The ANAO audit program includes topics that examine the implementation of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule).

The Commonwealth Fraud Control Framework 2017 (the Framework) outlines the Australian Government’s requirements for fraud control.

The Framework consists of three tiered documents:

• the Fraud Rule — section 10 of the Public Governance, Performance and Accountability Rule 2014 is a legislative instrument binding all Commonwealth entities setting out the key requirements of fraud control;
• the Commonwealth Fraud Control Policy — a government policy binding non-corporate Commonwealth entities and setting out procedural requirements for specific areas of fraud control such as investigations and reporting; and
• the Fraud Guidance—Resource Management Guide No. 201 — Preventing, detecting and dealing with fraud (August 2017) is a better practice document setting out the Australian Government’s expectations in detail for fraud control arrangements within all Commonwealth entities.

The Framework provides for Commonwealth entities to manage their fraud risks in a way which best suits the individual circumstances of the entity, in the context of a requirement that the accountable authority of a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity.

The Attorney-General’s Department is responsible for administering the Framework. 

The Auditor-General presented a series of performance audit reports in June 2020 that assessed the effectiveness of fraud control arrangements in three Australian Government departments. The audits focussed on compliance with mandatory Framework requirements, the consistency of entity arrangements with the government’s better practice, and promotion of a fraud aware culture within the entities:

• Auditor-General Report No. 42 of 2019–20 Fraud Control Arrangements in the Department of Foreign Affairs and Trade — published on 19 June 2020.
• Auditor-General Report No. 43 of 2019–20 Fraud Control Arrangements in the Department of Home Affairs — published on 22 June 2020.
• Auditor-General Report No. 44 of 2019–20 Fraud Control Arrangements in the Department of Social Services — published on 23 June 2020.

This edition of audit insights outlines a number of the key messages from this series of audits that may assist other Commonwealth entities in their implementation of the Framework.

Audit observations

This series of reports concluded that fraud control arrangements in the Department of Home Affairs (Home Affairs) were effective, and arrangements in the Department of Social Services (DSS) and the Department of Foreign Affairs and Trade (DFAT) were largely effective. The relatively small number of recommendations, directed to DSS and DFAT, indicates a high level of compliance with the key requirements of the Framework.

In particular, the reports concluded that each of the audited entities met the mandatory requirements of the Framework, namely to:

• conduct fraud risk assessments regularly and when there is a substantial change;
• develop and implement a fraud control plan;
• have appropriate mechanisms to prevent, detect and investigate fraud;
• have appropriate mechanisms for recording and reporting incidents of fraud or suspected fraud; and
• meet procedural requirements set out in the fraud policy.

The reports further concluded that fraud control arrangements in Home Affairs were consistent with the whole of government better practice fraud guidance and internal requirements, and largely consistent in DSS and DFAT. In each of the audited entities, the accountable authority has taken steps to promote a fraud aware culture.

Each of the three tiers of the Framework has a different emphasis. The fraud rule is the minimum standard for managing the risk of fraud; the fraud policy sets out procedural requirements for specific areas of fraud control, concentrated towards procedural requirements for fraud investigations; and the fraud guidance is a better practice document that aims to assist accountable authorities to meet their obligations under the PGPA Act, fraud rule and fraud policy.

These audit insights are presented in nine focus areas — eight areas drawn from the fraud guidance, with the ninth area relating to culture. Audit examples are provided to demonstrate how the audited department(s) addressed these elements, including how the department(s) tailored fraud control arrangements to the individual circumstances of the entity.

The focus areas are:

1. Risk assessment — Review fraud risks and conduct assessments regularly
2. Planning — Plan both strategically and operationally
3. Prevention, awareness and training —Build fraud awareness and expertise
4. Third party arrangements — Oversee third party arrangements
5. Detection — Look for fraud
6. Investigation — Establish comprehensive procedures to support investigations
7. Quality assurance and review — Develop the capacity to measure and evaluate performance
8. Reporting — Ensure key personnel obtain the information and assurance they require
9. Culture — Promote a fraud aware culture

1. Review fraud risks and conduct assessments regularly

Fraud risk assessments are an important first step in fraud control, as they allow the entity to understand how vulnerable it is to fraud and what business areas or programs are most susceptible. Thinking about how fraud could be committed against the entity can help build understanding of any vulnerable entry points, and how fraud can be prevented from occurring. The entity can then focus effort on areas at greatest risk.

Entities with a number of business processes and programs that are at risk of fraud, and which plan for a rolling program of fraud risk assessments, will be best placed to respond in a timely way to the dynamic nature of fraud and fraud risks. A clearly documented decision making tool or matrix that assesses the likely occurrence of fraud and its impact can help entities determine the order and priority for conducting fraud risk assessments.

2. Plan both strategically and operationally

Plans need to be strategic to communicate a commitment to combatting fraud and to provide enterprise-level information on the entity's approach to fraud control. Plans also need to have an operational focus to address the risks identified in fraud risk assessments and to assist staff to identify and manage fraud risk in their day-to-day work.

Operationalising a strategic fraud control plan can be achieved via an annual work plan detailing the entity's fraud control priorities and milestones to demonstrate how identified fraud risks will be addressed and by when. Regardless of how an entity decides to structure its fraud control documentation, it is essential to ensure there is clarity regarding who in the entity has responsibility for each fraud risk along with the controls and treatments adopted to reduce the fraud risk.

In addition to clearly setting out fraud control plan priorities to address identified fraud risks, entities need to maintain up-to-date documentation of progress in mitigating risk. Tracking progress towards reducing the entity's exposure to fraud risks provides transparency to the accountable authority and management. It also allows for a clear understanding of the current status of fraud risk exposure facing the entity. The entity should have a mechanism for the control owner to advise the fraud risk owner of the results of any assessment and/or testing of control effectiveness, to inform the fraud risk owner's management of the fraud risk.

3. Build fraud awareness and expertise

Good fraud prevention requires all staff to be aware of what constitutes fraud and the need to prevent and detect fraud as part of their normal responsibilities, as well as skilled fraud control officials who can provide specialist advice and expertise.

Where an entity has invested in providing training and mandated that such training is compulsory for all staff, the executive should provide a clear message of the importance of all staff complying. To fully realise the objectives of compulsory training there should also be a mechanism in place to monitor compliance and quickly address non-compliance.

Internationally, there is a move towards further professionalisation and skill building for officials tasked with fraud control responsibilities. Staff responsible for fraud control activities, including developing fraud risk assessments and preparing fraud control plans, should be supported to attend training. In cases where timely external training may not be available, entities should explore opportunities to meet the training needs of fraud control officers through other means, such as sharing knowledge and experience across entities. The Commonwealth Fraud Prevention Centre in the Attorney-General's Department could be consulted as part of its priority to establish a counter fraud profession. The Framework provides some flexibility for entities to determine the most appropriate qualifications for staff, and entities should document their expectations for fraud control officer qualifications.

4. Oversee third party arrangements

A Commonwealth entity retains its fraud control responsibilities when entering into an arrangement for services to be delivered by a third party. Before engaging a third party provider, the entity should ensure sufficient due diligence is undertaken regarding the provider's capability to prevent, detect and respond to fraud. The Commonwealth entity should maintain oversight of fraud control arrangements, monitor these for the duration of the arrangement and report regularly to its management and senior executive as necessary.

5. Look for fraud

The most common method of detecting fraud for the entities selected for this audit series was via a staff member or member of the public providing information to the entity about suspected fraud. This aligns with international experience. Internationally, there is a shift towards other fraud detection methods, with data analytics emerging as the most common fraud detection method. Data analytics can assist an entity to identify patterns, anomalies and exceptions that could indicate fraud.

6. Establish comprehensive procedures to support investigations

The Australian Government Investigations Standards 2011 require departments to have in place policies and procedures for the various stages of an investigation into suspected fraud. Having clear documented procedures can assist entities to apply a consistent approach and gather the necessary information to support successful investigation outcomes.

7. Develop the capacity to measure and evaluate performance

All entities are expected to review their fraud control arrangements and provide quality assurance over their fraud investigations. Establishing metrics to evaluate performance will assist entities to assess whether the actions they are taking are improving fraud prevention, detection and responses.

8. Ensure key personnel obtain the information and assurance they require

The fraud guidance advises that while reporting to an entity's minister is not mandatory under the fraud rule or fraud policy, section 19 of the PGPA Act establishes a duty that the accountable authority keep the minister informed of the activities of the entity. An annual report to the minister is a means of doing so in respect to fraud control. Such a report could address the suggested content in the fraud guidance: the entity's fraud control arrangements currently in place; planned future initiatives; any significant fraud risks identified by the entity as a result of conducting fraud risk assessments; and information about the significant fraud incidents that occurred during the reporting period, including recovery processes to recover funds lost due to fraud.

The entity's audit committee has a key role in reviewing the appropriateness of the entity's system of risk oversight and management. By regularly discussing and engaging with fraud risk in its work, the audit committee is able to provide independent advice and assurance to the accountable authority on the appropriateness of fraud control arrangements and suggest areas for improvement. Regular reports from the entity to the audit committee facilitate informed review by the committee.

9. Promote a fraud aware culture

The fraud guidance advises that accountable authorities play a key role in setting the ethical tone within their entities, and fostering and maintaining a culture of fraud awareness and prevention. Accountable authorities are strongly encouraged to foster this culture in their senior leadership specifically, as well as across their staff more generally.

Governance arrangements can also be structured to support a fraud aware culture, and an entity's audit committee can provide independent advice and assurance to the accountable authority on fraud control arrangements — specifically the appropriateness of the entity's system of risk oversight and management and system of internal control.

For further insights from the ANAO’s multiyear audit program relating to implementation of the PGPA Act and the PGPA Rule, see:

• Commonwealth Resource Management Framework and the Clear Read Principle, November 2019.
• Audit insights — board governance, May 2019.
• Corporate planning and performance statements under the PGPA Act, August 2018.
• Corporate planning, performance statements and risk management under the PGPA Act, November 2017.