risks – “What is a fraud risk”

• Effectively communicate to employees that the objective is to protect the integrity of the entity and employees

Bring different expertise together throughout the process using effective mechanisms

• Engage different levels of expertise and experience to bring various perspectives

• Use a variety of communication methods such as emails, workshops, one-on-one interviews and surveys to obtain a wide range of feedback and opinions

Build a sense of inclusiveness and ownership for process owners (e.g. one-on-one interviews, focus groups)

• Use fraud risk workshops to obtain “buy in” from process operators and owners

• Invite all relevant employees, regardless of seniority, to attend a workshop

Obtain sufficient knowledge from relevant stakeholders of business processes to facilitate fraud oversight and decision making

• Facilitate fraud risk workshops to discuss and map business processes and internal controls

• Ask attendees to consider “what could go wrong?” in processes they engage with or manage

• Identify areas of fraud risk in a process map that require internal controls

Engage with relevant stakeholders to obtain feedback and information to support decision-making

• Structure emails and/or surveys that focus on fraud risks for specific processes

• Adopt appropriate modes of communication

Source: OAG

Table 6: Better practice examples of the communication and consultation stage

5 AS ISO 31000:2018 Risk management - Guidelines Clause 6.2.


One way to enhance communication is by meeting one-on-one to facilitate a better understanding of relevant risk and control issues.

To help with communication and consultation, entities should prepare a communication plan that outlines the intended methods, people and timelines for consultation. This also forms the basis of reporting to any oversight committees on the progress of projects in the fraud risk management program. Examples of methods of communication and consultation are provided in Appendix 5.1.

Scope, context and criteria

Establishing the scope, context and criteria for the fraud risk assessment is done using the communication and consultation processes outlined above. They will differ for each entity and will be determined by the size and complexity of the process being assessed.

“…Scope, context and criteria involve defining the scope of the process and understanding the external and internal context.”6

Case study 1: Example of scope, context and criteria for a risk assessment of selected parts of the Procure to Pay process

Factor Procure to Pay

Scope • The specific parts of the Procure to Pay process to be assessed are: supplier selection, onboarding vendors, purchase validation (business case, receipt of goods/services) and release of payment.

• We will engage with the finance business unit and operational staff responsible for purchase orders and validation of receipt of goods/service.

• The entity’s risk assessment policy dated 31 January 2020 will be applied in conjunction with the approved fraud risk assessment program dated 30 June 2021.

• As the entity’s procurement staff are across the State, we will need to engage in a number of online meetings with potential site visits.

• Timeline:

o engagement with procurement staff by 30 June 2022

o identification of risks by 31 October 2022

o completion of risk register and mapping of risks by 31 December 2022

o first review to Internal Audit and Risk Committee (IARC) by 28 February 2023

o second review to IARC by 30 April 2023

o submission to Board for approval by 31 May 2023.

6 AS ISO 31000:2018 Risk management - Guidelines Clause 6.3.


Context Internal factors include:

• the strategic objectives of the entity are: community focused delivery of services, sound business practices and quality services. A list of the specific goods, services or works to be procured is provided in Annexure A

• the existing employee level in the Procure to Pay process is sufficient; however, their experience is inadequate. No training has been delivered in identifying indicators of potential fraud

• there is no assessment of fraud controls within vendors

• the entity has policies and processes in respect of independence for supplier selection panels and purchase validation.

External factors include:

• increasing fraud trends targeting procurement and finance teams (i.e. business email compromise – fake emails impersonating an internal senior person or a vendor)

• recent known scams in the public domain that have been uncovered.

Criteria • The below risk criteria are taken from the entity’s risk assessment policy dated 31 January 2020.

• The entity rates likelihood risk on a scale from extremely unlikely to almost certain. Within the Procure to Pay process, ‘rare’ is conceivable but unlikely; ‘unlikely’ is conceivable and has occurred in the past but is unlikely in the next year.

• The entity rates consequence risk on a scale from negligible to catastrophic across the following loss factors: financial, reputational, legal, service delivery.

• Within the Procure to Pay process, ‘negligible’ has no negative consequence; ‘low’ disrupts internal non-management processes and has no external financial loss; ‘moderate’ requires corrective action by senior management, potential disciplinary action and minor financial impact, etc.

Entities will need to develop a scope, context and criteria for all activities and processes they perform. The CFPC’s Fraud Risk Assessment Leading Practice Guide provides a strategic profiling tool in support of its recommendation that entities responsible for multiple activities and processes prioritise the areas of the entity that are at higher risk for fraud.

Scope, context and criteria Better practice

Define the scope of the activity being assessed for fraud risk including objectives and decisions to be made prior to commencing any fraud risk assessment

• Clearly document the scope and objective of the process that is being assessed for fraud risks

• Circulate a document that sets out the scope to all employees participating in the fraud risk assessment

• Break down complex processes into manageable scopes


Establish the context of the fraud risk activity

• Understand the external environment

• Understand the internal operating environment

• Reflect the specific environment of the activity to which the fraud risk management process is to be applied

Align the fraud criteria with an overarching risk management framework used to assess all business risks for consistency

• Review the entity’s existing risk management framework prior to commencing, to ensure it is up to date and fit for purpose

• Align consequence and likelihood criteria and the risk rating matrix with existing framework

The fraud risk assessment criteria should reflect the organisation’s values, objectives and resources and be consistent with policies and statements about risk management

• Review the entity’s existing risk management policy to understand the entity’s risk appetite

Source: OAG

Table 7: Better practice examples of the scope, context and criteria stage

Appendix 5.2 provides a guide on how you could outline your scope, context and criteria.

Risk assessment

Once the scope, context and criteria are established, entities need to assess their fraud risks.

If an entity has a detailed risk assessment approach, then it is logical and likely more efficient to apply that for fraud risks as well.

AS ISO 31000:2018 Risk Management - Guidelines sets out 3 sub-phases in the risk assessment stage:

• risk identification

• risk analysis

• risk evaluation.

The assessment stage is followed by treatment. An overview of the risk assessment and treatment stages is set out below.


Figure 5: Risk assessment and treatment stages overview

Source: OAG based on AS ISO 31000:2018 Risk Management - Guidelines Clause 6.4 and 6.5

Identifying risks

Think like a fraudster. Discover what you don’t know.

Risk identification involves:

“… finding, recognising and describing risks that might help or prevent an organisation achieve its objectives.”7

It is important to avoid the temptation to be defensive and dismiss risks before they have been properly analysed and evaluated.

Identifying fraud risks should be viewed as a creative process. Brainstorm the various fraud schemes that have and could be committed within or against the entity. An effective way to identify fraud risks is to map the process that is being assessed and identify vulnerabilities within the process. Below is an example of an accounts payable process map, sometimes referred to as a flow chart. The coloured circles represent identified fraud risks in the accounts payable (AP) process.

7 AS ISO 31000:2018 Risk management - Guidelines Clause 6.4.2.


Figure 6: Accounts payable process map

Source: OAG

A fraud risk assessment should consider common methods used by fraudsters and look for vulnerabilities within the entity’s processes and activities. This will involve challenging assumptions about, and existing processes within, an entity to identify gaps and thinking of creative ways to circumvent internal controls.

Common frauds are a good place to start but entities should not stop there. Risk identification needs to be realistic, but at the same time entities should remember that even the most far-fetched fraud scheme can occur when the right balance of motivation, rationalisation and opportunity is present. Asking hypothetical questions about how fraud could be perpetrated, in a structured and controlled way, will put the fraud risk assessment process on the right path.

Finally, a good fraud description will allow you to understand ways to prevent or detect the fraud. One way to identify and describe your fraud risks is to consider who did what and what the result was, also described below as the Actor, Action, Outcome method8:

8 Commonwealth Fraud Prevention Centre, Fraud Risk Assessment – Leading Practice Guide.


• actor – accounts payable (AP) officer

• action – submits and processes fictitious invoice

• outcome – payment of invoice results in money going to AP officer’s bank account.

Fraud risks that have been identified should be adequately documented on a fraud risk worksheet. Fraud risk worksheets can function as an aid to the risk assessment but also as a fraud risk register and an implementation worksheet.

Appendix 5.3 includes:

• an example of a fraud risk worksheet

• risk assessment and treatment process overview

• key questions you could ask when trying to identify fraud risks

• the CFPC’s Actor, Action, Outcome method of describing fraud risks

• an example diagrammatic presentation of assessed fraud risks

• a short summary of fraud risks that are commonly found in the public sector environment. The summary is not intended to be an exhaustive list. The examples in section 2.3 would also be useful in this exercise.

Analysing fraud risks

Once the potential fraud risks within the business unit or process have been identified the next step is to analyse the risks.

Risk analysis is:

“… a detailed consideration of uncertainties, resources, consequences, likelihood, events, scenarios, controls and their effectiveness.”9

Fraud risk analysis requires input from employees within the business unit(s) being assessed and any additional subject matter experts who can add value to the process.

An analysis of each risk includes considering:

• the likelihood of the risk occurring

• the consequence for the entity if it did occur

• resourcing constraints impacting controls

• the effectiveness of existing controls intended to mitigate the risks.

The entity should use its established risk analysis matrix to analyse the likelihood, consequences, and strength of existing controls to assign a risk rating to each fraud risk. It is critical that every business unit within an entity use the same risk analysis matrix to allow for a proper comparison of risks across the entity.

Figure 7 below is an example of a risk assessment matrix that combines likelihood with consequence to give a risk rating:

9 AS ISO 31000:2018 Risk management - Guidelines Clause 6.4.3.


Figure 7: Example of a risk assessment matrix

Source: OAG

Sometimes an entity undertaking a fraud risk assessment can overestimate the effectiveness of internal controls. One technique to fully assess their effectiveness is to conduct a walk-through of the relevant process or activity and determine if the controls are currently operating effectively. Applying a sceptical approach to the controls and adopting the mindset of a determined fraudster can help to assess if a control can be overridden or avoided. Internal audit resources can also be helpful in this assessment.

Risk analysis Better practice

Consider uncertainties, risk sources, consequences, likelihood, events, scenarios, controls and their effectiveness

• Detailed documentation of the analysis, including the reasoning for decisions; for example, if a risk is determined to be HIGH for consequence, document why and what inputs were used

Events can have multiple causes and consequences and affect multiple objectives

• Deep-dive analysis to identify all causes, both internal and external, and all potential consequences

Scrutiny of existing controls • Sufficiently analyse and test existing controls including walk-throughs and penetration testing

• Consider engaging specialists to identify gaps in existing system controls

Source: OAG

Table 8: Better practice examples of the risk analysis stage

Evaluating fraud risks

Once an entity’s fraud risks have been analysed, they need to be evaluated against the entity’s risk appetite and tolerance. This should be defined in the entity’s risk management policy and framework. The evaluation is used to determine if further action is required to reduce identified residual risks to an acceptable level.

Entities’ risk appetites and tolerances vary and depend on factors such as the circumstances of a particular program, the cost-benefit of implementing controls to reduce the risk of fraud, resources or other constraints and reputational risk. Risk tolerance is not static and should be determined on a case-by-case basis for each risk identified.


The purpose of risk evaluation is to:

“… support decisions. Risk evaluation involves comparing the results of the risk analysis with the established risk criteria to determine where additional action is required.” 10

It is important that the evaluation of fraud risks involves detailed input from the process and risk owners and includes senior employees who can consider the cost of countering fraud against the entity’s risk tolerance. The evaluation considers the residual fraud risk and should conclude with one of the following outcomes11:

• avoid the risk

• accept the risk

• remove the risk source

• change the likelihood

• change the consequences

• share the risk

• retain the risk.

These conclusions, and links to any supporting documentation, should be included in the fraud risk assessment worksheet.

Risk evaluation Better practice

Evaluate results from risk assessment

• Comparing the results of the risk analysis with the established risk criteria to determine if and where additional action is required

Record and communicate evaluation results

• Risk evaluation outcomes are recorded, communicated and then validated at appropriate levels of the organisation

Source: OAG

Table 9: Better practice examples of the risk evaluation stage

Risk treatment

After finalising the risk assessment, the risk treatment process is undertaken. An entity’s evaluation of the risks and its risk appetite will determine if the residual risk is at an acceptable level or if treatment is required. Risk treatments can include enhancing existing controls, implementing new controls, or avoiding the risk altogether by no longer undertaking the activity, program or service.

An entity needs to consider how to mitigate the residual fraud risks that remain above the entity’s tolerance level. The objective of treating the fraud risk is to reduce the residual risk identified in the assessment to an acceptable level.

10 AS ISO 31000:2018 Risk management - Guidelines Clause 6.4.4.

11 AS ISO 31000:2018 Risk management - Guidelines Section 6.5.2.


The aim of risk treatment is to:

“… select and implement options for addressing risk.”12

An overview of the risk treatment process has been set out in Figure 5.

Some treatments may enhance existing controls or introduce new controls. Fraud controls are specific measures, processes or functions that are intended to prevent or detect fraud events or to enable the entity to respond to them. These would be suitable to address the following outcomes:

• accept the risk

• change the consequence

• change the likelihood

• change both the consequence and likelihood

• share the risk

• retain the risk.

Subject to the entity’s risk appetite and tolerance, not every risk will require the development and implementation of treatments.

Risk treatment Better practice

Determine appropriate risk treatments

• Select risk treatment options consistent with the entity’s objectives, risk criteria and available resources

• Balance the potential benefits against cost, effort or disadvantage of implementation

Document implementation plan

• Document the treatment plan outlining the responsibilities, resources and other relevant implementation information in the fraud risk worksheet

Risks that do not have a treatment option

• If no treatment options are available or if treatment options do not sufficiently modify the fraud risk, the risk is recorded and kept under ongoing review

Remaining risk is documented

• Inform decision makers and other stakeholders of the nature and extent of the remaining risk after treatment

• Document the remaining risk and subject it to monitoring, review and, where appropriate, further treatment

Consider beyond economic consequences

• Justification for risk treatment is broader than solely economic consequences and considers the entity’s obligations, voluntary commitments and stakeholder views

Source: OAG

Table 10: Better practice examples of the risk treatment stage

12 AS ISO 31000:2018 Risk management - Guidelines Clause 6.5.


A useful way to examine your controls is to ensure they are specific, measurable, achievable, relevant and timed (SMART). This model and examples of internal controls that may be applied with a view to change the consequence, likelihood or both are provided at Appendix 5.4.

Monitoring and review

Entities should actively monitor the implementation of fraud risk treatments, because until the new or improved controls are in place, the fraud risk will remain above the entity’s tolerance level. Fraud risk owners will be responsible for ensuring the controls are implemented in a timely manner and remain effective. When a new or improved control has been implemented, the entity should review the control in practice over time to ensure it continues to be effective.

Further, it is essential that entities have a program to continuously monitor and review their fraud risks. Sometimes only small changes to a business process or function can alter the inherent fraud risk rating, result in the emergence of new fraud risks, or impact the effectiveness of existing controls.

Monitoring and review is:

“… to assure and improve the quality and effectiveness of process design, implementation and outcomes.”13

Monitoring and review Better practice

Monitoring and review takes place during all elements of the fraud risk management program

• Monitoring and review includes planning, gathering and analysing information, recording results and providing feedback

Monitoring and review progress is reported

• Results of monitoring and review are incorporated throughout the entity’s performance management, measurement, and reporting activities

Source: OAG

Table 11: Better practice examples of the monitoring and review stage

Recording and reporting

As noted earlier, fraud risks identified through a fraud risk assessment can be integrated into the entity's broader enterprise risk register. Whether entities combine all risks into a single source risk register or maintain a separate fraud risk register, the risks must be documented and reported. Entities should report to appropriate oversight committees and management, including any audit committees which are responsible for overseeing the entity’s risk management and internal controls.

The risk management process and its outcomes should be:

“… documented and reported through appropriate mechanisms.”14

13 AS ISO 31000:2018 Risk management - Guidelines Clause 6.6.

14 AS ISO 31000:2018 Risk management - Guidelines Clause 6.7.


The fraud risk assessment worksheet details several key processes and outcomes that should be documented including the methodology for the risk assessment, the results and the response.

Recording and reporting Better practice

Detailed recording of fraud risk assessment process

• Worksheets include adequate information that demonstrates reason for decisions made and actions taken

Ongoing monitoring and periodic review of the fraud risk management process and its outcomes is planned, and responsibilities clearly defined

• Updates provided to senior management and those charged with governance on progress

• Monitoring through audit committee

• Documented responsibilities for undertaking fraud risk management are outlined in the entity’s FCS

Source: OAG

Table 12: Better practice examples of the recording and reporting stage

Conclusion

Fraud is a pervasive and growing issue within Australia. Fraud can be initiated by employees or close associates of an entity and, increasingly, by parties with no apparent connection to the entity. It can also involve collusion between internal and external parties.

Historically, the approach of many Australian entities to fraud risk management has been wholly reactive. Entities that embrace adequate and proportionate approaches to managing fraud risks will increase their chance of reducing fraud events.

We encourage entities to use this guide along with the tools and any other available resources when applying AS ISO 31000:2018 – Risk management - Guidelines and AS 8001:2021 – Fraud and corruption control to manage the risk of fraud against their entity. While fraud risks cannot be eliminated, a robust and well-resourced fraud risk management program can minimise the likelihood and consequences of fraud events.


Appendix 1: Glossary

Term Definition

Better practice guide (BPG) A fraud risk assessment better practice guide (this report).

Bribery Offering, promising, giving, accepting or soliciting of an undue advantage of any value (either financial or non-financial) directly or indirectly, and irrespective of location(s), in violation of applicable law, as an inducement or reward for a person acting or refraining from acting in relation to the performance of that person’s duties.

Cloud computing The practice of using a network of remote servers hosted on the internet to store, manage, and process data, rather than a local server or a personal computer.

Close associate A person with a close connection with the organisation other than an employee (e.g. director, consultant, contractor).

Collusive tendering The act of multiple tenderers for a particular contract colluding in preparation of their bids – also often referred to as bid rigging.

Conflict of interest A situation in which a person is in a position to derive personal benefit from actions or decisions made in their official capacity.

Corruption Dishonest activity in which a person associated with an entity (e.g. director, executive or employee) acts contrary to the interests of the entity and abuses their position of trust in order to achieve personal advantage or advantage for another person or entity.

Cryptocurrency A digital currency in which transactions are verified and records maintained by a decentralised system using cryptography, rather than by a centralised authority.

Data theft Also known as information theft. The illegal transfer or storage of personal, confidential, or financial information.

Enterprise risk Risks arising from the general operation of an entity that can impact on the entity’s ability to meet its objectives (refer also definition of ‘risk’ below).

FCS Fraud Control System - a framework for controlling the risk of fraud against or by an entity.

Fraud Dishonest activity causing actual or potential gain or loss to any person or entity including theft of moneys or other property by persons internal and/or external to the entity and/or where deception is used at the time, immediately before or immediately following the activity.

Identity fraud Also known as identity theft or crime. It involves someone using another individual’s personal information without consent, often to obtain a benefit.

Internal control Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance that information is reliable, accurate and timely.

Malware Malicious software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorised access to information or systems, deprive users of access to information, or otherwise interfere with the user's computer security and privacy without their knowledge.


Nepotism and/or Cronyism Where the appointee is inadequately qualified to perform the role to which he or she has been appointed. The appointment of friends and associates to positions of authority, without proper regard to their qualifications.

OAG The Office of the Auditor General.

PESTLE model Consideration of 6 external environmental factors that can impact an entity, namely the political, economic, social, technological, legal and environmental factors.

Phishing and/or Spear-phishing Cyber-intrusion. Theft of intellectual property or other confidential information through unauthorised systems access.

Ransomware Form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable.

Risk The effect of uncertainty on objectives. An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.

Risk appetite The level of overall risk an entity is prepared to accept in pursuing its objectives.

Risk tolerance The level of risk an entity is prepared to accept in relation to specific aspects of its operation – the practical application of the concept of ‘risk appetite’ to specific risk categories (relevantly to the subject of this guide, this can include application of an entity's risk appetite to the concept of fraud risk).

Social engineering A broad range of malicious activities accomplished through human interactions (e.g. psychological manipulation of people into performing actions or divulging confidential information).


Appendix 2: References

Association of Certified Fraud Examiners, 2022.

Association of Certified Fraud Examiners, Occupational Fraud 2022: A Report to the Nations, 2022.

Australian Cyber Security Centre Australian Cyber Security Centre analysis, 2022.

Commonwealth Fraud Prevention Centre, Fraud Risk Assessment Leading Practice Guide, 2022.

Cressy, D., Other People’s Money: A Study in the Social Psychology of Embezzlement, Free Press, 1953.

Department of Justice, Corporations Act 2001, 2001.

Department of Justice, Western Australia Corruption, Crime and Misconduct Act 2003, 2022.

Department of Justice, Western Australia Financial Management Act 2006, 2022.

Department of Justice, Western Australia Government Financial Responsibility Act 2000, 2021.

Department of Justice, Western Australia Procurement Act 2020, 2021.

Department of Justice, Western Australia Public Interest Disclosure Act 2003, 2017.

Department of Justice, Western Australia Public Sector Management Act 1994, 2022.

Department of Treasury, Treasurer’s Instructions – specifically TI 825 Risk Management and TI 304 Authorisation of Payments, 2022.

Enacting legislation for GTEs and other government bodies

Office of the Auditor General Western Australia, Forensic Audit Report – Establishment Phase, November 2021.

Office of the Auditor General Western Australia, Fraud Prevention and Detection in the Public Sector, June 2013.

Public Sector Commission WA, Integrity Strategy for WA Public Authorities, 2019.

Standards Australia, AS 8001:2021 – Fraud and corruption control, June 2021.

Standards Australia, AS ISO 37001:2019 Anti-bribery management system, 2019.

Standards Australia, AS ISO 31000:2018 Risk management – Guidelines Risk Assessment, 2018.

Standards Australia, SA SNZ HB 436-2013 Risk Management Guidelines (companion to AS ISO 31000:2018), 2013.

Frau

d R

isk

Man

agem

ent –

Bet

ter P

ract

ice

Gui

de |

28

App

endi

x 3:

Fra

ud c

ontr

ol s

yste

m b

ench

mar

king

tool

An

impo

rtant

com

pone

nt o

f the

per

iodi

c as

sess

men

t of t

he e

ffica

cy o

f an

entit

y’s

FCS

is to

det

erm

ine

whe

ther

an

entit

y’s

FCS

alig

ns w

ith th

e re

quire

men

ts a

nd g

uida

nce

set o

ut in

the

stan

dard

, in

effe

ct, a

ben

chm

arki

ng o

f the

ent

ity’s

frau

d co

ntro

l pro

gram

aga

inst

the

requ

irem

ents

and

gu

idan

ce o

f the

sta

ndar

d. A

n or

gani

satio

n’s

perfo

rman

ce a

gain

st e

ach

elem

ent o

f the

sta

ndar

d ca

n be

ass

esse

d in

acc

orda

nce

with

a

5-el

emen

t rat

ing

sche

me

as s

et o

ut b

elow

.

Alig

nmen

t with

AS

8001

:202

1 –

Frau

d an

d co

rrup

tion

cont

rol b

est p

ract

ice

mod

el

Rat

ing

Mee

ting

bette

r pra

ctic

e 5

Appr

oach

ing

bette

r pra

ctic

e 4

Min

imum

acc

epta

ble

leve

l 3

Inad

equa

te b

ut s

ome

prog

ress

mad

e to

war

ds b

ette

r pra

ctic

e 2

Inad

equa

te –

no

prog

ress

tow

ards

ach

ievi

ng b

ette

r pra

ctic

e 1

The

follo

win

g ar

e th

e re

leva

nt s

teps

requ

ired

to p

repa

re a

nd d

eliv

er a

n FC

S be

nchm

arki

ng p

roje

ct:

Step

1

Con

sult

and

colla

bora

te a

cros

s th

e en

tity

in a

con

side

ratio

n of

the

FCS

benc

hmar

king

mod

el a

nd d

eter

min

e w

hich

, if a

ny, e

lem

ents

of t

he

mod

el a

re n

ot re

leva

nt to

the

entit

y’s

own

circ

umst

ance

s, m

ake

nece

ssar

y ad

just

men

ts to

the

mod

el in

pre

para

tion

for a

naly

sis.

15

Step

2

Gat

her a

ll en

tity

docu

men

tatio

n pe

rtain

ing

to th

e co

ntro

l of f

raud

risk

with

in th

e en

tity

– th

is w

ould

incl

ude:

curre

nt F

CS

docu

men

tatio

n

• cu

rrent

gov

erni

ng b

ody

char

ter

• m

ost r

ecen

t fra

ud ri

sk a

sses

smen

t

• th

e en

tity’

s di

scip

linar

y pr

oced

ures

• re

cent

ana

lysi

s of

aw

aren

ess

rais

ing

activ

ities

with

in th

e en

tity

• m

ost r

ecen

t ext

erna

l env

ironm

enta

l sca

n an

alys

is

15

e.g

. req

uire

men

ts a

nd g

uida

nce

of A

S 80

01:2

021

Sect

ion

3.6

Per

form

ance

Bas

ed T

arge

ts m

ay n

ot b

e re

leva

nt to

pub

lic s

ecto

r ent

ities

and

cou

ld th

eref

ore

be re

mov

ed fr

om th

e m

odel

.

29 |

Wes

tern

Aus

tralia

n Au

dito

r Gen

eral

• internal audit charter
• any recent internal audit reports in relation to fraud risk management
• all integrity related documentation
• current workforce screening policy
• current cybersecurity / information system management policies
• a summary of the last 5 years' fraud incidents and their results, which could provide insight into common activities, themes and weaknesses. Details such as number of events per year, fraud theme (procurement, CC etc.), quantum, fraud substantiated Y/N, vulnerability identified, how the vulnerability was treated, and the date the vulnerability was treated
• reports of analysis of internal control efficacy including pressure testing transactions.

Step 3: Consult broadly across the entity to arrive at a realistic and reliable assessment of the entity's current performance against each relevant element of AS 8001:2021. Consultation would include:
• if a relevant policy or procedure is currently in place or is proposed
• the frequency of review of all relevant policies and procedures
• if there is adequate resourcing to ensure that the FCS is properly and effectively administered
• the culture within the entity in terms of adherence to the key elements of the FCS.

Step 4: Collaborate with relevant system and process owners to arrive at a rating on a scale of 1 to 5 for each element of the FCS being assessed in terms of its current alignment with AS 8001:2021.

Step 5: Consult broadly within the organisation in relation to initiatives currently in train for implementation in the future, and collaborate with relevant system and process owners to arrive at a rating on a scale of 1 to 5 for each element of the FCS being assessed in terms of its future alignment with AS 8001:2021, on the assumption that the initiative is fully implemented.

Step 6: Enter scores into the model and review the output chart.

Step 7: Present to the relevant oversight committee within the entity.

Step 8: Implement remedial action required for the entity to better align with the better practice model per AS 8001:2021.

Step 9: Monitor the ongoing efficacy of the FCS in light of this analysis over time.


Presentation of the benchmarking analysis

The outcome of this analysis can be usefully presented in a variety of tabular or graphical formats. The way in which the benchmarking analysis results are presented will depend on the needs of the entity. One particularly visual way of presenting the outcomes of the benchmarking analysis is by way of a 'spider-web' diagram as shown below.

A Microsoft Excel tool is provided on our website, with detailed instructions, to assist in the preparation of this analysis and the production of the spider web diagram detailed below.

The spider web diagram is particularly useful for presenting current and future state alignment of an entity's FCS with AS 8001:2021 and for showing improvement over time.

For example, if a spider web diagram depicting the current and anticipated alignment of the entity's FCS with AS 8001:2021 is presented to each meeting of the relevant oversight committee (e.g. an audit committee), the committee would be able to efficiently monitor progress against action items initiated to address identified gaps.


[Figure: spider web diagram of current and anticipated alignment of the entity's FCS with AS 8001:2021]

The green area: Represents the entity's current alignment with the requirements and guidance of AS 8001:2021.

The amber area: Represents the entity's anticipated future alignment with the requirements and guidance of AS 8001:2021 once initiatives currently in train are fully implemented. Theoretically, the amber area should progressively turn to green over the projected implementation timeframe.

The red area: Represents the current 'gap' between either the current alignment (green) or anticipated future alignment (amber) and the requirements and guidance of AS 8001:2021.


Appendix 4: External threat assessment tool

Assessment of external threats using the PESTLE model requires a rigorous 7-step process as follows:

Step 1: Consult and collaborate across the entity, make necessary adjustments to the worksheet in preparation for analysis.

Step 2: Gather all documentation pertaining to external threats in the environment in which the entity operates or is considering operations.

Step 3: Consider the most recent fraud risk assessment conducted in relation to the entity's operation.

Step 4: In collaboration with risk and process owners, consider the six PESTLE factors that could impact the entity's fraud risks.

Step 5: Identify external factors that need to be addressed by the entity to more effectively control fraud risks.

Step 6: Develop risk treatments for risks that need to be further mitigated and adjust the fraud risk assessment and fraud control system.

Step 7: Review external threats periodically.

The following is an example worksheet for assessing external threats against an entity using the PESTLE model.

Worksheet columns: PESTLE factor | Example questions to consider | External threat assessment | Action to be taken (risk assessment, risk treatments, fraud control system)

Political
To identify the political situation of the country in which the organisation operates, including the stability and leadership of the government, whether there is a budget deficit or surplus, lobbying interests and international political pressure.
Example questions to consider:
1. Has there been a recent change in government (at local, state or federal level)?
2. Is there any anticipated change in government funding foreshadowed? How will a change in funding impact the entity's fraud exposure (e.g. an increase in funding for grants or a decrease in funding for administration)?
3. Is there any legislative change anticipated in relation to employment law that may impact the entity's ability to manage its fraud exposure?
4. Is there a likely increase or reduction in government mandated regulation?
5. If yes, will that give rise to an increase in the entity's fraud exposure (either internally or externally initiated fraud)?
6. Are there any other political factors the entity should consider?
External threat assessment: [Insert text]
Action to be taken (risk assessment, risk treatments, fraud control system): [Insert text]

Economic
To determine the economic factors that could have an impact on the organisation, including interest rates, inflation, unemployment rates, foreign exchange rates and monetary or fiscal policies.
Example questions to consider:
1. Are all economies in which the entity operates currently stable?
2. If there are indications of instability in an economy in which the entity operates, to what degree will this impact the risk of fraud within or against the entity?
3. Are there any key economic decisions (either recently implemented or in contemplation) likely to have an impact on the entity's fraud exposure (e.g. rising interest rates, a change in taxation rates)?
4. Is there currently significant pressure on wages and salaries that could act to reduce disposable income of the general population, and to what degree could that impact on the entity's fraud exposure?
5. Is there likely to be a change in employment levels in the economy in the next three to five years?
6. Is there likely to be a change in working arrangements that may increase the risk of fraud within the entity (e.g. remote working, flexible working arrangements)?
7. Are there any other economic factors the entity should consider?
External threat assessment: [Insert text]
Action to be taken (risk assessment, risk treatments, fraud control system): [Insert text]

Social
To identify the expectations of society by analysing factors such as consumer demographics, significant world events, integrity issues, cultural, ethnic and religious factors, and consumer opinions.
Example questions to consider:
1. Has there been a marked decline in integrity standards within the broader community, or is this anticipated going forward? How could these changes impact the entity's fraud exposures in the future?
2. Is it likely that the entity will only be able to attract adequate human resources by offering work arrangements that are not sustainable for the entity?
3. Are there any other social factors the entity should consider?
External threat assessment: [Insert text]
Action to be taken (risk assessment, risk treatments, fraud control system): [Insert text]

Technological
To identify how technology, including technological advancements, social media platforms and the role of the internet more broadly, is affecting or could affect the organisation.
Example questions to consider:
1. Does the entity have a heavy reliance on technology internally?
2. Does the entity have a heavy reliance on technology to interact with external parties including business associates, customers, clients and the general public?
3. Does the entity embrace leading edge cyber-security?
4. Does the entity have strict policies governing the use of its IT equipment by the workforce for personal purposes?
5. Does the entity have strong controls over the use of technology in the course of remote working?
6. Does the entity closely monitor developments in technology-enabled fraud?
7. Are there any other technological factors that the entity should consider?
External threat assessment: [Insert text]
Action to be taken (risk assessment, risk treatments, fraud control system): [Insert text]

Legal
To identify how specific legislation, including industry specific regulations, and case law are affecting or could affect the organisation's future operations.
Example questions to consider:
1. Does the entity have a strong compliance function?
2. Does the entity have a strong sense of its own duties of integrity when interacting with external parties (i.e. is there a risk of the entity itself being accused of fraudulent or other illegal conduct)?
3. Are there indicators of significant change in the regulatory landscape affecting the entity?
4. Is the entity aware of its vicarious liabilities in relation to the conduct of members of its own workforce?
5. Are there any other legal factors that the entity should consider?

Environmental
To identify how local, national and international environmental issues are affecting or could affect the organisation.
Example questions to consider:
1. Does the entity operate in circumstances where there is a likelihood of a high environmental impact?
2. If so, does this give rise to any raised risk of manipulation of financial or non-financial reporting?
3. Are there any other environmental factors that the entity should consider?


Appendix 5: Tools to support the fraud risk management process

A5.1 Communication and consultation tool

Fraud risk owners can sometimes encounter problems with those responsible for developing, implementing and maintaining fraud controls relating to their risks. This may be because a control owner is experiencing staffing or funding constraints or they lack the requisite expertise. In these circumstances the person tasked with performing the fraud risk program can assist through:
• requesting progressive pieces of work
• fostering productive linkages between parties responsible for fraud control
• providing expert advice to stakeholders
• seeking strategic support from the senior staff to formulate solutions to impediments at the operational or program level.

The table below describes some methods for communication and consultation across an entity.

Structured one-on-one discussion with the process / risk owners
Speak with relevant business units – the people who work with the systems and processes every day. Meet one-on-one to facilitate an enhanced understanding of relevant risk and control issues.

Convene focus groups with process and risk owners and stakeholders
Facilitate detailed discussion of fraud risks with focus groups along with one-on-one meetings as an effective way to identify risks, internal controls that should mitigate those risks, whether they are operating as intended (think like a fraudster), assessing risks and developing effective risk treatments.

Seek input on fraud risk matters from across the entity
Invite the entire workforce to provide their input in relation to the entity's fraud exposures in an online survey.

Regular reporting to the project management committee
A project to manage fraud risk should be subject to a rigorous program of two-way communication between the oversight committee and the practitioner/team tasked with the project.

External communication and consultation
The project committee and the team responsible for delivering the project should consider the benefits of communication and consultation with parties external to the entity such as regulators, subject matter experts and peer organisations.

Reporting to the audit and risk committee
It is important for an audit and risk committee to be informed of developments in relation to fraud risks because they are responsible for overseeing the entity's risk management and internal controls.


A5.2 Scope context and criteria tool

Columns: Factor | Definition | Fraud risk assessment "XX Process"

Scope
Definition: The boundaries within which the fraud risk assessment will take place.
Fraud risk assessment "XX Process":
• The specific parts of the XX process to be assessed for fraud risks.
• The business units and operational teams involved in the processes to be assessed.
• Tools to be used in the fraud risk assessment.
• Logistical considerations, milestones and timelines for completing the fraud risk assessment.

Context
Definition: The internal and external factors influencing the environment the entity operates in.
Fraud risk assessment "XX Process":
Internal factors may include:
• The strategic objectives of the entity and how this influences the XX process.
• The existing employee level in the XX process and their experience, as well as their level of training in identifying indicators of potential fraud.
External factors include:
• Increasing fraud trends targeting the XX process.
• Recent known scams in the public domain that have been uncovered.

Criteria
Definition: Likelihood and consequence criteria aligned to an entity's existing risk framework that can be used to rate fraud risks identified in the fraud risk assessment.
Fraud risk assessment "XX Process":
• Likelihood criteria: a rating scale (i.e. Extremely unlikely to Almost certain) set by the entity to identify the expected frequency of a fraud risk in the XX process being realised, both with no internal controls in place (inherent) and with existing controls in place (residual).
• Consequence criteria: a rating scale (Low – Catastrophic) across a number of defined loss factors (i.e. financial damage, reputational damage, legal damage), to identify the expected impact of a fraud risk in the XX process being realised, both with no internal controls in place (inherent) and with existing controls in place (residual).
• What is acceptable frequency / consequence.


A5.3 Risk assessment tools

A5.3.1 Example fraud risk assessment worksheet

A fraud risk assessment worksheet can be used to document all relevant information for each risk identified and assessed. Having applied the worksheet for this purpose, it can also then be used as a risk register (alternatively, identified and assessed fraud risks could be included in the entity's enterprise risk register).


The following is a short summary of the information that would be recorded on each risk assessment sheet (note that much of the information referred to in the following table will not have been prepared in the risk identification stage when the fraud risk worksheet is first created. The worksheet is intended to build over time as the entity works its way through the identification, analysis, evaluation and treatment development phases).

As noted above, each identified risk should be recorded on a separate risk assessment worksheet. The risk assessment worksheet can then be used as the entity's register of fraud risks. Alternatively, identified and assessed fraud risks can be recorded in the entity's enterprise risk register.

Columns: Data field | Information to be recorded (for each risk)

Fraud Risk Number: A reference number unique to each risk – the risk number is used in all outputs of the risk assessment process.

Fraud Risk (Short Title): Short description of the risk that is generally used to identify the risk being discussed in relevant outputs.

Description of Risk: A more detailed outline of the risk consistent with the short title.

Risk Owner: The individual or position within the business unit who has primary responsibility for the business systems relevant to the identified fraud risk.

Department: The department to which the business unit belongs (see below).

System Business Unit: The business unit that has most control of the business systems and processes relevant to the identified risk.

Entered By: The individual or position who entered the fraud risk particulars into the risk assessment worksheet.

Date Assessed: The date on which the worksheet was populated.

Current Internal Controls: A short active title / description of each existing internal control (e.g. "System controls only allow limited authorised users to change bank accounts") and a short statement as to how the internal control mitigates the risk.

Current Internal Controls Rating: A rating on an appropriate scale (i.e. "Ineffective", "Partially Effective" or "Effective") of the effectiveness of each internal control on mitigating the risk.

Proposed Treatment (If Applicable): Treatments the entity proposes to take to strengthen the existing internal control framework and reduce the risk rating to an acceptable level.

Proposed Treatment (If Applicable) Rating: A rating on an appropriate scale (i.e. "Ineffective", "Partially Effective" or "Effective") of the effectiveness of each treatment on mitigating the risk.

Proposed Treatment Priority: The proposed priority of the treatment.

Overall Ratings – Pre-treatment Internal Control: A rating on an appropriate scale (i.e. "Ineffective", "Partially Effective" or "Effective") of the overall effectiveness of the existing internal control framework on mitigating the risk.


Overall Ratings – Pre-treatment Likelihood: A rating on an appropriate scale (i.e. "Almost Certain" to "Rare") of the likelihood of a risk being realised with the existing internal control framework.

Overall Ratings – Pre-treatment Consequence: A rating on an appropriate scale (i.e. "Extreme" to "Negligible") of the consequence of a risk being realised with the existing internal control framework.

Overall Ratings – Post-treatment Internal Control: A rating on an appropriate scale (i.e. "Ineffective", "Partially Effective" or "Effective") of the overall effectiveness of the post-treatment internal control framework on mitigating the risk.

Overall Ratings – Post-treatment Likelihood: A rating on an appropriate scale (i.e. "Almost Certain" to "Rare") of the likelihood of a risk being realised with the post-treatment internal control framework.

Overall Ratings – Post-treatment Consequence: A rating on an appropriate scale (i.e. "Extreme" to "Negligible") of the consequence of a risk being realised with the post-treatment internal control framework.

Overall Risk Rating Pre-treatment: A rating on an appropriate scale (i.e. "Very High" to "Low") of the fraud risk level by reference to the risk matrix (taking into account the assessed effectiveness of pre-existing internal controls).

Overall Risk Rating Post-treatment: A rating on an appropriate scale (i.e. "Very High" to "Low") of the fraud risk level by reference to the risk matrix, taking into account the assessed effectiveness of the post-treatment internal control framework.


A5.3.2 Risk assessment and treatment process overview

[Figure: risk assessment and treatment process overview]
Source: OAG based on AS ISO 31000:2018 Risk management – Guidelines Clause 6.4 and 6.5


A5.3.3 Key fraud risk identification questions

Some key questions to ask when trying to identify fraud risks are listed below.

Key questions that need to be asked in identifying fraud risks
• If I wanted to steal from this entity, knowing what I know about the current business systems, process and internal controls, how would I do it?
• If I wanted to get some sort of improper financial or non-financial advantage out of my position, how would I do it?
• What do I know about this process that nobody else knows or checks?
• Who has sole control over specific systems or processes that nobody else has visibility over?
• What forms of payment does this process have – is it cash, card, EFT etc.?
• How can this process be made easier for the process owner at the expense of the entity?

A5.3.4 Commonwealth Fraud Prevention Centre's 'Actor, Action, Outcome' method of describing fraud risks[16]

An effective method for describing fraud risk is to consider the actor, action and outcome. The level of detail is important when describing fraud risks. Without sufficient detail it becomes difficult to consider the factors (i.e. actors and actions) that contribute to the fraud risk and how fraud controls will specifically address these contributing factors.

An example of a poorly defined fraud risk from the invoice payment process provided would be "Fraud in the invoice payment process".

The following are more accurately defined fraud risks from the same example:
• "a service provider (Actor) submits a falsified invoice (Action) to receive a payment for services not provided (Outcome)"
• "a service provider (Actor) coerces an official to approve and/or process a falsified invoice (Action) to receive a payment for services not provided (Outcome)"
• "an official (Actor) manipulates the finance system (Action) to divert an invoice payment to their own bank account (Outcome)".

Judgement should be applied in striking a balance between capturing sufficient detail and documenting a manageable number of fraud risks. This could be achieved by combining similar risks and clearly documenting the various contributing factors (actors and actions).

[16] Commonwealth Fraud Prevention Centre 'Fraud Risk Assessment – Leading Practice Guide'.


The description can help with an entity's assessment of its fraud risks and how it considers ways in which to control them. Some of these controls may already exist and some may be new.

For example, an entity might limit the opportunity for an accounts payable officer to submit and process a fictitious invoice that pays into an employee's account by:

• splitting the authorising powers (submit and process)
  o segregation of duties between invoice entry and payment authority
• validating the invoice details (fictitious invoice)
  o third party verification of goods/services being received
  o check supplier details in your supplier master file are an exact match to public records (e.g. Australian Business Register)
• cross-checking internal records (employee account)
  o compare bank accounts in the supplier payment file against employee bank accounts.

Entit

ies

can

link

each

of t

he a

bove

con

trols

bac

k to

dis

tinct

par

ts (a

ctor

, act

ion,

out

com

e) o

f the

frau

d de

scrip

tion.
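As an added example that is not part of the guide, the cross-checks listed above (supplier details against a public register, payment-file bank accounts against employee accounts, submit and process kept separate) and the duplicate-payment risk described in A5.3.6 are expressed as data-analytic tests over constructed sample records; every record layout, field name and value is an assumption.

```python
"""Added example, not from the OAG guide: the fictitious-invoice cross-checks
and a duplicate-payment test run over constructed sample records.
All record layouts, field names and values below are assumptions."""
from collections import Counter

# Constructed supplier master file (what the entity's finance system holds).
SUPPLIER_MASTER = [
    {"id": "S1", "name": "Acme Cleaning Pty Ltd", "abn": "11111111111"},
    {"id": "S2", "name": "Bright Consulting", "abn": "22222222222"},
    {"id": "S3", "name": "Coastal IT Services", "abn": "33333333333"},
]
# Constructed stand-in for a public-register extract (ABN -> registered name).
PUBLIC_REGISTER = {
    "11111111111": "Acme Cleaning Pty Ltd",
    "22222222222": "Bright Consulting Pty Ltd",  # not an exact match to S2
    # 33333333333 deliberately absent: S3's ABN is not on the register
}
# Constructed employee master file with payroll bank details.
EMPLOYEES = [
    {"emp": "E100", "bsb": "016-001", "acct": "1234567"},
    {"emp": "E101", "bsb": "062-999", "acct": "9999999"},
]
# Constructed supplier payment file for one payment run.
PAYMENTS = [
    {"supplier": "S1", "invoice": "INV-1001", "amount": 4800.00, "paid": "2022-05-02",
     "bsb": "016-001", "acct": "1234567", "entered_by": "E100", "approved_by": "E100"},
    {"supplier": "S2", "invoice": "INV-77", "amount": 1250.00, "paid": "2022-05-03",
     "bsb": "036-002", "acct": "2345678", "entered_by": "E101", "approved_by": "E102"},
    {"supplier": "S2", "invoice": "INV-77", "amount": 1250.00, "paid": "2022-05-17",
     "bsb": "036-002", "acct": "2345678", "entered_by": "E101", "approved_by": "E102"},
    {"supplier": "S3", "invoice": "INV-9", "amount": 300.00, "paid": "2022-05-04",
     "bsb": "062-003", "acct": "3456789", "entered_by": "E101", "approved_by": "E102"},
]


def register_mismatches(suppliers, register):
    """Validate supplier details: the master-file name must be an exact match
    to the public record for that ABN; an ABN missing from the register is
    also flagged."""
    findings = []
    for s in suppliers:
        registered = register.get(s["abn"])
        if registered is None:
            findings.append((s["id"], "ABN not found in register"))
        elif registered != s["name"]:
            findings.append((s["id"], f"name mismatch: {s['name']!r} vs {registered!r}"))
    return findings


def payments_to_employee_accounts(payments, employees):
    """Cross-check internal records: a payment-file bank account that equals
    an employee's payroll account points at an insider-controlled vendor."""
    emp_by_acct = {(e["bsb"], e["acct"]): e["emp"] for e in employees}
    return [(p["supplier"], p["invoice"], emp_by_acct[(p["bsb"], p["acct"])])
            for p in payments if (p["bsb"], p["acct"]) in emp_by_acct]


def duplicate_payments(payments):
    """Same supplier and invoice number paid more than once in the run."""
    counts = Counter((p["supplier"], p["invoice"]) for p in payments)
    return sorted(key for key, n in counts.items() if n > 1)


def segregation_breaches(payments):
    """Submit and process must be split: flag entry and approval by one user."""
    return [(p["supplier"], p["invoice"]) for p in payments
            if p["entered_by"] == p["approved_by"]]


def run_checks(suppliers=SUPPLIER_MASTER, register=PUBLIC_REGISTER,
               employees=EMPLOYEES, payments=PAYMENTS):
    """Run every check; returns findings keyed by the control they implement."""
    return {
        "register_mismatch": register_mismatches(suppliers, register),
        "employee_account_match": payments_to_employee_accounts(payments, employees),
        "duplicate_payment": duplicate_payments(payments),
        "segregation_breach": segregation_breaches(payments),
    }


if __name__ == "__main__":
    for control, findings in run_checks().items():
        print(control, findings)
```

Each finding is a lead for the independent reviewer named in the controls, not a conclusion of fraud; a register name mismatch, for instance, is often a trading-name difference that the reviewer confirms and records.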

45 | Western Australian Auditor General

A5.3.5 Example diagrammatic presentation of assessed fraud risks

It can be useful to present identified and assessed fraud risks in diagrammatic form. The following example shows the relative ratings of likelihood and consequence and the resulting overall risk rating for ten accounts payable related fraud risks.

Diagrammatic analysis is also useful to show the projected change in risk rating as a result of implementation of a treatment plan introducing new or revised internal controls / fraud controls. The change in rating in relation to risk PR-1 is due to the introduction of new or revised internal controls that will reduce the consequence of the risk if it did occur (although in this example the likelihood remains unchanged).

A5.3.6 Example public sector fraud risks

The following is a short summary of fraud risks that are commonly found in the public sector environment. This summary is not intended to be an exhaustive list, but it can be used as a ‘thought provoker’ in the identification of operational risk types facing the entity being assessed.

Accounts payable fraud

False invoicing (creation of a fictitious vendor): A fictitious vendor is created in the finance system to which payments for false invoices are made for goods/services not ordered and not delivered (typically fraud of this type involves personnel within the entity but it can be perpetrated at times by external parties acting alone or by external parties operating in collusion with a member of the target entity’s workforce).

Fraudulent change to vendor master file: Fraudulent change to the entity’s vendor master file (i.e. change of bank details to divert legitimate vendor payments to an account controlled by the perpetrator) – this can be done by a person internal to the entity, a person external to the entity or by collusion between internal and external persons.

Online banking fraud: Manipulation of vendor or other payments in the online banking system immediately prior to execution of the payment file in the entity’s online banking system – the fraudulent manipulation of the online payment file is concealed by making false entries in the entity’s accounting records.

False invoicing (existing vendor): Manipulation and processing of fraudulent payments for invoices apparently rendered by a legitimate vendor but, in fact, fraudulently generated and issued by the perpetrator, who is generally a member of the entity's own workforce.

Duplicate payments for invoices already settled: More than one payment is made for the same invoice – this can be initiated inadvertently by a vendor who issues the same invoice twice in error, but the vendor then fails to report the double receipt and fraudulently converts the duplicate payment.

Procurement and tendering

Corruption of the procurement process (involving personnel within the entity): Corruption involving an employee of the entity and a vendor in the selection of a winning bid or tender, often involving bribery / kickbacks but often motivated by personal or family association between the bidder and the entity’s employee without direct financial reward – corruption can involve provision of a confidential bid price, contract details or other sensitive information to gain an advantage for one tenderer over other tenderers.

Bid rigging (excluding personnel within the entity): Collusive tendering between multiple bidders for the same contract for mutual advantage (no involvement of the entity’s personnel).

Conflicts of interest: Undeclared association between an employee of an entity and a tenderer giving rise to an actual or perceived bias in awarding of a contract.

Improperly receiving hospitality, gifts and benefits: An employee receiving or soliciting hospitality, gifts or benefits from a vendor or potential vendor hoping to gain a commercial advantage in doing so – depending on the circumstances, this behaviour may constitute fraud.

Falsification and manipulation of claims for work-related expenditure

Use of the entity’s funds for personal expenditure: Claiming employee expenses for business-related expenditure not incurred, or incurred for personal use or benefit (supported by false or inflated receipts / invoices).

Double-dipping: Claiming multiple reimbursements for the same expenses, or claiming for expenses paid personally using receipts for purchases already made via another of the entity’s reimbursement systems.

Diversion of incoming funds

Accounts receivable fraud: Redirection of incoming receipts to a spurious account followed by write-off of the accounts receivable balance.

Unauthorised discounts: Processing unauthorised discounts for early payment of invoices where the discount value is fraudulently transferred to the employee’s own bank account.

Unauthorised application of unknown receipts: Funds can be received by an entity where the source of the funds is unknown and the funds are allocated to a suspense account pending rectification – a possible fraud involves the transfer of part of the balance of the suspense account to an employee’s own benefit with a manipulation of the accounting system to conceal the theft.

Inflating invoice value: Inflating the value of an invoice raised by the entity, with receipts in payment of the invoice directed to a spurious account controlled by the staff member concerned, who then redirects the correct (reduced) value of the invoice to the entity’s correct account.

Vendor overpayment: Deliberately overpay a vendor in payment of an invoice for goods or services validly received, claim a refund for the overpayment and then direct the remittance to a spurious bank account.

Theft of cash / all funds received: Fraudulently failing to record receipt of cash received and then misappropriating it for own benefit.

Payroll

Timesheet fraud: Fraudulent submission of falsified timesheets for casual employees who did not work, with diversion of the resulting remuneration to own account.

Fraudulent alteration of remuneration rates: Alteration of remuneration rates (salaries or hourly rates) in the payroll system in relation to the employee making the change, or for another employee in exchange for personal benefit.

Ghost employee fraud: Fabrication of fictitious employees on the payroll with remuneration paid to own account.

Fraudulently failing to record personal leave: An employee taking personal leave (annual, long-service, sick or carer’s leave) without recording the leave in the HR system.

Worker’s compensation fraud: Fraudulent claims for injuries not sustained.

Assets and inventory

Asset theft: Theft of the entity’s assets, including computers and other IT related assets.

Information theft: Theft or abuse of proprietary or confidential information (customer information, intellectual property, pricing schedules, business plans, etc.).

Unauthorised private use of employer property: Use of employer property for personal use or benefit.

Cash theft: Theft of petty cash.

Manipulation of financial reporting

Fraudulent manipulation of an entity’s financial reporting: Fraudulent manipulation of financial reports in order to make it appear that a business entity has performed better (in financial or non-financial terms) than it has actually performed – this can be motivated by a need to demonstrate a certain level of personal performance in order to secure a performance bonus, but may also be driven in the public sector by the need to meet political expectations.

Cyber-borne attack

Business email compromise: Emails impersonating vendors or an executive instructing payment to be made to a spurious bank account or a change to existing bank details.

Phishing emails: Emails designed to dupe employees into providing personal information (i.e. by clicking on a link or opening an attachment).

Malware: Installing malware onto a computer or computer system within the entity which then issues fraudulent instructions (e.g. to change the bank account of a vendor in the vendor master file or change the payroll bank account of one or more employees).

A5.4 Risk treatment tools

A5.4.1 SMART principle for co-designing fraud controls [17]

Think about the fraud risk you have described and ways in which you might be able to prevent, monitor or detect the exploitation. The following table outlines the ‘SMART’ principle which can be applied to help co-design controls with key risk stakeholders.

Specific: The control should have a clear and concise objective. It should also be well defined and clear to anyone with a basic knowledge of the work. Consider: who, what, where, when and why.

Measurable: The control and its progress should be measurable. Consider:
• What does the completed control look like?
• What are the benefits of the control and when will they be achieved?
• The cost of the control (both financial and staffing resources).

Achievable: The control should be practical, reasonable and credible and should also consider the available resources. Consider:
• Is the control achievable with available resources?
• Does the control comply with policy and legislation?

Relevant: The control should be relevant to the risk. Consider:
• Does the control modify the level of risk (through impacting the causes and consequences)?
• Is the control compatible with the entity’s objectives and priorities?

Timed: The control should specify timeframes for completion and when benefits are expected to be achieved.

[17] Commonwealth Fraud Prevention Centre ‘Fraud Risk Assessment – Leading Practice Guide’.

A5.4.2 Example internal controls that may be effective in controlling fraud risks

The following is a short summary of internal controls that experience has shown may be effective in controlling fraud risks in each of the categories contemplated in A5.3.6 above. Once again, this is not intended as an exhaustive list and is intended to promote consideration of current and possible internal controls within each WA public sector entity when undertaking a targeted fraud risk assessment.

It is anticipated that these internal controls may be effective in controlling fraud by:

• preventing a fraudulent transaction from being processed
• quickly detecting a fraudulent transaction after it has been processed, thereby preventing any further transactions and minimising loss
• assisting an entity to respond to fraud incidents that have been detected.

The internal controls set out below can be used to:

• identify internal controls already in place during the risk analysis phase of the risk assessment
• identify internal controls that may be useful in further mitigating fraud risk in the risk evaluation phase of the risk assessment.

Accounts payable fraud

• Separate procurement and payment functions
• Separate handling (receipt and deposit) functions from record keeping functions (recording transactions and reconciling accounts)
• Require reconciliation to be completed by an independent person who does not have record keeping responsibilities
• Monitor the entity’s financial activity, compare actual to budgeted revenues and expenses
• Require procurement and accounts payable employees to take leave of a minimum duration (e.g. two weeks at a time) with another member of the team performing their role in their absence
• If the entity is so small that duties cannot be separated, require an independent check of work being done supplemented by appropriate and effective data analytics and other reviews appropriate to the entity’s situation

Procurement and tendering

• Implement a tendering / contracting panel made up of independent personnel (i.e. unconnected to the procurement processes) to oversee the awarding of contracts
• Standard contract conditions and specifications to be used, with variations to be approved by senior management
• Use evaluation criteria as agreed by the contract panel prior to tendering
• Contract terms and conditions should be those of the purchasing department and not subject to change without the written approval of senior management
• Clear audit trails with written records including formal authorisation of changes to original documentation
• Independent post-transactional review of a substantial sample of tendering and contracting transactions with a particular focus on high-risk transaction types
• Splitting of contracts should not be permitted unless authorised by senior management
• Management reviews of the reasonableness and competitiveness of prices
• Ensure contractors with a poor performance record are removed from the approved supplier’s list

Falsification and manipulation of claims for work-related expenditure

• Limit the number of entity issued purchasing cards and users
• Set account limits with purchasing card providers (value, items that can be purchased etc.)
• Require employees with entity issued purchasing cards to submit itemised, original receipts for all purchases followed by lodgement of hard copy supporting documentation
• Independent rigorous examination of credit card transactions each month including detailed review of relevant receipts, invoices and other supporting documentation
• Periodic review of a sample of hardcopy supporting documentation
• Monitor the entity's financial activity, compare actual to budgeted revenues and expenses
• Require an explanation of significant variations from budget

Diversion of incoming receipts

• Send official notification to all regular providers / suppliers with particulars of the entity’s bank account with a statement that this is the only account to which refunds should be remitted
• Independent post-transactional review of a sample of invoices rendered to identify any manipulations
• Independent post-transactional review of emails between accounts payable / accounts receivable personnel within the entity and customers / clients to determine if there is any indication of manipulation of invoices raised or payments made

Payroll

• Payroll system procedures and training
• Segregation of duties preventing payroll batch file payments or payroll master file changes without two approvers
• Limited system administrator access to the payroll system
• System controls to prevent changes to pay rates or salaries without approval
• Changes to payroll master file (e.g. particularly for bank account numbers) only available to employees via an HR ‘kiosk’ in the HR system – system unable to process a change of bank account number outside of the HR kiosk
• HR system to automatically generate a confirmation email to the employee where there has been a change of master file data
• Rigorous approval process for creation of new employees in the payroll system
• Timely notification process from HR to Payroll of employees due to resign from the entity
• Periodic review of payroll system audit logs
• Management review of variance reports from previous payroll run to confirm reasons for significant differences
• Employee background checks for new hires with access to the payroll system – this should include criminal record screening and specific questions about any previous integrity concerns / disciplinary findings etc.
• Mandatory password changes for those with access to the payroll system to a suitable strength and complexity
• Physical security of computers used by payroll staff with direct system access
• Electronic timesheet systems and approval process for overtime

Assets and inventory

• Physical security of desirable assets (i.e. laptops, IT equipment)
• Password protection and remote wiping capability in the case a laptop is lost or stolen
• Regular stocktakes of assets and inventory and updating asset registers
• Security of cash (i.e. petty cash) and gift vouchers in locked tins or a safe
• Tracking systems for assets and approval process for transfer of location
• Maintain vehicle logs, listing the dates, times, mileage or odometer readings, purpose of the trip, and name of the employee using the vehicle

Manipulation of financial reporting

• Active engagement with the entity’s external auditor in relation to the annual audit (i.e. working collaboratively with the auditor to identify any manipulation of the financial reporting)
• Analysis to identify unusual activity
• Detailed review of journal and other adjustments to the general ledger with a focus, as a minimum, on high value transactions

Cyber-borne attack

• BitLocker protection of all IT assets to ensure security of data
• Access to databases/systems requires unique user logon identification and password authentication
• Document authorisation that is needed to establish accountability and issue, alter, or revoke user access
• Prohibit shared user logon IDs and passwords
• Set database user access permissions that are based on the principles of least privilege and separation of duties
• Restrict access to servers and office locations which contain sensitive and confidential data by physical security to authorised personnel


Auditor General’s 2021-22 reports

Number Title Date tabled

19 Forensic Audit – Construction Training Fund 22 June 2022

18 Opinion on Ministerial Notification – FPC Sawmill Volumes 20 June 2022

17 2022 Transparency Report – Major Projects 17 June 2022

16 Staff Rostering in Corrective Services 18 May 2022

15 COVID-19 Contact Tracing System – Application Audit 18 May 2022

14 Audit Results Report – Annual 2020-21 Financial Audits of State Government Entities Part 2: COVID-19 Impacts 9 May 2022

13 Information Systems Audit Report 2022 – State Government Entities 31 March 2022

12 Viable Cycling in the Perth Area 9 December 2021

11 Forensic Audit Report – Establishment Phase 8 December 2021

10 Audit Results Report – Annual 2020-21 Financial Audits of State Government Entities 24 November 2021

9 Cyber Security in Local Government 24 November 2021

8 WA's COVID-19 Vaccine Roll-out 18 November 2021

7 Water Corporation: Management of Water Pipes – Follow-Up 17 November 2021

6 Roll-out of State COVID-19 Stimulus Initiatives: July 2020 – March 2021 20 October 2021

5 Local Government COVID-19 Financial Hardship Support 15 October 2021

4 Public Building Maintenance 24 August 2021

3 Staff Exit Controls 5 August 2021

2 SafeWA – Application Audit 2 August 2021

1 Opinion on Ministerial Notification – FPC Arbitration Outcome 29 July 2021

Office of the Auditor General Western Australia 7th Floor Albert Facey House 469 Wellington Street, Perth Perth BC, PO Box 8489 PERTH WA 6849 T: 08 6557 7500 F: 08 6557 7600 E: [email protected] W: www.audit.wa.gov.au

@OAG_WA Office of the Auditor General for Western Australia