The table below shows key principles on which our audit focused. These principles are not exhaustive. Entities seeking to implement better practice approaches should also consult the Standard, and the guidelines prepared by the Department of Local Government, Sport and Cultural Industries.
||What we would expect
Develop a coordinated approach to manage fraud risks
|Risks are understood
- Fraud risks across the organisation are assessed and documented, and controls are in place.
|Approach is documented
- Fraud and Corruption Control Plan (Plan) is in place and reviewed at least once every 2 years.
|Internal audit considers fraud risks
- Audit committee engages with internal audit plan to ensure fraud risks are considered.
Create a fraud resistant organisation
|Policy framework is in place
- Integrity policies (such as Codes of Conduct and conflicts of interest) are appropriate, clearly written and available.
- Staff regularly engage with integrity policies. For example, by signing each year that they understand the Code of Conduct.
- Fraud prevention and awareness training, newsletters and presentations are used to communicate entities' ethical standards to staff.
|Internal controls are in place
- Business processes, especially those assessed as higher risk, have controls that are well documented, updated and understood by all staff.
- Entities verify the identity and credentials of all new employees and employees transferring to areas of higher risk, including:
  - verify necessary qualifications
  - review past work history and referee checks
  - criminal background checks
  - confirm professional memberships are valid.
- Supplier credentials are checked, particularly for high-risk or high-value purchases, including:
  - confirm ABN
  - confirm directors are not bankrupt or disqualified.
Entities are ready to detect fraud
|Detection systems are in place
- Entities should implement detection systems, as appropriate to their business needs, to identify potential fraud as soon as possible.
- Multiple avenues are in place for staff, the public and suppliers to report concerns.
- Reporting processes are well advertised, and include anonymous options.
Entities are ready to respond to potential fraud
|All information is considered
- Entities should implement processes to record, analyse and escalate all incidents.
- Processes are in place to review internal controls after incidents.