Why Fraud Control Plans are Completely Unnecessary
One of the plans that I see almost universally in government organisations, as well as in many large private companies, is the Fraud Control Plan. It’s usually in place to highlight the organisation’s approach to preventing, detecting and responding to fraud.
In my experience, however, these documents just become shelf ware until the next time it is mandated that they be updated. It’s astounding that there are so many cases of fraud each year, at all levels of Government, yet these fraud control plans merely ‘collect dust’.
So, why isn’t the Fraud Control Plan preventing and/or detecting the fraud?
In the majority of organisations, the Fraud Control Plan is not a dynamic document, designed to manage the risk of fraud and it is certainly not one that people refer to on a regular basis.
Now we know it’s important to keep a fraud control plan in a safe place, but one government agency took it a little too far. I kid you not, when I was asked to review their Fraud Control Plan they had to remove it from a safe! But before you giggle, their rationale had some merit, which was that if the people wanting to commit fraud understood the vulnerabilities within the organisation, it would make it easier for them to conduct fraud.
So, what is the alternative to a Fraud Control Plan? Quite simply – it is the risk register. And herein lies the irony. In many organisations, the risks associated with fraud will not be captured in the risk register – just the Fraud Control Plan.
So, what are the risks that should be captured in the risk register? For most organisations, the following list should cover the majority of fraud related risks:
- Fraudulent/corrupt behaviour by an employee involved in procurement.
- Fraudulent/corrupt behaviour by an employee involved in issuing of approvals/ licences/authorisations.
- Fraudulent behaviour by an employee involved in financial transactions (including payroll).
- Employee claims/receives benefits to which they are not entitled (includes leave, misuse of credit cards. etc).
- Contractor/provider paid for goods/services not received.
Once the fraudulent behaviours are identified, when we go through the process of identifying the causes, the controls, and the measures of effectiveness for those controls, we are then able to provide assurance that those controls are effective.
If the risks associated with fraud are managed in the risk register, then there is absolutely no reason to have a Fraud Control Plan.
Unfortunately, dust-collecting Fraud Control Plans will remain just that until it is recognised that they are of little use by those that insist government agencies and regulated entities maintain them.
Instead, manage the risk of fraud in your risk register and ensure all of the controls that are in place are effective, and that way you will get much better outcomes.
Don’t risk not knowing risk management – register for a Paladin Risk Management course today!