One of the plans that I see almost universally in government organizations, as well as in many large private companies, is the fraud control plan. It’s usually in place to highlight the organization’s approach to preventing, detecting and responding to fraud.
In my experience, however, these documents just become shelf ware until the next time it is mandated that they be updated. It’s astounding that there are so many cases of fraud each year, at all levels of government, yet these fraud control plans merely collect dust.
So, why isn’t the fraud control plan preventing and/or detecting the fraud?
In the majority of organizations, the fraud control plan is not a dynamic document, designed to manage the risk of fraud, and it is certainly not one that people refer to on a regular basis.
Now, we know it’s important to keep a fraud control plan in a safe place, but one government agency took it a little too far. I kid you not. When I was asked to review their fraud control plan, they had to remove it from a safe! But before you giggle, their rationale had some merit, which was that if the people wanting to commit fraud understood the vulnerabilities within the organization, it would make it easier for them to conduct fraud.
So, what is the alternative to a fraud control plan? Quite simply, it is the risk register. And herein lies the irony. In many organizations, the risks associated with fraud will not be captured in the risk register — just the fraud control plan.
So, what are the risks that should be captured in the risk register? For most organizations, the following list should cover the majority of fraud related risks:
Once the fraudulent behaviors are identified, when we go through the process of identifying the causes, the controls and the measures of effectiveness for those controls, we are then able to provide assurance that those controls are effective.
If the risks associated with fraud are managed in the risk register, then there is absolutely no reason to have a fraud control plan.
Unfortunately, dust-collecting fraud control plans will remain just that until it is recognized that they are of little use by those that insist government agencies and regulated entities maintain them.
Instead, manage the risk of fraud in your risk register and ensure all the controls that are in place are effective, and that way you will get much better outcomes.
Reprinted with permission. This blog post is part of a risk management series on Farrar's website at https://paladinrisk.com.au.