Conducting a thorough Fraud Risk Assessment in the Public and Social Sector

The first step in conducting a fraud risk assessment is to identify the key risks that the organisation faces. This involves understanding the organisation’s operations, financial transactions, and internal controls. It is important when identifying key risks that organisations refer to historical information (such as previous fraud issues or complaints that have been raised and investigated) as well as emerging trends and patterns in the market.

For example, during the Covid-19 pandemic, a fraud risk assessment identified that the various support schemes in place were susceptible to fraud due to the speed in which they needed to be issued, and the time available to design effective controls. Although the new offence focuses on failure to prevent fraud when the organisation is a beneficiary of the fraud, this example highlights the importance of identifying risks early on to mitigate future instances of potential fraud.

Public sector organisations need to ensure that they are updating and undertaking fraud risk assessments with the new failure to prevent fraud offence in mind. This means identifying the risks that the organisation faces whereby someone associated with the organisation may commit fraud which will ultimately result in the organisation benefitting from the fraud.

Once key risks have been identified, the next step is to assess the likelihood and severity of each risk. This involves evaluating the potential impact of each risk on the organisation and the probability of its occurrence. It may be most beneficial to plot these identified fraud risks on a risk matrix, to allow for effective prioritisation of taking mitigating action in relation to each one.

We have included an indicative example risk matrix to demonstrate how a typical risk matrix may look. Please note that the metrics and definitions for assessing the severity and likelihood of the various identified risks should be determined internally at the organisation in advance of plotting the risks on the matrix.

This risk matrix should be periodically refreshed to ensure that the risks are being treated appropriately and the risk of occurrence or level of severity is not being mistreated. For example, with phishing or similar fraud attacks, the risks to an organisation may be growing at present with the advent of widespread AI tool adoption, with fraudsters even using voice cloning tools to impersonate public figures or senior members of staff to pressure finance staff to process inappropriate payments.

The success of a fraud risk assessment depends on the active participation of people from all areas of your organisation. This ensures that all risks are identified, and that the assessment reflects the realities of your organisation’s operations.

To engage people in the process, organisations can:

1. Communicate the importance of the assessment: Explain why the Fraud Risk Assessment is being conducted and how it will benefit the organisation.
2. Involve staff in the identification of risks: Encourage staff to share their insights and experiences, as they may be aware of risks that are not immediately apparent to management.
3. Provide training: Equip staff with the knowledge and skills they need to identify and assess risks. It is worthwhile considering engaging third party experts for this, who have deep sector expertise and can steer participants on the best training options for their organisation.

By following these steps, public and social sector entities can conduct a thorough fraud risk assessment, helping them to prevent fraud, protect their resources, and not fall foul of the new offence.

Inviting comment on organisational risk matrices from staff of all levels can deliver further assurance to organisation leaders that risks have been assessed and plotted correctly.

Taking action to mitigate risks is one of the most important aspects of the fraud risk assessment – putting into practise the learnings of the assessment and putting in place controls and systems to protect the organisation from the aforementioned risks. This is part of organisations taking adequate steps to prevent fraud, protecting them from liability under the new Failure to Prevent Fraud Offence.

This can include the following:

1. Implement Prevention Measures:

• Prevention is the most effective way to address fraud and corruption. This involves creating systems and procedures that make it difficult for fraud to occur. This can effectively minimise the opportunity to commit fraud, one of the three elements of the fraud triangle.
• Sensitively consider introducing additional controls, reviews and sign-offs, to ensure effective segregation of duties and effective, robust approval of actions and fund movements. This must be done collaboratively with staff in relevant departments, to not create arduous unwieldly processes which take away from the efficiency service delivery.

2. Conduct Fraud Control Testing:

• This involves testing the existing controls to identify their effectiveness and limitations, and understanding the organisation's exposure to fraud risk.
• This should be done periodically and may be best to do on an unannounced basis, to ensure that the controls are being tested as in practice, rather than giving any staff a chance to review and backdate it.

3. Establish a Risk, Threat and Prevention Service:

• This involves setting up a dedicated service within the organisation to manage and mitigate risks and threats related to fraud.
• This can be through leveraging existing resources and expertise, designating roles and counter fraud monitoring responsibilities, and training staff as required.

4. Follow Professional Standards and Guidance:

• Adhere to the professional standards and guidelines set for conducting fraud risk assessments. This ensures the assessment process is robust and reliable.
• The organisations should work with reference to the Government Functional Standard GovS 013: Counter Fraud.

Fraud Risk Assessments should be looked at as an on-going process rather than a one-off activity. The anticipated guidance from the Government on the new failure to prevent fraud offence is likely to be principle driven which emphasises the need for reasonable procedures to be embedded into fraud risk management processes rather than being one-off tick box exercises.

Best practice is to ensure that the steps outlined above are performed in a continuous cycle on a regular basis to ensure organisations stay on top of their fraud risks, and then have adequate prevention measures in place to counter emerging risks. The importance of carrying out this process on a regular basis is due to the fluid and dynamic nature of fraud. New risks can appear, the impact or the severity of the risk may change, or new processes or programmes may be implemented that have not been assessed previously.

It is important to ensure that governance structures are put in place to assist with the continuous monitoring of the risks identified from a fraud risk assessment. Ensuring that this responsibility is delegated to a relevant committee or board (such as the Audit & Risk Committee) will make sure that any decisions or actions that are taken in relation to the risks are documented and followed up.

Fraud risk assessments are intricate processes that involve evaluating vulnerabilities, identifying potential threats, and assessing the likelihood of fraudulent activities within an organisation. These assessments require a deep understanding of financial accounting and reporting systems, internal controls, and risk management. They can be complex in nature and can often be susceptible to biased evaluation if undertaken internally, with staff members possibly under-assessing risk in areas in which they have control or responsibility for. Organisations may find it beneficial to engage third-party subject matter experts to collaborate on, review, or undertake the completion of a Fraud Risk Assessment.