GxP Lifeline

Why Fraud Control Plans Are Completely Unnecessary


One of the plans that I see almost universally in government organizations, as well as in many large private companies, is the fraud control plan. It’s usually in place to highlight the organization’s approach to preventing, detecting and responding to fraud.

In my experience, however, these documents just become shelfware until the next time it is mandated that they be updated. It’s astounding that there are so many cases of fraud each year, at all levels of government, yet these fraud control plans merely collect dust.

So, why isn’t the fraud control plan preventing and/or detecting the fraud?

Managing Fraud

In the majority of organizations, the fraud control plan is not a dynamic document, designed to manage the risk of fraud, and it is certainly not one that people refer to on a regular basis.

Now, we know it’s important to keep a fraud control plan in a safe place, but one government agency took it a little too far. I kid you not. When I was asked to review their fraud control plan, they had to remove it from a safe! But before you giggle, their rationale had some merit, which was that if the people wanting to commit fraud understood the vulnerabilities within the organization, it would make it easier for them to conduct fraud.

Risk Register

So, what is the alternative to a fraud control plan? Quite simply, it is the risk register. And herein lies the irony. In many organizations, the risks associated with fraud will not be captured in the risk register — just the fraud control plan.

So, what are the risks that should be captured in the risk register? For most organizations, the following list should cover the majority of fraud-related risks:

  • Fraudulent/corrupt behavior by an employee involved in procurement.
  • Fraudulent/corrupt behavior by an employee involved in issuing of approvals/licences/authorizations.
  • Fraudulent behavior by an employee involved in financial transactions (including payroll).
  • Employee claims/receives benefits to which they are not entitled (includes leave, misuse of credit cards, etc.).
  • Contractor/provider paid for goods/services not received.

Once the fraudulent behaviors are identified, when we go through the process of identifying the causes, the controls and the measures of effectiveness for those controls, we are then able to provide assurance that those controls are effective.

Conclusion

If the risks associated with fraud are managed in the risk register, then there is absolutely no reason to have a fraud control plan.

Unfortunately, dust-collecting fraud control plans will remain just that until those who insist that government agencies and regulated entities maintain them recognize that they are of little use.

Instead, manage the risk of fraud in your risk register and ensure all the controls that are in place are effective, and that way you will get much better outcomes.

Reprinted with permission. This blog post is part of a risk management series on Farrar's website at https://paladinrisk.com.au



Rod Farrar is the Director of Paladin Risk Management Services, an Australian-based risk management business that provides risk management training and consultancy services to government and industry. Paladin’s flagship courses, the Diploma of Risk Management and Business Continuity and the Advanced Diploma of Governance, Risk and Compliance, have been attended by over 300 participants from all locations across Australia as well as Indonesia, New Zealand, PNG and Solomon Islands. Contact him at rod@paladinrisk.com.au.

