
Identifying and addressing fraud in procurement



There has always been a threat of fraud and corruption in procurement in both the private and the public sectors. It can be argued that fraud and corruption are equally serious no matter how much publicity they receive. However, news spreads far more swiftly now than it did even ten years ago, and the associated reputational risk of fraud and corruption amplifies the damage they can do. Minimising fraud and corruption is both an ethical necessity and an essential component of good governance.

This case study outlines risk management activities associated with potential fraud and corruption in the procurement function of a public-sector entity. The aim was to identify and determine the priority of risks associated with fraud and corruption, and to ensure that appropriate controls were in place or identified for future treatment.

The specific objectives of the risk assessment were to:

  • Identify, analyse and evaluate risks that affect the procurement function achieving its objectives at each stage of the procurement process, particularly those relating to fraud and corruption and breaches of probity and ethical standards
  • Determine the effectiveness of the existing controls for the risks and identify control gaps
  • Prioritise risks associated with fraud and corruption for treatment action, and provide key inputs for the development of options and appropriate control strategies to further treat the risks
  • Identify personnel responsible for producing risk treatment actions and those responsible for ensuring and sustaining the effectiveness of the controls.

While this case is set in the context of a government agency, most of the lessons are relevant to any organisation.

Procurement context

The demand for the agency’s services was projected to increase, due in part to:

  • Demographic changes in the agency’s customer base, affecting both the geographic distribution and the level of demand
  • Changes in customer preferences for specific services, some associated with climate change and perceived higher energy costs
  • The Government’s desire to address perceived poor satisfaction among the agency’s customers.

The need for additional and enhanced services was projected to lead to an increase in the number and scale of procurement activities. In particular, it was likely that:

  • Significant asset upgrades would be required
  • A large capital injection would be needed over and above the current capital programme.

In addition, recent investigations and follow-on actions by Government regulators and auditors, combined with increased adverse media coverage, had generated an increased awareness of and sensitivity to fraud and corruption.

Internal changes in the agency were also important:

  • A new Board had been appointed, with a higher focus on risk management, probity and ethics and a mandate to enhance business conduct
  • The agency was under budgetary pressure as a result of Government policies to achieve ‘efficiency dividends’, a euphemism for reducing costs
  • A new enterprise risk management framework was being implemented
  • The procurement organisation had been restructured, with revised processes, and a new procurement system had been installed.

The organisation was relatively large. Changing the entrenched culture and attitudes would be a challenge, and staff contending with cost savings, a new risk management framework, the restructuring of the organisation and introduction of a new procurement system might be more likely to make errors than they would have in a stable environment.

Key elements

The key elements used to structure the analysis are shown in Table 1.

Table 1: Key elements

Workforce capabilities and culture
  • Incentives, remuneration and performance management
  • Interaction with internal customers, external customers and suppliers

Internal processes
  • Organisational structure
  • Codes of conduct and delegations
  • Compliance and auditing functions
  • Information and technology platforms

External stakeholders
  • Customer and supplier relationships
  • Relationships with government departments
  • Protocols and probity
  • Management of the media and communications

Financial systems
  • Invoicing and accounts payable processes
  • Personnel records
  • Financial auditing
  • Internal and external reporting

Risk assessment

Risk identification

The work fell into two parts: a main risk identification activity, consisting of preparatory analysis and investigations leading to a risk workshop, followed by an initial control analysis workshop. All participants were asked to provide a list of risks in their area of procurement and in the agency in general, based around fraud and corruption scenarios. Additional information was extracted from fraud and corruption audits, checklists and incident histories. These risks were compiled prior to the risk workshop, grouped into the four key elements in Table 1.

The list of risks was reviewed and expanded in the risk workshop.

The risk assessment was limited in scope to procurement and, specifically, to fraud and corruption. This analysis identified potentially serious and important risks, but the narrow scope could not be inclusive of all the risks associated with the procurement function; there are many more procurement-related risks that do not involve fraud and corruption. Work was in hand to ensure these were addressed elsewhere as part of the overall enterprise risk management activity.

The most important existing controls were recorded for each risk.

Risk analysis and evaluation

Risks were analysed using the processes set out in the agency’s enterprise risk management framework, which was compatible with ISO 31000. For each risk, with its group of current controls, the analysis recorded:

  • The effectiveness of the controls as a whole, compared to the best the agency could achieve, using the control effectiveness rating in Table 2
  • The consequences of the risk, with the controls in place
  • The likelihood of that level of consequence arising, again with the controls in place
  • The level of risk, based on the consequences and their likelihood
  • The potential exposure, the maximum foreseeable loss for the agency should all the controls fail, rated using the agency’s consequence scale.

Further analysis was conducted outside the workshop with small groups of managers and individual meetings.

Table 2: Control effectiveness

Fully effective
  Nothing more to be done except review and monitor the existing controls. Controls are well designed for the risk, are largely preventive and address the root causes, and management believes that they are effective and reliable at all times. Reactive controls only support the preventive controls.

Substantially effective
  Most controls are designed correctly and are in place and effective. Some more work is needed to improve operating effectiveness, or management has doubts about operational effectiveness and reliability.

Partially effective
  Either the design of the controls is largely correct, in that they treat most of the root causes of the risk, but they are not currently very effective and there may be an over-reliance on reactive controls; or some of the controls do not seem correctly designed, in that they do not treat root causes, while those that are correctly designed are operating effectively.

Largely ineffective
  Significant control gaps. Either the controls do not treat root causes or they do not operate at all effectively. Controls, if they exist, are purely reactive.

None or totally ineffective
  Virtually no credible control. Management has no confidence that any degree of control is being achieved, because of poor control design or very limited operational effectiveness.

Initial outcomes from the assessment

Figure 1 shows how many of the 24 risks that were analysed fell into each region of the agency’s rating framework. The eight High risks, those in the pink zone, are listed in Table 3.

Figure 1: Levels of risk

Table 3: Summary of the highest risks

Something happens … / Leading to …

The agency pays for work that has not been carried out, or not carried out to the required standard
  • Reputation damage
  • Reduced value for money; financial loss
  • Low quality of work received
  • Adverse safety impacts

A staff member purchases equipment unnecessarily
  • Reputation damage
  • Increased purchase cost; reduced value for money; financial loss
  • Reduced staff morale

An employee makes false expense claims
  • Reputation damage
  • Reduced value for money; financial loss

An employee enters false information into financial systems for own benefit
  • Reputation damage
  • Reduced value for money; financial loss
  • Reduced staff morale

An employee claims overtime that has not been worked
  • Reputation damage
  • Reduced value for money; financial loss
  • Reduced staff morale
  • Lower productivity

Lack of commercial acumen by managers results in fraudulent and corrupt activity going undetected
  • Reputation damage
  • Reduced value for money; financial loss
  • Managers lack the confidence to detect and challenge fraudulent and corrupt practices

Collusion between staff and suppliers willing to participate in fraudulent activity
  • Reputation damage
  • Increased purchase cost
  • Reduced competition in the market because some suppliers are reluctant to bid
  • Reduced quality
  • Reduced staff morale

Fraud and corruption extent is overstated
  • Unhealthy paranoia about fraud and corruption
  • Employees become suspicious of others’ behaviour when unwarranted
  • Employees feel they are being unfairly targeted, resulting in reduced staff morale
  • Reduced value for money (overcautious, etc.)
  • Lower productivity

Figure 2 shows the relationship between control effectiveness of the risks and their levels of risk, the numbers showing how many fell into each cell of the matrix. Initially, attention should be focussed on improving the controls for the eight highlighted risks, those where it was acknowledged that more could be done, of which four are rated High. The High risk with controls that are largely ineffective might warrant particular scrutiny.

Figure 2: Control effectiveness and levels of risk

Most of the risks remain quite high and so require further treatment action. It is noticeable that some of the lower-rated risks have high levels of control effectiveness, while some of the higher-rated risks have weaker controls than might be expected or desired.

Further analysis

Overall, many of the fraud-related risks in the procurement function stem from causes of a similar nature. They can be classified into five main groups:

  • An employee causes a contract or a position on a panel to be awarded inappropriately (10 of the 24 risks identified)
  • The agency pays for work that has not been carried out or is not to the required standard (9 of the 24 risks identified)
  • An employee manipulates financial systems for his or her own benefit
  • An employee receives a benefit from a supplier or potential supplier
  • An employee solicits a benefit from a supplier or potential supplier.

The classification into these main groups provides some insight into the functional areas of the organisation in which owners for these risks might be located, those managers who are in the best position to control and treat them. The groups also demonstrate that many of the risks are just different ways of thinking about quite similar scenarios, and so many of them have similar controls and can be addressed by similar forms of risk treatment.

Risk treatment

Identification of control gaps and treatment options

A detailed control analysis was conducted for each of the 24 risks, including the eight highest risks noted in Table 3. The analyses all used the ‘bow tie’ template in Figure 3. Bow ties set out the causes and impacts clearly for each risk, and the controls in place for each one. (More details on bow tie analysis are available here.)

The ‘control gaps’ (where there were few effective controls for identified causes or impacts of each risk) provided a starting point for identifying options for further risk treatment. Most of the identified existing controls were allocated to a control owner.

Figure 3: Bow tie template for control analysis

The risks and the possible treatment options were mapped onto the stages in the agency’s procurement process (Figure 4). The purpose was to facilitate integration of new controls arising from the implementation of treatment actions with procurement activities at each stage.

Figure 4: Risks and procurement stages

Procurement function changes

As part of wider improvement across the agency's procurement function, several changes were initiated. Some of these would also address risks associated with fraud and corruption. They are outlined in Table 4.

Table 4: Changes in agency procurement

  • Centralised structure
  • Staff specialisation
  • Central contact point: Procurement Help Desk

  • Standardised and consistent processes and accountabilities
  • Automated delegations
  • Controls to detect non-compliance

  • Integrated system, with simplified user interfaces
  • Enforced segregation of duties
  • Standardised evaluation criteria
  • Formalised purchase orders, via the system
  • Standard reporting, including for monitoring and audit
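Several of the Table 4 changes (enforced segregation of duties, automated delegations, controls to detect non-compliance, standard reporting for monitoring and audit) are the kind of line-1 control that can be expressed as checks run routinely over the procurement system's own records. The script below is an added example written for this page; it is not the agency's system or code, and every record, person, role, supplier, delegation limit and time window in it is constructed. It applies four checks to purchase orders, goods receipts and invoices: a requester who approves or receipts their own order, an order approved above the approver's delegated limit, a run of orders to one supplier that are each under the limit but together exceed it (order splitting, a common way of defeating a delegation threshold, which the case study does not name but which the same data supports), and a paid invoice with no order, no goods receipt, or a value above what was receipted, which is the first risk in Table 3.

```python
# Added example, not the agency's code: detective checks of the kind listed in
# Table 4 (enforced segregation of duties, automated delegations, controls to
# detect non-compliance) run over constructed purchase orders, goods receipts
# and invoices. Every record, name, role, limit and window below is made up.
from collections import defaultdict, namedtuple
from datetime import date, timedelta

PurchaseOrder = namedtuple("PurchaseOrder", "po_id supplier requester approver amount raised")
GoodsReceipt = namedtuple("GoodsReceipt", "po_id received_by amount")
Invoice = namedtuple("Invoice", "invoice_id po_id amount paid")

# Assumed delegation limits: the largest order each approver may sign off.
# Anyone not listed holds no delegation, i.e. a limit of zero.
DELEGATION_LIMITS = {"mgr_a": 20_000.0, "mgr_b": 50_000.0, "dir_c": 250_000.0}
SPLIT_WINDOW = timedelta(days=14)  # orders to one supplier inside this window are compared

def check_segregation(pos, receipts):
    """Flag orders where one person held two of: request, approve, receipt."""
    findings = []
    receiver_of = {r.po_id: r.received_by for r in receipts}
    for po in pos:
        if po.requester == po.approver:
            findings.append((po.po_id, "requester approved own order"))
        if receiver_of.get(po.po_id) in (po.requester, po.approver):
            findings.append((po.po_id, "requester or approver receipted the goods"))
    return findings

def check_delegations(pos, limits=DELEGATION_LIMITS):
    """Flag orders approved above the approver's delegated limit."""
    findings = []
    for po in pos:
        limit = limits.get(po.approver, 0.0)
        if po.amount > limit:
            findings.append((po.po_id, f"{po.amount:.2f} exceeds {po.approver}'s limit {limit:.2f}"))
    return findings

def check_split_orders(pos, limits=DELEGATION_LIMITS, window=SPLIT_WINDOW):
    """Flag a requester/supplier pair whose orders inside `window` each sit under
    the approver's limit but together exceed it: splitting to dodge a delegation."""
    findings = []
    by_pair = defaultdict(list)
    for po in pos:
        by_pair[(po.requester, po.supplier)].append(po)
    for (requester, supplier), group in by_pair.items():
        group.sort(key=lambda p: p.raised)
        for i, first in enumerate(group):
            run = [p for p in group[i:] if p.raised - first.raised <= window]
            limit = min(limits.get(p.approver, 0.0) for p in run)
            total = sum(p.amount for p in run)
            if len(run) > 1 and total > limit and all(p.amount <= limit for p in run):
                findings.append((requester, supplier, tuple(p.po_id for p in run), total))
                break  # report the first qualifying run for this pair
    return findings

def check_three_way_match(pos, receipts, invoices):
    """Flag paid invoices with no order, no goods receipt, or a value above what
    was receipted: the agency paying for work not done (Table 3, first risk)."""
    findings = []
    po_ids = {p.po_id for p in pos}
    received = defaultdict(float)
    for r in receipts:
        received[r.po_id] += r.amount
    for inv in invoices:
        if not inv.paid:
            continue
        if inv.po_id not in po_ids:
            findings.append((inv.invoice_id, "paid with no purchase order"))
        elif inv.po_id not in received:
            findings.append((inv.invoice_id, "paid with no goods receipt"))
        elif inv.amount > received[inv.po_id]:
            findings.append((inv.invoice_id, "paid above receipted value"))
    return findings

# Constructed sample records (illustrative only).
POS = [
    PurchaseOrder("PO-1", "Acme Civil", "alice", "mgr_a", 8_000.0, date(2024, 3, 1)),
    PurchaseOrder("PO-2", "Acme Civil", "alice", "mgr_a", 9_500.0, date(2024, 3, 6)),
    PurchaseOrder("PO-3", "Acme Civil", "alice", "mgr_a", 7_000.0, date(2024, 3, 12)),
    PurchaseOrder("PO-4", "Beta Supplies", "bob", "bob", 3_000.0, date(2024, 3, 2)),
    PurchaseOrder("PO-5", "Gamma Works", "carol", "mgr_b", 60_000.0, date(2024, 3, 3)),
]
RECEIPTS = [GoodsReceipt("PO-1", "stores", 8_000.0), GoodsReceipt("PO-4", "bob", 3_000.0)]
INVOICES = [
    Invoice("INV-1", "PO-1", 8_000.0, True),
    Invoice("INV-2", "PO-5", 60_000.0, True),
    Invoice("INV-3", "PO-9", 1_200.0, True),
    Invoice("INV-4", "PO-4", 4_500.0, True),
]

def run_all(pos=POS, receipts=RECEIPTS, invoices=INVOICES):
    """Run every check and return the findings keyed by control."""
    return {
        "segregation": check_segregation(pos, receipts),
        "delegation": check_delegations(pos),
        "split": check_split_orders(pos),
        "match": check_three_way_match(pos, receipts, invoices),
    }
```

Run as a script, `run_all()` reports PO-4 twice under segregation (bob requested, approved and receipted it), PO-4 and PO-5 under delegation (bob holds no delegation; PO-5 is above mgr_a's colleague mgr_b's limit), alice's three Acme Civil orders as a split totalling 24,500 against a 20,000 limit, and three of the four paid invoices under the three-way match. In a real deployment the checks would read from the procurement and accounts payable systems, treat a missing delegation as a hard stop at approval time rather than a report line, and feed the standard monitoring and audit reporting that Table 4 calls for.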


Identifying fraud and corruption risks and controls

The approach adopted here to identifying risks associated with fraud and corruption was at a relatively high level, in the sense that it viewed the procurement process as a set of broad stages (Figure 4). One purpose of the analysis was to identify the main risks and their controls for each stage; the risk identification was suitable for that purpose.

If a more detailed and specific analysis had been needed, then a procedural HAZOP might have been conducted to examine each procurement activity in finer detail for a more comprehensive identification of potential fraud and corruption risks and control weaknesses, but that was not required here. In addition, as noted above, there were a relatively small number of specific causes for many of the procurement risks identified.

While risk identification was at relatively high level, the bow tie approach to recording controls and identifying control gaps outlined in Figure 3 was far more detailed. This allowed attention to be focussed on risk treatment and control improvement, fostering important benefits for the agency, rather than on more specific risk identification that may not have generated much additional value.

Where detail is needed then it can be obtained, but if it is not needed it is often more cost-effective to adopt a simpler approach. An investment of effort in identifying risks that reflected different aspects of the same scenario enabled the analysis to yield powerful insights that might not have been identified if a narrow, detailed analysis of each risk had been pursued on a piecemeal basis.

Addressing fraud and corruption risk

It is very difficult to address risks associated with fraud and corruption in isolation. In most circumstances fraud and corruption are outcomes or consequences of risks rather than sources of uncertainty themselves. Many people find it far easier and more powerful to identify sources of risk and then move forward to identify consequences, whereas ‘working backwards’ from consequences to causes is less familiar.

A high-level risk identification process, followed by classifying the risks into five main categories that were more closely associated with actions, clarified the analysis of controls and control gaps in a way the participants could engage with more readily. This promoted a more holistic perspective and a broader range of identified risks.

In most of our work we find that it is important to avoid categorising risks by outcomes or kinds of consequences: ‘fraud risk’, ‘conduct risk’, ‘environmental risk’, ‘legal risk’ and so on. There are many reasons for this:

  • As noted above, given sound facilitation that helps them avoid defaulting to these common labels, people find it easier to identify and think clearly about causes and then consequences rather than the other way around; this leads to a more comprehensive risk assessment that is easier to understand and to use as a basis for management action
  • It limits silo-based thinking, allowing all the risks the organisation faces to be addressed together, in a way that supports more effective treatment selection and more efficient resource allocation
  • It supports a more balanced assessment of risks that have several different kinds of consequences, each of which may be important; for example, for many risks the negative consequences for the organisation’s image and reputation may be far more severe than the direct cost of fraud, the effect on the environment or other impacts.

Integrating fraud and corruption controls

It is widely acknowledged that the most effective fraud and corruption controls are those that are ‘built in’ to standard business processes. In terms of the Three Lines of Assurance (or Three Lines of Defence) model, these are the controls at line 1, implemented as part of business-as-usual in an organisation rather than additional tasks.

In this case the risk assessment was linked to changes in the procurement function noted in Table 4. This allowed control design and implementation to be integrated with the revised processes and incorporated in the new technology. The changes to the procurement function provided an additional incentive and stimulus to the participants in the risk assessment process – they could see a clear pathway for implementing the outcomes from their assessment efforts.
