ANAO Fraud and Corruption Strategy 2024–26
The Australian National Audit Office (ANAO) has zero tolerance for fraud and corruption. This means the ANAO will take all reasonable steps necessary to prevent, detect and respond to fraud and corruption. This strategy defines the ANAO’s principles of effective fraud and corruption control, key roles and responsibilities and how the ANAO expects to mitigate and manage risks. The strategy informs staff how they can report fraud and corruption.
Introduction
1. The Commonwealth Fraud and Corruption Control Framework 2024 supports government entities to effectively manage the risks of fraud and corruption. The Framework consists of the Public Governance, Performance and Accountability Act 2013 (the PGPA Act), section 10 of the PGPA Rule 2014 (the Rule) and the Commonwealth Fraud and Corruption Policy.
2. Under the Rule, the Auditor-General (as accountable authority) ‘must take all reasonable measures to prevent, detect and respond to fraud and corruption relating to the [ANAO]’.1 These obligations are discussed in more detail in Appendix 1: Key roles and responsibilities in the ANAO Fraud and Corruption Framework and Appendix 2: Roles of specific governance and assurance committees in the ANAO Fraud and Corruption Framework.
Fraud and corruption policy statement
The Australian National Audit Office (ANAO) has zero tolerance for fraud and corruption. This means the ANAO will take all reasonable steps necessary to prevent, detect and respond to fraud and corruption. Fraud and corruption are incompatible with the ANAO values, and the Australian Public Service values set out in the Public Service Act 1999. All ANAO staff including contractors are expected to behave in accordance with the APS Values and APS Code of Conduct.
What is fraud?
3. The Commonwealth Fraud and Corruption Control Framework 2024 defines fraud as ‘dishonestly obtaining (including attempting to obtain) a gain or benefit, or causing a loss or risk of loss, by deception or other means. The conduct does not need to represent a breach of criminal law.’2
4. The benefit or loss is not restricted to a material benefit or loss, and may be tangible or intangible. A benefit may also be obtained by a third party.
What is corruption?
5. Corruption is defined in the Commonwealth Fraud and Corruption Framework 2024 as ‘any conduct that does or could compromise the integrity, accountability and probity of public administration.’3
6. As set out in section 8 of the National Anti-Corruption Commission Act 2022 (the NACC Act), each of the following is corrupt conduct:
- any conduct of any person (whether or not a public official) that adversely affects, or that could adversely affect, either directly or indirectly:
  - the honest or impartial exercise of any public official’s powers as a public official; or
  - the honest or impartial performance of any public official’s functions or duties as a public official;
- any conduct of a public official that constitutes or involves a breach of public trust;
- any conduct of a public official that constitutes, involves or is engaged in for the purpose of abuse of the person’s office as a public official; and
- any conduct of a public official, or former public official, that constitutes or involves the misuse of information or documents acquired in the person’s capacity as a public official.4
Fraud and corruption risks in an ANAO context
7. The ANAO faces fraud and corruption risks in its day-to-day operations and has a zero tolerance towards fraud and corruption. Examples of potential fraud by staff, contractors or third-party suppliers may include:
- the unlawful or unauthorised release of information (e.g. using position to provide information to a tenderer to help them win a contract);
- the provision of misleading information or falsified documentation (e.g. time-recording does not reflect hours worked);
- the theft of goods, intellectual property, or sensitive information;
- the intentional violation of delegations;
- the use of position to misdirect/quash questions about irregular/suspicious conduct or to gain a personal benefit;
- the misuse/misappropriation of property, assets, equipment or facilities (e.g. the misuse of ANAO car parking arrangements); and
- the provision of false details in résumés or job applications to influence employment decisions.
ANAO Fraud and Corruption Framework
8. The ANAO’s Fraud and Corruption Framework outlines the ANAO’s approach to managing fraud and corruption risks and complies with the Commonwealth Fraud and Corruption Framework. The framework is a key component of the ANAO’s integrity and security control environment in maintaining an enduring focus on addressing fraud and corruption risks. It supports a range of prevention, detection, and response measures to ensure a systemic and integrated approach across the ANAO.
9. The ANAO Fraud and Corruption Framework supports the ANAO to effectively manage the risks of fraud and corruption. The ANAO’s framework has three elements:
- the ANAO Fraud and Corruption Strategy (the Strategy) – the Strategy defines the ANAO’s principles of effective fraud and corruption control, key roles and responsibilities and how the ANAO expects to mitigate and manage risks. The Strategy informs staff how they can report fraud and corruption.
- the ANAO Fraud and Corruption Control Plan (the Plan) – the Plan is the ANAO’s detailed response to fraud and corruption risks, identified as part of the biennial risk assessments. The Plan allocates risks to control owners ensuring there is oversight and management of identified risks.
- the ANAO Fraud and Corruption Risk Assessment (risk assessments) – Enterprise-level fraud and corruption risk assessments are undertaken at least every two years. Fraud and corruption risks are reviewed as part of the risk discussions at the Executive Board of Management (EBOM) and its sub-committees.
ANAO Fraud and Corruption Strategy
10. The ANAO’s Fraud and Corruption Strategy (the Strategy) is informed by the principles of prevention, detection, response and evaluation.
Prevention
11. Fraud and corruption prevention is the responsibility of all ANAO staff and contractors associated with the delivery of ANAO’s outcomes. Prevention strategies focus on establishing and maintaining sound governance systems, systems of control and ethical organisational culture.
12. Prevention strategies include proactive measures designed to reduce the risk of fraud and corruption occurring by increasing fraud prevention awareness, encouraging reporting of suspected incidents, and ensuring the right mitigation controls are in place.
13. The key elements of the ANAO’s fraud and corruption prevention activities are:
- implementing the ANAO Fraud and Corruption Framework;
- having a strong organisational culture that does not tolerate fraud or corruption;
- having engagement and education strategies, including mandatory training, to build strong awareness of fraud among staff, contractors and suppliers;
- having requirements and protocols for personal interest disclosures/conflicts of interest;
- undertaking regular integrity reviews and reporting;
- communicating to staff about what fraud and corruption is and how to report suspected instances of fraud and corruption, including updates on MyANAO; and
- having policies, guidance and procedures on information management, IT, financial and workforce requirements and relevant assets.
Detection
14. Even if strong preventive strategies are in place, not all fraud risks can be eliminated. Staff must report any instances of suspected fraud, corruption, or misconduct, regardless of formal reporting lines. The ANAO has measures designed to uncover incidents of fraud and corruption when they occur.
15. Detection activities include:
- IT system monitoring and scanning including IT security control review and reporting;
- regular management reviews such as assurance activities undertaken by the Internal Auditor;
- quality assurance reviews;
- Public Interest Disclosures (PIDs);
- disclosures about changes in circumstances and external interests for security clearances;
- annual compliance reporting;
- ANAO Integrity Framework;
- monitoring of the ANAO fraud inbox – fraud@anao.gov.au; and
- external reporting/‘tip-offs’ through ANAO website or information provided by other entities.
Response
16. The ANAO will respond to any fraud or corrupt behaviour that is reported or detected as appropriate. Staff observing potential fraud or corruption are not to undertake their own investigations. All staff and contractors are reminded that natural justice applies. Action taken outside of an official investigation may lead to potential code of conduct breaches for any staff undertaking their own enquiries.
17. The ANAO’s response activities include:
- assessing all reports to decide an appropriate response;
- pursuing disciplinary, administrative, civil or criminal actions as appropriate;
- taking all reasonable measures for recovery of fraud losses;
- undertaking post incident reviews, reviews of investigations or incidents related to fraud and corruption to identify any control weaknesses or deficiencies that require treatment; and
- fulfilling appropriate reporting requirements, including externally where appropriate.
Evaluation
18. The ANAO’s monitoring, evaluation and reporting includes:
- reviewing the ANAO Fraud Control Plan and risk assessments on a biennial basis;
- reviewing the fraud management arrangements;
- annual reporting on IT controls through PSPF reporting;
- reporting to EBOM;
- reporting to the ANAO Audit Committee annually; and
- including relevant topics in the ANAO internal audit work program.
Governance arrangements
19. The ANAO has established and documented governance arrangements in place to support the effective oversight and management of fraud and corruption risks to the ANAO.
20. These arrangements are discussed below.
ANAO Fraud and Corruption Strategy
21. The ANAO Fraud and Corruption Strategy:
- sets out the roles and responsibilities of all ANAO staff and identifies positions with key roles;
- documents the ANAO’s fraud and corruption prevention, detection and response processes;
- outlines the ANAO’s approach to fraud and risk assessment and management planning; and
- includes processes for reporting fraud and corruption.
22. All ANAO staff including contractors are expected to behave in accordance with the APS Values and Code of Conduct and identify and report fraud and corruption in line with our zero appetite for fraud and corruption.
23. To support this, all ANAO staff including contractors have responsibilities to understand the Strategy and be alert to and understand potential fraud and corruption risks. Everyone is responsible for active fraud and corruption control which is achieved by developing, encouraging, insisting upon and implementing sound financial, legal and ethical decision making in day-to-day responsibilities.
24. To assist ANAO staff and contractors to be aware of and address their responsibilities, the ANAO has established mandatory training in fraud and corruption awareness as part of our induction program and mandatory annual refresher training.
25. Specific roles and responsibilities for key ANAO staff in relation to preventing, detecting, responding, and evaluating fraud and corruption are listed below with further detail in Appendix 1.
- The Auditor-General is the accountable authority responsible for taking all reasonable steps to prevent, detect and respond to fraud and corruption.
- The Deputy Auditor-General is the Chief Risk Officer for the ANAO and the risk owner for all risk below extreme.
- The Chief Operating Officer develops, implements and manages the Strategy in consultation with key stakeholders.
- The Chief Finance Officer provides guidance and oversight of key financial and accounting risks and administers the ANAO’s annual compliance survey.
- The Chief Security Officer is responsible for ANAO security policies and activities including oversight of the ANAO protective security framework.
- The Integrity Advisor is responsible for matters associated with integrity, supporting the effective and ongoing application of the ANAO Integrity Framework and providing annual reporting to EBOM.
- ANAO Authorised Officers are appointed ANAO staff who can receive disclosures under the ANAO Public Interest Disclosure Procedures.
- Risk and control owners are responsible for identifying and monitoring the effectiveness of arrangements to prevent, detect and respond to fraud and corruption attempts.
- The ANAO SES model the ethical tone of the work environment and maintain an appropriate internal control culture.
- The ANAO Audit Committee provides independent assurance and advice to the Auditor-General, including reviewing the appropriateness of the ANAO’s systems of risk and fraud oversight and management, and systems of internal control.
ANAO Fraud and Corruption Control Plan and Risk Assessments
26. The ANAO has a risk-based approach to mitigating potential fraud and corruption, incorporating both preventative and detective elements.
27. The ANAO’s detailed response to fraud and corruption risk is guided by the Fraud and Corruption Control Plan, which presents the key fraud and corruption risks identified in the fraud and corruption risk assessments. The Plan also allocates risks to control owners, to ensure that there is sufficient oversight and management of these.
28. The enterprise-level fraud and corruption risk assessments are undertaken every two years. The outcomes of these assessments are documented in the Fraud and Corruption Control Plan. The Plan is reviewed by EBOM and its sub-committees and approved by the Chief Risk Officer.
Reporting potential fraud and corruption
29. Suspected fraud and corruption in the ANAO can be reported in several ways.
- Current staff can discuss or report to their manager, Executive Director (SES) or the ANAO Integrity Advisor.
- Reports can be made in person to the COO, Deputy Auditor-General and Auditor-General for consideration.
- Reports can be made via email and will be confidentially triaged by the Governance team in Corporate Management Group (CMG) or via the ‘contact us’ form on the ANAO website.
- Reports can also be made to an ANAO PID officer, who will take steps as outlined in the ANAO PID Procedures.
- A complaint can be made to the Commonwealth Ombudsman.
30. Reports will be assessed by the ANAO and investigated as appropriate, which may involve referral to agencies such as the National Anti-Corruption Commission (NACC) or the Australian Federal Police.
Corruption: Referral to the National Anti-Corruption Commission
31. The NACC is an independent Commonwealth agency that detects, investigates and reports on serious or systemic corrupt conduct in the Commonwealth public sector.
32. The NACC can consider reports made by anyone in relation to a Commonwealth public official who is alleged to have engaged in corrupt conduct.
33. ANAO staff can refer matters to the NACC where they think there is corrupt conduct in the ANAO.
34. Under the National Anti-Corruption Commission Act 2022, the Auditor-General and PID Authorised Officers have mandatory reporting obligations if they become aware of a corruption issue within the ANAO.5
Fraud: Referral to the Australian Federal Police
35. The Australian Federal Police (AFP) has the primary law enforcement responsibility for investigating criminal offences against Commonwealth laws. Under the Commonwealth Fraud and Corruption Control Framework, the ANAO must report all instances of potential serious/complex fraud to the AFP. If the AFP declines to accept the matter, the Auditor-General will determine the most appropriate option for resolving the matter.6
Reporting investigation outcomes
36. Due to a range of reasons, including confidentiality, privacy restrictions and maintaining the integrity of the investigation, feedback or the outcome of any investigation may not be provided to the individual making the report.
Appendices
Appendix 1: Key roles and responsibilities in the ANAO Fraud and Corruption Framework
Auditor-General
As the ANAO’s accountable authority, the Auditor-General is responsible for implementing the ANAO’s Fraud and Corruption Framework in accordance with the Commonwealth Fraud and Corruption Control Framework.7 This responsibility includes fostering an environment that makes active fraud and corruption control a responsibility of all staff.
The Auditor-General is responsible for certifying (in the ANAO’s Annual Report) that the ANAO:
- has appropriately assessed its fraud and corruption risk; and
- has a fraud and corruption control plan in place to help prevent, detect and investigate instances of fraud and corruption.
The Auditor-General also has mandatory reporting obligations under the NACC Act.8
Deputy Auditor-General
The Deputy Auditor-General is the ANAO’s Chief Risk Officer and the risk owner for all risks below ‘extreme’.9 As the Chief Risk Officer, the Deputy Auditor-General:
- champions and facilitates objectivity in risk identification and management; and
- drives best practice and innovation to improve the risk culture.
This role has key responsibilities for enterprise risks, including fraud and corruption risks, such as:
- considering current and emerging risks, which may include fraud and corruption, in the context of the ANAO’s strategic objectives;
- demonstrating and promoting a positive risk management culture through communication and consultation; and
- overseeing the continuous improvement of risk management capability and awareness across the ANAO.
Chief Operating Officer
The Chief Operating Officer (COO) has corporate responsibility for overseeing implementation of fraud and corruption control frameworks, with the support of the CMG Governance team. COO duties include:
- leading the design, implementation and embedding of the ANAO fraud and corruption framework;
- supporting the Auditor-General and the Deputy Auditor-General in reporting responsibilities on the ANAO’s compliance with the Fraud Rule;
- operational responsibility for the delivery and implementation of a fit for purpose fraud and corruption control plan including maintaining reporting procedures;
- capturing and reporting fraud data annually to the Australian Institute of Criminology;
- reporting to the ANAO Audit Committee at least every 12 months on fraud control matters including the implementation of activities and arrangements outlined in the ANAO Fraud and Corruption Framework; and
- providing facilities, training, and communication activities to assist employees in complying with their risk management and fraud awareness obligations, including ensuring the delivery of the annual online eLearning module.
Chief Finance Officer
The Chief Finance Officer (CFO) is responsible for implementing the ANAO’s financial framework and ensuring that risks associated with the ANAO’s appropriations and expenditure are addressed. The CFO will ensure the appropriate level of insurance cover is maintained for all identified risks where there is an insurable consequence. The CFO reports directly to EBOM bi-annually on the results of the compliance survey which includes fraud matters.
Chief Security Officer
The Chief Security Officer (CSO) is responsible for the establishment and maintenance of the ANAO’s security policy, the oversight of ANAO protective security and the provision of advice. The CSO is responsible for the management of IT Security activities, and the approval of strategic information security policies. The CSO provides strategic-level guidance for the ANAO security program ensuring compliance with national policy, standards, regulations and legislation.
Integrity Advisor
The ANAO Integrity Framework provides an overarching structure for the ANAO integrity control system. The framework assists in ethical decision making and risk, fraud and misconduct management. The ANAO has an appointed Integrity Advisor. The Integrity Advisor’s responsibilities include:
- increasing integrity awareness across the ANAO;
- supporting the effective, ongoing application of the Integrity Framework; and
- reporting annually to EBOM on actions taken under the framework.
The Integrity Advisor is a point of contact for staff who are seeking advice and support on the application of the Integrity Framework. The Integrity Advisor is not responsible for determining if a matter is an integrity breach, or for making decisions about matters raised. Staff members seeking advice from the Integrity Advisor remain responsible for applying ANAO policies in the Framework and acting on the advice provided.
ANAO Public Interest Disclosure Authorised Officers
Under the ANAO’s PID Procedures, the ANAO’s Authorised Officers are able to accept a PID about the ANAO from ANAO staff which includes current and former staff and contractors. Authorised officers may deem a person as an ANAO public official if it is clear from the disclosure that it would be appropriate for the authorised official to receive and assess the disclosure as it is clearly an ANAO related disclosure. The authorised officers are listed on the ANAO’s website.
Risk and control owners
Using the fraud risk assessment process, owners will be identified for fraud and corruption risks and their controls. Collectively, these are the first line of defence. The ANAO has many processes and procedures that serve as safeguards against fraud and corruption. These are identified in the accompanying Fraud and Corruption Control Plan.
Under the ANAO’s Risk Management Framework, risk owners are responsible for the day-to-day management of a risk, including completing a formal risk assessment of the identified risk. They also coordinate the management of the risk, provide assurance that the controls are effective, have mitigation plans progressing into controls, and monitor the environment to identify if there are any indicators the risk might eventuate.
ANAO SES
ANAO SES officers are responsible for ensuring their staff understand and comply with relevant legislation, regulations, procedures and policies. The SES must consider current and emerging risks, which may include fraud and corruption, in the context of the ANAO’s strategic and operating environment.
SES officers are also responsible for fostering an environment that makes active fraud and corruption control a responsibility of all staff.
Appendix 2: The roles of specific governance and assurance committees in the ANAO Fraud and Corruption Framework
Executive Board of Management Subcommittees
The ANAO has established subcommittees to support EBOM. These subcommittees ensure organisational accountability and transparency, providing oversight and risk management in specific areas of operations. The subcommittees report to EBOM through summary reports and meeting minutes, and their terms of reference are reviewed annually.
Finance Committee
The Finance Committee is responsible for ‘considering, and recommending to the Auditor-General, the biennial Fraud Control Policy and Plan.’10
The committee will receive major reviews of the Fraud and Corruption Strategy and Control Plan at least every two years. After the Committee approves the documents, they can be presented to EBOM for final approval. In this way, the committee provides assurance.
The Finance Committee also reviews financial risks and controls by ‘reviewing strategies for improving the ANAO’s financial management, compliance and reporting capabilities.’ The Committee is ‘responsible for monitoring the strategic and operational risks associated with ANAO resources. This function includes biannual consideration of the existing controls, consequence and likelihood ratings, and evaluating risk level ratings.’11 In undertaking these functions, the committee will consider the goals of the Fraud and Corruption Strategy and the Fraud and Corruption Controls Plan.
Advice about financial-related fraud and corruption risks and controls will be received by EBOM through the Finance Committee’s minutes.
People and Change Committee
The People and Change Committee is ‘responsible for monitoring the strategic and operational risks associated with people and change. This function includes consideration at each meeting of the existing controls, consequence, and likelihood ratings, and evaluating risk level ratings.’ 12 At the enterprise level, enterprise risk 7 — ANAO staff behave inconsistently with ANAO values and behaviours — is the risk that includes statements about fraud. Given the potential role of human resource factors in fraud risks, this committee must consider fraud and corruption in more detail than other committees. Like the other Committees, it will have a standing agenda item on Fraud and Risk, and report to EBOM through summary reporting that attaches meeting minutes.
Security Committee
The Security Committee supports the Chief Security Officer in achieving protective security objectives and monitoring performance. The Committee provides advice, assurance and assistance to the Auditor-General and EBOM on the ANAO’s security framework.13
Audit Committee
The Audit Committee provides independent assurance and advice to the Auditor-General, including reviewing the appropriateness of the ANAO’s financial and performance reporting, systems of risk and fraud oversight and management, and systems of internal control.
The ANAO Audit Committee has specific fraud-related responsibilities including14:
- reviewing whether the ANAO ‘has a current and comprehensive enterprise risk management framework and associated internal controls for effective identification and management of the entity’s business and financial risks, including fraud and security’;
- satisfying itself that a sound approach has been followed in managing the ANAO’s highest risks including those associated with individual projects, program implementation, and activities;
- reviewing the process of developing and implementing the ANAO’s fraud control arrangements and satisfying itself that the entity has appropriate processes and systems in place to detect, capture and effectively respond to fraud risks;
- reviewing reports on fraud from management that outline any significant or systemic allegations of fraud, the status of any ongoing investigations and any changes to identified fraud risk in the ANAO; and
- reviewing the system of internal control.
Footnotes
1 See the Public Governance, Performance and Accountability Rule 2014, Division 1, Section 10, available from https://www.legislation.gov.au/F2014L00911/latest/text [accessed 12 June 2024].
2 Attorney-General’s Department, Commonwealth fraud framework, AGD, Canberra, 2024, p. 41, available from https://www.counterfraud.gov.au/sites/default/files/2024-03/cw-fraud-corruption-control-framework-2024.PDF [accessed 11 June 2024].
3 AGD, Commonwealth fraud framework, p. 40.
4 See also the National Anti-Corruption Commission Act 2022, Part 2, Division 1, Section 8, available from https://www.legislation.gov.au/C2022A00088/latest/text [accessed 11 June 2024].
5 NACC Act, Part 5, Division 2, Section 33; AGD Commonwealth fraud framework, p. 33.
6 AGD Commonwealth fraud framework, p. 33.
7 The Commonwealth Framework consists of the Public Governance, Performance and Accountability Act 2013 (the PGPA Act), section 10 of the PGPA Rule 2014 (the Rule) and the Commonwealth Fraud and Corruption Policy.
8 See the NACC Act, Part 5, Division 2, Section 33.
9 See the ANAO Risk Management Framework 2022–24 for further information.
10 See page one of the Finance Committee Terms of Reference for further information.
11 See page one of the Finance Committee Terms of Reference for further information.
12 See page one of the People and Change Committee Terms of Reference for further information.
13 See page one of the Security Committee Terms of Reference for further information.
14 See page three of the Audit Committee Charter for further information.