Author: Charles Strickland

Fraud and corruption risks are pervasive across all organisations, regardless of whether they operate in the public or private sector, or are for-profit or not-for-profit.

It’s important that all entities self-assess their operating environments and any risks to them. But designing preventative and detective internal controls isn’t a one-size-fits-all exercise. A large department has different risks to a hospital and health service, which again has different risks to a local government. This is expected as they operate in different environments.

Once an entity has identified any risks that arise from its self-assessment, it needs to ensure its overarching risk management plans effectively target and address them.

How do I complete a self-assessment?

We have updated our 2 better practice tools that help entities understand their fraud and corruption risks, determine how robust their internal control environments are, and document their risk treatments:

  1. Fraud risk assessment and planning model.
  2. Fraud and corruption self-assessment tool.

How do I use the fraud risk assessment and planning model?

Our model gives entities a step-by-step process for self-assessing how they identify fraud risk, control and treat risks, and monitor and report on the risks. It helps entities examine their business environment, develop overarching risk management plans, and conduct their fraud risk assessments in a comprehensive and consistent way.

It reflects our insights on fraud management from our audit work across public sector entities and local governments.

What does the fraud and corruption self-assessment tool do?

An effective fraud risk management framework includes an active strategy and effective controls to prevent, detect, and respond to occurrences of fraud or corruption. Having only policies, plans, and processes in place is not sufficient for combatting fraud and avoiding its high cost.

Our self-assessment tool enables entities to better understand where they need to improve their fraud controls and priority areas, so they can focus their improvement efforts on areas that matter most. It’s designed for use at an organisation level, and entities will maximise its value if their assessment is evidence-based.

What’s changed in the update?

We refreshed both the tool and model in 2023 to align with revised guidance, standards, and requirements.

The new tool now reflects the revised Australian standard 8001:2021 Fraud and corruption control. This includes:

  • new, minimum requirements to guide an entity’s approach to fraud and corruption control
  • updated definitions 
  • requirements and guidance on information system security, and information and communication technology.

It supersedes our original tool published in 2015.

The new model now aligns with the updated Australian standard AS/ISO 31000:2018 Risk management – Guidelines; Queensland Treasury’s A Guide to Risk Management (2020); and Australian standard 8001:2021 Fraud and corruption control. It supersedes our original model published in 2018 alongside our report to parliament Fraud risk management (Report 6: 2017–18).

What should I do now?

We encourage all entities to periodically self-assess their fraud and corruption risks and their internal controls. How often they do so will depend on, for example, their size, and any changes in structure and objectives, processes/systems, and leadership.

Better practice would be to use both the tool and model to complete an assessment, as this will provide detailed responses to support the assessment. Entities can use this to determine the most appropriate response to the results, and in briefing the board, chief executive, executive leadership, the audit and risk committee, and those charged with governance. 

The auditing standards require the Queensland Audit Office to consider fraud and corruption risks in planning and executing audits. We may ask if you have used our tools and to see the results. We encourage all entities to proactively discuss the results with their audit team.
