Why Australia’s fraud detection needs a fresh approach

By Marina Williams

When long-running fraud is finally uncovered, the same questions resurface: Who should have stopped it? Were red flags missed? Was the board asleep at the wheel? Did auditors overlook something?

The reality is that fraud detection and fraud prevention are multilayered responsibilities, and those tasked with monitoring (internal parties) and investigating (external parties) say no single group carries the blame.

“Detecting fraud is inherently challenging due to its intentional concealment,” says Jeffrey Luckins FCPA, partner, audit and assurance at William Buck. “Fraudulent people often exploit weak internal controls, override processes or collude with others, making discovery difficult.”

According to to a Global Economic Crime Survey 2024 from PwC, 47 per cent of organisations worldwide experienced fraud in the past two years, with cybercrime, corruption and procurement fraud topping the list.

Fraud typically involves an activity that has not been authorised. When opportunity, pressure or incentive, and rationalisation converge (the “fraud triangle”), the likelihood of fraud increases. The impact can have far-reaching effects on an organisation and its employees.

As fraud evolves alongside emerging technologies and increasing digital complexity, prevention grows more challenging.

Not just about financials

The Commonwealth Fraud and Corruption Control Framework 2024 defines fraud as dishonestly obtaining (or attempting to obtain) a benefit or causing a loss by deception. That benefit may not be for the perpetrator directly — it can also be for a third party.

“Even recklessness, not thinking about the impact on others, can potentially be fraudulent,” says Gavin Stuart, partner and lawyer at Bartier Perry.

The losses are staggering. The Australian Competition and Consumer Commission’s Targeting scams report cited more than A$2 billion in fraud-related financial losses in Australia in 2024.

Even the public sector is not immune. Fraud and error, including unreported fraud, could be costing the Commonwealth up to A$100 million per day, according to the Commonwealth Fraud Prevention Centre.

As fraud risk increases, board accountability for fraud risk management is also under sharper scrutiny, particularly in sectors vulnerable to cybercrime and procurement fraud.

“Fraud doesn’t just hit the financials, it erodes trust and organisational morale,” says Stan Gallo, forensic services partner at BDO Australia. “Investigating fraud is like pulling on a thread. You start with one small thing, but as you keep pulling — the whole lot unravels.”

Common and emerging frauds

Gallo notes that traditional frauds still dominate: asset misappropriation, false invoicing, ghost employees and financial-statement manipulation.

“We still see long-running frauds where the fraudster approved their own invoices using a colleague’s login. The detection tools exist — they are just not as effective as they need to be.”

Modern risks, however, have grown darker. Emerging fraud types such as identity theft, deepfakes, synthetic identities and compromised business emails exploit digital systems, making detection harder without advanced tools and oversight. “Fraud used to focus on stealing money,” Gallo states.

 

"Investigating fraud is like pulling on a thread. You start with one small thing, but as you keep pulling — the whole lot unravels."

 

“Now it’s about stealing identity, data, trust and reputation, which are then monetised. The fraudster doesn’t always look like the typical ‘bad guy’. They might be your colleague, friend or a vendor.”

According to Melody Carr, head of FINPRO claims & technical at Marsh, cyber-enabled fraud has changed the stakes of economic crimes. “It is fast, hard to trace and often global. Once reputational damage hits, recovery can take years.”

Detection tools and roles

While emerging technologies are helping to detect fraud, it is people who make the difference. “AI can, for instance, help flag shared accounts and duplicate payments, but in the end, it’s usually a person that is close to the process who spots what doesn’t add up,” Luckins says.

Yet, the auditors’ role in fraud prevention and detection is often misunderstood, he adds. 

“There’s an audit expectation gap. Stakeholders expect us to uncover every fraudulent act, but that’s not our mandate unless it materially affects financial statements.”

Internal auditors, on the other hand, are embedded in organisations and are expected to proactively assess fraud risk.

 

"AI can, for instance, help flag shared accounts and duplicate payments, but in the end, it’s usually a person that is close to the process who spots what doesn’t add up."

 

“External auditors provide independent oversight, but internal auditors are the early line of defence,” Luckins says. “The most resilient organisations use both.”

The COSO Internal Control framework is one of the best fraud-prevention models, which is supported by fraud-detection technology such as AI-driven analytics, machine learning, blockchain for transaction integrity and behavioural profiling software.

“Technology can flag anomalies at scale, but effectiveness depends on the inputs and how much trust you place in it,” Stuart says.

Culture as control

If controls are the locks on the door, culture is the reason people don’t try to open it. A healthy culture or strong tone at the top of an organisation can be one of the most effective best practices for fraud prevention, regardless of the size of the business.

“When staff feel valued, supported and aligned with the organisation’s mission, there’s far less temptation or rationalisation for fraud,” Carr says. “You need a culture where asking questions is safe and encouraged.”

Gallo agrees that culture is often the most overlooked part of any prevention strategy. “Organisations invest in tools and tech, but if employees feel disengaged, isolated or mistreated, all that investment becomes secondary.”

A duty to act

Even after fraud is uncovered, some organisations choose not to pursue charges. “Some businesses quietly let offenders go to avoid reputational damage,” Gallo says. “But we’ve seen the same people resurface elsewhere and do it again. Choosing not to report merely delays consequences and often magnifies them.”

Carr agrees. “Reporting isn’t just compliance — it protects the whole sector. Fraud doesn’t stay internal; it spreads. Today, staying passive isn’t an option; there’s a proactive duty to act.”

Whistleblower protections and reporting obligations highlight the ethical considerations for reporting internal fraud in Australian companies. However, Carr cautions that these structures must be robust. “False accusations can damage trust. That’s why strong whistleblower protections and independent hotlines are vital.”

Everyone plays a part

While management holds primary responsibility for implementing fraud controls, detection is shared. “Fraud prevention is a team sport,” Gallo says. 

“Everyone in the organisation, from entry-level staff to the board, has a role.”

Carr urges businesses to make fraud awareness part of onboarding and everyday culture. “Make it part of the everyday conversation. Help staff recognise fraud and report it confidently.”

That education can be powerful.

Gallo recalls a case where a small red flag raised by one employee led to the discovery of a A$14 million fraud.

“The discloser didn’t know what was wrong, just that something wasn’t right, and pushed their point. That gut feeling cracked the whole thing open.”

Prevention still beats cure

Despite the rise in advanced fraud-detection tools, all four experts agree: prevention remains the most effective and affordable approach.

“Education is the cheapest and most effective strategy,” Gallo says. “We’re unpacking a case that started with a bogus vendor and weak controls. If someone had asked a few questions early on, it wouldn’t have happened.”

For small and large businesses in Australia, fraud-detection best practices must balance affordable tools with strong cultural and governance foundations.

“The best organisations are the ones patching the cracks before anything leaks,” Stuart says. “Fraud doesn’t just disappear — it finds the gaps.”