Commonwealth Pressure Testing Framework


CounterFraud.gov.au

Document Map

The following diagram maps out the documents and products that exist under this framework.

Pressure Testing Framework

Attachment A – Process for Targeted Assessments

Attachment B – Process for Critical and Comprehensive Assessments

Attachment C – Technical and Covert Testing

Products: Reporting Templates, Guides, Forms


Table of Contents

1 Executive Summary .......................................................................................................................... 4

1.1. The purpose of this framework ........................................................................................................... 4

1.2. What is pressure testing ...................................................................................................................... 4

1.3. Why dedicate resources to pressure testing ....................................................................................... 4

1.4. Why there is a need for pressure testing ............................................................................................ 5

1.5. What we mean by ‘testing’ countermeasures .................................................................................... 6

1.6. Some common vulnerabilities you might find ..................................................................................... 6

1.7. How pressure testing will improve how your entity manages fraud .................................................. 6

2 Foundations for pressure testing ...................................................................................................... 7

2.1 Where pressure testing fits within your entity’s counter fraud plan and system .............................. 7

2.2 Governance arrangements required for pressure testing................................................................... 7

3 Pressure testing processes ............................................................................................................... 8

3.1 Where to start ..................................................................................................................................... 8

3.2 What processes you need to follow .................................................................................................... 8

4 Pressure testing methods ................................................................................................................. 9

4.1 How to identify fraud risks .................................................................................................................. 9

4.2 How to think like a fraudster ............................................................................................................... 9

4.3 What is a countermeasure ................................................................................................................ 11

4.4 How to identify different countermeasures ...................................................................................... 12

4.5 Some ways you can test countermeasures ....................................................................................... 13

4.6 Testing methods ................................................................................................................................ 14

4.7 Some examples of different qualitative and quantitative measurements ....................................... 15

4.8 How to choose the right process and methods................................................................................. 16

4.9 How to determine if a countermeasure is effective or not ............................................................... 16

5 Treating countermeasure vulnerabilities ........................................................................................ 18

5.1 What happens if you find vulnerabilities in countermeasures ......................................................... 18

6 Reporting and monitoring .............................................................................................................. 18

6.1 How to track the progress of a pressure test .................................................................................... 19

6.2 What to report on.............................................................................................................................. 19

7 Support and continuous improvement ........................................................................................... 20

7.1 Where to get support ........................................................................................................................ 20

7.2 How to connect with others who are doing pressure testing ........................................................... 20

7.3 How to provide feedback to improve the framework ....................................................................... 20

8 Glossary of terms ........................................................................................................................... 21


1 Executive Summary

1.1. The purpose of this framework

Fraud is a serious, underestimated and often unchecked problem. Every Commonwealth entity is exposed to fraud in some way, and many are an active target for fraudsters, scammers and criminals. Entities do not always consider fraud when conducting their activities or know where they are vulnerable.

This framework sets out key principles and materials for conducting pressure testing within Commonwealth entities. Conducting pressure testing enables entities to identify fraud vulnerabilities and determine if their countermeasures (also known as controls) work effectively. This in turn can help entities prevent fraud and the devastating impacts it can have on the government, people, industries, services, and the environment.

This framework will help fraud specialists, government officials (including policy designers) and senior leaders to better understand pressure testing and how to conduct it within their entity.

This framework is issued by the Commonwealth Fraud Prevention Centre within the Australian Government Attorney-General’s Department and sets out the recommended best practice for pressure testing. It is a principles-based document and is designed to be flexible and adapted to entities’ individual circumstances. It should be read alongside the Commonwealth Fraud Control Framework and other relevant documents produced by the Commonwealth Fraud Prevention Centre.

1.2. What is pressure testing

Pressure testing is more than just looking at whether correct processes are being followed or checking compliance with a list of requirements. It is a leading-edge capability that helps entities test the effectiveness of their fraud countermeasures using different testing methods.

Pressure testers apply creative and critical thinking and look at processes and systems from the perspective of a fraudster. They do not assume countermeasures work effectively or trust that people will follow processes, rules and norms. Instead, pressure testers scrutinise processes and countermeasures by considering the common methods of fraudsters and applying an understanding of what motivates and enables individuals to commit fraud.

Pressure testing can also involve simulating common methods of insider threats and criminals to find a way around countermeasures and expose vulnerabilities. This is similar to ethical hacking processes applied in cyber security by both government and the private sector. This active form of testing is an effective way to evaluate countermeasures but is not essential nor necessarily the best testing method in every circumstance. The primary methods of pressure testing involve close collaboration with stakeholders to evaluate countermeasures and co-design treatments to address vulnerabilities identified during the process.

1.3. Why dedicate resources to pressure testing

Managing fraud can be a complex business which requires entities to dedicate resources across a range of important functions such as fraud risk assessments and fraud investigations. Section 2.1 of this framework provides an explanation of how pressure testing sits within fraud control strategies.


Pressure testing gives officials assurance that the entity’s ability to prevent, detect and respond to fraud is adequate and effective. It is a proactive way to eliminate an entity’s blind spots. If an entity knows where it is vulnerable and tests assumptions about the effectiveness of its controls, it is better informed to prevent fraud or uncover where it is being exploited and prevent the extended impacts of fraud.

Pressure testing can be conducted with a low number of resources. For example, one staff member can perform pressure tests. However, the value an entity receives from pressure testing increases as it invests more resources and builds its capability.

Pressure testing has been successfully conducted for a number of years in Australian government entities (such as Services Australia and the Department of Agriculture, Water and the Environment) and the United States Government Accountability Office. This framework builds upon their leading practice to give pressure testers a choice of processes that can be performed at different scales to suit the needs and resources of each entity. For example, entities can apply a pressure test to:

• an individual countermeasure
• a select number of critical countermeasures
• all the countermeasures entities can find within a business process or function.

Refer to the Commonwealth Fraud Prevention Centre’s guide on building a counter fraud investment case for practical advice on seeking new investment and resources.

1.4. Why there is a need for pressure testing

Fraud is a serious, underestimated and unchecked problem. Fraudsters are a capable and committed adversary who actively look for vulnerabilities within government programs. Recent studies by KPMG, PwC and the Association of Certified Fraud Examiners (ACFE) highlight that weak fraud countermeasures lead to more fraud than any other factor:

KPMG’s 2016 report ‘Global Profiles of the Fraudster’ notes that, “weak internal controls were a contributing factor for 61 per cent of fraudsters, compared with 54 per cent in 2013.” KPMG also found that while fraud detection methods continue to improve, technology is creating weaknesses as quickly as it is filling gaps.

PwC in their 2018 Global Economic Crime and Fraud Survey found that opportunities to commit fraud was the “leading contributor to the most disruptive fraud committed by internal actors.” Furthermore, PwC noted “virtually every significant internal fraud is a result of management circumventing or overriding controls,” and concluded that, “it is important to be wary of the false sense of security that internal controls, even well-designed ones, can bring.”

ACFE in their 2018 Global Fraud Study highlighted that the most prominent weaknesses contributing to fraud are a lack of internal controls (30 per cent) and the ability to override internal controls (19 per cent of cases). Their analysis in 2016 also revealed that weak controls allow fraud to go undetected for longer, leading to larger fraud.


The New South Wales Independent Commission Against Corruption recently warned that organisations undergoing major restructures or technological transformations are particularly vulnerable to losing oversight of risks and weakened control environments.[1] In this environment, entities must be alert to the changing nature of fraud, and manage the evolving risk accordingly. This must involve constant vigilance and a process for testing the effectiveness of fraud countermeasures.

1.5. What we mean by ‘testing’ countermeasures

How a fraud team ‘tests’ a countermeasure will always depend on the type of countermeasure. They may also need to test countermeasures in different ways. The primary methods include:

• research – such as desktop reviews and looking at case studies
• observation – such as process walk-throughs or workshops with stakeholders
• analysis – such as sample reviews or data analysis
• testing – such as technical testing or covert actions to breach countermeasures

This framework provides practical guidance on identifying and testing common types of fraud countermeasures.

1.6. Some common vulnerabilities you might find

Entities and fraud teams can expect to find the following common vulnerabilities through pressure testing:

• A lack of fraud awareness
• Inadequate quality assurance
• Staff or processes not verifying information or evidence
• A lack of effective oversight
• Weak technology countermeasures
• Inadequate detection countermeasures
• A lack of reporting or reconciliation.

1.7. How pressure testing will improve how your entity manages fraud

Entities and fraud teams can expect to receive the following additional benefits through pressure testing:

• Gain a better understanding of its different functions, programs and risks.
• Provide assurance that known risks or potential risks are effectively managed.
• Establish closer working relationships with internal and/or external stakeholders.
• Increase fraud awareness within the entity to help staff acknowledge the risk of fraud and the vulnerabilities in their processes.
• Identify and fix previously unknown vulnerabilities.
• Maintain program integrity through transformation activities.
• Align the entity’s existing counter fraud assurance processes to a whole-of-government approach.
• Improve the effectiveness of service delivery and organisational objectives.

Refer to the Commonwealth Fraud Prevention Centre’s guide on how to start pressure testing for practical steps entities can take to adopt pressure testing.

[1] Keeping it together: systems and structures in organisational change, p. 7, NSW Independent Commission Against Corruption, 2017


2 Foundations for pressure testing

2.1 Where pressure testing fits within your entity’s counter fraud plan and approach

The following diagram identifies where pressure testing fits within a good counter fraud approach.

Figure 1: Counter Fraud approach

2.2 Governance arrangements required for pressure testing

Pressure testing relies on the active engagement and support of senior officials within each entity. The processes and governance arrangements included in this framework can help achieve both of these particularly when scoping and approving activities and when managing the outcomes of a pressure test.

Before entities start pressure testing, they must put the following governance arrangements in place:

• Obtain approval from a relevant accountable official to start pressure testing, which may include adding it to an entity’s fraud control plan and strategy.
• Identify who will approve individual pressure test plans and covert testing activities (if required).
• Identify who will approve individual pressure test reports.
• Identify how key actions, decisions and outcomes will be recorded and reported.
• Identify how the implementation of treatments will be recorded and monitored.[2]

[2] You might evolve these governance arrangements over time.


3 Pressure testing processes

3.1 Where to start

When starting with pressure testing, it is beneficial for entities to start small and focus on a small number of countermeasures using simple methods. As entities build in maturity and capability, they may wish to conduct more comprehensive testing and utilise more advanced methods.

This framework outlines three pressure testing processes for entities to choose from. This enables them to conduct pressure testing at their preferred level of intensity (see Figure 2). Having these options can help entities to build their capability over time and choose the appropriate testing for their circumstances.

Figure 2: Pressure testing processes

Process: Targeted Assessment
Purpose: Testing individual countermeasures

Targeted Assessments help entities test the effectiveness of a single countermeasure or a small number of closely associated countermeasures. These targeted and agile assessments take minimal effort and allow entities to selectively test key countermeasures across a wide range of systems, processes and risks.

Process: Critical Assessments
Purpose: Testing only the most critical countermeasures

Critical Assessments help entities identify and test the effectiveness of the most critical countermeasures within a program or function. This process would help make sure resources are focused on an entity’s more critical countermeasures within a broader control environment.

Process: Comprehensive Assessments
Purpose: Testing all known countermeasures across integrated environments

Comprehensive Assessments help entities undertake comprehensive ‘deep-dive’ reviews that consider multiple current or emerging fraud risks across programs, payments, systems and processes and assess the effectiveness of the integrated control environment at mitigating these risks.

3.2 What processes you need to follow

The processes to follow for these assessments are covered in more detail under the following attachments:

Attachment A includes an outline of the process for undertaking a targeted assessment, a process map and an overview of the different stages.

Attachment B includes an outline of the process for undertaking critical and comprehensive assessments, a process map and an overview of the different stages.

Attachment C includes principles and processes for undertaking covert and technical testing.

An entity must manage operational risks associated with pressure testing in accordance with its risk management policy. It can be beneficial to develop a plan to deal with outcomes from the test including communications with relevant stakeholders.


4 Pressure testing methods

4.1 How to identify fraud risks

Pressure testers may be able to use existing fraud risk assessments to identify known risks and vulnerabilities. However, these might not always be available or helpful and may be based on incorrect assumptions. Therefore, during planning, pressure testers may need to complete an independent assessment of risks and vulnerabilities.

Refer to the Commonwealth Fraud Prevention Centre’s leading practice guide on fraud risk assessment for practical advice on risk identification, risk analysis, risk evaluation and risk treatment.

Tip: A good method for identifying fraud risk is to consider the actor, action and outcome. For example, a service provider (actor) provides false information about a service (action) to receive a government grant (outcome). Another similar formula that can help identify how someone would target a function or program, or get around a countermeasure is ABCD:

• Actors – Who are the actors involved? For example, recipients, staff, service providers.
• Benefits – What benefits would they gain by committing fraud?
• Countermeasures – What countermeasures would they encounter?
• Determined adversary – How would a determined adversary deliberately find a way around countermeasures to gain the benefit?

4.2 How to think like a fraudster

Fraud schemes vary in their complexity and creativity. On one end they might involve an individual stumbling upon an opportunity, such as a lack of oversight, and then taking advantage of their position and knowledge to exploit it. The other end might involve determined individuals or groups deliberately probing for ways to exploit programs and services, and creatively using tried and tested fraud methods to mislead or exploit the system. Pressure testing is an equally creative process and it helps to think like a fraudster when evaluating processes and testing countermeasures.

Pressure testing is more than just looking at whether countermeasures are in place and processes are being followed. Instead of simply trusting staff, providers and participants to follow processes, rules and norms, pressure testers consider the common methods employed by fraudsters and look for common features or vulnerabilities in programs or functions that motivate and enable them to commit fraud. This will require pressure testers to challenge assumptions and apply creative and critical thinking to find ways around countermeasures just like fraudsters do.


The following eight Fraudster Personas help entities look at processes, systems and countermeasures from the perspective of a fraudster (see Figure 3):

Figure 3 – Fraudster Personas

The Reckless: Someone who acts recklessly (without care, responsibility or regard to the consequences of their actions) by disregarding requirements, procedures, warnings or directions.

The Deceiver: Someone who dishonestly gains a personal benefit by making others believe something that is not true.

The Impersonator: Someone who dishonestly gains a personal benefit by pretending they are another person or entity.

The Fabricator: Someone who dishonestly gains a personal benefit by inventing or producing something that is false.

The Coercer: Someone who dishonestly gains a personal benefit by influencing, manipulating or bribing another person to act in a desired way.

The Exploiter: Someone who dishonestly gains a personal benefit by using something for a wrongful purpose.

The Concealer: Someone who dishonestly gains a personal benefit by preventing their actions from being seen or known about.

The Organised: Groups who dishonestly gain a benefit by using any combination of the other methods in a planned, coordinated and sophisticated way.


Fraudster Personas represent the different types of fraudsters who target government programs and services. Understanding these personas will help pressure testers consider the methods a fraudster might use to target a function or program, or get around a countermeasure. The Fraudster Personas can be adapted to address the types of fraudsters that are specific to your entity or program.

Note: fraudsters often exhibit behaviours from several different personas. For example, they may deceive a public official, impersonate another individual, fabricate evidence and then conceal their activity.

Visit CounterFraud.gov.au for more information on these Fraudster Personas including case studies.

4.3 What is a countermeasure

Countermeasures are individual measures, processes or functions that help entities prevent, detect and respond to fraud. An integrated assembly of countermeasures makes up a control environment. Some entities may refer to countermeasures as controls.

There are three high level categories of countermeasures:

Prevention

Prevention countermeasures are the most common and cost effective way to reduce fraud. They reduce the likelihood and consequences of fraud by preventing or limiting the extent of the risk occurring.

Prevention countermeasures can include people or process countermeasures to increase transparency and influence behaviours, or processes and technology-based countermeasures to stop or limit fraudulent activity.

Detection

Detection countermeasures can help to identify when fraud has occurred. They can help disrupt additional fraud and reduce the consequences. Detection countermeasures are not as cost effective as prevention countermeasures. However, the impacts of fraud can be significantly reduced if detected early.

Detection countermeasures can include people and process countermeasures such as conducting fraud awareness training and developing tip-off processes or technology-based countermeasures such as fraud detection programs.

Response

Response countermeasures respond to fraud after it has occurred. They help to reduce the consequences or disrupt additional consequences. Response countermeasures are not as cost effective as prevention or detection countermeasures. However, if implemented effectively, the present and future impacts of fraud can be significantly reduced.

Response countermeasures can include people and process countermeasures such as trained fraud investigators and investigation processes, or technology-based countermeasures such as audit logging and surveillance.


Countermeasures vary in their purpose and application. For example:

• Cultural and behavioural factors can play a large role in encouraging or discouraging fraudulent activities. Some countermeasures such as incentives, training or deterrence measures can:
  • influence behaviours or decisions to encourage compliance with rules, processes and expectations
  • influence behaviours or decisions to discourage non-compliance with rules, processes and expectations.

• Process countermeasures manage risk through a consistent application of designed functions. If designed correctly, countermeasures such as mandatory requirements, evidence verification, decision-making, documentation and quality assurance checks or audits can:
  • increase the likelihood of compliance with rules, processes and expectations
  • decrease the opportunity for non-compliance with rules, processes and expectations.

• Technology countermeasures manage risk through automated application of designed functions. If designed correctly, countermeasures such as guided procedures, data matching, audit logging and fraud detection programs can:
  • automatically enforce consistent compliance with rules, processes and expectations
  • automatically safeguard against non-compliance with rules, processes and expectations.

Visit CounterFraud.gov.au for more information about specific strategies and fraud countermeasures.

4.4 How to identify different countermeasures

As with identifying fraud risks, pressure testers may be able to use available fraud risk assessments to identify existing countermeasures. However, pressure testers will also likely discover undocumented countermeasures when they engage with relevant stakeholders.

Refer to the Commonwealth Fraud Prevention Centre’s catalogue of common countermeasures for help with discovering different types of fraud countermeasures.

The catalogue of common countermeasures is also available on CounterFraud.gov.au. This catalogue provides guidance on how to measure different types of countermeasures. This can improve the quality and consistency of testing across similar types of countermeasures. Consistent categories and metrics can also improve reporting.

The catalogue of common countermeasures provides:

• A summary of each countermeasure
• Specific examples of each countermeasure
• An explanation of the purpose of each countermeasure
• Suggested ways of measuring the effectiveness of each countermeasure
• Vulnerabilities to consider for each countermeasure[3]
• Dependencies, which are links to other countermeasures that entities can consider within a broader control environment.

[3] These are not available on www.CounterFraud.gov.au but can be provided on request.


4.5 Some ways you can test countermeasures

Pressure testers can use a variety of techniques to test the effectiveness of different types of fraud countermeasures. The type of method used will most often depend on the type of countermeasure being tested. Pressure testers may also need to test countermeasures in different ways.

Tip: A good analogy is how someone might measure the value of a gold nugget. They cannot measure the value of the nugget just by weighing it. Nor can they measure its value just by its purity. They need to determine its weight and purity, and then they need to consider the current market price for gold. Similarly, there may be different measurements needed to determine the true effectiveness of a countermeasure.

The primary testing methods involve research and working collaboratively with stakeholders to understand and observe how countermeasures work. In fact, stakeholder engagement is the most essential component of pressure testing. Pressure testers will directly engage staff at all levels of an entity, from senior officials and policy experts to frontline staff. Engaged stakeholders are essential for helping pressure testers understand complex or discreet processes and procedures. Pressure testers will also collaborate with stakeholders to co-design fraud risk treatments (see Chapter 5 for advice on treating vulnerabilities).

As an entity’s capability increases, it may also want to use more advanced ‘hands on’ methods such as data analysis and covert testing (see Figure 4).

Figure 4 – Methodology spectrum


4.6 Testing methods

Testing method and example, by category

Research

Desktop reviews – Research existing documents and compare against better practice and mandatory requirements. This enables the testing officers to confirm that the design of the countermeasure is sound.
Example: Reviewing an entity’s operational privacy policy to determine if it meets legislative, whole-of-government and better practice requirements.

Case studies – Review related circumstances where fraud has been perpetrated.
Example: Analyse the outcomes of relevant fraud investigations completed within or outside the entity.

Observe

Interviews, workshops or surveys – Collaborate with those involved in the implementation of a countermeasure. These can be focused on the design and/or implementation of the countermeasure.
Example: Conducting a ‘Black Hat’ workshop with stakeholders or surveying a sample of staff to get their perspective on the effectiveness of countermeasures.

System or process walk-through – A staff member runs testing officers through the process to demonstrate existing practices and how countermeasures apply.
Example: Staff walking testers through the system/process to demonstrate how a claim is processed and how countermeasures work.

Analyse

Sample analysis – To test against a specific policy, process and/or procedure. This is usually used to determine compliance, but may also be useful in assessing whether something is user-friendly.
Example: Checking a sample of procurements for compliance against the department’s procurement policies and processes.

Data analysis – Collecting quantitative and qualitative data and interpreting the results to measure the countermeasure effectiveness and fraud impacts.
Example: Collecting data to determine what percentage of staff have completed fraud awareness training within the past 12 months.

Test

Technical testing* – Practical testing of countermeasures to confirm they exist and observe how they operate. Specific tests would need to be designed for different topics.
Example: Cyber Security Teams running tests to provide reports that demonstrate countermeasure effectiveness. For example, Penetration Testing.

Covert testing* – Controlled scenario-based testing aimed at finding a way around fraud countermeasures and observing responses.
Example: Attempt to record a fake overtime claim to observe how approval, system and reporting countermeasures work.

* See Attachment C for guidance on undertaking technical or covert testing.


4.7 Some examples of different qualitative and quantitative measurements

Examples of qualitative measurements

Obtaining advice from subject matter experts about how countermeasures operate.

Comparing processes and work practices against:
• organisational or program policies and procedures
• ANAO performance audit reports or guidance
• Australian standards
• whole-of-government requirements such as the Commonwealth Procurement Rules.

Checking a sample of completed activities to confirm compliance with rules, processes and expectations.

Surveying staff to get their feedback on training or processes.

Reviewing the results of past internal or external audits.

Testing the functionality of system countermeasures to make sure they are operating to design specifications.

Gathering feedback from external parties such as the Commonwealth Department of Public Prosecutions on the quality of briefs of evidence.

Examples of quantitative measurements

Analysing statistical data or comparing results against a benchmark, for example, comparing the number of staff with a privileged system access versus the number of staff who are meant to have access.

Identifying the percentage of staff within a work unit who have undertaken fraud awareness training or information security training within the last 12 months.

Confirming the percentage of activities that undergo quality assurance checks.

Identifying the number of staff in Security Clearance Assessed Positions without a current security clearance.

Reviewing detection program results including the number of unauthorised accesses detected compared to previous periods.

Reviewing the number and type of cases referred for investigation compared to previous periods.

Identifying the percentage of successful prosecutions for a particular type of fraud matter.


4.8 How to choose the right process and methods

Not all of the above methods need to be applied in a pressure test. The type of processes and methods chosen may depend on an entity’s resources and capabilities (see Figure 6). For example, a targeted assessment using research and observational methods will require fewer resources and less capability than a comprehensive assessment involving more advanced analytical and testing methods.

Figure 6 – Resource and capability matrix

Note: Numbers in this figure represent resource intensiveness on a scale of 1-5, with 1 being low resource and 5 being high resource.

4.9 How to determine if a countermeasure is effective or not

After testing a countermeasure, pressure testers can consider the following questions to inform their conclusion about its effectiveness:

• What is the objective of the countermeasure and its unique role in managing the risk?
• What assumptions were made about the purpose and effectiveness of the countermeasure?
• What conclusions can be drawn from the testing results?
• Does the countermeasure work as designed? How do you know?
• What else can be checked to verify the countermeasure is working as designed?
• Is the countermeasure relevant and up to date?
• Is the countermeasure automated or applied by people? If applied by people, how do you know they are applying the countermeasure consistently or correctly?
• What are the activities that support or enable the countermeasure?
• Are there backup countermeasures or fail-safes that would apply if the countermeasure does not work?
• Does the countermeasure lead to any unintended changes in behaviour?

The following table provides guidance on the qualitative and quantitative considerations when determining a countermeasure’s effectiveness. The traffic light system is a useful way to communicate where countermeasures are effective or where vulnerabilities require action.


Rating: Effective

Quantitative considerations:
• The countermeasure operates as specified 100% of the time.
• The countermeasure operates as specified 90-99% of the time, however there are backup countermeasures (fail-safes) in place.

Qualitative considerations:
• The countermeasure is operating as specified.
• The countermeasure clearly addresses the risk causes or consequences.
• The countermeasure provides a reasonable level of assurance that objectives are being met.

Action required:
• Continue monitoring the countermeasure.

Rating: Partially Effective

Quantitative considerations:
• The countermeasure operates as specified 90-99% of the time.
• The countermeasure operates as specified 60-89% of the time, however there are backup countermeasures (fail-safes) in place.

Qualitative considerations:
• The countermeasure is occasionally operating as specified.
• The countermeasure partially addresses the risk causes or consequences.
• The countermeasure provides little assurance that objectives are being met.

Action required:
• Review the countermeasure and consider action to improve its design and/or operational effectiveness.
• Consider implementing backup countermeasures (fail-safes).

Rating: Ineffective

Quantitative considerations:
• The countermeasure operates as specified less than 60% of the time.
• The countermeasure operates as specified 60-89% of the time, and there are no backup countermeasures (fail-safes) in place.

Qualitative considerations:
• The countermeasure does not operate as specified.
• The countermeasure does not address the risk causes or consequences.
• The countermeasure provides no assurance that objectives are being met.

Action required:
• Take action to replace the countermeasure or improve its design and/or operational effectiveness.
• Implement backup countermeasures (fail-safes).

Note: The measures for assessing the effectiveness of each countermeasure will vary depending on the type of countermeasure. For example, some countermeasures may not even be partially effective if they operate as specified 90% or even 99% of the time.
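As an added example that is not part of the framework, the following Python applies the quantitative bands of the rating table above to a constructed sample (20 procurement files checked for a required second approval). The `strict` flag, the sample data and the `Observation` type are assumptions; `strict` models the note that some countermeasures are not even partially effective below 100%.

```python
from dataclasses import dataclass

# Action required per rating, paraphrased from the framework's table.
ACTION_REQUIRED = {
    "Effective": "Continue monitoring the countermeasure.",
    "Partially Effective": "Review the countermeasure; consider improving its design "
                           "and/or operational effectiveness and adding fail-safes.",
    "Ineffective": "Replace or improve the countermeasure; implement fail-safes.",
}

@dataclass(frozen=True)
class Observation:
    """One sampled item: did the countermeasure operate as specified for it?"""
    item_id: str
    operated_as_specified: bool

def compliance_rate(sample: list) -> float:
    """Percentage of sampled items where the countermeasure operated as specified."""
    if not sample:
        raise ValueError("cannot rate a countermeasure from an empty sample")
    hits = sum(1 for obs in sample if obs.operated_as_specified)
    return 100.0 * hits / len(sample)

def rate_countermeasure(rate_pct: float, has_fail_safe: bool, strict: bool = False) -> str:
    """Traffic-light rating following the section 4.9 table. strict=True (an
    assumption) models the note that some countermeasures are not even partially
    effective unless they operate as specified 100% of the time."""
    if rate_pct >= 100.0:
        return "Effective"
    if strict:
        return "Ineffective"
    if rate_pct >= 90.0:  # 90-99% band: effective only with a fail-safe
        return "Effective" if has_fail_safe else "Partially Effective"
    if rate_pct >= 60.0:  # 60-89% band: partially effective only with a fail-safe
        return "Partially Effective" if has_fail_safe else "Ineffective"
    return "Ineffective"  # below 60%

def assess(sample: list, has_fail_safe: bool, strict: bool = False) -> tuple:
    """Return (rate %, rating, action required) for one sampled countermeasure."""
    rate = compliance_rate(sample)
    rating = rate_countermeasure(rate, has_fail_safe, strict)
    return rate, rating, ACTION_REQUIRED[rating]

# Constructed sample: 20 procurement files checked for a required second approval;
# file PROC-007 lacks it, so the countermeasure operated as specified 95% of the time.
PROCUREMENT_SAMPLE = [Observation(f"PROC-{n:03d}", n != 7) for n in range(1, 21)]

if __name__ == "__main__":
    print(assess(PROCUREMENT_SAMPLE, has_fail_safe=False))
```

The same 95% sample rates Effective when a fail-safe exists and Partially Effective when it does not, which is the point of recording fail-safes alongside the raw percentage.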


5 Treating countermeasure vulnerabilities

5.1 What happens if you find vulnerabilities in countermeasures

Pressure tests will uncover gaps and vulnerabilities in an entity’s countermeasures. The processes outlined under Attachments A and B encourage a collaborative, co-design approach to treating these gaps and vulnerabilities. A collaborative approach helps an entity to:

• achieve greater engagement and buy-in from stakeholders
• cultivate positive and productive relationships with stakeholders
• support stakeholders to implement robust treatments.

Refer to the Commonwealth Fraud Prevention Centre’s leading practice guide on fraud risk assessment for practical advice on risk treatment.

The SMART principle is an example of what to consider when co-designing treatments with stakeholders:

Specific – The treatment should have a clear and concise objective, be well defined and clear to anyone with a basic knowledge of the work. Consider who, what, where, when and why.

Measurable – The treatment and its progress should be measurable. Consider:
• What does the completed treatment look like?
• What are the benefits of the treatment and when will they be achieved?
• The cost of the treatment (both financial and staffing resources)
  o how do the costs balance against the treatments?

Achievable – The treatment should be practical, reasonable and credible considering the available resources. Consider:
• Is the treatment achievable with available resources?
• Does the treatment comply with policy and legislation?

Relevant – The treatment should be relevant to the risk. Consider:
• Does the treatment modify the level of risk (through impacting the causes and consequences)?
• Is the treatment compatible with the entity’s objectives and priorities?

Timed – The treatment should specify timeframes for completion and when benefits are expected to be achieved.


6 Reporting and monitoring

6.1 How to track the progress of a pressure test

Entities can use the PTP02 - Reporting Template – Pressure Test Reporting Tracker to track the progress and record the outcomes of pressure tests undertaken. This tracker provides entities with a holistic view of multiple pressure tests and helps them measure performance and other key metrics.

6.2 What to report on

Entities are encouraged to report the following to the Commonwealth Fraud Prevention Centre at the end of each financial year or upon request:

• The number of pressure tests each entity currently has underway under the following categories: Targeted Assessments; Critical Assessments; Comprehensive Assessments.
• The number of pressure tests each entity has completed under the following categories: Targeted Assessments; Critical Assessments; Comprehensive Assessments.
• The total number of countermeasures each entity tested, and the number (and percentage) found to be effective, partially effective and ineffective.
• The number of treatments recommended and the total number agreed to be implemented.
• The number of resources dedicated to pressure testing (FTE at both the beginning and end of the financial year).

Entities are also encouraged to provide a summary report to the Commonwealth Fraud Prevention Centre on the countermeasures tested and the vulnerabilities found. This report will support the Commonwealth Fraud Prevention Centre to continually update and improve the Catalogue of common countermeasures and share learnings and common vulnerabilities with key stakeholders. This report will also enable the Commonwealth Fraud Prevention Centre to share learnings between entities in applying this framework.


7 Support and continuous improvement

7.1 Where to get support

Visit CounterFraud.gov.au or contact the Commonwealth Fraud Prevention Centre at [email protected].

7.2 How to connect with others who are doing pressure testing

The Commonwealth Fraud Prevention Centre will be facilitating a regular pressure testing community of practice to support collaboration and the sharing of better practices. Email the Commonwealth Fraud Prevention Centre at [email protected] if you would like to join.

7.3 How to provide feedback to improve the framework

We welcome your feedback on the Commonwealth Pressure Testing Framework. Email [email protected] with your thoughts or suggestions.


8 Glossary of terms

Authorising officer – the person or group of persons who has responsibility for authorising a pressure test and approving the results

Comprehensive assessment – a pressure test covering all fraud countermeasures in a program or function

Control owner – the person responsible for a fraud control environment or countermeasure

Countermeasure – individual measures, processes or functions that help entities prevent, detect and respond to fraud. An integrated assembly of countermeasures makes up a control environment

Covert test – a controlled scenario-based test aimed at actively circumventing fraud countermeasures

Critical assessment – a pressure test focusing on the most critical countermeasures in a program or function

Entity – a department of state, a parliamentary department, a listed entity or a body corporate established by a law of the Commonwealth

Fraud – dishonestly obtaining a benefit or causing a loss by deception or other means

Fraud control plan – a plan outlining the treatment strategies and controls put in place to manage fraud risks and vulnerabilities in an entity

Fraud control strategy – a document outlining an entity’s strategic direction for countering fraud including dealing with emerging and future fraud risks

Official – an official as set out under section Public Governance, Performance and Accountability Act 2013

Pressure test – a method of testing the effectiveness of fraud countermeasures

Pressure tester – an individual or team conducting a pressure test

Targeted assessment – a pressure test focusing on a single or small number of closely associated countermeasures

Technical test – practical testing of fraud countermeasures to confirm they exist and observe how they operate


We aim to be your trusted adviser.

The Commonwealth Fraud Prevention Centre works with Commonwealth entities to adopt and further develop pressure testing processes and techniques. It has also created a range of templates and guides for conducting pressure tests.

Contact us at [email protected] if you would like more information about pressure testing, be involved in the Commonwealth Pressure Testing Community of Practice or would like a copy of the Commonwealth Pressure Testing Framework.

CounterFraud.gov.au

[email protected]

Copyright Disclaimer

This guidance is provided in accordance with, and subject to, the Attorney-General’s Department’s copyright terms and conditions, which can be accessed at Counterfraud.gov.au/disclaimer-and-copyright.