Watching the detectives: how superannuation fund administrators keep fraudsters at bay

Perpetrators of fraud will generally seek and exploit any number of loopholes in order to scam money from their victims. In the superannuation arena, additional vigilance is needed to protect members from the threat of unwanted scams targeting the constant and attractive flow of Superannuation Guarantee monies.

The risk is constantly shifting. Indeed, new portability requirements for funds may have increased their vulnerability to fraud by, for example, requiring rollovers to be processed within a shorter period. This is but one of many of the complex dynamics that fund administrators face when protecting against the risk of fraudulent activity for funds and their members.

The most practical way to design effective preventive controls is to, in effect, think like a fraudster. Workshop the potential fraud – discussing ways by which internal or external fraudsters might try to defraud the fund; prior fraud events; previous control reviews and the existing suite of controls.

Rice Warner believes that Australia’s superannuation funds, generally speaking, are doing a decent job in terms of preventative controls to mitigate the risk of superannuation fraud.

The regulatory framework is geared towards prevention of fraud. For example, APRA’s prudential standards include many requirements for the avoidance of fraud risk, as do its guide for trustees “How to Reduce the Risk of Fraud” and checklist for trustees “Superannuation Fraud”.

Further, APRA’s Prudential Standard SPS 220 “Risk Management” requires that the RSE licensee has a risk management framework that addresses both external and internal risks, including governance risk and operational risk.

The frontline in reducing the risk of internal or external fraud is an adequate system of internal control. Internal controls can generally be classified as preventive or detective.

Preventive controls are the first line of defence and are designed to prevent fraud occurring in the first place.  They include adequacy of records, access to systems, segregation of duties, authorisation and review requirements, etc.

Detective controls are the second line of defence, designed to detect fraud once it has occurred. They include reconciliations and review. Detective controls act as a deterrent to those intending fraud and therefore serve a preventive function as well.

It is not the role of external auditors to detect fraud – in forming an audit opinion on the financial results auditors rely on reasonable assurances that the financial information is materially correct.

Control design should be subject to regular review to ensure that their effectiveness has not been affected by changes in operational processes.  For example, changes in staff roles, procedures or systems may create new opportunities for fraud.

The application of controls should also be reviewed on a regular basis to ensure that the controls are being applied effectively and as originally designed.

Implementation of preventive and detective internal controls often happens on a piecemeal basis over many years as a reaction to different control reviews or audits, or following an actual fraud.  As a result some funds end up with a range of poorly co-ordinated controls.  The lack of integration can often result in control gaps (fraud opportunities) or control overlap (inefficient use of resources).

The more poorly integrated the control environment, the more difficult it becomes to form an overall view on whether all gaps are covered.