Audit snapshot

Why did we do this audit?

  • Effective fraud control arrangements are integral to protecting the integrity of the tax system, maintaining public confidence and preventing a culture of non-compliance.
  • During 2021–22 the Australian Taxation Office (ATO) identified a significant increase in attempts to obtain false Goods and Services Tax (GST) refunds. This audit will provide assurance to Parliament over the ATO’s management and oversight of fraud control arrangements for the administration of GST.

Key facts

  • GST collected by the ATO has increased from $48.4 billion in 2012–13 to $81.4 billion in 2022–23.
  • The ATO processed 11.2 million Business Activity Statements in 2022–23.

What did we find?

  • The ATO’s management and oversight of fraud control arrangements for the GST is partly effective.
  • The ATO has implemented partly effective strategies to prevent GST fraud, but the framework for assessing and managing GST fraud risk is not fit for purpose.
  • The ATO has implemented largely effective strategies to detect and deal with GST fraud but does not have a strategy to deal with large-scale fraud events.
  • The ATO’s oversight, monitoring and reporting of GST fraud is partly effective, as roles and responsibilities are not clear.

What did we recommend?

  • There were five recommendations to the ATO aimed at strengthening assurance and improving responses to fraud events.
  • The ATO agreed to all five recommendations.

  • $2.0bn: estimated Operation Protego GST fraud (April 2022 to 30 June 2023).
  • >57,000: estimated Operation Protego participants in GST fraud (April 2022 to 30 June 2023).
  • 4,745: tip-offs related to GST fraud (2019–20 to 2022–23).

Summary and recommendations

Background

1. The Australian Taxation Office (ATO) administers the Goods and Services Tax (GST), and in 2022–23 collected $81.4 billion of GST and raised an additional $6.1 billion in GST liabilities.

2. All Commonwealth entities are required to have fraud control arrangements in place to ensure proper use of public resources, minimise losses and maintain public confidence.1 GST fraud can undermine the integrity of the tax system, reduce the revenue available for the Commonwealth to make GST payments to the states and territories and penalise taxpayers who do the right thing. Preventing and detecting GST fraud may contribute to the ATO’s purpose of ‘fostering willing participation in the taxation and superannuation system’.2

Rationale for undertaking the audit

3. All Commonwealth entities are required to have fraud control arrangements in place in accordance with the Commonwealth Fraud Control Framework. Preventing and detecting GST fraud is integral for minimising loss of GST revenue available for the Commonwealth to make payments to the states and territories and maintaining public confidence in the tax system to support voluntary compliance.

4. This audit provides assurance to the Parliament that the ATO has effective management and oversight of fraud control arrangements for the administration of GST to protect the integrity of the tax system.

Audit objective and criteria

5. The objective of the audit was to assess the effectiveness of the Australian Taxation Office’s management and oversight of fraud control arrangements for the Goods and Services Tax.

6. To form a conclusion against the objective, the following criteria were adopted:

  • Has the ATO implemented effective strategies to prevent GST fraud?
  • Has the ATO effectively implemented strategies to detect and respond to GST fraud?
  • Has the ATO implemented effective arrangements to oversee, monitor and report on fraud control arrangements for the administration of GST?

Conclusion

7. The ATO’s management and oversight of fraud control arrangements for the GST is partly effective. The lack of clarity for roles and responsibilities, inadequate implementation of assurance requirements, and absence of a holistic and contemporary view of GST fraud risks undermine the effectiveness of efforts to prevent, detect and respond to fraud events in a timely manner and minimise fraud losses.

8. The ATO has implemented partly effective strategies to prevent GST fraud. The ATO has established an enterprise framework for fraud, but it is not fit for purpose and is not operating as intended. The ATO assesses fraud risks and produces an annual fraud and corruption control plan. It is not evident how the ATO’s 2023 Fraud Control and Corruption Plan deals with identified external fraud risks as required under paragraph 10(b) of the Public Governance, Performance and Accountability Rule. The ATO has implemented mandatory training which includes fraud awareness content and monitors compliance with its requirement for ATO employees and contracted individuals to complete the mandatory training. The ATO raises awareness of GST fraud among external stakeholders through publishing information on its website and social media accounts.

9. The ATO’s processes to detect and deal with suspected GST fraud are largely effective. The ATO has implemented effective processes to confidentially report allegations of suspected fraud. The ATO has procedures to assess and refer ‘tip offs’ of external fraud to the relevant business line for further action, and to assess and investigate allegations of suspected internal fraud. The ATO has methods to detect potential GST fraud. The ATO has processes for investigating suspected fraud and taking action but does not have a procedure to respond to a large-scale fraud event.

10. The ATO has partly effective governance arrangements for GST fraud control. There is a lack of clarity regarding ownership of GST risks, and artefacts to support risk assessment, monitoring and treatment are incomplete or in draft. The ATO provides reports to its Audit and Risk Committee through the ATO’s conformance reporting process and dashboard. The benchmark used in the dashboard reporting is not fit for purpose as it is a measure of fraud and error for government payments. In contrast, the ATO’s fraud indicators reported in the dashboard are the proportion of tax lodgments that are referred for investigation.

Supporting findings

Goods and Services Tax fraud prevention

11. The ATO has established an enterprise framework for fraud, but it is not fit for purpose and is not operating as intended. The ATO has established an external fraud risk owner and an internal fraud risk owner. The Commissioner of Taxation has issued two Chief Executive Instructions (CEIs) setting out the requirements for managing fraud — one for external fraud and one for internal fraud. The CEIs do not reflect the roles and responsibilities in place in the ATO’s current structure. The ATO is in the process of clarifying roles and responsibilities for managing fraud risk and making the relevant changes to its CEIs. The ATO’s conformance reporting process for external fraud is not fit for purpose. The ATO Audit and Risk Committee relies on this information to provide assurance to the Commissioner of Taxation as the ATO’s accountable authority. The ATO advised the ANAO in June 2023 that it is planning to redesign the external fraud conformance process to support the revised roles and responsibilities framework. (See paragraphs 2.3 to 2.20).

12. The ATO assesses fraud risks and produces an annual fraud and corruption control plan. It is not evident how the ATO’s 2023 Fraud Control and Corruption Plan deals with identified external fraud risks (including GST fraud risks) as required under paragraph 10(b) of the Public Governance, Performance and Accountability Rule, or whether the ATO’s controls and strategies for external fraud are commensurate with assessed fraud risks as suggested in the fraud guidance. The ATO has completed internal fraud and corruption risk assessments, largely within the two-year timeframe suggested in the Commonwealth fraud guidance. The ATO has not completed external fraud risk assessments within the two-year timeframe required by its external fraud governance framework. No ATO business line has completed a business line level fraud risk assessment relevant to GST fraud since 2020. As of June 2023, the ATO was working towards clarifying the roles and responsibilities for assessing and managing GST fraud risks. (See paragraphs 2.21 to 2.53).

13. The ATO has documented a clear and widely available definition of what constitutes fraud in its Fraud and Corruption Control Plan 2023. The ATO’s external and internal fraud CEIs require ATO employees and contracted individuals to complete ‘mandatory training’, which includes three courses with fraud awareness content. The ATO monitors compliance with its requirement that staff complete mandatory training and reports completion rates for these three courses to the ATO Audit and Risk Committee. (See paragraphs 2.54 to 2.63).

14. The ATO has established external communications products that raise GST fraud awareness among external stakeholders. Information from these products is contained on the ATO’s website and social media posts. (See paragraphs 2.64 to 2.68).

Goods and Services Tax fraud detection, investigation and response

15. The ATO has processes for ATO officials and members of the public to confidentially report allegations of suspected GST fraud. The ATO has documented instructions and procedures for ATO officials to assess reports of suspected external fraud (including suspected GST fraud) and to refer these reports to the relevant business line for further investigation. (See paragraphs 3.2 to 3.9).

16. The ATO has largely appropriate methods to detect potential GST fraud. The ATO’s measures of effectiveness for GST fraud detection have improved over time. Registers of controls used to detect potential GST fraud are dispersed across ATO business lines and the ATO does not maintain a centralised register. The dispersed nature of GST controls means the ATO relies on internal committee discussions to draw together a ‘whole of GST product’ perspective on the effectiveness of these methods, rather than on collated or aggregated data. The Contemporising GST Risk Models (CGRM) project involves a redesign of existing risk models to detect Business Activity Statement refunds that are incorrect, based on a risk likelihood score. The CGRM project ran 12 months behind schedule, with models being deployed over time from May 2021 to January 2022. The ATO is assessing the effectiveness of two risk models deployed under the CGRM project (the identity crime and the incorrect reporting models) through a random audit program. This project is running eight months behind schedule. The ATO utilises other methods to detect potential GST fraud including data matching, referrals from financial institutions and using justified trust to assure GST compliance of large businesses. (See paragraphs 3.10 to 3.33).

17. The ATO has largely appropriate processes in place for investigating suspected fraud and taking appropriate action. The ATO has documented procedures in place to investigate suspected internal fraud and external fraud and is in the process of updating documents to meet the Australian Government Investigations Standard 2022 requirements. The proportion of Integrated Compliance cases and audits resulting in a GST adjustment was 32.4 per cent of cases and 81.9 per cent of audits completed in 2022–23. The ATO did not have a procedure to respond to a large-scale external fraud event such as the GST fraud event that led to the ATO’s ‘Operation Protego’ response from April 2022 to October 2023. The ATO publicly reports the results of tax crime prosecutions, including prosecutions for GST fraud, on the ATO website. (See paragraphs 3.34 to 3.50).

Oversight, monitoring and reporting

18. The ATO’s governance and reporting arrangements for GST fraud control are partly effective. The ATO has identified there is a lack of clarity regarding accountability for GST fraud control and after two years of committee discussions this issue remains unresolved. Interim arrangements establishing a GST Fraud Advisor were endorsed by the GST Product Committee (an ATO SES Band 2 committee with responsibility for GST administration within the ATO) in September 2023, with a risk assessment on fraud in the GST system along with a deep dive on fraud in the GST system to be completed in early 2024. The ATO provides reports to its Audit and Risk Committee through the ATO’s conformance reporting process and dashboard. The benchmark used in the dashboard reporting is not fit for purpose as it is a measure of fraud and error for government payments. In contrast, the ATO’s fraud indicators reported in the dashboard are the proportion of tax lodgments that are referred for investigation. (See paragraphs 4.2 to 4.35).

19. The ATO has met the external reporting requirements of the Commonwealth Fraud Control Framework by providing the required information to the Australian Institute of Criminology in the form required by the specified deadline. (See paragraphs 4.36 to 4.39).

Recommendations

Recommendation no. 1

Paragraph 2.19

The Australian Taxation Office, as a matter of priority, should finalise its work on:

  1. clarifying and documenting the roles and responsibilities for fraud prevention, detection, and treatment;
  2. redesigning the external fraud conformance process to support the revised roles and responsibilities; and
  3. making the necessary changes to the external fraud and internal fraud Chief Executive Instructions.

Australian Taxation Office response: Agreed

Recommendation no. 2

Paragraph 2.36

The Australian Taxation Office should conduct and document assessments of its GST fraud risks regularly and ensure that it has a contemporary and holistic view of its GST fraud risks.

Australian Taxation Office response: Agreed

Recommendation no. 3

Paragraph 2.51

The Australian Taxation Office ensures that its fraud control and corruption plans are based on identified fraud risks that are documented in risk assessments.

Australian Taxation Office response: Agreed

Recommendation no. 4

Paragraph 3.48

The ATO should develop and implement a response for large-scale fraud events that do not meet the criteria specified in the extant Integrity Incident Response Framework. The response should encompass:

  1. the ability to monitor early warning signals from the disparate fraud detection methods across ATO business lines, including ‘tip-offs’ received by the ATO Tax Integrity Centre;
  2. identification of escalation triggers and the pathways that will be followed to develop an ATO response;
  3. a clear allocation of decision-making authority and accountability for initiating and finalising a rapid response;
  4. a prioritisation approach for action, emphasising the prevention and containment of revenue leakage;
  5. actions to recover losses; and
  6. criteria to evaluate the success of the framework’s use to contain fraud events, and the ability to adjust the framework in response to evaluation findings.

Australian Taxation Office response: Agreed

Recommendation no. 5

Paragraph 4.32

The Australian Taxation Office should:

  1. consider an alternative benchmark for ATO fraud indicators; and
  2. remove references to the ‘AGD fraud benchmark’.

Australian Taxation Office response: Agreed

Summary of entity response

The ATO welcomes the ANAO’s audit into its fraud control arrangements for the administration of the GST. Fraudsters’ tactics continuously develop, and the environment is rapidly evolving. The ATO, like other tax administrations and organisations around the world, continues to face increasing fraud attacks, often seeking to subvert the improved client experiences offered through digitalisation.

Protecting the ATO’s systems and the broader tax ecosystem from fraud is a constant fight, and one that the ATO takes extremely seriously. The ATO’s internal and external intelligence sources, risk models and pre-issue integrity activities identified a significant increase in attempts to obtain false GST refunds from December 2021. We responded to the threat and publicly announced Operation Protego in May 2022. The operation successfully contained this fraud and significantly strengthened a range of system controls.

In July 2023, we established the Fraud and Criminal Behaviours business line to focus on further protecting the system and clients against fraud and have since implemented a range of additional fraud defences.

We will continue to implement and build on the recommendations identified by the ANAO, which we consider will support the already improved management and assurance of fraud control arrangements for the GST.

Key messages from this audit for all Australian Government entities

20. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.

Governance and risk management

  • Fraud losses can occur rapidly, particularly during large-scale fraud events. Entities should regularly assess the risk of a large-scale fraud event, monitor early warning signals and plan for a whole-of-entity response that can mobilise resources with the aim of minimising fraud losses and recovering amounts lost to fraud.

Performance and impact measurement

  • Setting a benchmark against which performance is assessed can improve organisational effectiveness and assist an entity to make decisions about when and how to deploy its resources. To ensure benchmarks are reliable, verifiable and free from bias, entities should regularly review performance measures (including targets and benchmarks) and amend if necessary to ensure they are fit for purpose.

1. Background

Introduction

1.1 The Australian Taxation Office (ATO) administers the Goods and Services Tax (GST). In accordance with paragraph 25 of the Intergovernmental Agreement on Federal Financial Relations (IGAFFR), the Commonwealth makes GST payments equivalent to the revenue received from the GST to the states and territories for any purpose, with the states and territories reimbursing the Commonwealth for the ATO’s cost of administering the GST.3 The accountability and performance arrangements between the ATO and the Council on Federal Financial Relations as required under the IGAFFR have been established under the GST Administration Performance Agreement.4 The framework enabling the ATO to administer the GST is detailed in Appendix 3.

1.2 In 2022–23 the ATO collected $81.4 billion of GST and raised an additional $6.1 billion in GST liabilities.5 The ATO’s cost of administering the GST for 2022–23 was $653.3 million.

1.3 The Australian Government defines fraud as:

Dishonestly obtaining a benefit or causing a loss by deception or other means.6

1.4 Fraud against the Commonwealth can be committed by officials or contractors (internal fraud) or by external parties such as clients, service providers, other members of the public or organised criminal groups (external fraud). All Commonwealth entities are required to have fraud control arrangements in place to ensure proper use of public resources, minimise losses and maintain public confidence.7

1.5 GST fraud can undermine the integrity of the tax system, reduce the revenue available for the Commonwealth to make GST payments to the states and territories and penalise taxpayers who do the right thing. Preventing and detecting GST fraud may contribute to the ATO’s purpose of ‘fostering willing participation in the taxation and superannuation system’.8

Key Commonwealth requirements on fraud control

1.6 The requirements for Australian Government entities to have fraud control arrangements in place are contained in the Commonwealth Fraud Control Framework (the Framework), developed under the Public Governance, Performance and Accountability Act 2013 (PGPA Act).9

1.7 The Framework comprises three tiered documents, section 10 of the Public Governance, Performance and Accountability Rule 2014 (the fraud rule10), the Commonwealth Fraud Control Policy (the fraud policy) and Resource Management Guide No. 201, Preventing, detecting and dealing with fraud (the fraud guidance), with different requirements for corporate and non-corporate Commonwealth entities.11 The Attorney-General’s Department is responsible for the Framework. On 1 February 2024 the Australian Government released the new Commonwealth Fraud Corruption and Control Framework which will come into effect on 1 July 2024.

1.8 The ATO is a non-corporate Commonwealth entity, and therefore must comply with the fraud rule and fraud policy. The Australian Government considers the fraud guidance as better practice, and entities are expected to follow the guidance where appropriate.12

1.9 Estimates of fraud losses against the Australian Government are based on responses by Commonwealth entities to the Australian Institute of Criminology’s (AIC) annual online questionnaire. The AIC estimates show the total amount lost to internal fraud has risen from $907,657 in 2016–17 to $3.4 million in 2020–21. The ATO reported to the AIC that the total amount lost to internal fraud each year from 2016–17 to 2021–22 is not able to be quantified. The AIC estimates show the total amount lost to external fraud against the Commonwealth for completed investigations has also risen from $91.9 million in 2016–17 to $198.4 million in 2021–22. For the ATO, the estimated total amount lost to external fraud for completed investigations has increased from $4.7 million in 2016–17 to $173.0 million in 2021–22 (Figure 1.1).

Figure 1.1: Total estimated amount lost to external fraud against the Australian Government and the ATO, completed investigations, 2016–17 to 2021–22

 

Source: Australian Institute of Criminology annual fraud census reports to Government, 2016–17 to 2021–22 and ANAO analysis of ATO documentation.

The Goods and Services Tax

1.10 The GST came into effect in Australia on 1 July 2000, and is an indirect broad-based consumption tax of 10 per cent, levied on most goods and services in Australia.13 The A New Tax System (Goods and Services Tax) Act 1999 provides the administration framework for GST law.

1.11 The total net GST collected by the ATO has increased from $48.4 billion in 2012–13 to $81.4 billion in 2022–23, and the cost to administer the GST has decreased from $705.3 million in 2012–13 to $653.3 million in 2022–23. The ATO’s cost to administer the GST as a proportion of total net GST collected has decreased from 1.46 per cent in 2012–13 to 0.80 per cent in 2022–23 (Figure 1.2).

Figure 1.2: The ATO’s cost to administer the GST as a proportion of total net GST collected, 2012–13 to 2022–23

 

Note: Net GST is gross GST payable, excluding input tax credits and including deferred GST payments on imports and GST collections by the Department of Home Affairs. Input tax credits are credits for any GST included in the price paid for goods and services a business or organisation registered for GST buys for their business. Deferred GST payments on imports is GST payable on taxable imports that can be paid via a monthly business activity statement rather than to the Department of Home Affairs at the time of importation.

Source: Australian Taxation Office, Taxation Statistics, GST Table 1 [Internet], available from https://data.gov.au/data/dataset/taxation-statistics-2019-20 [accessed 15 May 2023]. Data for 2021–22 sourced from the Australian Taxation Office Annual Report 2021–22, ATO, 2022, Table 3.1 and the Australian Taxation Office, GST administration annual performance report 2021–22, ATO, 2023. Data for 2022–23 sourced from the Australian Taxation Office, Annual Report 2022–23, ATO, 2023, Table 4.1 and ANAO analysis of ATO documentation.

1.12 Information about the ATO’s administration of the GST is at Table 1.1.

Table 1.1: Information about the ATO’s administration of GST 2022–23

| Element | Contextual information |
|---|---|
| Number of staff allocated to the administration of GST | 2,144.8 Full Time Equivalent (FTE), of which 1,229.1 FTE were forecast to undertake GST compliance (client engagement and compliance intelligence, and risk management activities). |
| Total actual cost to administer the GST | $653.3 million |
| Geographical location of staff | Staff are based across Australia, with Client Engagement Group staff predominately located in: Brisbane Central Business District (CBD); Dandenong Victoria; Perth; Sydney CBD; Canberra and Adelaide. |

Source: ANAO from ATO documentation.

Rationale for undertaking the audit

1.13 All Commonwealth entities are required to have fraud control arrangements in place in accordance with the Commonwealth Fraud Control Framework. Preventing and detecting GST fraud is integral for minimising loss of GST revenue available for the Commonwealth to make payments to the states and territories and maintaining public confidence in the tax system to support voluntary compliance.

1.14 This audit provides assurance to the Parliament that the ATO has effective management and oversight of fraud control arrangements for the administration of GST to protect the integrity of the tax system.

Previous scrutiny

1.15 Auditor-General Report No. 55 of 2002–03 Goods and Services Tax Fraud Prevention and Control observed that the ATO had systems and processes in place to prevent, detect, investigate and report GST fraud, with these activities undertaken and implemented across business lines. It made eight recommendations aimed at improving these systems and processes to strengthen its GST fraud control framework.14

1.16 The ATO agreed to all of the recommendations. Noting the significant timeframe (20 years) since this previous audit, along with subsequent changes to the Commonwealth fraud control requirements, this audit has not examined if the ATO implemented these recommendations. However, during the conduct of this audit, areas of the ATO’s GST fraud control framework identified as requiring strengthening were considered.

1.17 In 2018 the Inspector-General of Taxation undertook a review into the ATO’s fraud control management at the request of the Senate Economics References Committee, following events including those relating to Operation Elbrus and allegations of tax fraud. The review did not find evidence of systemic internal fraud or corruption and found that the ATO in general had sound systems in place to manage internal fraud, however there were areas requiring improvement. The Inspector-General of Taxation also made recommendations to improve processes aimed at the prevention of external fraud.15

1.18 In accordance with audit arrangements specified in the GST Administration Performance Agreement, the ANAO conducts an annual special purpose audit of GST costs and the systems of control of GST costs. Under Schedule C of the Agreement, the ANAO is required to provide all reports emanating from the special purpose audit directly to the ATO. The audit finding for the year ended 2023 was that ‘the ATO has suitably designed controls relating to the monitoring and reviewing of GST administration costs, as specified in Schedule B of the GST Administration Performance Agreement’.

Audit approach

Audit objective, criteria and scope

1.19 The objective of the audit was to assess the effectiveness of the Australian Taxation Office’s management and oversight of fraud control arrangements for the Goods and Services Tax.

1.20 To form a conclusion against the objective, the following criteria were adopted:

  • Has the ATO implemented effective strategies to prevent GST fraud?
  • Has the ATO effectively implemented strategies to detect and respond to GST fraud?
  • Has the ATO implemented effective arrangements to oversee, monitor and report on fraud control arrangements for the administration of GST?

1.21 The audit focused on the effectiveness of the ATO’s fraud control arrangements. The audit did not examine the effectiveness of the:

  • ATO’s management and oversight for the risk of corruption;
  • ATO’s management and oversight of conflict-of-interest arrangements; and
  • management and oversight of fraud control arrangements for the administration of GST by the Department of Home Affairs.

Audit methodology

1.22 The audit methodology involved:

  • reviewing ATO records, including fraud risk assessments, fraud control plans, ATO committee papers and minutes, ATO reporting and internal briefings;
  • reviewing the ATO’s procedures against the fraud guidance;
  • meetings with ATO staff;
  • analysis of relevant data provided by the ATO; and
  • walkthroughs of ATO systems, including the Contemporising GST Risk Models project at the ATO office in Brisbane.

1.23 The audit was open to contributions from the public along with state and territory Treasury departments, as official members of the GST Administration Sub-Committee. The ANAO received and considered two submissions from the public and input from one state/territory.

1.24 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $519,371.

1.25 The team members for this audit were Ailsa McPherson, Kim Murray, Kayla Hurley, Hazel Ferguson, Dale Todd, Afreen Shaik and David Tellis.

2. Goods and Services Tax fraud prevention

Areas examined

This chapter examines whether the Australian Taxation Office (ATO) has implemented effective strategies to prevent Goods and Services Tax (GST) fraud.

Conclusion

The ATO has implemented partly effective strategies to prevent GST fraud.

The ATO has established an enterprise framework for fraud, but it is not fit for purpose and is not operating as intended.

The ATO assesses fraud risks and produces an annual fraud and corruption control plan. It is not evident how the ATO’s 2023 Fraud Control and Corruption Plan deals with identified external fraud risks as required under paragraph 10(b) of the Public Governance, Performance and Accountability Rule.

The ATO has implemented mandatory training which includes fraud awareness content and monitors compliance with its requirement for ATO employees and contracted individuals to complete the mandatory training. The ATO raises awareness of GST fraud among external stakeholders through publishing information on its website and social media accounts.

Areas for improvement

The ANAO made three recommendations aimed at improving the ATO’s arrangements for assessing and managing its GST fraud risks.

The ANAO also suggested changes to the ATO’s mandatory training material.

2.1 Section 10 of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) requires the accountable authority of a Commonwealth entity to take all reasonable measures to prevent fraud relating to the entity, including by conducting fraud risk assessments regularly, developing and implementing a fraud control plan that deals with identified risks, and ensuring that officials of the entity are made aware of what constitutes fraud.16

2.2 Leading practice in fraud risk assessment requires accountable fraud risk owners to monitor and report on fraud risks and to ensure controls are developed and implemented in a timely manner, including controls that are the responsibility of other officials in different business areas.17 To assist entities to prevent fraud, the fraud guidance encourages entities to provide information to external parties about their rights and obligations with regards to fraud.18

Has the ATO established a fit for purpose framework for GST fraud risk?

The ATO has established an enterprise framework for fraud, but it is not fit for purpose and is not operating as intended.

The ATO has established an external fraud risk owner and an internal fraud risk owner.

The Commissioner of Taxation has issued two Chief Executive Instructions (CEIs) setting out the requirements for managing fraud — one for external fraud and one for internal fraud. The CEIs do not reflect the roles and responsibilities in place in the ATO’s current structure. The ATO is in the process of clarifying roles and responsibilities for managing fraud risk and making the relevant changes to its CEIs.

The ATO’s conformance reporting process for external fraud is not fit for purpose. The ATO Audit and Risk Committee relies on this information to provide assurance to the Commissioner of Taxation as the ATO’s accountable authority. The ATO advised the ANAO in June 2023 that it is planning to redesign the external fraud conformance process to support the revised roles and responsibilities framework.

ATO fraud risk owners

2.3 The ATO does not have a single GST fraud risk owner and relies on each of its business lines to identify, assess and manage GST fraud risks within its area of responsibility. At the enterprise level, the ATO considers GST fraud risks as part of its external and internal fraud risk arrangements.

2.4 The ATO’s Fraud and Corruption Control Plan 2023 identifies the Deputy Commissioner (Senior Executive Service (SES) Band 2) of Integrated Compliance as the risk owner for the ATO’s external fraud risk and the Assistant Commissioner (SES Band 1) of Fraud Prevention and Internal Investigations as the risk owner for the ATO’s internal fraud risk. ATO fraud control and corruption plans have consistently identified these two positions as the risk owners of external fraud and internal fraud since 2019–20. In mid-2023, as part of a restructure of its business lines, the Deputy Commissioner of Integrated Compliance was appointed the Deputy Commissioner of Fraud and Criminal Behaviours and retained responsibility as the risk owner for the ATO’s external fraud risk.19

2.5 Under the ATO’s Risk Management Framework, as set out in the accountable authority’s Chief Executive Instruction (CEI)20 on risk management, ATO risk owners:

  • are personally accountable for identified risks;
  • are responsible for providing direction on relevant risk management activities within their area of responsibility and across business lines where appropriate; and
  • oversee the status of risks, controls, and treatment strategies.

ATO Chief Executive Instructions on fraud

2.6 The Commissioner of Taxation, as the ATO’s accountable authority, has issued two CEIs that set out the requirements for all ATO employees and contracted individuals (subject to the terms of the individual’s contract) for preventing, detecting, and dealing with fraud.21 The CEIs also identify roles within the ATO that have specific responsibilities for assessing fraud risk and managing fraud in the ATO. One CEI covers external fraud (fraud committed by those outside of the ATO) and the other covers internal fraud (fraud committed by ATO employees or contracted individuals).

2.7 The ATO’s external fraud CEI requires ‘Senior Responsible Officers’ (senior responsible officers) to ‘actively manage external fraud by conducting and reviewing risk assessments regularly to ensure appropriate external fraud risk tolerances, treatments and controls are in place and documented for their program’. The ATO advised the ANAO in July 2023 that the CEI refers to a position title that does not exist within the ATO but the function is generally carried out by Executive Level or SES personnel responsible for managing a program of work.

2.8 The external fraud CEI further requires ‘National Program Managers’ to ‘manage external fraud risk within their business line’ and ‘provide assurance on the management of external fraud risk within their business line to the external fraud risk owner via the external fraud conformance process’ (discussed in paragraphs 2.11 to 2.17). The ATO advised the ANAO in July 2023 that the term ‘National Program Manager’ (national program manager) is no longer used in the ATO but had been used to describe those members of the SES that are responsible for large programs of work and collectively it refers to the Deputy Commissioner (SES Band 2) positions within the ATO.

2.9 The ATO’s internal fraud CEI does not mention senior responsible officers and does not identify who is responsible for conducting and reviewing internal fraud risk assessments. The ATO advised the ANAO in October 2023 that the ATO’s Assistant Commissioner of Fraud Prevention and Internal Investigations, in their capacity as the risk owner for the ATO’s internal fraud risk (see paragraph 2.4), is responsible for conducting and reviewing internal fraud risk assessments regularly. Similar to the external fraud CEI, the internal fraud CEI assigns responsibility for managing internal fraud and corruption risks within business lines to national program managers. National program managers are also required to ‘actively support’ internal fraud risk assessment activity within their business line. As noted in paragraph 2.8, the term national program manager is an outdated term for what are now Deputy Commissioner (SES Band 2) positions within the ATO.

2.10 The ATO is reviewing the roles and responsibilities including those of senior responsible officers and what were formerly known as national program managers. The CEIs will then be updated accordingly. In November 2023, the ATO updated its internal fraud CEI. The updated CEI refers to Deputy Commissioners instead of national program managers. In July 2023, the ATO advised the ANAO that the changes to the external fraud CEI would occur in three phases with phase one (‘minor changes’) being a revised CEI issued ‘within the next few months’, phase two changes by June 2024 and phase three post July 2024. The phase two changes include clarifying the roles and responsibilities of senior responsible officers which ATO documents state ‘will involve identifying and confirming SROs [senior responsible officers] with existing responsibilities for key controls and treatments.’ Phase three changes are undefined but the ATO advised the ANAO in July 2023 that they are in ‘recognition that a further revision may be required’.

The ATO’s external fraud conformance process

2.11 The ATO’s external fraud conformance reporting process is the basis for the ATO’s external fraud risk owner’s reporting to the ATO Audit and Risk Committee (ARC) on the effectiveness of the ATO’s management of its external fraud risks.22 It is the mechanism for providing the risk owner with an ATO-wide view of the entity’s external fraud risk, the administration of which is dispersed throughout various ATO business lines.

2.12 Each quarter, the ATO’s Integrated Compliance business line requests selected ATO business lines to complete a conformance questionnaire to self-assess whether the business line has conformed with the ATO’s obligations for managing external fraud, including the requirements of the external fraud CEI, during the relevant quarter. The ATO does not have a systematic process for selecting business lines each quarter to ensure timely and regular coverage of all ATO business lines, but informed the ANAO in August 2023 it is developing one. The ATO described its process of selecting business lines to the ANAO as follows:

The Fraud and Criminal Behaviours (FCB) conformance team maintains a list of previous conformance reviews for the prior three years and selects business lines for each quarter based on an area’s external fraud risk exposure and period of time since the last conformance review. To improve selection decisions, the FCB conformance team are in the process of preparing a forward plan for the 2023–24 year.

2.13 The business lines’ self-assessments then form the basis for quarterly reports of the ATO’s conformance with its external fraud obligations to the external fraud risk owner which in turn underpins the risk owner’s reporting to the ARC.

2.14 The ANAO examined the ATO’s external fraud conformance reporting records for the quarters from June 2021 to June 2023 inclusive (nine quarters). Quarterly conformance reporting during this period was incomplete, not timely, and did not provide adequate assurance of the ATO’s compliance with its external fraud obligations.

  • The quarterly statements of conformance to the external fraud risk owner are based on completed questionnaires requested from a selection of ATO business lines for that quarter. Coverage of the ATO’s business lines during the June 2021 to June 2023 period examined by the ANAO was limited to a total of ten[23] of the ATO’s business lines, the number of which has changed from 24 in late 2022/early 2023, to 32 as at mid-2023.
  • The highest coverage of the ATO’s business lines in the nine reporting quarters from June 2021 to June 2023 (inclusive) was in the June 2021 and September 2021 quarters where three of the ATO’s 24 business lines were selected for review in each quarter.
  • The ATO does not have a systematic process for selecting business lines each quarter to ensure timely and regular coverage of all ATO business lines.
  • The statements of conformance for the March 2022, June 2022 and March 2023 quarters do not identify which business lines responded to the questionnaire.

2.15 The ATO further advised the ANAO in July 2023 that each business line is examined, approximately, on an annual basis. However, the ATO’s records of the quarterly external fraud conformance reporting processes show that the ATO has not:

  • examined each business line annually during the nine reporting periods reviewed as part of this audit (June 2021 to June 2023 quarters);
  • examined every business line in the two-year period reviewed as part of this audit (June 2021 to June 2023); and
  • examined any business line more than once during this time (June 2021 to June 2023), with one exception (the individuals and intermediaries business line).

2.16 An example of the realisation of the risk associated with the external fraud conformance process being incomplete and not timely occurred in June 2023 when the ATO’s Small Business line reported in its quarterly self-assessment questionnaire that it had not documented an assessment of its external fraud risks, including GST fraud risks, since April 2019. The ARC was advised of this non-conformance with the ATO’s obligations at its 31 August 2023 meeting. The ATO’s Small Business line has further advised the ARC that it intends to complete a fraud risk assessment by December 2023, advising the ‘consequence of not addressing this matter in a timely manner may bring adverse findings and criticism from targeted internal or external reviews’.

2.17 In its March 2023 and June 2023 quarter conformance reports, the ATO assessed the conformance of its senior responsible officers with the external fraud CEI as ‘partially effective’, concluding that:

Whilst accountability of external fraud rests with [Deputy Commissioner] DC Fraud and Criminal Behaviours, and is partially effective, reviews have revealed the role of Senior Responsible Officers across ATO business areas in fraud prevention, detection and treatment in context of their business areas are not clear and could lead to gaps in actively managing external fraud (top down and bottom up).

In response, the ATO is developing a new Governance framework including clarifying external fraud roles and responsibilities. This Governance framework is being considered for endorsement at senior levels as part of internal conversations on how external fraud is better managed across the ATO (particularly as a shared risk).

The External Fraud Roles and Responsibilities Framework will be agnostic of tax product and client experience.

The External Fraud conformance process will be redesigned to support the revised roles and responsibilities framework.

The ATO’s internal fraud conformance process

2.18 The ATO’s internal fraud risk owner (Assistant Commissioner (SES Band 1) of Fraud Prevention and Internal Investigations) reports the level of conformance with the ATO’s obligations for managing internal fraud to the ARC quarterly. In October 2023, the ATO advised the ANAO that the quarterly conformance process for internal fraud changed to an annual process from February 2023 consistent with the ATO’s requirement for annual conformance reporting where the risk consequence in the conformance report is assessed as ‘major’ and its likelihood ‘rare’.

Recommendation no.1

2.19 The Australian Taxation Office, as a matter of priority, should finalise its work on:

  1. clarifying and documenting the roles and responsibilities for fraud prevention, detection, and treatment;
  2. redesigning the external fraud conformance process to support the revised roles and responsibilities; and
  3. making the necessary changes to the external fraud and internal fraud Chief Executive Instructions.

Australian Taxation Office response: Agreed.

2.20 The ATO agrees to prioritise and finalise work on roles and responsibilities for fraud prevention, detection and treatment and reflect this in a redesign of the external fraud conformance process and Chief Executive Instructions for external and internal fraud.

Has the ATO assessed GST fraud risks and established and implemented an appropriate fraud control plan?

The ATO assesses fraud risks and produces an annual fraud and corruption control plan.

It is not evident how the ATO’s 2023 Fraud Control and Corruption Plan deals with identified external fraud risks (including GST fraud risks) as required under paragraph 10(b) of the Public Governance, Performance and Accountability Rule, or whether the ATO’s controls and strategies for external fraud are commensurate with assessed fraud risks as suggested in the fraud guidance.

The ATO has completed internal fraud and corruption risk assessments, largely within the two-year timeframe suggested in the Commonwealth fraud guidance. The ATO has not completed external fraud risk assessments within the two-year timeframe required by its external fraud governance framework. No ATO business line has completed a business line level fraud risk assessment relevant to GST fraud since 2020. As of June 2023, the ATO was working towards clarifying the roles and responsibilities for assessing and managing GST fraud risks.

ATO GST fraud risk assessments

2.21 Part five of the fraud guidance encourages entities to conduct fraud risk assessments at least every two years and further suggests that ‘entities responsible for activities with high fraud risk may wish to assess fraud risk more frequently’.24 The Commonwealth Fraud Prevention Centre’s Fraud Risk Assessment Leading Practice Guide states ‘risk assessments provide assurance that public funds are being managed in an accountable manner and that the potential harms of fraud are being actively mitigated’.25

2.22 The GST is administered by ATO business lines that are structured around taxpayer types.26 The ATO does not develop GST specific fraud risk assessments. Each of its business lines is required to identify, assess and manage GST fraud risks within its area of responsibility. At the enterprise level, the ATO considers GST fraud risks as part of its external and internal fraud risk assessments. The ATO’s framework for assessing and managing external and internal fraud risk is examined in paragraphs 2.3 to 2.20.

2.23 In November 2020, the Assistant Commissioner of the GST Program established the GST Program Risk Assurance project to increase and maintain confidence that compliance risks to the GST system are being managed efficiently and effectively. In a presentation to the May 2021 meeting of the GST Integrated Risk Forum27 the project team (comprising ATO officials at the EL2, EL1 and APS 6 levels) reported a ‘lack of evidence of current key risk artefacts28 required to demonstrate that GST compliance risks are being managed efficiently and effectively across the ATO’. Further, the ATO’s Chief Internal Auditor’s report of their review of Operation Protego29 (April 2023) states that the ATO’s analysis and assessment of its GST fraud risks is ‘not holistic or based on robust evidence’. As of June 2023, the ATO was working towards clarifying the roles and responsibilities for assessing and managing GST fraud risks. This work was ongoing as of 2 November 2023.

ATO business line risk assessments relevant to GST fraud risk

2.24 Between 2017 and 2020 three ATO business lines responsible for managing the ATO’s engagement with different groups of taxpayers (Small Business, Privately Owned and Wealthy Groups, and Public and Multinational Businesses30) documented a total of eight risk assessments incorporating GST fraud risks relevant to their business line, three of which are marked as drafts. Of the remaining five, four contain no indication that they were approved, and one states that it was ‘endorsed/approved with qualification’ by the Risk Manager (the qualification is not specified). The authority and utility of these risk assessments are unclear given they are either in draft form or not approved by the risk owners.

2.25 No ATO business line has completed a business line level fraud risk assessment relevant to GST fraud since 2020. ATO documents indicate that the ATO is planning to complete three separate risk assessments to assess and determine the risk ratings and tolerances associated with GST refund integrity, Small Business GST, and GST registration. As of October 2023, the ATO had started work on the risk assessment for GST refund integrity — defined by the ATO as ‘incorrect GST refunds occurring because of failure to correctly report GST due to errors, deliberate misreporting of GST on sales or purchases, and/or incorrect GST registrations by those not entitled to be registered’.

ATO external fraud risk assessments

2.26 At the enterprise level, the ATO considers the risk of GST fraud perpetrated by individuals outside of the ATO as part of its external fraud risk assessments.31 The ATO’s External Fraud Governance Framework requires external fraud risk assessments to be completed every two years.

2.27 Since 2017, the ATO has finalised three external fraud risk assessments — in November 2018, in May 2021, and in October 2023[32] (see Table 2.1). Neither of the two most recent risk assessments was completed within the two-year timeframe required by the ATO’s External Fraud Governance Framework. Table 2.1 sets out the ATO’s assessment of its external fraud risk as documented in its primary risk assessment artefacts since 2017.

Table 2.1: ATO’s assessment of its external fraud risk since 2017

| External fraud risk assessment | Risk tolerance level [a] | Risk rating [b] | Assessment of controls | Likelihood of risk occurring | Consequence of risk occurring |
|---|---|---|---|---|---|
| 2023 External Fraud Risk Assessment and Treatment Plan (finalised October 2023) | High | Severe (risk rating is ‘above’ tolerance) | Partially effective | Even chance | Extreme |
| 2020 (finalised May 2021) | Low | Low (risk rating is within tolerance) [c] | Partially effective | Rare | Medium |
| External Fraud Risk Review as at December 2019 (finalised March 2020) | The risk review did not change any ratings and kept the risk level at ‘severe’. The document states that ‘in order to ensure our risk position is current given the rapidly changing environment undertake a program to review the risk on a monthly basis for the remainder of this year commencing 30 May 2020’. The ATO advised the ANAO it did not proceed with this plan due to other priorities (supporting the administration of the COVID-19 stimulus program). | | | | |
| 2018 (finalised November 2018) | Significant | Severe (risk rating is out of tolerance) | Partially effective | Almost certain | Very high |

Note a: Risk tolerance levels operationalise an entity’s risk appetite by specifying the levels of risk taking that are acceptable. Source: Commonwealth Risk Management Policy, last updated 29 November 2022, available from https://www.finance.gov.au/government/comcover/risk-services/management/commonwealth-risk-management-policy. The ATO’s Risk Tolerance Guide states that risk tolerance is ‘the level of risk which is acceptable and where no further treatment action is required. In most cases, a risk that is not within tolerance must undergo further treatment action or a decision to accept the risk level would be documented’. Within the ATO, Risk Owners are responsible for setting the risk tolerance for the risk they own.

Note b: The ATO’s risk matrix comprises six risk levels — low, moderate, significant, high, severe, and catastrophic (see Appendix 4).

Note c: ATO documents indicate that it has been unable to locate ‘detailed written explanation for the change in risk level’ from ‘severe’ in the 2018 risk assessment to ‘low’ in the 2020 risk assessment.

Source: ANAO analysis of ATO documents.

The 2020 external fraud risk assessment (ATO’s extant fraud risk assessment until October 2023)

2.28 The ATO’s 2020 external fraud risk assessment was approved by the Deputy Commissioner of Integrated Compliance in May 2021 and was extant until October 2023. The ATO described its method for compiling its 2020 external fraud risk assessment as follows:

The 2020 Risk Assessment commenced in November 2020. The control framework was considered through a series of workshops with key stakeholders and the assessment of key programs including the Integrated Compliance managed, high-risk population programs following the ATO Enterprise Risk Management Framework and the AGD [Attorney-General’s Department] Control Assessment Guidelines. The final control and risk assessments were agreed to with the participants from key programs across the Compliance Engagement Group. These products were aggregated into the final assessment.

The assessment was approved 26 May 2021.

2.29 In this assessment, the ATO assigned an overall risk rating of ‘low’ to its external fraud risk and assessed the risk as being within tolerance. In consequence, the risk assessment states that the management responsibility for the risk of external fraud was assigned to the APS Executive Level 2, in accordance with the ATO’s scale of management actions.

2.30 As Table 2.1 shows, the ATO’s assessment of its risk of external fraud changed from ‘severe’ in 2018 to ‘low’ in 2020, and is rated as ‘severe’ in the ATO’s 2023 external fraud risk assessment. ATO documents state that the ATO has been unable to locate any ‘detailed written explanation for the change in risk level’ between the 2018 and 2020 external fraud risk assessments. The ATO described its rationale for this downgrading of its external fraud risk rating to the ANAO as follows:

The 2020 assessment (formally endorsed in 2021…) focussed on the effectiveness of the ATO’s existing controls. It also recognised the approach taken in the ATO’s rapid implementation of the economic stimulus measures to ensure the controls were as robust as could be and resulting occurrence of little fraud and immaterial revenue loss in relation to the total payments made. The likelihood of the controls failing was assessed as rare, supported with system-based analysis demonstrating the level of robustness of the holistic approach the ATO takes. The consequence should the controls fail was assessed as medium, resulting in the risk being assessed as within tolerance at low.

The data in 2020 did not indicate systemic fraud and the environment at the time had not changed.

2.31 The 2020 external fraud risk assessment also includes the ATO’s assessment of the effectiveness of its controls33 on 13 external fraud risks, which the ATO has assessed as being ‘generally reliable’ and ‘partially effective’ overall. The 2020 external fraud risk assessment also lists 13 preventative, detective and correction controls that require improvement to raise the effectiveness of the ATO’s control assessment above ‘partially effective’. The controls are not attributed in the document to the 13 external fraud risks. The ATO’s external fraud risk assessment is not underpinned by a documented record (such as a risk register) of specific risks and corresponding controls for each of the broad 13 external fraud risks identified in the risk assessment document.

The 2023 external fraud risk assessment

2.32 In May 2023, the ATO’s Integrity Steering Committee34 considered an overview of the ATO’s draft 2023 external fraud risk assessment and endorsed the proposed risk rating of ‘severe’ with the risk rating being ‘out of tolerance’. An action item from that meeting was for the ATO to finalise the 2023 external fraud risk assessment by 30 June 2023 for consideration by the committee at its next meeting on 1 August 2023. The ATO Integrity Steering Committee endorsed the 2023 External Fraud Risk Assessment and Treatment Plan, dated 28 September 2023, on 5 October 2023.

2.33 As Table 2.1 shows, the ATO’s assessment of its risk of external fraud changed from ‘low’ in 2020 to ‘severe’ in 2023, and the ATO considers this to be ‘above tolerance’. In consequence, the risk assessment states the required risk manager level for the ATO’s external fraud risk is SES Band 3. In its 2023 external fraud risk assessment document the ATO has:

  • identified 10 external fraud sub-risks (these are different risks to the 13 risks listed in the 2020 external fraud risk assessment);
  • assessed its controls35 against the 10 sub-risks as being ‘partially effective’ overall;
  • identified the requirements of section 10 of the PGPA Rule as further controls and assessed these controls as ‘partially effective’;
  • determined that risk treatment is required to bring the external fraud risk within tolerance;
  • determined that the required risk treatment is to add or modify controls (to reduce the likelihood or consequence of the risks) and bring the external fraud risk within tolerance; and
  • stated that the risk treatment plan is ‘pending’.

2.34 In June 2023, the ATO requested ministerial approval to seek additional funding for its counter fraud activities to bring its fraud risk back into tolerance. The ATO advised the Minister for Financial Services that this was the first time this risk has been out of tolerance. Table 2.1 shows the ATO had assessed the fraud risk as being out of tolerance from 2018 until it reassessed the risk in 2020 as being within tolerance.

ATO’s internal fraud and corruption risk assessments

2.35 At the enterprise level, the ATO considers the risk of GST fraud perpetrated by individuals inside of the ATO as part of its broader internal fraud and corruption risk assessments.36 Since 2017, the ATO has completed five enterprise-wide internal fraud and corruption risk assessments, largely within the two-year timeframe suggested in the Commonwealth fraud guidance. Table 2.2 sets out the ATO’s assessment of its internal fraud risk as documented in its primary risk assessment artefacts since 2017.

Table 2.2: ATO internal fraud and corruption risk assessment ratings since 2017

| Internal fraud and corruption risk assessment | Risk tolerance level [a] | Risk rating [b] | Assessment of controls | Likelihood of risk occurring | Consequence of risk occurring |
|---|---|---|---|---|---|
| 2023 (finalised Jun 2023) | Significant | Significant (risk rating level is within tolerance) | Effective | Even chance | Major |
| 2021 (finalised Mar 2021) | Significant | Significant (risk rating level is within tolerance) | Effective | Even chance | Medium |
| 2020 (specific to COVID-19) (finalised July 2020) | Significant | Significant (risk rating level is within tolerance) | Partially effective | Even chance | Medium |
| 2019 (finalised Aug 2019) | Significant | Significant (risk rating level is within tolerance) | Effective | Even chance | Medium |
| 2018 (finalised Nov 2018) | Significant | Significant (risk rating level is within tolerance) | Effective | Even chance | Medium |

Note a: Risk tolerance levels operationalise an entity’s risk appetite by specifying the levels of risk taking that are acceptable. Source: Commonwealth Risk Management Policy, last updated 29 November 2022, available from https://www.finance.gov.au/government/comcover/risk-services/management/commonwealth-risk-management-policy. The ATO’s Risk Tolerance Guide states that risk tolerance is ‘the level of risk which is acceptable and where no further treatment action is required. In most cases, a risk that is not within tolerance must undergo further treatment action or a decision to accept the risk level would be documented.’ Within the ATO, Risk Owners are responsible for setting the risk tolerance for the risk they own.

Note b: The ATO’s risk matrix comprises six risk levels — low, moderate, significant, high, severe, and catastrophic (see Appendix 4).

Source: ANAO analysis from ATO documents.

Recommendation no.2

2.36 The Australian Taxation Office should conduct and document assessments of its GST fraud risks regularly and ensure that it has a contemporary and holistic view of its GST fraud risks.

Australian Taxation Office response: Agreed.

2.37 The ATO agrees to regularly conduct and document assessments of GST fraud risks and ensure it has a contemporary and holistic view of GST fraud risks.

Fraud Control and Corruption Plan 2023

2.38 Each year in the ATO’s annual report from 2017–18 (the timeframe covered in the scope of this performance audit), the Commissioner of Taxation, as the accountable authority for the ATO, certifies that the ATO has prepared fraud risk assessments and fraud control plans as required by section 10 of the PGPA Rule. The ATO has developed an enterprise-wide fraud and corruption control plan for each financial year from 2017–18.

2.39 The ANAO examined the ATO’s Fraud and Corruption Control Plan 2023 (the current plan at the time of this performance audit) to determine the extent to which the plan meets the requirements of paragraph 10(b) of the PGPA Rule and part six of the fraud guidance with regard to the plan emphasising prevention, being available to all officials, and dealing with identified fraud risks.

2.40 Part six of the fraud guidance states that it is important for fraud control plans to emphasise prevention and encourages entities to make their fraud control plans available and accessible to all officials.37 The ATO’s Fraud and Corruption Control Plan 2023 is available on the ATO’s external website38 and intranet. The plan identifies prevention as one of three elements of the ATO’s fraud and corruption control framework (prevention, detection, response). The plan also states that the ‘ATO promotes prevention of fraud and corruption risks’, and includes the following statements on the ATO’s view of fraud prevention:

  • Prevention strategies are the first line of defence, and these include proactive measures designed to help reduce the risk of fraud and corruption.
  • Preventing fraud minimises the need for the ATO to detect and respond to fraud.

2.41 The fraud guidance further suggests seven elements that entities may include in their fraud control plans, none of which are mandatory.39 The ATO’s Fraud Control and Corruption Plan 2023 includes these seven elements.

2.42 Paragraph 10(b) of the PGPA Rule requires the accountable authority of a Commonwealth entity to take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by developing and implementing a fraud control plan that deals with identified risks as soon as practicable after conducting a risk assessment.40 Part six of the fraud guidance states that controls and strategies outlined in fraud control plans are ideally commensurate with assessed fraud risks.41

2.43 At the time that the ATO finalised its Fraud and Corruption Control Plan 2023 in early 2023[42], the ATO’s most recent external fraud risk assessment was a 2020 external fraud risk assessment that was approved in May 2021.[43] The ANAO examined the alignment of the external fraud risks identified in the ATO’s Fraud and Corruption Control Plan 2023 with those in the ATO’s 2020 external fraud risk assessment.

2.44 The Fraud and Corruption Control Plan 2023 lists six ‘priority behavioural risks’ for external fraud:

  • identity crime enabled fraud;
  • refund fraud;
  • serious and organised crime in the tax and super systems;
  • offshore tax evasion;
  • illegal phoenix; and
  • black economy.44

2.45 The plan also lists examples of the ATO’s fraud and corruption prevention, detection and response activities. The plan does not attribute these activities to the six behavioural risks. Four of these behavioural risks (identity crime enabled fraud, serious and organised crime, offshore tax evasion, and illegal phoenix) are common to the list of 13 external fraud risks identified in the 2020 external fraud risk assessment (see paragraph 2.31). It is not evident how the plan deals with the ATO’s identified external fraud risks, as required under paragraph 10(b) of the PGPA Rule, or whether the ATO’s controls and strategies for external fraud are commensurate with assessed fraud risks as suggested in the fraud guidance because the identified risks in the two documents cannot be reconciled.

2.46 In June 2023 the ATO informed the ANAO that:

  • its publicly available fraud and corruption control plans are framework documents rather than detailed plans as they necessarily only include the ATO’s high level assessment of controls for addressing fraud risks and not the details of specific fraud risks and associated controls;
  • the ATO does not prepare a more detailed non-public version of its annual fraud control and corruption plan; and
  • each ATO business line maintains its own risk register and risk treatment plans.

2.47 As noted in paragraph 2.23, ATO internal reviews of its management of GST risks have identified gaps in the ATO’s records of current key risk artefacts (including risk assessments and treatment plans) and the ATO’s work on clarifying the roles and responsibilities for assessing and managing GST fraud risks is ongoing.

2.48 The ATO’s Fraud and Corruption Control Plan 2023 lists three areas of ‘priority internal fraud risk’ as:

  • corruption and insider threat;
  • working arrangements in a hybrid work environment; and
  • spending of public monies.

2.49 As noted in paragraph 2.45, the plan also lists examples of the ATO’s fraud and corruption prevention, detection and response activities. The plan does not attribute these activities to the three areas of ‘priority internal fraud risk’ listed in the plan.

2.50 The ATO’s most recent enterprise-wide internal fraud and corruption risk assessment is dated 30 June 2023. This risk assessment lists five ‘risk drivers’: financial advantage, disclosure of information, poor implementation of a new program, restructure of a process or function, and conflicts of interest. The risk assessment also includes the ATO’s assessment of the effectiveness of 10 controls that the ATO relies on to manage its single identified risk (internal fraud and corruption) and rates all 10 controls as being ‘effective’.

Recommendation no.3

2.51 The Australian Taxation Office ensures that its fraud control and corruption plans are based on identified fraud risks that are documented in risk assessments.

Australian Taxation Office response: Agreed.

2.52 The ATO agrees to ensure fraud control and corruption plans are based on identified fraud risks documented in risk assessments.

Changes to the ATO’s GST risk assessment strategies after the 2022 GST fraud events

2.53 Part five of the fraud guidance states that ‘it is important for risk assessment strategies to be reviewed and refined on an ongoing basis in light of experience with continuing or emerging fraud vulnerabilities’.45 In 2023 the ATO initiated activities intended to address the shortcomings in its GST fraud risk management that the Operation Protego GST fraud event46 exposed. These include the following.

  • The ATO has added ‘registration’ and ‘external fraud’ as new enterprise risks47 in its corporate plan for 2023–24.
  • In April 2023, the ATO’s Chief Internal Auditor completed an audit insights paper which includes observations and suggestions that the paper states are considered ‘critical to embedding GST fraud risk management as an enduring capability’.48 The ATO Audit and Risk Committee considered the paper at its June 2023 meeting. The minutes from that meeting state that the committee observed the ‘ambiguity around accountability for each of the suggestions’.

Has the ATO implemented appropriate fraud awareness and training for officials to prevent and detect GST fraud?

The ATO has documented a clear and widely available definition of what constitutes fraud in its Fraud and Corruption Control Plan 2023. The ATO’s external and internal fraud CEIs require ATO employees and contracted individuals to complete ‘mandatory training’, which includes three courses with fraud awareness content. The ATO monitors compliance with its requirement that staff complete mandatory training and reports completion rates for these three courses to the ATO Audit and Risk Committee.

The ATO’s definition of GST fraud

2.54 To assist with raising awareness of what constitutes fraud, part seven of the fraud guidance encourages entities to have a widely distributed fraud strategy statement. Guidance published by the Commonwealth Fraud Prevention Centre within the Attorney-General’s Department (AGD) explains that a fraud strategy statement helps people understand what fraud is, an entity’s views about fraud, and what staff and contractors should do if they suspect fraud.49 The guidance states that the fraud strategy statement can be part of an entity’s fraud control plan.

2.55 The ATO’s Fraud and Corruption Control Plan 2023 quotes the definition of fraud from the Commonwealth Fraud Control Policy. The plan provides further guidance on the nature of fraud and includes examples of what internal and external fraud might look like in the context of the ATO’s activities, including an example of GST fraud. The plan is publicly available on the ATO’s external website.

Fraud awareness training in the ATO

2.56 Part seven of the fraud guidance encourages entities to have all officials take into account the need to prevent and detect fraud as part of their normal responsibilities. The guidance suggests entities establish fraud awareness and integrity training in all induction programs and a rolling program of regular fraud awareness and prevention training for all officials.50

Mandatory training

2.57 The ATO’s Fraud and Corruption Control Plan 2023 identifies mandatory online51 training for ATO staff as one element of the ATO’s fraud and corruption prevention activity. The ATO’s external and internal fraud CEIs require ATO employees and contracted individuals to complete ‘mandatory training’, which includes three courses first introduced during the June 2020 quarter52 that include content covering fraud awareness, ethics, privacy and the APS Code of Conduct, as suggested by the fraud guidance.

  • ‘Working in the ATO’ (mandatory for all new staff).
  • ‘Safe, secure and inclusive’ (mandatory for all new staff and as an annual refresher).
  • ‘Managing safety and integrity’ (which is mandatory for all new managers53 and all existing managers as an annual refresher).54

2.58 The ANAO found that the ‘Managing safety and integrity’ course:

  • does not refer to the current version of the ATO’s external fraud CEI; and
  • includes a scenario titled ‘reporting external fraud’ that is about document security when working from home and not about reporting external fraud.

2.59 The ATO advised the ANAO that certain cohorts of ATO staff are not granted access to ATO systems as their work requirements do not include the requirement for ATO system access to complete work tasks (for example some contractors or labour hire personnel). These cohorts of ATO staff are required to complete the ‘Working in the ATO’ course through a commercially available mobile application (EdApp) which can be downloaded to an individual’s personal device.

2.60 The ANAO reviewed the ‘Working in the ATO’ training available through EdApp and found that the fraud awareness content is materially the same as the ATO’s intranet based version of this ATO training. The ANAO found that the EdApp training refers the trainee to documents that the trainee cannot access without access to ATO systems (for example, the ATO external fraud CEI). If the information in such documents is important, then the content should be available to the trainee within EdApp, or through alternative means.

Opportunity for improvement

2.61 The Australian Taxation Office could improve the utility of its training material by:

  1. reviewing and updating the online version of ‘Managing safety and integrity’ course materials so that it refers to the current version of the ATO’s external fraud CEI and uses an appropriate scenario for ‘reporting external fraud’; and
  2. reviewing the EdApp version of the ‘Working at the ATO’ training course to remove references to documents that the participant is unable to access without access to ATO systems, and instead include the relevant information from those inaccessible documents (for example, the external fraud CEI).

Monitoring completion of mandatory training

2.62 The ATO monitors compliance with its requirement that staff complete mandatory training and issues reminder emails to staff and their manager if training is not completed within the expected timeframes. Where staff have not completed the required mandatory training, the ATO may remove an individual’s access to some systems.

2.63 ATO managers are responsible for ensuring that their team members are up to date with their mandatory training. Completion rates for mandatory training courses are reported to the ATO Audit and Risk Committee quarterly. In November 2023 the ATO reported completion rates of 90 per cent or more for each of the three mandatory training courses as at September 2023.

Has the ATO appropriately raised GST fraud awareness among external stakeholders?

The ATO has established external communications products that raise GST fraud awareness among external stakeholders. Information from these products is contained on the ATO’s website and social media posts.

2.64 The ATO’s Fraud and Corruption Control Plan 2023 identifies the ATO’s external communications program as one of its fraud and corruption prevention activities.

2.65 The ATO has a ‘the-fight-against-tax-crime’ website which includes:

  • an explanation of what tax crime is and what the ATO is doing to prevent and respond to tax crime;
  • a statement that the ATO takes all forms of tax crime seriously and will take firm action, including seizing the profits of those participating in tax crime;
  • warnings about becoming involved in tax fraud (including GST fraud);
  • ATO media releases about GST fraud cases and prosecutions; and
  • outcomes of successful prosecutions for tax crime, including case studies of prosecutions for GST fraud.

2.66 The ATO provides information for businesses about what they need to do to meet their Business Activity Statement obligations on the ATO website and social media posts.

2.67 The ATO also posts information on social media (on Facebook, Twitter, and LinkedIn) and conducts advertising campaigns (on social media and internet search engines) with warnings about GST fraud and the risks and consequences of becoming involved in GST fraud. The ATO uses emails and its website to communicate with applicants for new Australian Business Numbers (ABN) to inform them about eligibility for an ABN and warning against becoming involved in GST fraud.

2.68 The ATO raises awareness of GST fraud among tax agents through, for example:

  • meetings of, and emails to, ATO Stewardship groups (including the Tax Practitioner Stewardship Group55 and the GST Stewardship Group56); and
  • the ATO’s ‘Tax professionals newsroom’ on the ATO website.57

3. Goods and Services Tax fraud detection, investigation and response

Areas examined

This chapter examines whether the Australian Taxation Office (ATO) has effectively implemented processes to detect and deal with suspected Goods and Services Tax (GST) fraud.

Conclusion

The ATO’s processes to detect and deal with suspected GST fraud are largely effective.

The ATO has implemented effective processes to confidentially report allegations of suspected fraud. The ATO has procedures to assess and refer ‘tip offs’ of external fraud to the relevant business line for further action, and to assess and investigate allegations of suspected internal fraud.

The ATO has methods to detect potential GST fraud.

The ATO has processes for investigating suspected fraud and taking action but does not have a procedure to respond to a large-scale fraud event.

Area for improvement

The ANAO made one recommendation aimed at expanding the ATO’s integrity incident response framework to include large-scale fraud events.

3.1 Section 10 of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) requires the accountable authority of a Commonwealth entity to take all reasonable measures to detect and deal with fraud.58 In order to detect and then investigate and respond to fraud, entities must take active steps to find fraud when it occurs.

Does the ATO have appropriate processes for suspected GST fraud to be confidentially reported?

The ATO has processes for ATO officials and members of the public to confidentially report allegations of suspected GST fraud. The ATO has documented instructions and procedures for ATO officials to assess reports of suspected external fraud (including suspected GST fraud) and to refer these reports to the relevant business line for further investigation.

ATO processes for reporting suspected external fraud (including GST fraud)

3.2 Paragraph 10(d) of the PGPA Rule requires entities to have ‘a process for officials of the entity and other persons to report suspected fraud confidentially’.59 The fraud guidance notes that reporting suspected fraud is a common means of detection, and therefore it is important for entities to appropriately publicise fraud reporting mechanisms. Under the fraud guidance entities should encourage and support reporting of suspected fraud through proper channels, and this can include measures to protect those making such reports from adverse consequences.60

3.3 The ATO has channels for suspected fraud to be reported by the general public.61 These channels are advertised on the ATO’s website, including:

  • tip-off hotline;
  • tip-off form (the ATO tip-off form is also accessible through the ATO mobile app); and
  • postal address.

3.4 From 1 July 2019, amendments to the Taxation Administration Act 1953 created a whistleblower protection regime for the protection of individuals who report breaches of the tax laws or misconduct. The ATO advertises these arrangements on the ATO website.62

3.5 The ATO also has channels for ATO officials to report suspected external fraud and internal fraud, with details available in the ATO Fraud and Corruption Control plan, the external fraud and internal fraud Chief Executive Instructions (CEI), on the ATO intranet, and in staff mandatory training. From 2019–20 to 2022–23 the ATO received a total of 199,007 tip-offs from the general public and ATO officials, with 4,745 tip-offs (2.4 per cent) related to GST fraud (Table 3.1).

Table 3.1: Number and proportion of tip-offs from the general public and ATO officials received by the ATO related to GST fraud, 2019–20 to 2022–23

| Financial year | Total tip-offs received | Total tip-offs received related to GST fraud | Per cent of tip-offs related to GST fraud |
|---|---|---|---|
| 2019–20 | 56,292 | 125 | 0.2% |
| 2020–21 | 52,580 | 170 | 0.3% |
| 2021–22 | 43,020 | 2,280 | 5.3% |
| 2022–23 | 47,115 | 2,170 | 4.6% |
| Total | 199,007 | 4,745 | 2.4% |

Source: ANAO from ATO documentation.

3.6 The ATO has documented processes for ATO officials responsible for assessing tip-offs to determine if the allegation requires a rapid response from the relevant ATO business line, or referral to other government departments/agencies. The ATO maintains a list of current and emerging risks to assist with determining if a rapid response is required.

3.7 In November 2021, the ATO Tax Integrity Centre (which is responsible for managing ATO ‘tip-offs’) identified a trend in tip-offs concerning GST refund fraud through its daily manual review of tip-offs. From January 2022 escalation pathways for GST fraud tip-offs were established, and between November 2021 and May 2022, 1,169 tip-offs were escalated to the ATO’s Small Business line for action.

3.8 The ATO Tax Integrity Centre holds discussions and provides reports of tip-off data to business lines if requested. The ATO’s System Integrity Management Group63 April 2023 meeting discussed insights into the ATO’s fraud maturity, and noted the ATO is:

Not leveraging intelligence from AUSTRAC [Australian Transaction Reports and Analysis Centre] and TIC referrals.

3.9 The ATO Tax Integrity Centre developed a database solution to make data gathered from ‘tip-offs’ available on-demand for use in data analytics and risk models from July 2023.

Does the ATO have appropriate methods to detect potential GST fraud?

The ATO has largely appropriate methods to detect potential GST fraud. The ATO’s measures of effectiveness for GST fraud detection have improved over time. Registers of controls used to detect potential GST fraud are dispersed across ATO business lines and the ATO does not maintain a centralised register. The dispersed nature of GST controls means the ATO relies on internal committee discussions to draw together a ‘whole of GST product’ perspective on the effectiveness of these methods, rather than on collated or aggregated data.

The Contemporising GST Risk Models (CGRM) project involves a redesign of existing risk models to detect Business Activity Statement refunds that are incorrect, based on a risk likelihood score. The CGRM project ran 12 months behind schedule, with models being deployed over time from May 2021 to January 2022.

The ATO is assessing the effectiveness of two risk models deployed under the CGRM project (the identity crime and the incorrect reporting models) through a random audit program. This project is running eight months behind schedule.

The ATO utilises other methods to detect potential GST fraud including data matching, referrals from financial institutions and using justified trust to assure GST compliance of large businesses.

3.10 Paragraph 10(d) of the PGPA Rule states that the accountable authority must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by ‘having an appropriate mechanism for detecting incidents of fraud or suspected fraud’.64

3.11 The ATO Fraud and Corruption Control Plan 2023 states:

The ATO employs measures designed to uncover incidents of fraud and corruption when they occur.65

3.12 The ATO does not maintain a centralised GST fraud risk register or a central record of controls used to detect GST fraud. The ATO advised the ANAO that control records are maintained by the ATO business lines.

Detecting potentially incorrect GST refunds

3.13 Since the introduction of the GST in 2000, the ATO has used risk assessment tools and models to detect potentially incorrect GST refunds in a ‘real time environment’ at the time of Business Activity Statement (BAS) lodgment and prior to the issue of any refund. All BAS refunds are risk assessed as part of the refund processing system. In 2021–22, of the $5.41 billion raised by the ATO in GST compliance liabilities, 59 per cent ($3.19 billion) was for refund integrity.66

3.14 In 2022–23 the ATO processed 11.2 million BAS and issued 2.1 million refunds. Of the 10.9 million BAS lodged in 2022–23, 92.7 per cent were lodged electronically.67

3.15 In the 2010–11 Federal Budget the ATO received $337.5 million over four years under the GST Compliance Program to fund additional GST compliance activities.68 The GST Compliance Program was extended by two years (2014–15 and 2015–16) with $195.3 million provided to the ATO to continue activities to promote voluntary GST compliance.69 In the 2015–16 Federal Budget the ATO GST Compliance Program was extended with $265.5 million provided over three years from 2016–17 to continue activities to promote GST compliance.70 The GST Compliance Program was extended again in the 2018–19 Mid-Year Economic and Fiscal Outlook with funding totalling $466.9 million over four years, including funding to assist the ATO develop more analytical tools to combat emerging risks in the GST system (the Contemporising GST Risk Models [CGRM] project).71 The CGRM project ran 12 months behind schedule, due to the impact of resource reallocations from the ATO’s response to COVID-19. This required the ATO to move allocated CGRM project funding from 2019–20 to 2020–21.

3.16 The intent of the CGRM project is to modernise and improve the ATO’s capability to manage GST compliance risks by replacing or updating existing risk models. The ATO commenced deployment of the CGRM project risk models in May 2021, with the suspect refunds overlay model (SR2) replacing the existing suspect refunds model. An internal ATO evaluation finalised in June 2022 examining the effectiveness of the CGRM project showed the SR2 model has resulted in:

  • a reduction in the number of cases created in error;
  • a reduction in the number of duplicate cases; and
  • an improvement in the ‘strike rate’ from an average of 83 per cent (2018–19 to 2020–21) to 94 per cent in 2021–22.72

3.17 Two additional models were deployed into production in June 2021 to enable automated real time ‘nudge’ messaging during the online BAS lodgment process, allowing the taxpayer to self-correct the BAS prior to lodgment. Two further ‘nudge’ messaging models were deployed in September 2021 and March 2022.73

3.18 In January 2022 the ATO deployed two post-lodgment models, the identity crime model and the incorrect reporting model. After deployment these models identified increasing numbers of outputs with a risk likelihood score of 0.8 or above (Table 3.2).74 The likelihood score of 0.8 was categorised as ‘high risk’ for the purpose of Operation Protego.

Table 3.2: Monthly risk models output with a risk likelihood score of 0.8 or above[a] (categorised as high risk for Operation Protego), January 2022 to July 2022, number

| Month | Potential refunds with a risk likelihood score of 0.8 or above |
|---|---|
| January 2022 | 9,732 |
| February 2022 | 17,084 |
| March 2022 | 31,537 |
| April 2022 (all refunds with a likelihood score of 0.8 and above stopped) | 35,642 |
| May 2022 | 19,758 |
| June 2022 | 13,027 |
| July 2022 | 6,813 |

Note a: The risk likelihood score is a number between 0 (low likelihood) and 1 (high likelihood) determining the likelihood that the refund is incorrect.

Source: ANAO from ATO documentation.

3.19 Once a refund has been identified by the CGRM models as requiring review based on the likelihood score, the ATO undertakes risk treatment. The number of cases actioned by the ATO is determined by the number of risk treatments planned to be undertaken by each business line, not by the model outputs. A case can be treated pre-issue (before the GST refund is issued) or post-issue (after the GST refund is issued). In 2022–23 the ATO undertook 43,103 pre-issue refund checks and 26,796 post-issue refund checks (Table 3.3).

3.20 The increase in case numbers for 2021–22 and 2022–23 compared to prior years reflects the treatment of suspected fraudulent GST refund lodgments under Operation Protego (see discussion of Operation Protego at Appendix 5). During Operation Protego (April 2022 to October 2023) the ATO implemented additional risk treatments to disrupt the behaviour and stop revenue leakage.

Table 3.3: Number of GST refund checks for cases and audits performed pre-issue and post-issue, 2017–18 to 2022–23[a]

| Number | 2017–18 | 2018–19 | 2019–20 | 2020–21 | 2021–22 | 2022–23 |
|---|---|---|---|---|---|---|
| Pre-issue refund checks (cases) | 21,220 | 14,151 | 12,509 | 17,201 | 65,771 | 43,103 |
| Pre-issue refund checks (audits) | 3,995 | 3,547 | 3,241 | 6,406 | 53,986 | 39,070 |
| Post-issue refund checks (cases) | 16,373 | 19,549 | 13,747 | 6,912 | 22,638 | 26,796 |
| Post-issue refund checks (audits) | 927 | 542 | 231 | 126 | 5,875 | 18,403 |

Note a: ‘Cases’ are work items created in the ‘Siebel’ work management system. ‘Audits’ are cases that have moved into the ‘audit and review’ classification in Siebel. Case numbers include audits. The increase in cases and audits for 2021–22 and 2022–23 is the result of activities relating to Operation Protego.

Source: ANAO from ATO documentation.

3.21 The GST refund ‘strike rate’ measures the percentage of pre-issue and post-issue cases and audits which achieved a result (which may or may not change net GST75) divided by the number of audit and enforcement cases completed. The strike rates for pre-issue cases and audits and post-issue cases and audits have all increased from 2017–18 to 2022–23 (Table 3.4).

Table 3.4: GST refund cases and audits strike rate[a] pre-issue and post-issue, per cent, 2017–18 to 2022–23

|  | 2017–18 % | 2018–19 % | 2019–20 % | 2020–21 % | 2021–22 % | 2022–23 % |
|---|---|---|---|---|---|---|
| GST refund strike rate — pre-issue cases | 19.0 | 25.5 | 27.9 | 39.8 | 81.8 | 89.4 |
| GST refund strike rate — pre-issue audits | 96.8 | 98.0 | 98.1 | 97.7 | 98.5 | 98.4 |
| GST refund strike rate — post-issue cases | 5.2 | 2.7 | 1.6 | 2.2 | 24.7 | 63.0 |
| GST refund strike rate — post-issue audits | 86.9 | 86.7 | 88.3 | 90.5 | 94.9 | 91.6 |

Note a: The ATO defines the GST refund ‘strike rate’ as the number of audit and enforcement cases completed which achieved a result (which may or may not change net GST) as a percentage of the number of all audit and enforcement cases completed.

Source: ANAO from ATO documentation.

3.22 The ATO commenced a program of work in November 2022 to improve risk identification by two of the post-lodgment risk models deployed in January 2022 under the CGRM project (the identity crime model and the incorrect reporting model). This work program is testing the risk model outputs by randomly selecting cases from a set of risk bands based on scores generated by the model for further testing. Existing treatment pathways (reviews and audits) for selected cases are being utilised. A risk guide was prepared for ATO officials undertaking reviews and audits to provide guidance and detail the required steps to be undertaken, with a separate form to be completed by ATO officials for intelligence capture purposes. This program of work was scheduled to be completed by August 2023 but is running eight months behind schedule. ATO documents state the delay is due to resourcing issues, the time required to build proficiency for case officers and the impact of case complexity. The ATO intends to finalise this work by April 2024.

3.23 In the 2023–24 Federal Budget, the GST Compliance Program was extended, with $588.8 million provided to the ATO over four years from 1 July 2023. The funding provided through this extension is intended to ‘also help the ATO develop more sophisticated analytical tools to combat emerging risks to the GST system’.76 Phase 2 of the CGRM project commenced in 2023 and is a four-year project to build on Phase 1 by developing new risk models to:

  • further identify risks of incorrect reporting;
  • identify high-risk registrants; and
  • enhance model outputs to allow for differentiated treatments.

Other methods to detect potential GST fraud

3.24 In addition to detection methods to identify potentially incorrect GST refunds, the ATO utilises other methods to detect potential GST fraud, including referrals from financial institutions of potentially suspicious refunds (including GST refunds), data-matching for property transactions, off-shore suppliers of low value imported goods and non-lodgment. The ATO also uses the justified trust regime to obtain assurance that large businesses are paying the correct amount of GST.

Referrals from financial institutions of potentially suspicious refunds

3.25 The ATO has an established process to assess referrals from the Reserve Bank of Australia (RBA) of potentially suspicious refunds (including GST refunds) identified by financial institutions. After identifying a potentially suspicious refund, the financial institution notifies the RBA. The RBA refers the potentially suspicious refund to the ATO, which conducts an audit, review or risk assessment and then advises the financial institution of the ATO’s decision to either retain or release the refund. The ATO’s data shows an increase in referrals from financial institutions between October 2021 and March 2022 (see discussion of Operation Protego at Appendix 5) (Figure 3.1).

Figure 3.1: Percentage change in referrals from financial institutions to the ATO compared to prior month, July 2021 to June 2022

 

Source: ANAO from ATO documentation.

Property transactions with GST implications

3.26 The ATO detects potentially fraudulent property transactions using risk detection models including the CGRM project risk detection models, along with rule-based case selection models to identify high-risk refunds and other potentially fraudulent behaviour.

3.27 The ATO sources property data from the states and territories along with other relevant taxation and financial data including data from the Australian Securities and Investments Commission, and uses ‘data matching’ within case selection models to identify potential non-compliance, including potential fraud. The ATO has a case selection pathway that determines the allocation of the case for audit, review or other actions. Between 2017–18 and 2022–23 the ATO completed an average of 3,023 cases and 274 audits annually of potentially fraudulent property transactions. The average percentage of cases and audits resulting in a GST adjustment increased from 57 per cent in 2017–18 to 70 per cent in 2022–23. The ATO advised the ANAO in January 2024 that the combination of new or improved data sources and technical training for ATO staff has led to increased GST adjustments over this time period. For ‘disengaged’ property developers77, the ATO completed an average of 1,071 cases and 169 audits annually between 2017–18 and 2022–23, with the average percentage of cases and audits resulting in a GST adjustment increasing from 67 per cent in 2017–18 to 78 per cent in 2022–23 (Table 3.5).

Table 3.5: Average percentage of cases and audits of potentially fraudulent property transactions resulting in a GST adjustment, per cent, 2017–18 to 2022–23

| Project name | 2017–18 % | 2018–19 % | 2019–20 % | 2020–21 % | 2021–22 % | 2022–23 % |
|---|---|---|---|---|---|---|
| Property | 57 | 63 | 66 | 66 | 70 | 70 |
| ‘Disengaged’ property developers | 67 | 64 | 69 | 69 | 74 | 78 |

Source: ANAO from ATO documentation.

Low value imported goods (LVIG)

3.28 Since 1 July 2018, offshore suppliers of low value imported goods (value AUD $1000 or less) are subject to GST once taxable supplies exceed the AUD $75,000 GST registration threshold.78

3.29 The ATO utilises data collection (via the ATO and third parties) and exchange of information with other tax jurisdictions to detect potential non-compliance with GST obligations by offshore suppliers. The ATO undertook 64 cases of compliance action for offshore supplies of low value imported goods and inbound intangible consumer supplies79, which resulted in GST revenue of $38.6 million in 2022–23 (Table 3.6).

Table 3.6: ATO planned and actual cases and GST revenue from compliance actions for offshore supplies of low value imported goods and inbound intangible consumer supplies[a], 2019–20 to 2023–24

|  | 2019–20 | 2020–21 | 2021–22 | 2022–23 | 2023–24 |
|---|---|---|---|---|---|
| Planned cases (number) | 158 | 68 | 61 | 70 | 148 |
| Planned GST revenue ($million) | 10.0 | 51.6 | 52.0 | 40.0 | 38.3 |
| Actual cases (number) | 87 | 68 | 48 | 64 | In progress |
| Actual GST revenue ($million) | 23.4 | 58.6 | 47.7 | 38.6 | In progress |

Note a: ‘Inbound intangible consumer supply’ means sales of anything other than goods or real property to an Australian consumer (for example, digital products and other services) that are made to an Australian consumer and not wholly done in Australia or through a business run in Australia.

Source: ANAO from ATO documentation.

Non-lodgment

3.30 The ATO undertakes direct contact with taxpayers who are registered and have not met their lodgment obligations. The ATO has two models to prioritise direct contact and lodgment compliance action based on the risk to revenue. The ATO also utilises ‘data matching’ with other taxation data to identify non-lodgers. For example, the ATO compares entities that declare business income in their income tax returns but do not lodge a BAS. Lodgment compliance activities undertaken by the ATO raised $743.0 million of GST liabilities in 2021–22.80

Justified trust

3.31 The ATO’s justified trust regime ‘seeks objective evidence that would lead a reasonable person to conclude a particular taxpayer paid the right amount of tax’ by confirming the existence, application and testing of a tax risk management and governance framework for large businesses.81 To provide GST assurance from justified trust, the ATO seeks objective evidence of the existence of policies and procedures, system rules and IT systems that reliably determine the correct GST treatment of sales and purchases. In 2019–20, 1.1 per cent of the GST base was assured by justified trust compared to 1.2 per cent, 8.1 per cent and 5.8 per cent in 2016–17, 2017–18 and 2018–19 respectively.82 The ATO advised the ANAO in January 2024 that ‘the proportion of the GST base assured varies each year depending on the amount of GST payable by the GST reporters (or divisions of reporters) assured in that year’.

3.32 In 2021–22, the ATO raised $146.4 million of GST liabilities attributed to the justified trust regime.83

Consideration of fraud detection method outputs from a ‘whole of GST’ product perspective

3.33 The ATO does not collate or aggregate data from the various fraud detection methods in each ATO business line to develop a ‘whole of GST’ product perspective of fraud. The ATO internal committees responsible for GST administration receive reporting, including data on the results from the various methods used to detect fraud. The ATO advised the ANAO in July 2023 that there is discussion of risks across the committees, and that urgent issues would not wait for the committee to meet but would be escalated immediately. The ATO’s arrangements to oversee, monitor and report on fraud control arrangements for the administration of GST are examined in Chapter 4.

Are there appropriate processes in place for investigating suspected fraud and taking appropriate action?

The ATO has largely appropriate processes in place for investigating suspected fraud and taking appropriate action. The ATO has documented procedures in place to investigate suspected internal fraud and external fraud and is in the process of updating documents to meet the Australian Government Investigations Standard 2022 requirements.

The proportion of Integrated Compliance cases and audits resulting in a GST adjustment was 32.4 per cent of cases and 81.9 per cent of audits completed in 2022–23.

The ATO did not have a procedure to respond to a large-scale external fraud event such as the GST fraud event that led to the ATO’s ‘Operation Protego’ response from April 2022 to October 2023.

The ATO publicly reports the results of tax crime prosecutions, including prosecutions for GST fraud, on the ATO website.

3.34 Paragraph 10(e) of the PGPA Rule requires the accountable authority to have an appropriate mechanism for investigating or otherwise dealing with incidents of fraud or suspected fraud.84 The fraud guidance states:

Entities are encouraged to take a common sense approach to non-compliance, misconduct and trivial fraud by having graduated and proportionate responses based on their risk tolerance and risk environment.85

ATO external fraud referrals process

3.35 The ATO Tax Integrity Centre (TIC) is the central point within the ATO for the collection, storage, analysis and sharing of external fraud allegations (‘tip-offs’). These allegations are recorded and managed in a centralised system.

3.36 TIC officials assess these allegations to determine whether further action is required and if so refer them to the relevant ATO business lines (including Integrated Compliance). The ATO has documented procedures to assist TIC officials make decisions about which ATO business line should receive external fraud allegations. In 2022–23, 3.1 per cent of tip-offs were assessed by TIC officials as requiring no further action (Table 3.7).

Table 3.7: ATO action taken for external fraud allegations ‘tip offs’

 

| | 2019–20 | 2020–21 | 2021–22 | 2022–23 |
|---|---|---|---|---|
| Tip offs referred to ATO business lines | 54,558 | 51,223 | 41,389 | 45,636 |
| Tip offs where no further action was taken | 1,734 | 1,357 | 1,631 | 1,479 |
| Total tip offs | 56,292 | 52,580 | 43,020 | 47,115 |
| Per cent of tip offs where no further action was taken | 3.1% | 2.6% | 3.8% | 3.1% |

         

Source: ANAO from ATO documentation.

3.37 The ATO’s external fraud CEI requires ATO officials to report any suspicion of external fraud detected to the ATO’s Integrated Compliance business line (Integrated Compliance) and include advice on whether further investigation is required and why. The CEI mandates a fraud referral to Integrated Compliance when the ATO has decided to impose an administrative penalty86 of 75 per cent of the shortfall amount (for intentional disregard of the law); or 50 per cent of the shortfall amount (for recklessness) and where fraud is suspected. ATO officials within ATO business lines can report suspected GST fraud to Integrated Compliance using the ATO’s online fraud referral form available in the ATO’s work management system, or via email.

3.38 Integrated Compliance officials assess the referrals to determine whether further action is required. The ATO has documented procedures to assist Integrated Compliance officials with this activity. Figure 3.2 summarises the process Integrated Compliance uses to assess referrals of suspected external fraud received from ATO officials.

Figure 3.2: ATO’s external fraud referrals process

 

Source: ANAO from ATO documents.

3.39 Table 3.8 presents the number of referrals received by Integrated Compliance annually from 2020–21 to 2022–23. In 2021–22 (90.2 per cent) and in 2022–23 (91.3 per cent), the majority of referrals received by Integrated Compliance were Operation Protego referrals that were actioned by the Small Business line but reported to Integrated Compliance to comply with the external fraud CEI requirements.

Table 3.8: Number of referrals received by Integrated Compliance, 2020–21 to 2022–23a

 

| | 2020–21 | 2021–22 | 2022–23 |
|---|---|---|---|
| Referrals | 6,035 | 31,586 | 60,432 |
| Operation Protego referrals (actioned by Small Business line but reported to Integrated Compliance to comply with external fraud CEI) | 0 | 28,497 | 55,159 |

       

Note a: Prior to 2019 all case work was generally actioned within the Indirect Tax business line, which was disbanded in 2019. Integrated Compliance replaced a multitude of different referral pathways into a single referral pathway in August 2019, and this was incrementally rolled out for all referrals to Integrated Compliance from February 2020. Data is comparable from 2020–21 onwards.

Source: ANAO from ATO documentation.

3.40 The proportion of Integrated Compliance cases and audits resulting in a GST adjustment was 27.6 per cent of cases and 87.9 per cent of audits completed in 2019–20, and 32.4 per cent of cases and 81.9 per cent of audits completed in 2022–23 (Table 3.9).

Table 3.9: Integrated Compliance cases and audits resulting in a GST adjustment, 2019–20 to 2022–23

| Case type | 2019–20 (%) | 2020–21 (%) | 2021–22 (%) | 2022–23 (%) |
|---|---|---|---|---|
| Cases | 27.6 | 34.0 | 65.6 | 32.4 |
| Audits | 87.9 | 78.4 | 90.8 | 81.9 |

         

Source: ANAO from ATO documentation.

ATO internal fraud referrals process

3.41 The ATO’s internal fraud CEI requires ATO officials to report any suspicion of internal fraud through the ‘Speak Up’ channels (phone, email or an anonymous fraud alert form on the ATO intranet). The ATO’s process for assessing and actioning suspected internal fraud referrals is at Figure 3.3.

3.42 The ATO’s Fraud Prevention and Internal Investigations (FPII) Branch assesses all matters received via these channels. The FPII will convene a Tasking and Coordination Committee (a leadership team) to assess and prioritise allegations if the intake and assessment team requires further advice. The decision to undertake or not to undertake an investigation is made by an SES or Executive Level 2 ATO official.

Figure 3.3: ATO’s internal fraud referrals process

 

Source: ANAO from ATO documents.

3.43 During 2022–23, FPII triaged and assessed 798 allegations or reports via the ATO’s ‘Speak Up’ integrity channel. Of these 798 allegations, 184 identified potential internal fraud, corruption or serious misconduct risk that required further investigation. In 2022–23 the ATO commenced 71 internal fraud investigations, commenced 44 alternative actions and did not proceed with 69 investigations or alternative actions.

ATO investigation procedures

3.44 The Australian Government Investigations Standard (AGIS) was updated in October 2022.87 Entities are required to proactively transfer their approaches from the requirements of the AGIS 2011 (the previous standard) to the updated requirements of AGIS 2022 ‘within a reasonable timeframe’.88 The ATO is in the process of updating the internal fraud investigation procedures to the AGIS 2022 and expects the draft to be available by the end of January 2024. The ATO is also in the process of updating the investigation procedures for external fraud to align with AGIS 2022 and expects to complete the updates by 29 February 2024.

The Integrated Compliance integrity incident response framework

3.45 In 2022 Integrated Compliance developed an integrity incident response to supplement the existing ‘rapid response groups’ mechanism to respond to fraud events during ‘Tax Time’.89 Rapid response groups are invoked ‘only in instances where there are known existing fraud behaviours identified’. The integrity incident response is intended to supplement the business line rapid response groups, and applies to ‘new third party fraud not detected by existing controls’.

3.46 The ATO advised the ANAO in July 2023 that an integrity incident response was not utilised in response to the fraud events leading up to Operation Protego as:

The incidents and instances of potential fraud that led to Operation Protego resulted from known fraud risks. [The Framework] is only initiated in instances of new, third-person frauds to identify systemic vulnerabilities and formulate proposals to mitigate those vulnerabilities.

3.47 The ATO’s Chief Internal Auditor report (April 2023) on the ATO’s learnings from Operation Protego identified that while the business lines were monitoring early warning signals of potential GST fraud, the ‘whole of GST fraud risk’ was not sufficiently measured and managed, and the ATO did not have an escalation and rapid response approach to respond to alerts that had raised the prospect of a systemic issue. The report notes that the ATO could experience a large-scale fraud event at any time. The report also notes that capabilities and controls should be in place to respond to events rather than reacting, and large-scale fraud treatment actions, roles and responsibilities could have been arranged ahead of time to allow for a timelier management response.

Recommendation no.4

3.48 The ATO should develop and implement a response for large-scale fraud events that do not meet the criteria specified in the extant Integrity Incident Response Framework. The response should encompass:

  a. the ability to monitor early warning signals from the disparate fraud detection methods across ATO business lines, including ‘tip-offs’ received by the ATO Tax Integrity Centre;
  b. identification of escalation triggers and the pathways that will be followed to develop an ATO response;
  c. a clear allocation of decision-making authority and accountability for initiating and finalising a rapid response;
  d. a prioritisation approach for action, emphasising the prevention and containment of revenue leakage;
  e. actions to recover losses; and
  f. criteria to evaluate the success of the framework’s use to contain fraud events, and the ability to adjust the framework in response to evaluation findings.

Australian Taxation Office response: Agreed.

3.49 The ATO agrees to develop and implement a response for large-scale fraud events that do not meet the criteria specified in the Integrity Incident Response Framework, encompassing all sub-elements (a to f) as specified.

3.50 The ATO publicly reports on its website the annual collation of results for prosecutions and tax crime prosecutions.90 The ATO also issues media releases of the results of tax crime prosecutions, including prosecutions for GST fraud on the ATO website. The ATO’s media release webpage includes a search function to allow for filtering of media releases by keywords.

4. Oversight, monitoring and reporting

Areas examined

This chapter examines whether the Australian Taxation Office (ATO) has effective governance, monitoring and reporting arrangements for fraud control of the Goods and Services Tax (GST) and has complied with mandatory reporting requirements in the Commonwealth Fraud Control Framework.

Conclusion

The ATO has partly effective governance arrangements for GST fraud control. There is a lack of clarity regarding ownership of GST risks, and artefacts to support risk assessment, monitoring and treatment are incomplete or in draft.

The ATO provides reports to its Audit and Risk Committee through the ATO’s conformance reporting process and dashboard. The benchmark used in the dashboard reporting is not fit for purpose as it is a measure of fraud and error for government payments. In contrast, the ATO’s fraud indicators reported in the dashboard are the proportion of tax lodgments that are referred for investigation.

Areas for improvement

The ANAO made one recommendation for the ATO to consider an alternative benchmark for its fraud indicators.

4.1 Paragraph 10(f) of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) states that the accountable authority of a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by having an appropriate mechanism for recording and reporting incidents of fraud or suspected fraud.91 Paragraph 14 of the fraud policy sets out requirements for entities to provide information to the Australian Institute of Criminology (AIC) to facilitate the AIC’s annual report to the Attorney-General’s Department.92

Does the ATO have effective governance and reporting arrangements for GST fraud control?

The ATO’s governance and reporting arrangements for GST fraud control are partly effective. The ATO has identified there is a lack of clarity regarding accountability for GST fraud control and after two years of committee discussions this issue remains unresolved. Interim arrangements establishing a GST Fraud Advisor were endorsed by the GST Product Committee (an ATO SES Band 2 committee with responsibility for GST administration within the ATO) in September 2023, with a risk assessment on fraud in the GST system along with a deep dive on fraud in the GST system to be completed in early 2024.

The ATO provides reports to its Audit and Risk Committee through the ATO’s conformance reporting process and dashboard. The benchmark used in the dashboard reporting is not fit for purpose as it is a measure of fraud and error for government payments. In contrast, the ATO’s fraud indicators reported in the dashboard are the proportion of tax lodgments that are referred for investigation.

4.2 Effective governance arrangements drive accountability for performance by allowing appropriate oversight of program delivery, including how risks (including the risk of fraud) are being identified, reported and managed.

ATO-wide governance of fraud control arrangements

4.3 Key responsibilities specified in the ATO Fraud and Corruption Control Plan 2023 state that the Commissioner of Taxation is the:

Accountable Authority responsible for taking all reasonable measures to prevent, detect and deal with fraud for the ATO, Tax Practitioners Board and the Australian Charities and Not-for-Profits Commission.93

4.4 The ATO Fraud and Corruption Control Plan 2023 specifies five ATO committees with fraud control responsibilities (Table 4.1).

Table 4.1: Fraud control governance — ATO committee roles and responsibilities

| Committee | Committee roles and responsibilities |
|---|---|
| Audit and Risk Committee | Provides independent advice and assurance to the Commissioner of Taxation about the risk oversight and management of systems in place to implement the ATO’s Fraud and Corruption Control Plan. |
| ATO Enterprise Risk Management Committee | Considers emerging risks, which may include fraud and corruption, in the context of the ATO’s strategic objectives. |
| Integrity Steering Committee | Sets strategic, whole-of-ATO direction on external fraud risks and threats. |
| System Integrity Management Group | Takes a coordinated approach to fraud risk management across the organisation. Champions embedding fraud control practices. |
| Client Identity Refund Fraud Forum | Identifies, prioritises and drives initiatives to support refund integrity and management of identity crime. |

   

Source: ANAO from Australian Taxation Office, ATO Fraud and Corruption Control Plan 2023, ATO, 2023.

4.5 The Integrity Steering Committee (an ATO SES Band 2 Committee) is central to the ATO’s governance of external fraud with responsibility for determining and directing the ATO’s response to external fraud risks and threats, as specified in the ATO Fraud and Corruption Control Plan 2023. The Integrity Steering Committee is co-chaired by the Deputy Commissioner, Integrated Compliance in the Client Engagement Group (the risk owner for external fraud), and the Deputy Commissioner, Client Account Services within the Service Delivery Group.94

4.6 The Integrity Steering Committee supports the Security Committee (an ATO SES Band 2 Committee chaired by the ATO Chief Information Officer), which is responsible for ‘strategic oversight of the ATO’s security and business continuity management outcomes’. The Security Committee’s charter specifies Committee matters extend to ‘the internal and external fraud landscape’. The Deputy Commissioner Integrated Compliance (co-chair of the Integrity Steering Committee and risk owner for external fraud) is a member of the Security Committee. The Deputy Commissioner Integrated Compliance presents an external fraud biannual report to the Security Committee that includes the external fraud dashboard (see paragraph 4.21). The Security Committee reports to the ATO Executive Committee, an SES Band 3 Committee chaired by the Commissioner of Taxation. During 2022–23 the ATO Executive Committee received updates on Operation Protego including information on the timeline for key events, the governance framework to manage the Operation, and the debt recovery strategy of fraudulent GST refunds.

4.7 As specified in the ATO Fraud and Corruption Control Plan 2023, the Integrated Compliance business line is responsible for responding to serious tax evasion and financial crime and provides the ATO’s investigative and prosecutorial capability. This business line also conducts the system integrity program to ensure senior responsible officers have appropriate external fraud risk tolerances, treatments and controls in place for their programs. The Deputy Commissioner for Integrated Compliance is the risk owner for external fraud and four of the six priority behavioural risks where external fraud is prevalent as specified in the ATO Fraud and Corruption Control Plan 2023:

  • identity crime enabled fraud;
  • serious and organised crime;
  • offshore tax evasion; and
  • illegal phoenix.

4.8 The ATO Fraud and Corruption Control Plan 2023 does not identify the risk owners for the remaining two priority behavioural risks (refund fraud and black economy95). The Deputy Commissioner for Integrated Compliance also manages the serious financial crime response across government and internationally for the ATO.

4.9 The ATO Fraud and Corruption Control Plan 2023 specifies the Fraud Prevention and Internal Investigations (FPII) Branch in the Enterprise Strategy and Corporate Operations Group is responsible for implementing measures to prevent, detect and respond to internal fraud and corruption. The Assistant Commissioner FPII (an SES Band 1 position) is the risk owner for internal fraud, and leads an independent function supporting the Commissioner on internal fraud control. The internal fraud risk owner provides reports to the ARC on the management of internal fraud and corruption risk. The Assistant Commissioner FPII maintains the role of ‘advisor’ to the ARC and holds the position of ‘advisor’ to the ISC.

Governance of GST administration

4.10 Schedule A of the Intergovernmental Agreement on Federal Financial Relations (paragraph A20)96 provides that the GST Administration Sub-Committee (GSTAS) will monitor the operation and administration of the GST and make recommendations to Council on Federal Financial Relations (CFFR) regarding modifications to the GST and the administration of the GST.97 GSTAS membership comprises Commonwealth, state and territory officials. In accordance with the terms of the Agreement, GSTAS delegates aspects of that role to the GST Policy and Administration Sub-group (GPAS) (Figure 4.1).98

Figure 4.1: Committees governing the GST Administration Performance Agreement

 

Source: ANAO based on ATO documentation.

4.11 The ATO has established a committee structure for GST administration (Figure 4.2). This committee structure brings together the managers and senior executives responsible for GST administration from different business lines across the ATO. The GST Program Branch in the International, Support and Programs business line in the Client Engagement Group provides the secretariat function for this committee structure.

Figure 4.2: ATO committees governing GST administration

Source: ANAO based on ATO documents.

4.12 GST fraud-related matters regularly come before the internal ATO committees for GST administration for information and discussion. There is no formal process in place for these committees to report or escalate issues to the ATO-wide committees with responsibility for fraud control.

GST risk ownership within the ATO

4.13 The ATO has allocated responsibility for its six ‘endemic’ GST risks as follows:

  • GST correct reporting and GST food classification to the Small Business line;
  • GST real property to the Private Wealth business line;
  • GST financial services and insurance, and GST International to the Public Groups and International business line99; and
  • GST evasion to the Integrated Compliance business line.

4.14 Committee records from 2021–22 to 2022–23 for the three GST committees in Figure 4.2 showed recurring discussions regarding the need to clarify governance structures and risk accountabilities, summarised as follows.100

  • Ownership and management of a GST endemic risk is allocated to one business line, but the risk relates to responsibilities of business lines other than the risk owner.
  • Incomplete artefacts include risk assessments and treatment strategies.

4.15 Since early 2021, the ATO has made attempts to clarify governance and accountabilities; however, ownership and management of GST endemic risks and finalisation of artefacts (including risk assessments and treatment plans) continue to be discussed and are incomplete. At its 20 June 2023 meeting, the GST Product Committee (an SES Band 2 Committee) endorsed renaming one endemic risk, ‘correct reporting’, to ‘GST refund integrity’, with the Small Business line to be the risk lead and having responsibility for the risk assessment, while treatment approaches remain the responsibility of individual business lines. The following items have been identified for further progression during 2024.

  • A GST system vulnerability assessment for presentation to the GST Strategic Risk Committee (SRC) in December 2023, that is also intended to inform a deep dive into fraud in the GST system for presentation to the GST SRC in February 2024.
  • Recommendations from the GST Strategic Risk Committee to the GST Product Committee to decommission the endemic GST evasion risk and establish the Assistant Commissioner, Phoenix and Evasion Program, Behaviours of Concern, as the GST Fraud Advisor were endorsed as ‘interim’ on 28 September 2023. The GST Product Committee will review this decision following a risk assessment on fraud in the GST system along with a deep dive on fraud in the GST system, to be co-ordinated by the GST Program Branch and completed in early 2024.
  • The GST SRC plans to discuss the endemic risks of GST real property, GST international and GST financial services and insurance in November and December 2023, and early 2024.

Reporting provided to the Audit and Risk Committee

Internal fraud

4.16 The ATO internal fraud risk owner provides reports to the ARC (also see paragraph 4.9) on activity during the relevant reporting period by presenting:

  • a status update of the FPII’s Forward Work Program; and
  • an ARC dashboard and dashboard report.

4.17 The ‘ARC dashboard’ for internal fraud reports the ATO’s compliance status across eight categories to accord with the Commonwealth Fraud Control Framework categories.101 The status of compliance for each category is rated green (fully compliant), amber (substantially compliant with low risk instance(s) of non-compliance) or red (one or more high risk areas of non-compliance). The dashboard status reporting for the six most recent ARC meetings (March 2022 to August 2023) was examined by the ANAO, with the internal fraud compliance status for each of the eight categories rated ‘green’ (fully compliant) for all reporting periods examined. The FPII team’s assessment that commenced in March 2023 determined the ATO’s internal response to Operation Protego ‘proactively mitigated any potential insider threat risk’, and ‘there have been no indicators that the internal fraud risk landscape is changing and we [the ATO] have not observed any identifiers of corruption which would shift this risk’.

4.18 The October 2023 FPII report to the ATO Audit and Risk Sub-committee (ARSC)102 on the 2022–23 Forward Work Program stated:

  • three of the four risk reviews, assessments and health checks had been completed and one (ongoing contract management) had been deferred to the 2023–24 Forward Work Program;
  • targeted detection scans and detection initiatives due June 2023 were ongoing; and
  • of the eight prevention activities, six had been completed and two were ongoing (fraud and corruption awareness sessions and internal communications).

4.19 The status report presented to the October 2023 ARSC was for the 2022–23 Forward Work Program. An annual review undertaken by FPII of the ATO’s internal fraud and corruption environment for 2022–23 was presented to the October 2023 ARSC, including the FPII’s program of work for 2023–24. There are five work program categories in the work program, comprising projects and programs of work; fraud risk reviews; strategic intelligence assessments; fraud detection and prevention and engagement. Under the category ‘projects and programs of work’ is the activity ‘external fraud perpetrated by ATO officers’ scoped as ‘types of external fraud perpetrated by ATO officers’ with a delivery timeframe of August 2024.

4.20 The ARC dashboard and dashboard report provides information and analysis, including trend analysis of FPII activities.

External fraud

4.21 The ATO external fraud risk owner provides reports to the ARC on activity during the relevant reporting period through two dashboards: the first is titled the ‘ARC dashboard’ for external fraud and the second is titled the ‘external fraud dashboard’.103 An extract of the ‘ARC dashboard’ was provided to the Security Committee in April 2022 and, from May 2022, the Integrated Compliance Risk Management Committee received a copy of the ‘external fraud dashboard’ in the Committee meeting papers with the purpose listed as ‘update’.104

4.22 The ‘ARC dashboard’ for external fraud reports the ATO’s compliance status across eight categories to accord with the Commonwealth Fraud Control Framework categories.105 The status of compliance for each category is rated green (fully compliant), amber (substantial compliance with low risk instance(s) of non-compliance) or red (one or more high risk areas of non-compliance). The dashboard status reporting for the six most recent ARC meetings (March 2022 to August 2023) is at Table 4.2.

Table 4.2: Dashboard reporting to the ATO Audit and Risk Committee — external fraud

 

Mar 22

Jun 22

Nov 22

Mar 23

Jun 23

Aug 23a

Consistent with the Commonwealth Fraud Control Frameworkb

Managing risk and fraud

Fraud risk assessments

Fraud control plans

Preventing fraud

Detecting fraud

Investigating and dealing with fraud

Recording and reporting fraud

             

Key: The ATO provides the following definitions: Green: fully compliant; Amber: substantially compliant with low risk instance(s) of non-compliance; Red: one or more high risk areas of non-compliance.

Note a: For the August 2023 ARC meeting, the External Fraud dashboard reported fraud risk assessments as ‘compliant’. However, the August 2023 ARC papers include a conformance and integrity report for the June 2023 quarter, and this report stated the external fraud conformance statement included a matter of non-conformance for ‘regularly conduct and review risk assessment in relation to GST risks’ as a new matter of non-conformance.

Note b: The rationale for an amber rating (substantially compliant) is provided in the dashboard report, but no information is provided when the rating changes from amber (substantially compliant) back to green (fully compliant). The information provided for the amber rating in the March 2023 dashboard for preventing, detecting and investigating fraud is replicated for June 2023 and August 2023, except in August 2023 the detail regarding mitigations had been removed.

Source: ANAO analysis of ATO documentation.

4.23 The ‘external fraud dashboard’ to the ARC includes two quarterly indicators for external fraud and GST fraud and shows an increase from March 2022 to September 2022 (during Operation Protego, see Appendix 5), and another increase in March 2023 after Integrated Compliance received a bulk referral of income and GST refund work actioned by the Small Business line (Figure 4.3).106 The dashboard notes provide the following definitions of these indicators.

  • External fraud indicator is calculated by the count of referrals (based on activities recorded in the ATO external fraud case management system) divided by the count of lodgments (sum of all original tax returns, Fringe Benefits Tax, Excise and Activity Statement form lodgments) multiplied by 100 over a 12-month period.
  • GST external fraud indicator is calculated by referrals with associated primary revenue product divided by the distinct lodgment type multiplied by 100 over a 12-month period.

Figure 4.3: ATO reporting to the ATO Audit and Risk Committee — quarterly external fraud indicator and quarterly GST fraud indicator (proportion of referrals to lodgments)a

Note a: Operation Protego commenced in April 2022. On 20 March 2023 Integrated Compliance received a bulk referral of income tax and GST refund work actioned by Small Business line (see paragraph 4.27).

Source: ANAO from ATO documentation.

4.24 The ATO also reports a year-to-date average for the external fraud indicator and the GST fraud indicator calculated from those quarters shown on the dashboard showing an increase in June 2022 (Operation Protego commenced in April 2022, see Appendix 5) and another increase in March 2023 after Integrated Compliance received a bulk referral of income and GST refund work actioned by the Small Business line (Figure 4.4).

Figure 4.4: ATO reporting to the ATO Audit and Risk Committee — year-to-date external fraud indicator and year-to-date GST fraud indicator (proportion of referrals to lodgments)a

Note a: Operation Protego commenced in April 2022. On 20 March 2023 Integrated Compliance received a bulk referral of income tax and GST refund work actioned by the Small Business line (see paragraph 4.27).

Source: ANAO from ATO documentation.

4.25 At the 8 June 2022 ARC, the ATO reported that:

The ATO’s fraud tolerance of 0.05 per cent is under pressure.107

4.26 The same ATO report to the ARC stated that:

The level of fraud on the system is currently recorded as 0.0004 per cent as of 30 April 2022. This is under the benchmark of 0.5 per cent, however this figure does not include the suspected fraud related to Operation Protego which is not yet recorded in the reporting system.

4.27 At the 8 June 2023 ARC meeting, the ATO advised that the increase in the annual overall level of suspected fraudulent transactions reported at 0.0942 per cent108 is largely due to a bulk referral on 20 March 2023 of income tax and GST refund work actioned by the Small Business line and reported to Integrated Compliance to comply with the external fraud CEI requirements (see Table 3.8). At the same meeting, the ATO changed the reference in the external fraud dashboard reporting to the ARC from ‘the [Attorney-General’s Department] AGD fraud benchmark from 0.5 per cent to 5 per cent’ to ‘a range from 3 per cent to 5.95 per cent’.109 No rationale for this change was provided to the ARC.

4.28 The ATO’s Fraud and Corruption Control Plan 2023 states that ‘the ATO has zero tolerance to any fraudulent or corrupt behaviour that may in any way impact the ATO’, while acknowledging that the ATO cannot avoid or prevent all fraud and corruption risks.110 The ATO’s 2020 Tax Crime Risk Assessment (finalised in May 2021) states that ‘the ATO accepts fraud will occur; but our risk appetite is that we will not tolerate it’. This assessment then states:

The AGD [Attorney-General’s Department] led Commonwealth Fraud Prevention Centre has issued benchmarking guidelines applicable to payment type programs administered by Government agencies that range from 0.05 per cent to 5.00 per cent.

4.29 The ATO’s 2020 Tax Crime Risk Assessment states that the ATO has low tolerance for its controls failing to mitigate fraud by more than an incidence rate ranging between 0.05 per cent to five per cent. The likelihood is set at RARE and it [the ATO] will not tolerate a consequence of more than MEDIUM. The risk was therefore determined to be within tolerance, with a note that continued improvements will be required to maintain tolerance.

4.30 The ATO reference to an AGD fraud benchmark is not accurate.

  • The benchmark is referenced from a leading practice guide (the AGD guide) issued by the AGD’s Commonwealth Fraud Prevention Centre to provide Commonwealth officials with practical steps for developing counter fraud investment cases. The AGD Commonwealth Fraud Prevention Centre has not issued benchmarking guidelines and the 0.05 per cent to five per cent reference is not an ‘AGD fraud benchmark’111; and
  • The benchmark is presented in the AGD guide as a case study example of fraud loss measurement from exercises conducted by the United Kingdom (UK) Government to build an evidence base of fraud loss based on 60 fraud loss measurement exercises. As noted in the AGD guide, this evidence base is not conclusive.112

4.31 The ATO’s use of the benchmark is not appropriate.

  • The benchmark is a measure of estimated fraud for government spending in the UK and is calculated using different numerators and denominators (amount of government spending lost to fraud and error divided by government spending) to the ATO’s external fraud indicator (number of referrals divided by the number of lodgments) or the GST fraud indicator (number of GST referrals divided by the number of lodgments) reported to the ARC as part of the external fraud risk dashboard.
  • The benchmark in the AGD guide indicates fraud loss in UK government schemes is usually between 0.5 per cent to five per cent of spending.113 This benchmark is referenced inconsistently in ATO documents as either ‘0.5 per cent to 5 per cent’ or ‘0.05 per cent to 5 per cent’. The ATO’s 2020 Tax Crime Risk Assessment states ‘0.05 per cent to 5 per cent’. The ATO advised the ATO Audit and Risk Committee in September 2022 that ‘the ATO’s fraud tolerance is 0.05 per cent and the AGD fraud benchmark minimum is 0.5 per cent’. Using a benchmark of 0.05 per cent to 5 per cent against the estimated total net GST collected by the ATO in 2022–23 of $81.4 billion would result in an estimated range of fraud losses between $40.7 million (0.05 per cent), or $407 million (0.5 per cent) to $4.07 billion (5 per cent).

Recommendation no.5

4.32 The Australian Taxation Office should:

  1. consider an alternative benchmark for ATO fraud indicators; and
  2. remove references to the ‘AGD fraud benchmark’.

Australian Taxation Office response: Agreed.

4.33 The ATO agrees to consider an alternative benchmark for ATO fraud indicators and to remove references to the ‘AGD fraud benchmark’.

Reporting provided to the states and territories

4.34 In accordance with requirements contained in the GST Administration Performance Agreement, the ATO provides an annual performance report to the states and territories by providing a mid-year and annual report to GSTAS (through GPAS). The annual report is published on the ATO website.114

4.35 The ATO provides an annual briefing to states and territories. The ANAO sighted the 2022 briefing that included an agenda item relevant to the ATO’s fraud control arrangements for GST administration.

Does the ATO meet the external reporting requirements of the Commonwealth Fraud Control Framework?

The ATO has met the external reporting requirements of the Commonwealth Fraud Control Framework by providing the required information to the Australian Institute of Criminology in the form required by the specified deadline.

Information provided to the Australian Institute of Criminology

4.36 Paragraph 14 of the fraud policy requires entities to provide information to the Australian Institute of Criminology (AIC) in the form requested to facilitate the AIC’s annual report to the Attorney-General’s Department on fraud against the Commonwealth and the fraud control arrangements.115

4.37 The ATO has provided the information requested by the AIC, in the form requested, by the required due date (which is not always set to 30 September).

4.38 The Fraud Prevention and Internal Investigations (FPII) Branch co-ordinates the ATO’s response. FPII Branch notifies (via email) relevant ATO areas who are responsible for answering the questions in the census related to their subject area. Each ATO area provides an SES approved/endorsed response to FPII who collate (but do not assure) and calculate the ATO response. The Assistant Commissioner of FPII Branch (SES Band 1) provides endorsement for the ATO response, and the AIC census is then uploaded online into the AIC portal.

4.39 The ATO advised the ANAO that there is no need to document its own procedures to respond to the AIC’s request as the AIC census contains explicit instructions on how to prepare the response.

Appendices

Appendix 1 Australian Taxation Office’s response

[Image: Australian Taxation Office’s response, page 1]

Appendix 2 Improvements observed by the ANAO

1. The existence of independent external audit, and the accompanying potential for scrutiny improves performance. Improvements in administrative and management practices usually occur: in anticipation of ANAO audit activity; during an audit engagement; as interim findings are made; and/or after the audit has been completed and formal findings are communicated.

2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts. The ANAO’s Corporate Plan states that the ANAO’s annual performance statements will provide a narrative that will consider, amongst other matters, analysis of key improvements made by entities during a performance audit process based on information included in tabled performance audit reports.

3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:

  • strengthening governance arrangements;
  • introducing or revising policies, strategies, guidelines or administrative processes; and
  • initiating reviews or investigations.

4. In this context, the below actions were observed by the ANAO during the course of the audit. It is not clear whether these actions and/or the timing of these actions were planned in response to proposed or actual audit activity. The ANAO has not sought to obtain assurance over the source of these actions or whether they have been appropriately implemented.

  • The ATO is:
    • reviewing the roles and responsibilities for management of its fraud risk (paragraph 2.10);
    • reviewing and updating its external and internal fraud Chief Executive Instructions in line with its review of roles and responsibilities for fraud within the ATO (paragraph 2.10); and
    • planning to redesign its external fraud conformance process to support the revised roles and responsibilities (paragraph 2.17).
  • The ATO is developing a systematic process for selecting business lines each quarter for its external fraud conformance process to ensure timely and regular coverage of all ATO business lines (paragraph 2.12).
  • The ATO has added ‘registration’ and ‘external fraud’ as new enterprise risks116 in its corporate plan for 2023–24 (paragraph 2.53 and footnote 47).
  • The ATO’s Chief Internal Auditor has developed an audit insights paper (April 2023) which includes observations and suggestions that the paper states are considered ‘critical to embedding GST fraud risk management as an enduring capability’ (paragraph 2.53).
  • With regards to its mandatory training material, in October 2023 the ATO advised the ANAO of the following.
    • From May 2023, the ATO is reviewing its mandatory training material more regularly. The ATO advised the ANAO that, until recently, the material was reviewed every 12 months but from May 2023, the three mandatory training packages (including the EdApp content) are reviewed in April, August and December each year (footnote 54).
    • Consistent with the ANAO’s suggestion for improvement (paragraph 2.61) the ATO plans to make changes to EdApp to ensure participants have access to the content of ATO documents covered in the training (for example, the Chief Executive Instructions).
  • The ATO Tax Integrity Centre developed a database solution to make data gathered from ‘tip-offs’ available on-demand for use in data analytics and risk models from July 2023 (paragraph 3.9).
  • The ATO is in the process of updating the internal fraud investigation procedures to the Australian Government Investigations Standard (AGIS) 2022 and expects to endorse the revisions by 1 December 2023. The ATO is also in the process of reviewing and updating the investigation procedures for external fraud to align with AGIS 2022 and expects to finalise this review by 30 November 2023 (paragraph 3.44).
  • The GST Product Committee at the 20 June 2023 meeting endorsed renaming one endemic risk, ‘correct reporting’, to ‘GST refund integrity’, with the Small Business line to be the risk lead and having responsibility for the risk assessment, while treatment approaches remain the responsibility of individual business lines (paragraph 4.15).
  • Recommendations from the GST Strategic Risk Committee to the GST Product Committee to decommission the endemic GST evasion risk and establish the Assistant Commissioner, Phoenix and Evasion Program, Behaviours of Concern, as the GST Fraud Advisor were endorsed as ‘interim’ on 28 September 2023 (paragraph 4.15).

Appendix 3 The ATO’s administration arrangements for GST

1. The Intergovernmental Agreement on Federal Financial Relations provides for the ongoing provision of GST payments from the Australian Government to the states and territories.

Table A.1: Framework enabling the ATO’s administration of GST

| Document | Relevance to ATO collection of GST |
| --- | --- |
| A New Tax System (Goods and Services Tax) Act 1999 (GST Act) | The GST Act provides for the Commonwealth to levy GST on final domestic consumption in Australia. |
| Federal Financial Relations Act 2009 (FFR Act) | The FFR Act identifies the Intergovernmental Agreement on Federal Financial Relations as providing the overarching framework for financial transfers between the Commonwealth and the states and territories. |
| Intergovernmental Agreement on Federal Financial Relations (the Intergovernmental Agreement) | The Intergovernmental Agreement provides the framework for federal financial relations, including for the ongoing provision of GST payments to the states and territories under two clauses: 25. The Commonwealth will make GST payments to the states and territories equivalent to the revenue received from the GST, subject to the arrangements in this Agreement. GST payments will be freely available for use by the states and territories for any purpose. 26. The Commonwealth will distribute GST payments among the states and territories in accordance with the principle of horizontal fiscal equalisation. Schedule A of the Intergovernmental Agreement (paragraphs A16 to A25) detail arrangements for the ATO to administer the GST, and for the states and territories to compensate the Commonwealth for the agreed costs incurred by the ATO. Paragraph A17 of Schedule A of the Intergovernmental Agreement requires the ATO to arrange for the Department of Home Affairs to assist with the collection of the GST on imports. |
| GST Administration Performance Agreement (the Agreement) | Schedule A of the Intergovernmental Agreement (paragraph A19) requires accountability and performance arrangements to be established between the ATO and the Council on Federal Financial Relations through the Agreement. Paragraph 4 of the Agreement states that the GST Administration Sub-Committee (GSTAS) will monitor all aspects of the operation and administration of GST and this Agreement. GSTAS has delegated aspects of that role to the GST Policy and Administration Sub-group. Paragraphs 22 to 25 of the Agreement requires the ATO to arrange, subject to the agreement of the Commonwealth Auditor-General, for the Australian National Audit Office to conduct an annual special purpose audit of GST costs and the systems of control of GST costs. |
| GST Administration Performance Agreement reporting | Paragraphs 10 and 11 of the Agreement state: 10. The Parties agree that the outcome to be achieved by the ATO in GST administration is to collect GST revenue effectively, including through optimising voluntary compliance by effectively and efficiently managing the administration and compliance risks to the GST system. 11. The ATO is accountable to the Council [on Federal Financial Relations] for achieving the above stated performance outcome, the achievement of which will be measured by the agreed measures outlined in Schedule A (Performance Outcome Measures). Schedule A provides a range of agreed measures for the Council on Federal Financial Relations to determine whether the ATO has achieved the stated outcomes in clauses 10 and 11 of the Agreement. |

Source: Extracts from listed documents.

Appendix 4 ATO risk matrix


Source: ATO documents.

Appendix 5 Operation Protego

Operation Protego — a multi-agency response to large-scale GST fraud

1. In April 2022 the ATO launched Operation Protego, a multi-agency rapid response to large-scale escalation of GST refund fraud.

Case study: Operation Protego

From December 2021, the ATO began to receive an increasing number of referrals from financial institutions relating to suspicious income tax and GST refunds, with numbers escalating in early 2022. On 22 February 2022 the Small Business line formed a Refund Retention Stakeholder Group to work through the referrals and develop a management approach. During February and March 2022 the ATO worked with financial institutions to understand the referrals, collect further intelligence and implement an approach to recover fraudulent GST refunds via garnishees. As of 31 August 2023, the ATO had issued 3,241 garnishees and recovered $67.6 million via bank garnishees.

Other GST refund fraud early warning signs progressively identified by the ATO from late 2021 to early 2022 included the following.

  • An increase in GST refund fraud tip-offs (from July 2021).
  • An increase in Australian Business Number and GST registrations (November 2021).
  • Deployment of the ‘incorrect reporting’ and the ‘identity crime’ CGRM risk models immediately showed increasing numbers of GST refunds identified as ‘high risk’, defined as refunds with a risk likelihood rating of 0.8 and above (January 2022).
  • Social media posts promoting GST fraud identified by the ATO, though the ATO is unclear about when the posts began to circulate (April 2022).

After deployment of risk models as part of the Contemporising GST Risk Models project on 8 January 2022, it became ‘clearly apparent’ to the ATO that the amount of potential GST refund fraud exceeded the ATO’s business-as-usual capacity to treat. In April 2022 the ATO reallocated approximately 470 staff in GST related roles to inbound client engagement, complaints, review and audit case work. A range of other Operation Protego-related work, including external communication, inbound telephony, objections and investigations was managed by additional staff across the ATO.

Operation Protego commenced in April 2022 after an administrative decision was taken by the Deputy Commissioner of Integrated Compliance. The ‘Operation’ aspect of the ATO response is under the authority of the Serious Financial Crime Taskforce.a The initial response was to stop all high-risk refunds for audit and cancel GST registrations where no genuine signs of business were found. For individuals lodging further fraudulent refund claims additional treatments were applied, including cancelling ABN and all business-related registrations, amending past BAS refund claims, raising liabilities for prior refunds obtained and applying penalties, and applying account lockdowns.

The ATO issued a warning to the public on 6 May 2022 not to engage in GST fraud.

Operation Protego targeted the recipients of significant financial benefit as a result of the fraud and those proliferating the fraud. Operation Protego targets are suspected of fraudulently obtaining GST refund amounts between approximately $38,900 and $2.4 million and attempting to fraudulently claim GST refunds between approximately $8100 and $32.3 million.

The ATO established two senior executive level committees in May 2022, the Operation Protego Steering Committee comprising SES Band 1 members from relevant business lines across the ATO (which replaced the Small Business line Refund Retention Stakeholder Group) and the Operation Protego Governance Committee comprising SES Band 2 members from relevant business lines across the ATO.

The ATO has identified 57 per cent of individuals involved in the fraud were in receipt of a government benefit. Approximately 30 per cent of individuals attempted to obtain a fraudulent refund a second time and 10 per cent attempted a third time.

The ATO has identified individuals who have had their identity stolen and used to lodge fictitious BAS or have been coerced into participating or providing credentials to third parties. However, the ATO advised the ANAO in October 2023 it cannot identify the number of Operation Protego participants who were subject to identity crime and third-party fraud as:

During Operation Protego normal business processes were used to manage suspected cases of identity crime and third-party fraud, which means there was not specific tracking of Protego cases as a whole population.

The ATO confirmed with the ANAO that, as of October 2023, 150 ATO officials suspected of Operation Protego behaviours have been investigated using the ATO’s standard internal fraud procedures. A range of treatment strategies have been applied by the ATO, including termination of employment and criminal investigations.

At 31 August 2023 criminal investigations resulted in more than 100 arrests and 16 convictions. The ATO estimates there have been more than 57,000 perpetrators of GST fraud.

The total primary liabilities raised since the commencement of Operation Protego in mid-April 2022 to 30 June 2023 is $2.0 billion, with $2.7 billion in suspect GST refunds stopped prior to payment. Penalties of more than $120 million have been issued to 30 June 2023. Statutory interest was around $220 million at 31 August 2023 and will continue to accrue on amounts not repaid. As at 31 August 2023, the ATO had recovered $123 million (including $67.6 million recovered via bank garnishees).

The ATO has not quantified the administration cost of Operation Protego due to the significant manual estimation and apportionment of costs required. Operation Protego was closed on 3 November 2023 to new cases from 30 June 2023 following endorsement of the Deputy Commissioner for Small Business as the senior responsible officer for Operation Protego.

Note a: The Serious Financial Crime Taskforce (SFCT) is an ATO-led joint-agency taskforce established on 1 July 2015. The SFCT includes the following Australian Government entities: ATO; Australian Federal Police; Australian Criminal Intelligence Commission; Attorney-General’s Department; Australian Transaction Reports and Analysis Centre; Australian Securities and Investments Commission; Commonwealth Director of Public Prosecutions; Department of Home Affairs, incorporating its operational arm, the Australian Border Force; and Services Australia. Source: Australian Taxation Office, Serious Financial Crime Taskforce [Internet], ATO, available from https://www.ato.gov.au/General/The-fight-against-tax-crime/Our-focus/Serious-Financial-Crime-Taskforce/ [accessed 8 November 2023].

Footnotes

1 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, available from https://www.ag.gov.au/integrity/publications/commonwealth-fraud-control-framework [accessed 1 November 2023].

2 Australian Taxation Office, Corporate Plan 2023–24 [Internet], ATO, available from https://www.ato.gov.au/About-ATO/Managing-the-tax-and-super-system/In-detail/Corporate-plan---current-and-previous-years/ATO-corporate-plan-2023-24/ [accessed 29 September 2023].

3 The IGAFFR implements a framework for federal financial relations between the Commonwealth of Australia and the states and territories. The IGAFFR operates indefinitely from 1 January 2009 until the parties by unanimous agreement in writing revoke it. Paragraph A17 of Schedule A of the IGAFFR requires the ATO to arrange for the Department of Home Affairs to assist with the collection of the GST on imports. The ATO Annual Report 2022–23 (Table 4.1) reported in 2022–23 the Department of Home Affairs collected $5.7 billion of the total net GST collection of $81.4 billion. Council on Federal Financial Relations, The Intergovernmental Agreement on Federal Financial Relations [Internet], CFFR, available from https://federalfinancialrelations.gov.au/intergovernmental-agreement-federal-financial-relations [accessed 24 October 2023].

4 Australian Taxation Office, GST Administration Performance Agreement (from 1 July 2023) [Internet], ATO, available from https://www.ato.gov.au/About-ATO/Commitments-and-reporting/In-detail/GST-administration/GST-Administration-Performance-Agreement-1-July-2023/ [accessed 25 October 2023].

5 Australian Taxation Office, Annual Report 2022–23, ATO, 2023, Table 4.1 and Table 4.11.

6 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, fraud policy, paragraph viii, p. B1 available from https://www.ag.gov.au/integrity/publications/commonwealth-fraud-control-framework [accessed 1 November 2023].

7 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, p. iii.

8 Australian Taxation Office, Corporate Plan 2023–24 [Internet], ATO, available from https://www.ato.gov.au/About-ATO/Managing-the-tax-and-super-system/In-detail/Corporate-plan---current-and-previous-years/ATO-corporate-plan-2023-24/ [accessed 29 September 2023].

9 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, p. iii.

10 The fraud rule within the Commonwealth Fraud Control Framework reproduces the requirements of section 10 of the Public Governance, Performance and Accountability Rule 2014.

11 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, p. iii.

12 ibid., p. iv.

13 Most basic foods, some education courses and some medical, health and care products and services are GST-free.

14 Auditor-General Report No. 55 2002–03 Goods and Services Tax Fraud Prevention and Control.

15 Inspector-General of Taxation, Review into the Australian Taxation Office’s Fraud Control Management [Internet], IGT, 2018, available from https://www.igt.gov.au/investigation-reports/ato-fraud-control-management/ [accessed 14 November 2023].

16 Public Governance, Performance and Accountability Rule 2014, paragraphs 10(a) and 10(b), and subparagraph 10(c)(i).

17 Attorney-General’s Department, Commonwealth Fraud Prevention Centre, Fraud Risk Assessment Leading Practice Guide, AGD, 2022, available from https://www.counterfraud.gov.au/library/fraud-risk-assessment-guidance-and-tools [accessed 31 August 2023].

18 Attorney-General’s Department, Commonwealth Fraud Control Framework, 2017, AGD, fraud guidance, paragraphs 49 and 50, p. C13.

19 For consistency and to reflect language in documents provided to the ANAO, this report will use ‘Integrated Compliance’.

20 The ATO informed the ANAO in June 2023 that it has retained the term ‘Chief Executive Instruction’, a term in use prior to the enactment of the PGPA Act (2013), rather than the term Accountable Authority Instruction in the interests of supporting continuity of staff understanding.

21 References to ‘ATO officials’ in this report refer to ATO employees and contracted individuals.

22 The purpose of the ATO’s conformance process is to provide assurance that the ATO is meeting its legislative and policy obligations and appropriately managing non-conformance with those obligations. The CEI for ATO conformance with obligations sets out the accountable authority’s requirements for monitoring conformance with legislative and policy obligations. The CEI requires non-conformance with obligations and emerging issues to be reported to the ATO Audit and Risk Committee on a quarterly basis.

23 These figures exclude three reporting quarters (March 2022, June 2022 and March 2023) where the quarterly conformance statement does not identify the business lines.

24 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, fraud guidance, paragraph 28, p. C9.

25 Attorney-General’s Department, Commonwealth Fraud Prevention Centre, Fraud Risk Assessment Leading Practice Guide, AGD, 2022, available from https://www.counterfraud.gov.au/library/fraud-risk-assessment-guidance-and-tools [accessed 20 June 2023].

26 The ATO’s organisational chart is available from https://www.ato.gov.au/About-ATO/Who-we-are/Executive-and-governance/Organisational-chart/ [accessed 18 September 2023].

27 The ATO’s GST Integrated Risk Forum comprises Executive Level 2 (Director) ATO personnel from various ATO business lines. The Forum is chaired by the Assistant Commissioner, Small Business, GST Program. The Forum’s charter states that its purpose is to ‘consider and facilitate collaboration on GST product risks, share insights and intelligence and advise the GST Strategic Risk Committee, client experience segments and other business lines on strategic risk matters’.

28 The artefacts sought by the project team included risk assessments, risk reviews, treatment strategies, evaluation results, and risk updates (including other reports presented to committees and forums).

29 In April 2022, the ATO established Operation Protego — an ATO-led investigation into large-scale GST fraud. Operation Protego is discussed in more detail in Appendix 5 of this audit report.

30 As at May 2023, these three ATO business lines have become four and are known as: Small Business; Private Wealth; Public Groups; and International, Support and Programs.

31 The risk owner for external fraud within the ATO is the Deputy Commissioner, Integrated Compliance. Under the ATO’s risk management framework, Risk Owners are assigned personal accountability for identified risks; and are responsible for providing direction on relevant risk management activities within their area of responsibility and across business lines where appropriate. Risk Owners are also responsible for overseeing the status of risks, controls and treatment strategies.

32 On 5 October 2023, the ATO Integrity Steering Committee endorsed the 2023 External Fraud Risk Assessment and Treatment Plan, dated 28 September 2023.

33 The controls are not specified in the 2020 external fraud risk assessment.

34 The Integrity Steering Committee (ISC) is responsible for determining and directing the ATO’s response to external fraud risks and threats. The ISC is co-chaired by the Deputy Commissioner, Integrated Compliance in the Client Engagement Group (the risk owner for external fraud), and the Deputy Commissioner, Client Account Services within the Service Delivery Group. See also Table 4.1 and paragraph 4.5.

35 The fraud risk assessment does not specify controls. The assessment states ‘specific prevent, detect and deal with controls will be listed in each of the 10 sub-controls’ risk assessments and the ATO Risk Register’. The fraud risk assessment further states that this ‘has not been completed yet but will be a priority…in 2023-24’.

36 The Risk Owner for Internal Fraud within the ATO is the Assistant Commissioner, Fraud Prevention and Internal Investigations. Under the ATO’s risk management framework, Risk Owners are assigned personal accountability for identified risks; and are responsible for providing direction on relevant risk management activities within their area of responsibility and across business lines where appropriate. Risk Owners are also responsible for overseeing the status of risks, controls and treatment strategies.

37 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, fraud guidance, paragraph 36, p. C11.

38 Australian Taxation Office, Fraud and Corruption Control Plan 2023, March 2023 available from https://www.ato.gov.au/General/The-fight-against-tax-crime/In-detail/ATO-Fraud-and-Corruption-Control-Plan-2023/ [accessed 1 June 2023].

39 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, fraud guidance, paragraph 38, p. C11.

40 Public Governance, Performance and Accountability Rule 2014, paragraph 10(b).

41 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, fraud guidance, paragraph 39, p. C11.

42 ATO records indicate that the ATO’s Fraud and Corruption Control Plan 2023 was approved by the accountable authority in early 2023 and made available on the ATO’s website in March 2023.

43 This risk assessment document is titled the ‘Tax Crime Risk Assessment 2020’ and states that ‘the term tax crime and external fraud are interchangeable’.

44 The ATO website advises that the term ‘black economy’ has now changed to ‘shadow economy’. This change has been made to reflect the Organisation for Economic Co-operation and Development’s definition of unreported or dishonest economic activity.

45 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, fraud guidance, paragraph 29, p. C10.

46 Operation Protego is discussed in more detail in Appendix 5 of this audit report.

47 The 2023–24 ATO Corporate Plan defines enterprise risks as ‘key risks requiring oversight and management’.

48 The paper was developed in response to the Operation Protego GST fraud event (see Appendix 5).

49 Attorney-General’s Department, Commonwealth Fraud Prevention Centre, Develop a fraud strategy statement [Internet], AGD, available from https://www.counterfraud.gov.au/access-tools-and-guidance/develop-fraud-strategy-statement [accessed 5 June 2023].

50 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, fraud guidance, paragraph 46, p. C13.

51 The ATO maintains offline versions of these courses for individuals with a visual impairment.

52 These three training courses replaced the ATO’s Security, Privacy and Fraud training course during the June 2020 quarter.

53 The ATO defines managers as an Executive Level 2 officer, SES or anyone with positions, occupied or vacant, reporting to them on the ATO’s personnel management system. This includes staff in short-term acting manager roles.

54 The ATO advised the ANAO that from May 2023 the ATO has changed from an annual review of course material (including the EdApp version) to reviews in April, August and December each year.

55 The purpose and membership of the ATO’s Tax Practitioner Stewardship Group is described in Tax Practitioner Stewardship Group [Internet], ATO, available from https://www.ato.gov.au/about-ato/consultation/consultation-groups/stewardship-groups/tax-practitioner-stewardship-group [accessed 28 November 2023].

56 The purpose and membership of the ATO’s GST Stewardship Group is described in GST Stewardship Group [Internet], ATO, available from https://www.ato.gov.au/about-ato/consultation/consultation-groups/stewardship-groups/gst-stewardship-group [accessed 28 November 2023].

57 Australian Taxation Office, Tax professionals newsroom [Internet], ATO, available from https://www.ato.gov.au/Tax-professionals/Newsroom/ [accessed 26 October 2023].

58 Public Governance, Performance and Accountability Rule 2014, section 10.

59 Public Governance, Performance and Accountability Rule 2014, paragraph 10(d).

60 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, fraud guidance, paragraph 63, p. C15.

61 Australian Taxation Office, Making a Tip Off [Internet], ATO, available from https://www.ato.gov.au/general/gen/making-a-tip-off/ [accessed 18 July 2023].

62 Australian Taxation Office, Tax Whistleblowers [Internet], ATO, available from https://www.ato.gov.au/General/Gen/Whistleblowers/ [accessed 17 July 2023].

63 The System Integrity Management Group is an ATO SES Band 1 committee whose terms of reference include supporting ‘the ATO’s response to fraud from a holistic risk perspective by acting in an advisory capacity to the System Integrity Program’.

64 Public Governance, Performance and Accountability Rule 2014, paragraph 10(d).

65 Australian Taxation Office, ATO Fraud and Corruption Control Plan 2023 [Internet], ATO, available from https://www.ato.gov.au/General/The-fight-against-tax-crime/In-detail/ATO-Fraud-and-Corruption-Control-Plan-2023/ [accessed 6 September 2023].

66 Australian Taxation Office, GST administration annual performance report 2021–22 Schedule A [Internet], ATO, available from https://www.ato.gov.au/About-ATO/Commitments-and-reporting/In-detail/GS… [accessed 11 September 2023], Table 5a(i) and 5c(i).

67 BAS processed are BAS with the status code ‘finalised, received, cancelled or discontinued’. BAS lodged are ‘latest finalised BAS’.

68 Australian Government, Budget 2010–11 Budget Paper 2: Budget Measures [Internet], available from https://archive.budget.gov.au/2010-11/index.htm [accessed 27 September 2023].

69 Australian Government, Budget 2012–13 Budget Paper 2: Budget Measures [Internet], available from https://archive.budget.gov.au/2012-13/index.htm [accessed 16 January 2024].

70 Australian Government, Budget 2015–16 Budget Paper 2: Budget Measures [Internet], available from https://archive.budget.gov.au/2015-16/index.htm [accessed 27 September 2023].

71 Australian Government, Mid-Year Economic and Fiscal Outlook 2018–19 [Internet], available from https://archive.budget.gov.au/2018-19/myefo/myefo_2018-19.pdf [accessed 27 September 2023].

72 The ATO defines ‘strike rate’ as the number of audit and enforcement cases completed with a ‘compliance outcome’ as a percentage of the number of all audit and enforcement cases completed. A compliance outcome can include both financial and non-financial outcomes, for example a debit, credit or notional tax adjustment; the application of penalties or regulatory enforcement; a referral for investigation of possible fraud; and/or the taxpayer agreeing to do something, for example lodging a return. The 83 per cent strike rate is calculated from the average strike rate for the previous suspect refund models from 2018–19 to 2020–21.

73 The ATO estimates as at 30 September 2023, $239.3 million in GST revenue was protected from the pre-lodgment ‘nudge’ messaging and the automated BAS revision rule.

74 These models produce a risk likelihood score between 0 (low likelihood) and 1 (high likelihood) that the GST refund is incorrect.

75 Results can be achieved without a change to net GST if GST payable and GST paid are adjusted by the same amount, or if there is no GST adjustment but a GST penalty was imposed.

76 Australian Government, Budget Measures 2023–24: Budget Paper No. 2 [Internet], Commonwealth of Australia, 2023, p. 19, available from https://budget.gov.au/content/bp2/download/bp2_2023-24.pdf [accessed 27 September 2023].

77 The ATO defines disengaged property developers into two categories of taxpayers. The first are registered taxpayers that claim GST credits during the construction phase of a building project but cease to lodge activity statements and income tax returns once sales of property occur. The second are taxpayers that do not claim GST credits during the construction phase and do not report the sale of property upon completion.

78 The AUD $1,000 value applies per shipping consignment excluding shipping and insurance.

79 ‘Inbound intangible consumer supply’ means sales of anything other than goods or real property to an Australian consumer (for example, digital products and other services) that are made to an Australian consumer and not wholly done in Australia or through a business run in Australia.

80 Australian Taxation Office, GST administration annual performance report 2021–22 [Internet], ATO, available from https://www.ato.gov.au/About-ATO/Commitments-and-reporting/In-detail/GST-administration/GST-administration-annual-performance-report-2021-22/ [accessed 15 September 2023], Table 10.

81 Australian Taxation Office, Justified Trust [Internet], ATO, available from https://www.ato.gov.au/Business/Large-business/Justified-trust/ [accessed 29 September 2023].

82 Australian Taxation Office, GST administration annual performance report 2021–22 [Internet] [accessed 15 September 2023], Table 6d.

83 Australian Taxation Office, GST administration annual performance report 2021–22 [Internet] [accessed 15 September 2023], Table 10.

84 Public Governance, Performance and Accountability Rule 2014, paragraph 10(e).

85 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, fraud guidance, paragraph 67, p. C16.

86 The ATO may impose administrative penalties for non-compliance with taxation obligations. The shortfall amount is the difference between the correct tax liability or credit entitlement, and the liability or entitlement worked out using the information provided. See: Australian Taxation Office, Penalties [Internet], available from https://www.ato.gov.au/General/Interest-and-penalties/Penalties/ [accessed 27 September 2023].

87 The AGIS establishes a standard for Australian Government entities conducting administrative, civil, or criminal (type) investigations. The fraud policy requires non-corporate entities to have detection and investigation systems consistent with the AGIS. Source: Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, fraud guidance, paragraph 61, p. C14.

88 Australian Federal Police, Australian Government Investigations Standard [Internet], AFP, 2022, available from https://www.afp.gov.au/sites/default/files/PDF/Australian-Government-Investigations-Standard-2022.pdf [accessed 30 October 2023].

89 ‘Tax Time’ in the context of the Integrity Incident Response Framework refers to the peak period between 1 July and 31 October each year when the majority of tax returns are lodged for individuals.

90 Australian Taxation Office, Tax crime prosecution results [Internet], ATO, available from https://www.ato.gov.au/General/The-fight-against-tax-crime/News-and-results/Tax-crime-prosecution-results/ [accessed 5 October 2023].

91 Public Governance, Performance and Accountability Rule 2014, paragraph 10(f).

92 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, fraud policy, p. B3.

93 Australian Taxation Office, ATO Fraud and Corruption Control Plan 2023 [Internet], ATO, 2023, available from https://www.ato.gov.au/General/The-fight-against-tax-crime/In-detail/AT… [accessed 30 August 2023].

94 As noted in paragraph 2.4, in mid-2023 the ATO renamed its Integrated Compliance business line to ‘Fraud and Criminal Behaviours’. This chapter will reference the Integrated Compliance business line to align with language in the documents provided to the ANAO as evidence for this audit.

95 The ATO website advises that the term ‘black economy’ has now changed to ‘shadow economy’. This change has been made to reflect the Organisation for Economic Co-operation and Development’s definition of unreported or dishonest economic activity.

96 Council on Federal Financial Relations, Intergovernmental Agreement on Federal Financial Relations Schedule A, CFFR, 2009, paragraph A20.

97 The Council on Federal Financial Relations is responsible for overseeing the financial relationship between the Commonwealth and the state and territory governments. Council on Federal Financial Relations, Intergovernmental Agreement on Federal Financial Relations Schedule A, Definition and Institutional Arrangements CFFR, 2009, paragraph A2.

98 Australian Taxation Office, GST Administration Performance Agreement (from 1 July 2023) [Internet], ATO, available from https://www.ato.gov.au/About-ATO/Commitments-and-reporting/In-detail/GST-administration/GST-Administration-Performance-Agreement-1-July-2023/ [accessed 25 October 2023].

99 Following the June 2023 ATO organisational restructure this business line is now the ‘International, Support and Programs’ business line, the ‘Public Groups (Strategy and Programs)’ business line and the ‘Public Groups (Engagement)’ business line.

100 There were seven separate agenda items between 2021–22 and 2022–23 at the GST Integrated Risk Forum (EL2) that resulted in discussions and efforts to clarify governance structures and risk accountabilities; eight separate agenda items at the GST Strategic Risk Committee (SES Band 1) and five separate agenda items at the GST Product Committee (SES Band 2).

101 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017.

102 The Audit and Risk Sub-committee assists the Audit and Risk Committee to manage its workload in meeting its responsibilities.

103 The ARC external fraud dashboard reports against ‘charter requirements’, ‘specific requirements’, ‘status of compliance’, ‘evidence of compliance’, ‘comments, exceptions and issues of concern’, and ‘mitigations, exceptions or issues’.

104 The April 2022 meeting of the Security Committee received an extract of the December 2021 dashboard for three of the eight categories 1) ‘detecting fraud’, 2) ‘investigating and dealing with fraud’ and 3) ‘recording and reporting fraud’. These categories were reported as ‘fully compliant’ (green) with ‘no issues arising’. The Integrated Compliance Risk Management Committee meets monthly and received a copy of the ‘external fraud dashboard’ at the May 2022; June 2022; August 2022 and March 2023 meetings.

105 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017.

106 A third IT fraud indicator is included in the external fraud dashboard; this has not been included as IT fraud is outside the scope of this audit.

107 The ATO paper to the ARC states the ATO’s fraud tolerance is 0.05 per cent; the ‘AGD fraud benchmark’ referenced in the ATO paper states 0.5 per cent to five per cent.

108 This is the external fraud indicator year to date ending 31 March 2023 in Figure 4.4.

109 The Attorney-General’s Department (AGD) guide specifies the three per cent to 5.95 per cent estimate is from a 2019 report for the AGD by Ernst & Young and includes fraud and error (rather than solely fraud). This range is referenced in the AGD guide as an estimated cost of reported and unreported fraud and error against the Commonwealth, based on international comparators.

110 Australian Taxation Office, ATO Fraud and Corruption Control Plan [Internet] [accessed 4 September 2023].

111 Attorney-General’s Department, Commonwealth Fraud Prevention Centre, Counter Fraud Investment Cases Leading Practice Guide [Internet], AGD, available from https://www.counterfraud.gov.au/sites/default/files/2021-03/counter-fraud-investment-cases-leading-practice-guide.PDF [accessed 14 August 2023], p. 10.

112 ibid., p. 10.

113 ibid., p. 10.

114 Australian Taxation Office, GST administration annual performance report 2021–22 [Internet], ATO, available from https://www.ato.gov.au/About-ATO/Commitments-and-reporting/In-detail/GST-administration/GST-administration-annual-performance-report-2021-22/ [accessed 4 September 2023].

115 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017.

116 The 2023–24 ATO Corporate Plan defines enterprise risks as ‘key risks requiring oversight and management’.