Fraud Control Arrangements
The audit objective was to examine the selected entities’ effectiveness in implementing entity-wide fraud control arrangements, including compliance with the requirements of the 2011 Commonwealth Fraud Control Guidelines (2011 Guidelines), and the overall administration of the fraud control framework by the Attorney-General’s Department.
Summary
Introduction
1. Fraud against the Commonwealth is defined as ‘dishonestly obtaining a benefit, or causing a loss, by deception or other means.’1 Fraud against the Commonwealth can be broadly categorised as being either external (fraud committed by clients or customers, service providers and members of the public) or internal (fraud committed by employees and contractors). In some cases, fraud against the Commonwealth may involve collusion between external and internal parties, which may not only result in loss for the Commonwealth, but may also involve corrupt conduct such as bribery and secret commissions.
2. The consequences of fraud against the Commonwealth include financial and material loss which can impact on the Australian Government’s ability to deliver services and achieve its policy objectives. More broadly, fraud can result in reputational damage to government and responsible entities, and potential loss of confidence in Australian Government administration.
3. Fraud threats are ongoing and can affect any Australian Government entity. In 2010–11, external and internal fraud losses against the Commonwealth were estimated at $119 million.2 Approximately $116 million of these estimated losses related to external fraud, while some $3 million related to internal fraud.
The Australian Government’s fraud control framework
4. Australian Government entities have long been required to establish arrangements to manage the risks of fraud. The Financial Management and Accountability Act 1997 (FMA Act), which operated during the course of fieldwork for this audit3, placed a number of ‘special responsibilities’ on the Chief Executives of FMA Act agencies. For example, section 44 of the FMA Act required Chief Executives to promote the proper use of Commonwealth resources, while section 45 required the implementation of a fraud control plan. In addition, section 64 and FMA Regulation 16A made provision for the responsible minister4 to issue Fraud Control Guidelines.5,6
The Commonwealth Fraud Control Guidelines
5. At the time of the audit fieldwork, the Australian Government’s framework for fraud control was set out in the 2011 Commonwealth Fraud Control Guidelines (the Guidelines). The Guidelines established the fraud control policy framework within which entities were expected to determine their own specific practices, plans and procedures to manage the prevention and detection of fraudulent activities.
6. The Guidelines contained a mix of mandatory fraud control requirements and other recommended practices as a basis for sound fraud control. Specifically, the Guidelines contained requirements (and other practices) dealing with:
- obligations of chief executives7;
- assessment of the risks of fraud;
- development of fraud control policies, plans and procedures;
- implementation of a program of general fraud awareness training for employees and contractors, and more specialised training for those people engaged in fraud control activities;
- approaches to detecting and responding to fraud events, including the conduct of investigations; and
- gathering, monitoring and reporting information about fraud.
7. A key feature of the 2011 Guidelines was the promotion of an approach focused on embedding fraud control and prevention as part of an entity’s culture and governance arrangements8; a senior leadership responsibility. The ANAO’s 2011 Better Practice Guide on Fraud Control in Australian Government Entities (the Fraud Control BPG) described this as a ‘contemporary’ management approach to fraud control9, in contrast to the more traditional approach focusing primarily on compliance with requirements, detection and investigation.10 The Fraud Control BPG observed that sound and effective fraud control requires commitment at all organisational levels within an entity. Just as governance and project management arrangements have evolved to become common practice in government entities, fraud control strategies need to mature and become an accepted part of the day-to-day running of entities.11
8. All FMA Act agencies were subject to the requirements of the 2011 Guidelines. In addition, a number of Commonwealth Authorities and Companies Act 1997 (CAC Act) entities, including Comcare12, chose to apply the Guidelines as a matter of good practice.13,14
9. The fraud control policy framework and 2011 Guidelines were administered by the Attorney-General’s Department (AGD), which provided advice to agencies on the Guidelines and had responsibility for advising and reporting to ministers on whole-of-government fraud control arrangements.
Public Governance, Performance and Accountability Act 2013
10. The basis of the fraud control framework altered from 1 July 2014, when the FMA Act and Regulations were replaced by a new Fraud Rule made pursuant to the Public Governance, Performance and Accountability Act 2013 (PGPA Act).15 The 2011 Guidelines were also replaced on 1 July 2014 by a Guide16 issued by the Minister for Justice under the Fraud Rule, and a Commonwealth Fraud Control Policy.17 AGD continues to administer the fraud control framework.
Selected entities in this audit
11. The entities selected for this audit were: the Australian Trade Commission (Austrade); Comcare; and the Department of Veterans’ Affairs (DVA). The overall administration of the fraud control framework by the Attorney-General’s Department was also examined as part of the audit.
12. Further contextual information on the selected entities is provided in Table S.1.
| | Austrade | Comcare | Department of Veterans’ Affairs |
|---|---|---|---|
| Role | To advance Australia’s trade, investment, tourism and education promotion interests through information, advice and services to business, the education sector and governments in developing international markets. To provide consular and passport services in specific locations overseas. | To partner with workers, their employers and unions to keep workers healthy and safe, and reduce the incidence and cost of workplace injury and disease. To manage Commonwealth common law liabilities for asbestos compensation. | To develop and implement programs that provide services and support to the veteran and defence force communities. To provide programs of care, compensation and commemoration for eligible customers. |
| Entity type during the course of the audit | FMA Act | CAC Act | FMA Act |
| Key fraud risks | | | |
| Number of staff (as at June 2013) | 1003 | 712 | 2058 |
| Number of staff dedicated to Fraud Control Areas (as at June 2013) | 8 | 6 | 16 |
| Appropriation in millions (for 2013–14) | $318.9m | $897.5m (A) | $12 429m |
| Geographic location | Worldwide locations, major offices in Sydney and Canberra. | Offices in most states and territories. | Offices in every state, major offices in Canberra and Queensland. |
Source: ANAO summary from agencies’ Portfolio Budget Statements, Submissions to the AIC and Annual Reports.
Notes: A: Comcare was not directly appropriated due to its status as a CAC Act entity. Appropriations were made to the Department of Education, Employment and Workplace Relations, and subsequently paid to Comcare.
Audit objective, criteria and scope
13. The audit objective was to examine the selected entities’ effectiveness in implementing entity-wide fraud control arrangements, including compliance with the requirements of the 2011 Commonwealth Fraud Control Guidelines (2011 Guidelines), and the overall administration of the fraud control framework by the Attorney-General’s Department (AGD).
14. To form a conclusion against the audit objective, the ANAO adopted the following high-level criteria:
- the selected entity implemented the applicable mandatory requirements of the 2011 Guidelines;
- the selected entity implemented, on a risk basis, appropriate:
  - strategies to prevent fraud, train staff and raise internal awareness; and
  - processes to monitor, evaluate and report on fraud control arrangements; and
- AGD effectively administered the fraud control framework and supported entities, as required by the Guidelines, following release of the 2011 Guidelines.
15. In addition to examining AGD’s overall administration of the fraud control framework, the ANAO examined the department’s implementation of the ANAO’s most recent performance audit on fraud control.18 Further, the ANAO examined the relationship between AGD and the Australian Institute of Criminology (AIC)19, relating to the production of two annual reports to government: Fraud Against the Commonwealth (Fraud Report); and Compliance with the Commonwealth Fraud Control Guidelines (Compliance Report).
16. The audit did not examine the selected entities’ actions following a decision to investigate possible fraudulent activities. Nor did the audit examine the role of the Australian Federal Police (AFP) or the Commonwealth Director of Public Prosecutions in investigating allegations of fraud and conducting prosecutions.20
17. Separately, the ANAO is conducting a performance audit of Austrade’s Export Management Development Grants (EMDG) program, including its specific fraud control arrangements. The current audit is focussed on Austrade’s entity-wide arrangements, and did not examine the administration of the EMDG except to the extent of its alignment with Austrade’s overarching governance framework for fraud control.
18. In conducting this audit, the ANAO: interviewed relevant officers in each of the selected entities, AGD and the AIC; examined relevant documentation, controls and systems; and examined whether entities had regard to better practice as discussed in the ANAO’s 2011 Fraud Control BPG.
Overall conclusion
19. Fraud control is an ongoing responsibility for Australian Government entities, providing a safeguard against: financial and material losses which can impact on the Government’s ability to deliver services and achieve its policy objectives; reputational damage to government and responsible entities; and loss of confidence in Australian Government administration. Government expectations relating to fraud control have been promulgated over many years in successive Fraud Control Guidelines (the Guidelines) administered by the Attorney-General’s Department (AGD). Since 2011, the Guidelines have focused on embedding fraud control as part of an entity’s culture and governance arrangements; an approach which has highlighted the importance of risk management, fraud prevention, awareness-raising and shared responsibility by entity staff and management. This contemporary approach to fraud control contrasts with the more traditional approach focusing on compliance with requirements and the detection and investigation of fraud after it has occurred.
20. Overall, the selected entities—Comcare, the Australian Trade Commission (Austrade) and the Department of Veterans’ Affairs (DVA)—were generally compliant with the applicable mandatory requirements of the 2011 Fraud Control Guidelines (2011 Guidelines) in effect during the course of the audit, and had implemented a range of strategies and fraud control measures relevant to their specific circumstances. The strategies and measures implemented by the selected entities had regard to the key focus areas identified in the 2011 Guidelines: risk assessment; the preparation of fraud control plans; fraud awareness and training, including for third party service providers; and detection, investigation and response. However, the selected entities’ progress in transitioning to the more contemporary and preventive approach has varied, with Comcare establishing an internal framework generally aligned with the 2011 Guidelines, while DVA and Austrade were at different stages of transition.
21. AGD’s overall administration of the fraud control framework has been generally effective. The department administers a well-developed framework comprising: documented policy and guidance; clear assignment of roles and responsibilities between AGD and entities; identified points of co-ordination; and the provision of support to entities through networking, communication and training arrangements. However there remains scope for improvement in the preparation of annual whole-of-government Fraud and Compliance Reports to government21, which have only been submitted on time to ministers on three occasions in the past 10 years. Entities have continued to face compliance costs in providing annual information updates for inclusion in the reports, while the Australian Government and its entities have not had the benefit of annual reporting on key trends and developments. AGD should establish a formal arrangement with the AIC to facilitate the timely preparation and submission of the reports, to inform ministers of the extent of fraud against the Commonwealth and entities’ compliance with government requirements.
22. The networking, communication and training activities sponsored by AGD and discussed above, were intended to support entities in transitioning to a more contemporary risk-based approach to fraud control. AGD established dedicated Govdex and Govspace websites to assist the whole-of-government Fraud Control Network and individual entities, and hosted workshops and seminars during 2011–13 to provide training for key entity personnel and support the introduction of the 2011 Guidelines.
23. Among the selected agencies, those which most actively engaged with the ‘community of practice’ sponsored by AGD had also moved further along the road towards adopting a more contemporary approach to fraud control. Comcare participated actively in AGD networks and events, including hosting and chairing some events, while DVA had only occasional involvement. At least since 2010, Austrade and DVA did not participate in AGD-sponsored forums and the Fraud Control Network. Austrade advised that it started to access the Govdex website during the course of the audit. Given the change in approach sought by the Australian Government with the release of the 2011 Guidelines, limited entity engagement with the wider community of practice was a lost opportunity to keep abreast of better practice and key developments in fraud control.
24. The ANAO has made one recommendation aimed at supporting the timely preparation of whole-of-government fraud control reports to government by AGD and the AIC. This audit has also highlighted scope for some entities to focus more strongly on transitioning to the more contemporary approach to fraud control.22 Entities in transition can derive particular benefit from ongoing engagement with wider Commonwealth networks, promoting shared responsibility amongst staff and management, and continued senior management attention to drive implementation.
Key findings by chapter
Whole-of-government arrangements for fraud control (Chapter 2)
25. AGD’s overall administration of the Australian Government’s fraud control framework has been generally effective. The department administers a well-developed whole-of-government framework for fraud control which includes: documented policy and guidance which has been regularly updated; clear assignment of the respective roles and responsibilities of AGD and entities; and identified points of co-ordination. The framework is supported by whole-of-government advisory arrangements intended to inform government and entities of key developments, and formal mechanisms to support and maintain communication with entities on policy and other developments.
26. Key communication and advisory mechanisms include the Commonwealth Fraud Control Network and Fraud Liaison Forum, as well as online channels such as dedicated fraud control Govdex and Govspace websites. During 2011-13, AGD conducted training workshops for key personnel and seminars to assist entities with establishing and maintaining appropriate fraud control arrangements; an approach intended to support entities in transitioning to the more contemporary, risk-based and preventive approach to fraud control promoted in the 2011 Guidelines.
27. The 2011 Guidelines required AGD, in cooperation with the Australian Institute of Criminology (AIC), to produce two key reports annually—Fraud Against the Commonwealth and Compliance with the Commonwealth Fraud Control Guidelines.23 These whole-of-government reports are intended to inform government and relevant entities24 of: the level of fraud detected within the Commonwealth; entities’ compliance with the 2011 Guidelines; and the effectiveness of fraud control policies and measures. While the reports are meant to be submitted annually, AGD has only done so three times in the past ten years25; and the remaining reports were submitted between two and 26 months late. Further, the Fraud Against the Commonwealth report due in 2010-11 has not yet been submitted—some three years after the due date—and at the time of this audit there was no indication when it (and the reports for 2011-12 and 2012-13) would be made available to government. A consolidated Compliance with the Commonwealth Fraud Control Guidelines report for 2010-13 was submitted in March 2014, during the course of this audit. Nonetheless, entities have continued to face compliance costs involved in providing annual information updates for inclusion in the reports, while the Australian Government and its entities have not had the benefit of annual reporting on key trends and developments.
28. AGD and AIC should establish a formal arrangement to facilitate the timely preparation and submission of the Fraud and Compliance Reports to government.
Preventing fraud (Chapter 3)
29. Fraud control within the Commonwealth public sector has evolved in recent years, with a move away from the more traditional approach focused on compliance, detection and investigation towards a more contemporary approach which treats fraud control and prevention as core elements of corporate governance. The shift in orientation was strongly promoted through the 2011 Guidelines and was also reflected in the Fraud Control BPG. A key feature of the contemporary approach is prevention, with well-designed and implemented strategies to prevent fraud considered the most cost-effective approach to managing fraud risks.
30. Comcare approached fraud control as a key governance function. This approach was reflected in its adoption of an internal fraud prevention framework which included a fit-for-purpose and integrated fraud risk assessment process, and the development of a fraud control plan with a strategic focus on Comcare’s key fraud risks. As part of its prevention strategy, Comcare also implemented a compulsory and well-developed fraud awareness training program, which met the requirements of the Guidelines and provided staff and contractors with regular training to ensure skills and knowledge were up-to-date.
31. DVA’s and Austrade’s approach to fraud control was in transition during the course of the audit. DVA had historically focused largely on compliance, with a heavy emphasis on investigating fraud after it had occurred rather than prevention. The department commenced a significant restructure of its fraud control operations and governance in August 2013, rebalancing its approach to include more prevention and deterrence strategies alongside its existing detection strategies, in line with the more contemporary approach. However, DVA’s approach to date in communicating its revised expectations and raising fraud awareness among staff, has not been fully effective. The relevant education online module was out of date and had not been promoted to staff; however, at the time of the audit, DVA had already commenced developing a new training framework to address this.
32. Austrade has made more limited changes to its entity-wide fraud control arrangements since the introduction of the 2011 Guidelines, and aspects of Austrade’s internal management arrangements relating to fraud control have created a risk of fragmentation. In addition to a whole-of-entity fraud unit located in its Corporate Services Group, Austrade has established a dedicated fraud team within its Export Market Development Grants (EMDG) program, where significant fraud risk has been assessed. The establishment of a dedicated fraud team in a high risk program area is a legitimate risk mitigation strategy; however, there was limited communication or coordination between the two units. Austrade advised the ANAO that the fraud control function and the reporting of fraud is centralised to the role of a senior executive. Nonetheless, Austrade continues to report separately, to the Audit Committee and CEO, on the EMDG program and other entity activities, and there would be benefit in considering an approach involving more structured cross-communication between fraud units to strengthen coordination arrangements. In the course of the audit, Austrade advised the ANAO that an internal review of fraud control arrangements will examine consistency with the Guidelines and ANAO Better Practice Guide, and the risk of fragmentation between fraud management arrangements for EMDG and other parts of Austrade.
33. Austrade’s risk assessment process was conducted on a two-yearly basis, consistent with the 2011 Guidelines. As part of that process, Austrade required its 12 business units to identify fraud risks and possible treatments; however, only two business units contributed. Austrade has advised that while the initial processes to develop the draft plan were not ideal, senior management intervention led to broader consultation and improvements in the process. It is by creating a shared responsibility for fraud control amongst staff and management at all levels that an entity is better placed to embed fraud control as part of its governance arrangements and culture.
34. Limitations were also identified in Austrade’s approach to fraud awareness training, with only one question on fraud appearing in the context of an on-line security training module. Staff responses to a 2013 internal survey indicated that less than one in four staff could correctly identify all the potentially fraudulent or corrupt behaviours canvassed.
Detecting and responding to fraud (Chapter 4)
35. Fraud prevention strategies can help reduce, but not entirely eliminate, an entity’s fraud risk. Effective fraud detection and response measures are necessary to provide assurance that perpetrators of fraudulent acts are identified, and appropriate action is taken.
36. Broadly speaking, fraud detection methods can be passive or active. The ANAO examined the selected entities’ implementation of the passive detection measures discussed in the Fraud Control BPG and found that all selected entities had introduced fraud reporting mechanisms for staff and the public. Comcare and DVA adopted a centralised and coordinated approach to the processing of fraud allegations, whereas tip-offs received by Austrade were processed by individual business units. Reflecting Austrade’s administrative arrangements discussed above, Austrade’s central fraud control unit did not always have visibility of the review processes adopted by business units or responses to fraud across the entity. This approach further fragmented internal fraud control arrangements; introducing a risk of inconsistent handling and processing of tip-offs, and a situation where fraud risks were not necessarily monitored or communicated within Austrade.
37. Each of the selected entities employed a range of active detection methods; with the specific measures adopted by entities reflecting their differing business operations. The two payment entities, Comcare and DVA, regularly undertook a wide variety of statistical analysis aimed at detecting anomalies in payment patterns to service providers and beneficiaries that might indicate potential non-compliance or fraudulent practice. Austrade also undertook statistical analysis from time-to-time, to inform its fraud prevention activities, and fraud control was a key focus of its internal audit work program.
38. DVA is required, by the Data-matching Program Act 1990, to perform data matching analysis. Comcare has also added data matching to its range of active detection measures, although it is not mandated. The use of data matching by DVA and Comcare has identified potential cases of fraud.
39. Consistent with the 2011 Guidelines, Comcare and DVA maintained fraud incident registers which were used to inform their CEO of the level of fraud within the entity and to prepare external reporting to AGD. Austrade maintained two separate registers, reflecting the administrative arrangements discussed in paragraph 32 above.
40. The ANAO examined the availability and content of guidance and tools available to fraud investigators in the selected entities. Comcare had a detailed investigation manual, standardised assessment templates and a case prioritisation model to assess and prioritise fraud allegations. DVA had an out-of-date investigation manual and the department advised it was in the process of updating the manual. DVA had implemented a case prioritisation model, which will include assessment templates. Austrade did not have an entity-wide investigation manual, but advised the ANAO that it was drafting such a document.
Monitoring and reviewing fraud arrangements (Chapter 5)
41. In the context of an evolving business and operating environment, entities can help manage their risks by employing a flexible rolling program of reviews, audits and evaluations, and by actively looking for opportunities to improve fraud control arrangements.
42. The selected entities reviewed their risk assessments every two years, and their Fraud Control Plans were updated following those exercises. Comcare and DVA also had established processes to review poorly performing controls, and liaised with their relevant business areas to identify scope for improvement in the control framework.
43. Effective internal reporting can inform an entity’s management of fraud control arrangements by identifying trends, weaknesses and opportunities for improvement. The selected entities’ internal reporting to their respective audit committees (and through the audit committee to the CEO) were generally aligned, in terms of process and content, to the 2011 Guidelines and better practice discussed in the ANAO’s Fraud Control BPG. However, Austrade did not adopt a centralised recording system, and its individual fraud units reported separately to its audit committee and executive, albeit through a nominated senior officer. Further, Austrade’s audit committee received limited information on the outcome of investigations, prosecutions and civil actions.
44. External reporting promotes accountability, informs government and stakeholders of developments, and facilitates whole-of-government monitoring and responses to fraud risks. The selected entities generally complied with the external reporting requirements in the 2011 Guidelines, reported internally and externally on fraud risk and fraud control measures, and certified compliance with the Guidelines in their Annual Reports. However none of the selected entities provided an evaluation, in their external reporting, of the effectiveness of fraud initiatives undertaken by the entity, as required by the Guidelines, to inform stakeholders of the effectiveness of their control arrangements.
Summary of entities’ responses
45. The audited entities’ summary responses are provided below. Appendix 1 contains the entities’ full response to the audit report.
Attorney-General’s Department
The Attorney-General’s Department (AGD) welcomes the Australian National Audit Office’s (ANAO) audit of Fraud Control Arrangements. AGD accepts the ANAO’s recommendation to formalise its business arrangements with the Australian Institute of Criminology (AIC).
The Government remains committed to protecting Commonwealth resources from fraud. Fraud control and risk management should be integrated into each entity’s culture and practices, and reflect the individual circumstances of each entity.
AGD is pleased to note the ANAO’s acknowledgement of the effectiveness of AGD’s networking, communication and training activities, and its well-developed Commonwealth fraud control framework. In particular, AGD notes the link between engagement with the AGD-run Fraud Control Network and entities keeping abreast of best practice and key fraud control developments.
AGD believes that the findings of the audit will assist Commonwealth entities in strengthening their fraud control arrangements and minimising fraud. The performance audit will make a valuable contribution to the future development of Commonwealth fraud control arrangements.
Australian Trade Commission
The ANAO’s observations provide helpful guidance to enable Austrade to further improve its fraud control and management arrangements, develop greater consistency with the ANAO Better Practice Guide for Fraud Control, and further strengthen fraud reporting within Austrade.
As recognised in the ANAO’s report, the Export Market Development Grant (EMDG) scheme represents Austrade’s highest fraud risk. While the ANAO’s performance audit of the EMDG scheme will cover specific fraud control arrangements within that scheme, given that audit is still being conducted, it is worth noting here that on balance, a considerable proportion of Austrade’s fraud control effort is directed toward that scheme.
I also can advise that since the audit Austrade has:
- established a centralised fraud management database to capture data and facilitate reporting of fraud related matters;
- implemented a comprehensive fraud investigation procedures manual;
- established a fraud whistle-blower hotline, with reporting information now published on the agency website and the intranet; and
- reviewed the annual fraud awareness training module which all staff are required to undertake.
Comcare
The findings and recommendations of the report are noted and accepted by Comcare.
Following a recent internal restructure, Comcare’s Claims and Liability Management and Scheme Management and Regulation divisions are working closely together and with Comcare’s Chief Finance Officer, to further refine Comcare’s approach to managing risk, fraud control and investigation. The approach will be in accordance with the provisions of the Public Governance, Performance and Accountability Act 2013 and the associated best practice guidance.
Department of Veterans’ Affairs
It is pleasing that the report concludes that agencies involved in the audit are generally compliant with the mandatory requirements under the 2011 Fraud Control Guidelines.
DVA agrees with the audit findings and acknowledges the recommendation.
The report acknowledges that DVA is in a transition phase with the implementation of its fraud and non-compliance reform programme.
Recommendations
Recommendation No. 1 (Paragraph 2.33)
To facilitate the timely preparation of the annual Fraud Against the Commonwealth Report and the annual Compliance Report to Government, the ANAO recommends that the Attorney-General’s Department formalises its business arrangements with the Australian Institute of Criminology.
Attorney-General’s Department response: Agreed
1. Introduction
This chapter contains background information about fraud control in the Australian Government public sector, as well as details about the audit objective, criteria and approach.
What is fraud?
1.1 Fraud against the Commonwealth is defined as ‘dishonestly obtaining a benefit, or causing a loss, by deception or other means’.26 Fraud against the Commonwealth can be broadly categorised as being either external (fraud committed by clients or customers, service providers and members of the public) or internal (fraud committed by employees and contractors). In some cases, fraud against the Commonwealth may involve collusion between external and internal parties, which may not only result in loss for the Commonwealth, but may also involve corrupt conduct such as bribery and secret commissions.
1.2 The consequences of fraud against the Commonwealth include financial and material loss which can impact on the Australian Government’s ability to deliver services and achieve its policy objectives. More broadly, fraud can result in reputational damage to government and responsible entities, and potential loss of confidence in Australian Government administration.
1.3 Fraud threats are ongoing and can affect any Australian Government entity. In 2010–11, external and internal fraud losses against the Commonwealth were estimated at $119 million.27 Approximately $116 million of these estimated losses related to external fraud, while some $3 million related to internal fraud.
1.4 Effective fraud control involves a continuum of mutually reinforcing activities, including:
- identifying (and assessing) the risks of fraud occurring;
- developing and implementing measures to prevent, detect and respond to instances of fraud;
- establishing (and maintaining) a sufficient level of awareness and understanding among staff and contractors, and as appropriate, external stakeholders, about the entity’s approach to fraud control;
- providing (or acquiring) specialised fraud training for key staff;
- appropriately responding to fraud events, including taking corrective action; and
- monitoring, reporting and evaluating fraud control strategies.
The Australian Government’s fraud control framework
1.5 Australian Government agencies have long been required to establish arrangements to deal with the risks of fraud. The Financial Management and Accountability Act 1997 (FMA Act), which operated during the course of fieldwork for this audit, placed a number of ‘special responsibilities’ on the Chief Executives of FMA Act agencies. For example, section 44 of the FMA Act required Chief Executives to promote the proper use of Commonwealth resources, while section 45 required the implementation of a fraud control plan. In addition, section 64 and FMA Regulation 16A made provision for the responsible minister (the Minister for Justice) to issue Fraud Control Guidelines.
The Commonwealth Fraud Control Guidelines
1.6 At the time of the audit fieldwork, the Australian Government’s framework for fraud control was set out in the 2011 Commonwealth Fraud Control Guidelines (2011 Guidelines). The 2011 Guidelines established the fraud control policy framework within which entities were expected to determine their own specific practices, plans and procedures to manage the prevention and detection of fraudulent activities.
1.7 The 2011 Guidelines contained a mix of mandatory fraud control requirements and other recommended practices as a basis for sound fraud control. Specifically, the 2011 Guidelines contained requirements (and other practices) dealing with:
- obligations of chief executives;
- assessment of the risks of fraud;
- development of fraud control policies, plans and procedures;
- implementation of a program of general fraud awareness training for employees and contractors, and more specialised training for those people engaged in fraud control activities;
- approaches to detecting and responding to fraud events, including the conduct of investigations; and
- gathering, monitoring and reporting information about fraud.
1.8 A key feature of the 2011 Guidelines was the promotion of an approach focused on embedding fraud control and prevention as part of an entity’s culture and governance arrangements; a senior leadership responsibility. The ANAO’s 2011 Better Practice Guide on Fraud Control in Australian Government Entities (the Fraud Control BPG) described this as a ‘contemporary’ management approach to fraud control, in contrast to the more traditional approach focusing primarily on compliance with requirements, detection and investigation. The Fraud Control BPG observed that sound and effective fraud control requires commitment at all organisational levels within an entity. Just as governance and project management arrangements have evolved to become common practice in government entities, fraud control strategies need to mature and become an accepted part of the day-to-day running of entities.
1.9 All FMA Act entities were subject to the requirements of the 2011 Guidelines. In addition, a number of Commonwealth Authorities and Companies Act 1997 (CAC Act) entities, including Comcare, chose to apply the Guidelines as a matter of good practice.
1.10 The fraud control policy framework and 2011 Guidelines were administered by the Attorney-General’s Department (AGD), which provided advice to agencies on the Guidelines and had responsibility for advising and reporting to ministers on whole-of-government fraud control arrangements.
Public Governance, Performance and Accountability Act 2013
1.11 The basis of the fraud control framework altered from 1 July 2014, when the FMA Act and Regulations were replaced by a new Fraud Rule made pursuant to the Public Governance, Performance and Accountability Act 2013 (PGPA Act). The 2011 Guidelines were also replaced on 1 July 2014 by a Guide issued by the Minister for Justice under the Fraud Rule, and a Commonwealth Fraud Control Policy. AGD continues to administer the fraud control framework.
Previous ANAO audits and the Better Practice Guide
1.12 This audit continues the Australian National Audit Office’s (ANAO) examination of Commonwealth entities’ fraud control arrangements. The ANAO has conducted several audits in recent years on fraud control28, with the most recent audit tabled in 2009–10.29 In 2011, the ANAO also released its updated Better Practice Guide on Fraud Control in Australian Government Entities (the Fraud Control BPG).
Audit objective and approach
1.13 The audit objective was to examine the selected entities’ effectiveness in implementing entity-wide fraud control arrangements, including compliance with the requirements of the 2011 Commonwealth Fraud Control Guidelines (2011 Guidelines), and the overall administration of the fraud control framework by the Attorney-General’s Department (AGD).
1.14 To form a conclusion against the audit objective, the ANAO adopted the following high-level criteria:
- the selected entity implemented the applicable mandatory requirements of the 2011 Guidelines;
- the selected entity implemented, on a risk basis, appropriate:
  - strategies to prevent fraud, train staff and raise internal awareness; and
  - processes to monitor, evaluate and report on fraud control arrangements; and
- AGD effectively administered the fraud control framework and supported entities, as required by the Guidelines, following release of the 2011 Guidelines.
1.15 In addition to examining AGD’s overall administration of the fraud control framework, the ANAO examined the department’s implementation of the ANAO’s most recent performance audit on fraud control (Table 1.1).30 Further, the ANAO examined the relationship between AGD and the Australian Institute of Criminology (AIC)31, relating to the production of two annual reports to government: Fraud Against the Commonwealth (Fraud Report); and Compliance with the Commonwealth Fraud Control Guidelines (Compliance Report).
| Recommendations | |
| --- | --- |
| Recommendation No. 1 | The ANAO recommends that the Attorney-General’s Department, in its review of the Commonwealth Fraud Control Guidelines (the Guidelines), takes the opportunity to: |
| Recommendation No. 2 | The ANAO recommends that agencies reassess their fraud risks and, where appropriate, the effectiveness of existing fraud control strategies, when undergoing a significant change in role, structure or function, or when implementing a substantially new program or service delivery arrangement. |
Source: ANAO Audit Report No.42 2009–10 Fraud Control in Australian Government Agencies.
1.16 The audit did not examine the selected entities’ actions following a decision to investigate possible fraudulent activities. Nor did the audit examine the role of the Australian Federal Police (AFP) or the Commonwealth Director of Public Prosecutions in investigating allegations of fraud and conducting prosecutions.
1.17 Separately, the ANAO is conducting a performance audit of Austrade’s Export Management Development Grants (EMDG) program, including its fraud control arrangements. The current audit is focussed on Austrade’s entity-wide arrangements, and did not examine the administration of the EMDG except to the extent of its alignment with Austrade’s overarching governance framework for fraud control.
1.18 In conducting this audit, the ANAO: interviewed relevant officers in each of the selected entities, AGD and the AIC; examined relevant documentation, controls and systems; and examined whether entities had regard to better practice as discussed in the ANAO’s 2011 Fraud Control BPG.
1.19 The audit was conducted in accordance with the ANAO auditing standards at an approximate cost to the ANAO of $491 296.
The selected entities
1.20 The audit was conducted in four Australian Government entities:
- Austrade;
- Comcare;
- DVA; and
- AGD.
1.21 Table 1.2 summarises the roles and activities of the selected entities.
| Audited entity | Role |
| --- | --- |
| AGD | The Attorney-General’s portfolio provides expert advice and services on a range of law and justice, national security and emergency management issues. AGD is responsible for coordinating fraud control policy, including: |
| Austrade | Austrade advances Australia’s trade, investment, tourism and education promotion interests through information, advice and services to business, the education sector and governments in developing international markets. Austrade also provides consular and passport services in specific locations overseas. |
| Comcare | Comcare partners with workers, their employers and unions to keep workers healthy and safe, and reduce the incidence and cost of workplace injury and disease. It is also responsible for managing Commonwealth common law liabilities for asbestos compensation. |
| DVA | DVA is the entity with primary responsibility for developing and implementing programs that provide services and support to the veteran and defence force communities. DVA provides programs of care, compensation and commemoration for eligible customers. |
Source: ANAO summary from entities’ Portfolio Budget Statements and Annual Reports.
1.22 Table 1.3 provides further information about Austrade, Comcare and DVA, to establish the context in which their fraud control arrangements operate.
| | Austrade | Comcare | Department of Veterans’ Affairs |
| --- | --- | --- | --- |
| Entity type during course of the audit | FMA Act | CAC Act | FMA Act |
| Key fraud risks | | | |
| Number of staff (as at June 2013) | 1003 | 712 | 2058 |
| Number of staff dedicated to Fraud Control Areas (as at June 2013) | 8 | 6 | 16 |
| Appropriation in millions (for 2013–14) | $318.9m | $897.5m (A) | $12 429m |
| Geographic location | Worldwide locations, major offices in Sydney and Canberra. | Offices in most states and territories. | Offices in every state, major offices in Canberra and Queensland. |
Source: ANAO summary from agencies’ Portfolio Budget Statements, Submissions to the AIC and Annual Reports.
Notes: A: Comcare was not directly appropriated due to its status as a CAC Act entity. Appropriations were made to the Department of Education, Employment and Workplace Relations, and subsequently paid to Comcare.
Structure of the report
1.23 The discussion of the audit findings in this report is presented in four chapters, as outlined in Table 1.4.
| Chapter | Issues examined |
| --- | --- |
| 2. Whole-of-Government Arrangements for Fraud Control | This chapter examines whole-of-government arrangements for the administration of fraud control, including reporting by AGD on compliance with the Fraud Control Guidelines. |
| 3. Preventing Fraud | This chapter examines the selected entities’ fraud prevention strategies, including governance, risk assessment, communication, training and key internal controls. |
| 4. Detecting and Responding to Fraud | This chapter examines whether the selected entities have effective systems and processes in place designed to detect and respond to instances of fraud. |
| 5. Monitoring and Reviewing Fraud Control Arrangements | This chapter examines whether the selected entities have effective processes for monitoring and reviewing their fraud control arrangements. |
Source: ANAO.
2. Whole-of-Government Arrangements for Fraud Control
This chapter examines whole-of-government arrangements for the administration of fraud control, including reporting by the Attorney-General’s Department on compliance with the Fraud Control Guidelines.
Introduction
2.1 The Commonwealth Fraud Control Guidelines (the Guidelines) were issued by the then Minister for Justice in 2011. The Guidelines set out the following whole-of-government roles32:
- the Australian Federal Police are responsible for investigating serious or complex crime against the Commonwealth, which can include both internal and external fraud;
- the Commonwealth Director of Public Prosecutions is responsible for conducting the prosecution of offences relating to breaches of Commonwealth law; and
- the Attorney-General’s Department (AGD) is responsible for developing high-level policy advice to government in relation to the Commonwealth’s fraud control arrangements, and for the whole-of-government administration of the Guidelines. These responsibilities include producing an Annual Compliance Report and in conjunction with the Australian Institute of Criminology (AIC), producing the Annual Report to Government: Fraud Against the Commonwealth—both reports are mandated by the Guidelines and are to be provided to the Minister for Home Affairs.33,34
The Attorney-General’s Department
2.2 As discussed, AGD is responsible for administering the Guidelines and whole-of-government fraud control policy, including:
- providing policy advice to government on fraud control issues;
- advising entities on fraud control; and
- reporting to government on fraud control.
Advice to government
2.3 The whole-of-government framework for fraud control is documented in policy and guidance which has been regularly updated. The responsible Minister issued fraud control Guidelines under the FMA Act and Regulations in 2002 and again in 2011, and as discussed below, revised guidance was released in 2014 to coincide with the operation of the new fraud control framework under the PGPA Act and rules.
2.4 The department has also sought to address specific issues relating to the operation of the framework. For example, the ANAO’s 2009–10 performance audit of Fraud Control in Australian Government Agencies recommended that AGD continue to work with the Department of Finance to clarify which Commonwealth Authorities and Companies Act 1997 (CAC Act) bodies were subject to the Guidelines.35 AGD agreed to the recommendation and initiated a review in 2011 relating to the application of the Guidelines to CAC Act entities. In the course of this audit, AGD advised the ANAO that it commenced work to develop a Government Policy Order aimed at enabling the mandatory application of the Guidelines to CAC Act entities; an initiative with the potential to close a gap in the Commonwealth’s fraud control framework, as CAC Act entities were not subject to the Guidelines.
2.5 Work on the draft General Policy Order was suspended in 2012 due to the development of a revised Commonwealth resource management framework, later introduced by the PGPA Act, and related work on the fraud control framework in that context. In December 2013, AGD advised the ANAO that:
AGD has been an active participant in the development of a draft framework to address fraud control under the PGPA Act. This has involved consultation across a wide range of agencies including through the governance framework of committees established by [the Department of Finance] to oversee the development of the Commonwealth’s new financial management framework. Finance has also publicly consulted on the draft fraud rule which will underpin fraud control under the PGPA framework. The rule sets out the key principles of fraud control from the Guidelines to ensure continued appropriate fraud control measures. The rule is supported by guidance material drawn from the detail of the Guidelines. The rule and guidance material have gone to the Joint Committee on Public Accounts and Audit as part of its enquiry into the PGPA Act.36
Work on the new fraud framework is continuing. AGD is reviewing the content of the Guidelines in developing guidance material to support the new fraud rule. AGD is consulting with PGPA Act and fraud stakeholders in the development of this guidance. Consideration may also be given to elements of the guidance which would benefit from elevation to a policy.
2.6 The basis of the fraud control framework altered from 1 July 2014, when the FMA Act and Regulations were replaced by a new Fraud Rule made pursuant to the Public Governance, Performance and Accountability Act 2013 (PGPA Act).37 The 2011 Guidelines were also replaced on 1 July 2014 by a Guide38 issued by the Minister for Justice under the Fraud Rule, and a Commonwealth Fraud Control Policy.39 AGD continues to administer the fraud control framework.
2.7 In the context of the new resource management framework operating from 1 July 2014, and related changes to government policies such as the Fraud Control Guidelines, a key responsibility for AGD will be to support entities’ transition to the revised fraud control framework.
Advising entities
2.8 To date, providing advice on fraud control to entities and collaborating across Commonwealth and law enforcement agencies has been a means for AGD to share information and resources and inform its whole-of-government policy advising and reporting roles.
2.9 In its 2009–10 audit on Fraud Control in Australian Government Agencies, the ANAO recommended that AGD consider establishing an approach for the provision of fraud control advice and information to entities, particularly to smaller sized entities, that facilitates the provision and exchange of practical fraud control advice.40 AGD agreed to the recommendation and subsequently developed two websites to support and advise entities: Govspace and Govdex. AGD also maintains a specific fraud enquiry email address which facilitates entity requests for advice on fraud control matters.
2.10 Govspace is a publicly available website which aims to: provide advice on how to report fraud against the Commonwealth; promote awareness among public sector employees and the public on fraud issues; and provide links to fraud related publications.
2.11 The Govdex website is password protected, and can only be accessed by Australian Government staff involved in fraud control. The website aims to: provide a platform for entities to share information not suitable for the public domain such as fraud risk assessments and fraud control plans; to identify key fraud control contacts across entities; and allow fraud control staff to access classified advice on fraud control.
2.12 AGD advised the ANAO that Govdex will be updated to reflect the revised fraud control framework, including the Fraud Rule, Fraud Policy and Fraud Guidance and an explanation of how elements of the framework interact and apply to entities. AGD also advised that it would be using Govdex to release an electronic whole-of-Government e-learning fraud awareness package for all Commonwealth entities.
2.13 The fraud managers at Comcare and DVA advised the ANAO that they had found the Govdex and Govspace websites useful, and had used the websites to: obtain contact details for other entities; review fraud control plans; and review other entities’ fraud control arrangements. While Austrade had not previously utilised the Govdex or Govspace websites, it established access to Govdex on 19 June 2014.
2.14 AGD has also established several useful channels to enable collaboration across government on fraud control issues, including:
- the Commonwealth Fraud Control Network—a cross-entity network of fraud control officers. The Network aims to assist with communication between entities on fraud control matters and communication on fraud matters; and
- the Fraud Liaison Forum—an annual forum open to all fraud control officers, co-hosted by AGD and the Australian Federal Police. The forum aims to provide a vehicle for discussing key fraud control issues, and networking between fraud control officers.
2.15 Effective use of the communication and networking channels will help support entities in their transition to the revised fraud control framework under the PGPA Act.
2.16 AGD has provided further support and training to entities through workshops and seminars on fraud control matters, as well as participating in fraud control groups formed by other entities. These initiatives have included:
- CAC Act entity awareness raising (December 2011)—as part of the development of the Government Policy Order to apply the Guidelines to CAC Act entities (see paragraph 2.4);
- a fraud control plan workshop (March 2012)—targeting smaller entities with limited resources to develop fraud control plans;
- a risk assessment workshop (May 2012)—targeting small to medium size entities with existing but limited fraud control capacity. The aim of the workshop was to identify best practice and facilitate sharing of information and practices within similar entities;
- multiple workshops to review investigator training under the Certificate IV in Government investigations in 2012–13;
- information sessions and workshops on the new Commonwealth Fraud Control Framework;
- assistance to the Australian Federal Police to run Commonwealth Agency Investigator Workshops; and
- a whole-of-Government e-learning fraud awareness training package to assist entities to understand the new fraud framework and meet their obligations under the PGPA Act.
2.17 Of the selected entities, Comcare advised the ANAO that its personnel had attended some of the workshops and sessions provided by AGD and stated that these sessions had been
… useful to understand the approaches that other agencies adopted to develop risk assessments. [The workshop] enabled us to build ongoing relationships with other agencies and share information on common risks and controls.
2.18 DVA and Austrade advised that they had not attended any of the workshops or sessions provided by AGD.
Reporting to government
2.19 AGD’s whole-of-government role includes administering the collection, analysis and reporting of key information to government on the level of fraud within entities; and the effectiveness of fraud control policy and measures. The engagement activities discussed in the previous section provide a basis for AGD to keep abreast of developments within entities and in the broader environment, so as to advise entities and government. In addition, the Guidelines provide for the preparation of annual fraud and compliance reports41 which are the main channel through which the Government is informed of the current status of fraud control arrangements, including entities’ compliance with the Guidelines and the level of fraud detected within entities.
2.20 Preparation of the reports is partly a shared responsibility between AGD and AIC. The Guidelines state that:
The AIC, in consultation with the AGD and AFP, will provide an annual report on fraud against the Commonwealth and fraud control arrangements in Australian Government agencies to the Minister for Home Affairs.42 This report will also be provided to Ministers, Presiding Officers and Chief Executives…
The AGD will also provide an annual compliance report to Government, through the Minister for Home Affairs, on whole-of-Government compliance with the requirements of the Guidelines.43
2.21 Preparation of the annual fraud and compliance reports is discussed in the following section.
Annual fraud and compliance reports
Fraud against the Commonwealth Report
2.22 To support AGD and AIC in producing the Fraud Against the Commonwealth Report, the Guidelines require entities to:
... collect information on fraud and provide it to the AIC by 30 September each year to facilitate the process of annual reporting to Government…This includes incidents of suspected fraud, incidents under investigation, and completed incidents, whether the fraud was proved or not, and whether the incident was dealt with by a criminal, civil or administrative remedy.44
2.23 The Guidelines also require AGD and AIC to work in consultation with each other, and other entities, to develop the survey material sent to the entities to collect data for the Report.45 However, there is no formal agreement between AGD and AIC to support the preparation of the annual report, and there would be benefit in the entities entering into such an arrangement to support the timely preparation of the report—which has been problematic in recent years.
2.24 The ANAO examined the release date of the Fraud Against the Commonwealth Report since its inception, and found that there was not a consistent annual cycle for the publication of the report (Table 2.1).
| Financial year of report data | Agency responsible for the report (A) | Report publicly released? | Date report was sent to the Minister or published | Time elapsed since previous report |
| --- | --- | --- | --- | --- |
| 2002–03 | AGD | No | February 2004 | — |
| 2003–04 | AGD | No | December 2004 | 10 months |
| 2004–05 | AGD | No | July 2006 | 19 months |
| 2005–06 | AGD | No | March 2007 | 9 months |
| 2006–07 | AIC | No | September 2008 | 16 months |
| 2007–08 | AIC | No | November 2009 | 14 months |
| 2008–09 | AIC | Yes | April 2011 | 17 months |
| 2009–10 | AIC | Yes | March 2012 | 11 months |
| 2010–11, 2011–12 (B) | AIC | Proposed | Not yet released | At October 2014, 31 months |
Source: ANAO summary of data from AGD.
Notes:
A: In 2007, responsibility for preparing the annual Fraud Against the Commonwealth Report was transferred from the Attorney-General’s Department (AGD) to the Australian Institute of Criminology (AIC).
B: AGD advised the ANAO that it would be releasing the findings for these two financial years in one report.
2.25 Further, AIC has not produced the report since the introduction of the 2011 Guidelines, and subsequently the Government has not had the benefit of a consolidated report—including information on the number of suspected fraud incidents, the response to these incidents by reporting entities, and if any legal remedies had been sought in response to these incidents—for three consecutive years. AGD advised the ANAO on 7 December 2013, that the report had not been produced due to ‘new reporting requirements and changes to the survey in 2011 [which] led to delays in the AIC collecting and collating data on the survey.’
2.26 Notwithstanding the continued delays in releasing the report, entities were required to annually submit information to AGD for inclusion in the report. The three entities examined in this audit advised the ANAO that the annual compilation of this information was a significant administrative task, particularly in a resource constrained environment.
2.27 The annual consolidation of current and reliable information on fraud was intended to enable the Government and entities to monitor and respond to emerging risks, threats and other developments in a timely manner. The failure to provide the Minister for Home Affairs and Parliament with the Fraud Against the Commonwealth Report for some three years, is a shortcoming in the overall administration of the fraud control framework. Delays have come at a cost to all entities which are required to provide annual input to the report, and have meant that the government has not had the benefit of annual reporting on key trends and developments.
2.28 In its 2009–10 audit report, the ANAO recommended that AGD consult with the AIC and consider approaches that will allow the AIC to collect, analyse and disseminate fraud trend data on a more consistent basis. In the context of the current audit, AGD advised the ANAO that:
… it had consulted with AIC which has led to improvements in the fraud control survey and the analysis of fraud data.46
Annual Compliance Report
2.29 The Guidelines also require AGD to provide the Government, through the responsible Minister47, with an ‘annual compliance report…on whole-of-government compliance with the requirements of the Guidelines’.48 As with the Fraud Against the Commonwealth Report, the compliance report has not been prepared annually as required by the Guidelines. In the absence of a current publicly available report, on 28 February 2014 AGD provided the ANAO with a draft Annual Compliance Report, which contained a summary of some findings taken from the 2010–11 and 2011–12 AIC survey response (see Appendix 4).
2.30 A significant finding reported in the draft Annual Compliance Report (2010–11 and 2011–12) is that, in 2011–12, most entities which were non-compliant with the risk assessments or fraud control plan requirements were either new entities or entities that were previously CAC Act entities. The draft Annual Compliance Report also identifies that between 2010–11 and 2011–12, the percentage of FMA Act entities responding to the AIC survey had dropped from 94.2 per cent to 87.4 per cent, but does not specify any reason for the decrease in the response rate by entities.
2.31 On 8 July 2014, AGD advised the ANAO that:
… the Compliance Report was delayed and not prepared annually for the years from 2011–13 as [AGD] did not receive the necessary data from the AIC in order to produce the report on time. When [AGD] received the relevant data in 2013 for the 2010–11 and 2011–12 financial years, [AGD] combined it to produce a report for those years. [AGD] are yet to receive data for the 2012–13 financial year.
2.32 As discussed, no formal business arrangements exist between AGD and AIC relating to the preparation of the two reports. To strengthen their relationship, AGD should consider negotiating formal arrangements with AIC focussing on the timely preparation of the reports on an annual basis.
Recommendation No.1
2.33 To facilitate the timely preparation of the annual Fraud Against the Commonwealth Report and the annual Compliance Report to Government, the ANAO recommends that the Attorney-General’s Department formalises its business arrangements with the Australian Institute of Criminology.
AGD response:
2.34 Agreed. AGD recognises the importance of the trend data in the Annual Fraud Against the Commonwealth Report and the Report on Compliance with the Commonwealth Fraud Control Guidelines for informing policy and program approaches to fraud at an entity and whole of government level. AGD is working with the AIC to formalise arrangements for the production of these reports and provision of relevant data from the AIC to AGD.
Conclusion
2.35 AGD’s overall administration of the Australian Government’s fraud control framework has been generally effective. The department administers a well-developed whole-of-government framework for fraud control which includes: documented policy and guidance which has been regularly updated; clear assignment of the respective roles and responsibilities of AGD and entities; and identified points of co-ordination. The framework is supported by whole-of-government advisory arrangements intended to inform government and entities of key developments, and formal mechanisms to support and maintain communication with entities on policy and other developments.
2.36 Key communication and advisory mechanisms include the Commonwealth Fraud Control Network and Fraud Liaison Forum, as well as online channels such as dedicated fraud control Govdex and Govspace websites. During 2011–13, AGD conducted training workshops for key personnel and seminars to assist entities with establishing and maintaining appropriate fraud control arrangements; an approach intended to support entities in transitioning to the more contemporary, risk-based and preventative approach to fraud control promoted in the 2011 Guidelines.
2.37 The 2011 Guidelines required AGD, in cooperation with the Australian Institute of Criminology (AIC), to produce two key reports annually—Fraud Against the Commonwealth (the Fraud Report) and Compliance with the Commonwealth Fraud Control Guidelines (the Compliance Report).49 These whole-of-government reports are intended to inform government and relevant entities of: the level of fraud detected within the Commonwealth; entities’ compliance with the Guidelines; and the effectiveness of fraud control policies and measures. While the reports are meant to be submitted annually, AGD has only done so three times in the past ten years; and the remaining reports were submitted between two and 26 months late. Further, the Fraud Report due in 2010–11 has not yet been submitted—some three years after the due date—and at the time of this audit there was no indication when it (and the reports for 2011–12 and 2012–13) would be made available to government. Nonetheless, entities have continued to face compliance costs involved in providing annual information updates for inclusion in the reports, while the Australian Government and its entities have not had the benefit of annual reporting on key trends and developments.
2.38 AGD and AIC should establish a formal arrangement to facilitate the timely preparation and submission of the Fraud and Compliance Reports to government.
3. Preventing Fraud
This chapter examines the selected entities’ fraud prevention strategies, including governance, risk assessment, communication, training and key internal controls.
Introduction
3.1 Well designed and implemented strategies to prevent fraud are the first line of defence and provide the most cost-effective method of fraud control in an organisation.50 A number of elements are necessary for effective fraud prevention, including: senior leadership which promotes an ethical internal culture; an appropriate level of awareness about fraud-related issues among staff and contractors; a risk-based approach to identifying, assessing and treating risks; and well-designed and implemented internal control measures.
3.2 Fraud control within the Commonwealth public sector has evolved in recent years from having a largely compliance focus to now being considered a core element of corporate governance. The Commonwealth Fraud Control Guidelines (the Guidelines), for example, highlight the role of entity Chief Executive Officers (CEOs) in developing a ‘strong fraud prevention culture within their agencies.’51 Similarly, the ANAO’s Better Practice Guide on Fraud Control in Australian Government Entities (the Fraud Control BPG) highlights the importance of leadership and organisational culture to the success of fraud control, and identifies the benefits of moving from the more traditional compliance-based approach to fraud control, to a contemporary approach.52
3.3 The traditional approach views fraud control as a compliance function, where a series of mandatory processes are undertaken by the entity in isolation of one another. The more contemporary approach recognises that an entity’s fraud control framework is most effective if fraud control strategies are integrated, supported by an entity’s culture, and effectively overseen. Table 3.1 contrasts the traditional and contemporary approaches.
| Traditional fraud control | Contemporary fraud control |
|---|---|
| Fraud risk assessment is a static document only updated every two years. | Fraud risk assessment is a living document which is updated through regular, targeted risk assessments. |
| Fraud control plan is updated and ‘filed’ until the next biennial review. | Ongoing fraud control where the fraud control plan is a living document, which is updated in lieu of fraud risk assessments. |
| Fraud control plan is owned and managed by the Fraud Manager. | Fraud control plan is ‘owned’ by the Executive. An entity’s Audit Committee provides independent assurance and advice to the CEO/Board on the operation of key controls and the fraud control plan to the extent that it is within its charter. The fraud control plan is managed by the Fraud Manager and referenced by all levels of management. |
| Program development and delivery is not referenced by the fraud control plan, and programs do not consider fraud control at key stages in the program life cycle. | Fraud control plan informs fraud risk assessment and fraud control strategies for key stages in the program life cycle, particularly in program design. |
| Fraud awareness training is delivered to new staff at induction. | Fraud awareness training is sponsored by the Senior Executive and conducted regularly under a risk-based approach. |
Source: ANAO Better Practice Guide—Fraud Control in Australian Government Entities, March 2011, Canberra.
3.4 Central to the contemporary approach are four key fraud control strategies: prevention; detection; response; and monitoring, evaluation and reporting. These strategies are interdependent and should be subject to a cyclic process of review and enhancement (see Figure 3.1).53
Source: ANAO Better Practice Guide, Fraud Control in Australian Government Entities, March 2011, Canberra.
3.5 The ANAO examined whether the selected entities had:
- an effective governance structure in place for the administration of the organisation’s fraud control arrangements, including that roles and responsibilities for fraud issues were clearly articulated;
- regularly assessed and monitored fraud risks;
- developed and implemented a comprehensive and contemporary Fraud Control Plan;
- developed and widely communicated an informative fraud policy statement;
- promoted fraud awareness and provided relevant training to key personnel; and
- implemented key internal controls designed to prevent fraud or reduce the risks of fraud, and assessed whether the controls were operating as intended.
Governance
3.6 A contemporary approach to fraud control places effective governance at the centre of an entity’s fraud control arrangements. The 2011 Guidelines emphasised the role of the CEO in building a strong fraud prevention culture and making fraud control strategies an integrated part of their entity’s processes and practices.54 The Guidelines also highlighted the need for CEOs to satisfy themselves that their entity complied with the mandatory requirements of the Guidelines; a process generally relying on effective governance, administrative and oversight arrangements.
3.7 The importance of appropriate governance arrangements and leadership oversight are also key themes of the Fraud Control BPG. An entity’s executive leadership should ensure business processes, internal and external controls are established which reflect the entity’s risk exposure. These should be complemented by frameworks which allow for the effective monitoring and reporting of fraudulent activities, and the entity’s response.55 Figure 3.2 illustrates an example of an effective fraud governance structure.56
Source: ANAO Better Practice Guide—Fraud Control in Australian Government Entities, March 2011, Canberra.
Governance and administrative arrangements
3.8 The selected entities’ governance and administrative arrangements are discussed in the following paragraphs.
Austrade
3.9 Austrade has implemented governance and internal administrative arrangements intended to address specific risks within the entity. At a whole-of-entity level, the fraud control function is administered by the Fraud Control Section located in the Legal, Procurement and Fraud Branch. In addition, the Export Management Development Grant (EMDG)57 branch had its own specific fraud control unit. Austrade advised the ANAO that EMDG had its own fraud control function due to the high fraud risk associated with this program (Figure 3.3).
Source: ANAO summary of Austrade Organisation Chart.
Notes: A: Until 1 July 2014, Group Manager, Legal, Security and Procurement.
3.10 Austrade considers EMDG to be its major fraud risk, an assessment arising from the nature of the scheme, which involves the payment of grants to Australian businesses to develop export markets for their products.58 Austrade further advised that EMDG has a dedicated Special Investigation Unit which is used on occasion to investigate suspected fraud in other areas of Austrade.59
3.11 While the split of fraud control functions between the EMDG Branch and the entity’s Fraud Control Section is deliberate, and is intended to help manage specific risks relating to the EMDG scheme, such an arrangement can present challenges in developing and implementing an integrated fraud control strategy across the entity. Austrade advised the ANAO that the fraud control function and the reporting of fraud is centralised to the role of Chief Counsel, Legal, Procurement and Fraud. Nonetheless, Austrade continues to report separately, to the Audit Committee and CEO, on the EMDG program and other entity fraud activities. Further, the ANAO’s interviews with Austrade’s fraud control staff indicated that the central Fraud Control Section—which is responsible for Austrade’s overall fraud control strategy—was often not aware of fraud issues within the EMDG, contributing further to the risk of fragmentation in fraud control arrangements. There would be benefit in considering an approach involving more structured cross-communication between fraud units, to strengthen coordination arrangements.
3.12 Austrade’s CEO set out the entity’s approach to fraud control through the Chief Executive’s Instructions (CEIs)60, and the Fraud Control Plan is endorsed by the Audit and Risk Committee, prior to final approval by the CEO. At present, Austrade’s Executive is informed of the entity’s fraud issues through the Audit and Risk Committee which, as discussed, obtains separate reports on fraud from both the EMDG branch and the Fraud Control Section.61
3.13 In the course of the audit, Austrade advised the ANAO that an internal review of fraud control arrangements will examine consistency with the Guidelines and ANAO Better Practice Guide, and address the risk of fragmentation between fraud management arrangements for EMDG and other parts of Austrade.
Comcare
3.14 In 2012, Comcare commenced a restructure of its fraud control governance and operations to better reflect the more contemporary approach to fraud management. At the time of the ANAO’s fieldwork for this audit, Comcare was in the final stages of this restructure (Figure 3.4).
Source: Comcare Fraud Control Plan 2013–15.
3.15 Comcare advised the ANAO that its restructure was driven by the entity’s CEO and senior executives, and aimed to establish a culture of fraud awareness at all levels of the entity, with fraud control forming a key component of Comcare’s governance structure.
3.16 Under the revised arrangements, overall coordination of fraud control within Comcare is the responsibility of the Director of Governance, Audit and Risk, and the entity’s Fraud Prevention Officer reports to the Director. Fraud Operations Teams are located in all of Comcare’s Divisions and are responsible for fraud prevention; detection; investigation and monitoring activities. The Fraud Prevention Officer has the role of coordinating and assisting Fraud Operations Teams in identifying fraud risks and implementing controls. Overall, the new structure facilitates a coordinated and entity-wide approach to fraud control.
3.17 While day-to-day responsibility for fraud control within Comcare is delegated to the Director of Governance, Audit and Risk, the CEO and Executive continue to play a key role. Comcare’s Executive Committee is responsible for endorsing the entity’s Fraud Control Plan, prior to presenting it to the CEO for final approval. Fraud Operations Teams are also required to report directly to the CEO and Deputy CEO on sensitive fraud related issues as they arise.
DVA
3.18 DVA commenced a significant restructure of its fraud control governance and operational arrangements in August 2013. During the ANAO’s fieldwork, the restructure was still in its initial stages, although significant progress was being made by DVA to reform its fraud control operations. DVA’s revised structure for fraud control is illustrated in Figure 3.5.
Source: Department of Veterans’ Affairs Fraud Control Plan 2012–14.
3.19 Prior to commencing the restructure of fraud control arrangements, DVA’s fraud control functions were heavily focused on investigating fraud, with scope for an improved balance between the investigation function and the prevention and monitoring functions. DVA advised the ANAO that ‘there were opportunities to improve fraud control by working more closely with business units to harness operational intelligence’—an essential first step in developing effective fraud control strategies, particularly in relation to fraud prevention.
3.20 DVA advised the ANAO that the restructure of its fraud operations was driven by its Senior Executive, and Audit and Risk Committee. The restructure aims to incorporate fraud control as a key element of DVA’s governance structure, with an emphasis on fraud prevention aligned with the entity’s key business risks. DVA’s Audit and Risk Committee is responsible for endorsing the entity’s Fraud Control Plan, prior to presenting it to the Secretary for final approval. The Compliance Section is required to report directly to the Secretary, Deputy Secretary, and other senior executives on sensitive fraud related issues as they arise.
The fraud manager
3.21 A designated fraud manager provides a clear line of responsibility for the coordination, monitoring, review and promotion of an entity’s fraud control framework. Entities with considerable fraud risk may also establish a specialist fraud unit, under the direction of the fraud manager, to assist in such activities as fraud prevention and response.62 The ANAO examined the role of the fraud manager in each of the selected entities.
| Entity | Fraud manager | Responsibilities |
|---|---|---|
| Austrade | Yes | The Fraud Control Liaison Officer had dual roles, also acting as the entity’s security adviser with a coordinating role for the fraud risk assessment and fraud control planning activities for most of Austrade’s business units. However, due to the high fraud risk associated with the EMDG program, Austrade advised that the EMDG Division of Austrade undertakes its own fraud control administration. |
| Comcare | Yes | Director Governance, Audit and Risk had central coordination responsibilities for Comcare’s fraud control framework. |
| DVA | Yes | The Director Business Compliance Section had a central coordination, monitoring, review and promotion role for DVA’s fraud control framework. The Officer is located in DVA’s Parliamentary and Governance Branch. |
Source: ANAO.
3.22 Each entity had a designated fraud manager. The fraud managers for Comcare and DVA had overarching responsibility for coordinating and monitoring their entity’s fraud risk. In contrast, Austrade’s arrangements had two fraud managers in respect to the EMDG program and Legal, Procurement and Fraud Division, reflecting the administrative arrangements outlined in paragraphs 3.10–3.12 above. As discussed, the risk of fragmentation in fraud control arrangements requires ongoing management, including through appropriate consultative and communication processes between internal fraud units and managers.
The audit committee
3.23 The role of the audit committee in relation to fraud includes: reviewing the entity’s risk management framework to provide assurance that it addresses the entity’s business risks—including fraud risks; and providing oversight of the development of the entity’s fraud control plan.63 The ANAO examined the selected entities’ audit committee charters in respect to fraud control.
| Entity | Comments |
|---|---|
| Austrade | Austrade’s Audit and Risk Committee charter tasks the Committee with reviewing whether the entity has in place a framework and process for the identification of risk, including fraud. The Committee is also responsible for: reviewing the entity’s fraud control arrangements; providing assurance that these arrangements are effective in detecting, capturing and responding to fraud; and reviewing reports pertaining to the level of fraud within the entity, and the status of ongoing fraud investigations. |
| Comcare | Comcare’s Audit Committee has overarching responsibility for reviewing the entity’s risk management framework, and providing advice on the entity’s fraud control plan including strategies for the detection, capture and response to fraud. The Audit Committee is also responsible for: reviewing the level of fraud within Comcare; reviewing whether management’s approach to dealing with fraud is appropriate and contributes to embedding a culture that promotes ethical and lawful behaviour; and providing an annual report to the CEO assessing Comcare’s risk and control framework. |
| DVA | The DVA Audit and Risk Committee (ARC) has responsibility for reviewing DVA’s risk management and the control and compliance framework. To assist in these functions, the ARC established the Risk and Integrity Sub-Committee (RISC). The RISC advises the ARC on: |
Source: ANAO analysis.
3.24 In summary, each of the audit committee charters made provision for the committee to review and advise on risk management, including in relation to fraud control. In addition, the Austrade, Comcare and DVA committees were asked to provide regular reports to the CEO or Secretary on fraud matters.
Risk management
3.25 The identification, assessment and treatment of risks is a core element of effective fraud control, and can provide a sound basis for the development of a fraud control plan and associated strategies and activities to minimise the opportunities for fraud to occur.64 A risk-based approach enables an entity to target its resources, both in prevention and detection, at key problem areas.65
3.26 An entity’s potential exposure to fraud is affected by the size of the entity, and the nature of the entity’s business66; as a consequence entities will generally face different fraud control issues and risks. The approach adopted to undertaking their fraud risk assessment can also influence the robustness of the outcome.
3.27 The ANAO examined whether:
- fraud risk assessments are conducted at least every two years, and also whenever the entity undergoes substantial change in structure or function, as required by the Guidelines;
- the process for developing the fraud risk assessment was well-designed, including being integrated into the entity’s enterprise or business risk management processes67; and
- accountabilities are in place for the management of fraud risks and each of the associated controls and risk mitigation measures.
Fraud risk assessments
3.28 Table 3.4 summarises the key findings for each entity’s fraud risk assessment process.
| Risk assessment (A) | Process | Outcome |
|---|---|---|
| Austrade | | |
| Every two years | Low level of response to request for fraud risk assessments with only two of twelve business units responding. | Risk assessment has limited whole-of-entity scope. |
| | No fraud risk assessment meetings with responsible business areas. | Fraud risks were not effectively identified, evaluated and analysed with the responsible business areas. |
| Comcare | | |
| Every two years | A detailed business process mapping document outlined processes for undertaking fraud risk assessments. | Clear linkage between fraud risk assessments and the broader entity risk assessment process. |
| | Fraud risk assessments were developed based on detailed business process map and methodology. | Fraud risk assessment clearly outlined risk categories, contributing factors and detailed risk mitigation strategies. |
| DVA | | |
| Every two years | Fraud risk assessment workshops were held with business areas, however, a restructure occurred shortly afterwards, and due to time limitations, follow-up risk assessment workshops were not held. Instead, business areas were asked to review and update their risks via email. | Fraud risks were identified through the initial workshops, however the risks needed to be re-examined more thoroughly to assess the impact of the restructure. |
| | Business areas used different matrices to assess their degree of fraud risk. | The legend in the fraud risk assessment does not allow for accurate interpretation of the inherent and residual risk ratings. |
Source: ANAO analysis.
Notes: A: The current fraud risk assessments (as documented in the Fraud Control Plans) for the selected entities are: Austrade (2013–15); Comcare (2013–15); and DVA (2012–14).
3.29 Austrade and DVA’s risk assessment processes limited the potential effectiveness of their respective risk assessments. Austrade’s risk assessment process was conducted on a two-yearly basis, consistent with the 2011 Guidelines. As part of that process, Austrade required its 12 business units to identify fraud risks and possible treatments; however, only two business units contributed. Austrade has advised that while the initial processes to develop the draft plan were not ideal, senior management intervention led to broader consultation and improvements in the process. It is by creating a shared responsibility for fraud control amongst staff and management at all levels that an entity is better placed to embed fraud control as part of its governance arrangements and culture.
3.30 DVA’s assessment processes, which did not include follow-up risk assessment workshops after an agency restructure, resulted in inconsistencies in measuring and compiling the entity’s risks. DVA advised the ANAO that it is developing a process to standardise the risk assessment process.
3.31 The whole-of-entity approach adopted by Comcare produced an integrated risk assessment, which identified and documented key risk mitigation activities, and clearly assigned accountability for managing risks.
Fraud Control Plans
3.32 The 2011 Guidelines required that, following their fraud risk assessments, entities develop a fraud control plan that addresses identified risks. Entities were also expected to have in place effective oversight arrangements for the development of their fraud control plans. Fraud control plans are not necessarily standalone documents, but can also be integrated into entities’ risk management plans or strategic business plans.
3.33 The Guidelines indicated that entity fraud control plans should address the individual needs of entities, and identify the strategic, tactical, and operational approach to fraud control; while the Fraud Control BPG identified key features of an effective fraud control plan.
3.34 The ANAO examined the selected entities’ fraud control plans against the mandatory requirements of the 2011 Guidelines and better practice as set out in the Fraud Control BPG (Table 3.5).
| | Austrade | Comcare | DVA |
|---|---|---|---|
| Mandatory requirements in the Guidelines | | | |
| A summary of fraud risks identified | Yes | Yes | Yes |
| Outline the key controls in place to address all identified high-rated fraud risks. | Yes | Yes | Yes |
| Assign ownership for the design, implementation and evaluation of identified fraud controls. | Yes | Yes | Yes |
| Detail how employees can report and respond to suspected fraud. | Yes | Yes | Yes |
| Outline how fraud is investigated within the organisation. | No | Yes | Yes |
| Include a summary of relevant awareness-raising and training strategies. | Yes | Yes | No |
| Information about the organisation’s fraud prevention, detection, reporting and investigation measures. | Yes | Yes | Yes |
| Better practice—Fraud Control BPG | | | |
| An outline of the structure of the organisation. | Yes | Yes | Yes |
| A statement of the organisation’s attitude, definition and approach to fraud. | Yes | Yes | Yes |
| Demonstrated links to an up-to-date risk assessment. | Yes | Yes | Yes |
| Reinforce the responsibilities that all employees have for fraud controls. | Yes | Yes | Yes |
| Establish performance indicators and related targets. | No | No | No |
Source: The Guidelines and Fraud Control BPG.
3.35 In summary, each of the selected entities developed and widely distributed a fraud control plan to employees and contractors, which generally reflected the entity’s identified overall business risks.
Austrade
3.36 Austrade’s Fraud Control Plan covered the period 2013–15, and addressed the mandatory requirements of the 2011 Guidelines. The Austrade document continued to adopt a traditional approach focussing primarily on compliance with the mandatory requirements of the Guidelines, with relatively limited consideration of prevention measures.
Comcare
3.37 Comcare prepared a concise fraud control plan covering 2013–15. It addressed the mandatory requirements of the 2011 Guidelines and the key better practice elements of the Fraud Control BPG. Overall, the Comcare Fraud Control Plan clearly articulated the entity’s approach to fraud control.
DVA
3.38 The DVA Fraud Control Plan covered the period 2012–14. It largely addressed the mandatory requirements of the 2011 Guidelines, but it did not include a summary of awareness and training initiatives. The document reflected DVA’s former approach to fraud control, with a heavy emphasis on the entity’s compliance framework. The document also incorporated the Enterprise Fraud Risk Assessment, and identified key strategic and tactical risks of the entity.
3.39 DVA advised the ANAO that it intended to base its future Fraud Control Plan on a more contemporary and strategic approach to fraud control. The department further advised that when combined with recent reforms to its fraud control operations, the revised Fraud Control Plan would support DVA’s transition from an approach focussing primarily on compliance and investigation, to a more balanced approach of addressing prevention, deterrence and detection.
Communicating fraud policies
Fraud Policy Statements
3.40 To foster an internal culture and environment that encourages fraud prevention and control, the 2011 Guidelines required entities to ‘prepare and widely distribute a fraud policy statement’.68 The Fraud Control BPG states that a fraud policy statement is typically part of other corporate documentation, such as Chief Executive Instructions69, and would assist employees to understand:
- what fraud is;
- their entity’s attitude to fraud; and
- what to do if they suspect fraud is being perpetrated.
3.41 The 2011 Guidelines also provided a list of typical inclusions of a fraud policy statement. The ANAO examined whether the selected entities had a current fraud policy statement, and whether entity statements in the fraud policy statement and other corporate documentation included the recommended elements of the Guidelines (Table 3.6).
| Content | Austrade | Comcare | DVA |
|---|---|---|---|
| Does the entity have a fraud policy statement? | Yes (A) | Yes (B) | Yes |
| Definition of fraud | Yes | Yes | Yes |
| Outline of the entity’s position on fraud | Yes | Yes | Yes |
| Entities’ commitment to investigating and prosecuting fraud or pursuing other effective remedies | Yes | Yes | Yes |
| A statement of employee and contractor responsibilities relating to the prevention and reporting of fraud and how fraud is to be reported | Yes | Yes | Yes |
| What employees and contractors should do if they suspect fraud has occurred | Yes | Yes | Yes |
| The consequences of acting fraudulently | Yes | Yes | Yes |
| An assurance that allegations and investigations will be handled confidentially | Yes | Yes | Yes |
| Directions as to how allegations/incidents of fraud are to be managed | No | Yes | Yes |
| Advice on where further information can be found | Yes | Yes | Yes |
Source: ANAO analysis.
Notes:
A: Austrade’s fraud policy statement was contained in Chief Executive Instruction No.13.
B: Comcare’s fraud policy statement was contained in the 2013–15 Fraud Control Plan.
3.42 Austrade and Comcare developed and distributed a fraud policy statement which was available to all employees and contractors. During the course of this audit DVA also developed a fraud policy statement, and advised the ANAO in June 2014 that it was available on the DVA intranet. Where the selected entities’ fraud policy statements did not contain all the recommended inclusions of the 2011 Guidelines, the missing details were included in other corporate documents such as the Fraud Control Plan and Chief Executive Instructions.
3.43 While acknowledging that an entity’s broader corporate documentation may usefully include information on fraud control, there is benefit in consolidating key policies and messages in a single fraud policy statement. A single, readily-accessible document is an effective means of communicating to staff the entity’s expectations and approach to fraud control.
Promoting fraud awareness
3.44 In his foreword to the 2011 Guidelines, the then Minister for Justice observed that ‘at the heart of the new Guidelines is an obligation on agency CEOs to build a strong fraud prevention culture within their agencies.’70 The development of a strong ethical culture goes hand-in-hand with other fraud prevention measures, and can be promoted through fraud awareness-raising and training:
While the legal and compliance obligations of FMA Act agencies and CAC Act bodies differ, the Australian community expects business in the public sector to be conducted ethically, displaying honesty, integrity, diligence, fairness, trust, and respect when dealing with others. For these reasons it is advisable that agencies, whether FMA Act or CAC Act, put mechanisms in place to assist and train their staff to understand ethical issues and develop the judgement and skills needed to deal appropriately with fraud or other misconduct.71
3.45 The 2011 Guidelines mandated that:
… all agency employees and contractors must take into account the need to prevent and detect fraud …
… agencies must implement a rolling program of regular fraud awareness raising and prevention training for all employees …
… fraud awareness should be included in all induction training programs …72
Training and information initiatives
3.46 A number of different approaches can be used by entities to deliver effective fraud awareness training and information.73 The Fraud Control BPG indicated that these approaches should be implemented on a ‘fit-for-purpose’ basis, taking into account the individual circumstances of the entity.74
3.47 Each of the selected entities had developed fraud awareness programs, including training and information for key internal staff. The approaches used by the selected entities are summarised in Table 3.7.
| Entity | Fraud awareness training offered at each entity |
|---|---|
| Austrade | |
| Comcare | |
| Department of Veterans’ Affairs | |
Source: ANAO analysis.
3.48 Austrade included fraud awareness training in the context of a broader annual policy refresher for staff, delivered through an online learning module, which all staff had completed during 2013. While a sound approach in principle, the online module contained one slide that related only indirectly to fraud control within Austrade, and was therefore an opportunity missed. Similarly, Austrade’s induction program for new staff provided limited coverage on aspects of fraud control and prevention within the entity, although the topic was also referenced in the ‘working ethically’ and ‘anti-bribery’ modules of the induction program.
3.49 In addition, Austrade usefully conducted a fraud awareness survey in late 2013, which resulted in three recommendations being made to improve training:
- review the fraud control awareness training currently provided by Austrade to ensure sufficient focus on the nature of fraud and corruption relevant to Austrade;
- include an emphasis in training and communications on the importance of reporting suspected fraud, even without complete evidence or where not completely sure if the matter is fraud; and
- consider conducting a review of training material, guidance and other information available to staff on fraud control with a view to consolidating this material and improving usability.
Austrade fraud awareness survey
In 2013, Austrade conducted a fraud awareness survey as part of its ongoing strategy to monitor employee awareness of fraud control arrangements. The survey aimed to identify a range of opinions and awareness levels of fraud activities within Austrade. The survey was distributed to all Austrade staff, and had a response rate of 76 per cent. The survey found that there was a high level of confidence in Austrade’s fraud control practices, and a preparedness to report a suspected incident of fraudulent or corrupt behaviour. However, the survey also highlighted that only 23 per cent of Austrade staff could correctly identify all the presented scenarios of improper practice as fraudulent or corrupt behaviour. This highlights the importance of continued education and awareness in the overall fraud control framework. The detailed findings of this survey are contained in Appendix 5.
3.50 Austrade advised the ANAO that in response to the fraud awareness survey, it planned to develop a training package aimed at all staff to increase fraud awareness. Austrade also advised that the training would be delivered to both local and internationally based staff, and would aim to address the key issues identified by the survey, including the definition of fraud, Austrade’s fraud control framework, and presenting a range of fraud scenarios. In addition, Austrade indicated that it conducts anti-bribery training specifically targeted at staff involved in areas of the entity which engage with both Australian and foreign businesses, and as at 20 June 2013, 105 Austrade staff had received this training during the 2013 calendar year.
3.51 Comcare had developed a comprehensive and multi-faceted strategy for promoting awareness of fraud control strategies within the entity. The Comcare induction program included a section on fraud awareness, and new employees were then required to complete the mandatory e-learning fraud module. In addition, Comcare’s fraud control plan indicated that the fraud-related content on the entity’s internet and intranet would be updated every six months and that fraud awareness forums would be provided to Comcare teams.
3.52 In previous years, DVA had a largely ad hoc approach to fraud awareness training. While the department had developed a non-mandatory e-learning course specifically aimed at raising fraud awareness in DVA staff, it was out-of-date and not promoted and, as a result, a low percentage of DVA employees have completed the course. Further, the fraud awareness training was not part of a ‘rolling program’ as mandated by the Guidelines. Of particular concern, DVA’s National Induction Program for new staff did not refer to fraud or any control measures for fraud prevention.
3.53 In the past year, DVA has sought to strengthen its fraud awareness program. It developed a three year fraud awareness training framework, aimed at developing, implementing and reviewing fraud awareness training including:
- a new fraud awareness e-learning module;
- a review of other e-learning modules that could contain fraud awareness topics (eg: Code of Conduct, Procurement and Purchasing and Financial Management);
- face-to-face training sessions when required; and
- fraud awareness as part of DVA’s National Induction Program.
3.54 While some of these new initiatives have now been implemented, most were still being developed during the course of the audit. Full implementation would improve and strengthen DVA’s approach to raising internal fraud awareness.
Training for fraud control employees
3.55 In addition to providing training to employees as a whole, entities must ensure that employees who are primarily engaged in detecting or investigating fraud meet the required fraud control competency requirements.75 It is also better practice that employees primarily engaged in risk assessments and planning activities acquire or possess relevant qualifications.76
3.56 The ANAO assessed whether relevant employees possessed the qualifications and credentials recommended in the 2011 Guidelines (Table 3.8).77
| Entity | Qualifications and/or credentials |
|---|---|
| Austrade | |
| Comcare | |
| Department of Veterans’ Affairs | |
Source: ANAO analysis.
3.57 As at December 2013, key staff involved in detecting or investigating fraud allegations in the selected entities could demonstrate that they held the minimum level of qualification.
3.58 Comcare and Austrade advised that key personnel in the Fraud Response Unit had undertaken further training and development to ensure the currency of their skills. This training included attendance at relevant conferences and additional interviewing, evidence gathering and case management training. DVA advised that professional development for its fraud investigators needed to be more tailored and specific to their needs, and the department was in the process of developing and implementing a training program to address this.
Key controls and other risk mitigation measures
3.59 ANAO audits of financial statements involve an independent examination of the financial accounting and reporting of public sector entities, including for each of the entities examined in this audit report. ANAO financial statements audits examine the key elements of internal control including entities’:
- control environment—to establish whether entities have implemented measures that contribute to sound corporate governance in relation to the preparation of financial statements;
- risk assessment processes—to establish whether entities are managing key risks specific to their environment, including fraud control;
- information systems—to establish the effectiveness of key information technology (IT) controls, including their design and operation;
- control activities—to establish the effectiveness of the operation of selected controls and practices designed to prevent fraud, or to mitigate against or reduce the risks of fraud; and
- monitoring of controls—to establish whether entities have implemented effective quality assurance arrangements, review processes and internal audit activities.
ANAO financial statements audit findings for Austrade, Comcare and DVA
3.60 In the 2012–13 financial statements audits, the ANAO found that there were no new significant or moderate audit issues in Austrade, Comcare, or DVA. However, in DVA, the ANAO reported two moderate issues which were ongoing from 2011–12, that, as of June 2014, had not yet been resolved (see Table 3.9).78
| Heading | Description of issue |
|---|---|
| Monitoring of user access | The ANAO’s 2011–12 interim audit phase identified a significant number of users who continued to have user access that resulted in inadequate segregation of duties within key payment systems. In addition, there was no monitoring of user access. As part of the 2013–14 interim audit phase, the ANAO identified that the number of users with these segregation of duties conflicts had been reduced to an acceptable level, and their work performed on the systems was being logged. However, there was still no monitoring of that work to ensure that privileged user access to relevant systems was being used appropriately. As a result, there is an increased risk of unauthorised actions by privileged users not being identified. |
| Quality assurance framework | During the 2011–12 audit, a number of weaknesses were identified in the QA framework relating to the Income Support and Rehabilitation and Compensation QA programs. In particular, the audit identified a lack of financial quantification of identified errors, inadequate segregation of duties within the IT application used for quality assurance, a lack of an audit trail for actions completed within this application, inadequate documentation of completed procedures, and the existence of errors not previously identified by the department. As remedial work was in progress at the time of the 2013–14 interim audit phase to address these issues, the ANAO will review the status of this work as part of its 2013–14 final audit phase. |
Source: ANAO Audit Report No.44 2013–14 Interim Phase of the Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2014.
Conclusion
3.61 Fraud control within the Commonwealth public sector has evolved in recent years, with a move away from the more traditional approach focused on compliance, detection and investigation towards a more contemporary approach which treats fraud control and prevention as core elements of corporate governance. The shift in orientation was strongly promoted through the 2011 Guidelines and was also reflected in the Fraud Control BPG. A key feature of the contemporary approach is prevention, with well-designed and implemented strategies to prevent fraud considered the most cost-effective approach to managing fraud risks.
3.62 Comcare approached fraud control as a key governance function. This approach was reflected in its adoption of an internal fraud prevention framework which included a fit-for-purpose and integrated fraud risk assessment process, and the development of a fraud control plan with a strategic focus on Comcare’s key fraud risks. As part of its prevention strategy, Comcare also implemented a compulsory and well-developed fraud awareness training program, which met the requirements of the Guidelines and provided staff and contractors with regular training to ensure skills and knowledge were up-to-date.
3.63 DVA’s and Austrade’s approach to fraud control was in transition during the course of the audit. DVA had historically focused largely on compliance, with a heavy emphasis on investigating fraud after it had occurred rather than prevention. The department commenced a significant restructure of its fraud control operations and governance in August 2013, rebalancing its approach to include more prevention and deterrence strategies alongside its existing detection strategies, in line with the more contemporary approach. However, DVA’s approach to date in communicating its revised expectations and raising fraud awareness among staff has not been fully effective. The relevant education online module was out of date and had not been promoted to staff; however, at the time of the audit, DVA had already commenced developing a new training framework to address this.
3.64 Austrade has made more limited changes to its entity-wide fraud control arrangements since the introduction of the 2011 Guidelines, and aspects of Austrade’s internal management arrangements relating to fraud control have created a risk of fragmentation. In addition to a whole-of-entity fraud unit located in its Corporate Services Group, Austrade has established a dedicated fraud team within its Export Market Development Grants program, where significant fraud risk has been assessed. The establishment of a dedicated fraud team in a high risk program area is a legitimate risk mitigation strategy; however, there was limited communication or coordination between the two units. Austrade advised the ANAO that the fraud control function and the reporting of fraud is centralised to the role of a senior executive. Nonetheless, Austrade continues to report separately, to the Audit Committee and CEO, on the EMDG program and other entity activities, and there would be benefit in considering an approach involving more structured cross-communication between fraud units to strengthen coordination arrangements. In the course of the audit, Austrade advised the ANAO that an internal review of fraud control arrangements will examine consistency with the Guidelines and ANAO Better Practice Guide, and the risk of fragmentation between fraud management arrangements for EMDG and other parts of Austrade.
3.65 Austrade’s risk assessment process was conducted on a two-yearly basis, consistent with the 2011 Guidelines. As part of that process, Austrade required its 12 business units to identify fraud risks and possible treatments; however, only two business units contributed. Austrade has advised that while the initial processes to develop the draft plan were not ideal, senior management intervention led to broader consultation and improvements in the process. It is by creating a shared responsibility for fraud control amongst staff and management at all levels that an entity is better placed to embed fraud control as part of its governance arrangements and culture.
3.66 Limitations were also identified in Austrade’s approach to fraud awareness training, with only one question on fraud appearing in the context of an on-line security training module. Staff responses to a 2013 internal survey indicated that less than one in four staff could correctly identify all the potentially fraudulent or corrupt behaviours canvassed.
4. Detecting and Responding to Fraud
This chapter examines whether the selected entities have effective systems and processes in place designed to detect and respond to instances of fraud.
Introduction
4.1 All Australian government entities were susceptible to fraud, and a system of preventive measures will not provide absolute assurance that a fraudulent event will be avoided.79 Detection activities are designed to identify fraud that is occurring, or has occurred. They are different to prevention activities and control, which are designed to reduce the risk of fraud occurring.80
4.2 Fraud detection, investigation and response were key elements of the 2011 Commonwealth Fraud Control Guidelines (the 2011 Guidelines).81 The Guidelines stated that Australian government entities must have appropriate systems in place to ensure they are able to detect internal or external fraud, or attempted fraud.82 As part of a risk-based approach, entities are expected to implement appropriate measures aimed at detecting and managing fraud, informed by their particular risks.
Detection measures
4.3 The ANAO Better Practice Guide, Fraud Control in Australian Government Entities (Fraud Control BPG), describes fraud detection measures as being either passive or active.83 Passive detection measures include the day-to-day controls or activities in place to protect the integrity, accuracy and completeness of business decisions and financial transactions. Active fraud detection measures are those that require the assertive involvement of the organisation’s management.84 Active measures tend to be more sophisticated, and are generally more reliant on examining databases and employing statistical analysis than are passive detection methods (Table 4.1).
| Passive | Active |
|---|---|
| Fraud allegation reporting mechanisms | Monitoring and reviewing activities |
| Internal controls | Data matching |
| Whistleblowing and public interest disclosures | Data mining—post payment monitoring |
| | Internal audit |
Source: ANAO summary from Fraud Control in Australian Government Agencies, March 2011, pp. 51–60.
4.4 The selected mix of detection measures should be appropriate to the entity’s risk profile and business functions.
Passive detection measures
4.5 The ANAO examined a selection of the passive detection measures adopted by the selected entities (Table 4.2). The entities’ fraud allegation reporting mechanisms and whistleblowing arrangements are discussed in the paragraphs below, while IT controls were discussed in paragraphs 3.59–3.60.
| | Austrade | Comcare | DVA |
|---|---|---|---|
| Fraud allegation reporting mechanisms | | | |
| | Yes | Yes | Yes |
| | Yes | Yes | Yes |
| public: internal: | Yes Yes | Yes Yes | Yes Yes |
| | Yes | Yes | Yes |
| Internal Controls | | | |
| | Yes | Yes | Yes |
| | Yes | Yes | Yes |
| Whistleblowing/Public Interest Disclosures (PID)A | | | |
| | Yes | Yes | Yes |
| | Yes | Yes | Yes |
Source: ANAO analysis based on the requirements and better practice suggestions from the Commonwealth Fraud Control Guidelines and the Fraud Control BPG. (data collected from Test Program section 2.1 and 2.2)
Notes: A: The Public Interest Disclosure Act 2013 replaced the APS Whistleblowing scheme on 15 January 2014.
Fraud allegation reporting mechanisms
4.6 Australian government entities must provide employees, clients and members of the public with an appropriate channel for reporting fraud.85 In each of the selected entities, there were pathways for staff, service providers and members of the public to access tip-off facilities, and entities had appropriate processes in place to handle and process tip-offs.86 Within Comcare and DVA, tip-offs are sent directly to the fraud control section of the entity, an approach which facilitates the consistent handling and processing of tip-offs in line with entity procedures.
4.7 Within Austrade, tip-offs not related to Export Market Development Grants (EMDGs) are made to the relevant manager and/or the Chief Counsel Legal, Procurement and Fraud. In the case of EMDG, tip-offs are made to the relevant manager, Special Investigations Unit, or Grants State Manager. Austrade’s central fraud control unit did not always have visibility of the review processes adopted by business units or responses to fraud across the entity. This approach, which reflected Austrade’s administrative arrangements discussed in Chapter 3, further fragmented internal fraud control arrangements—introducing a risk of inconsistent handling and processing of tip-offs, and a situation where fraud risks were not necessarily monitored or communicated within Austrade.
4.8 The 2011 Guidelines also highlighted the benefit of mechanisms to enable public reporting of fraud, and recommended that:
agencies that deliver services and payments to the community should consider putting in place mechanisms to enable members of the public to report suspected fraudulent activity by an agency’s clients, employees, contractors or agents.87
4.9 Comcare and Austrade facilitated public reporting on fraud by maintaining a dedicated webpage for this purpose.88,89,90 This facility was more difficult to locate on DVA’s public website.91 Additionally, information provided to the public by DVA and Austrade did not make clear that members of the public could use DVA’s and Austrade’s general enquiries phone number to report an allegation of fraud.92,93
Whistleblowing and Public Interest Disclosures
4.10 While employees and members of the public must have the ability to provide tip-offs, it is also good practice that Australian Public Service employees are aware of the protection available for whistleblowers or Public Interest Disclosures.94 While not required by the 2011 Guidelines, Austrade and DVA provided information about whistleblowing in their Fraud Control Plans and all the entities had whistleblowing policies available on their intranet sites, for the information of staff. In addition, DVA had updated its Fraud Control Plan to reflect the introduction of the Public Interest Disclosure Scheme from January 2014.
Active detection measures
4.11 The 2011 Guidelines recommended that entities should not rely solely on passive detection measures for fraud detection:
agencies should also consider techniques which may include monitoring high risk jobs or areas, conducting reviews or internal audits, intrusion detection systems, review activity focussed on clients at risk or data mining and data matching.95
4.12 The Fraud Control BPG describes such measures as ‘active detection mechanisms’.96 The ANAO examined a selection of the active detection mechanisms used by the three entities (Table 4.3).
| | Austrade | Comcare | DVA |
|---|---|---|---|
| Statistical analysis of payments and processes | | | |
| | No | Yes | Yes |
| | No | Yes | Yes |
| | Yes | Yes | Yes |
| | | YesA | Yes |
| Monitoring and review of activities to detect internal fraud | | | |
| | Yes | Yes | YesB |
| | Yes | Yes | Yes |
| | Yes | Yes | Yes |
| Internal audit (IA) | | | |
| | Yes | Yes | Yes |
| | Yes | Yes | Yes |
| | Yes | Yes | Yes |
Source: ANAO analysis based on the requirements and better practice suggestions from the Guidelines and the Fraud Control BPG.
Notes:
A: Austrade and Comcare are not defined as a ‘participating assistance agency that holds personal data’ by the Data-matching Program Act 1990. Therefore they are not required to perform data matching. However, Comcare undertakes data matching as part of its fraud detection measures.
B: DVA maintains and monitors staff access to multiple IT systems that present a high fraud risk. For example, this could include a user that can access both the system to create a new client and the system to commence payments to the new client. The segregation of duties within key payment systems is an important IT control and was discussed further in Table 3.9.
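Note B and the ‘Monitoring of user access’ issue in Table 3.9 describe the same control: find users whose access spans both client creation and payment commencement, then review what those users actually did. The sketch below is an added example, not ANAO or DVA code; the user ids, system names, permission names and log layout are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data. User ids, systems and permission names are hypothetical.
ENTITLEMENTS = [
    # (user, system, permission)
    ("u1001", "client_registry", "create_client"),
    ("u1001", "payments", "commence_payment"),
    ("u1002", "client_registry", "create_client"),
    ("u1003", "payments", "commence_payment"),
    ("u1004", "client_registry", "create_client"),
    ("u1004", "payments", "commence_payment"),
]

# Permission pairs that one person should not hold together (segregation of duties).
CONFLICTING_PAIRS = [("create_client", "commence_payment")]

ACTIVITY_LOG = [
    # (ISO timestamp, user, action, client_id)
    ("2014-03-03T09:12:00", "u1001", "create_client", "C-501"),
    ("2014-03-03T09:40:00", "u1003", "commence_payment", "C-501"),
    ("2014-03-04T10:05:00", "u1004", "create_client", "C-502"),
    ("2014-03-04T16:30:00", "u1004", "commence_payment", "C-502"),
    ("2014-03-05T11:00:00", "u1002", "create_client", "C-503"),
    ("2014-03-06T08:15:00", "u1001", "commence_payment", "C-503"),
]


def conflicted_users(entitlements, pairs):
    """Map each user holding both halves of a conflicting pair to those pairs."""
    held = defaultdict(set)
    for user, _system, permission in entitlements:
        held[user].add(permission)
    result = {}
    for user, permissions in held.items():
        hits = [pair for pair in pairs if set(pair) <= permissions]
        if hits:
            result[user] = hits
    return result


def same_user_chains(log, pairs):
    """Find clients for which one user performed both actions of a conflicting pair.

    Returns sorted (user, client_id, first_action_ts, second_action_ts) tuples.
    """
    seen = defaultdict(dict)  # (user, client) -> {action: earliest timestamp}
    for ts, user, action, client in sorted(log):
        seen[(user, client)].setdefault(action, ts)
    findings = []
    for (user, client), actions in seen.items():
        for first, second in pairs:
            if first in actions and second in actions:
                findings.append((user, client, actions[first], actions[second]))
    return sorted(findings)


def review_queue(entitlements, log, pairs):
    """List every logged action by a conflicted user, in time order.

    Logging alone is not monitoring: each entry is tagged 'escalate' when the
    user completed both conflicting actions for that client, else 'review'.
    """
    conflicted = conflicted_users(entitlements, pairs)
    chains = {(user, client) for user, client, _a, _b in same_user_chains(log, pairs)}
    queue = []
    for ts, user, action, client in sorted(log):
        if user in conflicted:
            status = "escalate" if (user, client) in chains else "review"
            queue.append((ts, user, action, client, status))
    return queue


if __name__ == "__main__":
    for entry in review_queue(ENTITLEMENTS, ACTIVITY_LOG, CONFLICTING_PAIRS):
        print(entry)
```

Here u1001 holds the conflicting access but used it on different clients, so those actions are queued for routine review, while u1004 created and paid the same client and is escalated.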
Statistical analysis of payments and processes
4.13 Each of the entities implemented active detection mechanisms. Comcare and DVA shared similar business risks—both were responsible for payments to individuals and service providers where certain criteria are met—and therefore performed a variety of statistical analysis tasks as part of their day-to-day business. For DVA, analysis results are provided to the relevant business areas in an easily interpreted format, and both the fraud control section and the relevant business areas meet to assess and act on issues identified by the analysis.
4.14 Austrade was mainly responsible for administering grants to business, and operating a network of overseas representatives. In 2013, Austrade engaged its internal auditor to undertake a data analytics project covering key operational data including expenditure, financial transactions and cost of overseas residential property. Austrade advised the ANAO that it used the findings of this analysis to inform its offshore programs, and develop its future review programs.
4.15 Comcare and DVA are responsible for the regular payment of public money to individuals and service providers, and therefore operate in an environment of higher risk exposure to fraud than most Commonwealth entities. Both entities have implemented post-payment monitoring activities to detect possible fraud, involving the analysis of data relating to payments made to service providers97, to detect unusual payments. This could include payments which appear higher than normal for a particular service, or high volumes of smaller payments to the same service provider.
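The two patterns named in paragraph 4.15, payments higher than normal for a service and high volumes of smaller payments to one provider, can be screened for as follows. This is an added example, not Comcare’s or DVA’s method; the payment records, service codes, the median/MAD outlier rule and every threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median
from typing import NamedTuple


class Payment(NamedTuple):
    payment_id: str
    provider: str
    service: str
    amount: float
    paid_on: date


# Constructed sample payments; identifiers and amounts are not real data.
PAYMENTS = [
    Payment("PAY-001", "P-03", "PHYSIO", 80.00, date(2014, 2, 3)),
    Payment("PAY-002", "P-05", "PHYSIO", 85.00, date(2014, 2, 3)),
    Payment("PAY-003", "P-03", "PHYSIO", 82.00, date(2014, 2, 4)),
    Payment("PAY-004", "P-09", "PHYSIO", 78.00, date(2014, 2, 5)),
    Payment("PAY-005", "P-05", "PHYSIO", 84.00, date(2014, 2, 6)),
    Payment("PAY-006", "P-09", "PHYSIO", 81.00, date(2014, 2, 7)),
    Payment("PAY-007", "P-17", "PHYSIO", 410.00, date(2014, 2, 7)),
    Payment("PAY-008", "P-22", "TRAVEL", 19.50, date(2014, 2, 3)),
    Payment("PAY-009", "P-22", "TRAVEL", 20.00, date(2014, 2, 4)),
    Payment("PAY-010", "P-22", "TRAVEL", 19.00, date(2014, 2, 4)),
    Payment("PAY-011", "P-22", "TRAVEL", 20.50, date(2014, 2, 5)),
    Payment("PAY-012", "P-03", "TRAVEL", 21.00, date(2014, 2, 5)),
    Payment("PAY-013", "P-22", "TRAVEL", 19.50, date(2014, 2, 6)),
    Payment("PAY-014", "P-05", "TRAVEL", 18.00, date(2014, 2, 6)),
    Payment("PAY-015", "P-22", "TRAVEL", 20.00, date(2014, 2, 7)),
    Payment("PAY-016", "P-22", "TRAVEL", 20.00, date(2014, 2, 20)),
]


def high_value_outliers(payments, z_cutoff=3.5, min_samples=5):
    """Flag payments well above the norm for their own service.

    Uses the median and the median absolute deviation (MAD) per service so a
    single very large payment does not distort the baseline it is judged by.
    """
    by_service = defaultdict(list)
    for p in payments:
        by_service[p.service].append(p)
    flagged = []
    for rows in by_service.values():
        if len(rows) < min_samples:
            continue  # too few payments to say what "normal" is
        centre = median(p.amount for p in rows)
        mad = median(abs(p.amount - centre) for p in rows)
        for p in rows:
            if p.amount <= centre:
                continue  # only "higher than normal" is of interest here
            if mad == 0:
                # At least half the payments equal the median, so any higher
                # amount already departs from the usual price.
                flagged.append(p)
            elif 0.6745 * (p.amount - centre) / mad > z_cutoff:
                flagged.append(p)
    return flagged


def small_payment_bursts(payments, small_limit=50.0, window_days=7, min_count=5):
    """Return {provider: count} for providers paid many small amounts in one window."""
    dates_by_provider = defaultdict(list)
    for p in payments:
        if p.amount < small_limit:
            dates_by_provider[p.provider].append(p.paid_on)
    bursts = {}
    window = timedelta(days=window_days)
    for provider, dates in dates_by_provider.items():
        dates.sort()
        start = 0
        best = 0
        for end, current in enumerate(dates):
            # Slide the window start forward until it spans fewer than window_days.
            while current - dates[start] >= window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_count:
            bursts[provider] = best
    return bursts


if __name__ == "__main__":
    print([p.payment_id for p in high_value_outliers(PAYMENTS)])
    print(small_payment_bursts(PAYMENTS))
```

A flag from either function is a lead for the fraud control section and the business area to assess, not a finding of fraud.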
Data matching
4.16 As a ‘listed participating assistance agency that holds personal data’, DVA is required by the Data-matching Program Act 1990 to perform data matching, and to report annually to the Parliament on any activity carried out under the Data-matching Program (Assistance and Tax) Act 1990 (the Data Matching Program Act). Data matching98 is the process of comparing large data sets of personal information from different sources to identify discrepancies.99 The objectives of this program are to detect:
- invalid Tax File Numbers;
- fictitious or assumed identities (identity matching);
- instances where people are receiving incorrect or dual payments from one or more assistance agencies (payment matching);
- instances where the income declared to the Australian Taxation Office (ATO) varies from the income disclosed to the assistance agencies (income matching); and
- instances of tax evasion.
4.17 At DVA, the types of discrepancies that can be detected by payment and income matching include:
- non-entitlement of a client, partner, parent or child to a Department of Human Services (DHS) or DVA payment, where receipt of a payment from one entity would preclude or limit payments from one or both agencies; and
- income disclosed to DHS and/or DVA which has been used to calculate an income support payment is different from that reported to the ATO.
4.18 As required by the Data Matching Program Act, DVA reported annually on most of the suggested data matching activities in 2011–12 and 2012–13.
4.19 While Comcare is not required to perform data matching activities under the Data Matching Program Act, the entity has conducted one round of data matching, for the period 2009–10 to 2011–12. This exercise was conducted in 2013, in conjunction with the ATO, to inform future Comcare investigations and to identify incorrect client information.
4.20 Entity records indicate that the use of data matching by DVA and Comcare has identified potential cases of fraud. Table 4.4 identifies the documented outcomes of data matching activities in Comcare and DVA.
| | Comcare 2010–11 | Comcare 2011–12 | DVA 2010–11 | DVA 2011–12 |
|---|---|---|---|---|
| Total number of records read | 4 279 | 3 553 | 1 155 698 | 1 462 236 |
| Total number of discrepancies | 328 | 297 | 18 135 | 17 129 |
| Proportion of matches that resulted in discrepancies | 7.7% | 8.4% | 1.6% | 1.2% |
| Number of discrepancies referred for investigation | N/A | N/A | 750 | 1 223 |
| Net savings produced as a result of action from data matchingA | N/A | N/A | $1 632 333 | $1 026 337 |
| Net cumulative savingsB | N/A | N/AC | $21 691 265 | $22 717 602 |

Source: ANAO analysis of Comcare and DVA data matching reports. Rounding errors are present in the percentages given for ‘proportion of matches that resulted in discrepancies’.
Notes:
A: Total of gross savings (from corrected payments), minus departmental expenses.
B: A rolling total, since the commencement of the data matching program.
C: Comcare has recently commenced data matching analysis, and has not yet calculated any net cumulative savings.
Internal audit
4.21 The internal audit function can assist an entity to manage fraud control arrangements by advising on the risk of fraud, and the design or adequacy of internal controls. It can also assist in detecting fraud by considering fraud risks as part of its audit program and being alert and communicating indicators that fraud may have occurred.100
4.22 The selected entities had internal audit units that were tasked to contribute to the entity-wide fraud control effort, as expected in the 2011 Guidelines. The ANAO found that fraud comprised a key element of Austrade’s internal audit program, and Austrade had conducted numerous audits since the introduction of the Guidelines focussing on fraud. The findings of these audits were presented to the Audit and Risk Committee through Austrade’s Quarterly Risk Report.
4.23 Comcare advised the ANAO that its Audit Committee reviewed draft internal audit reports and, if approved, the report was considered the final version. After each meeting, Comcare’s Audit Committee also provided the CEO with reports, which included comments on internal audit reports and the status of outstanding audit findings.
Responding to allegations of fraud
4.24 Fraud investigators should be appropriately trained and conduct investigations in accordance with the Australian Government Investigative Standards 2011 (AGIS).101,102 While the investigative practices of the selected entities were not examined in this audit, the ANAO considered the availability and content of guidance and tools available to fraud investigators.
4.25 A number of the key tools for supporting fraud investigations are summarised in Table 4.5 and discussed in the paragraphs below.
| The entities have… | Austrade | Comcare | DVA |
|---|---|---|---|
| recorded allegations in an appropriately secure fraud incident register, file and/or electronic case management system | YesA | Yes | Yes |
| appropriately trained persons responsible for making the initial assessmentB | Yes | Yes | Yes |
| documented investigation procedures | NoC | Yes | YesD |
| a case prioritisation model | N/AE | Yes | Yes |
Source: ANAO analysis, based on the Australian Government Investigative Standards 2011 and ANAO Better Practice Guide—Fraud Control in Australian Government Entities, March 2011, Canberra.
Notes:
A: See also Table 4.6.
B: See also Table 3.8
C: Austrade advised that the EMDG program has an investigation manual and case prioritisation model.
D: DVA has an investigation manual, which was being updated during the audit. This is the first update since the Commonwealth Fraud Control Guidelines were released in March 2011.
E: Austrade advised that, except for the EMDG program, it does not have a fraud case-load that would warrant the implementation of a case prioritisation model.
Documented investigation procedures and case prioritisation models
4.26 The 2011 Guidelines stated that entities must have appropriately documented procedures, setting out the criteria for making decisions during a fraud investigation.103 The processes and procedures must be consistent with, or exceed, the model procedures outlined in the AGIS.104 A case prioritisation model also aids the decision-maker in making the initial assessment, and helps drive transparency and consistency in decision-making.105
4.27 Austrade does not have an investigation manual, except for investigations conducted by the EMDG fraud investigations team. It provides managers with guidance in the form of brief policy and procedure papers titled ‘Dealing with Misconduct—Code of Conduct breaches’. While a source of advice in respect to internal misconduct, the papers do not address external fraud. Further, Austrade’s policy and procedures papers do not provide guidance to fraud investigators on how to conduct an investigation, as required by the Guidelines.106
4.28 Comcare has developed documented investigation procedures to guide the process of an investigation. The investigation procedures indicate that during the assessment process, Comcare investigators are expected to:
- gather the required information;
- compare information to other data already on file;
- calculate the potential loss to the Commonwealth; and
- prioritise the allegation.
4.29 In addition, Comcare has developed assessment templates to support the consistent analysis of allegations. As part of the investigation process, each allegation is assigned a rank, which indicates the relative priority of cases. This process is part of Comcare’s operational case prioritisation model107, which is used to process and prioritise every allegation of fraud or non-compliance.
4.30 DVA has a fraud investigation manual and advised the ANAO that it was in the process of updating the manual as part of its reform process. The manual was last updated in May 2010, before the Fraud Control Guidelines were released in March 2011, and had not been a source of up-to-date advice in recent years.
4.31 DVA has also taken a risk-based approach to its fraud investigation procedures, by implementing a Case Prioritisation Model to identify high priority cases for the department to investigate. Prior to this, DVA was investigating every allegation of fraud in the order that allegations were reported. This was not necessarily the most efficient or risk-based approach, as allegations made to DVA are generally found to relate to non-compliant, rather than fraudulent, behaviour. The department’s case prioritisation model has been in operation since February 2014, and has recently undergone some minor alterations to the thresholds used to prioritise potential fraud cases.
4.32 The ANAO’s Fraud Control BPG sets out a decision tree tool intended to provide guidance on the process for fraud investigations and responses. Entities can encourage fraud investigators to follow a standardised process by establishing a similar tool as a guide to better understand the critical decisions that need to be made and documented, from the initial assessment of the allegation and throughout the fraud investigation and response process. Fraud operations at Austrade, Comcare and DVA were mapped out in a decision tree, for the guidance of investigators.
4.33 The AGIS mandates that entities employ investigation management procedures, which are based on the project management principles of managing: resources; process; work to be undertaken; time; and outcomes. Entities should have an electronic investigation management system and provide training in its use. The 2011 Guidelines added that entities must have systems in place to manage information gathered about fraud against the entity, as this would provide an overview of the nature, extent and location of fraud.108 Similarly, the Fraud Control BPG discusses the benefit of implementing a formal reporting system, where all instances or allegations of internal or external fraud, and any subsequent investigations and outcomes, can be securely stored, recorded, analysed and monitored.109
Fraud incident registers
4.34 A reporting system that records all allegations of fraud, and any subsequent investigation actions and their outcomes, can provide a valuable overview of the nature, extent and location of fraud within an entity. It can also: form the basis for developing an intelligence capability; provide the data necessary for reporting and the identification of trends; and provide a deterrent effect which will assist an entity in minimising the impact of fraud on its operations.110,111
4.35 The Fraud Control BPG details a list of inclusions in a fraud incident register, as recommended in the Australian Standard AS 8001-2008 Fraud and Corruption Control (Australian Standard).112 The ANAO examined the incident registers of the selected entities against the suggestions made in the Australian Standard (see Table 4.6).
| | Austrade | Comcare | DVA |
|---|---|---|---|
| Date and time of report | No (A) | Yes | Yes |
| Date and time of incident detection | No (A) | Yes | Yes |
| How the incident was reported (anonymous report, line management, etc) | No | Yes | Yes |
| Nature of the incident | Yes | Yes | Yes |
| Value of the loss to the entity (if any) | No | Yes | Yes |
| Action taken following detection | Yes | Yes | Yes |
Source: ANAO analysis.
Note: A: While Austrade records the date of the report and incident detection, it does not record the time of the report and incident detection. Austrade’s central fraud incident register also does not contain any records of EMDG fraud incidents.
4.36 Comcare and DVA had fraud incident management registers containing all the fields recommended for inclusion in the Australian Standard, while Austrade’s register contained only limited information and did not include EMDG fraud incidents; further, Austrade’s register was not entirely consistent with the suggestions for better practice made in the Australian Standard, which are referenced in the AGIS and Fraud Control BPG.
Responding to identified fraud
4.37 After an investigation is completed, an entity must decide if there is sufficient evidence to justify further legal action. A case for fraud can be handled at a civil level (between the entity and the defendant) or the matter can be referred to the Australian Federal Police or Commonwealth Director of Public Prosecutions (CDPP). Prosecutions and civil litigation are one means of deterring future fraud, and in educating the public about the seriousness of fraud.113 If it is determined that there is not sufficient evidence for a prosecution or civil litigation, entities may consider alternative options, such as administrative action, the recovery of losses, education activities and/or a reconsideration of internal controls.
4.38 The ANAO examined the selected entities’ responses to allegations of fraud or non-compliance and found that the majority of allegations are dealt with internally, or not pursued further (Table 4.7).114
| | Austrade | Comcare | DVA |
|---|---|---|---|
| New fraud allegations/reviews | 27 | 147 | 252 |
| Allegations resulting in detection of fraud | 12 | 43 | 9 (A) |
| Matters referred to the law enforcement agencies and the CDPP | 1 | 5 | 4 |
| Convictions | 0 | N/A (B) | 1 |
Source: ANAO analysis of entities’ Annual Reports and their submissions to the AIC for 2012–13.
Notes:
A: In 2012–13, DVA started reporting non-compliance and fraud separately.
B: These cases were ongoing during the audit.
Conclusion
4.39 Fraud prevention strategies can help reduce, but not entirely eliminate, an entity’s fraud risk. Effective fraud detection and response measures are necessary to provide assurance that perpetrators of fraudulent acts are identified, and appropriate action is taken.
4.40 Broadly speaking, fraud detection methods can be passive or active. The ANAO examined the selected entities’ implementation of the passive detection measures discussed in the Fraud Control BPG and found that all selected entities had introduced fraud reporting mechanisms for staff and the public. Comcare and DVA adopted a centralised and coordinated approach to the processing of fraud allegations, whereas tip-offs received by Austrade were processed by individual business units. Reflecting Austrade’s administrative arrangements discussed above, Austrade’s central fraud control unit did not always have visibility of the review processes adopted by business units or responses to fraud across the entity. This approach further fragmented internal fraud control arrangements, introducing a risk of inconsistent handling and processing of tip-offs, and a situation where fraud risks were not necessarily monitored or communicated within Austrade.
4.41 Each of the selected entities employed a range of active detection methods, with the specific measures adopted by entities reflecting their differing business operations. The two payment entities, Comcare and DVA, regularly undertook a wide variety of statistical analysis aimed at detecting anomalies in payment patterns to service providers and beneficiaries that might indicate potential non-compliance or fraudulent practice. Austrade also undertook statistical analysis from time to time, to inform its fraud prevention activities, and fraud control was a key focus of its internal audit work program.
4.42 DVA is required, by the Data-matching Program Act 1990, to perform data matching analysis. Comcare has also added data matching to its range of active detection measures, although it is not mandated. The use of data matching by DVA and Comcare has identified potential cases of fraud.
4.43 Consistent with the 2011 Guidelines, Comcare and DVA maintained fraud incident registers which were used to inform their CEO of the level of fraud within the entity and to prepare external reporting to AGD. Austrade maintained two separate registers, reflecting its internal administrative arrangements.
4.44 The ANAO examined the availability and content of guidance and tools available to fraud investigators in the selected entities. Comcare had a detailed investigation manual, standardised assessment templates and a case prioritisation model to assess and prioritise fraud allegations. DVA had an out-of-date investigation manual and the department advised it was in the process of updating the manual. DVA had implemented a case prioritisation model, which will include assessment templates. Austrade did not have an entity-wide investigation manual, but advised the ANAO that it was drafting such a document.
5. Monitoring and Reviewing Fraud Control Arrangements
This chapter examines whether the selected entities have effective processes for monitoring and reviewing their fraud control arrangements.
Introduction
5.1 Effective monitoring and review can provide assurance that fraud control arrangements are operating as intended and can also promote accountability and fraud awareness within entities. In addition, after any incidence of fraud, an entity should investigate the situation which allowed the fraud to occur, to determine the cause and establish recommendations for change in future activities.115
5.2 More specifically, regular monitoring and review of fraud control strategies can inform an entity’s assessment of the:
- ongoing effectiveness of the design and operation of fraud controls or risk mitigation measures;
- relative priorities of fraud control strategies in light of the current and emerging threats and risks;
- strength of the organisation’s fraud culture and the levels of fraud awareness;
- cost-effectiveness of different methods of combating fraud; and
- appropriate balance between fraud prevention and detection strategies.
5.3 In its 2009–10 report on fraud control, the ANAO indicated that a key area for improvement in Australian government entities was the evaluation of specific fraud control strategies.116
5.4 In the current audit, the ANAO examined the selected entities’ procedures and frequency for assessing the effectiveness of their respective fraud control arrangements against the requirements of the 2011 Guidelines and the suggestions for better practice in the ANAO’s Fraud Control BPG.
Monitoring and review
5.5 The 2011 Guidelines contained a number of mandatory requirements relating to the monitoring and review of fraud control arrangements by entities, including:
- entities must undertake a fraud risk assessment at least once every two years117;
- fraud risk assessments must be followed by the development (or updating) and implementation of a fraud control plan to manage the risks118; and
- where an entity undergoes a substantial change in structure, function, or where there is a significant transfer in function…the entity must undertake another fraud risk assessment in relation to the changed functions.119
5.6 The selected entities’ processes to monitor and review their fraud control arrangements, as mandated by the 2011 Guidelines, are summarised in Table 5.1.
| Entities have processes in place to monitor and review the: | Austrade | Comcare | DVA |
|---|---|---|---|
| Commonwealth Fraud Control Guidelines (mandatory) requirements on: | | | |
| risk assessments | Yes | Yes | Yes |
| fraud control plan | Yes | Yes | Yes |
| reassessing fraud control after major restructure | Yes | Yes | Yes |
Source: ANAO analysis.
Review of risk assessments and fraud control plans
5.7 Each of the selected entities has established processes to review its fraud risk assessment every two years, and to subsequently review and update its fraud control plan.
5.8 In addition to the two-yearly review of the fraud risk assessment, entities should establish processes to continuously monitor the risks identified in the risk assessment, to assist in the effective selection of risk treatments. Consistent with this approach, the selected entities had established processes for the continuous review of their risk assessments, and risk treatments. For example120:
- DVA identified 15 moderate risks in its 2012–14 Fraud Control Plans and listed 12 action items to be implemented as risk mitigation. The department’s Fraud Control Section must report on the implementation of these risk mitigations to the DVA Audit and Risk Committee every six months;
- Comcare undertakes a review of its fraud prevention activities as part of its annual business planning cycle. Comcare also re-assesses its investigative priorities biannually, to address emerging issues and opportunities; and
- Austrade advised the ANAO that it was reviewing its Fraud Control Plan, using the ‘better practice’ checklist questions from the Fraud Control BPG.121
Review of fraud control arrangements after a major restructure
5.9 Austrade, Comcare and DVA advised that they reviewed their fraud control arrangements when they had undergone significant internal restructuring. For example, as part of the September 2013 machinery-of-government changes, the Tourism Division of the former Department of Resources, Energy and Tourism was transferred to Austrade. The Austrade Fraud Liaison Officer met with the Tourism Division representatives to discuss the integration of the fraud risk assessments and Fraud Control Plans. Austrade’s Fraud Control Plan and Enterprise Risk Assessments were subsequently reviewed and updated. Austrade advised the ANAO that the revised Fraud Control Plan was scheduled to be approved by the CEO by October 2014.
Application of better practice
5.10 The Fraud Control BPG sets out additional suggestions to support the monitoring and review requirements of the Guidelines, including: reviewing an entity’s work processes; and measuring fraud losses. The ANAO examined the methods used by the selected entities when reviewing and responding to identified incidences of fraud within their entity (Table 5.2).
| Entities have processes in place to monitor and review the: | Austrade | Comcare | DVA |
|---|---|---|---|
| situation which allowed fraud to occur | Yes | Yes | Yes |
| methods to measure the loss of fraud | Yes | Yes | Yes |
Source: ANAO analysis, based on ANAO Better Practice Guide—Fraud Control in Australian Government Entities, March 2011, Canberra.
Review the situation that allowed fraud to occur
5.11 Reviewing work processes after potential fraud is identified allows an entity to determine whether its processes are effective in addressing its current and emerging fraud risks. The Fraud Control BPG gives two examples of fraud-related incidents, and possible responses (Table 5.3).
| Incident | Response |
|---|---|
| A one-off action by a person in a position of privilege. | Any new person in this position may be subjected to additional or periodical screening or monitoring. |
| The inadequacy of internal controls. | Controls should be re-evaluated and any deficiencies remedied. |
Source: ANAO summary of paragraph 8.1.3 in the ANAO Fraud Control BPG.
5.12 Quarterly risk reports are provided to Austrade’s Audit and Risk Committee to monitor fraud or non-compliance. Progress on fraud investigations is reported progressively to the Committee, covering the detail of the fraud, current actions taken and final outcome. These reports are also provided to Austrade’s CEO and Executive. At the completion of a fraud investigation, processes are reviewed by the internal auditor to provide assurance on controls and prevent recurrence of the fraud.
5.13 Comcare and DVA both have processes in place to review work processes after fraud is detected. Comcare’s Fraud Operations team consists of a Fraud Prevention Officer, Fraud Detection Officer and a Fraud Response Unit. One of the roles of the Fraud Detection Officer is to
… identify which controls should have operated to prevent the non-compliance and liaises with teams to identify improved controls if necessary.122
5.14 DVA’s Business Compliance Section has, in part, a similar role to Comcare’s Fraud Detection Officer. DVA advised the ANAO that as part of its redevelopment of fraud operations, a major focus has been on identifying the controls and business processes that need strengthening, to prevent opportunities for fraudulent and non-compliant behaviour to occur. For example, in June 2011, DVA’s analysis of the claiming patterns of Exercise Physiologists (EPs) identified a rapid increase in the expenditure for this service since the introduction of rebates in 2008123 and the need to implement additional controls to manage risk.124 DVA’s response included introducing policy controls around the delivery of this service, providing education to service providers, updating guidance to all EPs, and creating a DVA position to advise EPs and implement the changes.
Methods to measure loss from fraud
5.15 Methods to measure losses due to fraudulent activity are closely linked to active fraud detection methods (see discussion in Chapter 4). Using statistical analysis, fraud events can be analysed to identify the key controls that need to be reviewed to address identified deficiencies. This type of analysis can also enable the entity to perform a cost-benefit analysis of the control framework and remediation activity, and monitor the effectiveness of its fraud control activities.125 For example, in its 2012–13 Annual Report, Comcare reported that:
… outcomes from [fraud] cases already achieved for the financial year amount to a reduction of $7 400 000 in ongoing liabilities. This amount is expected to rise to over $10 000 000 when all administrative action is completed.126
5.16 DVA reports on the known value of fraud identified, the suitability of controls, and whether they can be strengthened. Austrade reports on the estimated value of fraud at the time it is identified. The Guidelines do not mandate a specific method for entities to measure and report fraud losses, so it is up to each entity to select the method that is appropriate for it.
5.17 As discussed in paragraphs 4.11–4.20, Comcare and DVA have adopted a broad variety of active detection methods, which are also used to identify the root causes of the fraudulent actions, and possible solutions, as suggested by the Fraud Control BPG. Austrade also undertakes active detection activities including its data analytics program.127 The results of this program are used to focus internal audit activity on areas which represent a relatively higher risk of fraud, such as credit cards, procurement, bribery, corruption and the EMDG program.
Reporting
5.18 The Fraud Control BPG indicates that ‘for a fraud control framework to be effectively implemented, both internal and external stakeholders need to be aware of the outcomes of the fraud control activities undertaken.’128,129 Under the 2011 Guidelines, entities were required to report externally on fraud control arrangements and to certify adherence with the Guidelines to their Minister, the Minister for Justice, and to the Australian Institute of Criminology (AIC).130,131 The requirement for regular external reporting underlines the importance of fraud control activity within entities and is intended to reinforce entity responsibilities in this respect.
5.19 The ANAO examined the selected entities’ practices for reporting on the occurrence of fraud against them.
Reporting internally
5.20 While the 2011 Guidelines did not set out internal reporting requirements, effective internal reporting is generally a necessary first step in complying with external reporting requirements. Further, effective internal reporting arrangements facilitate the management of fraud risks within an entity.132,133
Selected entities’ reporting to their Audit Committee
5.21 Audit committees can play a valuable role in providing independent assurance and advice to the CEO on the outcomes of fraud control activities, including: monitoring; review and evaluation; and follow-up action (including investigations underway and/or the outcomes of prosecutions or civil action).134 The ANAO examined the selected entities’ reporting to their audit committees on fraud control arrangements (Table 5.4).135
| In 2013, did the entity’s audit committee receive reports regarding any: | Austrade | Comcare | DVA |
|---|---|---|---|
| monitoring and evaluation activities | Yes | Yes | Yes |
| investigations outcomes | Yes | Yes | Yes |
| prosecution or civil action outcomes | Yes | Yes | Yes |
Source: ANAO analysis.
5.22 In summary, the fraud control sections of Austrade, Comcare and DVA reported quarterly to their audit and risk committees on the three matters suggested in the Fraud Control BPG.
Other internal reporting activities
5.23 Internal reports regarding fraud control activities should be distributed to relevant fraud control areas to allow an organisation-wide reporting profile to be compiled, and to facilitate effective follow-up.136
5.24 As discussed, while Austrade has established internal reporting processes to the senior executive and audit committee through the Chief Counsel, Legal, Procurement and Fraud, separate upwards reporting by the two fraud units within the entity runs the risk of an uncoordinated approach. For example, the fraud investigators within the EMDG branch do not report on fraud control initiatives or current activities through Austrade’s Fraud Liaison Officer, and operate independently of the entity’s overall fraud operations.
5.25 Comcare advised the ANAO that the Director responsible for fraud prevention provides monthly reports to the Executive through the Corporate Operations Division Report. In addition, the Fraud Response Unit reports to a variety of internal committees and forums.
5.26 DVA advised the ANAO that when fraudulent or non-compliant activity is identified, the Business Compliance Section will meet with the relevant business areas to discuss the incident, and encourage the business areas to review relevant controls and/or business processes to decrease the likelihood of similar fraudulent activity in the future. DVA’s Business Compliance Section also releases ‘traffic light’ reports to all business areas to highlight areas of unusual claiming patterns, as identified by Post Payment Monitoring processes.
Reporting externally
5.27 The public reporting of fraud statistics and fraud control activities serves to inform Parliament and the community of trends and entity responses to the threat of fraud. More specifically, public reporting of fraud helps to:
- illustrate contemporary ethical issues;
- demonstrate that disciplinary decisions are regarded seriously; and
- demonstrate the commitment of the entity to investigate allegations of fraud.137
5.28 The 2011 Guidelines mandated three external reporting requirements:
1. CEOs must report annually to their Minister or Presiding Officers, in a format to be determined by the entity, on fraud risk and fraud control measures, including:
   - fraud initiatives undertaken by the entity in the reporting period, including an evaluation of their effectiveness;
   - planned fraud initiatives not yet in place;
   - information regarding significant fraud risks for the entity; and
   - significant fraud incidents which occurred during the reporting period.
2. CEOs must certify in their Annual Reports that they are satisfied that:
   - their entity has prepared fraud risk assessments and fraud control plans;
   - their entity has in place appropriate fraud prevention, detection, investigation, reporting and data collection procedures and processes that meet the specific needs of the entity; and
   - they have taken all reasonable measures to minimise the incidence of fraud in their entity and to investigate and recover the proceeds of fraud against their entity.
3. Agencies must collect information on fraud and provide it to the AIC by 30 September each year. Agencies are required to provide the information by responding to an online survey hosted by the AIC.138
5.29 The ANAO examined whether the selected entities met the external reporting requirements (Table 5.5).
| In 2012–13, did the entities: | Austrade | Comcare (A) | DVA |
|---|---|---|---|
| Annual Report | | | |
| 1. report to their minister on fraud risk and fraud control measures | Partial | Partial | Partial |
| 2. certify compliance with the Guidelines (B) | Yes | Yes | Partial (C) |
| AIC Survey response | | | |
| 3. complete the AIC fraud survey | Yes | Yes | Yes |
Source: ANAO analysis of requirements in the 2011 Commonwealth Fraud Control Guidelines.
Notes: A: As a CAC Act agency, Comcare was not required to meet these reporting requirements, but had ‘fully committed’ to complying with the Guidelines ‘in order to minimise the incidence of fraud’ and certified compliance in its 2012–13 Annual Report.
B: This requirement was also included in the ‘Requirements for Annual Reports for Departments, Executive Agencies and FMA Act Bodies’ prepared by the Department of the Prime Minister and Cabinet, and approved by the Joint Committee of Public Accounts and Audit.
C: In respect to the second mandatory reporting requirement, DVA did not certify the third sub-requirement— that ‘they had taken all reasonable measures to minimise the incidence of fraud in their agency and to investigate and recover the proceeds of the fraud’ in their Annual Report.
5.30 In summary, the ANAO found that:
- for the first mandatory external reporting requirement, the selected entities complied with three of the four sub-requirements;
- the selected agencies reported on fraud initiatives in their Annual Reports, but they did not include an evaluation on the effectiveness of their fraud initiatives;
- Austrade and Comcare certified compliance with all the requirements of the 2011 Guidelines, as required in the second mandatory reporting requirement; while DVA did not certify in its 2011–12 and 2012–13 Annual Reports that it had ‘taken all reasonable measures to minimise the incidence of fraud in their entity and to investigate and recover the proceeds of fraud against the entity’139,140; and
- each of the selected entities completed the 2012–13 AIC fraud survey.141
Conclusion
5.31 In the context of an evolving business and operating environment, entities can help manage their risks by employing a flexible rolling program of reviews, audits and evaluations, and by actively looking for opportunities to improve fraud control arrangements.
5.32 The selected entities reviewed their risk assessments every two years, and their Fraud Control Plans were updated following those exercises. Comcare and DVA also had established processes to review poorly performing controls, and liaised with their relevant business areas to identify scope for improvement in the control framework.
5.33 Effective internal reporting can inform an entity’s management of fraud control arrangements by identifying trends, weaknesses and opportunities for improvement. The selected entities’ internal reporting to their respective audit committees (and through the audit committee to the CEO) was generally aligned, in terms of process and content, to the 2011 Guidelines and better practice discussed in the ANAO’s Fraud Control BPG. However, Austrade did not adopt a centralised recording system, and its individual fraud units reported separately to its audit committee and executive, albeit through a nominated senior officer. Further, Austrade’s audit committee received limited information on the outcome of investigations, prosecutions and civil actions.
5.34 External reporting promotes accountability, informs government and stakeholders of developments, and facilitates whole-of-government monitoring and responses to fraud risks. The selected entities generally complied with the external reporting requirements in the 2011 Guidelines, reported internally and externally on fraud risk and fraud control measures, and certified compliance with the Guidelines in their Annual Reports. However, none of the selected entities provided an evaluation, in their external reporting, of the effectiveness of fraud initiatives undertaken by the entity, as required by the Guidelines, to inform stakeholders of the effectiveness of their control arrangements.
Appendices
Please refer to the attached PDF for the Appendices:
- Appendix 1: Entities’ responses
- Appendix 2: Previous ANAO Fraud Control Audit Coverage
- Appendix 3: AGD Response—Implementation of Recommendations from ANAO Report No.42 2009–10
- Appendix 4: Draft Commonwealth Fraud Control Guidelines Compliance Report, 2010–11 and 2011–12
- Appendix 5: Results from Austrade’s 2013 Fraud Awareness Survey
Abbreviations
| Abbreviation | Meaning |
|---|---|
| AGD | Attorney-General’s Department |
| AIC | Australian Institute of Criminology |
| ANAO | Australian National Audit Office |
| Austrade | Australian Trade Commission |
| CAC Act | Commonwealth Authorities and Companies Act 1997 |
| DVA | Department of Veterans’ Affairs |
| FCLO | Fraud Control Liaison Officer |
| FCP | Fraud Control Plan |
| FMA Act | Financial Management and Accountability Act 1997 |
| ITGC | Information Technology General Controls |
| PGPA Act | Public Governance, Performance and Accountability Act 2013 |
| RMIS | Risk Management Information System |
Glossary
| Term | Definition |
|---|---|
| Case Prioritisation Model | A tool used in the initial assessment of an allegation of fraud or non-compliance to classify and prioritise the case for further action. |
| Data matching | An analysis technique that compares large data sets of personal information from different sources to identify any discrepancies, for example data held by the Australian Taxation Office and the Department of Human Services. Data matching can detect invalid Tax File Numbers, fictitious or assumed identities or tax evasion. |
| Data mining | An analysis technique that uses an organisation’s financial and operational data to identify indicators of fraud, misconduct and error. For example, duplicate payments and identification of irregular trends. |
| Fraud detection methods | Passive methods include controls or activities that do not require the active and ongoing involvement of management. For example, a fraud reporting hotline and internal controls. Active methods are designed to detect or assist in detecting fraud within an organisation. For example, data mining, data matching and internal audit. |
| Govdex | A website administered by the Attorney-General’s Department that provides a secure online forum for collaboration between Australian Government entities on matters relating to fraud. |
| Internal controls | Processes such as policies, procedures and systems that are established, operated and monitored by officers responsible for entity governance and management. Effective internal controls can provide reasonable assurance on the achievement of the entity’s objectives and reliable reporting on entity performance. |
Footnotes
1 The definition incorporates ‘a mental or fault element to fraud; it requires more than carelessness, accident or error.’ See Attorney-General’s Department, Commonwealth Fraud Control Guidelines 2011, March 2011, AGD, Canberra, p. 5.
2 The ANAO was provided with unpublished data from the 2010–11 survey of Australian Government entities conducted by the Australian Institute of Criminology (AIC) for the annual report on ‘Fraud Against the Commonwealth’. The most recent published report was Fraud Against the Commonwealth in 2009–10.
3 The FMA Act and Regulations established the Australian Government resource framework in place during fieldwork for this audit. The FMA Act and the Commonwealth Authorities and Companies Act 1997 (CAC Act) were replaced by the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and associated Rules which took effect from 1 July 2014.
4 In practice, the Minister for Justice.
5 The Guidelines were part of the Australian Government’s wider financial management framework and were issued under FMA Regulation 16A until 30 June 2014.
6 Regulation 16A also provided that an official performing duties in relation to the control and reporting of fraud must act in accordance with the Guidelines. Section 13 of the Public Service Act 1999, which sets out the APS Code of Conduct, similarly emphasises the need for all officials to protect public resources.
7 The Guidelines observed at paragraph 5.1 that effective fraud control requires the commitment of all employees, contractors and third party providers, with the primary responsibility resting with CEOs, who play a key role in ensuring that appropriate fraud control arrangements are in place, and in setting the ethical tone within the entity.
8 In his foreword to the 2011 Guidelines, the Minister for Justice observed that ‘at the heart of the new Guidelines is an obligation on agency CEOs to build a strong fraud prevention culture within their agencies.’ The Guidelines further emphasised that ‘Fraud control strategies should become an integral part of agency culture, processes and practices’ (paragraph 3.3) and that ‘Fraud prevention involves not only putting into place effective accounting and operational controls, but also fostering an ethical culture that encourages employees and contractors at all levels to play their part in protecting public resources’ (paragraph 8.1).
9 ANAO Better Practice Guide—Fraud Control in Australian Government Entities, March 2011, Canberra, p.1.
10 Fraud prevention strategies are the first line of defence and provide the most cost-effective method of controlling fraud within an entity. However, they cannot realistically be expected to eliminate the risk of fraud. The 2011 Guidelines observed that the threat of fraud is becoming more complex, with the trend toward online service delivery and digital record keeping, for example, creating opportunities for cybercriminals operating domestically and overseas. Attorney-General’s Department, Commonwealth Fraud Control Guidelines 2011, March 2011, AGD, Canberra, Foreword.
11 ANAO Better Practice Guide—Fraud Control in Australian Government Entities, March 2011, Canberra, Foreword.
12 Comcare is one of the entities included in this audit.
13 Entities subject to the CAC Act were only required to apply the Guidelines where the Finance Minister had made a General Policy Order pursuant to Section 48A of the CAC Act that specified the applicable requirements. The Attorney-General’s Department (AGD) advised the ANAO that no such policy orders were made by the Finance Minister.
14 ANAO Report No.42 2009–10 Fraud control in Australian Government Agencies, had recommended that the Attorney-General’s Department ‘… continue to work with the [then] Department of Finance and Deregulation to clarify which CAC Act bodies are subject to the Guidelines…’ AGD advised the ANAO that it had suspended this work in 2012, due to the advent of the PGPA Act.
15 The Fraud Rule states that it is intended to establish a minimum standard for managing the risk and incidents of fraud. It provides that entities must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by: conducting fraud risk assessments; developing and implementing a fraud control plan; and having an appropriate mechanism for preventing, detecting, investigating, recording and reporting fraud.
16 The Guide indicates that it is ‘non-binding, but provides best practice to assist accountable authorities to meet their obligations under the fraud rule.’ Resource Management Guide No.201: Preventing, detecting and dealing with fraud, July 2014, p.5.
17 The Policy contains procedural requirements which supplement the Fraud Rule. Section 21 of the PGPA Act requires that an entity be governed in a way that is not inconsistent with government policies.
18 ANAO Report No.42 2009–10 Fraud control in Australian Government Agencies.
19 The AIC is a separate entity within the Attorney-General’s portfolio. It was not designated as an audited entity for this report.
20 On 31 July 2014, the Minister for Justice announced the establishment of a Fraud and Anti-Corruption Centre located in AFP headquarters. The Centre is intended to bring together the Australian Taxation Office, Australian Securities and Investment Commission, Australian Crime Commission, Australian Customs and Border Protection Service, Department of Human Services, Department of Immigration and Border Protection, Department of Defence and Department of Foreign Affairs. The Centre’s aim is to assess, prioritise and respond to matters relating to serious fraud and corruption.
21 Specifically, Fraud Against the Commonwealth and Compliance with the Commonwealth Fraud Control Guidelines. The reports are prepared by AGD in cooperation with the Australian Institute of Criminology (AIC).
22 DVA commenced a significant restructure of its fraud control governance and operational arrangements in August 2013. Austrade advised the ANAO in October 2014 that its fraud control arrangements would be reviewed internally.
23 The revised Guidance which took effect from 1 July 2014 also requires preparation of these reports. (Department of Finance, Resource Management Guide No. 201, Preventing, Detecting and Dealing with Fraud, p. 21, paragraphs 12.3–12.4).
24 The reports are not required to be made public. They are provided to the Minister for Justice and circulated to the Department of Finance and a number of other entities.
25 In 2003, 2005 and 2009.
26 The definition incorporates ‘a mental or fault element to fraud; it requires more than carelessness, accident or error.’ See Attorney-General’s Department, Commonwealth Fraud Control Guidelines 2011, March 2011, AGD, Canberra, p. 5.
27 The ANAO was provided with unpublished data from the 2010–11 survey of Australian Government entities conducted by the Australian Institute of Criminology (AIC) for the annual report on ‘Fraud Against the Commonwealth’. The most recent published report was Fraud Against the Commonwealth in 2009–10.
28 A full list of recent ANAO Audit Reports that examine Commonwealth entities’ fraud control arrangements is contained in Appendix 2.
29 ANAO Report No.42 2009–10 Fraud Control in Australian Government Agencies.
30 ibid.
31 The AIC is a separate entity within the Attorney-General’s portfolio. It was not designated as an audited entity for this report.
32 The revised Guidance which took effect from 1 July 2014 also documents whole-of-government arrangements. (Department of Finance, Resource Management Guide No. 201, Preventing, Detecting and Dealing with Fraud, p. 6).
33 Attorney-General’s Department, Commonwealth Fraud Control Guidelines, Canberra, AGD, March 2011, p. 21, paragraph 12.3.
34 ANAO comment: Under current Ministerial arrangements, the reports are to be provided to the Minister for Justice.
35 The audit found that ‘there was a lack of visibility as to which CAC Act bodies have (or have not) received a notification (from their responsible Minister) to apply the Guidelines’ (see paragraph 3.14, ANAO Audit Report No. 42, 2009–10). See Appendix 3 of this audit for a list of recommendations from the earlier audit, and the full response by AGD.
36 ANAO comment: The JCPAA released its report on the PGPA Act in May 2014. See Report 441, Inquiry into Public Governance, Performance and Accountability Act 2013 Rules Development, available from <http://www.aph.gov.au/~/media/Committees/Joint/JCPAA/44p/PGPA-ACT2013/Final%20Report.pdf> [accessed 19 May 2014].
37 The Fraud Rule states that it is intended to establish a minimum standard for managing the risk and incidents of fraud. It provides that entities must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by: conducting fraud risk assessments; developing and implementing a fraud control plan; and having an appropriate mechanism for preventing, detecting, investigating, recording and reporting fraud.
38 The Guide indicates that it is ‘non-binding, but provides best practice to assist accountable authorities to meet their obligations under the fraud rule.’ Resource Management Guide No.201: Preventing, detecting and dealing with fraud, July 2014, p.5.
39 The Policy contains procedural requirements which supplement the Fraud Rule. Section 21 of the PGPA Act requires that an entity be governed in a way that is not inconsistent with government policies.
40 The audit found that smaller agencies (less than 249 employees) made up the largest percentage of agencies that were not meeting the mandatory fraud external reporting requirements. In addition, smaller agencies accounted for the largest percentage of agencies without a fraud policy statement, fraud risk assessment and fraud control plans (paragraphs 3.26–27). See Appendix 3 for a list of recommendations from the audit, and the full response by AGD.
41 In this report, these two reports are called the Fraud Against the Commonwealth Report and the Annual Compliance Report.
42 ANAO comment: Responsibility for preparing the annual Fraud Against the Commonwealth Report was transferred from AGD to AIC in 2007.
43 Attorney-General’s Department, Commonwealth Fraud Control Guidelines, Canberra, AGD, March 2011, paragraph 12.3, p.21.
44 ibid., p. 21.
45 ibid.
46 AGD’s full response regarding the implementation of the recommendation made in the ANAO’s previous audit appears in Appendix 3.
47 The Guidelines refer to the then Minister for Home Affairs as the responsible Minister. At present, the responsible Minister is the Minister for Justice.
48 Attorney-General’s Department, Commonwealth Fraud Control Guidelines, Canberra, AGD, March 2011, paragraph 12.3.
49 The revised Guidance which took effect from 1 July 2014 also requires preparation of these reports. (Department of Finance, Resource Management Guide No. 201, Preventing, Detecting and Dealing with Fraud, p. 21, paragraphs 12.3–12.4).
50 ANAO Better Practice Guide—Fraud Control in Australian Government Entities, March 2011, Canberra, p. 31.
51 Attorney-General’s Department, Commonwealth Fraud Control Guidelines, Canberra, AGD, March 2011, p. III.
52 ANAO Better Practice Guide—Fraud Control in Australian Government Entities, March 2011, Canberra, p. 1.
53 ibid., p. 4.
54 See Ministerial foreword and paragraph 3.3.
55 ANAO Better Practice Guide—Fraud Control in Australian Government Entities, March 2011, Canberra, p. 20.
56 ibid., p. 23.
57 The Export Market Development Grants scheme is an Australian Government financial assistance program for aspiring and current exporters. The scheme supports a wide range of industry sectors and products, including inbound tourism and the export of intellectual property and know-how outside Australia. Austrade, What is EMDG? [Internet], available from <http://www.austrade.gov.au/export/export-grants/what-is-emdg>, [accessed 20 March 2014].
58 Separately, the ANAO is conducting a performance audit of the EMDG program, including its fraud control arrangements. The current audit is focussed on Austrade’s entity wide arrangements, and did not examine the administration of the EMDG except to the extent of its alignment with Austrade’s overarching governance framework for fraud control.
59 The scope of the current audit does not extend to examining the conduct of internal investigations.
60 Chief Executive Instructions were a feature of the resource management framework established by the FMA Act and Regulations. FMA Regulation 6 made provision for an agency Chief Executive to issue Chief Executive Instructions on ‘any matter necessary or convenient for carrying out or giving effect to the [FMA] Act or these Regulations…’.
61 Austrade’s arrangements also provide for the Chief Counsel, Legal, Procurement and Fraud to oversee the entity’s handling of instances of fraud following initial investigation.
62 ANAO Better Practice Guide—Fraud Control in Australian Government Entities, March 2011, Canberra, pp. 20–21.
63 ibid., p. 22.
64 ANAO Better Practice Guide—Fraud Control in Australian Government Entities, March 2011, Canberra, p. 32.
65 Attorney-General’s Department, Commonwealth Fraud Control Guidelines, Canberra, AGD, March 2011, p. 9, paragraph 6.3.
66 ibid., p. 9, paragraph 6.3.
67 ibid., p. 9, paragraphs 6.1 and 6.8.
68 Attorney-General’s Department, Commonwealth Fraud Control Guidelines, Canberra, AGD, March 2011, p. 12, paragraph 8.2.
69 CEIs are discussed in footnote 60.
70 The Guidelines further emphasised that ‘Fraud control strategies should become an integral part of agency culture, processes and practices’ (paragraph 3.3) and that ‘Fraud prevention involves not only putting into place effective accounting and operational controls, but also fostering an ethical culture that encourages employees and contractors at all levels to play their part in protecting public resources’ (paragraph 8.1).
71 ANAO Report No.42 2009–10, Fraud Control in Australian Government Agencies, March 2011, p. 73.
72 Emphasis added. The tip-off reporting procedures in each entity are discussed in paragraph 4.5 and Table 4.2 of this audit.
73 For a list of approaches used in the Australian Public Service, see p. 43 of ANAO Better Practice Guide—Fraud Control in Australian Government Entities, March 2011, Canberra.
74 ibid., p. 43.
75 Attorney-General’s Department, Commonwealth Fraud Control Guidelines, Canberra, AGD, March 2011, paragraph 8.13, p. 7.
76 ibid., paragraph 8.14, p. 7.
77 ibid., paragraphs 8.13–8.14, p. 7.
78 ANAO Report No.13 2013–14 Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2013, pp. 144, 158 and 197.
79 ANAO Better Practice Guide—Fraud Control in Australian Government Entities, March 2011, Canberra, p. 53.
80 ANAO Report No.42 2009–10 Fraud Control in Australian Government Agencies, p. 87.
81 This audit examined detection and response, up to the point when an investigation is initiated. It did not examine the investigative process undertaken by the audited agencies, or by external agencies such as the Australian Federal Police.
82 Attorney-General’s Department, Commonwealth Fraud Control Guidelines, March 2011, p. 15, paragraph 10.2.
83 ANAO Better Practice Guide—Fraud Control in Australian Government Entities, March 2011, Canberra, p. 51.
84 ibid., p. 51.
85 Attorney-General’s Department, Commonwealth Fraud Control Guidelines, March 2011, p. 15, paragraph 10.4.
86 The number of tip-offs is reported each year by the agencies to the Australian Institute of Criminology, for inclusion in the annual Fraud against the Commonwealth report.
87 Attorney-General’s Department, Commonwealth Fraud Control Guidelines, March 2011, p. 15, paragraph 10.3.
88 Comcare ‘Reporting Fraud’, 20 March 2014, available from <https://www.comcare.gov.au/the_scheme/fraud/reporting_fraud> [accessed 30 March 2014].
89 The fraud reporting facility on Austrade’s website is located within the Export Market Development Grants scheme webpage.
90 Austrade, EMDG Fraud Hotline, 2014, available from <http://www.austrade.gov.au/Export/Export-Grants/Contact-us/Fraud-hotline/EMDG-Fraud-Hotline> [accessed 7 April 2014].
91 Department of Veterans’ Affairs, Chapter 11–Your Rights, 7 February 2014, available from <http://www.dva.gov.au/pensions_and_compensation/yandyp/Pages/Ch11.aspx> [accessed 30 March 2014].
92 Department of Veterans’ Affairs, Contact DVA, 7 February 2014, available from <http://www.dva.gov.au/contact_us/Pages/index.aspx> [accessed 30 March 2014].
93 Austrade, Contact Austrade, 2014, available from <http://www.austrade.gov.au/About-Austrade/Contact-us> [accessed 7 April 2014].
94 Whistleblowing referred to the reporting, in the public interest, of information which alleged a breach of the Australian Public Service Code of Conduct (including fraud) by an employee. ANAO Better Practice Guide—Fraud Control in Australian Government Agencies, March 2011, p. 56. The Public Interest Disclosure Act 2013 introduced, from 15 January 2014, a scheme to encourage public officials to report suspected wrongdoing in the Australian public sector.
95 Attorney-General’s Department, Commonwealth Fraud Control Guidelines, March 2011, p. 15, paragraph 10.2.
96 ANAO Better Practice Guide—Fraud Control in Australian Government Entities, March 2011, Canberra, pp. 53, 56–60.
97 Service providers at DVA and Comcare include, but are not limited to: medical, hospital and transport services.
98 In the 1990–91 budget, the then Government announced new measures to detect incorrect payments in the income support system. This involved a program of computer matching of identity and income data held by a limited number of government agencies, including the Australian Taxation Office. People claiming Australian Government financial assistance have to provide a Tax File Number as a condition of receiving a pension or allowance.
99 Office of the Australian Information Commissioner, Annual Report 2012–13, p. 80.
100 ANAO Better Practice Guide—Fraud Control in Australian Government Entities, March 2011, Canberra, p. 59.
101 ibid., p. 65.
102 The Australian Government Investigative Standards (AGIS) were developed for Australian Government entities to ensure quality investigative practices and outcomes. All Australian Government agencies required to comply with the Fraud Control Guidelines must also comply with the minimum standards for investigations set out in AGIS. Australian Federal Police, Investigation Standards [Internet], <http://www.afp.gov.au/policing/fraud/investigation-standards.aspx> [accessed 28 February 2014].
103 Attorney-General’s Department, Commonwealth Fraud Control Guidelines, March 2011, p. 15, paragraphs 10.6–10.7.
104 ibid., p. 17, paragraph 10.24.
105 ANAO Better Practice Guide—Fraud Control in Australian Government Entities, March 2011, Canberra, p. 66.
106 Attorney-General’s Department, Commonwealth Fraud Control Guidelines, March 2011, p. 17, paragraph 10.24.
107 Comcare and DVA based their Case Prioritisation Models on two years of operational intelligence from their fraud divisions. Using this information, the agencies were able to statistically determine the markers that identify cases that are likely to yield an outcome for the Government, or that should be investigated as a priority. These markers could include the type of fraud alleged (that is, ‘false information’ or ‘deceased claimant’); previous allegations of fraud; and the overall sensitivity of the allegation.
108 Attorney-General’s Department, Commonwealth Fraud Control Guidelines, March 2011, p. 15, paragraphs 12.1–12.2.
109 ANAO Better Practice Guide—Fraud Control in Australian Government Entities, March 2011, Canberra, pp. 65–66.
110 ibid., p. 73.
111 Attorney-General’s Department, Commonwealth Fraud Control Guidelines, March 2011, p. 21, paragraph 12.1.
112 ibid., p. 65.
113 ANAO Better Practice Guide—Fraud Control in Australian Government Entities, March 2011, Canberra, p. 69.
114 An entity will only proceed to:
criminal prosecution, if there is a reasonable prospect of a criminal conviction being secured (i.e. evidence beyond reasonable doubt), or
civil litigation, if there is sufficient evidence on the balance of probabilities.
115 ANAO Better Practice Guide—Fraud Control in Australian Government Entities, March 2011, Canberra, p. 76, paragraph 8.1.3.
116 See ANAO Report No.42 2009–10 Fraud Control in Australian Government Agencies, pp. 15–16. The report concluded that while there had been an improvement in the level of compliance with the Fraud Control Guidelines between 2002 and 2009, a key area for improvement was the evaluation of specific fraud control strategies. See also, ANAO Better Practice Guide—Fraud Control in Australian Government Entities, March 2011, Canberra, p. 75.
117 Attorney-General’s Department, Commonwealth Fraud Control Guidelines, March 2011, p. 9, paragraph 6.1.
118 ibid., p. 11, paragraph 7.1.
119 ibid., p. 9, paragraph 6.8.
120 These are examples of some methods used by the selected entities to monitor and review their fraud control arrangements. As such, they are not intended to be an all-inclusive list of the relevant activities used by each entity.
121 ANAO Better Practice Guide—Fraud Control in Australian Government Entities, March 2011, Canberra, pp. 24, 50, 60, 72, 79.
122 Comcare, Comcare Fraud Control Plan 2013–15, August 2013, p. 9.
123 The expenditure had increased three-fold, to up to $7 million per year, despite a minimal increase in the numbers of practitioners.
124 Identified fraudulent and/or non-compliant activities included over-servicing, double claims, incorrect facts of advertising, excessive treatments on the same day and item code issues. DVA minute, June 2011.
125 ANAO Better Practice Guide—Fraud Control in Australian Government Entities, March 2011, Canberra, p. 77, paragraph 8.1.4.
126 Comcare, Comcare Annual Report 2012–13, Canberra, October 2013, p. 97.
127 See paragraph 4.14.
128 ANAO Better Practice Guide—Fraud Control in Australian Government Entities, March 2011, Canberra, p. 77, paragraph 8.2.
129 These stakeholders include the Portfolio Minister and responsible Minister, the Attorney-General, the Parliament, clients and the general public. ANAO Better Practice Guide—Fraud Control in Australian Government Agencies, March 2011, p. 73.
130 Australian Government agencies commenced annual reporting on fraud in 1995–96, and from 2002–03 to 2006–07, the annual Fraud Against the Commonwealth Report was released by the Attorney-General’s Department. In 2006–07 this responsibility was transferred to the AIC.
131 The AIC conducts an annual survey of fraud control arrangements to inform its preparations of the annual Fraud Against the Commonwealth Report, see paragraphs 2.22–2.27.
132 ANAO Better Practice Guide—Fraud Control in Australian Government Entities, March 2011, Canberra, p. 77.
133 The Fraud Control BPG indicates that the central point of contact for all fraud-related matters, which includes establishing and managing internal reporting channels, should be the Fraud Manager. This role is discussed in paragraphs 3.21–3.22 of this audit. See ANAO Better Practice Guide—Fraud Control in Australian Government Entities, March 2011, Canberra, p. 77, paragraphs 3.4 and 8.2.1.
134 ANAO Better Practice Guide—Fraud Control in Australian Government Entities, March 2011, Canberra, p. 77, paragraph 8.2.1.
135 The majority of internal reporting is conducted by the agency’s fraud control section when briefing the audit committee. The role of audit committees in each of the audited agencies is discussed in paragraph 3.23 of this audit.
136 ANAO Better Practice Guide—Fraud Control in Australian Government Entities, March 2011, Canberra, p. 77.
137 ANAO Better Practice Guide—Fraud Control in Australian Government Entities, March 2011, Canberra, p. 78.
138 Attorney-General’s Department, Commonwealth Fraud Control Guidelines, March 2011, pp. 8 and 21, paragraphs 5.8 and 12.4.
139 ibid., p. 8, paragraph 5.8.
140 DVA advised the ANAO that processes have now been implemented to ensure that all necessary certifications are included in future Annual Reports.
141 See paragraph 2.26 of this audit.