Audit snapshot

Why did we do this audit?

  • Fraud against the Commonwealth makes less money available for public goods and services.
  • All Commonwealth entities are required to have arrangements in place to prevent, detect and deal with fraud.
  • This audit is part of a series of three audits intended to provide assurance to Parliament on the selected entities’ fraud control arrangements, and assist other entities to consider the effectiveness of their fraud control arrangements.

Key facts

  • The Australian Government has set out its requirements for fraud control in the 2017 Commonwealth Fraud Control Framework.
  • All non-corporate Commonwealth entities are required to follow the framework’s fraud policy and should implement better practice fraud guidance, as relevant.
  • As the accountable authority, the department’s Secretary is required to take all reasonable measures to prevent, detect and deal with fraud against the department.

What did we find?

  • Fraud control arrangements in the Department of Social Services are largely effective.
  • The department’s arrangements comply with the mandatory requirements of the Commonwealth Fraud Control Framework.
  • The department has also implemented arrangements that are largely consistent with the whole of government better practice fraud guidance.
  • The accountable authority has promoted a fraud aware culture.

What did we recommend?

  • The Auditor-General made two recommendations to the Department of Social Services, to document aspects of its fraud control processes, and provide a higher level of assurance to the Parliament about its fraud control arrangements.
  • The Department agreed to the recommendations.

96%: The proportion of staff that have completed mandatory fraud awareness training.

14: The number of finalised fraud investigations in 2018–19.

8 (57%): The number of finalised investigations first identified through staff member detection.

Summary and recommendations

Background

1. The Australian Government (the government) defines fraud as:

Dishonestly obtaining a benefit or causing a loss by deception or other means.1

2. Fraud requires intent, and is more than carelessness, accident or error. Without intent, an incident may indicate non-compliance rather than fraud.2

3. Fraud against the Commonwealth can be committed by Commonwealth officials or contractors (internal fraud) or by external parties such as clients, service providers, members of the public or organised criminal groups (external fraud).3 In some cases fraud against the Commonwealth may involve collusion between external and internal parties, and can include corrupt conduct such as bribery. However, not all corrupt conduct meets the definition of fraud.4

4. Australian Government entities have long been required to establish arrangements to manage fraud risks. The government’s requirements for fraud control are contained in the 2017 Commonwealth Fraud Control Framework5 (the Framework) pursuant to the Public Governance, Performance and Accountability Act 2013 (PGPA Act). The Framework comprises three tiered documents — the fraud rule, fraud policy and fraud guidance — with different binding effects for corporate and non-corporate Commonwealth entities.6 The Attorney-General’s Department is responsible for administering the Framework.

5. As non-corporate Commonwealth entities, Australian Government departments must comply with the fraud rule and fraud policy. While the fraud guidance is not binding, the government considers the guidance to be better practice and expects entities to follow it where appropriate.7

6. This audit is one in a series of three performance audits reviewing fraud control arrangements in selected departments — the Department of Social Services, the Department of Foreign Affairs and Trade and the Department of Home Affairs. The focus of this audit report is the Department of Social Services.

Rationale for undertaking the audit

7. This audit series is intended to provide assurance to the Parliament regarding the fraud control arrangements of selected Australian Government departments. All Commonwealth entities are required to have fraud control arrangements in place because preventing, detecting and responding to fraud against the Commonwealth is necessary to ensure the proper use of public resources, financial and material losses are minimised, and public confidence is maintained. In addition, this audit series aims to assist all Commonwealth entities to consider the effectiveness of their fraud control arrangements, including areas where additional effort would improve consistency with whole of government better practice fraud guidance (discussed in paragraph 5) and the take-up of whole of government advice on new and emerging fraud risks (discussed in paragraph 10).

Audit objective and criteria

8. The objective of the audit was to assess the effectiveness of the Department of Social Services’ fraud control arrangements. The high level audit criteria were that the department:

  • complies with the mandatory requirements set out in the Commonwealth Fraud Control Framework and arrangements are consistent with the government’s better practice guidance; and
  • promotes a fraud aware culture.

9. The ANAO did not assess whether specific controls are in place or the effectiveness of such controls in the selected entity.8

10. The ANAO reviewed fraud control arrangements in place within the department during the period of audit fieldwork, September 2019 to early February 2020. On 18 February 2020 the Australian Government activated the Emergency Response Plan for Novel Coronavirus (COVID-19).9 On 27 March 2020 the Australian Federal Police’s Operation Ashiba and the Commonwealth Counter Fraud Prevention Centre in the Attorney-General’s Department established the Commonwealth COVID-19 Counter Fraud Taskforce intended to support Commonwealth agencies to prevent fraud against the COVID-19 economic stimulus measures.10 The Commonwealth Fraud Prevention Centre circulated the Fraud Control in COVID-19 Emergency and Crisis Management fact sheet to Commonwealth entities, with information about key fraud risks related to COVID-19 response efforts.

11. The Department of Social Services was invited by the ANAO to make a representation in relation to its current or planned arrangements to address increased fraud risks resulting from the COVID-19 response. The department advised the ANAO in May 2020 that:

The department has been assessing and monitoring the increased fraud risk as a result of the COVID-19 response. The department is continuing to work with the Commonwealth Fraud Prevention Centre and COVID-19 Counter Fraud Taskforce to strengthen the department’s control environment and implement new countermeasures to prevent fraud.

Guidance provided by the COVID-19 Counter Fraud Taskforce to assist in implementing fraud countermeasures during COVID-19 has informed the department’s approach to addressing the increased fraud risk. This includes building awareness of fraud risks, implementing low friction countermeasures to prevent fraud where possible and carrying out targeted assurance checks to identify instances of fraud.

Conclusion

12. Fraud control arrangements in the Department of Social Services are largely effective. The department’s arrangements comply with the mandatory requirements of the Commonwealth Fraud Control Framework, are largely consistent with the whole of government better practice fraud guidance, and the accountable authority has taken steps to promote a fraud aware culture. Further attention is required to document a formal assurance mechanism between fraud risk and control owners, and to provide the expected level of assurance in the department’s annual fraud certification.

13. The department has developed and implemented a fraud control framework, conducted fraud risk assessments, and has guidance and procedures to assist departmental staff to understand what constitutes fraud and to carry out their fraud prevention responsibilities. The department has also included performance indicators and an annual work program in its fraud control framework to assist it to monitor and review its fraud control arrangements.

14. The department has mechanisms in place to assess its fraud risks but has not fully addressed all fraud risks assessed as ‘high’ risk. The department’s oversight of its fraud controls would be strengthened by documenting fraud control and treatment owners in its fraud risk assessments, and documenting a process for control owners to provide assurance to risk owners about control effectiveness.

15. The department has put in place controls to detect fraud, including reporting channels for use by staff and members of the public and the use of data analytics. The department’s fraud investigation procedures are consistent with the Australian Government Investigations Standards.

16. The department has taken steps to promote a fraud aware culture and met the reporting requirements set out in the framework. The department’s certification in the two most recent annual reports provided a lower level of assurance to Parliament than is expected under the PGPA Rule.

Supporting findings

Risk management, planning and prevention

17. Fraud risk is considered within the context of the department’s overarching enterprise risk management framework. Fraud risk is categorised as a ‘specialist risk’. This means fraud risks need to be considered by officers with a thorough understanding of the subject matter. The department’s fraud control officers assist policy and program areas to consider fraud risk and to conduct fraud risk assessments. The department’s fraud control arrangements are set out in a fraud control framework that includes a fraud control plan, an annual work program and performance indicators intended to measure the success of its fraud control arrangements.

18. The department could more closely align to the whole of government fraud guidance by including a summary of the department’s fraud risks in its fraud control plan. Having this summary would assist staff to fulfil their responsibilities under the fraud control plan to report suspected fraud by providing a departmental-level overview of such risks.

19. The department has identified fraud risks and conducted fraud risk assessments at regular intervals. Fraud risk assessments cover risks related to internal operations that occur across the department, such as financial management and procurement, as well as risks specific to individual programs. The department’s fraud control officers, who assist departmental staff to undertake fraud risk assessments, have or are working towards acquiring qualifications in fraud investigations and fraud control.

20. Fraud risks are assessed and given a fraud risk exposure rating based on the likelihood and consequences of the risk occurring but the department has not fully addressed all fraud risks assessed as ‘high’ risk. The department determines whether risks are ‘acceptable’ or ‘unacceptable’ but does not document the rationale for deciding that certain ‘high’ risks are ‘acceptable’. Eight of the department’s 15 ‘high’ fraud risks that it had assessed as ‘unacceptable’ either did not have treatments identified to reduce the risk or those treatments were insufficient to reduce the risk exposure rating. The department has identified fraud risks that are shared with Services Australia and, in its capacity as administrator of the government’s Community Grants Hub, has drafted but not yet finalised protocols for the management of fraud risks by client services.

21. The department has a range of preventive controls in place and tests its controls to ensure they are operational. The department’s risk framework sets out responsibilities for risk, control and treatment owners but does not document either the control or treatment owner in the risk assessment. While the department has a process to identify improvements to existing controls, to meet the fraud guidance it should document a process for control owners to provide assurance to risk owners that the controls in place are useful, necessary and effective.

Detection, investigation and response

22. The department uses a range of detective controls to find fraud. These include processes for departmental staff and members of the public to confidentially report allegations of fraud. The main detection method for internal and external fraud investigations, finalised in 2018–19, was through staff member detection. The department also identifies fraud through other detective controls such as internal audits and data analytics. These detective controls have identified suspected fraud that has then been subject to assessment and investigation.

23. The department’s investigation procedures are consistent with the Australian Government Investigations Standards.

Culture, assurance and reporting

24. The department has set expectations and promotes a fraud aware culture through: the Secretary’s instructions; its fraud control framework; internal events during International Fraud Awareness week; and internal messaging to staff about fraud control and outcomes from significant fraud-related prosecutions. The department’s audit and assurance committee charter allows the committee to review the department’s fraud risks, and it has done so.

25. Completion of online fraud awareness training has been mandatory for all staff since August 2019. As of 1 November 2019, 96.8 per cent of staff had completed the training. As this mandatory requirement has recently been introduced there is value in the department closely monitoring completion rates to inform its approach to achieving full compliance.

26. In its 2017–18 and 2018–19 annual reports, the department provided a lesser level of assurance to the Parliament than is expected by the PGPA Rule. The Secretary’s certification in those annual reports did not meet the expectations of the PGPA Rule because it did not state that all reasonable measures had been taken to deal appropriately with fraud relating to the entity, or identify what, if any, further measures needed to be implemented.

27. The department has complied with the mandatory reporting obligation in the Commonwealth Fraud Control Policy to provide information to the Australian Institute of Criminology annually, and has briefed its Minister twice on specific fraud risks or issues since 2016.

Recommendations

Recommendation no.1

Paragraph 2.50

The Department of Social Services document control and treatment owners in its fraud risk assessments, and document a process to facilitate the provision of assurance to risk owners that controls are useful, necessary and effective.

Department of Social Services response: Agreed.

Recommendation no.2

Paragraph 4.24

The Department of Social Services accountable authority’s annual report certification prepared pursuant to subsection 17AG(2) of the PGPA Rule 2014 should certify that all reasonable measures have been taken to deal appropriately with fraud relating to the entity, or indicate what further measures need to be implemented.

Department of Social Services response: Agreed.

Summary of entity response

The Department of Social Services (the department) acknowledges the report and the opportunities the audit provides to strengthen our fraud control operations.

The department places a high priority on reviewing and improving fraud risk arrangements to protect the integrity of the department and our programs. The department has already begun taking steps that will address the recommendations identified in the report.

Key messages from this audit for all Australian Government entities

28. This audit is one in a series of three performance audits reviewing fraud control arrangements in selected non-corporate Commonwealth entities:

  • the Department of Social Services;
  • the Department of Foreign Affairs and Trade; and
  • the Department of Home Affairs.

29. Key messages from this audit series will be outlined in an ANAO Insights product available on the ANAO website.

1. Background

Introduction

1.1 Fraud against the Commonwealth causes financial and material loss, reducing the amount of money available for public goods and services and impacting on government’s ability to achieve its objectives. Fraud can also damage trust in government. Managing fraud risk is a responsibility shared by all Commonwealth officials, with ongoing effort commensurate to the scale of fraud risk required to effectively prevent, identify and respond to fraud. Fraud threats are constantly evolving, meaning responses need to be dynamic.

1.2 The Australian Government (the government) defines fraud as:

Dishonestly obtaining a benefit or causing a loss by deception or other means.11

1.3 Fraud requires intent, and is more than carelessness, accident or error. Without intent, an incident may indicate non-compliance rather than fraud.12 Fraud against the Commonwealth may include (but is not limited to):

  • theft;
  • accounting fraud (for example, false invoices, misappropriation);
  • misuse of Commonwealth credit cards;
  • unlawful use of, or unlawful obtaining of, property, equipment, material or services;
  • causing a loss, or avoiding and/or creating a liability;
  • providing false or misleading information to the Commonwealth, or failing to provide information when there is an obligation to do so;
  • misuse of Commonwealth assets, equipment or facilities;
  • cartel conduct;
  • making or using false, forged or falsified documents; and/or
  • wrongfully using Commonwealth information or intellectual property.13

1.4 Fraud against the Commonwealth can be committed by Commonwealth officials or contractors (internal fraud) or by external parties such as clients, service providers, members of the public or organised criminal groups (external fraud).14 In some cases fraud against the Commonwealth may involve collusion between external and internal parties, and can include corrupt conduct such as bribery. However, not all corrupt conduct meets the definition of fraud.15

The Australian Government’s fraud control framework

1.5 Australian Government entities have long been required to establish arrangements to manage fraud risks. At the time of this audit, the government’s requirements for fraud control are contained in the 2017 Commonwealth Fraud Control Framework16 (the Framework) pursuant to the Public Governance, Performance and Accountability Act 2013 (PGPA Act). A desktop review conducted by the ANAO of state and territory and international fraud control frameworks is presented at Appendix 2.

1.6 The Framework is intended to: allow Commonwealth entities to manage their fraud risks in a way which best suits the individual circumstances of the entity; and support the accountable authority17 to effectively discharge their responsibilities under the PGPA Act. The Framework comprises three tiered documents with different binding effects:18

  • Section 10 of the Public Governance, Performance and Accountability Rule 2014 (the fraud rule): A legislative instrument binding all Commonwealth entities and setting out the key requirements of fraud control.
  • The Commonwealth Fraud Control Policy (the fraud policy): An Australian Government policy binding non-corporate Commonwealth entities19 setting out procedural requirements for specific areas of fraud control such as investigations and reporting.
  • Resource Management Guide No. 201 — Preventing, detecting and dealing with fraud (the fraud guidance): A better practice document setting out the government’s expectations in detail for fraud control arrangements within all Commonwealth entities.

1.7 As non-corporate Commonwealth entities, Australian Government departments must comply with the fraud rule and fraud policy. While the fraud guidance is not binding, the government considers it to be better practice and expects entities to follow it where appropriate.20

1.8 The Attorney-General’s Department (AGD) administers the Framework. The Australian Government is providing $16.4 million over two years from 2019–20 to AGD ($6.6 million) and the Australian Federal Police (AFP) ($9.8 million) to pilot and continue measures to strengthen Commonwealth counter-fraud arrangements.21 The AGD established the Commonwealth Fraud Prevention Centre, and is piloting measures to improve the sharing of data, information and knowledge across government. The AFP established Operation Ashiba to lead a Commonwealth multi-agency taskforce intended to support and strengthen whole of government efforts to detect, disrupt and respond to serious and complex fraud.

Responsibilities of accountable authorities

1.9 The PGPA Act and the PGPA Rule contain specific duties and requirements for the accountable authority of a Commonwealth entity pertaining to internal control arrangements, including for fraud control and relevant reporting (Table 1.1).

Table 1.1: Responsibilities of accountable authorities (PGPA Act and PGPA Rule)

Reference: Section 15, PGPA Act
Duty or requirement: Duty to govern the Commonwealth entity

1. The accountable authority of a Commonwealth entity must govern the entity in a way that:

  • promotes the proper use(a) and management of public resources for which the authority is responsible; and
  • promotes the achievement of the purposes of the entity; and
  • promotes the financial sustainability of the entity.

2. In making decisions for the purposes of subsection (1), the accountable authority must take into account the effect of those decisions on public resources generally.

Reference: Section 16, PGPA Act
Duty or requirement: Duty to establish and maintain systems relating to risk and control

The accountable authority of a Commonwealth entity must establish and maintain:

  1. an appropriate system of risk oversight and management for the entity; and
  2. an appropriate system of internal control for the entity;

including by implementing measures directed at ensuring officials of the entity comply with the finance law.

Reference: Section 10, PGPA Rule
Duty or requirement: Preventing, detecting and dealing with fraud

The accountable authority of a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by:

  1. conducting fraud risk assessments regularly and when there is a substantial change in the structure, functions or activities of the entity; and
  2. developing and implementing a fraud control plan that deals with identified risks as soon as practicable after conducting a risk assessment; and
  3. having an appropriate mechanism for preventing fraud, including by ensuring that:
    1. officials of the entity are made aware of what constitutes fraud; and
    2. the risk of fraud is taken into account in planning and conducting the activities of the entity; and
  4. having an appropriate mechanism for detecting incidents of fraud or suspected fraud, including a process for officials of the entity and other persons to report suspected fraud confidentially; and
  5. having an appropriate mechanism for investigating or otherwise dealing with incidents of fraud or suspected fraud; and
  6. having an appropriate mechanism for recording and reporting incidents of fraud or suspected fraud.

Reference: Subsection 17AG(2), PGPA Rule
Duty or requirement: Information on management and accountability

The annual report must include the following:

  1. information on compliance with section 10 (which deals with preventing, detecting and dealing with fraud) in relation to the entity during the period.
  2. A certification by the accountable authority of the entity that:
    1. fraud risk assessments and fraud control plans have been prepared for the entity; and
    2. appropriate mechanisms for preventing, detecting incidents of, investigating or otherwise dealing with and recording or reporting fraud that meet the specific needs of the entity are in place for the entity; and
    3. all reasonable measures have been taken to deal appropriately with fraud relating to the entity.

Note a: In respect to ‘proper use’, section 8 of the PGPA Act provides that ‘proper, when used in relation to the use or management of public resources, means efficient, effective, economical and ethical’.

Source: PGPA Act and PGPA Rule.

Extent of fraud against the Commonwealth

1.10 The Australian Government has reported that the extent of fraud against the Commonwealth, including the exact cost and impact, is unknown.22 Fraud can be hidden, difficult to detect or remain unreported. The Australian Institute of Criminology (AIC) produces an annual report measuring levels of fraud detected and investigated across the Commonwealth on the basis of data self-reported by Commonwealth entities via an online questionnaire.23 The Commonwealth fraud investigations 2017–18 and 2018–19 report24 stated that of 155 entities with responses, 30 (19 per cent) commenced internal fraud investigations and 37 (24 per cent) commenced external fraud investigations. In total, 52 (34 per cent) different entities commenced investigations. In 2018–19, 27 (17 per cent) entities finalised internal fraud investigations and 34 (22 per cent) entities finalised external fraud investigations. In total, 44 (28 per cent) different entities finalised fraud investigations in the 2018–19 financial year. The AIC estimated fraud losses during 2018–19 of $149,680,728 ($2,775,917 from internal fraud; $146,904,811 from external fraud), on the basis of completed investigations where fraud could be quantified.25

1.11 The results of a desktop review by the ANAO of international research to estimate fraud losses is presented in Appendix 2.

Previous audits

1.12 The interim audit phase of the ANAO’s annual program of financial statements audits includes an assessment of the effectiveness of each entity’s internal controls as they relate to the risk of misstatement in the financial statements. Auditor-General Report No.46 2018–19 Interim Report on Key Financial Controls of Major Entities (the controls report) reported that at the completion of the ANAO’s interim audits for the 26 major entities included in that report, the key elements of internal control were operating effectively for 19 entities26, including the three departments selected for this performance audit series.27 In the context of the ANAO’s review of entity internal controls, the controls report included a focus on, and an analysis of, payment card and fraud control policies together with a continued review of compliance with the Commonwealth’s finance law.28

1.13 Australian Government fraud control arrangements have also been the subject of previous ANAO performance audits. The most recent relevant audit was tabled in 2018–19 and examined the fraud control arrangements of the National Disability Insurance Agency (NDIA). The audit found that while the NDIA was largely compliant with the requirements of the Commonwealth Fraud Rule29 there was scope to improve: fraud prevention strategies; measures to detect potential fraud; and the effectiveness of fraud control governance and reporting arrangements.30 A key learning for other government entities arising from the audit was that the Commonwealth Fraud Control Framework (not just the Fraud Rule) provides a robust framework for all government entities to manage fraud risk. In the absence of it being mandatory for corporate entities to comply with all elements of the framework, corporate entities should see its implementation as good practice.31

1.14 An ANAO audit tabled in 2014–15 of the fraud control arrangements of selected entities32 found that overall these entities were generally compliant with the applicable requirements of the 2011 Fraud Control Guidelines (the Guidelines) that were in effect during the course of the audit. The audit included one recommendation:

To facilitate the timely preparation of the annual Fraud Against the Commonwealth Report and the annual Compliance Report to Government, the ANAO recommends that the Attorney-General’s Department formalises its business arrangements with the Australian Institute of Criminology.33

1.15 From 1 July 2014, the Guidelines were replaced with the Commonwealth Fraud Control Framework pursuant to the PGPA Act. The fraud policy was reissued in August 2016, with new provisions implementing the ANAO recommendation detailed in paragraph 1.14 by formalising the requirement for entities to provide information to the AIC to facilitate the AIC annual fraud report.34 The fraud guidance was reissued in August 2017.35

Selected entities in this audit series

1.16 This audit is one in a series of three performance audits reviewing fraud control arrangements in selected departments — the Department of Social Services, the Department of Foreign Affairs and Trade and the Department of Home Affairs. The focus of this audit report is the Department of Social Services.

1.17 Other audits in the series are:

  • Auditor-General Report No.42 2019–20 Fraud Control Arrangements in the Department of Foreign Affairs and Trade; and
  • Auditor-General Report No.43 2019–20 Fraud Control Arrangements in the Department of Home Affairs.

1.18 Contextual information about the Department of Social Services (DSS) is provided at Table 1.2.

Table 1.2: Contextual information about the Department of Social Services

| Element | Contextual information |
| --- | --- |
| Entity mission/purpose | To improve the wellbeing of individuals and families in Australian communities. |
| Number of staff (as at June 2019) | 2,520 |
| Number of staff dedicated to ‘fraud related duties’(a) (as at June 2019) | 15 |
| Total resourcing ($’000) (for 2018–19) | 115,179,770 |
| Geographic location | Major office in Canberra, offices in every state and territory. |

Note a: ‘Fraud-related duties’ as defined within the 2018–19 AIC fraud questionnaire, could include work in fraud control policy, fraud risk management, prevention, detection, investigation, delivery of training and/or fraud reporting.

Source: ANAO, drawing on the Department of Social Services 2018–19 Annual Report, 2019–20 Portfolio Budget Statements and entity responses to the AIC 2018–19 fraud questionnaire.

Rationale for undertaking the audit

1.19 This audit series is intended to provide assurance to the Parliament regarding the fraud control arrangements of selected Australian Government departments. All Commonwealth entities are required to have fraud control arrangements in place because preventing, detecting and responding to fraud against the Commonwealth is necessary to ensure the proper use of public resources, financial and material losses are minimised, and public confidence is maintained. In addition, this audit series aims to assist all Commonwealth entities to consider the effectiveness of their fraud control arrangements, including areas where additional effort would improve consistency with whole of government better practice fraud guidance (discussed in paragraphs 1.6 and 1.7) and the take-up of whole of government advice on new and emerging fraud risks (discussed in paragraph 1.22).

Audit approach

Audit objective, criteria and scope

1.20 The objective of the audit was to assess the effectiveness of the Department of Social Services’ fraud control arrangements. The high level audit criteria were that the department:

  • complies with the mandatory requirements set out in the Commonwealth Fraud Control Framework and arrangements are consistent with the government’s better practice guidance; and
  • promotes a fraud aware culture.

1.21 The ANAO did not assess whether specific controls are in place or the effectiveness of such controls in the selected entity.36

1.22 The ANAO reviewed fraud control arrangements in place within the department during the period of audit fieldwork, September 2019 to early February 2020. On 18 February 2020 the Australian Government activated the Emergency Response Plan for Novel Coronavirus (COVID-19).37 On 27 March 2020 the Australian Federal Police’s Operation Ashiba and the Commonwealth Counter Fraud Prevention Centre in the Attorney-General’s Department established the Commonwealth COVID-19 Counter Fraud Taskforce intended to support Commonwealth agencies to prevent fraud against the COVID-19 economic stimulus measures.38 The Commonwealth Fraud Prevention Centre circulated the Fraud Control in COVID-19 Emergency and Crisis Management fact sheet to Commonwealth entities, with information about key fraud risks related to COVID-19 response efforts.

1.23 The Department of Social Services was invited by the ANAO to make a representation in relation to its current or planned arrangements to address increased fraud risks resulting from the COVID-19 response. The department advised the ANAO in May 2020 that:

The department has been assessing and monitoring the increased fraud risk as a result of the COVID-19 response. The department is continuing to work with the Commonwealth Fraud Prevention Centre and COVID-19 Counter Fraud Taskforce to strengthen the department’s control environment and implement new countermeasures to prevent fraud.

Guidance provided by the COVID-19 Counter Fraud Taskforce to assist in implementing fraud countermeasures during COVID-19 has informed the department’s approach to addressing the increased fraud risk. This includes building awareness of fraud risks, implementing low friction countermeasures to prevent fraud where possible and carrying out targeted assurance checks to identify instances of fraud.

Audit methodology

1.24 The audit methodology involved:

  • assessing entity arrangements against the mandatory requirements of the Commonwealth Fraud Control Framework;
  • reviewing entity records;
  • reviewing entity procedures for planning, prevention, detection, investigation and responding to fraud and allegations of fraud, against the fraud guidance; and
  • discussions with relevant entity staff.

1.25 To assess the department’s compliance with the Commonwealth Fraud Control Framework, the ANAO has read the fraud rule in conjunction with the fraud guidance, and has based its assessment and findings on the suite of documents produced by the department to support fraud control planning.

1.26 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $215,000.

1.27 The team members for this audit were Tracy Cussen, Ailsa McPherson, Hannah Climas, Michael Fitzgerald and Michelle Page.

2. Risk management, planning and prevention

Areas examined

This chapter examines whether the department has complied with the mandatory requirements set out in the Commonwealth Fraud Control Framework as they relate to fraud prevention and the extent to which these arrangements are consistent with the Australian Government’s fraud guidance.

Conclusion

The department has developed and implemented a fraud control framework, conducted fraud risk assessments, and has guidance and procedures to assist departmental staff to understand what constitutes fraud and to carry out their fraud prevention responsibilities. The department has also included performance indicators and an annual work program in its fraud control framework to assist it to monitor and review its fraud control arrangements.

The department has mechanisms in place to assess its fraud risks but has not fully addressed all fraud risks assessed as ‘high’ risk. The department’s oversight of its fraud controls would be strengthened by documenting fraud control and treatment owners in its fraud risk assessments, and documenting a process for control owners to provide assurance to risk owners about control effectiveness.

Areas for improvement

The ANAO has made one recommendation aimed at assisting fraud risk owners to have appropriate assurance that the controls identified to reduce the risk are useful, necessary and effective.

The ANAO has suggested that the department include a summary of fraud risks in its fraud control plan to provide greater transparency to its staff of department-level fraud risks.

The ANAO has also suggested that the department’s fraud risk assessments record: the rationale for accepting fraud risks it has assessed as ‘high’ or for not applying a treatment to a risk outside its tolerance; and a final assessment of the fraud risk following the application of a risk treatment(s).

2.1 Section 10 of the Public Governance, Performance and Accountability Rule 2014 (the fraud rule) requires the accountable authority of a Commonwealth entity to take all reasonable measures to prevent fraud relating to the entity.39 In order to prevent fraud, entities must understand their fraud risks and ensure arrangements are in place to prevent fraud from occurring.

2.2 The ANAO examined entity compliance with the mandatory requirements of the Commonwealth Fraud Control Framework and the extent to which entity arrangements are consistent with Resource Management Guide No. 201 — Preventing, detecting and dealing with fraud (the fraud guidance), to assess:

  • whether the entity has considered fraud risk management within the context of its overall risk management process, including the content of the entity’s fraud control plan;
  • how fraud risks are identified and whether these assessments are conducted at regular intervals;
  • how identified fraud risks are assessed and addressed; and
  • whether preventive controls to manage fraud risks have been identified and are being adequately assessed.

Is fraud risk considered within the context of the overall risk management process?

Fraud risk is considered within the context of the department’s overarching enterprise risk management framework. Fraud risk is categorised as a ‘specialist’ risk. This means that fraud risks need to be considered by officers with a thorough understanding of the subject matter. The department’s fraud control officers assist policy and program areas to consider fraud risk and to conduct fraud risk assessments. The department’s fraud control arrangements are set out in a fraud control framework that includes a fraud control plan, an annual work program and performance indicators intended to measure the success of its fraud control arrangements.

The department could more closely align to the whole of government fraud guidance by including a summary of fraud risks in its fraud control plan. Having this summary would assist staff to fulfil their responsibilities under the fraud control plan to report suspected fraud by providing a departmental-level overview of such risks.

2.3 As a non-corporate Commonwealth entity, the Department of Social Services (DSS or the department) is bound by the Australian Government’s Commonwealth Fraud Control Policy (fraud policy), which states that:

Non-corporate Commonwealth entities must ensure that their fraud control arrangements are developed in the context of the entity’s overarching risk management framework as described in the Commonwealth Risk Management Policy.40

2.4 In addition, the fraud guidance states that:

It is important to avoid looking at fraud in isolation from the general business of the entity. Entities are strongly encouraged to develop dynamic fraud risk assessment procedures integrated within an overall business risk approach rather than in a separate program.41

2.5 To assess whether fraud risk is considered within the context of DSS’s overarching risk management process, the ANAO reviewed how fraud is considered in the department’s risk management guide and assessed whether the contents of the department’s fraud control plan contained the components suggested in the fraud guidance.

DSS’s risk management framework

2.6 The department’s Enterprise Risk Management Framework (the risk framework) was issued in December 2018. The risk framework states that it is intended to provide a common-sense and pragmatic approach to risk management.

2.7 The department’s risk framework includes an enterprise risk management model. This model structures risks around five perspectives intended to reflect the department’s approach to managing its risks. The five perspectives presented in the risk model are:

  • enterprise risks — critical risks identified by DSS’s Executive Management Group which are of strategic importance;
  • group risks — identified as part of delivering group business plans;
  • policy and program risks — identified in the design, development and implementation of policy or programs;
  • program and project risks — identified in the delivery of transformation and ICT programs and projects; and
  • specialist risks — identified in the delivery of common corporate/operational areas.

2.8 Fraud risk is categorised as a ‘specialist’ risk within the department’s risk framework. As a specialist risk, the framework indicates that managing fraud risks requires: the person undertaking the risk assessment to have a thorough understanding of the subject matter; and that staff required to consider these risks seek support from the relevant business functions. The department has a fraud control section responsible for facilitating the completion of risk assessments.

2.9 The risk framework identifies that management of specialist risks is guided by specific documents. For fraud risks these documents include the department’s fraud control framework.

DSS’s fraud control framework

2.10 Subsection 10(b) of the fraud rule states that the accountable authority must develop and implement ‘a fraud control plan that deals with identified risks as soon as practicable after conducting a risk assessment’.42

2.11 A strict interpretation of the fraud rule would require the department to undertake a linear process: first conduct a risk assessment and then, as soon as practicable, develop and implement a fraud control plan that specifically addresses the identified risks. To assess the department’s compliance with the Commonwealth Fraud Control Framework, the ANAO has read the fraud rule in conjunction with the fraud guidance, and has based its assessment and findings on the suite of documents produced by the department to support fraud control planning (rather than whether the department strictly adheres to the linear process identified in the fraud rule).

2.12 The fraud guidance suggests that fraud control plans can:

Document the entity’s approach to controlling fraud at a strategic, operational and tactical level, and encompass awareness raising and training, prevention, detection, reporting and investigation measures.43

2.13 The department’s fraud control arrangements are set out in its Fraud Control Framework (the fraud framework) signed by the Chief Operating Officer on 28 June 2019.44 The fraud framework outlines the strategies the department has in place for identifying and managing fraud risk and comprises the Secretary’s Instruction 2.2—Fraud Risk Management and Control, DSS’s Fraud Control Plan 2019–21 and Fraud Control Annual Work Program 2019–20.

2.14 The department’s fraud control plan contains most of the components suggested by the fraud guidance. The department’s fraud control plan does not contain a summary of the fraud risks and treatment strategies. The department’s fraud risks and the treatment strategies to manage these risks are identified and assessed through the department’s risk assessment process, and are detailed in the fraud risk assessments.

2.15 When considered together, the department’s fraud framework and risk assessment documentation encompass all of the components recommended by the fraud guidance (Table 2.1).

Table 2.1: Content of DSS’s fraud control documentation

| Fraud guidance suggested areas | DSS fraud control documentation |
|---|---|
| A summary of fraud risks and vulnerabilities associated with the entity | Yes (a) |
| Treatment strategies and controls put in place to manage fraud risks and vulnerabilities | Yes (a) |
| Information about implementing fraud control arrangements within the entity | Yes |
| Strategies to ensure the entity is meeting its training and awareness needs | Yes |
| Mechanisms for collecting, analysing and reporting fraud incidents | Yes |
| Protocols for handling fraud incidents | Yes |
| An outline of key roles and responsibilities for fraud control within the entity (b) | Yes |

   

Note a: Fraud risks and treatment strategies are contained in the department’s fraud risk assessments, rather than within the department’s fraud framework.

Note b: Appendix 3 of this audit report outlines roles and responsibilities for fraud control within DSS as detailed in the department’s fraud control documentation.

Source: Commonwealth Fraud Control Framework and ANAO analysis of DSS documentation.

2.16 The department’s fraud documentation at a program level identifies identity fraud and identity theft as fraud risks. However, the department’s fraud control framework does not identify or include strategies to mitigate the risk of identity fraud.

2.17 The department could more closely align to the Australian Government’s fraud guidance requirements for the content of fraud control plans, by including a summary of its fraud risks, including identity fraud, and the treatments in place to manage these risks. Having this summary would assist staff to fulfil their responsibilities under the fraud control plan to report suspected fraud by providing a departmental-level overview of the risks to be aware of.

2.18 The department’s fraud control plan sets out ‘measures of success’ intended to assist the department to monitor and review its fraud prevention, detection and response strategies. These measures include quantitative indicators (for example, reduced length of time between risk being identified and response) and monitoring results from the annual APS Employee Census questions relating to fraud and/or corruption.

Are fraud risks identified and are assessments conducted at regular intervals?

The department has identified fraud risks and conducted fraud risk assessments at regular intervals. Fraud risk assessments cover risks related to internal operations that occur across the department, such as financial management and procurement, as well as risks specific to individual programs. The department’s fraud control officers, who assist departmental staff to undertake fraud risk assessments, have or are working towards acquiring qualifications in fraud investigations and fraud control.

2.19 Subsection 10(a) of the fraud rule requires the accountable authority of a Commonwealth entity to conduct ‘fraud risk assessments regularly and when there is a substantial change in the structure, functions or activities of the entity.’45 The fraud guidance encourages entities to conduct fraud risk assessments at least every two years.46

2.20 The fraud policy requires that:

Entities must ensure officials primarily engaged in fraud control activities possess or attain relevant qualifications or training to effectively carry out their duties.47

2.21 The fraud guidance identifies that relevant training can include a Certificate IV in Government (Fraud Control) or equivalent qualification for officials implementing fraud control, or a Diploma of Government (Fraud Control) or equivalent qualification for officials managing fraud control.48

2.22 The ANAO reviewed when fraud risk assessments had been undertaken and examined the department’s process for identifying fraud risks, including whether staff conducting these assessments are appropriately trained.

2.23 The department has regularly conducted fraud risk assessments in accordance with the fraud rule. It has completed: fraud risk assessments for internal operations that span the department49 so as to address fraud risks across the department; and ten fraud risk assessments for individual programs it has identified as ‘high risk’.50

2.24 The process to determine whether a program requires a fraud risk assessment is set out in a matrix, which requires staff to consider the risk exposure based on known information such as program payment/funding types and potential program expenditure. A fraud risk assessment is undertaken for programs identified as ‘high risk’ using this matrix.51

2.25 Consistent with the requirements set out in its risk framework, DSS uses a risk assessment eTool template to complete its fraud risk assessments. The template includes explanatory information to assist program areas completing the assessments to understand the steps required. These steps are: establish the context; identify fraud risk; assess fraud risk; evaluate fraud risk; implement control measures; re-assess fraud risk; and monitor and review.

2.26 The template identifies five categories of known fraud risk (corruption, fraudulent statements, asset misappropriation, employment and entitlements fraud, and contract/grant payment/service program misappropriation) with a standard set of preventive controls that apply. Program areas are responsible for incorporating relevant fraud risks and controls from these five categories into their fraud risk assessment, and for adding any program-specific fraud risks. Fraud control officers facilitate the process and provide the program area with subject matter expertise; however, they are not responsible for completing fraud risk assessments.

2.27 The department has three fraud control officers who assist program areas to conduct fraud risk assessments. At the commencement of this audit these officers held or were undertaking qualifications in fraud investigations and the department considered that these qualifications fulfilled the fraud guidance as they are ‘equivalent qualifications’ (see paragraph 2.21). These officers completed a Diploma of Government (Fraud Control), in line with the fraud guidance, in April 2020.

2.28 As the department has identified fraud as a ‘specialist’ risk under its risk framework (see paragraph 2.8) and has designated specific officers to facilitate the development of fraud risk assessments, it should consider documenting its expectations around fraud control officer qualifications, including what it accepts as ‘equivalent qualifications’.

Are fraud risks assessed and addressed?

Fraud risks are assessed and given a fraud risk exposure rating based on the likelihood and consequences of the risk occurring but the department has not fully addressed all fraud risks assessed as ‘high’ risk. The department determines whether risks are ‘acceptable’ or ‘unacceptable’ but does not document the rationale for deciding that certain ‘high’ risks are ‘acceptable’. Eight of the department’s 15 ‘high’ fraud risks that it had assessed as ‘unacceptable’ either did not have treatments identified to reduce the risk or those treatments were insufficient to reduce the risk exposure rating. The department has identified fraud risks that are shared with Services Australia and, in its capacity as administrator of the government’s Community Grants Hub, has drafted but not yet finalised protocols for the management of fraud risks by client services.

2.29 In order for entities to effectively respond to fraud risks it is important for the significance of the risks to be assessed and to determine whether treatments are required. The ANAO examined how the department assesses its risk exposure and identified the mechanisms the department uses to address fraud risks.

2.30 The ANAO examined the eight fraud risk assessments the department advised its audit committee were in place in November 2019. These eight assessments identified 110 fraud risks and indicated a fraud risk exposure rating for each risk on the basis of the likelihood of the risk occurring and the consequence if the risk occurred. Table 2.2 shows the department’s risk matrix used to determine the risk exposure rating for each fraud risk based on this assessment.

Table 2.2: Risk matrix of fraud risks to determine fraud risk exposure rating

 

| Likelihood of risk occurring (rows) / Consequence of risk occurring (columns) | Insignificant | Minor | Moderate | Major | Severe |
|---|---|---|---|---|---|
| | 2 | 3 | 4 | 5 | 6 |
| Almost Certain | Low | Medium | High | Extreme | Extreme |
| Likely | Low | Medium | High | High | Extreme |
| Possible | Low | Medium | Medium | High | High |
| Unlikely | Low | Low | Medium | High | High |
| Rare | Low | Low | Low | Medium | High |

             

Source: ANAO analysis of departmental documentation.

2.31 The department’s assessment process also takes into account the department’s tolerance for each of the identified fraud risks52, leading to the allocation of a fraud risk response rating of ‘acceptable’ or ‘unacceptable’. The ANAO’s review of DSS fraud risk assessments identified that all assessments included a description of the risk, current controls, control effectiveness rating, and a risk rating. They also documented whether the risk was considered ‘acceptable’ or ‘unacceptable’. The ANAO saw evidence that assessments covering fraud risks rated as ‘high’ were signed off by the appropriate senior executive as required under the department’s guidelines.

2.32 Of the 110 identified fraud risks, 29 (26.4 per cent) were rated by the department as ‘high’ (none were rated as ‘extreme’). The department’s risk management process guidelines state that risks rated as ‘high’ or ‘extreme’ (see Figure 2.1) are ‘…generally considered unacceptable and require further action via escalation to, and treatment by, the appropriate level of senior executive management’. The ANAO reviewed how risks rated as ‘high’ were addressed and documented in the fraud risk assessments. Of the 29 ‘high’ risks, 14 were considered ‘acceptable’ and 15 as ‘unacceptable’. The rationale for assessing these 14 ‘high’ risks as ‘acceptable’ was not recorded in the assessment.

2.33 The ANAO found inconsistencies in whether treatments for ‘high’ risks were documented and whether, if a treatment was documented, the residual risk rating was reduced. Overall, of the 15 ‘high’ risks recorded as ‘unacceptable’, eight were not adequately addressed through treatments — treatments for these risks were either not identified (6 risks) or the documented residual risk rating was not reduced in spite of treatment (2 risks).53

2.34 In July 2019 the department advised its audit committee that a ‘refresh of the department’s fraud risk assessments commenced in May 2019 to identify any changes to the risk profile and to determine the effectiveness of controls’. The department’s fraud control annual work program 2019–20 indicated that this bulk review of all fraud risk assessments would be completed by December 2019. The department advised the ANAO in May 2020 that of the 13 fraud risk assessments being reviewed: eight had been finalised or were awaiting sign-off; and the five remaining reviews had commenced.

2.35 In the context of its review, the department could improve the fraud risk management process by recording the following in its fraud risk assessments:

  • the rationale for any decision to consider a ‘high’ risk as ‘acceptable’;
  • the rationale for not applying a risk treatment(s) to ‘unacceptable’ risks; and
  • a final assessment of whether a risk is considered ‘acceptable’ after an additional risk treatment has been applied.

2.36 In addition to program-level fraud risk assessments, the department has program-level fraud control plans outlining the approach for preventing, detecting and responding to fraud in specific programs. This approach is intended to assist staff in program areas.54 These plans summarise fraud risks and risk ratings detailed in the fraud risk assessment, and identify key preventive and detective actions.

2.37 The department’s risk framework sets out how it contributes to managing any shared or cross jurisdictional risks, which it defines as those risks ‘which extend beyond the department and require shared oversight and management with stakeholders’. The department also has Bilateral Management Agreements with other Commonwealth entities. The ANAO’s review of program-level fraud risk assessments indicated that the department has identified shared risks with Services Australia.55

2.38 The department administers the Community Grants Hub (CGH), which provides grants administration services on behalf of other government entities.56 The CGH operational risk management plan 2019–20 and draft ‘Hub Fraud Protocols—Interagency Shared Services Obligations’ outline the accountabilities, roles and responsibilities of the CGH and client entities in relation to the management of fraud risks in the delivery of grants administration services. As the CGH administered over 44,000 funding arrangements worth over $10 billion during 2018–19, the draft Hub Fraud Protocols (which were due to be completed by December 2019) should be finalised as a matter of priority.

Does the department’s internal control environment include preventive controls and are these adequately assessed?

The department has a range of preventive controls in place and tests its controls to ensure they are operational. The department’s risk framework sets out responsibilities for risk, control and treatment owners but does not document either the control or treatment owner in the risk assessment. While the department has a process to identify improvements to existing controls, to meet the fraud guidance it should document a process for control owners to provide assurance to risk owners that the controls in place are useful, necessary and effective.

2.39 Preventive controls can help entities prevent fraud from occurring in the first place or reduce the consequences when it occurs. The fraud guidance states that:

Controls and strategies outlined in fraud control plans are ideally commensurate with assessed fraud risks. Testing controls may indicate that not all controls and strategies are necessary or that different approaches may have more effective outcomes. Controls can often be reviewed on a regular basis to make sure they remain useful.57

2.40 The ANAO examined whether DSS has documented preventive controls to manage its identified fraud risks and whether it has established mechanisms to assess and provide assurance over the control’s effectiveness. The ANAO did not test the design or operational effectiveness of individual controls.58

Preventive controls

2.41 The Australian Government’s Risk Management Policy defines an internal control as:

Any process, policy, device, practice or other actions within the internal environment of an organisation which modifies the likelihood or consequences of a risk.59

2.42 Broadly, there are two types of controls — preventive controls which are put in place to prevent fraud before it occurs, and detective controls which are put in place to identify when fraud has occurred (detective controls are discussed in chapter three).

2.43 The ANAO’s review of the department’s fraud risk assessments identified that preventive controls are included, although the department does not categorise its controls as preventive or detective. Categorising controls in the fraud risk assessments would assist the department to assess whether the suite of controls provides end-to-end coverage — to prevent, detect and deal with identified fraud risks.

Assessment of controls

2.44 The department’s risk framework identifies responsibilities for managing risk as follows:

Risk or issue owner — accountable for managing a particular risk or issue;

Control owner — responsible for maintaining the effectiveness of controls intended to modify the risk or issue; and

Treatment owner — responsible for implementing actions and strategies to treat/mitigate the risk to an acceptable level.

2.45 The department advised the ANAO that program areas are responsible for assessing controls. The ANAO viewed evidence that controls are assessed by program areas and that mechanisms exist for the regular review of controls—through internal audits, use of data analytics, compliance testing and financial reconciliations. In 2019–20 the department commenced a project to review and test controls and control methodology in the Community Grants Hub (see paragraph 2.38), and has developed a control testing plan template.60

2.46 While there is evidence that business areas have tested controls, the department has not provided a formal mechanism for use by control owners to provide assurance to risk owners on the effectiveness of controls. Further, the department’s fraud risk assessments do not always include sufficient detail to demonstrate to a risk owner that the controls in place are sufficient to manage the risk.

2.47 The department’s fraud risk assessments record a risk owner (or are signed off by the risk owner) but do not record a control or treatment owner. The staff position accountable for maintaining control effectiveness is therefore not clear.

2.48 DSS’s fraud risk assessments document controls against risks that have been grouped into categories, rather than against individual risks, and control effectiveness ratings are documented for each individual risk. This approach suggests that each full suite of controls is equally necessary and effective (or not effective) in addressing individual risks. This approach does not facilitate an assessment of whether identified controls are commensurate with the fraud risk, as detailed in the fraud guidance (paragraph 2.39).

2.49 To provide greater transparency to risk owners that controls are useful, necessary and effective, the department should identify control and treatment owners in its fraud risk assessments and document the process to be used for control owners to give assurance to risk owners on the effectiveness of controls.

Recommendation no.1

2.50 The Department of Social Services document control and treatment owners in its fraud risk assessments, and document a process to facilitate the provision of assurance to risk owners that controls are useful, necessary and effective.

Department of Social Services response: Agreed.

2.51 Fraud risk assessments form part of the department’s broader approach to risk management and provide risk owners with visibility of control and treatment owners.

2.52 To support ongoing verification and assurance of control effectiveness, the department will develop a pressure testing strategy for fraud controls informed by guidance received from the Commonwealth Fraud Prevention Centre. The pressure testing strategy will be incorporated into future Fraud Control annual work programs and will provide risk owners with greater assurance that controls are necessary and effective.

3. Detection, investigation and response

Areas examined

This chapter examines whether the department has complied with the mandatory requirements of the Commonwealth Fraud Control Framework as they relate to the detection, investigation and response to fraud and the extent to which these arrangements are consistent with the Australian Government’s fraud guidance.

Conclusion

The department has put in place controls to detect fraud, including reporting channels for use by staff and members of the public and the use of data analytics. The department’s fraud investigation procedures are consistent with the Australian Government Investigations Standards.

3.1 Section 10 of the Public Governance, Performance and Accountability Rule 2014 (the fraud rule) requires the accountable authority of a Commonwealth entity to take all reasonable measures to detect and deal with fraud.61 In order to detect and deal with fraud, entities must take active steps to find fraud when it occurs and investigate or otherwise respond to it.

3.2 The ANAO examined the department’s compliance with relevant mandatory requirements of the Commonwealth Fraud Control Framework and the extent to which arrangements are consistent with Resource Management Guide No. 201 — Preventing, detecting and dealing with fraud (the fraud guidance) to assess whether:

  • detective controls are identified; and
  • the department’s investigations procedures are consistent with the Australian Government Investigations Standards.

Are detective controls identified?

The department uses a range of detective controls to find fraud. These include processes for departmental staff and members of the public to confidentially report allegations of fraud. The main detection method for internal and external fraud investigations, finalised in 2018–19, was through staff member detection. The department also identifies fraud through other detective controls such as internal audits and data analytics. These detective controls have identified suspected fraud that has then been subject to assessment and investigation.

3.3 Detective controls are used to manage fraud risks and find fraud. Detecting fraud in an entity can highlight any vulnerabilities in existing preventive controls.

3.4 Subsection 10(d) of the fraud rule requires entities to have ‘a process for officials of the entity and other persons to report suspected fraud confidentially’.62

3.5 The fraud guidance notes that reporting suspected fraud is a common means of detection, and therefore it is important for entities to appropriately publicise fraud reporting mechanisms. Under the fraud guidance entities should encourage and support reporting of suspected fraud through proper channels, and this can include measures to protect those making such reports from adverse consequences.63

3.6 The ANAO examined the controls the department has in place to detect fraud with reference to the requirements of the Commonwealth Fraud Control Framework.

Detective controls

3.7 Suspected fraud can be reported by departmental staff and others (such as the general public) by phone, email or post.64 These reporting channels are advertised on the department’s website65 and for staff, on the intranet.

3.8 The department’s website states that if a person reports suspected fraud or misconduct, their ‘privacy and confidentiality will be respected.’66 The website also provides information on how to make an anonymous report and instructions on how to arrange a secure transmission for sensitive information.67 The department has policies and procedures for managing the confidentiality of those making reports, which include internal systems access controls to manage the information received through reporting channels.

3.9 Public Interest Disclosures are allegations made by public officials (disclosers) under the Public Interest Disclosure Act 2013 to an authorised officer because they suspect wrongdoing within the Commonwealth public sector.68 The department has procedures for handling Public Interest Disclosures, including: protection for disclosers; roles and responsibilities; details of how to make a disclosure; procedures for supervisors and managers; procedures for authorised officers; procedures for investigators; and confidentiality and record keeping.69

3.10 The department’s procedures for handling Public Interest Disclosures identify that:

  • if a disclosure relates to conduct that may need to be addressed under the department’s fraud control plan, the authorised officer may refer the matter to be dealt with in accordance with the relevant policy; and
  • if a disclosure relates to conduct that would require the department to take steps under the fraud control plan, the processes set out in the fraud control plan must be complied with in the conduct of an investigation under these procedures.

3.11 The Australian Institute of Criminology’s (AIC) annual fraud questionnaire asks entities to identify the detection method for finalised fraud investigations using categories provided by the AIC. In its response to the AIC’s 2018–19 questionnaire, the department reported ‘staff member detected’ as the most common detection method across both internal and external frauds. For the six internal fraud investigations finalised, the department reported that detection occurred through:

  • ‘staff member detected’ in four cases;
  • a ‘tip off within the entity’ in one case; and
  • ‘information technology controls’ in one case.

3.12 For the eight external fraud investigations finalised in 2018–19, detection was reported as occurring through:

  • ‘staff member detected’ in four cases;
  • ‘tip offs external to the department’ in three cases; and
  • ‘information technology controls’ in one case.

3.13 The department has in place other detective controls, consisting of: internal audits intended to identify vulnerabilities in the fraud control environment; data analytics (including operationalised machine learning models to detect fraud in high risk programs); and probity checks. The department has undertaken random sampling activities to identify records, transactions or entities that do not conform to expected patterns or that display characteristics or behaviours consistent with previous fraud events, and has reported to the Audit and Assurance Committee that results have led to the detection of suspected fraud, non-compliance and subsequent investigations.

Are the department’s investigation procedures consistent with the Australian Government Investigations Standards?

The department’s investigation procedures are consistent with the Australian Government Investigations Standards.

3.14 Once fraud is detected it is necessary to take action. Taking action shows that incidences of suspected fraud are not only identified but are responded to. Any investigation undertaken needs to be handled in a manner that will gather evidence to allow for subsequent responses, including criminal prosecution.

3.15 The Commonwealth Fraud Control Policy (the fraud policy) requires entities to have investigation processes and procedures consistent with the Australian Government Investigations Standards (AGIS) (see details in Box 1).70

Box 1: The Australian Government Investigations Standards (AGIS)

The AGIS establish the minimum standards for Australian Government agencies conducting investigations, and apply to all stages of an investigation.

AGIS defines an investigation as:

A process of seeking information relevant to an alleged, apparent or potential breach of the law, involving possible judicial proceedings. The primary purpose of an investigation is to gather admissible evidence for any subsequent action, whether under criminal, civil penalty, civil, disciplinary or administrative sanctions. Investigations can also result in prevention and/or disruptive action.

AGIS lists standards the agency must have (mandatory), as well as standards the agency should have (not mandatory).

The most recent review of the AGIS was in 2011 through a working group commissioned by the Heads of Commonwealth Operational Law Enforcement Agencies, chaired by the Australian Federal Police. The PGPA Act, and the Commonwealth Fraud Control Framework 2017 pursuant to the PGPA Act, are not referenced in the AGIS. The AGIS states that it is mandatory for all agencies required to comply with the Financial Management and Accountability Act 1997, legislation that has been replaced by the Public Governance, Performance and Accountability Act 2013 (PGPA Act).

Note: Australian Government, Australian Government Investigations Standards 2011 [Internet], Attorney-General’s Department, available from https://www.ag.gov.au/Integrity/counter-fraud/fraud-australia/Documents/AGIS%202011.pdf [accessed 12 February 2020]. Following a machinery of government change in 2017, responsibility for the AGIS transferred to the Home Affairs portfolio.

3.16 The ANAO examined whether the department’s investigation procedures for internal and external fraud met the mandatory requirements listed in the AGIS (Table 3.1).

Table 3.1: Department of Social Services investigation procedures and the AGIS mandatory requirements

AGIS requirement

  • A clear written policy in regard to its investigative function
  • A procedure governing the manner in which complaints concerning the conduct of its investigations are handled (Note a)
  • Written procedures regarding liaison with the media and the release of media statements in regard to investigations
  • Exhibit handling procedures
  • A written procedure covering the initial evaluation and actioning of each matter that has been received or identified
  • Investigation management procedures
  • Written procedures relating to finalising the investigation
  • Investigator qualifications

Note a: Complaints about the conduct of an investigation are managed through existing departmental policies and are not specifically referenced in the current investigations manual.

Source: ANAO analysis of departmental documentation.

3.17 Details of the ANAO’s assessment against the AGIS requirements are set out below — grouped as written procedures, case selection and referral, and investigation management. Departmental responses to the 2018–19 AIC fraud questionnaire are also included.71

AGIS requirements for written procedures

3.18 The department has a policy for its investigative functions that sets out the objective, activities, responsibilities and referral processes relevant to investigations, as required by the AGIS. The department also has an Investigations Manual, developed in April 2014, which is currently being updated. Procedures for liaising with the media and exhibit handling are documented in the manual. Complaints about the conduct of investigations are managed through departmental processes documented in separate policies and procedures. DSS advised the ANAO that the benefits of having a dedicated section in the manual on managing confidentiality and complaint handling have been identified and are planned for inclusion in the updated version of the manual.

Case selection and referral

3.19 The department has a case prioritisation model and assessment tool to inform its decisions about matters referred for investigation. The factors taken into account when making a decision to investigate include:

  • the nature and value of the alleged fraud;
  • the prospect of sufficient evidence for prosecution; and
  • likely costs and benefits of investigation.

3.20 In its response to the 2018–19 AIC fraud questionnaire, the department reported that five internal fraud cases and 18 external fraud cases did not meet the threshold to warrant an investigation.72

3.21 The department has a written policy which includes its responsibility to refer ‘sufficiently serious and/or complex’ matters to the Australian Federal Police (AFP) in accordance with AGIS. Such referrals may be made for either full transfer of the investigation or in pursuit of joint investigation arrangements. In its response to the 2018–19 AIC fraud questionnaire the department reported that all fraud investigations were handled internally.

Investigation management

3.22 As required by the AGIS, the department has procedures for investigating allegations of suspected fraud. These are documented in the Investigations Manual and recorded in an electronic investigation management system. These procedures start from receiving an allegation through to finalising an investigation, including preparing briefs of evidence for the Commonwealth Director of Public Prosecutions (CDPP). The department has also developed flow charts to assist officials to identify procedural steps in internal and external investigations.

3.23 The ANAO reviewed records contained within the department’s electronic investigation management system and found records of all steps undertaken in an end-to-end investigation process.73

3.24 The department reported to the AIC that it commenced a total of 12 investigations during 2018–19, related to seven suspected internal frauds and five suspected external frauds.74

3.25 The department records the outcomes of investigations. In 2018–19, around 16 per cent of internal fraud investigations and 37 per cent of external fraud investigations had allegations substantiated in full or in part (Table 3.2).

Table 3.2: Outcomes of investigations finalised in 2018–19

 

|   | Internal fraud | External fraud |
| --- | --- | --- |
| Allegation substantiated (in full or in part) | 1 | 3 |
| All allegations not substantiated | 5 | 4 |
| Allegation referred to another agency and outcome currently unknown | 0 | 1 |
| Total | 6 | 8 |

Source: ANAO analysis of departmental documentation.

3.26 For those investigations of internal fraud and external fraud finalised in 2018–19, where allegations were substantiated (in full or in part), all were referred to the CDPP.

Recovery of financial losses

3.27 The fraud policy states that:

… entities must take all reasonable measures to recover financial losses caused by illegal activity through proceeds of crime and civil recovery processes or administrative remedies.75

3.28 The 2018–19 AIC annual fraud questionnaire asked entities to estimate the recoveries over the time period, regardless of when the fraud was committed, when the losses were incurred, or when the investigation was completed. In its response to the questionnaire, the department did not quantify the estimated recovery amounts for fraud and advised the ANAO that recovery actions had not yet been completed.76

3.29 The department has debt recovery policies and procedures to provide guidance to staff when undertaking accounts receivable, debt management and recovery processes, including raising, collecting, receipting, reporting and acquitting debts owing to the department.

4. Culture, assurance and reporting

Areas examined

This chapter examines whether the department promotes a fraud aware culture and has complied with mandatory reporting requirements in the Commonwealth Fraud Control Framework.

Conclusion

The department has taken steps to promote a fraud aware culture and met the reporting requirements set out in the framework. The department’s fraud certifications in the two most recent annual reports provided a lower level of assurance to Parliament than is expected under the PGPA Rule.

Areas for improvement

The ANAO has recommended that the accountable authority’s annual report certification on fraud control provide the level of assurance expected by the PGPA Rule.

The ANAO has suggested that, following the recent introduction of mandatory fraud training, there is value in the department closely monitoring completion rates to inform its approach to achieving full compliance.

The ANAO has also suggested that the department consider providing an annual fraud control report to the responsible Minister that includes the suggested content detailed in the whole of government fraud guidance.

4.1 Under the Public Governance, Performance and Accountability Act 2013 (PGPA Act) the accountable authority must promote the proper use and management of public resources (section 15).77 The accountable authority must also establish and maintain an appropriate system of risk oversight and management for the entity, and an appropriate system of internal control for the entity, including by implementing measures directed at ensuring officials of the entity comply with the finance law (section 16).78

4.2 Preventing, detecting and dealing with fraud requires an ongoing effort. That effort will be more effective in an environment with a fraud aware culture that includes transparent reporting because staff will be alert to fraud and better able to develop dynamic responses based on evidence.

4.3 To inform the ANAO’s review of the effectiveness of DSS’s fraud control arrangements, the ANAO considered whether:

  • the department promotes and supports a fraud aware culture; and
  • the department provides assurance about entity fraud control arrangements through reporting.

Does the department promote and support a fraud aware culture?

The department has set expectations and promotes a fraud aware culture through: the Secretary’s instructions; its fraud control framework; internal events during International Fraud Awareness week; and internal messaging to staff about fraud control and outcomes from significant fraud-related prosecutions. The department’s audit and assurance committee charter allows the committee to review the department’s fraud risks, and it has done so.

Completion of online fraud awareness training has been mandatory for all staff since August 2019. As of 1 November 2019, 96.8 per cent of staff had completed the training. As this mandatory requirement has recently been introduced there is value in the department closely monitoring completion rates to inform its approach to achieving full compliance.

4.4 Resource Management Guide No. 201 — Preventing, detecting and dealing with fraud (the fraud guidance) states that:

Accountable authorities play a key role in setting the ethical tone within their entities, and fostering and maintaining a culture of fraud awareness and prevention.79

Fraud prevention involves … fostering an ethical culture that encourages all officials to play their part in protecting public resources. Establishing an ethical culture is an important factor in preventing and detecting fraud. Accountable authorities are strongly encouraged to foster this culture in their senior leadership specifically, as well as across staff more generally.80

4.5 Culture in the context of this audit is the set of shared attitudes, values and behaviours that characterise how an entity considers fraud risk in its day-to-day activities.81 Evidence of certain behaviours and practices operating in the organisation can indicate that a particular type of culture is being promoted.82

4.6 To assess whether the department promotes a fraud aware culture the ANAO examined departmental governance arrangements, departmental activities and completion rates for mandatory fraud awareness training.

Departmental governance arrangements to promote and support a fraud aware culture

4.7 The Secretary’s Instructions83 — an extract of which is in the department’s Fraud Control Framework (the fraud framework) — set expectations by requiring all officials to act in accordance with the department’s fraud control plan.84

4.8 The department’s Chief Operating Officer issued the department’s fraud control framework in June 2019.85 It is the framework for the management of fraud risk within the department. The fraud control plan, contained within the fraud control framework, states that all staff are responsible for managing the department’s exposure to fraud and details their roles and responsibilities. The fraud framework and plan are available to all staff via the intranet. The department’s tolerance levels for fraud risk are publicly available through the annual report.

4.9 The Secretary has established departmental governance arrangements intended to provide leadership and strategic direction to the department, and to facilitate the flow of information from the department to the executive. These arrangements are summarised in Figure 4.1.

Figure 4.1: Departmental governance arrangements

 

This figure illustrates the department’s governance arrangements. It shows the relationships between the departmental committees.

 

Note: The Executive Management Group oversees the department’s financial position by allocating resources, monitoring performance and risk, and ensuring regulatory requirements are met.

Source: ANAO analysis of departmental documentation.

4.10 The structure of the department’s governance arrangements supports a fraud aware culture as it allows for:

  • regular reporting on fraud and corruption control activities to executive-led governance committees; and
  • oversight and review by the audit and assurance committee.

4.11 The whole of government fraud guidance suggests that the outcome of fraud risk assessments can be provided to an entity’s audit committee for consideration.86 Entities are also encouraged to ensure appropriate monitoring and evaluation of fraud control plans.87

4.12 The audit and assurance committee’s charter allows for the review of fraud risk, and the committee has regularly discussed and engaged with fraud risk during committee meetings. The audit and assurance committee has reviewed the department’s fraud control plan.

Departmental activities to promote and support a fraud aware culture

4.13 DSS has taken steps to promote and support a fraud aware culture within the department by implementing a range of activities in accordance with the fraud rule and fraud guidance (Table 4.1).

Table 4.1: Activities undertaken to promote and support a fraud aware culture

| Commonwealth Fraud Control Framework reference | Details |
| --- | --- |
| The fraud rule requires the accountable authority to ensure that officials in the entity are made aware of what constitutes fraud. (Note a) | The Secretary has communicated with staff about fraud risk and their responsibilities to prevent and detect fraud. Outcomes from successful fraud prosecutions are announced on the intranet. |
| The fraud guidance advises that a widely distributed fraud strategy statement can assist in raising fraud awareness. (Note b) | The department’s fraud control framework (that includes its fraud control plan) is available through its intranet. The department has not developed a stand-alone fraud strategy statement but its intranet includes fraud awareness resources that contain all elements specified in the fraud guidance. |

Note a: Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, p. A1.

Note b: ibid., para. 44, p. C12.

ibid., para 43, p. C12. This paragraph states that Fraud Control Statements can include: the definition of fraud; a statement of the entity’s commitment to preventing and controlling fraud; a statement of officials’ and contractors’ responsibilities; a summary of the consequences of fraud; an assurance that allegations and investigations will be handled confidentially; directions on how allegations and incidents of fraud are to be reported and managed; and advice on where further information can be found.

Source: ANAO analysis of departmental documentation.

4.14 The department has also promoted fraud awareness by participating in International Fraud Awareness Week 201988, which included a range of internal events. The department advised the ANAO that it is planning its participation in International Fraud Awareness Week 2020, which will include a push for staff to recomplete fraud awareness training.

Completion rates for mandatory fraud awareness training

4.15 The fraud rule requires the accountable authority to ensure that officials in the entity are made aware of what constitutes fraud.89 The fraud guidance states that:

Entities are encouraged to have all officials take into account the need to prevent and detect fraud as part of their normal responsibilities. Appropriate mechanisms could include fraud awareness and integrity training in all induction programs and a rolling program of regular fraud awareness and prevention training for all officials.90

4.16 The department offers the online fraud awareness training module developed by the Attorney-General’s Department to all staff. Prior to August 2019 completion of this module was not mandatory and was not monitored. In August 2019 the Secretary set an expectation that this training be completed by all staff annually. As at November 2019, 96.8 per cent of staff had completed the training.91 As this mandatory requirement was only recently introduced, there would be benefit in the department continuing to monitor compliance rates to inform its approach to achieving full compliance.

4.17 The department offers additional online training modules relevant to fraud control that cover security (protective security, personnel security, physical security and information security), APS values and principles (employment principles, Code of Conduct expectations, and applying ethical standards), and risk management modules.

4.18 Multiple face-to-face fraud awareness training sessions for staff were offered during International Fraud Awareness Week 2019. These sessions were facilitated by the department’s Audit and Assurance Branch and each session was targeted towards a particular program (for example, the National Rental Affordability Scheme) or towards a particular area of work (for example, grant-related roles or community-related roles).

4.19 The whole of government fraud guidance states that it is beneficial for awareness-raising programs for third-party providers to take into account the work they do directly for entities and the services they deliver on behalf of the entity.92 Fraud awareness training for third-party providers is not currently offered by DSS.

Is assurance about the department’s fraud control arrangements provided through reporting?

In its 2017–18 and 2018–19 annual reports, the department provided a lesser level of assurance to the Parliament than is expected by the PGPA Rule. The Secretary’s certification in those annual reports did not meet the expectations of the PGPA Rule because it did not state that all reasonable measures had been taken to deal appropriately with fraud relating to the entity, or identify what, if any, further measures needed to be implemented. The department has complied with the mandatory reporting obligation in the Commonwealth Fraud Control Policy to provide information to the Australian Institute of Criminology annually, and has briefed its Minister twice on specific fraud risks or issues since 2016.

Annual report requirements

4.20 Accountable authorities are required, under subsection 17AG(2) of the Public Governance, Performance and Accountability Rule 2014, to include information in their annual report on compliance with section 10 of the Rule, which deals with preventing, detecting and dealing with fraud. The accountable authority is also required to certify in the annual report that:

  • fraud risk assessments and fraud control plans have been prepared for the entity;
  • appropriate mechanisms for preventing, detecting incidents of, investigating or otherwise dealing with, and recording or reporting fraud that meet the specific needs of the entity are in place for the entity; and
  • all reasonable measures have been taken to deal appropriately with fraud relating to the entity.

4.21 The ANAO’s review of DSS’s annual reports for the past three years (Table 4.2) indicates that the department has not fully satisfied the annual report expectations of the PGPA Rule. In particular, there is an expectation to certify that ‘all reasonable measures have been taken to deal appropriately with fraud relating to the entity’. The Secretary’s certification, in the 2017–18 and 2018–19 annual reports, omitted the word ‘all’, providing a lower level of assurance to the Parliament than is expected by the PGPA Rule (Table 4.2, Note a).

Table 4.2: Compliance with subsection 17AG(2) of the PGPA Rule 2014

| Requirement | 2016–17 | 2017–18 | 2018–19 |
| --- | --- | --- | --- |
| Information on compliance with section 10 (which deals with preventing, detecting and dealing with fraud) in relation to the entity during the period. |   |   |   |
| An explicit certification that: |   |   |   |
| • fraud risk assessments and fraud control plans have been prepared for the entity, and |   |   |   |
| • appropriate mechanisms for preventing, detecting incidents of, investigating or otherwise dealing with, and recording or reporting fraud that meet the specific needs of the entity are in place for the entity, and |   |   |   |
| • all reasonable measures have been taken to deal appropriately with fraud relating to the entity. (Note a) |   |   |   |

Note a: The word ‘all’ is omitted from the certification in the 2017–18 and 2018–19 annual reports.

Source: Department of Social Services, Annual Report 2016–17, DSS, 2017; Department of Social Services, Annual Report 2017–18, DSS, 2018; Department of Social Services, Annual Report 2018–19, DSS, 2019.

4.22 In addition to the annual report requirements detailed above, the department provides an overview of fraud control strategies and investigations in the annual report.

4.23 For future annual reports, the annual report certification should meet the expectations of the PGPA Rule and indicate whether all reasonable measures have been taken to deal appropriately with fraud relating to the entity, or identify what measures have not been implemented.

Recommendation no.2

4.24 The Department of Social Services accountable authority’s annual report certification prepared pursuant to subsection 17AG(2) of the PGPA Rule 2014 should certify that all reasonable measures have been taken to deal appropriately with fraud relating to the entity, or indicate what further measures need to be implemented.

Department of Social Services response: Agreed.

4.25 The wording of the annual report certification will be amended for future reports to reflect that the department is taking all reasonable measures to deal with fraud appropriately.

4.26 The department has a robust framework in place to prevent, detect and deal with fraud and is compliant with all obligations as specified in section 10 of the Public Governance, Performance and Accountability Rule 2014. The department’s governance committees and Executive are regularly briefed on fraud control activities framed against section 10 of the Public Governance, Performance and Accountability Rule 2014.

Information provided to the Australian Institute of Criminology

4.27 The fraud policy requires entities to provide information to the Australian Institute of Criminology (AIC) in the form requested, to facilitate the AIC’s annual report to the Attorney-General’s Department on fraud against the Commonwealth and fraud control arrangements.93

4.28 DSS has provided the information requested by the AIC, in the form requested, by the required due date. The department has documented the areas responsible for providing input and individuals responsible for review, clearance and sign-off of the department’s response.

Informing the Minister about the entity’s fraud control arrangements and significant issues

4.29 The fraud guidance states that:

… while there is no specific mention of reporting fraud matters to an entity’s Minister in the Fraud Rule or Fraud Policy, section 19 of the PGPA Act requires an accountable authority to keep their Minister informed about the activities of the entity and significant issues that may affect the entity.94

4.30 The department has briefed the Minister twice on specific fraud risks or issues since 2016.

4.31 The department could usefully consider providing an annual fraud control report to the responsible Minister that includes the suggested content detailed in the fraud guidance (Table 4.3).

Table 4.3: Suggested content for reporting to the responsible Minister

Suggested content

  • Fraud initiatives undertaken by the entity in the reporting period, including an evaluation of their effectiveness
  • Planned fraud initiatives not yet in place
  • Information regarding significant fraud risks for the entity
  • Significant fraud incidents which occurred during the reporting period

Source: Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, para. 94, p. C19.

Appendices

Appendix 1 Entity response

 

Response from Secretary of the Department of Social Services

 

Appendix 2 Desktop review: fraud control frameworks, estimates of fraud losses and fraudster personas

Fraud control frameworks

1. The ANAO conducted a desktop review of the fraud control frameworks for New South Wales; Victoria; Queensland; South Australia; Tasmania; the Australian Capital Territory; and the Northern Territory. International counterparts examined included the United Kingdom, New Zealand, South Africa and the United States of America.

2. The comparison of the current Commonwealth Fraud Control Framework95 with arrangements applying in other jurisdictions identified common approaches to some key aspects, including the requirement for:

  • regular fraud risk assessments;
  • a fraud control plan with an emphasis on fraud prevention;
  • clearly documented roles and responsibilities with an explicit statement that fraud prevention is the responsibility of all staff;
  • all staff to complete fraud awareness training (this is encouraged, but not a mandatory requirement for all jurisdictions);
  • clear reporting channels for reporting suspected fraud and agreed responses for dealing with detected fraud; and
  • policies and processes for detecting, investigating and responding to suspected fraud.

3. The comparison identified six key differences to the Commonwealth Fraud Control Framework (which is broadly consistent with other Australian jurisdictions):

  • Publicising antifraud efforts and successfully resolved cases to raise awareness about program integrity and antifraud efforts (USA).
  • The requirement for a fraud control policy to reflect the conditions associated with fraud, including incentives/pressure, opportunities, and attitudes, to assist employees to identify potential fraud (the ‘fraud triangle’ discussed in more detail in paragraph 10) (South Africa and NZ).
  • Distinguishing between the government’s fraud policy and other government policies such as the public servant code of conduct, noting the policies can be closely aligned, often overlap and may operate concurrently (NZ).
  • Setting clear requirements for separate documents to meet strategic and operational purposes. For example, a fraud control strategy can communicate a commitment to combatting fraud and present the entities’ strategic approach to fraud control (the ‘why’ of fraud control); separate and distinct from fraud control plans which can take a more operational view (the ‘how’ of fraud control) (South Africa, UK and USA).
  • The use of outcome based metrics summarising what the organisation is seeking to achieve and, for those organisations with ‘significant estimated’ fraud loss, metrics with a financial impact (UK).
  • Focusing on finding fraud, including through the use of data analytics (UK and USA).

Estimating fraud losses — survey responses

4. Estimates of fraud losses against the Australian Government developed by the Australian Institute of Criminology (AIC) are based on responses by Commonwealth entities to its annual online questionnaire.[96]

5. The AIC publishes an estimate of fraud losses on the basis of completed investigations where fraud could be quantified. In 2018–19 (the most up-to-date data available from the AIC reports), the AIC estimated fraud losses of $149.7m on this basis.[97]

6. The AIC notes there are a number of limitations associated with developing estimates of fraud losses on the basis of entity responses:

  • Not all entities invited to respond to the online questionnaire provided a response. In 2018–19, 156 (83 per cent) of invited entities provided a response. One of these entities however did not provide data to the AIC due to security reasons.
  • Undetected or unreported fraud is excluded, as is fraud that was detected but written off, either due to the low value of the fraud, or because resources were not allocated to undertake an investigation.
  • Incomplete survey responses; a respondent may be unable or unwilling to answer a question, or the relevant information was not collected during the investigation and therefore cannot be provided to the AIC.
  • Fraud losses include intangible costs such as reputational damage. Intangible costs are not captured in the AIC estimates of fraud losses.[98]

7. The Association of Certified Fraud Examiners (ACFE) publishes an annual Report to the Nations on the basis of survey responses by Certified Fraud Examiners (CFEs) in 125 countries.[99] The 2020 report contains an analysis of 2,504 cases of occupational fraud investigated between January 2018 and September 2019 by CFEs.[100] The survey respondents were asked what percentage of revenue they believe a typical organisation loses to fraud each year, with the median response being 5 per cent of annual revenues.

Estimating fraud losses — cost measurements

8. Since 2014 the UK Government’s Counter Fraud Centre of Expertise has been building its evidence base of public sector fraud[101] and error loss estimates for central government spending[102] by developing cost measurement estimates.[103] To develop a cost measurement estimate, the level of irregularity (fraud and error) in an area of government spending is tested. The UK Government has undertaken 53 cost measurement exercises in various categories of government expenditure, and on the basis of these estimates the fraud and error loss for government expenditure is 0.5 to 5.0 per cent.

9. The Financial Cost of Fraud report published in the UK by Crowe and the Centre for Counter Fraud Studies at the University of Portsmouth updates research first undertaken in 2009 to collate information from around the world on the financial cost of fraud and error. Analysis of 690 loss measurement exercises from 10 countries undertaken between 1997 and 2018 found that losses are usually in the range of 3 per cent to 10 per cent, with a likely average of 6.05 per cent.[104]

The fraud diamond and fraudster personas

10. The seminal ‘fraud triangle’ was developed in the 1950s on the basis of in-depth interviews with those convicted of trust violations. The fraud triangle posits that individuals are motivated to commit fraud when three elements come together: some kind of perceived pressure; some perceived opportunity; and some way to rationalise the fraud.[105]

11. The fraud triangle was expanded in 2004 to include a fourth element, the individual’s capability; those personal traits and abilities that play a major role in whether fraud may actually occur even with the presence of the other three elements from the fraud triangle (Figure A.1).[106] The personal traits and abilities identified by the research that are key for the capability to commit fraud include:

  • a position or function in the organisation that furnishes the ability to create or exploit an opportunity for fraud;
  • the person is smart enough to understand and exploit internal control weaknesses and to use position, function or authorised access to the greatest advantage;
  • the person has a strong ego and great confidence that they will not be detected, or they believe they could easily talk themselves out of trouble if caught; and
  • the person can coerce others to commit or conceal fraud.[107]

Figure A.1: The fraud diamond

This figure illustrates the four elements that increase the likelihood for fraud to occur. These elements are described in paragraphs 10 and 11.

Source: Wolfe, D., and Hermanson, D., The Fraud Diamond: Considering the Four Elements of Fraud.

12. One focus of international research concerns the key characteristics of those who commit fraud, with these characteristics identified and distilled by undertaking case study analysis.

13. The AIC’s annual report to government includes more detailed questions about the one matter that resulted in the greatest financial loss or impact to the responding entity.[108] In the 2018–19 report, 19 entities provided details about the most costly internal frauds. The AIC reported that the most costly internal fraud perpetrators were most commonly aged between 25 and 34 years, with 8 men and 7 women (not every entity which provided details about the most harmful fraud was able to provide this demographic information). Seven of the 16 internal fraud perpetrators (44 per cent) had been employed by the entity for 85 months or longer. In contrast to other international research discussed below, the AIC reported that internal fraud perpetrators were employed at more junior levels (APS1–4) rather than at the senior executive level. The principal target for internal fraud was financial gain, either through employee entitlements or internal financial fraud.

14. The KPMG 2016 report Global profiles of the fraudster is based on analysis of 750 fraudsters with data collected from KPMG forensic professionals in response to a questionnaire about the fraudsters they investigated between March 2013 and August 2015. KPMG reported:

  • a perpetrator of fraud tends to be male between the ages of 36 and 55, working with the organisation for more than six years and holds an executive position;
  • 44 per cent of perpetrators had unlimited authority in their company and were able to override controls; and
  • in 62 per cent of frauds, the perpetrator colluded with others.[109]

15. The Association of Certified Fraud Examiners (ACFE) 2020 Report to the Nations found, on the basis of 2,504 cases of occupational fraud investigated between January 2018 and September 2019, that the ‘typical fraudster’ is more likely to be:

  • in the 36 to 45 year age group, but those aged over 60 cause the largest median losses;
  • male, with males causing much larger median losses than females;
  • employed within the organisation for between one and five years;
  • working in the accounting and operations areas of the organisation; and
  • a low-level employee. However, if they are in an executive position, they will cause a median loss that far exceeds the losses caused by managers and staff-level employees.[110]

16. PwC’s 2020 Global Economic Crime and Fraud Survey report compiled over 5,000 survey responses from organisations about who has perpetrated fraud against them. The report highlights that:

  • third party providers committed 19 per cent of fraud, with only half of organisations surveyed having a third-party risk program in place; and
  • senior management committed 26 per cent of fraud, in part because of their ability to override internal controls.[111]

17. In 2018, PwC drew out key findings for Australia from the 158 Australian respondents to the 2018 global survey in the PwC 2018 Global Economic Crime and Fraud Survey: Australian Report. The report shows that ‘frenemies’, or those close to the organisation, committed 60 per cent of economic crime in Australia. ‘Frenemies’ are defined as employees, customers, suppliers, consultants and agents.[112]

18. The Attorney-General’s Department Commonwealth Fraud Prevention Centre has used recent case studies of those found guilty of fraudulent acts to develop a series of eight fraudster personas on the basis of the methods they commonly employ to commit fraud. The aim is to assist Commonwealth entities to:

  • evaluate exposure to the methods of these types of fraudsters; and
  • assess current capability in countering these types of fraudsters.[113]

Appendix 3 Department of Social Services: Roles and responsibilities for fraud control

Role: The Secretary

Responsibilities: Under section 10 of the Public Governance, Performance and Accountability Rule 2014, the Secretary as the Accountable Authority must take all reasonable measures to prevent, detect and deal with fraud relating to the department.

Role: All Employees

Responsibilities: All staff have a number of obligations to support the department to prevent fraud and must:

  1. report any incident of suspected or potential fraud or corruption immediately. All suspected fraudulent or corrupt activity will be assessed and, where appropriate, investigated;
  2. provide assistance during the course of suspected fraud or corruption investigations unless issues of self-incrimination arise;
  3. adhere to the APS Values and Code of Conduct;
  4. be aware of the department’s Fraud Control, Enterprise Compliance, Enterprise Risk and Protective Security Policy Frameworks and understand how they apply to their work; and
  5. foster an environment that promotes the highest standards of ethical behaviour.

Role: Chief Risk Officer

Responsibilities: The Chief Risk Officer is responsible for supporting the Secretary and the Executive Management Group to drive a positive risk culture across the department, and building the capability of our staff to manage risk effectively and efficiently.

Role: Managers

Responsibilities: All managers must educate their staff and raise awareness of fraud, compliance, risk security and the APS Values and Code of Conduct.

Role: Fraud Control Officers

Responsibilities: Fraud Control Officers must:

  1. investigate and manage all reported cases of fraud or corruption;
  2. undertake all fraud control activities with integrity and impartiality; and
  3. ensure effective operational controls and procedures are in place for the prevention and detection of fraud and corruption.

Role: Assurance and Performance Branch

Responsibilities: Operational responsibility for fraud governance issues, including fraud prevention, detection, investigations, monitoring and evaluation lies with the Assurance and Performance Branch. This includes responsibility for developing, implementing and maintaining the department’s Fraud Control Framework.

Role: People Services Branch

Responsibilities: People Services Branch has responsibility for investigating suspected breaches of the APS Code of Conduct and may refer matters to the Director, Investigations, Assurance and Performance Branch, where appropriate.

Role: Agency Security Advisor

Responsibilities: The Agency Security Advisor is responsible for the day-to-day management of protective security measures within the department. The Agency Security Advisor leads activities for the promotion of a security-aware culture and encourages staff to value, protect and use agency information and assets correctly, contributing to the effectiveness of the department’s fraud control strategies.

Role: IT Security Advisor

Responsibilities: The IT Security Advisor is responsible for developing the department’s Information and Communications Technology security plans, policies and procedures, ensuring that the department’s systems are protected against unauthorised access.

Role: Policy and Program Areas

Responsibilities: All policy, program and system design areas are responsible for the continued development of programs and systems that consider fraud risks in their design and construction, and for ensuring control mechanisms remain relevant.

Role: Community Grants Hub

Responsibilities: The Community Grants Hub (the Hub) is responsible for working with the department and other client agencies to prevent and detect fraud in the grants administration process. The Hub administers community-based grants on behalf of Australian Government departments, agencies and organisations.

While the department administers the grants, fraud responsibilities including prevention, detection and investigating fraud against client agency programs remain with the client agency. The Hub works with client agencies to ensure they are aware of their responsibilities.

Appendix 4 Commonwealth Fraud Control Framework procedural requirements for investigations mapped to the Australian Government Investigations Standards

The Commonwealth Fraud Control Policy (fraud policy)[114] details procedural requirements for investigations. The ANAO has mapped these requirements to the Australian Government Investigations Standards (AGIS) for the purpose of ensuring that by undertaking an assessment of whether a department’s investigation procedures are consistent with the AGIS, all procedural requirements for investigations detailed in the fraud policy have also been assessed.

Fraud policy procedural requirement: Entities must maintain appropriately documented procedures setting out criteria for making decisions at critical stages in managing a suspected fraud incident.

AGIS (note a): 3.1 Investigation management. Agencies must employ investigation management procedures which are based on project management principles of managing resources, processes, work to be undertaken, time and outcomes […] Agencies are to incorporate the following concepts into investigation management procedures:

  • 3.2 Investigation commencement.
  • 3.3 Planning phase.
  • 3.4 Risk management.
  • 3.5 Implementation phase.
  • 3.6 Investigation closure.

Fraud policy procedural requirement: Entities must have in place investigation and referral processes and procedures that are consistent with the AGIS.

AGIS (note a):

  • 2.1 Receiving and recording alleged, apparent or potential breaches.
  • 2.2 Evaluation of referrals or conduct identified as allegedly, apparently or potentially breaching the law.
  • 2.4 Referral of matters to the AFP.
  • 2.5 Referral to Australian Commission for Law Enforcement Integrity (ACLEI).
  • 3.1 to 3.6 Investigation management.

Fraud policy procedural requirement: Entities must appropriately document decisions to use civil, administrative or disciplinary procedures, or to take no further action in response to a suspected fraud incident.

AGIS (note a): 3.6.2 Finalising investigation. Agencies are to have written procedures relating to finalising the investigation following legal proceedings, disruption or prevention actions or decision to take no further action.

Fraud policy procedural requirement: An entity is responsible for investigating instances of fraud or suspected fraud against it, including investigating disciplinary matters, unless the matter is referred to and accepted by the Australian Federal Police (AFP) or another law enforcement agency.

AGIS (note a):

  • 2.2 Evaluation of referrals or conduct identified as allegedly, apparently or potentially breaching the law.
  • 2.4 Referral of matters to the AFP.
  • 2.5 Referral to Australian Commission for Law Enforcement Integrity (ACLEI).

Fraud policy procedural requirement: Where a law enforcement agency declines a referral, entities must resolve the matter in accordance with relevant internal and external requirements.

AGIS (note a): 2.3 Accepting matters for investigation.

Fraud policy procedural requirement: The AFP has the primary law enforcement responsibility for investigating serious or complex fraud against the Commonwealth. Entities must refer all instances of potential serious or complex fraud offences to the AFP in accordance with the AGIS and AFP referral process, except in the following circumstances:

a) where entities:

  1. have the capacity and the appropriate skills and resources needed to investigate potential criminal matters; and
  2. meet requirements of the AGIS for gathering evidence and the Commonwealth Director of Public Prosecutions in preparing briefs of evidence, or

b) where legislation sets out specific alternative arrangements.

AGIS (note a):

  • 2.3 Accepting matters for investigation.
  • 2.4 Referral of matters to the AFP.

Fraud policy procedural requirement: Fraud investigations must be carried out by appropriately qualified personnel as set out in the AGIS. If external investigators are engaged, they must as a minimum meet the required investigations competency requirements set out in the AGIS.

AGIS (note a): 1.5 Investigator qualifications.

Fraud policy procedural requirement: Entities must take all reasonable measures to recover financial losses caused by illegal activity through proceeds of crime and civil recovery processes or administrative remedies.

AGIS (note a): Not covered by the AGIS. Assessed separately by the ANAO.

Fraud policy procedural requirement: Where an investigation discloses potential criminal activity involving another entity’s activities or programs, the investigating entity must report the matter to that entity to the extent possible subject to relevant requirements of any Australian law.

AGIS (note a): 1.7 Information sharing.

Note a: Extracts of the relevant wording from the AGIS are provided.

Source: Commonwealth Fraud Control Framework and the Australian Government Investigations Standards.

Footnotes

1 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, para. viii, p. B1.

2 ibid., para. 16, p. C7.

3 ibid., paras 18–19, p. C7.

4 ibid., para. 21, p. C7.

5 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017.

6 Entity types are discussed in footnote 19.

7 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, p. IV.

8 As discussed in paragraph 1.12, the ANAO assesses the effectiveness of entity internal controls as they relate to the risk of misstatement in the financial statements on an annual basis.

9 Department of Health, Australian Health Sector Emergency Response Plan for Novel Coronavirus (COVID-19) [Internet], Department of Health, available from https://www.health.gov.au/resources/publications/australian-health-sector-emergency-response-plan-for-novel-coronavirus-covid-19 [accessed 6 April 2020].

10 Department of the Prime Minister and Cabinet, Senate Select Committee on COVID-19 Whole-of-Government submission, Attachment 1 [Internet], PMC, available from https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/COVID-19/COVID19/Submissions [accessed 3 June 2020].

11 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, para. viii, p. B1.

12 ibid., para. 16, p. C7.

13 ibid., para. 15, p. C7.

14 ibid., paras 18–19, p. C7.

15 ibid., para. 21, p. C7.

16 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017.

17 Under subsection 12(2) of the PGPA Act, the accountable authority for the Department of Social Services is the Secretary of the Department.

18 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, p. III.

19 A non-corporate Commonwealth entity, such as a department of state, is not a body corporate. A corporate Commonwealth entity is a body corporate which may, among other things, enter into contracts and acquire property in its own name.

20 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, p. IV.

21 Australian Government, Budget Paper No. 2 Budget Measures 2019–20 [Internet], 2019, available from https://budget.gov.au/2019-20/content/bp2/index.htm [accessed 13 November 2019].

22 Attorney-General’s Department, About fraud in Australia [Internet], AGD, available from https://www.ag.gov.au/Integrity/counter-fraud/fraud-australia/Pages/about-fraud-australia.aspx [accessed 24 February 2020].

23 In accordance with the Commonwealth Fraud Control Policy, all non-corporate Commonwealth entities are required to collect information on fraud and complete an online questionnaire by 30 September each year. Corporate Commonwealth entities are not formally required to complete the questionnaire, however the Australian Government considers that collection of fraud information by these entities is best practice and expects they will complete the questionnaire by the due date. In 2019, 156 entities participated out of the 188 entities invited to participate, an 83 per cent participation rate.

24 C Teunissen, R Smith and P Jorna, Commonwealth Fraud Investigations 2017–18 and 2018–19, Statistical Report No.25, Australian Institute of Criminology, Canberra, 2020.

25 Respondents were asked to provide their best estimate of the total amount that perpetrators were found to have dishonestly obtained from the Commonwealth, according to the findings of the finalised investigations. Note that not all respondents could quantify loss amounts for investigations.

26 Auditor-General Report No.46 2018–19, Interim Report on Key Financial Controls of Major Entities, para. 3.

27 See paragraphs 1.16–1.17 of this performance audit report.

28 Auditor-General Report No.46 2018–19, Interim Report on Key Financial Controls of Major Entities, para. 6 and para. 1.21.

29 The objective of the audit was to examine the effectiveness of the NDIA’s fraud control program and its compliance with the Commonwealth Fraud Rule.

30 Auditor-General Report No.50 2018–19 National Disability Insurance Scheme Fraud Control Program.

31 ibid., p. 13.

32 The selected entities were Comcare, the Australian Trade Commission and the Department of Veterans’ Affairs.

33 Auditor-General Report No.3 2014–15 Fraud Control Arrangements Across Entities. Fraud control was also reviewed in Auditor-General Report No.42 2009–10 Fraud Control in Australian Government Agencies.

34 AGD and the AIC entered into a memorandum of understanding in May 2017 that sets out the ‘agreed role, responsibilities and timeframes for the preparation and annual submission’ of the AIC’s annual fraud report.

35 Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, para. 14(a), p. B3.

36 As discussed in paragraph 1.12, the ANAO assesses the effectiveness of entity internal controls as they relate to the risk of misstatement in the financial statements on an annual basis.

37 Department of Health, Australian Health Sector Emergency Response Plan for Novel Coronavirus (COVID-19) [Internet], Department of Health, available from https://www.health.gov.au/resources/publications/australian-health-sector-emergency-response-plan-for-novel-coronavirus-covid-19 [accessed 6 April 2020].

38 Department of the Prime Minister and Cabinet, Senate Select Committee on COVID-19 Whole-of-Government submission, Attachment 1 [Internet], PMC, available from https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/COVID-19/COVID19/Submissions [accessed 3 June 2020].

39 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, p. A1.

40 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, para. v, p. B1.

41 ibid., para. 31, p. C10.

42 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, p. A1.

43 ibid., para. 38, p. C11.

44 Approval by the accountable authority of key policies and frameworks, such as the entity’s fraud control framework, can assist the accountable authority to gain assurance that they are effectively discharging their duties by setting the framework for compliance with relevant legislation and government policy. Approving such frameworks also enables the accountable authority to influence behaviours and can be an important mechanism in communicating the desired culture within the entity.

45 Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, p. A1.

46 ibid., para. 28, p. C9.

47 ibid., para. 2, p. B2.

48 ibid., paras. 55–58, p. C14.

49 Internal operations include financial management and procurement, people services and other corporate functions.

50 Program level fraud risk assessments may cover one or more programs. For example, fraud risks related to the department’s nine financial counselling/resilience programs are covered in a single fraud risk assessment.

51 The department advised the ANAO that programs not identified as ‘high risk’ have their fraud risks assessed and managed through its standard risk assessments.

52 The department’s tolerance for fraud risk is specified in the fraud risk assessment template.

53 In addition, ten of the ‘acceptable’ high fraud risks had treatments identified and for two of these risks the residual risk rating was reduced.

54 The department has produced three program-specific fraud control plans intended to complement program-level fraud risk assessments.

55 For programs like the National Redress Scheme, the Department of Social Services is responsible for policy and Services Australia is responsible for service delivery.

56 An internal audit conducted on fraud controls in grants administration in 2018–19 concluded that the grants hub ‘has established and implemented fraud risk management processes and internal controls documented within the PDM [program delivery model] underpinned by relevant fit for purpose frameworks. [The audit] noted [that] the PDM clearly articulated controls for risk mitigation throughout the five phases of Design, Select, Establish, Manage and Evaluate, and that there was good coverage of fraud controls during the Manage phase pertaining specifically to the provision of Financial Assurance’.

57 Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, para. 39, p. C11.

58 See paragraph 1.12.

59 Department of Finance, Commonwealth Risk Management Policy, DOF, 2014, p. 1.

60 The department further advised the ANAO that it intends to document reviews of controls as planned activities in its fraud control annual work programs going forward.

61 Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, p. A1.

62 ibid.

63 ibid., paras. 62–63, p. C15.

64 These channels consist of a public fraud hotline number, a fraud email inbox, and a postal address for the Branch Manager of the Audit and Assurance Branch.

65 Department of Social Services, Reporting Suspected Fraud [Internet], DSS, available from https://www.dss.gov.au/contact/reporting-suspected-fraud [accessed 17 February 2020].

66 Department of Social Services, Reporting Suspected Fraud [Internet], DSS, available from https://www.dss.gov.au/contact/reporting-suspected-fraud [accessed 17 February 2020].

67 Department of Social Services, Reporting Suspected Fraud [Internet], DSS, available from https://www.dss.gov.au/contact/reporting-suspected-fraud [accessed 17 February 2020].

68 Commonwealth Ombudsman, Public Interest Disclosure [Internet], Commonwealth Ombudsman, available from https://www.ombudsman.gov.au/Our-responsibilities/making-a-disclosure [accessed 13 February 2020].

69 Department of Social Services, Public Interest Disclosure Procedures [Internet], DSS, available from https://www.dss.gov.au/sites/default/files/documents/08_2019/public-interest-disclosure-procedure-signed-version.pdf [accessed 17 February 2020].

70 The fraud policy procedural requirements for investigations encapsulates the standards set out in the AGIS, and also includes the requirement for entities to take all reasonable measures to recover financial losses caused by illegal activity through proceeds of crime and civil recovery processes or administrative remedies (para. 10). Therefore this audit examined whether the department’s investigation procedures were consistent with the AGIS, and whether entities have a process to recover financial losses.

Appendix 4 of this audit report maps the AGIS requirements to the requirements set out in the fraud policy.

71 Entities are required to report to the AIC annually as described in footnote 23.

72 The data presented in paragraphs 3.24–3.28 and in Table 3.2 of this audit report was sourced from the department’s questionnaire response.

73 Including receipt of an allegation; initial evaluation and actioning/referral; investigation management; and case finalisation.

74 The number of investigations commenced in a financial year will not necessarily equal the total of the number of investigations finalised in that financial year, as a case can commence in one financial year and be finalised in a subsequent financial year.

75 Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, para. 10, p. B2.

76 The AIC’s guidance to support completion of the fraud questionnaire advises entities to enter ‘NQ’ if recoveries were ‘unable to be quantified, or recovery action has not been completed’. In its response to the 2018–19 questionnaire, DSS reported ‘NQ’.

77 In respect to proper use, section 8 of the PGPA Act provides that: ‘proper, when used in relation to the use or management of public resources, means efficient, effective, economical and ethical’.

78 Public Governance, Performance and Accountability Act 2013 [Internet], available from https://www.legislation.gov.au/Details/C2017C00269 [accessed 23 March 2020].

79 Attorney-General’s Department, Preventing, detecting and dealing with fraud, Resource Management Guide No. 201, AGD, 2017, para. 24, p. C9.

80 ibid., para. 43, p. C12.

81 These are the hallmarks of a positive risk culture articulated in the Commonwealth Risk Management Policy. Department of Finance, Commonwealth Risk Management Policy, 2014, paragraph 17, available from https://www.finance.gov.au/comcover/risk-management [accessed 19 February 2020].

82 The ANAO has previously conducted performance audits that have examined an aspect of the entity’s culture. See: Auditor-General Report No.6 2017–18 The Management of Risk by Public Sector Entities; Auditor-General Report No.53 2017–18 Cyber Resilience; Audit Insights May 2019 Board Governance; and Auditor-General Report No.1 2019–20 Cyber resilience of Government Business Enterprises and Corporate Commonwealth Entities.

83 The Secretary’s Instructions are issued under section 20 of the Public Governance, Performance and Accountability Act 2013.

84 Section 10 of the Public Governance, Performance and Accountability Rule 2014 (the fraud rule) states that the accountable authority of a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity. The accountable authority for the Department of Social Services is the Secretary, and the term ‘Secretary’ is used throughout this chapter. Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, p. A1.

85 The benefits of the accountable authority approving key policies and frameworks, such as the entity’s fraud control framework, are discussed in footnote 44 of this audit report.

86 Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, para. 29, p. C10.

87 ibid., para. 87, p. C19.

88 International Fraud Awareness Week is an initiative of the Association of Certified Fraud Examiners and is held in November each year.

89 Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, p. A1.

90 ibid., para. 46, p. C13.

91 As at 4 December 2019, 89.9 per cent of staff had completed the training. The 96.8 per cent figure results from excluding casual staff and staff on long service leave.

92 Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, para. 50, p. C13.

93 Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, para. 14(a), p. B3. Following a machinery of government change in 2017, the AIC is now within the Home Affairs portfolio. The Commonwealth Fraud Control Framework has not yet been updated to reflect this change.

94 ibid., para. 94, p. C19.

95 ibid., AGD, 2017.

96 In accordance with the Commonwealth Fraud Control Policy, all non-corporate Commonwealth entities are required to collect information on fraud and complete an online questionnaire by 30 September each year. Corporate Commonwealth entities are encouraged, but not required, to do so.

97 C Teunissen, R Smith and P Jorna, Commonwealth Fraud Investigations 2017–18 and 2018–19, Statistical Report No.25, Australian Institute of Criminology, Canberra, 2020.

98 ibid.

99 Association of Certified Fraud Examiners, Report to the Nations 2020 Global Study on Occupational Fraud and Abuse [Internet], ACFE, 2020, available from https://www.acfe.com/report-to-the-nations/2020/ [accessed 3 June 2020].

100 Occupational fraud is defined as the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organisation’s resources or assets.

101 The UK government departments report fraud against a civil test definition of fraud. They consider on the balance of probabilities whether or not an action or inaction was likely to have been taken with the intention of defrauding the taxpayer. Cases do not need to be proved to a criminal standard to be reported as fraud.

102 Outside of the tax and welfare system.

103 UK Cabinet Office, Cross-Government Fraud Landscape Annual Report 2019, UK Cabinet Office, 2020.

104 The exercises that were included: had a statistically valid sample; sought or examined information indicating the presence of fraud, error or correctness in each case within that sample; had been completed and reported; were externally validated; had a measurable level of statistical confidence; and had a measurable level of accuracy.

105 Association of Certified Fraud Examiners, Iconic Fraud Triangle endures [Internet], ACFE, 2014, available from https://www.fraud-magazine.com/article.aspx?id=4294983342 [accessed 11 March 2020].

106 Wolfe, D., and Hermanson, D., The Fraud Diamond: Considering the Four Elements of Fraud [Internet], Kennesaw State University, 2004, available from https://digitalcommons.kennesaw.edu/cgi/viewcontent.cgi?article=2546&context=facpubs [accessed 11 March 2020].

107 ibid.

108 The fraud matter was for a completed investigation in which the allegation was substantiated, either in full or in part, and the investigation was finalised in 2018–19, regardless of when the fraud was committed or when the investigation commenced.

109 KPMG, Global profiles of the fraudster [Internet], KPMG, 2016, available from https://assets.kpmg/content/dam/kpmg/pdf/2016/06/profiles-of-the-fraudster-au.pdf [accessed 11 March 2020].

110 Association of Certified Fraud Examiners, Report to the Nations 2020 Global Study on Occupational Fraud and Abuse [Internet], ACFE, 2020, available from https://www.acfe.com/report-to-the-nations/2020/ [accessed 3 June 2020].

111 PwC, 2020 Global Economic Crime and Fraud Survey [Internet], PwC, 2020, available from https://www.pwc.com/gx/en/services/advisory/forensics/economic-crime-survey.html [accessed 16 March 2020].

112 PwC, Global and Economic Crime and Fraud Survey: Australian Report [Internet], PwC, 2018, available from https://www.pwc.com.au/consulting/assets/gecs-report18.pdf [accessed 16 March 2020].

113 Attorney-General’s Department, Fraudster personas [Internet], AGD, available from https://www.ag.gov.au/Integrity/counter-fraud/fraudster-personas/Pages/default.aspx [accessed 11 March 2020].

114 The fraud policy is binding for all non-corporate Commonwealth entities.