What the Board Doesn't Know Is Costing the Organisation: The Case for Real-Time Financial Oversight
Why retrospective reporting is no longer sufficient, and what genuine board-level financial governance looks like in 2026
The board approved the control framework. The audit committee reviewed the financials. The external auditors signed off. And somewhere between those assurance moments, money moved that should not have. The governance gap that is costing Australian organisations most is not the absence of controls. It is the space between when a control is designed and when a failure is discovered. In that space, fraud runs. Payments go to the wrong place. Policy is overridden by people trusted to enforce it. And the board finds out months, sometimes years later.
The Governance Gap That Audit Committees Are Missing
When a board audit committee reviews quarterly financials and signs off on an external audit, there is often an implicit assumption that the organisation's financial controls are working as intended between those reporting moments. It is an assumption that, increasingly, the data does not support.
The 2024 ACFE Report to the Nations found that the median occupational fraud scheme runs for twelve months before detection.[1] In Australia, Warfield & Associates' decade-long study found schemes running for as long as 17 years.[2] External audits, present in 84% of victim organisations studied by the ACFE, failed to detect the fraud in the overwhelming majority of cases.[1] The most common detection method, globally, is a tip from a whistleblower.[1]
This is the governance gap that boards are not discussing with enough urgency: the space between when a control is designed and when a failure is discovered. In that space, money moves. Suppliers are paid who should not be. Invoices are approved that were never legitimate. Policies are overridden by people trusted to enforce them.
The board's fiduciary responsibility is not satisfied by approving the existence of a control framework. It requires confidence that the framework is working, in real time, not in retrospect.
The Regulatory Stakes Have Changed
Australian boards are operating in a materially different regulatory environment to the one that existed three years ago.
ASIC commenced 132 new investigations in the first six months of 2025, more than double the 63 investigations in the same period the previous year.[3] It secured six criminal convictions and over AUD $57.5 million in civil penalties in that same period, with a further AUD $240 million penalty against ANZ Banking Group still before the courts.[3] Regulators have made clear that enforcement action will cut across financial services, superannuation, banking, and insurance, and that senior management and board oversight quality are under scrutiny, not just the outcomes.
Australia's expanded AML/CTF framework, which came into force in 2024 and extends obligations to a significantly broader range of entities from 2026, explicitly places boards and senior management in an active oversight role.[4] The law no longer treats compliance as a back-office function. Boards that cannot demonstrate active, informed oversight of financial controls face personal exposure, not just organisational risk.
Emerging case law is reinforcing this. The 'extended stepping stones' approach being applied by ASIC in proceedings against Star Entertainment directors uses section 180 of the Corporations Act to hold directors personally accountable for failures in oversight, even where the AML/CTF Act does not explicitly impose personal liability.[5] The direction of travel is clear: governance is becoming personal.
Third-Party Risk: The Exposure That Lives Outside the Organisation
Boards that are focused on internal controls often overlook the exposure that accumulates through their supplier and vendor ecosystems. Third-party risk in finance is not a theoretical concern. It is where a significant proportion of actual losses occur.
Payment redirection fraud, where attackers impersonate a legitimate supplier and redirect invoice payments to fraudulent accounts, is one of the fastest-growing financial crimes in Australia. The ACCC's National Anti-Scam Centre identified it as a primary growth category, with payment redirection scams ranking among the top five loss categories nationally in 2024.[6]
The attack vector is straightforward: a fraudster compromises or impersonates a supplier's email account, issues a near-perfect replica invoice to the organisation's accounts payable team with updated bank details, and waits for the payment to be processed through normal channels. Because the invoice looks legitimate, with the correct ABN, correct supplier name, and correct formatting, AP teams who rely on manual review frequently approve it.
The ACFE study found that vendors and customers together account for 32% of fraud tips, suggesting that third-party fraud is being surfaced externally more often than it is being caught internally.[1] For boards, this raises a fundamental question: if suppliers are more likely to flag a fraudulent payment than the organisation's own systems, what does that say about the adequacy of the controls between commitment and payment?
The verification gap is structural: organisations approve payments to supplier names but rarely validate in real time that the payment destination matches verified, independent supplier records.
What Meaningful Board Oversight Now Requires
The traditional board oversight model relies on management-prepared reporting reviewed at scheduled intervals. This model was designed for a slower, lower-volume financial environment. It cannot keep pace with the scale of modern AP operations, the speed at which AI-enabled fraud executes, or the real-time nature of the threat landscape.
What meaningful oversight now looks like is different. Boards with genuine visibility into financial controls can answer several questions at any moment, not just at quarter-end: Are payments being processed in conformity with approved policy? Are there anomalies in vendor payment patterns that have not been resolved? Has any payment been processed outside approved authority limits? Are supplier bank details being independently verified prior to settlement?
If the answers to these questions exist only in management reports prepared after the fact, the board is not overseeing financial controls. It is reviewing their historical performance.
In the ACFE data, organisations with continuous monitoring and anti-fraud controls embedded in their financial workflows detected fraud significantly faster and with significantly lower losses than those relying on periodic review. The median loss in organisations with fraud hotlines was 50% lower than in those without them.[1] Detection at the moment of transaction is categorically more effective than detection after settlement.
AI-enabled financial governance tools are now making this feasible at scale. Automated agents that validate payment data against verified supplier records, flag policy exceptions before funds move, and maintain complete audit trails give boards something they have historically not had: real-time assurance, not retrospective reporting.
A Message to the Audit Committee
The question boards should be asking management is no longer "what controls do we have?" It is "how do we know those controls are working right now?"
The fraud that costs organisations the most is not the attack that triggers an immediate alarm. It is the one that runs quietly for months or years inside a control framework that exists on paper but fails in practice. The regulatory environment is shifting to make boards personally accountable for that gap. The threat environment, including AI-powered impersonation, invoice fraud and internal misconduct, is accelerating in ways that make the gap more dangerous with every passing quarter.
Real-time financial governance is no longer an operational aspiration. It is a board-level governance requirement. The organisations that recognise this first will be the ones that don't feature in the next decade's fraud statistics.
References
1. Association of Certified Fraud Examiners (ACFE). (2024). Occupational Fraud 2024: A Report to the Nations. Retrieved from https://www.acfe.com/report-to-the-nations/2024/
2. Warfield & Associates. (2022). Employee Fraud in Australia: A Decade in Review. As reported in SmartCompany. Retrieved from https://www.smartcompany.com.au/finance/fraud/aussie-employers-350-million-stolen-employees-research/
3. A&O Shearman. (2025). Australian Regulators Intensify Enforcement of Bribery, Money Laundering and AI-Driven Fraud. Retrieved from https://www.aoshearman.com/en/insights/cross-border-white-collar-crime-and-investigations-review-2026/australian-regulators-intensify-enforcement-of-bribery-money-laundering-and-ai-driven-fraud
4. Norton Rose Fulbright. (2025). Australia's AML/CTF Reforms: A New Era in Financial Crime Prevention. Retrieved from https://www.nortonrosefulbright.com/en/knowledge/publications/4bdd08b3/australia-amlctf-reforms-a-new-era-in-financial-crime-prevention
5. Tandfonline / Current Issues in Criminal Justice. (2025). Adapting Director Liability to Modern AML/CTF Compliance: Risks and Regulatory Implications in Australia. Retrieved from https://www.tandfonline.com/doi/full/10.1080/10345329.2024.2441081
6. Australian Competition and Consumer Commission (ACCC), National Anti-Scam Centre. (2025). Targeting Scams Report 2024. Retrieved from https://www.scamwatch.gov.au/system/files/targeting-scams-report-2024.pdf
This article is intended as a thought leadership piece for finance, risk, and governance professionals. Statistics and figures cited are sourced from publicly available third-party research and regulatory publications.

