Fraud Control in Australian Government Entities


  • 8/6/2019 Fraud Control in Australian Goverment Entities

    1/108

    Better Practice Guide March 2011

    Fraud Control in Australian Government Entities


    ISBN No. 0 642 81180 6

Commonwealth of Australia 2011

    COPYRIGHT INFORMATION

This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Commonwealth.

Requests and inquiries concerning reproduction and rights should be addressed to the Commonwealth Copyright Administration, Attorney-General's Department, Robert Garran Offices, National Circuit, Canberra ACT 2600

    http://www.ag.gov.au/cca

Questions or comments on the Guide may be referred to the ANAO at the address below.

The Publications Manager, Australian National Audit Office, GPO Box 707, Canberra ACT 2601

    Email: [email protected]

    Website: http://www.anao.gov.au

This Better Practice Guide was prepared by the Australian National Audit Office and KPMG.


Foreword

Fraud continues to be an ever-present threat to the Australian community, posing significant challenges to organisations in its prevention and detection. Across business and government it has been estimated that only a third of fraud-related losses are actually being detected. [1]

Sound and effective fraud control requires commitment at all organisational levels within an entity. Just as governance and project management arrangements have evolved to become common practice in government entities, fraud control strategies need to mature and become an accepted part of the day-to-day running of entities.

Recent deficiencies in the delivery of high-profile government programs resulted, in part, from a failure to implement robust fraud control measures early in the life cycle of these programs. This resulted in significant losses and reputational damage from fraudulent behaviour. A sound understanding by senior management of the responsibilities and expectations with regards to fraud control can help ensure the Australian Public Service (APS) meets community expectations that government services and programs will be delivered with integrity.

In March 2011, the Minister for Home Affairs issued an updated version of the Commonwealth Fraud Control Guidelines (the Fraud Control Guidelines). These new guidelines are more principles-based, and establish the fraud control policy framework within which entities determine their own specific practices, plans and procedures to manage the prevention and detection of fraudulent activities.

This Better Practice Guide is intended to complement the Fraud Control Guidelines, and to augment the key fraud control strategies referred to in the Guidelines. While this Guide is an important tool for senior management and those who have direct responsibilities for fraud control, elements of this Guide will be useful to a wider audience, including employees, contractors and service providers. The Guide also takes account of the fact that fraud control arrangements need to be tailored to the individual entity's circumstances.

The Guide has been prepared in consultation with the Attorney-General's Department and should be read in conjunction with the Fraud Control Guidelines and the APS Values and Code of Conduct. The ANAO would like to acknowledge the assistance of KPMG in compiling this Guide, the Attorney-General's Department in contributing to its content, and the entities that provided material for the case studies and input for other aspects of the Guide.

    Ian McPhee

    Auditor-General

1. KPMG, Fraud and Misconduct Survey 2010.


    Contents

1. Introduction ... 1
1.1. The need for effective fraud control strategies ... 1
1.2. Legislative and policy requirements ... 2
1.3. Who will benefit from the Guide? ... 2
1.4. Purpose and structure of the Guide ... 3

2. Leadership and Culture ... 7
2.1. Leadership ... 9
2.2. An ethical culture ... 10

3. Legislation, Policy and Governance ... 13
3.1. Legal framework ... 15
3.2. Commonwealth Fraud Control Guidelines: the policy framework ... 18
3.3. The role of central agencies ... 19
3.4. Governance structures ... 20

4. Fraud Control Strategies: Overview ... 25
4.1. Key fraud control themes ... 27
4.2. Fraud control strategies and program management ... 27

5. Fraud Control: Prevention ... 29
5.1. Fraud risk management ... 32
5.2. Fraud policy ... 40
5.3. Preventative measures ... 41
5.4. Communication of identified fraud ... 47
5.5. Building fraud prevention into program design ... 48

6. Fraud Control: Detection ... 51
6.1. Passive detection measures ... 53
6.2. Active detection measures ... 56
6.3. Building fraud detection into program management ... 60

7. Fraud Control: Response ... 61
7.1. Fraud investigation ... 63
7.2. Responding effectively to fraud ... 69
7.3. Fraud response in program delivery ... 71

8. Fraud Control: Monitoring, Evaluation and Reporting ... 73
8.1. Monitoring and evaluation ... 75
8.2. Reporting ... 77
8.3. Monitoring, evaluation and reporting in a program context ... 78

9. Identity Fraud: an Emerging Fraud Risk ... 81
9.1. What is identity fraud? ... 83
9.2. National Identity Security Strategy ... 83
9.3. Commonwealth law enforcement initiatives ... 84
9.4. Identity fraud risk management options ... 85

Appendices ... 87
Index ... 95


1. Introduction

1.1. The need for effective fraud control strategies

Fraud can be defined as dishonestly obtaining a benefit by deception or other means. [2] Fraud control refers to the integrated set of activities to prevent, detect, investigate and respond to fraud and to the supporting processes such as staff training and the prosecution and penalisation of offenders.

Making sure that appropriate fraud controls are in place continues to be an important function in Australian Government entities. [3] Notwithstanding the financial and personal cost of fraud, the reputational damage to entities can be direct and long-lasting. Contemporary management in the Australian public sector is underpinned by managers and senior executives who are familiar with the key elements of a robust fraud control framework, including policy, legal and governance requirements.

Fraud control strategies based on a bi-annual preparation of a fraud control plan and fraud risk assessment are becoming less common. Increasingly, effective fraud control strategies are an integrated response led by the executive in an entity and embedded in its governance, program design and management. Such a proactive approach assists entities to manage fraud risk to an acceptable level, mindful of the changing landscape, source and types of fraud risk that must be assessed and managed.

    1.1.1. Delivering services and programs in a changing landscape

An executive in today's public sector is delivering programs and services in a changing and often challenging environment. Many Australian Government entities are responsible for administering significant levels of revenue, expenditure and property, and because these activities involve contact with a broad range of clients and citizens, there is an increasing reliance on technology and e-commerce. These advances in the use of technology are making identity fraud one of the fastest growing crimes in Australia. In this environment, the prevention and detection of fraud is critical.

The application of sound governance to fraud control is required to keep pace with the growing convergence of the public and private sectors. The step-up in strategic partnerships and a greater emphasis on outsourcing of government services is creating a new environment of fraud risk, that of fraud by service providers. Fraud control strategies must extend to these outsourced arrangements, partnerships and alliances through effective contract management and strong relationships.

1.1.2. Effective program design and management

The emerging focus on responsive and flexible programs to meet community and industry expectations can expose the Commonwealth to internal and external fraud risks. For instance, the demand for timeliness and flexibility in service delivery can create new challenges in maintaining the integrity of programs. The emergence of these types of fraud risks reinforces the imperative for entities to consider fraud control at each critical stage of a program's life cycle.

2. Attorney-General's Department, Commonwealth Fraud Control Guidelines, Canberra, 2011.
3. In broad terms, 'entity' is used to refer collectively to Australian Government departments and other government bodies. The distinctions between the types of government entities and relevance to fraud control are set out in Chapter 3.


1.1.3. Perpetrators of fraud

The risk of fraud can come from inside an organisation, that is, from its employees or contractors, or from outside an organisation, that is, external parties such as clients, consultants, service providers or other members of the public. Organisations must be alert to the risk of fraud through collusion between employees and external parties (bribery, corruption and abuse of office are examples of this type of fraud). In addition, recent fraud response activities have identified that elements of organised crime are viewing government programs as potential targets for systematic rorting and abuse.

1.2. Legislative and policy requirements

The Australian Government is committed to protecting its revenue, expenditure and property from fraudulent activity by taking a systemic approach to the management of fraud across the Australian Public Service (APS). This commitment is articulated in the provisions of the Financial Management and Accountability Act 1997 (the FMA Act) and the Commonwealth Authorities and Companies Act 1997 (CAC Act).

    1.2.1. Commonwealth Fraud Control Guidelines

The Australian Government first released a Commonwealth Fraud Control Policy in 1987. In 2002, the government recognised the need to update the policy to take into account developments in corporate governance, modern business practices and developments in fraud control. Accordingly, the then Minister for Justice and Customs issued the Commonwealth Fraud Control Guidelines (the Fraud Control Guidelines) under Regulation 19 of the Financial Management and Accountability Regulations 1997.

Following a review in 2010, the Minister for Home Affairs issued an updated version of the Fraud Control Guidelines in March 2011. The Fraud Control Guidelines establish the fraud control policy framework within which entities determine their own practices, plans and procedures to manage the prevention and detection of fraudulent activities within their organisation, and the investigation and, where appropriate, prosecution of offenders.

1.3. Who will benefit from the Guide?

This Guide is directed at a wide set of stakeholders who carry responsibility for the effective and efficient control of fraud risks, both inside and outside the Australian Government.

Senior executives

The Guide has been developed with the first four chapters being intended as a source of guidance for senior executives. These introductory chapters provide the legislative and policy framework for fraud control in Australian Government entities; set the tone for leadership, culture and integrity; and summarise the key strategies necessary to ensure best practice fraud control is embedded in organisational governance and processes.

Fraud Managers

Fraud Managers have delegated responsibility for fraud control within their organisation. This Guide is a key reference document to support the Fraud Manager's day-to-day business.


Operational managers

Those operational managers with responsibility for fraud control strategies, such as analysis of management accounting reports or conducting compliance reviews, should use this document on a regular basis as a reference point.

Line area employees

Because fraud control is the responsibility of all employees, this Guide will be useful in highlighting the importance of ethics and integrity, and raising awareness of how internal fraud controls, such as fraud reporting channels, can help reduce fraud risks.

Service providers and contractors

The Fraud Control Guidelines point out that effective fraud control requires the commitment of all contractors and external service providers. This Guide will assist in raising awareness of the better practice principles the Australian Government expects from contractors and service providers with respect to fraud control.

1.4. Purpose and structure of the Guide

This new Guide reflects the changing fraud risk landscape and explains what is involved in establishing a sound fraud control environment. The Guide updates the ANAO's 2004 Fraud Control Better Practice Guide [4] and includes case studies and practical examples to assist entities to improve their fraud control practices.

The Fraud Control Framework is illustrated in Figure 1.1. The framework is consistent with the Commonwealth's legislative and policy requirements and is based on governance models and fraud control strategies which are considered best practice in the public and private sectors.

The body of the Guide is organised around the elements of the fraud control framework, as depicted in sequence below.

Figure 1.1: Fraud control framework

4. ANAO Better Practice Guide, Fraud Control in Australian Government Agencies, 2004.


Setting the right tone at the top is critical to fraud control in Australian Government entities. An organisational culture based on sound ethics and integrity is an essential ingredient that underpins effective fraud control.

The legislative framework for fraud control in Australian Government is supported by a number of key policies. Rigorous governance structures and processes help ensure the requirements of these policies and legislation are operationalised in an accountable, effective and transparent way.

Central to better practice fraud control are key control strategies which contribute to an effective fraud control framework. These strategies are interdependent and subject to a cyclic process of review and enhancement.


Case studies

The Guide includes case studies and practical examples to assist entities to improve their fraud control practices. The Guide recognises that fraud control arrangements will vary according to an organisation's role, size, functions and particular characteristics, especially its fraud risk profile.

Program management

Because of the growing emphasis on program delivery in the Australian Government, the Guide provides program-specific assistance on how to manage fraud risks at each critical stage of the program life cycle. This assistance is provided throughout the Guide, in context with the pertinent fraud control strategies.

Identity fraud

Identity fraud is one of the fastest growing crimes in Australia and costs the Australian community billions of dollars every year. Guidance on initiatives to combat the rapidly emerging problem of identity fraud is provided in a dedicated chapter.


2. Leadership and Culture

Key points

Strong executive leadership is integral to effective fraud control within organisations.

If staff perceive that controls to respond to fraud are not robust or supported by management, they are much less inclined to report their observations or suspicions.

To keep astride of emerging fraud risks there needs to be a shift from traditional fraud control to contemporary fraud control.

The establishment of an ethical culture is a key element of sound governance and plays an important role in preventing fraud and helping to detect it once it occurs.


2.1. Leadership

The realisation of fraud risks in a number of high-profile government programs has resulted in a heightened expectation that fraud risks will be given appropriate attention in the management of public sector entities. For this reason, there has been renewed focus on strong executive leadership to support effective fraud control within organisations. Poor leadership can lead to a culture of complacency within organisations with respect to fraud control and management.

Managers are required to demonstrate an observably high level of commitment to the control of fraud. Balancing fraud control with other high-level corporate and operational responsibilities can be challenging for executives. An effective organisational governance structure, with clearly defined roles and accountabilities for individuals and decision-making bodies (for example, the Audit Committee, Executive Board or Program Management Committee), can assist.

A top-down and bottom-up approach to fraud control can help ensure an organisation's policies, governance structures and processes for managing fraud risks are consistent and mutually reinforcing. Senior executives are best placed to understand whole-of-organisation issues and risks, and to provide a broad context to fraud risk assessments and fraud monitoring and evaluation exercises. Table 2.1 provides the types of considerations for an Executive to be suitably engaged in their organisation's fraud control strategies.

Table 2.1: Considerations for an Executive suitably engaged in fraud control

Who
- Who reviews and evaluates the fraud control plan?
- Who hasn't done the fraud awareness training?
- Who analyses the fraud risks in my organisation / program?

What
- What are the drivers of fraud risk at the organisation and program level?
- What is my role in fraud control?
- What is a proportionate response to fraud risks in my organisation / program?

When
- When do I get involved in fraud prevention and detection strategies?
- When do we report fraud in the organisation?
- When do we analyse fraud activity?

Where
- Where can I find my organisation's Fraud Policy?
- Where is the guidance on how to report fraud in my organisation / program?
- Where can I refer matters of serious and complex fraud?

Why
- Why is our organisation / program at risk of fraud?
- Why is governance so important to effective fraud control?
- Why weren't our fraud risks reviewed when our organisation structure changed?

How
- How do I get assurance that fraud risks are addressed in program design?
- How do I know our fraud strategies are working in my organisation / program?
- How does my organisation decide if a suspected fraud will be investigated?

Recent studies have identified that a lack of leadership in fraud prevention, detection and response can reduce the likelihood of fraud being reported to management. If staff perceive that controls to respond to fraud are not robust or supported by management, they are much less inclined to report their observations or suspicions. [5]

5. Brown, A J (ed.), Whistleblowing in the Australian Public Sector: Enhancing the theory and practice of internal witness management in public sector organisations, ANU E Press, Canberra, 2008.


To keep astride of emerging fraud risks there needs to be a shift from traditional fraud control to contemporary fraud control (as described below). To achieve this goal, Australian Government entities will be required to embed key elements of fraud control in organisational governance, leadership and culture. This can be made possible through senior strategic oversight and leadership, and through effective use of this Guide. Table 2.2 illustrates what is required to shift from traditional to contemporary fraud control.

Table 2.2: Traditional vs. contemporary fraud control

Traditional fraud control: Fraud risk assessment is a static document only updated every two years.
Contemporary fraud control: Fraud risk assessment is a living document which is updated through regular, targeted risk assessments.

Traditional fraud control: Fraud control plan is updated and filed until the next biennial review.
Contemporary fraud control: Ongoing fraud control where the fraud control plan is a living document, which is updated in lieu of fraud risk assessments.

Traditional fraud control: Fraud control plan is owned and managed by the Fraud Manager.
Contemporary fraud control: Fraud control plan is owned by the Executive. An entity's Audit Committee provides independent assurance and advice to the CEO / Board on the operation of key controls and the fraud control plan to the extent that it is within its charter. The fraud control plan is managed by the Fraud Manager and referenced by all levels of management.

Traditional fraud control: Program development and delivery is not referenced by the fraud control plan, and programs do not consider fraud control at key stages in the program life cycle.
Contemporary fraud control: Fraud control plan informs fraud risk assessment and fraud control strategies for key stages in the program life cycle, particularly in program design.

Traditional fraud control: Fraud awareness training is delivered to new staff members at induction.
Contemporary fraud control: Fraud awareness training is sponsored by the Senior Executive and conducted regularly under a risk-based approach.

2.2. An ethical culture

The establishment of an ethical culture is a key element of sound governance and plays an important role in preventing fraud and helping to detect it once it occurs. The Public Service Act 1999 highlights the need for an ethical culture and also sets out the APS Values and Code of Conduct. These provide mandatory requirements for all APS employees to uphold the Values and to comply with the Code of Conduct.

While the Values and the Code of Conduct provide a commonly understood set of principles for APS employees, each entity must reinforce the intent of these documents through active management strategies. The Australian Public Service Commissioner provides a checklist to assist senior executives to assess how well the APS Values and Code of Conduct are being integrated into the management and culture of an entity. [6]

6. Australian Public Service Commission, Embedding the APS Values: Framework and Checklist, 2003.


Questions on this checklist include the following.

- In what ways do senior leaders demonstrate visible and strong commitment to the APS Values?
- How do senior leaders communicate to employees that conduct consistent with the APS Values and Code of Conduct is expected and that misconduct will not be tolerated?
- Are there learning and development programs available to all employees that: address their responsibilities under the APS Values and Code of Conduct, handling tensions inherent in the APS Values; develop skills for ethical analysis and reasoning; and provide sources of guidance and direction?
- Are all instructions and guidance to employees, including chief executive instructions, people management rules and guidance, and advice on communications with ministers' offices and the media, consistent with and supportive of the APS Values and Code of Conduct?
- What measures are in place to ensure that internal control systems, such as internal audit, fraud control strategies and risk assessment, are functioning and effective?

Senior executives must ensure the work practices of their organisations are consistent with the principles of the APS Values and Code of Conduct. Creating a culture in which employees are prepared to report a suspected fraud and supported when they do so is critical in the ongoing operation of an organisation's fraud control strategy. In terms of fraud detection, the KPMG Fraud and Misconduct Survey 2010 identified that 20 per cent of reported major frauds were identified by employees. [7] The Australian Institute of Criminology has also reported that the detection of external fraud through discovery by staff members or colleagues was an important method of detection. [8]

7. KPMG, Fraud and Misconduct Survey 2010, p. 12.
8. Australian Institute of Criminology, Annual Report to Government 2007–08: Fraud against the Commonwealth, AIC, Canberra, 2009, p. 36.


3. Legislation, Policy and Governance

Key points

The Australian Government's commitment to protecting its revenue, expenditure and property from fraudulent activity is articulated in the Financial Management and Accountability Act 1997 and the Commonwealth Authorities and Companies Act 1997.

Sections 14 and 41 of the Financial Management and Accountability Act 1997 make it a criminal offence for a Commonwealth officer to misapply, improperly dispose of, or use public money or property.

Section 26 of the Commonwealth Authorities and Companies Act 1997 makes it a criminal offence for officers of a Commonwealth authority to use their position dishonestly with the intention of gaining a personal advantage, to the detriment of the Commonwealth authority.

The Fraud Control Guidelines establish a fraud control policy framework for Australian Government entities.

Fundamental to sound fraud management is an overall governance structure that appropriately reflects the operating environment of an entity.

An entity's Audit Committee plays a key role in securing and enhancing awareness of fraud control across an organisation, including reviewing management's approach to new and emerging risks during periods of significant change, such as the implementation of new policies and programs.


    The Australian Government is committed to protecting its revenue, expenditure and property rom raudulentactivity by taking a systemic approach to the management o raud across the Australian Public Service. Thiscommitment is articulated in the legal provisions o the:

Financial Management and Accountability Act 1997 (FMA Act); and

    Commonwealth Authorities and Companies Act 1997 (CAC Act).

The government's fraud control policy requirements for FMA Act agencies and CAC Act bodies are outlined in the Commonwealth Fraud Guidelines 2011 (Fraud Control Guidelines). 9

The following sections set out: key elements of the legal and policy framework; the responsible central agencies within the Attorney-General's portfolio; and appropriate governance structures for entities. 10

3.1. Legal framework

    3.1.1. FMA Act

The FMA Act covers agencies which are legally and financially part of the Commonwealth, and specifies the responsibilities and powers of Chief Executive Officers (CEOs) and officials, including the responsibilities associated with the expenditure of public monies. Section 44 of the FMA Act requires a CEO to manage the affairs of the agency in a way that promotes the efficient, effective, and ethical use of the Commonwealth resources for which the CEO is responsible. This legislation places the onus on CEOs to promote ethical behaviour in their agencies and recognises that leading from the top is important in establishing the ethical tone in an organisation.

Provisions of the FMA Act with particular relevance to fraud are sections 14 and 41, which make it a criminal offence for a Commonwealth officer to misapply, improperly dispose of, or use public money or property.

3.1.2. Public Service Act 1999: APS Values and Code of Conduct

The Public Service Act 1999 (Public Service Act) also supports the government's policy regarding the ethical behaviour of officials in the APS. The APS Values, described in section 10 of the Public Service Act, provide the philosophical underpinning of the APS and articulate its culture and ethos. The APS Values reflect the Australian community's expectations of public servants and are directly relevant to the roles and functions of government, such as administration of revenue, expenditure and property and other core functions of government including policy development and review. The Public Service Act requires that APS employees at all times behave in a way that upholds the APS Values and the integrity and good reputation of the APS. 11 The APS Values require employees to: have the highest ethical standards; be openly accountable; and deliver services fairly, effectively, impartially and courteously.

The APS Values are complemented by the requirements of the APS Code of Conduct, which is set out in section 13 of the Public Service Act. Among other things, the Code requires that all APS employees:

behave honestly and with integrity in the course of their employment in the APS;

9. Appendix A lists the key elements of the Australian Government's legislation, policies and guidelines relevant to fraud control.

10. In this document, FMA Act agencies and CAC Act bodies are specifically referred to, where appropriate. As noted previously, the term entities is used to refer to both types of organisations collectively.

11. The Public Service Act 1999 applies to most FMA Act agencies and some CAC Act bodies. Refer to [accessed 15 April 2010].


disclose, and take reasonable steps to avoid, any conflict of interest (real or apparent) in connection with their employment in the APS;

    use Commonwealth resources in a proper manner;

not make improper use of inside information or the employee's duties, status, power or authority in order to gain, or seek to gain, a benefit or advantage for the employee or for any other person; and

at all times behave in a way that upholds the APS Values and the integrity and good reputation of the APS.

The Public Service Act provides for the imposition of sanctions on APS employees found to have breached the APS Code of Conduct. Possible sanctions include: termination of employment; reduction in classification; re-assignment of duties; reduction in salary; deductions from salary, by way of fine; or a reprimand.

Figure 3.1 below illustrates the legislative and policy framework for FMA Act agencies.

Figure 3.1: Legal and policy framework for fraud control in FMA Act agencies

[Figure: diagram linking the Minister for Home Affairs, the Attorney-General's Department, the Australian Institute of Criminology, the Australian Federal Police, the Minister/Presiding Officer, the Chief Executive and the FMA Act agency with the Fraud Control Guidelines, the FMA Regulations (including Reg 16A) and the FMA Act. Labelled links include: Fraud Control Plan (mandatory under s.45 FMA Act); annual compliance report; survey of compliance with the FMA Act and Commonwealth Fraud Control Guidelines; Annual Report (compliant with s.45 FMA Act); mandatory compliance; compliance report; and consultation.]

Source: KPMG.


    3.1.3. CAC Act

The CAC Act applies to Commonwealth authorities and Commonwealth companies. Commonwealth authorities are bodies corporate that are established by legislation for a public purpose and which hold money on their own account (that is, for their own purposes). Commonwealth companies are companies incorporated under the Corporations Act 2001 that the Commonwealth controls. CAC Act bodies are legally and financially separate from the Commonwealth.

The CAC Act imposes a number of obligations on officers and employees of Commonwealth authorities to exercise care and diligence and to act in good faith. As well as this general duty of care, the CAC Act imposes a number of additional obligations. For example, an officer or employee of a Commonwealth authority must not:

improperly use his or her position to gain an advantage for him or her or someone else (section 24(1)); and/or

improperly use information obtained as an officer or employee of a Commonwealth authority to gain advantage for him or her or someone else or cause detriment to the Commonwealth authority or to another person (section 25(1)).

In addition, an officer of a Commonwealth authority must exercise his or her powers and discharge his or her duties in good faith in the best interests of the Commonwealth authority and for a proper purpose. 12 An officer or employee of a Commonwealth authority may be liable to criminal sanctions where these obligations are breached (section 26).

The CAC Act also contains rules relating to the disclosure of conflicts of interest by directors of a Commonwealth authority. For example:

a director of a CAC Act entity who has a material personal interest in a matter that relates to the affairs of the authority must give other directors notice of this interest (section 27F(1)). Subject to specific conditions, a director who has a material personal interest in a matter that is being considered at a directors' meeting must not be present while the matter is being considered (section 27J(1)).

    3.1.4. Overall expectations

While the legal and compliance obligations of FMA Act agencies and CAC Act bodies can differ, the Australian community expects business in the public sector to be conducted ethically, displaying honesty, integrity, diligence, fairness, trust, and respect when dealing with others. For these reasons it is advisable that entities (whether FMA Act agencies or CAC Act bodies) put mechanisms in place to assist and train their staff to understand ethical issues and develop the judgment and skills needed to deal appropriately with fraud or other misconduct.

    3.1.5. Prosecution

While fraud against the Commonwealth may be prosecuted under a number of different Commonwealth laws, Part 7.3 of the Criminal Code Act 1995 specifically deals with fraudulent conduct against the Commonwealth and contains a range of criminal offences for fraud. These offences may apply to APS employees, service providers and contractors, or other members of the public.

12. Commonwealth Authorities and Companies Act 1997, s 23.


The offences provided in Part 7.3 of the Criminal Code Act 1995 include:

dishonestly obtaining a financial advantage from a Commonwealth entity by deception;

doing anything with the intention of dishonestly obtaining a gain from a Commonwealth entity, or causing a loss to a Commonwealth entity; and

dishonestly influencing a public official in the exercise of their duties.

3.2. Commonwealth Fraud Control Guidelines: the policy framework

The Australian Government first released its fraud control policy in 1987. Following a review in 2010, the Minister for Home Affairs issued new Fraud Control Guidelines in March 2011. The Fraud Control Guidelines establish the fraud control policy framework within which entities determine their own specific practices, plans and procedures to manage the prevention and detection of fraudulent activities within their organisation, and the investigation and, where appropriate, prosecution of offenders.

3.2.1. Applicability of the Fraud Control Guidelines

The purpose of the Fraud Control Guidelines is to establish the policy framework and articulate the government's expectations for all FMA Act agencies and relevant CAC bodies.

The Fraud Control Guidelines were issued under Regulation 19(1) of the Financial Management and Accountability Regulations 1997. Regulation 19(2) requires officials to have regard to the Fraud Control Guidelines when performing duties related to the efficient, effective and ethical management of public resources.

Compliance with the Fraud Control Guidelines is also required by those CAC Act bodies that have received a General Policy Order (made under section 48A of the CAC Act) from the Minister for Finance and Deregulation that the Fraud Control Guidelines apply to them. That said, the Fraud Control Guidelines state that, where a General Policy Order does not apply to a CAC Act body, the body should consider applying the Fraud Control Guidelines as a matter of policy and better practice.

3.2.2. Definition of fraud

For the purpose of the Fraud Control Guidelines, fraud against the Commonwealth is defined as dishonestly obtaining a benefit by deception or other means. A benefit is not restricted to monetary or material benefits, and may be tangible or intangible. A third party may also obtain a benefit rather than, or in addition to, the perpetrator of the fraud.

3.2.3. Objectives of the Fraud Control Guidelines

The Fraud Control Guidelines are part of the Australian Government's broader financial management framework, which creates an overarching requirement to manage an entity's affairs efficiently, effectively and ethically and in accordance with the policies of the Commonwealth. The objectives of the Fraud Control Guidelines are to: protect public money and property; and protect the integrity and good reputation of Commonwealth entities. This includes reducing the risk of fraud occurring, discovering and investigating fraud when it occurs, and taking corrective action appropriate to the degree of fraudulent behaviour.


3.3. The role of central agencies

The Attorney-General's Department

The Attorney-General's Department is responsible for providing high-level policy advice to the government about fraud control arrangements within the Commonwealth. This includes developing and reviewing general policies of government with respect to fraud control, currently embodied in the Fraud Control Guidelines, and advising Commonwealth entities about the content and application of those policies.

The Australian Institute of Criminology

The Australian Institute of Criminology is responsible for conducting an annual fraud survey of Australian Government entities and producing a report on fraud against the Commonwealth, and fraud control arrangements within Australian Government entities. This In-confidence report is known as the Annual Report to Government: Fraud against the Commonwealth and, as mandated by the Fraud Control Guidelines, is to be provided to the Minister for Home Affairs.

The Australian Federal Police

The Australian Federal Police investigates serious or complex crime against Commonwealth laws, its revenue, expenditure and property. Such crime can include both internal fraud and external fraud committed against the Commonwealth. Internal fraud is fraud perpetrated by an employee or contractor of an organisation. External fraud is fraud perpetrated by a customer, external service provider or third party.

The Commonwealth Director of Public Prosecutions

The Commonwealth Director of Public Prosecutions is responsible for prosecuting offences against Commonwealth law and for conducting related criminal assets recovery. All prosecutions and related decisions are made in accordance with the guidelines set out in the Prosecution Policy of the Commonwealth.

The Australian National Audit Office

The ANAO's mandate extends to all FMA agencies, CAC Act bodies and subsidiaries, with the exception of the conduct of performance audits of government business enterprises and of persons employed or engaged under the Members of Parliament Act 1994.

The mandate includes the audit of the annual financial statements of FMA agencies, CAC Act bodies and subsidiaries. Financial statements may be misstated due to fraud or error. In accordance with Australian auditing standards, the ANAO's financial statement audits include the identification and assessment of the risks of material misstatement of the financial statements due to fraud and the obtainment of sufficient, appropriate audit evidence regarding these assessed risks through its audit procedures. In these audits the ANAO is concerned primarily with two types of fraud, these being misstatements resulting from misappropriation of assets and misstatements resulting from fraudulent financial reporting.

The ANAO also conducts performance audits that evaluate the efficiency and administrative effectiveness of Commonwealth public sector entities within its mandate. This may involve an examination of governance arrangements including risk management and other control structures, resource use, information systems, performance measures, reporting and monitoring systems, and legal compliance. Performance audits may from time to time be undertaken to examine the operations of entities' fraud control arrangements to prevent, detect and respond to fraud. 13

13. Appendix D lists recent ANAO audits related to fraud control.


3.4. Governance structures

Fundamental to sound fraud management is an overall governance structure that appropriately reflects the operating environment of an entity. An effective organisational control structure, which includes fraud control, will assist an entity to promote ethical and professional business practices, improve accountability, and contribute to quality outcomes.

When developing or maintaining a fraud control governance structure, an entity needs to ensure it has formally considered the three generally recognised conditions for fraud to occur: the presence of an opportunity (that is, poor internal and external controls); a motivated offender; and rationalisation (justification by the individual for the fraudulent activity).

To minimise these conditions occurring, fraud control measures need to be primarily focused on restricting the level of opportunity available to potential fraudsters through the development and implementation of an effective fraud control framework. The leadership demonstrated by the senior executives of an entity, together with its organisational culture, plays an important role with respect to fraud control; these two are the primary controls to minimise these conditions occurring. Important elements for effective fraud control include: governance structures; organisational values and culture; and fraud control strategies.

Appropriate governance structures are critical to the effective operation of fraud control within an entity and support the role of the CEO and compliance with the Fraud Guidelines. These governance structures need to be well understood and accepted by the organisation.

Chief Executive Officer or Secretary (FMA Act agency)

The CEO or Secretary of an FMA Act agency is accountable for fraud control within that agency and is responsible for ensuring that adequate fraud controls are in place to comply with the Fraud Control Guidelines. This includes the need to ensure that a sound control framework and governance mechanisms exist and are effective in supporting fraud control activities.

The Board and Chief Executive Officer (CAC Act body)

The directors of the Board of a CAC Act body have primary accountability for fraud control, ensuring that appropriate governance mechanisms and fraud control frameworks are in place and operating as designed.

The CEO of a CAC Act body is accountable for fraud control within that body and is responsible for ensuring the sound operation of the control environment, governance mechanisms and the fraud control activities.

    Executive leadership

Strong executive leadership from management is integral to effective fraud control within an entity. Managers should demonstrate an observably high level of commitment to fraud control and the management of fraud, in addition to ensuring that business processes and internal and external controls are planned and undertaken following the due consideration of fraud risk exposures. Managers should also ensure that adequate frameworks are established to support the monitoring and reporting of fraudulent activities and progress in pursuing fraud control strategies.

Fraud Manager

Clear lines of responsibility in relation to the co-ordination, monitoring, review and promotion of the fraud control framework need to be established within an entity. This can include the appointment of a central point of contact for all fraud-related matters. This central point of contact is often referred to as the Fraud Manager.


Case Study

Department of Veterans' Affairs Integrity Sub-committee

The Department of Veterans' Affairs (DVA) has established a sub-committee of its Audit and Risk Committee known as the Integrity Sub-committee. The sub-committee focuses on a range of matters which includes:

reviewing DVA's fraud control plan, and providing assurance to the Audit and Risk Committee that DVA has appropriate policies, processes and systems in place to capture and effectively investigate fraud-related information;

monitoring DVA's approach to suspected fraud investigations and case management;

reviewing whether management has taken steps to embed a culture which is committed to ethical and lawful behaviour; and

monitoring adherence to, and potential breaches of, DVA's integrity framework and the internal code of conduct.

Like the Audit and Risk Committee, the Integrity Sub-committee has an independent member. Other members of the Committee have sufficient, relevant, executive authority to deal with operational issues, should they arise.

Appendix B provides an aide-memoire designed to assist an Audit Committee's consideration of fraud control through the review of material, discussion or presentations from senior management. This aide-memoire consists of a series of questions, or high-level prompts, which should be tailored to meet the entity's particular circumstances.

Internal audit

Internal audit provides an independent and objective review and advisory service to:

provide assurance to the CEO / Board that the financial and operational controls designed to manage the entity's risks and achieve the entity's objectives are operating in an efficient, effective and ethical manner; and

assist management in improving the entity's business performance. 15

Internal audit can specifically assist an entity to manage fraud control by providing advice on the risk of fraud, advising on the design or adequacy of internal controls to minimise the risk of fraud occurring, and by assisting management to develop fraud prevention and monitoring strategies.

An effective internal audit plan should include a review of those fraud controls designed to address the significant fraud risks faced by an entity.

15. ANAO Better Practice Guide, Public Sector Internal Audit: An investment in assurance and business improvement, 2007, p. 4.


3.4.1. Linking fraud control across governance structures

Fraud control and its operation within an entity needs to form part of its overall governance framework. Owing to its nature and separate statutory reporting requirements, fraud control can often operate in isolation within an entity. An entity's audit committee can play a key role in securing awareness that fraud control interacts and links with other governance frameworks across the entity. This understanding provides for fraud and its possible impacts to be considered at appropriate times when significant changes or decisions occur, for example the implementation of new policies and programs. Figure 3.2 illustrates how a governance structure might be arranged for fraud control in an entity.

Figure 3.2: Fraud control governance structure

[Figure: organisational chart showing the Chief Executive/Board of Directors, the Audit Committee, the Fraud Control Officer, the Internal Auditor, the Fraud Risk Assessment and the Fraud Control Plan.]

Source: KPMG.

Practical examples of linking fraud control across governance structures include:

Linking the update of the fraud risk assessment to the update of the entity's risk assessment and business planning processes. This ensures fraud and its possible consequences can be formally considered in context with other significant risks facing the entity.

Formalising the relationship between fraud control and the operation of any compliance strategies that an entity has in place. This ensures the compliance strategies are informed by the outcomes of the entity's fraud risk assessment and fraud control plan.


    BETTER PRACTICE CHECKLIST

    Fraud control governance arrangements

Does the entity have an effective and articulated fraud control framework in place?

Does the entity have a central point of contact for fraud control within the entity?

Does the Audit Committee have a role in overseeing the development and implementation of the fraud risk assessment and fraud control plan?

Is information on the entity's values and code of conduct easily accessible to employees and included as part of its induction processes?

Does the entity have a conflict of interest policy and is this easily accessible and understood by employees?

4. Fraud Control Strategies Overview

4.1. Key fraud control themes

Fraud control requires the implementation of a number of key control strategies which contribute to an effective fraud control framework. These strategies are interdependent and subject to a cyclic process of review and enhancement. The strategies are grouped in four key themes:

Fraud prevention involves those strategies designed to prevent fraud from occurring in the first instance;

Fraud detection includes strategies to discover fraud as soon as possible after it has occurred;

Fraud response covers the systems and processes that assist an entity to respond appropriately to an alleged fraud when it is detected; and

Fraud monitoring, reporting and evaluation are strategies to provide assurance that legislative responsibilities are being met, as well as promoting accountability by providing information that demonstrates compliance with specific fraud control strategies.

For these strategies to be effective in the context of an overarching fraud control framework, each strategy must be subject to active management and ownership within an organisation. Senior executive oversight through sound governance arrangements will ensure that each strategy does not operate in isolation, and that interdependencies are effectively identified and managed appropriately.

The following four chapters provide better practice strategies, systems and processes associated with each fraud control theme described above.

4.2. Fraud control strategies and program management

Government entities are regularly required to develop and implement programs to facilitate the delivery of services or stimulus to specific sections of the community. Often these programs support the establishment or delivery of new government services and/or payments. Whenever programs are developed, new opportunities to perpetrate fraud may arise, giving rise to the need for an entity to consider the threat of fraud to the program. This fraud is likely to be from parties both internal and external to an organisation.

4.2.1. Strategic fraud control

The implementation of a new program provides entities with a challenge in balancing the need to deliver the program in an efficient and effective way, with its regulatory responsibilities relating to the proper use of public monies and the Fraud Control Guidelines.

Managing the risk of fraud in a program context typically involves its consideration at each critical stage of the program life cycle. The critical stages of a program generally relate to its: design and business case; procurement strategy; delivery / implementation / management; and closure.

The risk of fraud should also be considered at the policy development stage. This is particularly relevant where the features of a new government policy or program affect the inherent capacity of the initiative to be delivered with a high level of integrity. Factors that affect the potential for fraudulent activity include the degree of flexibility in the eligibility rules and the schedule of services to be provided.

In such cases, the risk of fraud will need to be assessed against desirable aspects of successful program implementation, such as timeliness, accessibility, and the level of personal information required from recipients.


Where the risk of fraud is high, it will be appropriate to introduce preventative controls, such as increased requirements for personal and other relevant information to establish eligibility and the appropriate level of payment, in order to reduce the potential for fraud.

The method of delivery of a government policy or program can also affect the risk of fraud. For example, approaches to deliver government services increasingly use third-party providers and make greater use of e-commerce, including the internet. While these arrangements provide for ease of access to government services, they may also increase the government's exposure to fraud.

For most programs, the prevention, detection and response elements of the fraud control framework will need to be considered at each stage of the program. The key is to get the right balance between fraud risk and control, and to manage the fraud risks while maximising and enhancing operational performance.

For many organisations, the resources available may be limited relative to their fraud control responsibilities. As such, each entity needs to plan at both a strategic and operational level to best meet its responsibilities within its allocated resources and budget. This means planning its fraud control activities based on addressing priority areas and providing for a method of measuring the outcomes of those activities, in terms of their success or otherwise, in meeting its primary objectives. For fraud control purposes, the focus is on reducing the level of fraud in the program through integrated strategies around prevention, detection and response.

4.2.2. Examples of program-specific fraud controls

The type and quantity of fraud controls that can be established within a program generally depend on the objective of the program and the mechanisms it uses to achieve its aim. Table 4.1 below has been structured against the typical life cycle of a program and provides some examples of fraud controls that could be used in a program.

Table 4.1: Examples of fraud controls at typical life cycle phases of a program

Phase: Policy development, program design and business case
Examples of fraud controls: fraud risk assessment; fraud control plan; employment screening; communication and awareness.

Phase: Procurement strategy
Examples of fraud controls: rigorous and transparent tender processes; screening of potential suppliers and customers; segregation of duties on selection and approval of procurements.

Phase: Delivery / implementation / management
Examples of fraud controls: regular supplier reviews (includes surprise audits); data mining / analysis; internal and external reporting mechanisms (hotlines, website, internal reporting channels); response to identified / reported frauds; management / internal audit review of internal controls.

Phase: Closure
Examples of fraud controls: management / internal audit review of program closure and expenditure of final monies.


5. Fraud Control Prevention

Key points

Fraud prevention strategies are the first line of defence and provide the most cost-effective method of controlling fraud within an entity.

Risk management is crucial to fraud control as it guides the development of an effective fraud control plan.

A fraud policy statement assists employees to understand what fraud is, their organisation's attitude to fraud, and what to do if they suspect fraud is being perpetrated.

In determining a fit for purpose approach to managing fraud risks, the resources devoted to preventative strategies should be proportionate to the fraud risk profile.

Providing information to employees and customers on fraud detected and action taken indicates that there are consequences attached to committing fraud and this can act as an effective deterrent.

A separate fraud risk assessment and fraud control plan can be considered for large or high-risk programs in order to address the fraud risk applicable to the program.


Fraud prevention strategies are the first line of defence and provide the most cost-effective method of controlling fraud within an entity. To be effective, fraud prevention within an organisation requires a number of contributory elements, including an ethical organisational culture, a strong awareness of fraud among employees, suppliers and clients, and an effective internal control framework.

Key elements of effective fraud prevention include:

    a robust Fraud Policy and Code o Conduct;

    sound raud risk management processes;

    a comprehensive raud control plan;

    prudent employee, and third party, due diligence;

    regular raud awareness training;

    raud-related controls or activities with a high raud risk exposure;

    system controls to ensure accurate and up-to-date data; and

    communication about investigation outcomes to demonstrate that allegations and incidences o raudare serious and appropriately dealt with.

    As with other raud control strategies, an organisation should align the resources it commits to preventativestrategies according to the raud exposure o the organisation.

    Figure 5.1 illustrates a range o preventative strategies and measures that an entity could consider to manage itsraud risks. The identi ed strategies are mapped on a continuum o resource intensity and raud risk exposure.

    The preventive measures contained at the base o the triangle generally represent those preventative measuresthat would need to be implemented by any entity to have an e ective raud control ramework. Strategies at theapex o the triangle are more appropriate i an entity has a signi cant raud exposure and/or signi cant resourcesto introduce the control.

    In determining a t or purpose approach to managing raud risks, the resources devoted to preventativestrategies and controls should be proportionate to the raud risk pro le as indicated by, or example, themateriality, scope, complexity, and sensitivity o possible raudulent activities. The controls identi ed and theirassociated costs should be considered with respect to the nature and scale o the raud risks they are designedto address.


    Figure 5.1: Fraud prevention measures

    Source: KPMG.

    5.1. Fraud risk management

    Risk management is crucial to fraud control, guiding the development of an effective fraud control plan and associated strategies and activities to minimise the opportunities for fraud to occur. Risk management provides a framework to identify, analyse, evaluate, and treat fraud risks. While the approach taken may need to be tailored to suit the particular needs of individual entities, using structured and systematic risk management methodologies can assist an organisation to assess the level and nature of its exposure to internal and external fraud threats; establish its fraud risk profile so that appropriate resources can be allocated to mitigate or minimise significant fraud risks; and evaluate the effectiveness of its risk control measures.

    Because there is often considerable overlap between organisational risks (that is, enterprise risk, business risk, audit risk, security risk and fraud risk), it is important that fraud risk assessments are considered in the broader context of organisation-wide strategic planning and risk assessment. Figure 5.2 illustrates how organisational risks can overlap. This overlapping of risks means, in turn, that controls addressing these risks may intersect. For example, security controls to manage risks to the integrity of an organisation's information systems can be equivalent to the fraud controls required in the same systems. In addition, a robust fraud control plan can itself be an effective control in the treatment of an organisation's reputation and/or business continuity risks.


    Figure 5.2: Overlap between the organisation's risks

    Source: KPMG.

    5.1.1. Fraud risks

    A central objective in fraud control is to minimise the risk of fraud occurring. The sources of fraud risk will vary according to an entity's profile. The following elements will typically assist an entity to determine its fraud risk context:

    role and functions;

    impact of change in structure or function;

    the operating environment and the entity's relative exposure to external and internal fraud; and

    exposure to ongoing and emerging fraud risks.

    5.1.2. Entity role and functions

    Entities in the general government sector undertake a variety of roles and functions including: policy development and/or review; procurement, including tendering and managing supplier interfaces; revenue collection and administration of payments to the general public (including social, health, and welfare payments); service delivery to the general public, including through program and contract management; and administration of regulation.

    An entity needs to consider the nature of its role and function when identifying its fraud risks and mitigation strategies. For example, an entity that interacts with the broader community is likely to have a different set of fraud risks from one with a policy development focus with little formal contact with the community.


    5.1.3. Change in structure or function

    Government policy or machinery of government changes may require the work performed by particular entities to change, if required by the government of the day. For instance, an entity may be required to introduce a new program, undergo changes to its structure, lose or inherit functions, or change the means of delivery of an existing program. If an entity does undergo a substantial change in structure or function, it should review its fraud risk assessment.

    5.1.4. Relative exposure to external and internal fraud

    The risk of fraud may be internal (perpetrated by an employee or contractor of an organisation) or external (perpetrated by a customer or an external service provider or third party). In complex fraudulent activity there may be collaboration between employees, contractors and/or external service providers.

    Common types of internal fraud include: theft or misuse of tangible assets (cash, inventory, plant and equipment) by employees; theft or misuse of intellectual property or other confidential information (including health, tax and personal records); financial reporting fraud; release or use of misleading information for the purposes of deceiving, misleading or to hide wrongdoing; false invoicing; credit card and other payments fraud; receiving bribes or improper payments; and misuse of position by employees in order to gain some form of financial or non-financial benefit (corruption). Typically, the principal opportunities for internal fraud to occur arise from poor internal controls.

    External fraud, on the other hand, is where the threat of fraud comes from outside the organisation, that is, from external parties. Examples of external fraud include: customers deliberately claiming benefits from government programs that they are knowingly not eligible for; external service providers making claims for services that were not provided; and individuals or businesses intentionally evading payment of taxes to government. Cases of complex fraud may involve collaboration between agency employees and external parties.

    5.1.5. Exposure to ongoing and emerging fraud risks

    Ongoing and emerging fraud risks identified by entities completing the ANAO's 2009 fraud survey included: unauthorised or inappropriate use of information technology; the unauthorised access and release of information; the forgery or falsification of records; identity fraud; and opportunities for fraud arising from the way in which government conducts business, such as the outsourcing of service delivery to external service providers, the introduction of new policy initiatives and programs, the introduction of internet-based transactions and electronic information exchange. 16

    Table 5.1 illustrates particular entity functions and highlights corresponding examples of potential fraud risks.

    16. ANAO Audit Report No.42 2009–10, Fraud Control in Australian Government Agencies, Canberra, 2010.


    Table 5.1: Entity role and typical fraud risk

    Type of entity / function: Policy development and/or review
    Examples of fraud exposure / risk: Consultation with a range of stakeholders both inside and outside APS entities is a key, if not essential, input to policy development work. An example of inappropriate behaviour in an organisation with a policy focus is where a Commonwealth employee makes improper use of inside information, or uses their status, power or authority in order to gain or seek to gain a commercial benefit or other advantage.

    Type of entity / function: Procurement including tendering and managing supplier interfaces
    Examples of fraud exposure / risk: Government purchases include the acquisition of goods, services, and property, including intellectual property. Public officials should not benefit personally from procurement decisions involving expenditure of public money. During any procurement, the community and potential suppliers have a right to expect government representatives to perform their duties in a fair and unbiased way and that the decisions they make will not be affected by self-interest or personal gain.

    Type of entity / function: Revenue collection and administering payments to the general public
    Examples of fraud exposure / risk: Tax evasion and benefit fraud (including fraud associated with social, health, and welfare payments) is generally characterised by the deliberate provision of incorrect information in order to secure payments or payment amounts for which the recipient is not entitled. Based on knowledge of their customers, and evidence from within their systems or from outside information, customer-facing organisations often undertake reviews that examine a recipient's circumstances where there is a perceived risk of fraud. The aim of such reviews is to detect a deliberate error, omission, misrepresentation or fraud on the part of a customer.

    Type of entity / function: Service delivery to the general public including program and contract management
    Examples of fraud exposure / risk: Contracting (or outsourcing) is now an integral part of doing business in the public sector and the delivery of many government programs involves contracting with third-party providers. An example of external fraud includes the fraudulent conduct of service providers who charge the Commonwealth for goods or services that are not delivered, or delivered in an incomplete way.

    Type of entity / function: Exercising regulatory authority
    Examples of fraud exposure / risk: Risks of corruption and misconduct exist in all regulatory authorities. Failure to minimise these risks undermines public confidence in the regulator, resulting in loss of credibility. An example of corrupt and inappropriate behaviour that may occur in a regulatory authority is abuse of power, that is, when an official uses their authority as a regulator to approve compliance with regulatory requirements in exchange for a benefit or advantage.


    5.1.6. Fraud risk assessment and management

    The Fraud Control Guidelines require entities to conduct a fraud risk assessment at least every two years and, in doing so, to be consistent with the Australian/New Zealand Standard AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines, and Australian Standard AS 8001-2008 Fraud and Corruption Control when developing their risk assessments and fraud control plans. 17 This risk management process is outlined in Figure 5.3 below.

    Figure 5.3: Risk management process

    [Figure: the risk assessment stages (establishing the context; risk identification; risk analysis; risk evaluation; documented risk assessment), with communication and consultation, and monitoring and review, running alongside every stage.]

    Source: AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines.

    Several features of the fraud risk management process illustrated above are worth highlighting.

    A robust fraud risk assessment process involves communication and consultation with relevant employees at all levels within an organisation during all stages of the risk management process. This communication should address issues relating to the risk itself, its causes, its impact (if known) and the measures taken to treat it. This approach ensures those accountable for implementing the risk management process and stakeholders understand the basis of decision-making, and the reasons why particular actions are required. 18

    17. Attorney-General's Department, Commonwealth Fraud Control Guidelines, Canberra, 2011.

    Establishing the context involves articulating the organisation's objectives and the external and internal parameters to be taken into account when managing risk. This process also sets the scope and risk criteria for the remaining process.

    Identifying fraud risks requires organisations to consider both internal and external fraud risks including, where relevant to their operations, the potential for international fraud. Organisations can also consider fraud risks that may emerge in the future, for example, fraud risks arising from a change to an IT system or other significant changes in business processes. It is also important that fraud risks are taken into account in the design of a new system or program. Identifying fraud risks at the system and program levels will assist organisations to assess overall organisational risk, and to reflect these risks in their strategic planning objectives.

    As fraud entails dishonesty and deception, the identification of fraud risks requires a sceptical mindset and involves asking probing questions such as: How might a fraudster exploit weaknesses in the systems of controls? How could a perpetrator override or circumvent controls? What could a perpetrator do to conceal fraud?

    Documenting and assigning ownership of the risks and controls is important. The business area responsible for managing a particular fraud risk should be identified and the timeframe for implementing any remedial action should also be clearly documented in risk management plans. An example of a fraud risk register is provided at Appendix C.

    It is also important to monitor and review the fraud risk assessment regularly. The Fraud Control Guidelines require a fraud risk assessment to be performed at least every two years and to coincide with a review of the fraud control plan. The Fraud Control Guidelines also require that where an entity undergoes a substantial change in structure or function, or where there is a significant transfer in function (for example, as a result of outsourcing), the entity must undertake another fraud risk assessment in relation to the changed functions. 19 The Fraud Control Guidelines note that, where appropriate, a rolling program may be introduced to update the fraud risk assessment more regularly.

    An organisation should also actively monitor and review its identified fraud controls. Changes in the effectiveness or applicability of these fraud controls can impact on the organisation's fraud risk assessment to either increase or decrease fraud risk. An entity's internal audit area would generally be expected to assess periodically whether the entity's fraud control framework is appropriate and is operating effectively (including monitoring the outcomes of the fraud control framework). The Audit Committee oversights this process. This role is explored further in Chapter 8.

    5.1.7. Preparation of a fraud control plan

    A fraud control plan is developed or updated through the fraud risk management process and contains a documented record of all fraud control activities and strategies and their owners. As with the fraud risk assessment, the fraud control plan requires review every two years or earlier if the organisation experiences significant change.

    18. AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines, 2009, p.14.
    19. Attorney-General's Department, Commonwealth Fraud Control Guidelines, Canberra, 2011.


    The Fraud Control Guidelines outline the key features of an effective fraud control plan, which have been included, and enhanced, in Table 5.2 below.

    Table 5.2: Key features of an effective fraud control plan

    Key feature: An outline of the structure of the organisation.
    Comments: Include reference to specific fraud control structures in this section of the plan.

    Key feature: A statement of the entity's attitude, definition and approach to fraud.
    Comments: This statement should match that included in the entity's Fraud Policy and be endorsed by the Chief Executive.

    Key feature: Demonstrated links to an up-to-date risk assessment.
    Comments: This promotes the link between fraud risk and fraud control. Examples should be provided to demonstrate this.

    Key feature: Summary of the fraud risks identified.
    Comments: This promotes awareness among staff of the fraud risks faced by an organisation.

    Key feature: Outline the key controls in place to address all identified high-rated fraud risks.
    Comments: Information should be provided on the types and nature of fraud controls to inform employees within the organisation. Where possible, links should be made to the organisation's business planning process.

    Key feature: Address both internal and external fraud risks.
    Comments: Employees need to be aware of the existence of internal and external fraud.

    Key feature: Include a timeline for taking actions on all strategies.
    Comments: This timeline should include realistic deadlines and include monitoring of the implementation of these strategies and controls.

    Key feature: Assign ownership for the design, implementation and evaluation of identified fraud controls.
    Comments: The assignment of ownership is critical in establishing accountability and promoting compliance with the fraud control plan. These responsibilities should also be highlighted in individual performance agreements.

    Key feature: Reinforce the responsibilities that all employees have for fraud control.
    Comments: This provides another avenue to remind employees of their responsibilities in relation to fraud control.

    Key feature: Detail how employees can report and respond to suspected fraud.
    Comments: This will provide employees with enough information on how, and to whom, they should report suspected instances of fraud.

    Key feature: Outline how fraud is investigated within the organisation.
    Comments: Information relating to the investigation process enables employees to understand how fraud is investigated and treated within their organisation.

    Key feature: Establish performance indicators and related targets.
    Comments: Appropriate performance indicators enable the adequate monitoring of the outcomes of proposed fraud control strategies.

    Key feature: Include a summary of relevant awareness-raising and training strategies.
    Comments: This provides information on the fraud awareness-raising activities that are undertaken.

    Chapter 8 provides further guidance on the necessary monitoring and review activities that should be undertaken to ensure that the fraud control plan is current and relevant to the needs of the entity.
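    As an added illustration (not the Guide's, the ANAO's or KPMG's own tooling) of the two-year reassessment rule in Section 5.1.6 and the ownership, control and timeline features in Table 5.2, the following Python checks a constructed fraud risk register; the 3x3 rating matrix, the sample risks and the field names are assumptions made for the example.

```python
"""Fraud risk register checks (added example; the rating matrix, sample
risks and field names are constructed assumptions, not the Guide's)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

REASSESS_INTERVAL = timedelta(days=2 * 365)   # "at least every two years"


def rate(likelihood: int, consequence: int) -> str:
    """Constructed 3x3 matrix: likelihood and consequence each scored 1..3."""
    score = likelihood * consequence
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


@dataclass
class Control:
    description: str
    owner: Optional[str]              # who designs, implements and evaluates it
    remediation_due: Optional[date]   # timeframe for remedial action


@dataclass
class FraudRisk:
    ref: str
    description: str
    source: str                       # "internal" or "external" (Section 5.1.4)
    likelihood: int
    consequence: int
    business_area: Optional[str]      # area responsible for managing the risk
    controls: List[Control] = field(default_factory=list)


def reassessment_due(last_assessed: date, today: date,
                     substantial_change: bool) -> bool:
    """A fresh fraud risk assessment is required once two years have elapsed,
    or when the entity has had a substantial change in structure or function."""
    return substantial_change or today - last_assessed >= REASSESS_INTERVAL


def register_findings(risks: List[FraudRisk], today: date) -> List[str]:
    """Gaps against Table 5.2: both internal and external risks are covered,
    every risk has an owning business area, and every high-rated risk has a
    key control with an owner and a remediation date that is not already past."""
    findings = []
    sources = {r.source for r in risks}
    for kind in ("internal", "external"):
        if kind not in sources:
            findings.append(f"register contains no {kind} fraud risks")
    for r in risks:
        if r.business_area is None:
            findings.append(f"{r.ref}: no business area owns this risk")
        if rate(r.likelihood, r.consequence) != "high":
            continue            # controls are only mandatory for high-rated risks
        if not r.controls:
            findings.append(f"{r.ref}: high-rated risk has no key control")
        for c in r.controls:
            if c.owner is None:
                findings.append(f"{r.ref}: control '{c.description}' has no owner")
            if c.remediation_due is None:
                findings.append(f"{r.ref}: control '{c.description}' has no timeframe")
            elif c.remediation_due < today:
                findings.append(f"{r.ref}: control '{c.description}' is overdue")
    return findings


# Constructed sample register for a hypothetical entity (not from the Guide).
SAMPLE_RISKS = [
    FraudRisk("R1", "False invoicing by accounts payable staff", "internal", 2, 3,
              "Finance", [Control("Three-way match of order, receipt and invoice",
                                  "Chief Financial Officer", date(2011, 6, 30))]),
    FraudRisk("R2", "Benefit claims by ineligible customers", "external", 3, 3,
              "Program Delivery", [Control("Data matching of claims", None, None)]),
    FraudRisk("R3", "Personal use of a corporate credit card", "internal", 2, 1, None),
]
```

    Calling register_findings(SAMPLE_RISKS, date(2011, 3, 1)) reports the unowned and undated R2 control and the unowned R3 risk, while R1 passes.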


    5.1.8. Organisation size

    The nature and materiality of the internal and external fraud risks faced by small public sector entities could be expected to be different from the fraud risks faced by large client-facing entities. For this reason, a better practice principle for small public sector entities is to have fit for purpose mechanisms in place to combat fraud.

    To mitigate the risk of internal fraud occurring, the control structures within small organisations should have a basic level of preventative controls. For example, avoiding the concentration of key decision areas in the hands of a single individual is fundamental to the prevention of fraud. Although the separation of duties is a powerful internal control, it is not always feasible in small organisations. Accordingly, there should be compensating controls in place such as the Chief Executive or Board approving some transactions.

    5.1.9. Outsourcing of fraud control activities

    Many entities choose to outsource various aspects of their fraud control arrangements. The Fraud Control Guidelines provide information on the outsourcing of fraud control activities, the key criterion being that the outsourcing does not compromise the entity's fraud control arrangements. 20 In reaching the decision to outsource aspects of its fraud control arrangements, an entity must ensure the outsourced provider is: suitably qualified and experienced; complies with the requirements of the Fraud Control Guidelines; is familiar with the entity's internal policies and procedures and applicable legislative responsibilities, as well as any potential conflicts of interest; and committed to complying with the requirements of the Privacy Act 1988.

    In addition, it is better practice for an entity outsourcing any or all of its fraud control to ensure:

    a fraud risk assessment is undertaken as part of the development or update of its existing fraud control plan;

    the fraud control plan covers all aspects of the entity, including its programs and services;

    an in-house contact point is assigned for reporting and recording all allegations of fraud; and

    the purchasing entity appoints a manager to be responsible for fraud control overall.

    While all or part of the fraud control arrangements can be outsourced, entities remain accountable for meeting their obligations under legislated requirements and the Fraud Control Guidelines.

    20. Attorney-General's Department, Commonwealth Fraud Control Guidelines, Canberra, 2011.


    5.3. Preventative measures

    5.3.1. Code of conduct

    A robust code of conduct is integral in establishing an ethical culture. Chapter 3 of this Guide outlines the APS Values and Code of Conduct.

    For Australian Government agencies, the APS Values and Code of Conduct are the benchmark statements of appropriate behaviour for public servants. 22 Where applicable, entities can develop a Code of Conduct that suits their needs and that encapsulates issues unique to their organisation. This would need to be consistent with the APS Values and Code of Conduct.

    If an entity does not have its own