Audit snapshot

Why did we do this audit?

  • Fraud against the Commonwealth makes less money available for public goods and services.
  • All Commonwealth entities are required to have arrangements in place to prevent, detect and deal with fraud.
  • This audit is part of a series of three audits intended to provide assurance to Parliament on the selected entities’ fraud control arrangements, and assist other entities to consider the effectiveness of their fraud control arrangements.

Key facts

  • The Australian Government has set out its requirements for fraud control in the 2017 Commonwealth Fraud Control Framework.
  • All non-corporate Commonwealth entities are required to follow the framework’s fraud policy and should implement better practice fraud guidance, as relevant.
  • As the accountable authority, the department’s Secretary is required to take all reasonable measures to prevent, detect and deal with fraud against the department.

What did we find?

  • Fraud control arrangements in the Department of Foreign Affairs and Trade are largely effective.
  • The department’s arrangements comply with the mandatory requirements of the Commonwealth Fraud Control Framework.
  • The department has also implemented arrangements that are largely consistent with the whole of government better practice fraud guidance.
  • The accountable authority has promoted a fraud aware culture, with further attention required to address low levels of compliance with mandatory fraud awareness training requirements.

What did we recommend?

  • The Auditor-General made three recommendations regarding clarity in the assignment of responsibility for controls, updating aspects of investigations procedures, and improved compliance with mandatory fraud awareness training.
  • The Department agreed to the recommendations.

  • 31-65%: The proportion of staff that completed mandatory fraud awareness training between 2018 and 2020.
  • 205: The number of finalised fraud investigations in 2018–19.
  • 152 (74%): The number of finalised investigations first identified from a tip off from staff or the public.

Summary and recommendations

Background

1. The Australian Government (the government) defines fraud as:

Dishonestly obtaining a benefit or causing a loss by deception or other means.[1]

2. Fraud requires intent, and is more than carelessness, accident or error. Without intent, an incident may indicate non-compliance rather than fraud.[2]

3. Fraud against the Commonwealth can be committed by Commonwealth officials or contractors (internal fraud) or by external parties such as clients, service providers, members of the public or organised criminal groups (external fraud).[3] In some cases fraud against the Commonwealth may involve collusion between external and internal parties, and can include corrupt conduct such as bribery. However, not all corrupt conduct meets the definition of fraud.[4]

4. Australian Government entities have long been required to establish arrangements to manage fraud risks. The government’s requirements for fraud control are contained in the 2017 Commonwealth Fraud Control Framework[5] (the Framework) pursuant to the Public Governance, Performance and Accountability Act 2013 (PGPA Act). The Framework comprises three tiered documents — the fraud rule, fraud policy and fraud guidance — with different binding effects for corporate and non-corporate Commonwealth entities.[6] The Attorney-General’s Department is responsible for administering the Framework.

5. As non-corporate Commonwealth entities, Australian Government departments must comply with the fraud rule and fraud policy. While the fraud guidance is not binding, the government considers the guidance to be better practice and expects entities to follow it where appropriate.[7]

6. This audit is one in a series of three performance audits reviewing fraud control arrangements in selected departments — the Department of Foreign Affairs and Trade, the Department of Home Affairs, and the Department of Social Services. The focus of this audit report is the Department of Foreign Affairs and Trade.

Rationale for undertaking the audit

7. This audit series is intended to provide assurance to the Parliament regarding the fraud control arrangements of selected Australian Government departments. All Commonwealth entities are required to have fraud control arrangements in place because preventing, detecting and responding to fraud against the Commonwealth is necessary to ensure the proper use of public resources, financial and material losses are minimised, and public confidence is maintained. In addition, this audit series aims to assist all Commonwealth entities to consider the effectiveness of their fraud control arrangements, including areas where additional effort would improve consistency with whole of government better practice fraud guidance (discussed in paragraph 5) and the take-up of whole of government advice on new and emerging fraud risks (discussed in paragraph 10).

Audit objective and criteria

8. The objective of the audit was to assess the effectiveness of the Department of Foreign Affairs and Trade’s fraud control arrangements. The high level audit criteria were that the department:

  • complies with the mandatory requirements set out in the Commonwealth Fraud Control Framework and arrangements are consistent with the government’s better practice guidance; and
  • promotes a fraud aware culture.

9. The ANAO did not assess whether specific controls are in place or the effectiveness of such controls in the selected entity.[8]

10. The ANAO reviewed fraud control arrangements in place within the department during the period of audit fieldwork, September 2019 to early February 2020. On 18 February 2020 the Australian Government activated the Emergency Response Plan for Novel Coronavirus (COVID-19).[9] On 27 March 2020 the Australian Federal Police’s Operation Ashiba and the Commonwealth Counter Fraud Prevention Centre in the Attorney-General’s Department established the Commonwealth COVID-19 Counter Fraud Taskforce intended to support Commonwealth agencies to prevent fraud against the COVID-19 economic stimulus measures.[10] The Commonwealth Fraud Prevention Centre circulated the Fraud Control in COVID-19 Emergency and Crisis Management fact sheet to Commonwealth entities, with information about key fraud risks related to COVID-19 response efforts.

11. The Department of Foreign Affairs and Trade was invited by the ANAO to make a representation in relation to its current or planned arrangements to address increased fraud risks resulting from the COVID-19 response. The department advised the ANAO in June 2020 that:

In response to COVID-19, DFAT undertook assessments of risk and whole of Government consultations to inform the focus for fraud operations.

The department has and will continue to concentrate on (a) ensuring continuity in case referrals and management under remote working; and (b) proactive engagement and communications with internal and external stakeholders emphasising practical up-front counter-measures to disrupt and reduce the impacts of fraud. An ‘infographic’ on how to manage fraud under COVID-19 in DFAT specific operations has been circulated to staff.

DFAT governance committees, including the Audit and Risk Committee and the Performance, Risk and Resourcing Committee, were briefed on the approach (in April and May respectively). Deputy Secretaries and First Assistant Secretaries have emailed internal and external stakeholders emphasising core principles for fraud prevention.

DFAT is participating in the whole of Australian Government Senior Officers Fraud Forum. The Fraud Control Section has sent a Cable to all staff and portfolio agencies sharing fraud related insights from the Australian Criminal Intelligence Commission. Further whole of Government products have and will continue to be circulated across the Department.

Conclusion

12. Fraud control arrangements in the Department of Foreign Affairs and Trade are largely effective. The department’s arrangements comply with the mandatory requirements of the Commonwealth Fraud Control Framework, are largely consistent with the whole of government better practice fraud guidance, and the accountable authority has taken steps to promote a fraud aware culture. Further attention is required to address low levels of compliance with mandatory fraud awareness training requirements and to improve consistency with internal requirements by identifying fraud control owners and updating investigations procedures.

13. The department has developed and implemented a fraud control plan, completed fraud risk assessments and has guidance and procedures to assist officials to understand what constitutes fraud and to carry out their fraud prevention responsibilities.

14. The department has mechanisms in place to assess and provide assurance of its controls. Internal reporting and oversight would be strengthened by: requiring business areas to report on progress to reduce fraud risks above the tolerance level; and ensuring that responsibility for controls is assigned by position, in line with internal guidance.

15. The department has put in place controls to detect fraud, including reporting channels for use by staff and members of the public. The department’s fraud investigation procedures are largely consistent with the Australian Government Investigations Standards, with attention required to update some procedures.

16. The department has taken steps to promote a fraud aware culture and meets the reporting requirements set out in the framework. While there is internal messaging to staff about fraud control and a program of mandatory fraud awareness training, completion rates for that training are consistently low. Recent remediation measures are credited with improved compliance, but continued attention is required as failure to adequately address non-compliance with mandatory requirements communicates to staff that compliance is optional.

Supporting findings

Risk management, planning and prevention

17. The department considers fraud risk in the context of its overarching risk management framework. Fraud risks must be considered by departmental officials when they are conducting risk assessments. The Secretary’s expectation for work areas to control fraud in their activities is documented in the fraud control plan. The department’s fraud toolkit for staff provides information and instructions to assist staff to meet this expectation.

18. As required by the fraud rule, fraud risks are identified and the assessments are conducted at regular intervals. The department conducted a fraud risk assessment in 2017 prior to the development of the fraud control plan. In 2019, a fraud risk assessment for seven (mostly financial) business processes was conducted. Both fraud risk assessments involved consultation with relevant areas across the department. Departmental staff have or are in the process of gaining qualifications in fraud control.

19. Fraud risks are assessed and given a fraud risk exposure rating based on the likelihood and consequences of the risk occurring. Depending on the assessed exposure rating and having regard to the department’s tolerance level, these risks are then addressed with responses ranging from monitoring to actively treating the risk. Of the 91 fraud risks identified in the department’s 2017 fraud risk assessment, seven (7.7 per cent) were identified in internal reporting as ‘critical’ fraud risks. One additional ‘critical’ risk was identified in the department’s 2019 fraud risk assessment. The department took action to address these ‘critical’ fraud risks and reported on the actions taken to mitigate these risks to its Executive.

20. The department has a range of preventive controls in place to prevent fraud and tests its controls to ensure they are operational. The department has undertaken control reviews and has mechanisms in place to provide assurance around its control environment. These mechanisms could be better supported by clear assignment of control owners, by position, in line with the department’s risk management guide.

Detection, investigation and response

21. The department has processes for departmental staff and others (such as members of the public and funding recipients) to confidentially report allegations of fraud. The department’s main source of fraud detection is tip offs from within the department (for allegations of internal fraud) or from sources external to the department (for allegations of external fraud). The department has a publicly available procedure for handling Public Interest Disclosures. The department also detects fraud through other detective controls. These include internal audits, data analytics and forensic examination.

22. The department’s investigation procedures are largely consistent with the Australian Government Investigations Standards. The department’s policy and procedures for conducting investigations of suspected internal fraud require updating.

Culture, assurance and reporting

23. The department has set expectations and promotes a fraud aware culture through: a fraud strategy statement; a Fraud Control Toolkit for Funding Recipients; a fraud control plan; a conduct and ethics manual for departmental staff; a Fraud Control Toolkit for Staff; fraud awareness programs for funding providers; and internal messaging to all staff from the Secretary about fraud control. The department’s audit and risk committee charter and work plan allow the committee to review the department’s fraud risks. The committee has done so and provided reports to the Secretary.

24. Completion rates for the department’s mandatory fraud awareness training are consistently low — in the range of 31 to 65 per cent between 2018 and 2020.

25. The department has provided assurance about its fraud control arrangements through reporting. The department has:

  • met annual report requirements under subsection 17AG(2) of the Public Governance, Performance and Accountability Rule 2014;
  • complied with mandatory reporting obligations in the Commonwealth Fraud Control Policy to provide information to the Australian Institute of Criminology annually; and
  • implemented the fraud guidance recommendation to keep the Minister informed about entity fraud control arrangements and significant issues.

Recommendations

Recommendation no.1

Paragraph 2.47

The Department of Foreign Affairs and Trade’s department-level fraud risk assessments identify control owners by position, in line with its risk management guide.

Department of Foreign Affairs and Trade response: Agreed.

Recommendation no.2

Paragraph 3.24

The Department of Foreign Affairs and Trade update its policy and processes for fraud investigations to fully meet Australian Government Investigations Standards requirements.

Department of Foreign Affairs and Trade response: Agreed.

Recommendation no.3

Paragraph 4.23

The Department of Foreign Affairs and Trade improves staff compliance relating to mandatory fraud awareness training.

Department of Foreign Affairs and Trade response: Agreed.

Summary of entity response

The Department of Foreign Affairs and Trade (DFAT) welcomes the report, which is part of a series of three audits on selected Commonwealth entities assessing the effectiveness of fraud control arrangements. We welcome the findings that fraud control arrangements are largely effective and the department’s arrangements comply with mandatory requirements of the Commonwealth Fraud Control Framework.

DFAT is committed to continuous improvement in our framework to prevent, detect and respond to fraud. Fraud undermines our ability to achieve objectives and reduces the effectiveness of the Australian Government’s policies and programs. We accept the audit report recommendations regarding identification of control owners by position, updating aspects of investigations procedures and improved staff compliance relating to mandatory fraud awareness training. DFAT will address these recommendations through ongoing update in our fraud control policies, procedures and guidelines.

Key messages from this audit for all Australian Government entities

26. This audit is one in a series of three performance audits reviewing fraud control arrangements in selected non-corporate Australian Government entities:

  • the Department of Foreign Affairs and Trade;
  • the Department of Home Affairs; and
  • the Department of Social Services.

27. Key messages from this audit series will be outlined in an ANAO Insights product available on the ANAO website.

1. Background

Introduction

1.1 Fraud against the Commonwealth causes financial and material loss, reducing the amount of money available for public goods and services and impacting on government’s ability to achieve its objectives. Fraud can also damage trust in government. Managing fraud risk is a responsibility shared by all Commonwealth officials, with ongoing effort commensurate to the scale of fraud risk required to effectively prevent, identify and respond to fraud. Fraud threats are constantly evolving, meaning responses need to be dynamic.

1.2 The Australian Government (the government) defines fraud as:

Dishonestly obtaining a benefit or causing a loss by deception or other means.[11]

1.3 Fraud requires intent, and is more than carelessness, accident or error. Without intent, an incident may indicate non-compliance rather than fraud.[12] Fraud against the Commonwealth may include (but is not limited to):

  • theft;
  • accounting fraud (for example, false invoices, misappropriation);
  • misuse of Commonwealth credit cards;
  • unlawful use of, or unlawful obtaining of, property, equipment, material or services;
  • causing a loss, or avoiding and/or creating a liability;
  • providing false or misleading information to the Commonwealth, or failing to provide information when there is an obligation to do so;
  • misuse of Commonwealth assets, equipment or facilities;
  • cartel conduct;
  • making or using false, forged or falsified documents; and/or
  • wrongfully using Commonwealth information or intellectual property.[13]

1.4 Fraud against the Commonwealth can be committed by Commonwealth officials or contractors (internal fraud) or by external parties such as clients, service providers, members of the public or organised criminal groups (external fraud).[14] In some cases fraud against the Commonwealth may involve collusion between external and internal parties, and can include corrupt conduct such as bribery. However, not all corrupt conduct meets the definition of fraud.[15]

The Australian Government’s fraud control framework

1.5 Australian Government entities have long been required to establish arrangements to manage fraud risks. At the time of this audit, the government’s requirements for fraud control are contained in the 2017 Commonwealth Fraud Control Framework[16] (the Framework) pursuant to the Public Governance, Performance and Accountability Act 2013 (PGPA Act). A desktop review conducted by the ANAO of state and territory and international fraud control frameworks is presented at Appendix 2.

1.6 The Framework is intended to: allow Commonwealth entities to manage their fraud risks in a way which best suits the individual circumstances of the entity; and support the accountable authority[17] to effectively discharge their responsibilities under the PGPA Act. The Framework comprises three tiered documents with different binding effects:[18]

  • Section 10 of the Public Governance, Performance and Accountability Rule 2014 (the fraud rule): A legislative instrument binding all Commonwealth entities and setting out the key requirements of fraud control.
  • The Commonwealth Fraud Control Policy (the fraud policy): An Australian Government policy binding non-corporate Commonwealth entities[19] setting out procedural requirements for specific areas of fraud control such as investigations and reporting.
  • Resource Management Guide No. 201 — Preventing, detecting and dealing with fraud (the fraud guidance): A better practice document setting out the government’s expectations in detail for fraud control arrangements within all Commonwealth entities.

1.7 As non-corporate Commonwealth entities, Australian Government departments must comply with the fraud rule and fraud policy. While the fraud guidance is not binding, the government considers it to be better practice and expects entities to follow it where appropriate.[20]

1.8 The Attorney-General’s Department (AGD) administers the Framework. The Australian Government is providing $16.4 million over two years from 2019–20 to AGD ($6.6 million) and the Australian Federal Police (AFP) ($9.8 million) to pilot and continue measures to strengthen Commonwealth counter-fraud arrangements.[21] The AGD established the Commonwealth Fraud Prevention Centre, and is piloting measures to improve the sharing of data, information and knowledge across government. The AFP established Operation Ashiba to lead a Commonwealth multi-agency taskforce intended to support and strengthen whole of government efforts to detect, disrupt and respond to serious and complex fraud.

Responsibilities of accountable authorities

1.9 The PGPA Act and the PGPA Rule contain specific duties and requirements for the accountable authority of a Commonwealth entity pertaining to internal control arrangements, including for fraud control and relevant reporting (Table 1.1).

Table 1.1: Responsibilities of accountable authorities (PGPA Act and PGPA Rule)

Reference: Section 15, PGPA Act
Duty or requirement: Duty to govern the Commonwealth entity

1. The accountable authority of a Commonwealth entity must govern the entity in a way that:

  • promotes the proper use[a] and management of public resources for which the authority is responsible; and
  • promotes the achievement of the purposes of the entity; and
  • promotes the financial sustainability of the entity.

2. In making decisions for the purposes of subsection (1), the accountable authority must take into account the effect of those decisions on public resources generally.

Reference: Section 16, PGPA Act
Duty or requirement: Duty to establish and maintain systems relating to risk and control

The accountable authority of a Commonwealth entity must establish and maintain:

  1. an appropriate system of risk oversight and management for the entity; and
  2. an appropriate system of internal control for the entity;

including by implementing measures directed at ensuring officials of the entity comply with the finance law.

Reference: Section 10, PGPA Rule
Duty or requirement: Preventing, detecting and dealing with fraud

The accountable authority of a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by:

  1. conducting fraud risk assessments regularly and when there is a substantial change in the structure, functions or activities of the entity; and
  2. developing and implementing a fraud control plan that deals with identified risks as soon as practicable after conducting a risk assessment; and
  3. having an appropriate mechanism for preventing fraud, including by ensuring that:
    1. officials of the entity are made aware of what constitutes fraud; and
    2. the risk of fraud is taken into account in planning and conducting the activities of the entity; and
  4. having an appropriate mechanism for detecting incidents of fraud or suspected fraud, including a process for officials of the entity and other persons to report suspected fraud confidentially; and
  5. having an appropriate mechanism for investigating or otherwise dealing with incidents of fraud or suspected fraud; and
  6. having an appropriate mechanism for recording and reporting incidents of fraud or suspected fraud.

Reference: Subsection 17AG(2), PGPA Rule
Duty or requirement: Information on management and accountability

The annual report must include the following:

  1. information on compliance with section 10 (which deals with preventing, detecting and dealing with fraud) in relation to the entity during the period.
  2. A certification by the accountable authority of the entity that:
    1. fraud risk assessments and fraud control plans have been prepared for the entity; and
    2. appropriate mechanisms for preventing, detecting incidents of, investigating or otherwise dealing with and recording or reporting fraud that meet the specific needs of the entity are in place for the entity; and
    3. all reasonable measures have been taken to deal appropriately with fraud relating to the entity.

Note a: In respect to ‘proper use’, section 8 of the PGPA Act provides that: ‘proper, when used in relation to the use or management of public resources, means efficient, effective, economical and ethical’.

Source: PGPA Act and PGPA Rule.

Extent of fraud against the Commonwealth

1.10 The Australian Government has reported that the extent of fraud against the Commonwealth, including the exact cost and impact, is unknown.[22] Fraud can be hidden, difficult to detect or remain unreported. The Australian Institute of Criminology (AIC) produces an annual report measuring levels of fraud detected and investigated across the Commonwealth on the basis of data self-reported by Commonwealth entities via an online questionnaire.[23] The Commonwealth fraud investigations 2017–18 and 2018–19 report[24] stated that of 155 entities with responses, 30 (19 per cent) commenced internal fraud investigations and 37 (24 per cent) commenced external fraud investigations. In total, 52 (34 per cent) different entities commenced investigations. In 2018–19, 27 (17 per cent) entities finalised internal fraud investigations and 34 (22 per cent) entities finalised external fraud investigations. In total, 44 (28 per cent) different entities finalised fraud investigations in the 2018–19 financial year. The AIC estimated fraud losses during 2018–19 of $149,680,728 ($2,775,917 from internal fraud; $146,904,811 from external fraud), on the basis of completed investigations where fraud could be quantified.[25]

1.11 The results of a desktop review by the ANAO of international research to estimate fraud losses is presented in Appendix 2.

Previous audits

1.12 The interim audit phase of the ANAO’s annual program of financial statements audits includes an assessment of the effectiveness of each entity’s internal controls as they relate to the risk of misstatement in the financial statements. Auditor-General Report No.46 2018–19 Interim Report on Key Financial Controls of Major Entities (the controls report) reported that at the completion of the ANAO’s interim audits for the 26 major entities included in that report, the key elements of internal control were operating effectively for 19 entities[26], including the three departments selected for this performance audit series.[27] In the context of the ANAO’s review of entity internal controls, the controls report included a focus on and an analysis of, payment card and fraud control policies together with a continued review of compliance with the Commonwealth’s finance law.[28]

1.13 Australian Government fraud control arrangements have also been the subject of previous ANAO performance audits. The most recent relevant audit was tabled in 2018–19 and examined the fraud control arrangements of the National Disability Insurance Agency (NDIA). The audit found that while the NDIA was largely compliant with the requirements of the Commonwealth Fraud Rule[29] there was scope to improve: fraud prevention strategies; measures to detect potential fraud; and the effectiveness of fraud control governance and reporting arrangements.[30] A key learning for other government entities arising from the audit was that the Commonwealth Fraud Control Framework (not just the Fraud Rule) provides a robust framework for all government entities to manage fraud risk. In the absence of it being mandatory for corporate entities to comply with all elements of the framework, corporate entities should see its implementation as good practice.[31]

1.14 An ANAO audit tabled in 2014–15 of the fraud control arrangements of selected entities[32] found that overall these entities were generally compliant with the applicable requirements of the 2011 Fraud Control Guidelines (the Guidelines) that were in effect during the course of the audit. The audit included one recommendation.

To facilitate the timely preparation of the annual Fraud Against the Commonwealth Report and the annual Compliance Report to Government, the ANAO recommends that the Attorney-General’s Department formalises its business arrangements with the Australian Institute of Criminology.[33]

1.15 From 1 July 2014, the Guidelines were replaced with the Commonwealth Fraud Control Framework pursuant to the PGPA Act. The fraud policy was reissued in August 2016, with new provisions implementing the ANAO recommendation detailed in paragraph 1.14 by formalising the requirement for entities to provide information to the AIC to facilitate the AIC annual fraud report.[34] The fraud guidance was reissued in August 2017.[35]

Selected entities in this audit series

1.16 This audit is one in a series of three performance audits reviewing fraud control arrangements in selected departments — the Department of Foreign Affairs and Trade, the Department of Home Affairs and the Department of Social Services. The focus of this audit report is the Department of Foreign Affairs and Trade.

1.17 Other audits in the series are:

  • Auditor-General Report No.43 2019-20 Fraud Control Arrangements in the Department of Home Affairs; and
  • Auditor-General Report No.44 2019-20 Fraud Control Arrangements in the Department of Social Services.

1.18 Contextual information about the Department of Foreign Affairs and Trade is provided at Table 1.2.

Table 1.2: Contextual information about the Department of Foreign Affairs and Trade

Element: Contextual information

  • Entity mission/purpose: To make Australia stronger, safer and more prosperous, to provide timely and responsive consular and passport services, and to ensure a secure Australian presence overseas.
  • Number of staff (as at June 2019): 6,078 — 3,136 overseas, including 2,276 locally engaged staff in overseas posts.
  • Number of staff dedicated to fraud related duties[a] (as at June 2019): 39
  • Total resourcing ($’000) (for 2018–19): 6,205,906
  • Geographic location: Worldwide locations — 109 locations overseas with an additional 11 posts managed by Austrade. Major office in Canberra, offices in every state and territory and the Torres Strait.

Note a: ‘Fraud-related duties’ as defined within the 2018–19 AIC fraud questionnaire, could include work in fraud control policy, fraud risk management, prevention, detection, investigation, delivery of training and/or fraud reporting.

Source: ANAO drawing on the Department of Foreign Affairs and Trade 2018–19 Annual Report, 2019–20 Portfolio Budget Statements and AIC 2018–2019 fraud questionnaire.

Rationale for undertaking the audit

1.19 This audit series is intended to provide assurance to the Parliament regarding the fraud control arrangements of selected Australian Government departments. All Commonwealth entities are required to have fraud control arrangements in place because preventing, detecting and responding to fraud against the Commonwealth is necessary to ensure the proper use of public resources, financial and material losses are minimised, and public confidence is maintained. In addition, this audit series aims to assist all Commonwealth entities to consider the effectiveness of their fraud control arrangements, including areas where additional effort would improve consistency with whole of government better practice fraud guidance (discussed in paragraphs 1.6 and 1.7) and the take-up of whole of government advice on new and emerging fraud risks (discussed in paragraph 1.22).

Audit approach

Audit objective, criteria and scope

1.20 The objective of the audit was to assess the effectiveness of the Department of Foreign Affairs and Trade’s fraud control arrangements. The high level audit criteria were that the department:

  • complies with the mandatory requirements set out in the Commonwealth Fraud Control Framework and arrangements are consistent with the government’s better practice guidance; and
  • promotes a fraud aware culture.

1.21 The ANAO did not assess whether specific controls are in place or the effectiveness of such controls in the selected entity.[36]

1.22 The ANAO reviewed fraud control arrangements in place within the department during the period of audit fieldwork, September 2019 to early February 2020. On 18 February 2020 the Australian Government activated the Emergency Response Plan for Novel Coronavirus (COVID-19).[37] On 27 March 2020 the Australian Federal Police’s Operation Ashiba and the Commonwealth Counter Fraud Prevention Centre in the Attorney-General’s Department established the Commonwealth COVID-19 Counter Fraud Taskforce intended to support Commonwealth agencies to prevent fraud against the COVID-19 economic stimulus measures.[38] The Commonwealth Fraud Prevention Centre circulated the Fraud Control in COVID-19 Emergency and Crisis Management fact sheet to Commonwealth entities, with information about key fraud risks related to COVID-19 response efforts.

1.23 The Department of Foreign Affairs and Trade was invited by the ANAO to make a representation in relation to its current or planned arrangements to address increased fraud risks resulting from the COVID-19 response. The department advised the ANAO in June 2020 that:

In response to COVID-19, DFAT undertook assessments of risk and whole of Government consultations to inform the focus for fraud operations.

The department has and will continue to concentrate on (a) ensuring continuity in case referrals and management under remote working; and (b) proactive engagement and communications with internal and external stakeholders emphasising practical up-front counter-measures to disrupt and reduce the impacts of fraud. An ‘infographic’ on how to manage fraud under COVID-19 in DFAT specific operations has been circulated to staff.

DFAT governance committees, including the Audit and Risk Committee and the Performance, Risk and Resourcing Committee, were briefed on the approach (in April and May respectively). Deputy Secretaries and First Assistant Secretaries have emailed internal and external stakeholders emphasising core principles for fraud prevention.

DFAT is participating in the whole of Australian Government Senior Officers Fraud Forum. The Fraud Control Section has sent a Cable to all staff and portfolio agencies sharing fraud related insights from the Australian Criminal Intelligence Commission. Further whole of Government products have and will continue to be circulated across the Department.

Audit methodology

1.24 The audit methodology involved:

  • assessing entity arrangements against the mandatory requirements of the Commonwealth Fraud Control Framework;
  • reviewing entity records;
  • reviewing entity procedures for planning, prevention, detection, investigation and responding to fraud and allegations of fraud, against the fraud guidance; and
  • discussions with relevant entity staff.

1.25 To assess the department’s compliance with the Commonwealth Fraud Control Framework, the ANAO has read the fraud rule in conjunction with the fraud guidance, and has based its assessment and findings on the suite of documents produced by the department to support fraud control planning.

1.26 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $215,000.

1.27 The team members for this audit were Tracy Cussen, Ailsa McPherson, Michael Fitzgerald, Hannah Climas and Michelle Page.

2. Risk management, planning and prevention

Areas examined

This chapter examines whether the department has complied with the mandatory requirements set out in the Commonwealth Fraud Control Framework as they relate to fraud prevention and the extent to which these arrangements are consistent with the Australian Government’s fraud guidance.

Conclusion

The department has developed and implemented a fraud control plan, completed fraud risk assessments and has guidance and procedures to assist officials to understand what constitutes fraud and to carry out their fraud prevention responsibilities.

The department has mechanisms in place to assess and provide assurance of its controls. Internal reporting and oversight would be strengthened by: requiring business areas to report on progress to reduce fraud risks above the tolerance level; and ensuring that responsibility for controls is assigned by position, in line with internal guidance.

Areas for improvement

The ANAO has made one recommendation, aimed at ensuring that responsibility for identified fraud controls is clearly assigned in department-level fraud risk assessments.

The ANAO has also suggested that business areas report to the department’s Fraud Control Section on progress to reduce fraud risks above the tolerance level, to improve reporting to the departmental executive.

2.1 Section 10 of the Public Governance, Performance and Accountability Rule 2014 (the fraud rule) requires the accountable authority of a Commonwealth entity to take all reasonable measures to prevent fraud relating to the entity.[39] In order to prevent fraud, entities must understand their fraud risks and ensure arrangements are in place to prevent fraud from occurring.

2.2 The ANAO examined entity compliance with the mandatory requirements of the Commonwealth Fraud Control Framework and the extent to which entity arrangements are consistent with Resource Management Guide No. 201 — Preventing, detecting and dealing with fraud (the fraud guidance), to assess:

  • whether the entity has considered fraud risk management within the context of its overall risk management process, including the content of the entity’s fraud control plan;
  • how fraud risks are identified and whether these assessments are conducted at regular intervals;
  • how identified fraud risks are assessed and addressed; and
  • whether preventive controls to manage fraud risks have been identified and are being adequately assessed.

Is fraud risk considered within the context of the overall risk management process?

The department considers fraud risk in the context of its overarching risk management framework. Fraud risks must be considered by departmental officials when they are conducting risk assessments. The Secretary’s expectation for work areas to control fraud in their activities is documented in the fraud control plan. The department’s fraud toolkit for staff provides information and instructions to assist staff to meet this expectation.

2.3 As a non-corporate Commonwealth entity, the Department of Foreign Affairs and Trade (DFAT or the department) is bound by the Australian Government’s Commonwealth Fraud Control Policy (fraud policy), which states that:

Non-corporate Commonwealth entities must ensure that their fraud control arrangements are developed in the context of the entity’s overarching risk management framework as described in the Commonwealth Risk Management Policy.[40]

2.4 In addition, the fraud guidance states that:

It is important to avoid looking at fraud in isolation from the general business of the entity. Entities are strongly encouraged to develop dynamic fraud risk assessment procedures integrated within an overall business risk approach rather than in a separate program.[41]

2.5 To assess whether fraud risk is considered within the context of DFAT’s overarching risk management process, the ANAO reviewed how fraud is considered in the department’s risk management guide and assessed whether the contents of the department’s fraud control plan contained the components suggested in the fraud guidance.

DFAT’s risk management guide

2.6 The Secretary[42] issued the risk management guide (the risk guide) in December 2018, with an updated version released in February 2020. The guide aims to help departmental officials manage risk in delivering on the department’s objectives. The guide contains the department’s risk management framework, which is:

The sum of all the policies, procedures, and governance structures that directly or indirectly guide the behaviour and actions of officers to manage risks in the pursuit of objectives.

2.7 The department’s risk management guide is intended to support the department’s compliance with the Commonwealth Fraud Control Framework. While specific risks the department faces in delivering on its objectives are not detailed in the risk guide, the guide does identify risk policy areas. These are areas with risks that are managed through additional policy, processes and guidance. The risk management guide categorises fraud risk as a risk policy area, and as such, departmental officials must consider fraud risk when conducting risk assessments if they consider fraud risk to be relevant.

DFAT’s fraud control plan

2.8 Subsection 10(b) of the fraud rule states that the accountable authority must develop and implement ‘a fraud control plan that deals with identified risks as soon as practicable after conducting a risk assessment’.[43]

2.9 In accordance with the fraud rule the department undertook a fraud risk assessment and then developed its fraud control plan. The department undertook its fraud risk assessment in November 2017 (this process is reviewed from paragraph 2.27) and the current fraud control plan was issued by the Secretary on 1 September 2018. The fraud control plan contains the department’s fraud control framework; sets out the department’s strategies to meet the mandatory requirements for fraud control in the Commonwealth Fraud Control Framework; and documents the Secretary’s expectation that work areas control for fraud in their activities.

2.10 To assist staff to carry out their responsibilities under the fraud control plan, the department has developed a fraud control toolkit. The toolkit addresses how staff can comply with their obligations to prevent and detect fraud.

2.11 The fraud guidance suggests that fraud control plans can:

Document the entity’s approach to controlling fraud at a strategic, operational and tactical level, and encompass awareness raising and training, prevention, detection, reporting and investigation measures.[44]

2.12 The department’s fraud control plan contains all of the components suggested by the fraud guidance (Table 2.1).

Table 2.1: Content of DFAT’s fraud control plan

| Fraud guidance suggested areas | DFAT fraud control plan |
| --- | --- |
| A summary of fraud risks and vulnerabilities associated with the entity (note a) | Yes |
| Treatment strategies and controls put in place to manage fraud risks and vulnerabilities (note b) | Yes |
| Information about implementing fraud control arrangements within the entity | Yes |
| Strategies to ensure the entity is meeting its training and awareness needs | Yes |
| Mechanisms for collecting, analysing and reporting fraud incidents | Yes |
| Protocols for handling fraud incidents | Yes |
| An outline of key roles and responsibilities for fraud control within the entity (note c) | Yes |

Note a: Fraud risks are summarised into nine fraud risk domains and included in the fraud control plan. Fraud risk domains are intended to identify systemic risks in the department.

Note b: Fraud controls are organised into the nine fraud risk domains, and then further organised into strategic and operational controls, and governance owners. Organising fraud controls in this way is intended to help identify vulnerabilities in controls from a strategic perspective.

Note c: Appendix 3 of this audit report outlines roles and responsibilities for fraud control within DFAT as detailed in the department’s fraud control plan.

Source: Commonwealth Fraud Control Framework and ANAO analysis of DFAT documentation.

Are fraud risks identified and are assessments conducted at regular intervals?

As required by the fraud rule, fraud risks are identified and assessments are conducted at regular intervals. The department conducted a fraud risk assessment in 2017 prior to the development of the fraud control plan. In 2019, a fraud risk assessment for seven (mostly financial) business processes was conducted. Both fraud risk assessments involved consultation with relevant areas across the department. Departmental staff have or are in the process of gaining qualifications in fraud control.

2.13 Subsection 10(a) of the fraud rule requires the accountable authority of a Commonwealth entity to conduct ‘fraud risk assessments regularly and when there is a substantial change in the structure, functions or activities of the entity.’[45] The fraud guidance encourages entities to conduct fraud risk assessments at least every two years.[46]

2.14 The fraud policy requires that:

Entities must ensure officials primarily engaged in fraud control activities possess or attain relevant qualifications or training to effectively carry out their duties.[47]

2.15 The fraud guidance identifies that relevant training can include a Certificate IV in Government (Fraud Control) or equivalent qualification for officials implementing fraud control, or a Diploma of Government (Fraud Control) or equivalent qualification for officials managing fraud control.[48]

2.16 The ANAO reviewed when fraud risk assessments had been undertaken and examined the department’s process for identifying fraud risks, including whether staff conducting these assessments are appropriately trained.

2.17 The department’s fraud control plan states that the department’s fraud control section conducts regular fraud risk assessments to identify areas vulnerable to fraud.

2.18 In November 2017, the department undertook a fraud risk assessment of all departmental corporate functions and departmental programs[49], which identified 91 fraud risks. It also:

  • described the fraud risk and provided examples of potential sources of fraud as a result of the fraud risk;
  • identified whether the fraud risk is an internal or external (or both) fraud risk;
  • documented relevant policies and procedures applicable to the fraud risk;
  • identified existing controls;
  • rated the fraud risk on the basis of the likelihood of the risk occurring and the consequence;
  • identified the risk owner;
  • presented potential treatment option(s); and
  • detailed who was consulted as part of the fraud risk assessment process. In total, 28 meetings were held with relevant areas across the department.

2.19 The 91 fraud risks identified in the 2017 fraud risk assessment have been summarised by DFAT into nine fraud risk domains and these risk domains are included in the fraud control plan.[50]

2.20 In 2019, the department reviewed[51] the existing fraud risk assessment in relation to three of the nine fraud risk domains: finance systems; human resources processes; and corporate assets. These domains were selected due to the high number of ‘medium risks’ identified in the 2017 assessment. Overall the review assessed 48 of the 91 fraud risks identified in 2017 and covered seven business processes: 1) accounts payable; 2) accounts receivable; 3) vendor creation; 4) corporate credit cards; 5) procurement; 6) consular; and 7) information technology. The 2019 fraud risk assessment included consultation with departmental officials who undertake these business processes.

2.21 The risk assessment identified fraud risks across the seven business processes. It also described the risk; identified sources/causes; provided an initial risk rating; listed existing key controls; provided a residual risk rating; listed the fraud tolerance level based on the fraud risk domain; identified the risk owner; and provided additional comments/suggested treatment actions.

2.22 A further whole of department fraud risk assessment has been approved and is expected to be undertaken in August 2020. The department advised the ANAO that the overall approach is being developed and that it intends to finalise, by 30 June 2020, an approach to market to procure support services, subject to the operational impacts of COVID-19.

2.23 In addition to managing the 2017 fraud risk assessment and the 2019 fraud risk assessment review, the department’s Fraud Control Section prepares a Vulnerabilities and Treatments report[52] for the Audit and Risk Committee and departmental executive. The first Vulnerabilities and Treatments report covered the period 1 July 2017 to 30 June 2018. Subsequent reports have been prepared twice yearly (covering a six-month period). The report highlights fraud vulnerabilities identified in the fraud risk assessments, including strategic and operational risks. The report collates data about suspected or known fraud and identifies areas where fraud may be under-reported. The report also identifies key themes across these areas of fraud risk and suggests ways to strengthen the department’s fraud control arrangements. Actions undertaken by the department to improve fraud control arrangements are included in subsequent reports.

2.24 To compile content for the Vulnerabilities and Treatments report, the Fraud Control Section liaises with two other business areas — internal fraud and passport fraud.[53]

2.25 The department’s fraud control section staff have appropriate qualifications in fraud control in line with the fraud guidance, or are awaiting training to be delivered.

Are fraud risks assessed and addressed?

Fraud risks are assessed and given a fraud risk exposure rating based on the likelihood and consequences of the risk occurring. Depending on the assessed exposure rating and having regard to the department’s tolerance level, these risks are then addressed with responses ranging from monitoring to actively treating the risk. Of the 91 fraud risks identified in the department’s 2017 fraud risk assessment, seven (7.7 per cent) were identified in internal reporting as ‘critical’ fraud risks. One additional ‘critical’ risk was identified in the department’s 2019 fraud risk assessment. The department took action to address these ‘critical’ fraud risks and reported on the actions taken to mitigate these risks to its Executive.

2.26 In order for entities to effectively respond to fraud risks it is important for the significance of the risks to be assessed and to determine whether treatments are required. The ANAO examined how the department assesses its risk exposure and identified the mechanisms the department uses to address fraud risks.

2.27 The department’s November 2017 fraud risk assessment identified 91 fraud risks and determined a fraud risk exposure rating for each risk on the basis of the likelihood of the risk occurring and the consequence if the risk occurred. Table 2.2 shows the department’s risk matrix used to determine the risk exposure rating for each fraud risk based on this assessment.

Table 2.2: Risk matrix of fraud risks to determine fraud risk exposure rating

 

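Columns: Consequence of risk occurring. Rows: Likelihood of risk occurring.

| Likelihood of risk occurring | Limited | Minor | Moderate | Major | Severe |
| --- | --- | --- | --- | --- | --- |
|  | 2 | 3 | 4 | 5 | 6 |
| Almost Certain | Medium | Medium | High | Very High | Very High |
| Likely | Medium | Medium | High | High | Very High |
| Possible | Low | Medium | Medium | High | High |
| Unlikely | Low | Low | Medium | Medium | High |
| Rare | Low | Low | Low | Medium | Medium |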

Note: DFAT’s risk matrix uses the term ‘very high’ to describe its highest fraud risk exposure, while the other entities in this audit series use the term ‘extreme’. The definitions are broadly equivalent.

Source: ANAO analysis of departmental documentation.

2.28 The assessment allocated a fraud risk exposure rating for each of the 91 fraud risks (Table 2.3).

Table 2.3: 2017 fraud risk assessment ratings after assessment

| Fraud risk exposure ratings |  |
| --- | --- |
| Very high risk | 0 |
| High risk | 7 |
| Medium risk | 60 |
| Low risk | 24 |
| Total | 91 |

Source: ANAO analysis of departmental documentation.

2.29 The seven fraud risks with a fraud risk exposure rating of ‘high’ were identified as ‘critical fraud risks’ within the department’s Vulnerabilities and Treatments report in June 2018, on the basis that they were ‘high’ risks. The report set out recommendations to address these critical fraud risks. The department considered that these risks reflected systemic issues and gaps that could be repeated through multiple programs. The report therefore recommended addressing these critical fraud risks ‘in a systematic way’ to ‘improve practices more broadly, with a treatment capable of remedying several risks’.

2.30 In 2019 the department undertook a further fraud risk assessment, focussed on six different business processes. This assessment identified 15 fraud risks all of which had a residual risk rating of ‘medium’ or ‘low’ after the application of treatments. Seven of the risks with a residual rating of ‘medium’ were assessed as being outside the department’s tolerance level. One new ‘critical risk’ was identified.

2.31 The ANAO viewed evidence that action was taken by the department to improve departmental practices to address the critical fraud risks and risks that were outside its tolerance level. These actions, which included progress towards implementing policies, frameworks and procedures, continued over 2018 and 2019. By the end of 2019 the department considered that these risks were no longer ‘critical’ as the risks had been addressed (see also paragraph 2.42).

2.32 The actions taken to address the ‘critical’ fraud risks were reported in the two Vulnerabilities and Treatments reports covering the period 1 July 2018 to 30 June 2019.

2.33 The department has in place a number of operational processes and activities to address identified and assessed fraud risks. These include:

  • allocating a fraud risk owner to each identified fraud risk, who is responsible for managing and mitigating the fraud risk;
  • a risk management guide for aid investments[54] which includes better practice information for departmental staff to design and implement aid investments;
  • assisting funding recipients to meet their contractual requirements to develop and implement fraud control strategies through the fraud control toolkit developed for funding recipients;
  • considering fraud risks and detected incidences of fraud when developing the department’s internal audit work program; and
  • conducting internal audits to provide assurance on whether the department’s controls contribute to the management of fraud risks.

Does the department’s internal control environment include preventive controls and are these adequately assessed?

The department has a range of preventive controls in place to prevent fraud and tests its controls to ensure they are operational. The department has undertaken control reviews and has mechanisms in place to provide assurance around its control environment. These mechanisms could be better supported by clear assignment of control owners, by position, in line with the department’s risk management guide.

2.34 Preventive controls can help entities to prevent fraud from occurring in the first place or to reduce the consequences when it occurs. The fraud guidance states that:

Controls and strategies outlined in fraud control plans are ideally commensurate with assessed fraud risks. Testing controls may indicate that not all controls and strategies are necessary or that different approaches may have more effective outcomes. Controls can often be reviewed on a regular basis to make sure they remain useful.[55]

2.35 The ANAO examined whether DFAT has documented preventive controls to manage its identified fraud risks and whether it has established mechanisms to assess and provide assurance over the controls’ effectiveness. The ANAO did not test the design or operational effectiveness of individual controls.[56]

Preventive controls

2.36 The Australian Government’s Risk Management Policy defines an internal control as:

Any process, policy, device, practice or other actions within the internal environment of an organisation which modifies the likelihood or consequences of a risk.[57]

2.37 Broadly, there are two types of controls — preventive controls which are put in place to prevent fraud before it occurs, and detective controls which are put in place to identify when fraud has occurred (detective controls are discussed in chapter three).

2.38 The department’s fraud risk assessments (conducted in 2017 and 2019) identified groupings of existing controls against each of the fraud risks. These controls are largely preventive and reflect standard departmental business processes subject to testing and assurance.[58]

2.39 The department’s fraud control plan organises fraud controls into a matrix based on the nine fraud risk domains (discussed in paragraph 2.19). Fraud controls are divided between strategic controls (controls applicable to all Commonwealth entities such as Commonwealth legislation) and operational controls (controls specific to the department such as training requirements and internal policies).

Assessment of controls

2.40 The department’s Fraud Control Toolkit for Staff and Fraud Control Toolkit for Funding Recipients contain a list of possible controls that can be drawn upon by staff and funding recipients to treat identified fraud risks. Assessment of these controls is the responsibility of business areas.

2.41 The department’s Vulnerabilities and Treatments reports provide a mechanism to identify any potential enhancements to existing ‘critical’ controls following the receipt of an allegation of fraud. These reports detail the fraud risk and suggested improvements to existing controls, with the resulting actions and completion dates tracked. This approach is intended to ensure risks are within tolerance as soon as possible.

2.42 Key business processes considered in the 2019 fraud risk assessment have since been subject to control effectiveness reviews to examine the control environment for these business areas. The results of these reviews were reported in the December 2019 Vulnerabilities and Treatments report.

2.43 Operational areas across DFAT have put in place operational and program assurance frameworks. The Aid Governance Board approved a framework and further development for the Official Development Assistance program at the end of 2019. The first Vulnerabilities and Treatments report (June 2018) identified that a department-wide program assurance framework should be developed and implemented ‘to monitor compliance with the department’s contractual requirements, enhancing the department’s oversight.’ The department advised the ANAO that the intention of this whole of department framework is to look at the effectiveness and efficacy of controls, as well as clarifying individual accountability for the oversight of key controls. Development of a department-wide framework had not commenced as at March 2020.[59]

2.44 The department’s 2018 risk management guide[60] states that each control ‘should have a control owner who is accountable for managing the control’. The guide also states that departmental controls should be assessed. Controls may be assessed as ‘effective’, ‘partially effective’ or ‘ineffective’. For a control to be ‘effective’ the guide requires that the control is assigned and ‘forms part of the officer(s) duty statement and/or performance agreement’. Controls may be ‘ineffective’ if ‘no specific officers have been identified to operate the control’.

2.45 Control owners were not listed for controls identified in both the 2017 and 2019 fraud risk assessments. Control owners in the department’s fraud control plan are listed as the branches and sections in the department which are responsible for the control, rather than an identified position or person in the department.

2.46 To assist the department to oversight its fraud controls at a business area level and at the whole of department level, responsibility for controls should be assigned by position, in line with internal guidance.

Recommendation no.1

2.47 The Department of Foreign Affairs and Trade’s department-level fraud risk assessments identify control owners by position, in line with its risk management guide.

Department of Foreign Affairs and Trade response: Agreed.

3. Detection, investigation and response

Areas examined

This chapter examines whether the department has complied with the mandatory requirements of the Commonwealth Fraud Control Framework as they relate to the detection, investigation and response to fraud and the extent to which these arrangements are consistent with the Australian Government’s fraud guidance.

Conclusion

The department has put in place controls to detect fraud, including reporting channels for use by staff and members of the public. The department’s fraud investigation procedures are largely consistent with the Australian Government Investigations Standards, with attention required to update some procedures.

Areas for improvement

The ANAO has made one recommendation for the department to update its policy and procedures for fraud investigations so as to fully meet the Australian Government Investigations Standards.

3.1 Section 10 of the Public Governance, Performance and Accountability Rule 2014 (the fraud rule) requires the accountable authority of a Commonwealth entity to take all reasonable measures to detect and deal with fraud.[61] In order to detect and deal with fraud, entities must take active steps to find fraud when it occurs and investigate or otherwise respond to it.

3.2 The ANAO examined the department’s compliance with relevant mandatory requirements of the Commonwealth Fraud Control Framework and the extent to which arrangements are consistent with Resource Management Guide No. 201 — Preventing, detecting and dealing with fraud (the fraud guidance) to assess whether:

  • detective controls are identified; and
  • the department’s investigations procedures are consistent with the Australian Government Investigations Standards.

Are detective controls identified?

The department has processes for departmental staff and others (such as members of the public and funding recipients) to confidentially report allegations of fraud. The department’s main source of fraud detection is tip offs from within the department (for allegations of internal fraud) or from sources external to the department (for allegations of external fraud). The department has a publicly available procedure for handling Public Interest Disclosures.

The department also detects fraud through other detective controls. These include internal audits, data analytics and forensic examination.

3.3 Detective controls are used to manage fraud risks and find fraud. Detecting fraud in an entity can highlight any vulnerabilities in existing preventive controls.

3.4 Subsection 10(d) of the fraud rule requires entities to have ‘a process for officials of the entity and other persons to report suspected fraud confidentially’.[62]

3.5 The fraud guidance notes that reporting suspected fraud is a common means of detection, and therefore it is important for entities to appropriately publicise fraud reporting mechanisms. Under the fraud guidance entities should encourage and support reporting of suspected fraud through proper channels, and this can include measures to protect those making such reports from adverse consequences.[63]

3.6 The ANAO examined the controls the department has in place to detect fraud with reference to the requirements of the Commonwealth Fraud Control Framework.

Detective controls

3.7 The department has channels for suspected fraud to be reported by officials of the entity and others (such as the general public and funding recipients). These channels are advertised on the department’s website and for staff, on the intranet. These channels include:

  • a fraud referral form[64]; and
  • three fraud reporting email addresses (one each for external fraud, passport fraud and internal fraud).[65]

3.8 The department also includes information about reporting suspected fraud in its Fraud Control Toolkit for Staff Funding Recipients (available on its website) and Fraud Control Toolkit for Staff (available to all staff on its intranet).66

3.9 Public Interest Disclosures are allegations made by public officials (disclosers) under the Public Interest Disclosure Act 2013 to an authorised officer because they suspect wrongdoing within the Commonwealth public sector.[67] The department has procedures for handling Public Interest Disclosures, including: protection for disclosers; roles and responsibilities; details of how to make a disclosure; procedures for supervisors and managers; procedures for authorised officers; procedures for investigators; confidentiality and record keeping; and monitoring and evaluation requirements.[68]

3.10 The department’s website states that all fraud allegations are handled in a confidential manner,[69] and the privacy webpage states that the department must comply with the Australian Privacy Principles contained in the Privacy Act 1988 (Cth).[70] The website further states that the department will only use and disclose personal information for the purpose for which it was collected unless it is reasonably necessary for enforcement activities conducted by or on behalf of an enforcement body.

3.11 The Australian Institute of Criminology’s (AIC) annual fraud questionnaire asks entities to identify the detection method for finalised fraud investigations using categories provided by the AIC. In its response to the 2018–19 questionnaire the department reported that its main source of fraud detection for internal fraud was via tip offs, with 100 per cent of investigations finalised in 2018–19 detected via tip offs internal to the department. For external fraud, 72 per cent of investigations finalised in 2018–19 were detected via tip offs external to the department.[71]

3.12 Other sources of fraud detection during 2018–19 for external fraud include[72]:

  • information technology controls (10 per cent);
  • law enforcement notification to entity (7 per cent);
  • staff member detection (6 per cent);
  • external audit (3 per cent);
  • tip off within the department (0.5 per cent); and
  • self-reporting/confession (0.5 per cent).

3.13 The department has in place other detective controls, including:

  • internal audits — internal audit planning includes consideration of fraud risks, and internal audits have considered fraud arrangements including program fraud frameworks and fraud arrangements at posts;
  • data analytics — for example, the department’s passport fraud unit uses data analytics to assess documentation provided by passport applicants; and
  • forensic examination — for example, the department’s passport fraud unit operates controls such as facial recognition.

Are the department’s investigation procedures consistent with the Australian Government Investigations Standards?

The department’s investigation procedures are largely consistent with the Australian Government Investigations Standards. The department’s policy and procedures for conducting investigations of suspected internal fraud require updating.

3.14 Once fraud is detected it is necessary to take action. Taking action shows that incidences of suspected fraud are not only identified but are responded to. Any investigation undertaken needs to be handled in a manner that will gather evidence to allow for subsequent responses, including criminal prosecution.

3.15 The Commonwealth Fraud Control Policy (the fraud policy) requires entities to have investigation processes and procedures consistent with the Australian Government Investigations Standards (AGIS) (see details in Box 1).[73]

Box 1: The Australian Government Investigations Standards (AGIS)

The AGIS establish the minimum standards for Australian Government agencies conducting investigations, and apply to all stages of an investigation.

AGIS defines an investigation as:

A process of seeking information relevant to an alleged, apparent or potential breach of the law, involving possible judicial proceedings. The primary purpose of an investigation is to gather admissible evidence for any subsequent action, whether under criminal, civil penalty, civil, disciplinary or administrative sanctions. Investigations can also result in prevention and/or disruptive action.

AGIS lists standards the agency must have (mandatory), as well as standards the agency should have (not mandatory).

The most recent review of the AGIS was in 2011 through a working group commissioned by the Heads of Commonwealth Operational Law Enforcement Agencies, chaired by the Australian Federal Police. The PGPA Act, and the Commonwealth Fraud Control Framework 2017 pursuant to the PGPA Act, are not referenced in the AGIS. The AGIS states that it is mandatory for all agencies required to comply with the Financial Management and Accountability Act 1997, legislation that has been replaced by the Public Governance, Performance and Accountability Act 2013 (PGPA Act).

Note: Australian Government, Australian Government Investigations Standards 2011 [Internet], Attorney-General’s Department, available from https://www.ag.gov.au/Integrity/counter-fraud/fraud-australia/Documents/AGIS%202011.pdf [accessed 12 February 2020]. Following a machinery of government change in 2017, responsibility for the AGIS transferred to the Home Affairs portfolio.

Departmental requirements for external fraud investigations undertaken by funding recipients

3.16 The department requires funding recipients to prevent, detect and correct fraud in accordance with the obligations specified in their contract. In accordance with contractual arrangements, funding recipients must report any suspected fraud or incidents of fraud to the department within five business days, and investigate the matter in accordance with the AGIS. The department provides guidance and written procedures to assist funding providers to conduct investigations. Under the contract, the department retains the right to conduct an investigation, along with the right to conduct an audit or review of the funding recipient’s compliance with its fraud control strategy and policies, including fraud prevention, reporting and investigation obligations.

3.17 The ANAO viewed evidence that the department is providing guidance to funding providers when they are conducting investigations. The department has procedures and a case management system to guide departmental monitoring of investigations being conducted by funding recipients. The ANAO reviewed the records retained in the case management system and found these records were complete, and included guidance from the department to funding providers about the conduct of investigations. The ANAO also saw evidence that the department uses this information to analyse trends, monitor and adjust the preventive control environment, track methods of fraud detection and report regularly to its executive and audit committee.

3.18 The department conducts due diligence checks of contractual arrangements and checks that the funding provider has the requisite fraud control arrangements in place.

3.19 There is evidence that the department has actively monitored the external fraud investigations brought to its attention. The department does not have a mechanism to assure itself that all funding recipients who are required to investigate a fraud matter are conducting investigations, or whether investigations are conducted in accordance with the AGIS (for example, whether the person undertaking the investigation holds the necessary qualification in accordance with the AGIS).[74] In addition, as at March 2020 only two of the DFAT staff responsible for monitoring external fraud investigations met the minimum level of qualification to conduct investigations, with no staff holding the minimum qualification for staff primarily engaged in coordinating and supervising investigations.[75]

3.20 The ANAO examined whether the department’s investigation procedures for passport fraud and internal fraud investigations met the mandatory requirements listed in the AGIS (Table 3.1).

Table 3.1: Department of Foreign Affairs and Trade investigation procedures and the AGIS mandatory requirements

AGIS requirement

Passport fraud

Internal fraud

A clear written policy in regard to its investigative function

Out of date

A procedure governing the manner in which complaints concerning the conduct of its investigations are handled

Written procedures regarding liaison with the media and the release of media statements in regard to investigations

Exhibit handling procedures

Out of date

A written procedure covering the initial evaluation and actioning of each matter that has been received or identified

Investigation management procedures

Out of date

Written procedures relating to finalising the investigation

Out of date

Investigator qualifications

     

Source: ANAO analysis of departmental documentation.

3.21 Details of the ANAO’s assessment against the AGIS requirements are set out below — grouped as written procedures, case selection and referral, and investigation management. Departmental responses to the 2018–19 AIC fraud questionnaire are also included.[76]

AGIS requirements for written procedures

3.22 The department has a manual for departmental officials to assist them to carry out their duties as investigators of allegations of potential internal fraud. The manual is out-of-date and contains references to superseded legislation and Australian Government frameworks. Therefore this manual cannot be fully relied upon to assist investigators to perform their duties.[77]

3.23 There is scope for DFAT to update its policy and processes for fraud investigations to fully meet AGIS requirements.

Recommendation no.2

3.24 The Department of Foreign Affairs and Trade update its policy and processes for fraud investigations to fully meet Australian Government Investigations Standards requirements.

Department of Foreign Affairs and Trade response: Agreed.

Case selection and referral

3.25 The department has an up-to-date case prioritisation policy (dated January 2019) to assess and prioritise reports of misconduct by departmental employees (including potential cases of internal fraud). The factors taken into account when making a decision to investigate are detailed in the policy, and include:

  • whether a formal investigation is required;
  • the complexity and size of the potential case; and
  • any risks and/or threats, and the seriousness of the potential case.

3.26 The department has procedures, including templates and an evaluation matrix, to assess cases of potential passport fraud. The assessment procedures include a decision on whether to proceed with a criminal or administrative investigation.

3.27 In its response to the 2018–19 AIC fraud questionnaire, the department reported that five internal fraud cases and 66 external fraud cases did not meet the threshold to warrant an investigation.[78]

3.28 The department has procedures for referring serious cases of fraud to law enforcement, including the Australian Federal Police and overseas agencies. In its response to the 2018–19 AIC fraud questionnaire the department identified that: 9 of the 10 internal fraud investigations finalised in 2018–19 were conducted solely by the department and one was conducted by a consultant investigator; and 105 of the 195 external fraud investigations were conducted by funding recipients, with the remaining 90 external fraud investigations conducted solely by the department.

Investigation management

3.29 As required by the AGIS, the department has procedures for the investigation of allegations of suspected passport fraud. These procedures cover all steps in the investigation management process from receiving an allegation through to finalising an investigation, and include preparing briefs of evidence for the Commonwealth Director of Public Prosecutions.

3.30 The department has an electronic investigation management system for the investigation of allegations of suspected internal fraud, but does not have up-to-date procedures (see paragraph 3.22).

3.31 The ANAO reviewed records contained within the separate electronic investigation management systems established for passport fraud and internal fraud, and found records of all steps undertaken in an end-to-end investigation process.[79]

3.32 The department’s response to the AIC questionnaire reported that it commenced a total of 235 investigations during 2018–19, the majority of which were investigations of external fraud (Table 3.2).

Table 3.2: Number of investigations commenced in 2018–19

|  | Internal fraud | External fraud (a) | Fraud involving collusion between internal and external individuals |
| --- | --- | --- | --- |
| Investigations commenced | 14 | 215 | 6 |

Note a: External fraud includes passport fraud and external fraud investigations.

Source: ANAO analysis of departmental documentation.

3.33 The department records the outcomes of investigations. In 2018–19, 50 per cent of internal fraud investigations and 43 per cent of external fraud investigations had allegations substantiated in full or in part (Table 3.3).

Table 3.3: Outcomes of investigations finalised in 2018–19

|  | Internal fraud | External fraud (a) |
| --- | --- | --- |
| Allegation substantiated (in full or in part) | 5 | 83 |
| All allegations not substantiated | 3 | 79 |
| Allegation referred to another agency and outcome currently unknown | 2 | 0 |
| Allegations substantiated but the funding owner is not DFAT (b) | 0 | 33 |
| Total | 10 | 195 |

Note a: External fraud includes passport fraud and external fraud investigations.

Note b: DFAT advised the ANAO that these are allegations of fraud where the fraud is substantiated, although the fraud has not been committed directly against DFAT. This will include pooled funds and funding being used by delivery partners to enter into agreements in the supply chain.

Source: ANAO analysis of departmental documentation.

3.34 For those investigations of internal fraud finalised in 2018–19, where allegations were substantiated (in full or in part), all received an administrative sanction. There was a range of results for investigations of external fraud where allegations were substantiated, the most common being referral to non-Australian law enforcement (Table 3.4).

Table 3.4: Result of investigations finalised in 2018–19 where allegations were substantiated (in full or in part)

|  | Internal fraud | External fraud (a) |
| --- | --- | --- |
| No further action taken | 0 | 7 |
| Matter referred to police or another agency | 0 | 6 |
| Termination of employment or contract by dismissal | 0 | 13 |
| Claim or benefit withdrawn or terminated | 0 | 2 |
| Administrative sanctions | 5 | 5 |
| Criminal court conviction outcomes | 0 | 6 |
| Referral to non-Australian law enforcement | 0 | 22 |
| Arrest warrant issued | 0 | 1 |
| Formal warning letter issued | 0 | 21 |

Note a: External fraud includes passport fraud and external fraud investigations.

Source: ANAO analysis of departmental documentation.

Recovery of financial losses

3.35 The fraud policy states that:

… entities must take all reasonable measures to recover financial losses caused by illegal activity through proceeds of crime and civil recovery processes or administrative remedies.[80]

3.36 The 2018–19 AIC annual fraud questionnaire asked entities to estimate the recoveries over the time period, regardless of when the fraud was committed, when the losses were incurred, or when the investigation was completed. In its response to the questionnaire, the department estimated recoveries of $7,345 for internal fraud and $90,903 for external fraud.[81] These amounts were recovered through administrative action.

3.37 The department has a debt management policy to guide recovery of losses for internal and external fraud. The department advised the ANAO that the passport fraud section does not recover losses ‘due to the nature of their work’[82] and that recovery of funding exposed by external fraud is ‘influenced by the local environment and overseas jurisdiction where the fraud has occurred’.

4. Culture, assurance and reporting

Areas examined

This chapter examines whether the department promotes a fraud aware culture and has complied with mandatory reporting requirements in the Commonwealth Fraud Control Framework.

Conclusion

The department has taken steps to promote a fraud aware culture and meets the reporting requirements set out in the framework. While there is internal messaging to staff about fraud control and a program of mandatory fraud awareness training, completion rates for that training are consistently low. Recent remediation measures are credited with improved compliance, but continued attention is required as failure to adequately address non-compliance with mandatory requirements communicates to staff that compliance is optional.

Area for improvement

The ANAO has made one recommendation aimed at improving compliance relating to mandatory fraud awareness training.

4.1 Under the Public Governance, Performance and Accountability Act 2013 (PGPA Act) the accountable authority must promote the proper[83] use and management of public resources (section 15). The accountable authority must also establish and maintain an appropriate system of risk oversight and management for the entity, and an appropriate system of internal control for the entity, including by implementing measures directed at ensuring officials of the entity comply with the finance law (section 16).[84]

4.2 Preventing, detecting and dealing with fraud requires an ongoing effort. That effort will be more effective in an environment with a fraud aware culture that includes transparent reporting because staff will be alert to fraud and better able to develop dynamic responses based on evidence.

4.3 To inform the ANAO’s review of the effectiveness of DFAT’s fraud control arrangements, the ANAO considered whether:

  • the department promotes and supports a fraud aware culture; and
  • the department provides assurance about entity fraud control arrangements through reporting.

Does the department promote and support a fraud aware culture?

The department has set expectations and promotes a fraud aware culture through: a fraud strategy statement; a Fraud Control Toolkit for Funding Recipients; a fraud control plan; a conduct and ethics manual for departmental staff; a Fraud Control Toolkit for Staff; fraud awareness programs for funding providers; and internal messaging to all staff from the Secretary about fraud control.

The department’s audit and risk committee charter and work plan allow the committee to review the department’s fraud risks. The committee has done so and provided reports to the Secretary.

Completion rates for the department’s mandatory fraud awareness training are consistently low — in the range of 31 to 65 per cent between 2018 and 2020.

4.4 Resource Management Guide No. 201 — Preventing, detecting and dealing with fraud (the fraud guidance) states that:

Accountable authorities play a key role in setting the ethical tone within their entities, and fostering and maintaining a culture of fraud awareness and prevention.[85]

Fraud prevention involves … fostering an ethical culture that encourages all officials to play their part in protecting public resources. Establishing an ethical culture is an important factor in preventing and detecting fraud. Accountable authorities are strongly encouraged to foster this culture in their senior leadership specifically, as well as across staff more generally.[86]

4.5 Culture in the context of this audit is the set of shared attitudes, values and behaviours that characterise how an entity considers fraud risk in its day-to-day activities.[87] Evidence of certain behaviours and practices operating in the organisation can indicate that a particular type of culture is being promoted.[88]

4.6 To assess whether the department promotes a fraud aware culture the ANAO examined departmental governance arrangements, departmental activities and completion rates for mandatory fraud awareness training.

Departmental governance arrangements to promote and support a fraud aware culture

4.7 The Secretary’s Instructions[89] set expectations by requiring all staff to comply with the Commonwealth Fraud Control Framework and act in accordance with the department’s fraud control plan.[90]

4.8 The Secretary issued DFAT’s fraud control plan on 1 September 2018. It is the framework for the management of fraud risk within the department. The fraud control plan is available to all staff on the department’s intranet. In addition, the following documents are publicly available on the department’s website[91]:

  • fraud policy statement;
  • Risk Management for Aid Investments Guide (incorporating fraud risk)[92];
  • Fraud Control Toolkit for Funding Recipients;
  • fraud referral form; and
  • conduct and ethics manual for departmental staff.

4.9 The Secretary has set expectations in the department’s fraud control plan and the Secretary’s Instructions[93] for staff to be responsible for the day to day management of fraud risks. This means staff are required to identify areas vulnerable to fraud, and implement controls to address vulnerabilities within their work area in accordance with the fraud control plan. The fraud control plan specifies that the Senior Executive Service, Heads of Mission and Heads of Post are required to lead by example and demonstrate a commitment to controlling fraud.

4.10 The Secretary has established departmental governance arrangements intended to provide leadership and strategic direction to the department, and to facilitate the flow of information from the department to the executive. These arrangements are summarised in Figure 4.1.

Figure 4.1: Departmental governance arrangements

 

This figure illustrates the department’s governance arrangements. It shows the relationships between the departmental committees.

 

Note: DFAT’s operations committee is responsible for overseeing the management and effective delivery of the department’s enabling services, including financial information.

Source: ANAO analysis of departmental documentation.

4.11 The structure of the department’s governance arrangements supports a fraud aware culture as follows:

  • they allow for executive oversight of risks, including fraud, and regular reporting on fraud related matters; and
  • the department’s audit and risk committee is engaged in reviewing the department’s fraud control arrangements and providing advice to the Secretary on these arrangements.

4.12 The whole of government fraud guidance suggests that the outcomes of fraud risk assessments can be provided to an entity’s audit committee for consideration.[94] Entities are also encouraged to ensure appropriate monitoring and evaluation of fraud control plans.[95]

4.13 The department’s audit and risk committee charter and work plan allow for the review of fraud risk, and the committee has regularly discussed and engaged with fraud risk during its meetings. The audit and risk committee reviewed and endorsed the department’s fraud control plan, and has reviewed the department’s six monthly Vulnerabilities and Treatment report on fraud vulnerabilities and recommended controls.

Departmental activities to promote and support a fraud aware culture

4.14 DFAT has taken steps to promote and support a fraud aware culture within the department by implementing a range of departmental activities in accordance with the fraud rule and fraud guidance (Table 4.1).

Table 4.1: Activities undertaken to promote and support a fraud aware culture

| Commonwealth Fraud Control Framework reference | Details |
| --- | --- |
| The fraud rule requires the accountable authority to ensure that officials in the entity are made aware of what constitutes fraud. (a) | The Secretary has communicated with staff about fraud risk and departmental staff responsibilities to prevent and detect fraud. The department’s fraud control toolkit for funding recipients is publicly available on its website. (b) The department’s fraud control plan and staff fraud control toolkit are available to staff on the intranet. The department’s conduct and ethics manual is publicly available on its website. (c) |
| The fraud guidance advises that a widely distributed fraud strategy statement can assist in raising fraud awareness. (d) | The department has a Fraud Strategy Statement publicly available on its website (e) that includes all elements specified in the fraud guidance. |
| The fraud guidance suggests it is beneficial for awareness-raising programs for third-party providers to take into account the work they do directly for entities and the services they deliver on behalf of the entity. (f) | The department provides fraud awareness training for funding recipients contracted by the department. (g) A fraud toolkit for funding recipients is available. |

Note a: Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, p. A1.

Note b: Department of Foreign Affairs and Trade, Fraud Control Toolkit for Funding Recipients [Internet], available from https://dfat.gov.au/about-us/publications/Pages/fraud-control-toolkit-for-funding-recipients.aspx [accessed 10 February 2020].

Note c: Department of Foreign Affairs and Trade, Conduct and Ethics Manual [Internet], available from https://dfat.gov.au/about-us/publications/corporate/conduct-ethics-manual/Pages/conduct-and-ethics-manual.aspx [accessed 14 February 2020].

Note d: Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, para. 44, p. C12.

Note e: ibid., para 43, p. C12. This paragraph states that Fraud Control Statements can include: the definition of fraud; a statement of the entity’s commitment to preventing and controlling fraud; a statement of officials’ and contractors’ responsibilities; a summary of the consequences of fraud; an assurance that allegations and investigations will be handled confidentially; directions on how allegations and incidents of fraud are to be reported and managed; and advice on where further information can be found.

Note f: Department of Foreign Affairs and Trade, Fraud Control [Internet], DFAT, available from https://dfat.gov.au/about-us/corporate/fraud-control/Pages/fraud-control.aspx [accessed 6 February 2020].

Note g: Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, para. 50, p. C13.

Note h: The department’s Direct Aid Program (DAP) is a small grants program funded from Australia’s aid budget. DAP projects engage a wide range of partners including community groups, non-government organisations, education institutions and local governments. Department of Foreign Affairs and Trade, Direct Aid Program [Internet], DFAT, available from https://dfat.gov.au/people-to-people/direct-aid-program/pages/direct-aid-program.aspx [accessed 10 February 2020].

Source: ANAO analysis of departmental documentation.

4.15 In November 2019 the department conducted a range of awareness activities as part of International Fraud Awareness Week.[96] These included a staff message from the Secretary, fraud information on the intranet, office posters, workshops targeted at middle managers, and specialised fraud training for overseas posts identified by the department as high risk.

Completion rates for mandatory fraud awareness training

4.16 The fraud rule requires the accountable authority to ensure that officials in the entity are made aware of what constitutes fraud.[97] The fraud guidance states that:

Entities are encouraged to have all officials take into account the need to prevent and detect fraud as part of their normal responsibilities. Appropriate mechanisms could include fraud awareness and integrity training in all induction programs and a rolling program of regular fraud awareness and prevention training for all officials.[98]

4.17 The department requires all staff[99] to complete eLearning in ‘Fraud Awareness’ every three years. In addition, non-compulsory face to face training in fraud awareness is offered to all staff, and face to face training in fraud awareness is conducted at Posts.

4.18 The department offers additional online training modules relevant to fraud control covering areas such as accountability and ethics, risk management, cyber security and protective security.

4.19 As shown in Table 4.2, completion rates for the department’s mandatory fraud awareness training are consistently low — in the range of 31 to 65 per cent between 2018 and 2020.[100]

Table 4.2: Mandatory fraud awareness training — completion rates

| Date | Completion rate (a) |
| --- | --- |
| 30 June 2018 | 56 per cent of all DFAT staff |
| 31 December 2018 | 31 per cent of all DFAT staff |
| 30 June 2019 | Unable to be calculated by DFAT (b) |
| 14 January 2020 | 56 per cent of all DFAT staff |
| 23 March 2020 | 65 per cent of all DFAT staff |

Note a: Includes new staff and staff due to update three-yearly training.

Note b: The department could not report completion rates for this period due to a system error. This error had no impact on previously reported completion rates.

Source: ANAO analysis of departmental documentation.

4.20 The department has reported internally that it has introduced a range of measures to increase completion rates, including:

  • messaging from senior executives to their staff on their accountability for fraud prevention;
  • ongoing redesign of fraud control training content; and
  • restrictions on staff taking up a posting until they have completed all mandatory training.

4.21 These measures are considered to have resulted in some improvement in completion rates for mandatory training.

4.22 Mandatory fraud awareness training educates and empowers staff to take action against potential fraud. Failure to adequately address non-compliance with mandatory requirements communicates to staff that compliance is optional.

Recommendation no.3

4.23 The Department of Foreign Affairs and Trade improves staff compliance relating to mandatory fraud awareness training.

Department of Foreign Affairs and Trade response: Agreed.

Is assurance about the department’s fraud control arrangements provided through reporting?

The department has provided assurance about its fraud control arrangements through reporting. The department has:

  • met annual report requirements under subsection 17AG(2) of the Public Governance, Performance and Accountability Rule 2014;
  • complied with mandatory reporting obligations in the Commonwealth Fraud Control Policy to provide information to the Australian Institute of Criminology annually; and
  • implemented the fraud guidance recommendation to keep the Minister informed about entity fraud control arrangements and significant issues.

Annual report requirements

4.24 Accountable authorities are required, under subsection 17AG(2) of the Public Governance, Performance and Accountability Rule 2014, to include information in their annual report on compliance with section 10 of the Rule, which deals with preventing, detecting and dealing with fraud. The accountable authority is also required to certify in the annual report that:

  • fraud risk assessments and fraud control plans have been prepared for the entity;
  • appropriate mechanisms for preventing, detecting incidents of, investigating or otherwise dealing with, and recording or reporting fraud that meet the specific needs of the entity are in place for the entity; and
  • all reasonable measures have been taken to deal appropriately with fraud relating to the entity.

4.25 The ANAO’s review of DFAT’s annual report for the past three years indicates that the department satisfied the annual report requirements specified in the PGPA Rule (Table 4.3).

Table 4.3: Compliance with subsection 17AG(2) of the PGPA Rule 2014

Requirement | 2016–17 | 2017–18 | 2018–19

Information on compliance with section 10 (which deals with preventing, detecting and dealing with fraud) in relation to the entity during the period.

An explicit certification that:

  • fraud risk assessments and fraud control plans have been prepared for the entity; and
  • appropriate mechanisms for preventing, detecting incidents of, investigating or otherwise dealing with, and recording or reporting fraud that meet the specific needs of the entity are in place for the entity; and
  • all reasonable measures have been taken to deal appropriately with fraud relating to the entity.

Source: Department of Foreign Affairs and Trade, Annual Report 2016–17, DFAT, 2017; Department of Foreign Affairs and Trade, Annual Report 2017–18, DFAT, 2018; Department of Foreign Affairs and Trade, Annual Report 2018–19, DFAT, 2019.

4.26 In its 2018–19 annual report the department also reported on the following performance measure for prosecuting passport fraud:101

95 per cent of referrals to prosecuting authorities are accepted for prosecution.

4.27 This performance measure was reported as ‘met’ for 2018–19.102 Further contextual information is detailed in the annual report about passport fraud detection measures and the status of five referrals made by DFAT to the Commonwealth Director of Public Prosecutions.

Information provided to the Australian Institute of Criminology

4.28 The fraud policy requires entities to provide information to the Australian Institute of Criminology (AIC) in the form requested, to facilitate the AIC’s annual report to the Attorney-General’s Department on fraud against the Commonwealth and fraud control arrangements.103

4.29 DFAT has provided the information requested by the AIC, in the form requested, by the required due date. Data collection on fraud and fraud control activities is undertaken by three areas within the department (internal fraud, external fraud and passport fraud). The department collates information from these areas prior to submitting information to the AIC.

Informing the Minister about the entity’s fraud control arrangements and significant issues

4.30 The fraud guidance states that:

… while there is no specific mention of reporting fraud matters to an entity’s Minister in the Fraud Rule or Fraud Policy, section 19 of the PGPA Act requires an accountable authority to keep their Minister informed about the activities of the entity and significant issues that may affect the entity.104

4.31 The department provides an annual fraud control report to the responsible Minister that includes all of the suggested content detailed in the fraud guidance (Table 4.4).

Table 4.4: Suggested content for reporting to the responsible Minister

Suggested content | Included

Fraud initiatives undertaken by the entity in the reporting period, including an evaluation of their effectiveness

Planned fraud initiatives not yet in place

Information regarding significant fraud risks for the entity

Significant fraud incidents which occurred during the reporting period

Source: ANAO analysis of departmental documentation and Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, para. 94, p. C19.

Appendices

Appendix 1 Entity response

The response from the Secretary of the Department of Foreign Affairs and Trade

Appendix 2 Desktop review: fraud control frameworks, estimates of fraud losses and fraudster personas

Fraud control frameworks

1. The ANAO conducted a desktop review of the fraud control frameworks for New South Wales; Victoria; Queensland; South Australia; Tasmania; the Australian Capital Territory; and the Northern Territory. International counterparts examined included the United Kingdom, New Zealand, South Africa and the United States of America.

2. The comparison of the current Commonwealth Fraud Control Framework105 with arrangements applying in other jurisdictions identified common approaches to some key aspects, including the requirement for:

  • regular fraud risk assessments;
  • a fraud control plan with an emphasis on fraud prevention;
  • clearly documented roles and responsibilities with an explicit statement that fraud prevention is the responsibility of all staff;
  • all staff to complete fraud awareness training (this is encouraged, but not a mandatory requirement for all jurisdictions);
  • clear reporting channels for reporting suspected fraud and agreed responses for dealing with detected fraud; and
  • policies and processes for detecting, investigating and responding to suspected fraud.

3. The comparison identified six key differences to the Commonwealth Fraud Control Framework (which is broadly consistent with other Australian jurisdictions):

  • Publicising antifraud efforts and successfully resolved cases to raise awareness about program integrity and antifraud efforts (USA).
  • The requirement for a fraud control policy to reflect the conditions associated with fraud, including incentives/pressure, opportunities, and attitudes, to assist employees to identify potential fraud (the ‘fraud triangle’ discussed in more detail in paragraph 10) (South Africa and NZ).
  • Distinguishing between the government’s fraud policy and other government policies such as the public servant code of conduct, noting the policies can be closely aligned, often overlap and may operate concurrently (NZ).
  • Setting clear requirements for separate documents to meet strategic and operational purposes. For example, a fraud control strategy can communicate a commitment to combatting fraud and present the entities’ strategic approach to fraud control (the ‘why’ of fraud control); separate and distinct from fraud control plans which can take a more operational view (the ‘how’ of fraud control) (South Africa, UK and USA).
  • The use of outcome based metrics summarising what the organisation is seeking to achieve and, for those organisations with ‘significant estimated’ fraud loss, metrics with a financial impact (UK).
  • Focusing on finding fraud, including through the use of data analytics (UK and USA).

Estimating fraud losses — survey responses

4. Estimates of fraud losses against the Australian Government developed by the Australian Institute of Criminology (AIC) are based on responses by Commonwealth entities to its annual online questionnaire.106

5. The AIC publishes an estimate of fraud losses on the basis of completed investigations where fraud could be quantified. In 2018–19 (the most up-to-date data available from the AIC reports), the AIC estimated fraud losses of $149.7m on this basis.107

6. The AIC notes there are a number of limitations associated with developing estimates of fraud losses on the basis of entity responses:

  • Not all entities invited to respond to the online questionnaire provided a response. In 2018–19, 156 (83 per cent) of invited entities provided a response. One of these entities, however, did not provide data to the AIC due to security reasons.
  • Undetected or unreported fraud is excluded, as is fraud that was detected but written off, either due to the low value of the fraud, or because resources were not allocated to undertake an investigation.
  • Incomplete survey responses; a respondent may be unable or unwilling to answer a question, or the relevant information was not collected during the investigation and therefore cannot be provided to the AIC.
  • Fraud losses include intangible costs such as reputational damage. Intangible costs are not captured in the AIC estimates of fraud losses.108

7. The Association of Certified Fraud Examiners (CFEs) publishes an annual Report to the Nations on the basis of survey responses by CFEs in 125 countries.109 The 2020 report contains an analysis of 2,504 cases of occupational fraud investigated between January 2018 and September 2019 by CFEs.110 The survey respondents were asked the percentage of revenue they believe a typical organisation loses to fraud each year, with the median response being 5 per cent of annual revenues.

Estimating fraud losses — cost measurements

8. Since 2014 the UK Government’s Counter Fraud Centre of Expertise has been building its evidence base of public sector fraud111 and error loss estimates for central government spending112 by developing cost measurement estimates.113 To develop a cost measurement estimate, the level of irregularity (fraud and error) in an area of government spending is tested. The UK Government has undertaken 53 cost measurement exercises in various categories of government expenditure, and on the basis of these estimates the fraud and error loss for government expenditure is 0.5 to 5.0 per cent.

9. The Financial Cost of Fraud report published in the UK by Crowe and the Centre for Counter Fraud Studies at the University of Portsmouth updates research first undertaken in 2009 to collate information from around the world on the financial cost of fraud and error. Analysis of 690 loss measurement exercises from 10 countries undertaken between 1997 and 2018 found that losses are usually in the range of 3 per cent to 10 per cent, with a likely average of 6.05 per cent.114

The fraud diamond and fraudster personas

10. The seminal ‘fraud triangle’ was developed in the 1950s on the basis of in-depth interviews with those convicted of trust violations. The fraud triangle posits that individuals are motivated to commit fraud when three elements come together: some kind of perceived pressure; some perceived opportunity; and some way to rationalise the fraud.115

11. The fraud triangle was expanded in 2004 to include a fourth element, the individual’s capability; those personal traits and abilities that play a major role in whether fraud may actually occur even with the presence of the other three elements from the fraud triangle (Figure A1).116 The personal traits and abilities identified by the research that are key for the capability to commit fraud include:

  • a position or function in the organisation that furnishes the ability to create or exploit an opportunity for fraud;
  • the person is smart enough to understand and exploit internal control weaknesses and to use position, function or authorised access to the greatest advantage;
  • the person has a strong ego and great confidence that they will not be detected, or they believe they could easily talk themselves out of trouble if caught; and
  • the person can coerce others to commit or conceal fraud.117

Figure A.1: The fraud diamond

This figure illustrates the four elements that increase the likelihood for fraud to occur. These elements are described in paragraphs 10 and 11.

Source: Wolfe, D., and Hermanson, D., The Fraud Diamond: Considering the Four Elements of Fraud.

12. One focus of international research concerns the key characteristics of those who commit fraud, with these characteristics identified and distilled by undertaking case study analysis.

13. The AIC’s annual report to government includes more detailed questions about the one matter that resulted in the greatest financial loss or impact to the responding entity.118 In the 2018–19 report, 19 entities provided details about the most costly internal frauds. The AIC reported that the most costly internal fraud perpetrators were most commonly aged between 25 and 34 years, with 8 men and 7 women (not every entity which provided details about the most harmful fraud was able to provide this demographic information). Seven of the 16 internal fraud perpetrators (44 per cent) had been employed by the entity for 85 months or longer. In contrast to other international research discussed below, the AIC reported that internal fraud perpetrators were employed at more junior levels (APS1–4) rather than at the senior executive level. The principal target for internal fraud was financial gain, either through employee entitlements or internal financial fraud.

14. The KPMG 2016 report Global profiles of the fraudster is based on analysis of 750 fraudsters with data collected from KPMG forensic professionals in response to a questionnaire about the fraudsters they investigated between March 2013 and August 2015. KPMG reported:

  • a perpetrator of fraud tends to be male between the ages of 36 and 55, working with the organisation for more than six years and holds an executive position;
  • 44 per cent of perpetrators had unlimited authority in their company and were able to override controls; and
  • in 62 per cent of frauds, the perpetrator colluded with others.119

15. The Association of Certified Fraud Examiners (ACFE) 2020 Report to the Nations found — on the basis of 2,504 cases of occupational fraud investigated between January 2018 and September 2019 — that the ‘typical fraudster’ is more likely to be:

  • in the 36 to 45 year age group, but those aged over 60 cause the largest median losses;
  • male, with males causing much larger median losses than females;
  • employed within the organisation for between one and five years;
  • working in the accounting and operations areas of the organisation; and
  • a low-level employee. However, if they are in an executive position, they will cause a median loss that far exceeds the losses caused by managers and staff-level employees.120

16. PwC’s 2020 Global Economic Crime and Fraud Survey report compiled over 5,000 survey responses from organisations about who has perpetrated fraud against them. The report highlights that:

  • third party providers committed 19 per cent of fraud, with only half of organisations surveyed having a third-party risk program in place; and
  • senior management committed 26 per cent of fraud, in part because of their ability to override internal controls.121

17. In 2018, PwC drew out key findings for Australia from the 158 Australian respondents to the 2018 global survey in the PwC 2018 Global Economic Crime and Fraud Survey: Australian Report. The report shows that ‘frenemies’, or those close to the organisation, committed 60 per cent of economic crime in Australia. ‘Frenemies’ are defined as employees, customers, suppliers, consultants and agents.122

18. The Attorney-General’s Department Commonwealth Fraud Prevention Centre has used recent case studies of those found guilty of fraudulent acts to develop a series of eight fraudster personas on the basis of the methods they commonly employ to commit fraud. The aim is to assist Commonwealth entities to:

  • evaluate exposure to the methods of these types of fraudsters; and
  • assess current capability in countering these types of fraudsters.123

Appendix 3 Department of Foreign Affairs and Trade: Roles and responsibilities for fraud control

| Role | Responsibilities |
|---|---|
| First Line of Defence (All staff) | |
| Everyone | Everyone has a responsibility to manage fraud risks within their work area (including in their policies, agreements, programs or projects) in accordance with the department’s fraud control plan. |
| Fraud risk owners | Fraud risk owners are responsible for managing and mitigating fraud risks by working with Control Owners. |
| Control owners | Control owners have responsibility for implementing and maintaining effective controls which prevent and detect fraud risk. Control owners work with fraud risk owners to ensure the controls treat the risk. One person may hold both responsibilities. |
| Second Line of Defence (Fraud investigation sections) | |
| Passport Fraud and Compliance Section | Passport fraud is managed by the Passport Fraud and Compliance Section. |
| Fraud Control Section | The Fraud Control Section is responsible for the department’s Fraud Control Framework, including this plan. It also manages all external fraud on the department, other than passport fraud. |
| Employee Conduct and Ethics Section | Responsibility for coordination of the department’s response to internal fraud and Australian Public Service Code of Conduct matters. |
| Transnational Crime | Responsibility for extraterritorial offences. This may include bribery of foreign public officials, money laundering, terrorism financing, or child protection offences. |
| Third Line of Defence | |
| Internal Audit | Internal Audit provides an independent assurance and advisory service to the Secretary about whether the department’s operational controls manage the fraud risks. |
| Audit and Risk Committee | The Audit and Risk Committee provides independent assurance and advice to the Secretary on the department’s risk and control environment. |
| Departmental Executive | The Departmental Executive is the department’s peak governance body, providing corporate leadership and strategic direction. |
| Fourth Line of Defence | |
| Australian National Audit Office (ANAO) | The ANAO may examine an entity’s fraud control arrangements, including their compliance with the Commonwealth Fraud Control Framework. |
| Australian Federal Police | The Australian Federal Police may review the quality of the department’s fraud investigations, and provide the results to the Attorney-General’s Department. |

Source: DFAT Fraud Control Plan 2018.

Appendix 4 Commonwealth Fraud Control Framework procedural requirements for investigations mapped to the Australian Government Investigations Standards

The Commonwealth Fraud Control Policy (fraud policy)124 details procedural requirements for investigations. The ANAO has mapped these requirements to the Australian Government Investigations Standards (AGIS) for the purpose of ensuring that by undertaking an assessment of whether a department’s investigation procedures are consistent with the AGIS, all procedural requirements for investigations detailed in the fraud policy have also been assessed.

| Fraud policy procedural requirement | AGIS (a) |
|---|---|
| Entities must maintain appropriately documented procedures setting out criteria for making decisions at critical stages in managing a suspected fraud incident. | 3.1 Investigation management. Agencies must employ investigation management procedures which are based on project management principles of managing resources, processes, work to be undertaken, time and outcomes […] Agencies are to incorporate the following concepts into investigation management procedures: 3.2 Investigation commencement; 3.3 Planning phase; 3.4 Risk management; 3.5 Implementation phase; 3.6 Investigation closure. |
| Entities must have in place investigation and referral processes and procedures that are consistent with the AGIS. | 2.1 Receiving and recording alleged, apparent or potential breaches; 2.2 Evaluation of referrals or conduct identified as allegedly, apparently or potentially breaching the law; 2.4 Referral of matters to the AFP; 2.5 Referral to Australian Commission for Law Enforcement Integrity (ACLEI); 3.1 to 3.6 Investigation management. |
| Entities must appropriately document decisions to use civil, administrative or disciplinary procedures, or to take no further action in response to a suspected fraud incident. | 3.6.2 Finalising investigation. Agencies are to have written procedures relating to finalising the investigation following legal proceedings, disruption or prevention actions or decision to take no further action. |
| An entity is responsible for investigating instances of fraud or suspected fraud against it, including investigating disciplinary matters, unless the matter is referred to and accepted by the Australian Federal Police (AFP) or another law enforcement agency. | 2.2 Evaluation of referrals or conduct identified as allegedly, apparently or potentially breaching the law; 2.4 Referral of matters to the AFP; 2.5 Referral to Australian Commission for Law Enforcement Integrity (ACLEI). |
| Where a law enforcement agency declines a referral, entities must resolve the matter in accordance with relevant internal and external requirements. | 2.3 Accepting matters for investigation. |
| The AFP has the primary law enforcement responsibility for investigating serious or complex fraud against the Commonwealth. Entities must refer all instances of potential serious or complex fraud offences to the AFP in accordance with the AGIS and AFP referral process, except in the following circumstances: a) where entities: 1. have the capacity and the appropriate skills and resources needed to investigate potential criminal matters; and 2. meet requirements of the AGIS for gathering evidence and the Commonwealth Director of Public Prosecutions in preparing briefs of evidence, or b) where legislation sets out specific alternative arrangements. | 2.3 Accepting matters for investigation; 2.4 Referral of matters to the AFP. |
| Fraud investigations must be carried out by appropriately qualified personnel as set out in the AGIS. If external investigators are engaged, they must as a minimum meet the required investigations competency requirements set out in the AGIS. | 1.5 Investigator qualifications. |
| Entities must take all reasonable measures to recover financial losses caused by illegal activity through proceeds of crime and civil recovery processes or administrative remedies. | Not covered by the AGIS. Assessed separately by the ANAO. |
| Where an investigation discloses potential criminal activity involving another entity’s activities or programs, the investigating entity must report the matter to that entity to the extent possible subject to relevant requirements of any Australian law. | 1.7 Information sharing. |

Note a: Extracts of the relevant wording from the AGIS are provided.

Source: Commonwealth Fraud Control Framework and the Australian Government Investigations Standards.

Footnotes

1 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, para. viii, p. B1.

2 ibid., para. 16, p. C7.

3 ibid., paras 18–19, p. C7.

4 ibid., para. 21, p. C7.

5 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017.

6 Entity types are discussed in footnote 19.

7 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, p. IV.

8 As discussed in paragraph 1.12, the ANAO assesses the effectiveness of entity internal controls as they relate to the risk of misstatement in the financial statements on an annual basis.

9 Department of Health, Australian Health Sector Emergency Response Plan for Novel Coronavirus (COVID-19) [Internet], Department of Health, available from https://www.health.gov.au/resources/publications/australian-health-sector-emergency-response-plan-for-novel-coronavirus-covid-19 [accessed 6 April 2020].

10 Department of the Prime Minister and Cabinet, Senate Select Committee on COVID-19 Whole-of-Government submission, Attachment 1 [Internet], PM&C, available from https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/COVID-19/COVID19/Submissions [accessed 3 June 2020].

11 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, para. viii, p. B1.

12 ibid., para. 16, p. C7.

13 ibid., para. 15, p. C7.

14 ibid., paras 18–19, p. C7.

15 ibid., para. 21, p. C7.

16 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017.

17 Under subsection 12(2) of the PGPA Act, the accountable authority for the Department of Foreign Affairs and Trade is the Secretary of the Department.

18 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, p. III.

19 A non-corporate Commonwealth entity, such as a department of state, is not a body corporate. A corporate Commonwealth entity is a body corporate which may, among other things, enter into contracts and acquire property in its own name.

20 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, p. IV.

21 Australian Government, Budget Paper No. 2 Budget Measures 2019–20 [Internet], 2019, available from https://budget.gov.au/2019-20/content/bp2/index.htm [accessed 13 November 2019].

22 Attorney-General’s Department, About fraud in Australia [Internet], AGD, available from https://www.ag.gov.au/Integrity/counter-fraud/fraud-australia/Pages/about-fraud-australia.aspx [accessed 24 February 2020].

23 In accordance with the Commonwealth Fraud Control Policy, all non-corporate Commonwealth entities are required to collect information on fraud and complete an online questionnaire by 30 September each year. Corporate Commonwealth entities are not formally required to complete the questionnaire, however the Australian Government considers collection of fraud information by these entities is best practice and expects they will complete the questionnaire by the due date. In 2019, 156 entities participated out of the 188 entities invited to participate, an 83 per cent participation rate.

24 C Teunissen, R Smith and P Jorna, Commonwealth Fraud Investigations 2017–18 and 2018–19, Statistical Report No.25, Australian Institute of Criminology, Canberra, 2020.

25 Respondents were asked to provide their best estimate of the total amount that perpetrators were found to have dishonestly obtained from the Commonwealth, according to the findings of the finalised investigations. Note that not all respondents could quantify loss amounts for investigations.

26 Auditor-General Report No.46 2018–19, Interim Report on Key Financial Controls of Major Entities, para. 3.

27 See paragraphs 1.16–1.17 of this performance audit report.

28 Auditor-General Report No.46 2018–19, Interim Report on Key Financial Controls of Major Entities, para. 6 and para. 1.21.

29 The objective of the audit was to examine the effectiveness of the NDIA’s fraud control program and its compliance with the Commonwealth Fraud Rule.

30 Auditor-General Report No.50 2018–19 National Disability Insurance Scheme Fraud Control Program.

31 ibid., p. 13.

32 The selected entities were Comcare, the Australian Trade Commission and the Department of Veterans’ Affairs.

33 Auditor-General Report No.3 2014–15 Fraud Control Arrangements Across Entities. Fraud control was also reviewed in Auditor-General Report No.42 2009–10 Fraud Control in Australian Government Agencies.

34 AGD and the AIC entered into a memorandum of understanding in May 2017 that sets out the ‘agreed role, responsibilities and timeframes for the preparation and annual submission’ of the AIC’s annual fraud report.

35 Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, para. 14(a), p. B3.

36 As discussed in paragraph 1.12, the ANAO assesses the effectiveness of entity internal controls as they relate to the risk of misstatement in the financial statements on an annual basis.

37 Department of Health, Australian Health Sector Emergency Response Plan for Novel Coronavirus (COVID-19) [Internet], Department of Health, available from https://www.health.gov.au/resources/publications/australian-health-sector-emergency-response-plan-for-novel-coronavirus-covid-19 [accessed 6 April 2020].

38 Department of the Prime Minister and Cabinet, Senate Select Committee on COVID-19 Whole-of-Government submission, Attachment 1 [Internet], PM&C, available from https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/COVID-19/COVID19/Submissions [accessed 3 June 2020].

39 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, p. A1.

40 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, para. V, p. B1.

41 ibid., para. 31, p. C10.

42 The Secretary is the accountable authority for DFAT.

43 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, p. A1.

44 ibid., para. 38, p. C11.

45 Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, p. A1.

46 ibid., para. 28, p. C9.

47 ibid., para. 2.

48 ibid., paras. 55–58, p. C14.

49 The department contracted an external consultant to undertake the risk assessment. The ANAO viewed evidence that the department provided appropriate oversight (for example, DFAT monitored the work program and attended consultations).

50 The nine fraud risk domains are: 1) policy and program development; 2) procurement and grantee processes; 3) grants and contract management; 4) finance systems; 5) human resource processes; 6) corporate assets; 7) sensitive information; 8) regulatory compliance and enforcement; and 9) documentary and identity.

51 The department contracted an external consultant to undertake the 2019 fraud risk assessment. Documentation reviewed by the ANAO indicated that the department provided appropriate oversight of the review (for example, DFAT monitored progress and attended consultations).

52 The department’s 2018 fraud control plan included a commitment to implement a framework for more timely reporting and management of fraud risks, including the creation of a Vulnerabilities and Treatments report.

53 Internal fraud includes fraud committed by departmental officers that may constitute a breach of the APS Code of Conduct or a criminal offence. Offences related to the Passports Act 2005 are managed separately by the passport fraud section.

54 Department of Foreign Affairs and Trade, Risk management for aid investments, DFAT, available from https://www.dfat.gov.au/sites/default/files/risk-management-for-aid-investments-guide.pdf, accessed 20 March 2020.

55 Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, para. 39, p. C11.

56 See also paragraph 1.12.

57 Department of Finance, Commonwealth Risk Management Policy, DOF, 2014, page 1.

58 For example, accounts payable and accounts receivable business processes include preventive controls such as separation of duties and restricted user system access.

59 DFAT advised the ANAO in May 2020 that it is ‘currently modifying its approach to development of the enterprise wide framework in response to the changing risk environment created by COVID-19.’

60 The 2018 version was in place during the timeframe of this audit. The department has released a 2020 risk management guide that also notes the requirement to assign control owners, however the wording differs slightly.

61 Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, p. A1.

62 Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, p. A1.

63 ibid., paras. 62–63, p. C15.

64 Department of Foreign Affairs and Trade, Fraud Referral Form [Internet], DFAT, available from https://dfat.gov.au/about-us/publications/Pages/suspected-or-detected-fraud-referral-form.aspx [accessed 13 February 2020].

65 Department of Foreign Affairs and Trade, Fraud Control [Internet], DFAT, available from https://dfat.gov.au/about-us/corporate/fraud-control/Pages/fraud-control.aspx [accessed 13 February 2020].

66 Department of Foreign Affairs and Trade, Fraud Control Toolkit for funding recipients [Internet], DFAT, available from https://dfat.gov.au/about-us/publications/Pages/fraud-control-toolkit-for-funding-recipients.aspx [accessed 13 February 2020].

67 Commonwealth Ombudsman, Public Interest Disclosure [Internet], Commonwealth Ombudsman, available from https://www.ombudsman.gov.au/Our-responsibilities/making-a-disclosure [accessed 13 February 2020].

68 Department of Foreign Affairs and Trade, Procedures for Handling Public Interest Disclosures [Internet], DFAT, available from https://www.dfat.gov.au/about-us/corporate/Pages/procedures-for-handling-public-interest-disclosures.aspx [accessed 13 February 2020].

69 Department of Foreign Affairs and Trade, Fraud control [Internet], DFAT, available from https://dfat.gov.au/about-us/corporate/fraud-control/Pages/fraud-control.aspx [accessed 13 February 2020]. See heading ‘reporting fraud’.

70 Department of Foreign Affairs and Trade, Privacy [Internet], DFAT, available from https://www.dfat.gov.au/about-us/corporate/privacy/Pages/privacy [accessed 26 March 2020].

71 DFAT advised the ANAO that tip offs external to the department can include funding providers reporting suspected fraud to the department in accordance with contractual obligations.

72 One per cent of external fraud detection methods were not recorded/unknown.

73 The fraud policy procedural requirements for investigations encapsulates the standards set out in the AGIS, and also includes the requirement for entities to take all reasonable measures to recover financial losses caused by illegal activity through proceeds of crime and civil recovery processes or administrative remedies (para. 10). Therefore this audit examined whether the department’s investigation procedures were consistent with the AGIS and whether entities have a process to recover financial losses.

Appendix 4 of this audit report maps the AGIS requirements to the requirements set out in the fraud policy.

74 The AGIS investigation qualification standards are: a Certificate IV in Government (Investigation) or its equivalent, to be obtained before an officer is primarily engaged as an investigator; and a Diploma of Government (Investigation) or its equivalent for staff primarily engaged in the coordination and supervision of investigations.

75 DFAT advised the ANAO that the number of fully qualified staff fluctuates and that staff are trained as soon as practicable, which is dependent on courses being delivered by the provider.

76 Entities are required to report to the AIC annually as described in footnote 23.

77 Departmental staff advised the ANAO that the manual is from 2009.

78 The data presented in Tables 3.2–3.4 of this audit report was sourced from the department’s questionnaire response.

79 Including receipt of an allegation, initial evaluation and actioning/referral, investigation management and case finalisation.

80 Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, para. 10, p. B2.

81 This figure does not include recoveries made by DFAT funding recipients and their supply chains.

82 Passports are paid for on application whether they are issued or not. If fraud is detected post-issue the passport will be cancelled, forfeiting the benefit to the holder. Where fraud is detected in the application process, DFAT may make a decision to refuse to process the application. In this case, the fee is forfeited and no passport is issued.

83 In respect to proper use, section 8 of the PGPA Act provides that: ‘proper, when used in relation to the use or management of public resources, means efficient, effective, economical and ethical’.

84 Public Governance, Performance and Accountability Act 2013 [Internet], available from https://www.legislation.gov.au/Details/C2017C00269 [accessed 23 March 2020].

85 Attorney-General’s Department, Preventing, detecting and dealing with fraud, Resource Management Guide No. 201, AGD, 2017, para. 24, p. C9.

86 ibid., para. 43, p. C12.

87 These are the hallmarks of a positive risk culture articulated in the Commonwealth Risk Management Policy. Department of Finance, Commonwealth Risk Management Policy, 2014, paragraph 17, available from https://www.finance.gov.au/comcover/risk-management [accessed 19 February 2020].

88 The ANAO has previously conducted performance audits that have examined an aspect of the entity’s culture. See: Auditor-General Report No.6 2017–18 The Management of Risk by Public Sector Entities; Auditor-General Report No.53 2017–18 Cyber Resilience; Audit Insights May 2019 Board Governance; and Auditor-General Report No.1 2019–20 Cyber resilience of Government Business Enterprises and Corporate Commonwealth Entities.

89 The Secretary’s Instructions are issued under section 20 of the Public Governance, Performance and Accountability Act 2013.

90 Section 10 of the Public Governance, Performance and Accountability Rule 2014 (the fraud rule) states that the accountable authority of a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity. The accountable authority for the Department of Foreign Affairs and Trade is the Secretary, and the term ‘Secretary’ is used throughout this chapter. Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, p. A1.

91 Department of Foreign Affairs and Trade, Fraud Control [Internet], DFAT, available from https://dfat.gov.au/about-us/corporate/fraud-control/Pages/fraud-control.aspx [accessed 17 February 2020].

92 Department of Foreign Affairs and Trade, Risk Management for Aid Investments Guide [Internet], DFAT, available from https://www.dfat.gov.au/about-us/publications/Pages/risk-management-for-aid-investments-guide [accessed 17 March 2020].

93 See footnote 89.

94 Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, para. 29, p. C10.

95 ibid., para. 87, p. C19.

96 International Fraud Awareness Week is an initiative of the Association of Certified Fraud Examiners and is held in November each year.

97 Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, page A1.

98 ibid., para. 46, p. C13.

99 All Australian Public Service (APS) staff and contracted staff. This requirement does not apply to Locally Engaged Staff.

100 Auditor-General Report No.5 2017–18, Protecting Australia’s Missions and Staff Overseas: Follow-on identified issues relating to DFAT’s ability to monitor and analyse security training. DFAT agreed to recommendation 3 of the report that DFAT develop mechanisms to: provide assurance that staff receive the required security training for their posting, and to inform future planning and improvements to the security training program.

101 Department of Foreign Affairs and Trade, Annual Report 2018–19, DFAT, 2019, p. 92.

102 The annual report performance measure only includes referrals to Australian prosecution authorities.

103 Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, para. 14(a), p. B3. Following a machinery of government change in 2017, the AIC is now within the Home Affairs portfolio. The Commonwealth Fraud Control Framework has not yet been updated to reflect this change.

104 ibid., para. 94, p. C19.

105 Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017.

106 In accordance with the Commonwealth Fraud Control Policy, all non-corporate Commonwealth entities are required to collect information on fraud and complete an online questionnaire by 30 September each year. Corporate Commonwealth entities are encouraged, but not required, to do so.

107 C Teunissen, R Smith and P Jorna, Commonwealth Fraud Investigations 2017–18 and 2018–19, Statistical Report No.25, Australian Institute of Criminology, Canberra, 2020.

108 ibid.

109 Association of Certified Fraud Examiners, Report to the Nations 2020 Global Study on Occupational Fraud and Abuse [Internet], ACFE, 2020, available from https://www.acfe.com/report-to-the-nations/2020/ [accessed 3 June 2020].

110 Occupational fraud is defined as the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organisation’s resources or assets.

111 The UK government departments report fraud against a civil test definition of fraud. They consider on the balance of probabilities whether or not an action or inaction was likely to have been taken with the intention of defrauding the taxpayer. Cases do not need to be proved to a criminal standard to be reported as fraud.

112 Outside of the tax and welfare system.

113 UK Cabinet Office, Cross-Government Fraud Landscape Annual Report 2019, UK Cabinet Office, 2020.

114 The exercises included: had a statistically valid sample; sought or examined information indicating the presence of fraud, error or correctness in each case within that sample; had been completed and reported; were externally validated; had a measurable level of statistical confidence; and had a measurable level of accuracy.

115 Association of Certified Fraud Examiners, Iconic Fraud Triangle endures [Internet], ACFE, 2014, available from https://www.fraud-magazine.com/article.aspx?id=4294983342 [accessed 11 March 2020].

116 Wolfe, D., and Hermanson, D., The Fraud Diamond: Considering the Four Elements of Fraud [Internet], Kennesaw State University, 2004, available from https://digitalcommons.kennesaw.edu/cgi/viewcontent.cgi?article=2546&context=facpubs [accessed 11 March 2020].

117 ibid.

118 The fraud matter was for a completed investigation in which the allegation was substantiated, either in full or in part, and the investigation was finalised in 2018–19, regardless of when the fraud was committed or when the investigation commenced.

119 KPMG, Global profiles of the fraudster [Internet], KPMG, 2016, available from https://assets.kpmg/content/dam/kpmg/pdf/2016/06/profiles-of-the-fraudster-au.pdf [accessed 11 March 2020].

120 Association of Certified Fraud Examiners, Report to the Nations 2020 Global Study on Occupational Fraud and Abuse [Internet], ACFE, 2020, available from https://www.acfe.com/report-to-the-nations/2020/ [accessed 3 June 2020].

121 PwC, 2020 Global Economic Crime and Fraud Survey [Internet], PwC, 2020, available from https://www.pwc.com/gx/en/services/advisory/forensics/economic-crime-survey.html [accessed 16 March 2020].

122 PwC, Global and Economic Crime and Fraud Survey: Australian Report [Internet], PwC, 2018, available from https://www.pwc.com.au/consulting/assets/gecs-report18.pdf [accessed 16 March 2020].

123 Attorney-General’s Department, Fraudster personas [Internet], AGD, available from https://www.ag.gov.au/Integrity/counter-fraud/fraudster-personas/Pages/default.aspx [accessed 11 March 2020].

124 The fraud policy is binding for all non-corporate Commonwealth entities.