Introduction

1.1 Fraud against Australian Government entities and corrupt conduct by Australian Government officials are serious matters that can constitute criminal offences. Fraud and corruption undermine the integrity of and public trust in government, including by reducing funds available for government program delivery and causing financial and reputational damage to defrauded entities.⁸

1.2 The Australian Government defines fraud as:

Dishonestly obtaining (including attempting to obtain) a gain or benefit, or causing a loss or risk of loss, by deception or other means.⁹

1.3 Fraud against the Australian Government can be committed by government officials or contractors (internal fraud) or by parties such as clients of government services, service providers, grant recipients, other members of the public or organised criminal groups (external fraud).¹⁰ In its annual report on fraud against the Commonwealth¹¹, the Australian Institute of Criminology reported that, for 2022–23:

• 378,033 fraud allegations were received, including 366,196 of external fraud¹²;
• 5,483 fraud investigations were commenced¹³, primarily in large (1,001–10,000 employees) and extra-large (greater than 10,000 employees) entities;
• 6,915 fraud investigations were finalised¹⁴, with 3,192 fraud allegations substantiated in full or in part¹⁵; and
• the quantified reported internal fraud losses were $2.9 million and the quantified reported external fraud losses were estimated at $158.1 million.¹⁶

1.4 The Australian Institute of Criminology notes that these reported fraud losses only include those which entities were able to quantify, and that losses and recoveries may be difficult to quantify due to system limitations, conduct of investigations by external agencies or confidential settlements.¹⁷

1.5 The Commonwealth Fraud Risk Profile identifies eight fraud risk areas across corporate and program and policy functions (Table 1.1).

Table 1.1: Fraud risk areas in the Commonwealth

Source: Attorney-General’s Department, Commonwealth Fraud Prevention Centre, The New Commonwealth Fraud Risk Profile, AGD, 2022.

The Commonwealth Fraud Control Framework

1.6 The Commonwealth Fraud Control Framework 2017 provided the Australian Government’s fraud control requirements through to 30 June 2024. It had three components (Table 1.2).

Table 1.2: 2017 Commonwealth Fraud Control Framework components

Source: ANAO summary of 2017 Commonwealth Fraud Control Framework components.

1.7 On 1 July 2024, the new Commonwealth Fraud and Corruption Control Framework 2024 came into effect. From 1 July 2024, non-corporate Commonwealth entities are required to adhere to the revised Fraud and Corruption Policy (see Table 1.3).¹⁸ The Fraud and Corruption Policy is considered better practice for corporate Commonwealth entities and Commonwealth companies. The revised framework includes provisions to mitigate corruption risk and complement the function of the National Anti-Corruption Commission.¹⁹ It introduces new requirements for fraud governance, oversight arrangements and controls testing.

Table 1.3: Comparison of the key elements of the 2024 Fraud and Corruption Rule to the 2017 Fraud Rule

Source: Adapted from Commonwealth Fraud Prevention Centre, Learn about the Fraud and Corruption Control Framework [Internet], Attorney-General’s Department, 2024, available from https://www.counterfraud.gov.au/learn-about-fraud-and-corruption-control-framework [accessed 25 June 2024].

1.8 The 2017 Fraud Rule and the 2024 Fraud and Corruption Rule apply to both the internal and external fraud risks identified in Table 1.1. The 2024 Commonwealth Fraud and Corruption Control Framework states that:

Fraud and corruption are risks that can undermine the objectives of every Australian Government entity in all areas of their business, including delivery of services and programs, policy-making, regulation, taxation, procurement, grants and internal procedures.²⁰

Responsibilities of accountable authorities

1.9 The Public Governance, Performance and Accountability Act 2013 (PGPA Act) and the PGPA Rule contain specific duties and requirements for the accountable authority of a Commonwealth entity pertaining to internal control arrangements, including for fraud control and reporting (see Table 1.4).

Table 1.4: Fraud-related responsibilities of accountable authorities

Note a: In respect to ‘proper use’, section 8 of the PGPA Act provides that ‘proper, when used in relation to the use or management of public resources, means efficient, effective, economical and ethical’.

Source: PGPA Act and PGPA Rule.

1.10 The Commonwealth Grants Rules and Guidelines (CGRGs) — in place up until 30 September 2024 — note that probity and transparency in grants administration are achieved by ensuring that decisions are impartial, documented, and lawful; there is compliance with public reporting requirements; and there are appropriate safeguards against fraud. The CGRGs state that accountable authorities must ensure that the entity’s fraud procedures and practices comply with the Fraud Rule, including as they apply to grants administration. The CGRGs further note that officials undertaking grants administration should be aware of the procedures to follow if fraud is suspected.²¹

1.11 The APS Integrity Taskforce’s 2023 report Louder than Words: An APS Integrity Action Plan²² noted the need for entities to gain ‘reassurance that their integrity frameworks are effective and that their fraud and corruption risks are mitigated.’ The report contains a recommendation to ‘upscale institutional integrity (cultural and compliance) within agencies’.²³ One of the actions identified by the APS Integrity Taskforce to support implementation of this recommendation is for accountable authorities to complete a self-assessment against the Commonwealth Integrity Maturity Framework and report the results to the Secretaries Board by September 2024.

1.12 ‘Prevent, detect and manage fraud and corruption’ is one of the eight integrity principles identified by the National Anti-Corruption Commission (NACC) in the Commonwealth Integrity Maturity Framework.²⁴ The NACC identified in its Integrity Outlook 2023–24 that:

Minimising the incidence of internal fraud through the identification and management of fraud risks should continue to be an ongoing focus of agencies. This can be achieved through the development, implementation and regular review of fraud prevention and detection strategies.²⁵

Previous audits

1.13 The fraud control arrangements of Australian Government entities have been the subject of previous Auditor-General reports. The most recent was tabled in 2023–24 and examined the Australian Taxation Office’s (ATO’s) management and oversight of fraud control arrangements for the Goods and Services Tax (GST). The audit found that the ATO’s management and oversight of fraud control arrangements for the GST was partly effective.²⁶

1.14 A series of three Auditor-General reports on the fraud control arrangements of Australian Government entities was published in June 2020.²⁷ The reports concluded that:

• fraud control arrangements in the Department of Home Affairs were effective;
• fraud control arrangements in the Department of Social Services and the Department of Foreign Affairs and Trade were largely effective; and
• each of the audited entities met the mandatory requirements of the 2017 Commonwealth Fraud Control Framework.²⁸

Australian Skills Quality Authority

1.15 The Australian Skills Quality Authority (ASQA) is the Australian Government agency responsible for the regulation of around 90 per cent of vocational education and training (VET) providers operating in Australia. As a non-corporate Commonwealth entity and an independent statutory authority, ASQA regulates:

• providers that deliver VET qualifications and courses;
• providers that deliver VET courses to overseas students;
• accredited VET courses; and
• certain providers that deliver English language intensive courses to overseas students.

1.16 ASQA’s purpose is ‘to ensure quality VET, so that students, industry, governments and the community can have confidence in the integrity of national qualifications issued by training providers’.²⁹

1.17 ASQA’s budget and number of staff in 2023–24 are set out in Table 1.5.

Table 1.5: ASQA’s budget and average staffing levels 2024–25

Note a: Average staffing level is a method of counting that adjusts for casual and part-time staff to show the average number of full-time equivalent employees.

Source: Australian Government, Portfolio Budget Statements 2024–25, Employment and Workplace Relations Portfolio, Commonwealth of Australia, Canberra, 2024, p. 94.

1.18 ASQA is responsible for the regulation of 3,842 VET providers across the states and territories except for Western Australia and Victoria. As the national regulator for VET, ASQA has the responsibility to manage fraud and corruption internally as well as externally within its regulatory environment. The effectiveness of ASQA’s fraud control arrangements in conducting its regulatory functions is important to maintaining the integrity of the VET sector and Australia’s reputation as a provider of quality education and training. In 2022–23 ASQA received 52,273 enquiries from the sector relating to regulatory obligations. Table 1.6 sets out the number of ASQA’s key regulatory activities undertaken in 2022–23.

Table 1.6: ASQA’s regulatory activity data 2022–23

Note a: Registration and course accreditation consist of new provider registrations, provider registration renewals, changes of scope registration, course accreditations, course re-accreditations and amended course accreditations. Compliance actions include warning letters, providers entering an agreement to rectify (ATR), written directions, conditions on registration, sanctions which includes cancelling or not renewing registrations.

Source: ASQA Annual Report 2022–23.

Rationale for undertaking the audit

1.19 Fraud against Australian Government entities reduces available funds for public goods and services and causes financial and reputational damage to the Australian Government.³⁰ All Commonwealth entities are required to have fraud control arrangements in place to prevent, detect and respond to fraud. From 1 July 2024, this requirement also extends to corruption. This audit is intended to provide assurance to the Parliament regarding the fraud control arrangements in ASQA.

Audit approach

Audit objective, criteria and scope

1.20 The objective of the audit was to assess the effectiveness of ASQA’s fraud control arrangements as the national regulator of the vocational education and training sector.

1.21 To form a conclusion against this objective, the following high-level criteria were adopted.

• Have appropriate arrangements been established to oversee and manage fraud risks?
• Have appropriate mechanisms been established to prevent fraud and promote a culture of integrity?
• Have appropriate mechanisms been established to detect and respond to fraud?
• Has the Australian Skills Quality Authority appropriately prepared for the commencement of the revised Commonwealth Fraud and Corruption Control policy in July 2024?

Audit methodology

1.22 The audit methodology included:

• examination of ASQA’s strategies, frameworks, policies, procedures, guidelines and training;
• analysis of ASQA’s information relating to fraud and corruption prevention, detection, investigation and response (including risk assessments, control plans, confidential reporting mechanisms, and investigation, recording and reporting mechanisms);
• review of governance committee papers and minutes;
• review of internal and external reporting on fraud and corruption control activities;
• examination of management-initiated reviews, internal audits and assurance reports; and
• meetings with ASQA staff.

1.23 The ANAO examined ASQA’s fraud control framework from an internal fraud control and regulatory fraud control perspective, including ASQA’s review of controls. The audit did not test the effectiveness of those controls.

1.24 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $397,800.

1.25 The team members for this audit were Deloitte Touche Tohmatsu, Lauren Dell and Renina Boyd.

2.1 Section 16 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) states that the accountable authority of a Commonwealth entity has a duty to establish and maintain systems relating to risk and control. The 2017 Commonwealth Fraud Control Framework, which was replaced by the Commonwealth Fraud and Corruption Control Framework 2024 from 1 July 2024, requires accountable authorities to conduct regular fraud risk assessments and, as soon as practicable, develop and implement fraud control plans to deal with the identified risks. The requirement was restated in the 2024 Commonwealth Fraud and Corruption Control Framework which requires fraud and corruption risk assessments to be undertaken at least every two years.³¹

Are there appropriate governance and oversight arrangements for fraud control?

ASQA’s fraud control framework

2.2 As the Commonwealth’s regulator for the Vocational Education and Training (VET) sector, ASQA considers fraud control from both an internal and regulatory perspective. ASQA’s fraud control framework consists of:

• ASQA’s Fraud Control Policy and Fraud Control Plan 2022–24 which addresses its internal environment; and
• ASQA’s regulatory model which addresses its regulatory environment and incorporates fraud control in exercising its functions.

Fraud Control Policy

2.3 ASQA’s current Fraud Control Policy was developed in April 2013 and was scheduled to be reviewed in April 2014. This review did not take place. The key elements of the policy are set out below.

• The policy includes a definition of fraud and its consequences, and references superseded legislation and guidelines including the Financial Management and Accountability Act 1997 and the Commonwealth Fraud Control Guidelines 2011.
• The policy applies a definition of corruption based on the outdated Commonwealth Fraud Control Guidelines 2011 and the former Australian Standard AS 8001–2008: Fraud and Corruption Control.³²
• The policy identifies responsibilities for fraud control within ASQA. The policy references former senior management roles within ASQA which no longer exist. The roles are not reflected in the Fraud Control Plan 2022–2024 and the policy does not include current roles set out in the Fraud Control Plan 2022–2024.

2.4 Since its Fraud Control Policy was developed in 2013, ASQA has undergone changes to its operations.

• In March 2020, the Australian Government released a rapid review into ASQA’s regulatory practices, presenting 24 agreed recommendations to reform ASQA’s operations in line with best practice, governance, regulation and engagement.
• In October 2023, the Australian Government announced a ‘$37.8 million investment to ensure [ASQA] is adequately equipped and has the technology and data matching capability to identify and respond proactively to unethical and potentially illegal activity’.³³
• In March 2024, amendments were made to the National Vocational Education and Training Regulator Act 2011. The amendments provide ASQA with the regulatory tools to address integrity risks, ensure greater scrutiny of new Registered Training Organisations (RTOs) and promote a quality VET sector.

2.5 ASQA’s Fraud Control Policy 2013 has not been reviewed or updated to reflect these changes.

Fraud Control Plan

2.6 ASQA’s Fraud Control Plan 2022–2024 was approved in 2022. The Plan addresses ASQA’s internal fraud arrangements and does not incorporate its regulatory fraud control environment or associated activities. ASQA’s Fraud Control Plan 2022–2024 is discussed further below at paragraph 2.42.

2.7 Activities relating to regulatory fraud control are undertaken as part of ASQA’s regulatory operations. ASQA’s approach to addressing regulatory non-compliance is detailed in its regulatory risk framework. The framework identifies that ASQA’s response to regulatory non-compliance is proportionate to the level of risk. ASQA utilises:

a range of regulatory tools to encourage, assist, deter or enforce compliance with the legislation, including the standards is represented in the regulatory pyramid. [ASQA] use[s] education, methods to direct compliance, sanctions and court actions. These tools and measures may be used individually or in combination, to respond in a way that is risk-based and proportionate.³⁴

2.8 ASQA’s regulatory model, illustrated in Figure 2.1 below, is contained within its regulatory risk framework. The model includes conducting risk assessments, which then inform the determination of responses and assignment of actions. There is no specific regulatory fraud control process within the model as ASQA considers fraud as part of its day-to-day regulatory activities.

Figure 2.1: ASQA’s regulatory model

Source: ASQA Regulatory Risk Framework, p. 7, available from https://www.asqa.gov.au/sites/default/files/2021-07/regulatory-risk-framework.pdf.

Roles and responsibilities

2.9 ASQA’s Fraud Control Plan 2022–2024 outlines the key ASQA staff and their respective responsibilities for the management of fraud within the entity.³⁵ ASQA’s roles and responsibilities for fraud control are set out in Figure 2.2 below.

Figure 2.2: ASQA’s roles and responsibilities for oversight of fraud control

Source: ANAO Analysis of ASQA’s Fraud Control Plan 2022–2024 and advice from ASQA.

2.10 A description of the roles responsible for fraud control, as set out in ASQA’s Fraud Control Plan 2022–2024, is provided below.

• Chief Executive Officer — ensuring effective management of ASQA’s risk and fraud control and responsible for responding to reports of breaches of the Code of Conduct (including suspected fraudulent activities).
• Executive directors — ensuring operational fraud control activities are implemented such as risk treatments, controls, monitoring and management of fraud risks, determining ASQA’s fraud risk tolerance levels and setting a tone for fraud control within the entity.
• Audit and Risk Committee (ARC) — reviewing and examining successive updates of ASQA’s Fraud Control Plan, and overseeing the risk management strategy and development of the Fraud and Corruption Control Plan. The Committee is also responsible for assuring that processes are in place to prevent, detect and respond to fraud related incidents and monitoring compliance with laws and regulations (including the Fraud Policy and Guidance and the Fraud Rule).
• Director People and Capability — coordinating training across the entity in relation to fraud and managing workforce aspects relating to suspected fraud.
• Chief Financial Officer (CFO) — reports directly to the Chief Executive Officer (CEO) on fraud control and is the central point of contact for fraud control within the entity. The CFO is also responsible for oversight of fraud controls and the maintenance of key documentation.
• Director of Risk Assurance and Compliance — the central point of contact for fraud control within the entity. Manages key fraud risks, including responding to fraud risks at the strategic and operational levels. The director is also responsible for assessing fraud and corruption risk annually.
• Agency Security Advisor — reporting on fraud and corruption within ASQA and investigating alleged fraudulent activities.

2.11 In addition to these officials, ASQA advised the ANAO on 30 April 2024 that its Resources and Regulatory Committee supports the CEO and delegates to address their fraud control responsibilities. The Committee includes the Deputy CEO, the four regulatory Executive Directors, the CFO and the directors of: Governance, Support and Parliamentary; People and Capability; Risk Assurance and Evaluation; and General Counsel.

2.12 The Committee meets on a monthly basis. The Terms of Reference do not include fraud or fraud control as an objective, and fraud control is not a standing agenda item. In March 2024, the Committee discussed ASQA’s draft Fraud and Corruption Control Policy and Plan 2024–2026.

2.13 ASQA’s Fraud Control Plan 2022–2024 contains an overlap of responsibilities. In particular, the CFO and the Director of Risk, Assurance and Compliance hold similar responsibilities in terms of being the ‘central point of contact’. This is also reflected in ASQA’s fraud and corruption reporting flowchart (see Figure 4.2). The Agency Security Advisor role also contains reporting functions that are shared by the CFO and the Director of Risk, Assurance and Compliance.

2.14 In practice, the operation of ASQA’s governance and oversight framework does not reflect the documented responsibilities in its Fraud Control Plan 2022–2024. Fraud control within the regulatory environment was directed by the Deputy CEO, in particular for functions that would align more with the role of the CFO in relation to oversight.

Assurance

Audit and Risk Committee

2.17 ASQA’s Fraud Control Plan 2022–24 sets out the role of its ARC in terms of fraud control within the entity.

• Review and examine successive updates of ASQA’s Fraud Control Plan.
• The oversight of the risk management strategy and development of the Fraud and Corruption Control Plan to maintain currency and a focus on areas of medium/high risk.
• Assuring that processes are in place to prevent, detect and respond to fraud related incidents.
• Monitoring compliance with laws and regulations (including the Fraud Policy and Guidance and the ‘Fraud Rule’).

2.18 The ARC minutes of 12 September 2022 identified that in quarter two of 2022–23, the committee discussed ASQA’s strategic and operational risks. The committee reviewed ASQA’s risk register, risk management framework and the strategic risk report. The ARC minutes of 13 May 2024 stated that ASQA provided an update to the ARC on ASQA’s Fraud and Corruption Control Policy and Plan, in preparation for the changes to the Commonwealth Fraud and Corruption from 1 July 2024.

2.19 The ARC meeting minutes of 13 May 2024 also state that the ARC provided feedback on changes to be made to the new Fraud and Corruption Control Policy and Plan 2024–26, such as providing further clarity for employees who report fraud to be assured the matter has been appropriately actioned. The accountable authority did not provide evidence to the ANAO that the Fraud and Corruption Policy and Plan had been approved.

Internal audit

2.20 ASQA conducted an internal audit in May 2023 relating to internal fraud control, specifically addressing its delegations framework. The internal audit report was provided to the ARC on 23 May 2023, and found that ASQA had an appropriate authorisation and delegation process.

2.21 No internal audits have been conducted on regulatory fraud related risks, such as those detected by ASQA’s environmental scans.³⁶ ASQA advised the ANAO on 11 July 2024 that ‘regulatory fraud is an ongoing program of work and fraud may be identified through the course of an audit with particular areas of focus as determined by the regulatory risk priorities’.

Advisory mechanisms

2.22 In April 2022, ASQA established the National Vocational Education and Training Regulator Advisory Council as an advisory board on the regulation of the VET sector. The council is an advisory function established under section 174 of the National Vocational Education and Training Regulator Act 2011. The key function of the council is ‘to provide advice to the national VET regulator on the regulator’s functions’.³⁷

2.23 The NVETR Advisory Council statement of outcomes states that it considers strategic threat assessments to the integrity of the VET sector but did not specifically address fraud.

Has ASQA appropriately addressed its fraud risks?

2.24 Table 2.1 provides an assessment of ASQA’s approach to applying the Commonwealth’s Fraud Rule, Guidance and Policy in relation to conducting its fraud risk assessments.

Table 2.1: Assessment against the Fraud Framework — Fraud risk assessment

Key: ◆ Fully compliant ▲ Partly compliant ■ Not compliant.

Note: The Fraud Rule and Fraud Policy is mandatory for all non-corporate Commonwealth entities (NCCEs), and the Fraud Guidance is better practice for NCCEs (see Table 1.2). NCCEs undertake grants administration based on the mandatory requirements and key principles of grants administration in the Commonwealth Grants Rules and Guidelines (CGRGs). Paragraphs 7.5 to 7.12 of the CGRGs represent better practice for NCCEs.

Source: ANAO analysis of ASQA documentation.

Fraud risk assessments

2.25 The Fraud and Corruption Rule 2017 requires accountable authorities to take all reasonable measures to prevent, detect and respond to fraud and corruption relating to the entity, including through conducting assessments of fraud and corruption risks regularly, and when there is a substantial change in the structure, functions or activities.³⁸

2.26 The Commonwealth Fraud and Corruption Guidance identifies that:

For many entities, it may be appropriate to integrate enterprise-level fraud and corruption risk assessments into broader enterprise-level risk assessments. Entities with higher exposure to fraud and corruption risks should consider developing a standalone enterprise-level fraud and corruption risk assessment.³⁹

2.27 Risk assessments across ASQA’s internal and regulatory fraud environments are not integrated into enterprise-level risk assessments. ASQA’s approach to fraud risk assessments is based on separate internal and regulatory assessments that are not incorporated into ASQA’s Fraud Control Plan 2022–2024.

2.28 ASQA conducted a review of its internal fraud risks in December 2023 and January 2024. ASQA identified seven internal fraud risks, and one external fraud risk relating to false and misleading information in ASQA’s Fraud Control Plan 2022–2024.

2.29 ASQA’s risk register indicates that six of the eight risks identified in its fraud control plan were reviewed. The six risks were:

• ASQA employees engage in corrupt of fraudulent behaviour;
• inappropriate or unauthorised employee payments are made;
• inappropriate or unauthorised payments or procurements are made;
• misuse/theft of cash, cash equivalents or corporate credit cards;
• payment of employee salaries and entitlements is incorrect; and
• theft, inappropriate disposal, or unauthorised use of ASQA assets for personal gain.

2.30 The two risks not reviewed were:

• an external entity provides false or misleading information to ASQA in order to obtain a favourable regulatory outcome; and
• an external entity attempts to induce a favourable regulatory outcome through bribery, coercion or other corrupt means.

2.31 ASQA’s primary risk assessment tool for regulatory fraud control is its annual environmental scan.⁴⁰ The scans were conducted in 2023 and 2024.

Entity-specific risk factors

2.32 ASQA’s approach to fraud risk did not include consideration of its regulatory risk assessments as part of the entity’s Fraud Control Plan 2022–2024. Internal fraud and regulatory fraud risk assessments were conducted as separate fraud control exercises.

2.33 ASQA’s review of its internal fraud risks focussed on risks associated with the misappropriation of money and property. For a smaller entity like ASQA, these risks reflect the entity’s primary internal fraud risks.

2.34 The environmental scans conducted in 2023 and 2024 considered visa fraud as a significant entity risk factor in relation to ASQA’s regulatory environment. ASQA also conducted a risk assessment after the establishment of its tip-off line in October 2023.

Risk, fraud and corruption control standards

2.35 Paragraph 32 of the 2017 Fraud Guidance encourages entities to consider the relevant recognised standards, including the Australian/New Zealand Standard AS/NZ ISO 31000-2009 Risk Management—Principles and Guidelines and Australian Standard AS 8001-2008 Fraud and Corruption Control.

2.36 ASQA’s Fraud Control Plan 2022–2024 identifies that it applies the Australian Standard AS 8001–2008: Fraud and Corruption Control. The plan also identifies the Commonwealth’s Fraud Corruption Framework 2017, Commonwealth Fraud Control Policy, the PGPA Act 2013 and associated guidance.

2.37 The Regulatory Risk Management Framework considers relevant standards but does not specify how ASQA meets these standards. Specific fraud and corruption control standards are not mentioned in the environmental scan or tip-off assessments.

Fraud control as part of the risk management framework

2.38 Fraud control arrangements have been developed in the context of the entity’s respective regulatory risk frameworks. The Fraud Control Plan 2022–2024 aligns with the entity’s enterprise risk framework. Regulatory fraud risk is addressed through ASQA’s regulatory operating model, which forms part of ASQA’s regulatory risk framework.

Informing internal audit of fraud risk

2.39 ASQA did not provide the findings of the environmental scans to its internal auditor.

Has ASQA developed an appropriate fraud control plan and mechanisms to test the effectiveness of controls?

2.40 The Fraud Rule requires accountable authorities to develop and implement control plans to deal with fraud and corruption risks. Controls and strategies in fraud control plans should align with assessed fraud risks.

2.41 Table 2.2 provides an assessment of ASQA’s Fraud Control Plan 2022–24 against the Fraud Rule and Guidance.

Table 2.2: Compliance assessment — ASQA’s Fraud Control Plan 2022–2024

Key: ◆ Fully compliant ▲ Partly compliant ■ Not compliant.

Note: The Fraud Rule is mandatory for all NCCEs.

Source: ANAO analysis of ASQA documentation.

ASQA’s Fraud Control Plan

2.42 ASQA’s Fraud Control Plan 2022–2024 documents its approach to managing internal fraud within the entity. It does not include ASQA’s regulatory fraud control arrangements. The Fraud Control Plan 2022–2024 states that the plan is a key document in ASQA’s fraud control guidance and should be read in conjunction with ASQA’s Fraud Control Policy. The plan includes a summary of ASQA’s key fraud risks with associated controls and treatment strategies. For each fraud risk, ASQA has identified the senior responsible officer.

Controls and strategies to align with assessed fraud risks

2.43 ASQA’s Fraud Control Plan 2022–24 includes seven internal fraud risks and associated controls and one external fraud risk relating to false and misleading information but does not address ASQA’s regulatory role in relation to fraud. Fraud risks identified in the Fraud Control Plan 2022–2024 align with ASQA’s enterprise risk register. Internal controls and proposed strategies outlined in fraud control plan are commensurate with assessed fraud risks. A summary of the fraud risks and key controls is provided in Appendix 3.

Review and testing of control effectiveness

2.44 ASQA’s internal audit conducted one controls testing exercise in May 2023, focused on its delegations and authorisations. The testing found that ASQA has an appropriate authorisation and delegation process. There is no strategy or framework for the regular testing of the controls identified in the Fraud Control Plan 2022–2024.

2.45 As mentioned in paragraph 2.42, ASQA’s Fraud Control Plan 2022–2024 does not include its regulatory fraud control arrangements. In relation to regulatory fraud control, ASQA advised the ANAO on 11 July 2024 that:

Regulatory fraud is an ongoing program of work and fraud may be identified through the course of an audit, with areas of focus as determined by the regulatory risk priorities. The regulatory risk priorities are:

• non genuine providers and bad faith operators
• inadequate or fraudulent recognition of prior learning
• shortened course duration
• academic cheating
• student work placement
• online delivery.

2.46 On 1 July 2024, ASQA advised the ANAO that environmental scans contribute to testing the effectiveness of controls in ASQA’s regulatory environment, but ASQA was unable to provide evidence of how this occurs.

3.1 The Commonwealth Fraud Control Framework 2017 requires accountable authorities to establish appropriate mechanisms for preventing fraud, including by ensuring that entity officials are made aware of what constitutes fraud⁴¹, and that officials engaged in fraud control activities receive appropriate training or attain necessary qualifications.⁴² The Fraud Guidance states that ‘Fraud prevention involves putting into place effective accounting and operational controls, and fostering an ethical culture that encourages all officials to play their part in protecting public resources’.⁴³

Have appropriate mechanisms been established to prevent fraud?

3.2 Table 3.1 presents an assessment of ASQA’s approach to applying the Commonwealth’s 2017 Fraud Rule, Fraud Guidance and Fraud Policy in relation to fraud prevention.

Table 3.1: Assessment against the Fraud Framework — Fraud prevention in ASQA

Key: ◆ Fully compliant ▲ Partly compliant ■ Not compliant.

Note: The Fraud Rule and the Fraud Policy is mandatory for all non-corporate Commonwealth entities (NCCEs) and the Fraud Guidance is better practice for NCCEs (see Table 1.2).

Source: ANAO analysis of ASQA documentation.

Appropriateness and effectiveness of preventative controls

Internal fraud

3.3 ASQA’s primary internal fraud preventative control is mandatory fraud awareness training for staff. ASQA requires existing staff and new starters to complete mandatory fraud awareness training: APS Essential — Fraud Awareness. The training provides education on what constitutes fraud, how fraud can occur, and responsibilities when dealing with fraud as a public official. New starters are required to complete the training when onboarding to ASQA and existing staff are required to complete the training annually as a refresher.

3.4 From July 2023 to April 2024, the Chief Executive Officer (CEO) shared updates with staff through a total of 14 communications via CEO weekly wraps, videos or messages. Several of these communications include case studies aimed at assisting staff in understanding what constitutes fraudulent behaviour and keeping the staff informed about legislative changes. For example, the CEO provided updates to staff on amendments to the National Vocational Education and Training Regulator Bill, explaining how the new powers will address quality and integrity issues in the VET sector. These updates also cover the Nixon review and government responses.⁴⁴

3.5 ASQA held an all-staff forum on 21 May 2024 to inform staff about the revised Commonwealth Fraud and Corruption Control Framework. The presentation highlighted new obligations for Commonwealth entities, such as adding corruption to all elements, implementing new regular review requirements, and embedding governance structures. The forum also covered the definitions of fraud and corruption, the role of the National Anti-Corruption Commission, and ASQA’s reporting process for fraud and corruption. The session concluded with a ‘Q&A’ segment to address staff questions.

3.6 ASQA has established internal preventative controls aligned to the risks identified in its Fraud Control Plan 2022–2024. ASQA does not classify its controls into preventative, detective or response controls. Table 3.2 below sets out the controls the ANAO identified as preventative and the list of all controls is at Appendix 3.

Table 3.2: ANAO analysis of ASQA’s fraud preventative controls

Source: ANAO analysis of ASQA’s Fraud Control Plan 2022–2024.

Regulatory fraud

3.7 Within ASQA’s regulatory environment, preventative controls include sector alerts and participation in the Fraud Fusion Taskforce led by the National Disability Insurance Agency (NDIA). ASQA advised the ANAO on 14 June 2024 that it had implemented preventative regulatory controls through the program of work undertaken by its Integrity Unit, which involves raising awareness through ‘sector alerts’ to the education sector and/or directly communicated to Commonwealth Register of Institutions and Courses for Overseas Students (CRICOS) providers.

Sector alerts

3.8 From May 2023 to April 2024 ASQA issued the following sector alerts.

• Unethical practices of third-party education agents and direct communication to CRICOS providers (11 May 2023) — ASQA emphasised ethical practices in delivering Australian VET qualifications to internal students, promoting the importance of compliance with ESOS Act and National Code Obligations. Subsequently, ASQA communicated directly with all CRICOS providers to restate its expectations and the actions taken to address concerns around provider practice, further reminding providers of their obligations under the Education Services for Overseas Students Act 2000 (ESOS Act) and National code.
• Bogus VET qualifications (9 June 2023) — ASQA highlighted the issue of fraudulent qualification documents, emphasising the legal ramifications under the NVETR Act and urging employers to verify qualifications before acceptance.
• Scam Warning (22 August 2023) — ASQA announced that the Australian Federal Police and Department of Home Affairs have raised awareness about a ‘virtual kidnapping’ scam affecting Chinese students.
• Concerning practices in the real estate sector (13 October 2023) — Issued to providers with specific real estate qualifications in its scope of registration. ASQA identified concerns over inadequate training and assessment practices in real estate qualifications, highlighting the need for RTOs to meet legal and licensing requirements.
• English Language Intensive Courses to Overseas Students (ELICOS): Multiple Confirmations of Enrolment (CoEs) and direct communication to ELICOS providers (17 October 2023) — ASQA alerted ELICOS providers about issuing multiple short CoEs for the same course, stressing compliance with the National Code of Practice for Providers of Education and Training to Overseas Students 2018⁴⁵ and English Language Intensive Courses for Overseas Students (ELICOS) Standards 2018⁴⁶ to ensure proper enrolment practices and student protection.
• Guilty verdict reinforces importance of transparency for third-party RTO agreements (2 April 2024) — ASQA responded to a conviction of Qualify Me! Pty Ltd for misleading practices in VET course advertising, emphasising the need for accurate representation in third-party agreements to protect student interests.

Social media alerts

3.9 ASQA issued the following social media posts in 2023:

• 24 May 2023 (Linkedin and X47) — ASQA identified fraudulent First Aid statements and Early Childhood Education and Care qualifications allegedly issued by Au Skills Training after March 2020, these documents are considered invalid, and individuals possessing them are encouraged to contact ASQA.
• 30 May 2023 (Facebook and Linkedin) — The Australian Government made a post to inform the public about counterfeit First Aid statements of attainment and Early Childhood Education and Care qualifications allegedly issued by Au Skills training after March 2020, requesting anyone in possession of such documents to contact ASQA. ASQA advised the ANAO on 11 July 2024 that it collaborated with the Australian Government social media team through the GovSocial network to share this alert, aiming to reach an audience beyond ASQA’s standard platforms.
• 9 June 2023 (LinkedIn and X) — ASQA issued an alert about bogus qualifications from Au Skills Training. The post emphasised the legal consequences of issuing fraudulent qualifications.
• 15 August 2023 (LinkedIn and X) — ASQA shared a scam alert from the Australian Federal Police and the Department of Home Affairs about a ‘virtual kidnapping’ scam targeting Chinese students, detailing how the scam operates and advising on protective measures.

3.10 Since its establishment in October 2023, ASQA has highlighted the VET tip-off line in its monthly edition of ‘ASQA IQ article’ which is published on its website.⁴⁸ The ASQA IQ article aims to encourage readers to report any practices or behaviours that compromise the integrity of the VET sector. An ‘ASQA Update’, issued in January 2024, elaborated on ASQA’s mechanisms in safeguarding student welfare and VET quality, which included references to the VET tip-off line and Operation Inglenook, further discussed in paragraphs 4.6 to 4.9.

Fraud Fusion Taskforce

3.11 ASQA includes its participation in the Fraud Fusion Taskforce⁴⁹ as a preventative measure. In April 2024, ASQA commenced participation in the Fraud Fusion Taskforce which is a partnership between the National Disability Insurance Agency and Services Australia, and other government agencies. The taskforce aims to improve how government agencies work together to detect and prevent fraud and serious organised crime.

Controls testing

3.12 ASQA does not categorise controls into preventative and detective controls within its Fraud Control Plan 2022–2024. ASQA has undertaken limited testing for two internal fraud controls contained within its Fraud Control Plan. There has been no testing to establish the effectiveness of regulatory fraud controls.

Fraud risk considered within ASQA’s activities

3.13 In planning and conducting its regulatory activities, ASQA primarily considers fraud risk as part of overall regulatory risk. Risk assessments inform its outreach mechanisms to the sector about regulatory issues including fraud. Outreach mechanisms are delivered through sector alerts, mentioned in paragraph 3.8, which are part of ASQA’s education and awareness initiatives aimed at promoting a culture of integrity.

Documented instructions to prevent, detect and deal with fraud

3.14 ASQA’s Fraud Control Policy 2013 outlines ASQA’s approach to fraud prevention, detection and response. As discussed in paragraphs 2.9 to 2.10 and 2.43, ASQA’s Fraud Control Plan 2022–2024 has outlined the roles and responsibilities of officials involved in internal fraud-related activities and includes documentation of identified risks with corresponding treatments and controls. While the controls are not categorised within the plan, it includes preventative measures for key risks, such as segregation of duties. Additionally, the plan features detective measures including a flowchart procedure for reporting suspected fraud.

3.15 As mentioned in paragraph 2.42, ASQA’s approach to regulatory fraud control is not contained within its fraud control plan. ASQA does not have a regulatory fraud control plan, and there is no documented plan to test the effectiveness of controls within its regulatory functions.

3.16 ASQA advised the ANAO on 17 July 2024 that ASQA’s market entry, registration management and internal review instructions ‘are all relevant to the methodology utilised to assist ASQA staff to prevent, detect and deal with fraud’. These documents provide details on identification of fraud. They do not refer to ASQA’s regulatory risk framework or regulatory model.

Mitigating the risk of identity fraud

Internal identity fraud

3.17 ASQA has policies that detail how it manages the risk of internal identity fraud. These policies cover security of personnel, information technology systems and security governance. Fraud mitigation actions include:

• requiring staff to wear an identity card and swipe the card to enter the office;
• pre-employment checks of potential employees;
• requiring staff members to have a security clearance commensurate to their role;
• requiring staff to take part in annual security awareness training; and
• cyber safety information for staff including awareness of phishing and password safety.

Regulatory identity fraud

3.18 ASQA has a published guide for registered training organisations that details the evidence required for ASQA to establish the identity of an applicant (potential VET provider). ASQA’s mechanisms to verify the identity of the RTOs and individuals include:

• validity checks of details on the initial registration application including the Australian Business Number and Australian Company Number, or for sole traders’ proof of identity documents; and
• ‘Fit and Proper Person’ declarations for CEOs and higher managerial agents which act as a legally binding documents similar to a statutory document.

3.19 A primary mechanism ASQA uses to manage identity fraud within its regulatory environment is a Fit and Proper Person declaration. This declaration is a mandatory requirement for some managerial positions including CEOs or directors of RTOs, and ASQA can also request other positions within entities to complete the declaration. These declarations provide ASQA with information to cross check a person’s identity against:

• compliance with the law including criminal history;
• management history;
• financial records; and
• previous conduct and involvements in registered training organisations.

3.20 These checks are also used by the intelligence team within ASQA, which can identify and share concerns regarding market entry applicants, allowing ASQA’s market entry team to confirm the identity and eligibility of applicants to enter into the sector.

Are appropriate mechanisms in place to promote fraud awareness and a culture of integrity?

3.21 Table 3.2 presents an assessment against ASQA’s approach to applying the Commonwealth’s 2017 Fraud Rule and Fraud Guidance in relation to fraud awareness and developing a culture of integrity.

Table 3.3: Assessment against the Fraud Framework — Fraud awareness in ASQA

Key: ◆ Fully compliant ▲ Partly compliant ■ Not compliant.

Note: The Fraud Rule is mandatory for all NCCEs and the Fraud Guidance is better practice for NCCEs (see Table 1.2).

Source: ANAO analysis of ASQA documentation.

Fraud awareness

3.22 The Fraud Rule requires the accountable authority to ensure that officials in the entity are made aware of what constitutes fraud. ASQA’s Fraud Control Plan 2022–2024 includes a definition of fraud that aligns with Section 4.2 of the Department of Finance’s Resource Management Guide 201, on preventing, detecting and dealing with fraud.⁵⁰

Fraud and integrity training

3.23 ASQA staff are provided with training resources, including e-learning modules and participation opportunities, aimed at improving capability to detect and identify corruption within the agency. All ASQA internal staff are required to complete the APS Essential — Fraud Awareness unit as part of its induction process, and a refresher unit is required to be completed on an annual basis. As at April 2024, ASQA recorded a completion rate of its fraud awareness training of 84 per cent.

3.24 ASQA’s six senior executives attended an integrity masterclass session in April 2024 conducted by Department of Employment and Workplace Relations (DEWR). The integrity masterclass sessions included two self-paced modules undertaken prior to the face-to-face sessions, and materials were provided to participants online.

Monitoring and evaluation of fraud awareness initiatives

3.25 ASQA has developed a monitoring and evaluation process for communication within its regulatory environment, which is conducted by ORIMA Research. The process includes a survey to collect feedback from course owners and RTOs about interactions with ASQA during 2022–23 and 2023–24. The survey provides data on stakeholder’s experience with ASQA through the lens of ASQA’s Key Performance Indicators (KPIs) which is in line with its Corporate Plan. For the survey conducted in 2023–24, the response rate from stakeholders was 39 per cent. The survey includes questions regarding risks and ASQA’s communication of these risks to providers.

3.26 The 2023–24 survey notes that ASQA’s performance was consistent to the ratings recorded in the 2021–22 survey, there were slight declines when compared to 2022–23. The 2023–24 survey reported that 93 per cent of providers were undertaking monitoring and evaluation activities as part of self-assurance.⁵¹ ASQA has not used the survey data to inform its activities. The survey does not provide specific data on the operational controls that ASQA implements for fraud control.

Outreach programs

3.27 ASQA informs the VET sector on fraud through education and awareness to promote integrity in the sector.

• On 22 August 2023, ASQA conducted a provider roundtable for consultation with peak bodies in the sector.
• ASQA implemented a stakeholder liaison group in July 2020 which included subgroups aligned to the regulatory risk priorities. The purpose of this group is to engage with providers and other key stakeholders on ASQA’s approach to engagement and education, and to identify and respond to key issues facing providers.
• ASQA provides sector alerts to its stakeholders on matters including scam warnings, concerning practices in the real estate sector and English Language Intensive Courses to Overseas Students (ELICOS).

Has appropriate training been provided to ASQA officials with fraud control responsibilities?

3.28 Table 3.4 presents an assessment against ASQA’s approach to applying the Commonwealth’s 2017 Fraud Policy and Fraud Guidance in relation to training and qualifications for officials with fraud control responsibilities.

Table 3.4: Assessment against the Fraud Framework — Fraud training

Key: ◆ Fully compliant ▲ Partly compliant ■ Not compliant.

Note: The Fraud Policy is mandatory for all NCCEs and the Fraud Guidance is better practice for NCCEs (see Table 1.2).

Source: ANAO analysis of ASQA documentation.

Fraud control officials’ qualifications

3.29 The Fraud Policy requires officials primarily engaged in fraud control activities possess or attain relevant qualifications or training to effectively carry out their duties. Paragraph 56 of the Fraud Guidance provides that ‘relevant training can include a Certificate IV in Government (Fraud Control) or equivalent qualification for officials implementing fraud control, or a Diploma of Government (Fraud Control) or equivalent qualification for officials managing fraud control.’

3.30 ASQA has one staff member with the qualification of Diploma in Government (Fraud Control Investigation) and one staff member has the qualification of Cert IV in Government (Fraud Control).

3.31 The Fraud Policy requires fraud investigations to be carried out by appropriately qualified investigators. The Australian Government Investigations Standards (AGIS) 2022 require that for investigations within the Australian Government ‘a vocational and educational training (VET) qualification must be obtained, unless another qualification or internal training is determined as equivalent’.⁵² Australian recognised qualifications are: Certificate IV in Government Investigations; Diploma of Government Investigations; and Advanced Diploma of Government Investigations.⁵³ The AGIS identifies the Certificate IV as the foundational qualification and the Diploma as the supervisory qualification.⁵⁴ The AGIS requires that ‘entities must ensure foundational qualifications (or equivalency) are obtained prior to supervisory qualifications’.⁵⁵

3.32 A total of 20 ASQA staff have the qualification of Certificate IV in Government (Investigation) and four staff have the qualification of Diploma in Government (Investigation).

3.33 ASQA advised the ANAO on 23 August 2024 that the average staffing level for 2023–24 is 213. The integrity unit consists of a total of 26 personnel, including eight team members from the Investigations and Enforcement team, who are qualified and directly responsible for undertaking investigations.

Professional development relating to fraud control

3.34 The Fraud Guidance outlines the importance for entities ensuring ‘officials engaged in fraud control have ongoing professional development to further develop their expertise and ensure their skills remain current’.

3.35 ASQA employees involved with fraud responsibilities are required to complete annual mandatory training to assist with ongoing development in relation to fraud. In addition, ASQA advised the ANAO on 22 May 2024 that it has scheduled its new staff to attend investigator training conducted by Commonwealth Director of Public Prosecutions and is providing a refresher for more experienced investigators to attend the training. ASQA further advised the ANAO on 11 July 2024 of the topics covered, dates and the number of ASQA staff who attended the training:

• Statement of facts (13 May 2024) — three staff attended;
• Disclosure (29 May 2024) — four staff attended; and
• What to expect at court (12 June 2024) — four staff attended.

4.1 The 2017 Commonwealth Fraud Control Framework requires entities to have appropriate mechanisms for detecting, investigating, recording and reporting incidents of fraud or suspected fraud.⁵⁶

Have appropriate mechanisms been established to detect fraud?

4.2 Table 4.1 presents an assessment of ASQA’s detective controls against the 2017 Fraud Rule and Guidance in relation to fraud detection.

Table 4.1: Assessment against the Fraud Framework — Fraud detection

Key: ◆ Fully compliant ▲ Partly compliant ■ Not compliant.

Note: The Fraud Rule is mandatory for all non-corporate Commonwealth entities (NCCEs), and the Fraud Guidance is better practice for NCCEs (see Table 1.2).

Source: ANAO analysis of Australian Skills Quality Agency documentation.

Appropriateness and effectiveness of detective controls

4.3 ASQA’s Fraud Control Plan 2022–2024 addresses internal fraud detection. The plan includes a process for ASQA staff to report fraud. This process directs that the staff member who observes potential fraud or corruption, or identifies a corruption risk, reports this to the Chief Financial Officer (CFO) or the Director of Risk, Assurance and Compliance (the director). The CFO or director is required to add this risk to ASQA’s register and potentially escalate the report to the Chief Executive Officer (CEO). The ANAO did not see any evidence of this process operating in practice.

4.4 ASQA’s Integrity Unit is primarily responsible for fraud detection within ASQA’s regulatory environment. Figure 4.1 illustrates the placement within ASQA’s organisational structure of the Integrity Unit.

Figure 4.1: Integrity unit within ASQA’s regulatory functions

Source: ASQA Organisation Chart 2023.

4.5 ASQA has established controls to detect fraud within the regulatory environment. These controls include:

• tip-offs;
• market entry monitoring; and
• intelligence and data sharing.

Tip-offs

4.6 Introduced in October 2023, ASQA’s tip-off line established a reporting channel for current and former students, staff and other potential whistleblowers to anonymously report illegal and serious non-compliance activity within the VET sector.

Table 4.2: Tip-offs received by ASQA since October 2023

Note a: This is the year to date from October 2023 to May 2024.

Source: ASQA Integrity Program Dashboard Fast Facts.

4.7 From October 2023 to May 2024, ASQA received a total of 1,864 tip-offs, which includes 321 tip-offs received for May 2024. ASQA advised the ANAO that there are ‘one to two new tip-offs being received per day’.

4.8 Of the tip-offs received to October 2023, 61 per cent were identified by ASQA as requiring a detailed intelligence assessment, with 29 per cent of those tip-offs assessed leading to new compliance or investigation activities.

4.9 ASQA investigates these tip-offs utilising several approaches including: assessing the tip-off for risk; open-source intelligence triangulation; scan of internal systems; and history checks of the provider. The ANAO was advised by ASQA on 30 April 2024 that this assessment process takes approximately three to four hours per tip-off. Case study 1 demonstrates how ASQA utilised a tip-off to detect and respond to fraud.

Note a: ASQA defines ‘ghost colleges’ as entities that offer qualifications with no instruction or assessment (also known as diploma mills). https://asqaconnect.asqa.gov.au/Article/GetKnowledgeBaseArticleById?ArticleId=0219c4af-6ac6-4a70-b21a-bd5f6d669697&ParentCategoryId=202106e7-6a62-ee11-99ac-0050568f4aba [accessed 30 June 2024].

4.10 As at June 2024, ASQA had not reviewed the effectiveness of the tip-off line as a control.

Market entry monitoring

4.11 ASQA’s Market Entry, Skills and Accreditation team identifies and escalates potential fraud within in ASQA’s regulatory environment. The team functions as a ‘gatekeeper’ to the VET sector, that aims to prevent non-genuine providers from entering the market. Applications are assessed using:

• pre-assessment checks;
• financial viability assessments;
• assessment of business plans;
• fit and proper person checks; and
• accounting certificates.

4.12 The assessment of financial viability in the renewal of applications allows ASQA to identify potential fraudulent conduct of providers who change the scope of their registration to avoid scrutiny of training and assessment practice.

4.13 ASQA has a case conferencing model (operating within the Integrity Unit)⁵⁷, where information may be shared. ASQA’s Market Entry, Skills and Accreditation team shared information on applications of concern with ASQA’s Integrity Unit to achieve an integrated approach to intelligence.

Intelligence and data sharing

4.14 ASQA holds data sharing agreements and memoranda of understanding with other Commonwealth agencies as well as international agencies. Examples of these include with the VET Student Loans Ombudsman and the New Zealand Qualifications Authority. These instruments set out, under relevant legislation, the information and data to be shared between agencies, and it aims to contribute to ASQA detecting cases of fraud.

4.15 As set out in paragraph 3.11, ASQA recently became a member of the National Disability Insurance Agency’s Fraud Fusion Taskforce in April 2024. This taskforce is a partnership between various government agencies to support the detection, resolution and prevention of fraud and serious organised crime.

4.16 ASQA has established mechanisms to share information with other Commonwealth agencies. Its effectiveness in sharing information internally has been limited. The Market Entry, Skills and Accreditation team and the Market Performance and Engagement team report to the Deputy CEO. ASQA’s sharing of information in relation to potential fraud is reliant on teams sharing data between each other and there is no documented process to support this occurring on a regular or as-needed basis.

Reporting processes for suspected fraud

4.17 ASQA’s draft Fraud and Corruption Control Policy Plan 2024–26 includes a reporting process chart that sets out how staff can report potential fraud or corruption within ASQA’s reporting channels. The plan encourages staff to report potential fraud or corruption or fraud or corruption risk, to the CFO or the Director of Reporting, Assurance and Evaluation. It also notes that ‘any ASQA official can report Serious or Systemic corruption to the NACC at any time’. Figure 4.2 below illustrates the process.

Figure 4.2: ASQA Fraud and Corruption Reporting flowchart

Source: ASQA Fraud and Corruption Control Policy and Plan 2024–26.

4.18 While encouraging staff to report fraud and corruption, there is no further detail within the draft Fraud and Corruption Control Policy and Plan 2024–2026 or in any supporting procedural guidance, on how this process would work in practice. The flowchart requires that the CEO report to the National Anti-Corruption Commission (NACC) where ‘required under Section 33 of the National Anti-Corruption Commission Act 2022 to report serious and systemic corruption’.

4.19 ASQA does not have a specific reporting channel for employees to anonymously report suspected fraud within the entity. ASQA staff could use the tip-off line for this purpose as it is not restricted to any particular audience.

Other measures to detect fraud

4.21 Internally, fraud risks have been identified in ASQA’s Fraud Control Plan 2022–2024. These risks have not been updated since 2021. The current Fraud Control Plan 2022–2024 and the updated draft Fraud and Corruption Control Policy and Plan 2024–26 (discussed in paragraph 4.3) do not provide specific processes or methodologies for how the controls would be reviewed in line with the update to the fraud plans every two years.

4.22 Within its regulatory environment, ASQA advised the ANAO on 3 May 2024 that it has a case conferencing model as an approach to monitor and evaluate detection controls. This involves a meeting between the: Integrity Unit; People and Capability; Market entry; Skills and Accreditation; and Corporate and Enabling teams as discussed in paragraph 4.16.

4.23 ASQA has identified risk themes through its environmental scans, reflected in its regulatory risk framework. Some detective controls have been monitored periodically through advisory bodies such as the National Vocational Education and Training Regulator (NVETR) Advisory Council, including discussion and review of ASQA’s environmental scan process and outputs. There is no documented or consistent process for monitoring and evaluating the effectiveness detective controls.

Have appropriate mechanisms been established to investigate and respond to fraud?

4.26 Table 4.3 sets out an assessment of ASQA’s fraud investigation procedures and policies against the Commonwealth Fraud Policy in relation to investigating and responding to fraud.

Table 4.3: Assessment against the Fraud Framework — ASQA’s fraud investigation and response

Key: ◆ Fully compliant ▲ Partly compliant ■ Not compliant.

Note: The Fraud Policy is mandatory for NCCEs (see Table 1.2).

Source: ANAO analysis of Australian Skills Quality Authority documentation.

Documented procedures for fraud incidents

4.27 ASQA has an investigation capability within its Integrity Unit, established in October 2023. ASQA advised the ANAO on 30 April 2024 that its investigation team was increasing from six to 18 staff to manage investigations and caseloads within ASQA.

4.28 ASQA has internal procedures and guidelines on how an investigation proceeds within ASQA which are detailed in Table 4.4.

Table 4.4: ASQA investigations guidance

Source: ASQA internal investigation documents.

4.29 ASQA has guidance to assist staff to use the internal case management system (iCMS). These guidance documents provide a consistent process for actions such as recording of case notes, investigation plans and infringement notices.

Documented decisions for responses to fraud

4.30 Potential fraud identified through tip-offs or other detection methods is assessed by ASQA’s Integrity Unit to determine the legitimacy of the matter and whether an investigation was required. ASQA’s iCMS allows for critical decisions, documents and evidence to be recorded, meaning that there is a mechanism to allow clear record of all decision-making in relation to an investigation.

4.31 ASQA reports on the response mechanisms it has used across non-compliance, of which fraud is included. This includes noting decisions that have proceeded through civil bodies⁵⁸ where results are summarised and provided to relevant teams to learn from decisions and identify gaps in cases.

Investigating suspected fraud

4.32 ASQA advised the ANAO on 9 May 2024 that it is currently managing over 150 serious matters, including with other law enforcement partners in order to prevent, detect, deter and disrupt fraud and serious crime. Of these 150 matters, approximately 50 per cent related to alleged fraud including bogus qualifications, cash for qualifications⁵⁹, fabrication of assessments and evidence and ghost colleges. There is no evidence of key performance indicators specific to its investigation capability to measure its effectiveness and ability to respond potential instances of fraud.

Referrals of serious and complex fraud

4.33 ASQA advised the ANAO on 9 May 2024 that its investigation team has referred incidents of serious and complex fraud to the Australian Federal Police (AFP) and the Commonwealth Director of Public Prosecutions (CDPP). ASQA engages with the AFP on regulatory enforcement and the CDPP in investigations-based training. On 1 July 2024, ASQA advised the ANAO that it refers serious fraud matters to the AFP and CDPP, and did not provide evidence to the ANAO to support this statement. On 14 August 2024 ASQA provided evidence of two referrals to the CDPP which were created on 9 August 2024. Evidence was also provided regarding a potential fraud matter discussed with the AFP during 2023–24.

4.34 ASQA has also referred matters to the National Disability Insurance Agency, Australian Crime and Intelligence Commission and the Australian Transaction Reports and Analysis Centre.

Measures to recover financial losses from fraud

4.35 ASQA has a ‘cost recovery implementation statement’ and as of 1 July 2022, ASQA operates as a full cost recovery agency. ASQA charges fees to registered providers⁶⁰ and Education Services for Overseas Students registered providers for:

• initial registration application;
• initial registration assessment;
• renewal of registration application;
• change of scope application; and
• performance monitoring charges.

4.36 The Cost Recovery Impact Statement (CRIS)⁶¹ published by ASQA⁶² details how it applies cost recovery in its fees and charges for its regulatory activities. This includes estimating ASQA’s regulatory costs before the beginning of each financial year based on best practice, and notes that this is independently assured. ASQA advised the ANAO on 1 July 2024 that it does not have the legislative powers to recover benefits from a registered training provider who has received financial benefits from misrepresentation or fraud.

4.37 Under section 137 of the NVR Act, ASQA can apply to the Federal Court of Australia or Federal Circuit Court on behalf of the Commonwealth to seek a pecuniary penalty. The benefit received by fraudulent behaviour is considered a factor in civil proceedings when determining a pecuniary penalty, however this does not include any provision for reparations.

Have appropriate mechanisms been established to record and report fraud?

4.38 Table 4.5 presents an assessment of ASQA’s fraud reporting processes against the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and the Fraud Policy in relation to recording and reporting fraud.

Table 4.5: Assessment against the Fraud Framework — Fraud reporting by ASQA

Key: ◆ Fully compliant ▲ Partly compliant ■ Not compliant.

Note: The Fraud Policy is mandatory for NCCEs (see Table 1.2).

Source: ANAO analysis of ASQA documentation.

Annual reporting requirements

4.39 ASQA’s Accountable Authority (Chief Executive Officer) stated in ASQA’s 2022–2023 annual report that:

I certify that I am satisfied that ASQA has prepared fraud risk assessments and fraud control plans, has in place appropriate fraud prevention, detection, investigation, reporting and data collection procedures and processes to meet ASQA’s specific needs, and has taken all reasonable measures to minimise the incidence of fraud, and to investigate and recover any processes of fraud against the agency.

4.40 Paragraph 3.12 identified that ASQA does not undertake controls testing within its regulatory environment. Controls testing would provide a level of assurance that ASQA’s regulatory fraud controls are effective. There is no evidence that supports the validity of the CEO’s statement in the annual report.

Reporting incidents of fraud to relevant ministers

4.41 Section 19 of the PGPA Act requires the accountable authority of a Commonwealth entity to keep the responsible minister informed of significant issues that may or has affected the entity or any of its subsidiaries. Supported by the Department of Finance’s Resource Management Guide 214, a significant issue includes significant non-compliance with the finance law. What constitutes significant non-compliance is a matter for the accountable authority to determine.

4.42 ASQA advised the ANAO on 1 July 2024 that it had not provided any briefings to the minister on fraud or serious non-compliance with the finance law as ‘to the best of our knowledge there hasn’t been any non-compliance that satisfies these criteria’. ASQA advised the minister on 28 May 2024 on the volume of tip-offs received since the establishment of the tip-off line, and updates on ASQA’s Integrity Unit caseload, which deals with alleged non-compliance cases.

Disclosure of potential criminal activity to other entities

4.43 ASQA has established channels with other Australian Government agencies to share information and data, including its recent membership with the Fraud Fusion Taskforce. These channels allow ASQA to notify other agencies of potential fraud occurring with providers, or persons of interest, and allow them to appropriately respond to the potential fraud.

Procedures to collect and manage information about fraud

4.44 ASQA has mechanisms to collect information about potential fraud. This includes the tip-off line from October 2023 which is managed by ASQA’s intelligence team, with tip-off information managed in spreadsheets. ASQA’s environmental scan process also involves consultation with various stakeholder groups to collect data regarding matters of integrity. As mentioned in paragraphs 4.14 to 4.16, ASQA also relies on intelligence shared from external agencies as a primary mechanism to identify and receive information about fraud. Through these mechanisms, ASQA gathers insights regarding fraud from numerous sources, which primarily feeds through to ASQA’s Integrity Unit.

Reporting to the Australian Institute of Criminology

4.45 Section 14 of the Fraud Policy states that Australian Government entities must provide information to the Australian Institute of Criminology (AIC) by 30 September each year to support the Fraud Against the Commonwealth census (fraud census).⁶³ The AIC advised the ANAO in June 2024 that with the agreement of the Attorney-General’s Department, this date was amended to the end of October and that extensions can be requested.

4.46 ASQA was unable to provide evidence to the ANAO if it had complied with its reporting requirements to the AIC. The ANAO confirmed with the AIC that ASQA had provided the required information on 28 October 2022 and 27 October 2023.

5.1 From 1 July 2024, non-corporate Commonwealth entities must adhere to the revised Commonwealth Fraud and Corruption Policy. Effective planning and preparation will help ensure that entities are compliant with the revised policy.

Does ASQA have a fit-for-purpose implementation plan?

5.2 Implementation planning should be a consideration for entities when addressing the new requirements of the 2024 Fraud and Corruption Control Framework. This includes consideration of:

• change management in an entity’s activities, controls and controls testing to incorporate corruption;
• training updates to include corruption modules to assist staff to identify potential corruption and the processes to report behaviour; and
• communication requirements, for example, organisation-wide announcements, intranet resources etc.

5.3 In line with the transition to the Commonwealth Fraud and Corruption Control Framework 2024, ASQA has developed a draft Fraud and Corruption Control Policy and Plan 2024–2026. Minimal changes have been made from the current 2022–2024 plan, with changes focused on including the word ‘corruption’ in addition to ‘fraud’ throughout the document.

• The Plan includes the updated Public Governance, Performance and Accountability Rule requirements for Accountable Authorities incorporating corruption control requirements.
• The Plan includes the definition of corruption contained in the Commonwealth Fraud and Corruption Control Framework 2024.
• The Plan includes references to the National Anti-Corruption Commission.

5.4 The draft Fraud and Corruption Control Plan 2024–2026 does not address ASQA’s regulatory fraud environment.

5.5 The draft policy is undergoing review and approval processes by the Chief Executive Officer (CEO) for finalisation. ASQA also noted in the minutes for the Regulation and Resources Committee in March 2024, that ‘a final draft of the ASQA Fraud and Corruption Control Policy and Plan 2024–26 be circulated for endorsement to the committee once all Rules have been received and incorporated’. As of July 2024, this had not yet occurred.

5.6 In July 2023, ASQA’s Resources Committee identified the upcoming changes to the Commonwealth Fraud and Corruption Control framework and the requirements on ASQA to establish and maintain a system of fraud and corruption control. This included a list of documents noted by ASQA as being ‘required to be in place by July 2024’.

Table 5.1: Comparison of the requirements of the new Fraud and Corruption Rule identified in July 2023 by ASQA and ASQA’s current work

Source: ANAO analysis.

5.7 While ASQA has identified some changes required for the introduction of the Commonwealth Fraud and Corruption Control Framework 2024, ASQA has not developed an implementation plan for the updated Commonwealth Fraud and Corruption Control Policy.

5.8 The draft ASQA Fraud and Corruption Control Policy and Plan 2024–2026 states that serious and systemic corruption are investigated by the National Anti-Corruption Commission based on complaints provided. Apart from a flowchart that details the process for reporting fraud or corruption within ASQA (see Figure 4.2), ASQA has not developed processes or procedures for administering corruption complaints or the referral process to the National Anti-Corruption Commission.

Is there a plan to evaluate implementation of new or revised fraud and corruption controls?

5.9 ASQA has implemented an additional control to address the new Fraud and Corruption Control Framework — corruption training for ASQA staff. There is no plan to evaluate the effectiveness of the new and revised controls

5.10 The draft Fraud and Corruption Control Policy and Plan 2024–2026 was updated on 1 March 2024 to reflect the corruption element changes. It identifies designated contacts for corruption — the Chief Financial Officer or the Director of Reporting, Assurance, and Evaluation. It also includes a fraud and corruption reporting process. ASQA’s control testing regime does not include an evaluation plan on the effectiveness of its updated control.

Appendix 1 Entity response

Appendix 2 Improvements observed by the ANAO

1. The existence of independent external audit, and the accompanying potential for scrutiny improves performance. Improvements in administrative and management practices usually occur: in anticipation of ANAO audit activity; during an audit engagement; as interim findings are made; and/or after the audit has been completed and formal findings are communicated.

2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts. The ANAO’s corporate plan states that the ANAO’s annual performance statements will provide a narrative that will consider, amongst other matters, analysis of key improvements made by entities during a performance audit process based on information included in tabled performance audit reports.

3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:

• strengthening governance arrangements;
• introducing or revising policies, strategies, guidelines or administrative processes; and
• initiating reviews or investigations.

4. During the course of the audit, the below actions were observed by the ANAO during the course of the audit. It is not clear whether these actions and/or the timing of these actions were planned in response to proposed or actual audit activity. The ANAO has not sought to obtain assurance over the source of these actions or whether they have been appropriately implemented.

• As discussed in paragraph 5.3, ASQA has updated its fraud control plan by adding ‘corruption’ to the draft Fraud and Corruption Control Policy and Plan.
• Chapter 5 of the audit report sets out how ASQA has prepared for the new Fraud and Corruption Rule that came into effect on 1 July 2024.

Appendix 3 Fraud risks in ASQA’s Fraud Control Plan 2022–2024

Source: ASQA Fraud Control Plan 2022–24 page 16–18.