Browse our range of reports and publications including performance and financial statement audit reports, assurance review reports, information reports and annual reports.
Take our Insights reader feedback survey
Help shape the future of ANAO Insights by taking our reader feedback survey.
Fraud Control Arrangements
Please direct enquiries through our contact page.
This edition of audit insights outlines key messages from a series of performance audits which examined the effectiveness of fraud control arrangements in three Australian Government departments. In addition to assessing compliance with the mandatory requirements of the 2017 Commonwealth Fraud Control Framework, the audits examined the application of the government’s better practice fraud guidance, and steps taken by the entities to promote a fraud aware culture. The key messages may be relevant for the operations of other Commonwealth entities, as fraud control is a key responsibility in Australian Government administration.
Audit insights — fraud control arrangements
The ANAO audit program includes topics that examine the implementation of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule).
The Commonwealth Fraud Control Framework 2017 (the Framework) outlines the Australian Government’s requirements for fraud control.
The Framework consists of three tiered documents:
- the Fraud Rule — section 10 of the Public Governance, Performance and Accountability Rule 2014 is a legislative instrument binding all Commonwealth entities setting out the key requirements of fraud control;
- the Commonwealth Fraud Control Policy — a government policy binding non-corporate Commonwealth entities and setting out procedural requirements for specific areas of fraud control such as investigations and reporting; and
- the Fraud Guidance—Resource Management Guide No. 201 — Preventing, detecting and dealing with fraud (August 2017) is a better practice document setting out the Australian Government’s expectations in detail for fraud control arrangements within all Commonwealth entities.
The Framework provides for Commonwealth entities to manage their fraud risks in a way which best suits the individual circumstances of the entity, in the context of a requirement that the accountable authority of a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity.
The Attorney-General’s Department is responsible for administering the Framework.
The Auditor-General presented a series of performance audit reports in June 2020 that assessed the effectiveness of fraud control arrangements in three Australian Government departments. The audits focussed on compliance with mandatory Framework requirements, the consistency of entity arrangements with the government’s better practice, and promotion of a fraud aware culture within the entities:
- Auditor-General Report No. 42 of 2019–20 Fraud Control Arrangements in the Department of Foreign Affairs and Trade — published on 19 June 2020.
- Auditor-General Report No. 43 of 2019–20 Fraud Control Arrangements in the Department of Home Affairs — published on 22 June 2020.
- Auditor-General Report No. 44 of 2019–20 Fraud Control Arrangements in the Department of Social Services — published on 23 June 2020.
This edition of audit insights outlines a number of the key messages from this series of audits that may assist other Commonwealth entities in their implementation of the Framework.
Audit observations
This series of reports concluded that fraud control arrangements in the Department of Home Affairs (Home Affairs) were effective, and arrangements in the Department of Social Services (DSS) and the Department of Foreign Affairs and Trade (DFAT) were largely effective. The relatively small number of recommendations, directed to DSS and DFAT, indicates a high level of compliance with the key requirements of the Framework.
In particular, the reports concluded that each of the audited entities met the mandatory requirements of the Framework, namely to:
- conduct fraud risk assessments regularly and when there is a substantial change;
- develop and implement a fraud control plan;
- have appropriate mechanisms to prevent, detect and investigate fraud;
- have appropriate mechanisms for recording and reporting incidents of fraud or suspected fraud; and
- meet procedural requirements set out in the fraud policy.
The reports further concluded that fraud control arrangements in Home Affairs were consistent with the whole of government better practice fraud guidance and internal requirements, and largely consistent in DSS and DFAT. In each of the audited entities, the accountable authority has taken steps to promote a fraud aware culture.
Audit insights — implementing effective fraud control arrangements
Each of the three tiers of the Framework has a different emphasis. The fraud rule is the minimum standard for managing the risk of fraud; the fraud policy sets out procedural requirements for specific areas of fraud control, concentrated towards procedural requirements for fraud investigations; and the fraud guidance is a better practice document that aims to assist accountable authorities to meet their obligations under the PGPA Act, fraud rule and fraud policy.
These audit insights are presented in nine focus areas — eight areas drawn from the fraud guidance, with the ninth area relating to culture. Audit examples are provided to demonstrate how the audited department(s) addressed these elements, including how the department(s) tailored fraud control arrangements to the individual circumstances of the entity.
The focus areas are:
- Risk assessment — Review fraud risks and conduct assessments regularly
- Planning — Plan both strategically and operationally
- Prevention, awareness and training —Build fraud awareness and expertise
- Third party arrangements — Oversee third party arrangements
- Detection — Look for fraud
- Investigation — Establish comprehensive procedures to support investigations
- Quality assurance and review — Develop the capacity to measure and evaluate performance
- Reporting — Ensure key personnel obtain the information and assurance they require
- Culture — Promote a fraud aware culture
1. Review fraud risks and conduct assessments regularly
Fraud risk assessments are an important first step in fraud control, as they allow the entity to understand how vulnerable it is to fraud and what business areas or programs are most susceptible. Thinking about how fraud could be committed against the entity can help build understanding of any vulnerable entry points, and how fraud can be prevented from occurring. The entity can then focus effort on areas at greatest risk.
Entities with a number of business processes and programs that are at risk of fraud, and which plan for a rolling program of fraud risk assessments, will be best placed to respond in a timely way to the dynamic nature of fraud and fraud risks. A clearly documented decision making tool or matrix that assesses the likely occurrence of fraud and its impact can help entities determine the order and priority for conducting fraud risk assessments.
Audit example
The Department of Home Affairs has drawn from a variety of internal documentation to identify and prioritise business areas requiring fraud risk assessments. A fraud risk schedule is used to prioritise fraud risk assessments of its business areas. The department has guidance to assist its fraud control section to conduct fraud risk assessment workshops with the business area. During the workshop fraud risks are identified, analysed and evaluated. Fraud risk treatments are then determined, if required, to reduce the likelihood and/or consequence of the risk occurring (see paragraphs 2.20 to 2.22 of the report).
2. Plan both strategically and operationally
Plans need to be strategic to communicate a commitment to combatting fraud and to provide enterprise-level information on the entity's approach to fraud control. Plans also need to have an operational focus to address the risks identified in fraud risk assessments and to assist staff to identify and manage fraud risk in their day-to-day work.
Operationalising a strategic fraud control plan can be achieved via an annual work plan detailing the entity's fraud control priorities and milestones to demonstrate how identified fraud risks will be addressed and by when. Regardless of how an entity decides to structure its fraud control documentation, it is essential to ensure there is clarity regarding who in the entity has responsibility for each fraud risk along with the controls and treatments adopted to reduce the fraud risk.
In addition to clearly setting out fraud control plan priorities to address identified fraud risks, entities need to maintain up-to-date documentation of progress in mitigating risk. Tracking progress towards reducing the entity's exposure to fraud risks provides transparency to the accountable authority and management. It also allows for a clear understanding of the current status of fraud risk exposure facing the entity. The entity should have a mechanism for the control owner to advise the fraud risk owner of the results of any assessment and/or testing of control effectiveness, to inform the fraud risk owner's management of the fraud risk.
Audit examples
The Department of Social Services' fraud control framework comprises a fraud control plan which sets out the department's strategic approach to fraud control and an operational annual work program that sets out key actions to be taken by the department during the year (see paragraph 2.13 of the report).
The Department of Home Affairs maintains a comprehensive fraud risk register, documenting each fraud risk identified from fraud risk assessments, with each fraud risk having a staff member (identifiable by position) allocated as the fraud risk owner. The decision of the fraud risk owner to either accept the fraud risk or undertake further treatment to reduce the fraud risk is also documented in the risk register. Additional fields that are regularly updated include the treatment owner, the implementation date and review date—allowing the department's fraud control section to monitor the progress of fraud risk treatments being undertaken to reduce fraud risk. The department's fraud risk assessment procedural instructions include responsibilities for control owners to assess and test control effectiveness, and for risk owners to evaluate control effectiveness, with a mechanism in place to facilitate the risk owner's evaluation of control effectiveness (see paragraphs 2.28; 2.30; 2.38–2.39 of the report).
3. Build fraud awareness and expertise
Good fraud prevention requires all staff to be aware of what constitutes fraud and the need to prevent and detect fraud as part of their normal responsibilities, as well as skilled fraud control officials who can provide specialist advice and expertise.
Where an entity has invested in providing training and mandated that such training is compulsory for all staff, the executive should provide a clear message of the importance of all staff complying. To fully realise the objectives of compulsory training there should also be a mechanism in place to monitor compliance and quickly address non-compliance.
Internationally, there is a move towards further professionalisation and skill building for officials tasked with fraud control responsibilities. Staff responsible for fraud control activities, including developing fraud risk assessments and preparing fraud control plans, should be supported to attend training. In cases where timely external training may not be available, entities should explore opportunities to meet the training needs of fraud control officers through other means, such as sharing knowledge and experience across entities. The Commonwealth Fraud Prevention Centre in the Attorney-General's Department could be consulted as part of its priority to establish a counter fraud profession. The Framework provides some flexibility for entities to determine the most appropriate qualifications for staff, and entities should document their expectations for fraud control officer qualifications.
Audit example
In addition to providing online and face to face training to all staff, the Department of Home Affairs provides a suite of guidance material and advice for staff, including case studies and videos. This additional supporting material helps staff connect the information provided during training to situations that may arise in their day to day work. The department also has arrangements to monitor staff compliance with mandatory training, including a requirement for direct line managers to monitor compliance on a monthly basis. Staff non-compliance is escalated to the executive via an executive dashboard (see paragraphs 4.18 to 4.21 of the report).
4. Oversee third party arrangements
A Commonwealth entity retains its fraud control responsibilities when entering into an arrangement for services to be delivered by a third party. Before engaging a third party provider, the entity should ensure sufficient due diligence is undertaken regarding the provider's capability to prevent, detect and respond to fraud. The Commonwealth entity should maintain oversight of fraud control arrangements, monitor these for the duration of the arrangement and report regularly to its management and senior executive as necessary.
Audit example
The Department of Foreign Affairs and Trade requires funding recipients (third parties) to prevent, detect and correct fraud in accordance with contract obligations. The department conducts due diligence checks and confirms that the funding recipient has fraud control arrangements in place prior to commencing funding. Funding recipients must report any suspected fraud or incidents of fraud to the department within five business days, and investigate the matter in accordance with the Australian Government Investigations Standards 2011. To assist funding providers, the department provides guidance, written procedures and training. The department also has procedures and a case management system for monitoring, and reports regularly to its executive and audit committee (see paragraphs 3.16 to 3.18 of the report).
5. Look for fraud
The most common method of detecting fraud for the entities selected for this audit series was via a staff member or member of the public providing information to the entity about suspected fraud. This aligns with international experience. Internationally, there is a shift towards other fraud detection methods, with data analytics emerging as the most common fraud detection method. Data analytics can assist an entity to identify patterns, anomalies and exceptions that could indicate fraud.
Audit example
In addition to providing a process for staff and the public to report suspected fraud, the Department of Social Services uses data analytics as a detective control. The department has operationalised machine learning models to detect fraud in high risk programs, and has also undertaken random sampling activities to detect patterns, anomalies and exceptions in records and transactions that are then subject to further investigation (see paragraph 3.13 of the report).
6. Establish comprehensive procedures to support investigations
The Australian Government Investigations Standards 2011 require departments to have in place policies and procedures for the various stages of an investigation into suspected fraud. Having clear documented procedures can assist entities to apply a consistent approach and gather the necessary information to support successful investigation outcomes.
Audit example
The Department of Home Affairs procedures for investigations of suspected fraud are consistent with the Australian Government Investigations Standards 2011. The department's procedures provide clear guidance to assist staff to assess and prioritise cases and to document and report on outcomes. (see paragraphs 3.18 to 3.22 of the report).
7. Develop the capacity to measure and evaluate performance
All entities are expected to review their fraud control arrangements and provide quality assurance over their fraud investigations. Establishing metrics to evaluate performance will assist entities to assess whether the actions they are taking are improving fraud prevention, detection and responses.
Audit example
The Department of Social Service's fraud control plan contains 'measures of success' intended to assist the department to monitor and review its fraud control arrangements (see paragraph 2.18 of the report).
8. Ensure key personnel obtain the information and assurance they require
The fraud guidance advises that while reporting to an entity's minister is not mandatory under the fraud rule or fraud policy, section 19 of the PGPA Act establishes a duty that the accountable authority keep the minister informed of the activities of the entity. An annual report to the minister is a means of doing so in respect to fraud control. Such a report could address the suggested content in the fraud guidance: the entity's fraud control arrangements currently in place; planned future initiatives; any significant fraud risks identified by the entity as a result of conducting fraud risk assessments; and information about the significant fraud incidents that occurred during the reporting period, including recovery processes to recover funds lost due to fraud.
The entity's audit committee has a key role in reviewing the appropriateness of the entity's system of risk oversight and management. By regularly discussing and engaging with fraud risk in its work, the audit committee is able to provide independent advice and assurance to the accountable authority on the appropriateness of fraud control arrangements and suggest areas for improvement. Regular reports from the entity to the audit committee facilitate informed review by the committee.
Audit examples
The Department of Foreign Affairs and Trade provides an annual fraud control report to the responsible minister, containing all of the suggested content detailed in the fraud guidance, including fraud initiatives planned and undertaken, information about significant fraud risks, and significant fraud incidents which occurred during the reporting period (see paragraph 4.31 of the report).
The Department of Home Affairs has in recent years progressed a number of initiatives to improve its internal reporting, and now produces a quarterly Fraud in Home Affairs report for the audit committee and enterprise operations committee. This report includes details of fraud instances and related analysis, details on all fraud and corruption activities within the department during the quarter, and staff completion rates for compulsory fraud awareness training (see paragraphs 2.23 and 4.21 of the report).
9. Promote a fraud aware culture
The fraud guidance advises that accountable authorities play a key role in setting the ethical tone within their entities, and fostering and maintaining a culture of fraud awareness and prevention. Accountable authorities are strongly encouraged to foster this culture in their senior leadership specifically, as well as across their staff more generally.
Governance arrangements can also be structured to support a fraud aware culture, and an entity's audit committee can provide independent advice and assurance to the accountable authority on fraud control arrangements — specifically the appropriateness of the entity's system of risk oversight and management and system of internal control.
Audit examples
In each of the audited entities, the accountable authority has taken steps to promote a fraud aware culture. The following organisational practices were evidenced in each audited entity:
- Clear expectations — each accountable authority had issued Secretary's instructions clearly setting expectations for staff to act in accordance with the departmental fraud control plan.
- Accountable authority messaging to staff — each accountable authority had communicated with staff about fraud risk, and the responsibility of staff to prevent and detect fraud in the entity.
- Making fraud awareness information easily available for staff to access — each audited entity had a suite of fraud awareness information available for staff that was easy to access.
- Departmental activities — each audited entity had undertaken departmental activities to promote fraud awareness, such as participating in International Fraud Awareness week.
- Governance arrangements structured to support a fraud aware culture — each audited entity had governance arrangements that supported executive oversight of fraud risks, and allowed for review and oversight of fraud risks by the entity's audit committee.
See the following references for more information:
- Auditor-General Report No. 42 of 2019–20 Fraud control arrangements in the Department of Foreign Affairs and Trade paragraphs 4.7 to 4.15
- Auditor-General Report No. 43 of 2019–20 Fraud control arrangements in the Department of Home Affairs paragraphs 4.7 to 4.16
- Auditor-General Report No. 44 of 2019–20 Fraud control arrangements in the Department of Social Services paragraphs 4.7 to 4.14.
Further insights from related audit activity
For further insights from the ANAO’s multiyear audit program relating to implementation of the PGPA Act and the PGPA Rule, see:
- Commonwealth Resource Management Framework and the Clear Read Principle, November 2019.
- Audit insights — board governance, May 2019.
- Corporate planning and performance statements under the PGPA Act, August 2018.
- Corporate planning, performance statements and risk management under the PGPA Act, November 2017.