Managing fraud and corruption risks: Is your policy best practice?

By Andrew Moore
02 Sep 2021
Regardless of their size and the sophistication of their systems and processes, all organisations face the risk of fraud or corruption occurring – whether perpetrated by an employee, the result of entrenched business practices that have become accepted as the norm over time (or gone undetected), or involving a third party or external supplier. One of the key findings of KPMG's 2021 Fraud Survey revealed 72% of organisations surveyed reported the risk of fraud and corruption had increased during the COVID-19 pandemic and 85% said they did not expect the risk to reduce this year.

Good corporate governance means having the best possible practices and systems in place to proactively identify, monitor, evaluate and respond to these risks, backed by regular and ongoing education of everyone in the business, from the top down.

A good place to start is ensuring you have a clear – and clearly articulated – fraud and corruption policy that sets out examples of what constitutes fraud and corruption, and steps for reporting any concerns.

Defining and providing examples of fraud and corruption

In June, Standards Australia released the third edition of AS 8001 The Australian Standard on Fraud and Corruption Control (for many years, the country's benchmark for preventing, detecting and responding to incidents of fraud and corruption). Amongst other things, it includes some useful definitions and examples of fraud and corruption which organisations should consider including when developing or amending their fraud and corruption policy.

Fraud has many forms

Fraud means dishonest activity causing actual or potential gain or loss to any individual or organisation. It includes theft of moneys or other property by persons internal and/or external to the organisation and/or where deception is used at the time, immediately before or immediately following the activity.

Examples of fraud may include (but are not limited to):

  • theft (eg. of plant, equipment, inventory, funds or cash);
  • accounting fraud (false invoicing, misappropriation etc.);
  • causing a loss to, or avoiding and/or creating a liability for, an organisation by deception;
  • misuse of an organisation's assets, equipment or facilities;
  • making or using false, forged or falsified documents;
  • wrongfully using or obtaining an organisation's information or intellectual property;
  • financial reporting fraud in order to obtain some form of improper benefit;
  • insider trading;
  • crypto-currency fraud (eg. theft of crypto-currency, selling worthless crypto-currency for fiat currency, or use of IT equipment of the target organisation to mine crypto-currency);
  • unauthorised access to bank accounts, payment redirection or use of a corporate credit card; and
  • ransomware attacks or other cyber-intrusions (eg. “phishing” to obtain confidential information).

Examples of corruption

Corruption means dishonest activity in which a person associated with an organisation (for example, a director, officer, employee, contractor or agent) acts contrary to the interests of the organisation and abuses their position of trust to achieve personal advantage or advantage for another person or organisation.[1]

An "advantage" is not restricted to monetary or material benefits; it may be tangible or intangible, including the unauthorised provision of access to, or disclosure of, information.

Examples of corruption include (but are not limited to):

  • releasing confidential information for other than a proper business purpose;
  • collusive tendering (the act of multiple tenderers for a particular contract colluding in preparation of their bids);
  • payment or receipt of secret commissions or benefits (bribes), which may be paid in money or in some other form of value to the receiver and may relate to a specific decision or action by the receiver or generally;
  • a serious conflict of interest involving a director or senior executive of an entity acting in his or her own self-interest, rather than in the interests of the entity to which he or she has been appointed;
  • manipulation of the procurement process by improperly favouring one tenderer over another, or selectively providing information to some tenderers;[2]
  • gifts or entertainment intended to achieve a specific or generic commercial outcome in the short- or long-term in breach of the entity’s values, behavioural code or gifts policy (or any relevant external party’s value or behavioural code); and
  • bribing public officials (locally or in foreign jurisdictions) in order to secure a contract for the supply of goods and services.

Assessing the risks and developing a control plan

As part of developing or updating your fraud and corruption policy, your organisation should conduct a fraud risk assessment using a methodology consistent with the relevant recognised standards.

You should also develop, implement and maintain a fraud and corruption control plan that addresses the organisation's exposure at strategic, operational and tactical levels and outlines measures for prevention, detection, reporting and investigation.

What else your policy should include

In addition to defining and giving examples of fraud and corruption, your organisation's fraud and corruption policy should address:

  • the organisation's position on fraud and corruption, including the risk, and the importance of early detection;
  • how allegations or incidents of fraud or corruption will be managed and investigated, including the assistance expected from directors, officers, employees, contractors and agents;
  • the consequences of acting fraudulently or corruptly, including termination of employment and legal action commenced by the organisation;[3]
  • due diligence measures required to be undertaken when dealing with third parties;
  • reporting channels should an employee, contractor or agent identify suspicious activity (including reference to any applicable Whistleblower Policy);
  • the key supporting role of the organisation's internal audit team in managing fraud and corruption risks; and
  • where further information and any related policies can be found.

To ensure that all employees understand their obligations and responsibilities, the policy should be included in the organisation's induction training program and be accessible on its intranet.

The organisation should also ensure it can show that all directors, officers, employees, agents and contractors have been provided with a copy, as external advisers assisting with an investigation will always ask whether that occurred.

Evolving your policy over time

Finally, as good corporate governance should evolve with a company's changing circumstances and reflect current best practice, you should ensure your organisation's fraud and corruption policy is reviewed periodically and alongside a fraud risk assessment.

Your in-house team should take the lead in developing or updating your organisation's fraud and corruption policy in conjunction with key stakeholders in other departments such as finance, risk, IT and human resources.


[1] Standards Australia AS 8001:2021 cl 1.4.8. This can also involve corrupt conduct by the organisation, or a person purporting to act on behalf of and in the interests of the organisation, in order to secure some form of improper advantage for the organisation either directly or indirectly.

[2] This can occur even with no payment of a bribe or other benefit. This typically involves allowing tenderers to re-submit a previous "non-complying" tender after being provided with the details of other bids.

[3] Civil and criminal enforcement of fraud and corruption cases is regulated by various laws, including the Criminal Code Act 1995 (Cth), State/Territory criminal statutes, the Corporations Act 2001 (Cth), the Competition and Consumer Act 2010 (Cth), equity and the common law.

Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.