We found that entities have not developed a good understanding of their fraud risks, or a clear vision of how they will manage them. As a result, entities cannot be sure they have adequate controls in place. These findings are similar to those of our 2013 audit into State government entity fraud controls, which found a lack of risk assessment and planning.
None of the entities we reviewed had assessed all their fraud risks. We found strategic risk registers included some consideration of external theft and fraud. But, these were incomplete, focussed on external threats, and did not consider all fraud risks. This supports results from our questionnaire, as 25% of respondents told us they had not completed a fraud risk assessment. Completing an assessment would give entities a view of all their risks, and allow them to evaluate their controls.
|Twenty-nine of the 116 entities (25%) that responded to this part of our questionnaire advised that they had not assessed their fraud risks. These entities had a combined expenditure of over $310 million in 2017-18.|
We found that most entities have not developed a Fraud and Corruption Control Plan (Plan). These results are similar to those from our 2013 audit of fraud prevention in State government entities. That audit reviewed 9 State government entities and found none had developed a Plan. Plans are important better practice tools that capture an entity’s commitment to manage its fraud risks, communicate its approach, and set timeframes and responsibilities.
Of the entities reviewed, only East Pilbara had developed a Plan. While the Shire completed this in 2013, it has not implemented any of the Plan’s actions.
All 5 entities had Codes of Conduct (Codes) and East Pilbara, Nedlands and Vincent also have strategic fraud prevention policies. While these contain anti-fraud information, they are not as comprehensive as a Plan as they do not include controls, or assign timeframes or responsibilities for actions. Without a Plan, entities cannot be sure their approach to managing fraud risks is comprehensive.
Responses to the questionnaire show this is an issue across the sector, as more than half (54%) the entities told us they had not created a Plan.
We received documents from 26 of the entities who told us they had a Plan or equivalent. However, we found only 7 of these contained all the key elements of the Standard. A further 8 contained at least 2 of the elements. Avenues for reporting suspected fraud, key controls to deal with fraud related risks and comprehensive fraud risk assessments were elements that were most commonly absent.
 Office of the Auditor General 2013 Fraud prevention and detection in the Public Sector. Report 7 – June.
 We reviewed the documents for key elements of the Standard including an entity position statement, accountabilities, a fraud risk assessment, outline of key controls, and reporting avenues and protections.