The question this answers
Which controls address which risks, and who’s responsible?
What the problem looks like without a control framework mapped to identified risks
Your grant program has controls scattered across different documents. Eligibility checks in the guidelines. Payment approvals in a finance procedure. Conflict of interest requirements in an HR policy.
No one has mapped them together. No one knows whether every identified risk has a control. No one knows who owns each control or whether it’s actually being applied.
When audit asks “how do you mitigate the risk of duplicate funding?”, you can’t point to a single document that answers the question.
What I deliver
A clear document that maps your controls to your risks. For each control, it shows:
- What risk it addresses: Linked directly to the risk assessment
- What the control is: Described specifically, not vaguely
- Who owns it: The role responsible for applying the control
- How it’s monitored: How you know the control is working
- Evidence of operation: What documentation exists to show the control was applied
The framework is designed so gaps are visible. If a risk has no control, you can see it. If a control has no owner, you can see it. If compliance isn’t monitored, you can see it.
What good looks like vs what bad looks like
Bad: A list of controls with no link to risks, no owners, and no monitoring.
“Applications are reviewed for eligibility.”
Who reviews them? Against what? How do you know it’s happening? What happens if it’s not?
Good:
| Risk | Control | Owner | Monitoring | Evidence |
|---|---|---|---|---|
| Duplicate applications | ABN cross-check at triage | Grants Officer | Weekly report of flagged duplicates reviewed by Program Manager | Cross-check log; escalation records |
| Ineligible applicants funded | Eligibility checklist completed for each application | Assessor | Sample audit of 10% of applications by Team Leader | Completed checklists on file |
| Conflicts of interest (panel) | Declaration signed before each panel meeting | Panel Chair | Declarations collected and filed; register maintained | Signed declarations; conflict register |
| Inflated supplier quotes | Conflict of interest declaration for suppliers over $5K | Grant recipient (at acquittal) | Spot-check of 5% of acquittals | Declarations on file; spot-check report |
| Fabricated acquittal evidence | Random site visits for grants over $50K | Program Manager | Site visit schedule maintained; findings reported | Site visit reports |
Now you can see the full control environment in one place, and demonstrate it to anyone who asks.
Why it matters
Controls only work if they’re applied consistently and someone is accountable for them.
A mapped control framework creates visibility. It shows how each risk is addressed. It assigns ownership so no control falls through the cracks. And it establishes monitoring so you know whether controls are working, not just whether they exist on paper.
When audit asks how you manage fraud risk, you hand them this document. The answer is already there.
Other Fraud, Risk & Probity Deliverables
Do You Actually Understand Your Grant Program’s Fraud Risks? → Fraud and corruption risk architecture designed around how your program actually operates. Vulnerabilities are identified at the design stage, with risk treatments built into program structure rather than layered on as compliance documentation.
Would your grant decisions stand up to a probity complaint? → Probity architecture built into panel and decision-making processes. Conflict management, confidentiality, and conduct requirements are designed into how decisions are made, not issued as guidance that people are expected to read and follow independently.