Audit snapshot

Why did we do this audit?

  • Fraud and corruption undermine the integrity of and public trust in government, including by reducing funds available for government program delivery and causing financial and reputational damage to defrauded entities.
  • All Commonwealth entities are required to have fraud control arrangements in place to prevent, detect and respond to fraud. As a non-corporate Commonwealth entity, the Department of Health and Aged Care (the department) is obliged to meet the requirements of the Commonwealth Fraud Rule and Policy.

Key facts

  • In 2022–23, fraud tip-offs to the department increased by approximately 27.1 per cent compared to 2021–22 and 73.2 per cent compared to 2020–21. The increase was largely attributed to a rise in aged care fraud allegations. In 2023–24, 30 per cent of all tip-offs were related to aged care.
  • As at June 2024, the department had 45 fraud investigators and 17 staff undertaking other fraud control work such as assessments and triage of tip-offs.

What did we find?

  • The department had partly effective fraud control arrangements in 2022–23 and 2023–24. The department undertook an organisational change process in 2023–24 that has the potential to improve governance and controls.
  • In 2022–23 and 2023–24, the management and oversight of fraud risks was partly appropriate.
  • Mechanisms to prevent fraud and promote a culture of integrity were largely appropriate.
  • Mechanisms to detect and respond to fraud were partly appropriate.
  • The department’s planning for the new 2024 Commonwealth Fraud and Corruption Control Framework was appropriate.

What did we recommend?

  • There were five recommendations to the department to assess fraud risks for higher risk programs; consider fraud risks in the internal audit program; test fraud controls; ensure fraud control officials attain relevant qualifications; and quantify estimated losses to fraud for all departmental programs.
  • The department agreed to all five recommendations.

  • 1,054: number of fraud tip-offs received in 2023–24.
  • 133: number of fraud investigations underway as at 30 June 2024.
  • 6: number of successful criminal prosecutions in 2023–24.

Summary and recommendations

Background

1. Fraud against Australian Government entities and corrupt conduct by Australian Government officials are serious matters that can constitute criminal offences. Fraud and corruption undermine the integrity of and public trust in government, including by reducing funds available for government program delivery and causing financial and reputational damage to defrauded entities.1

2. The Australian Government defines fraud as:

Dishonestly obtaining (including attempting to obtain) a gain or benefit, or causing a loss or risk of loss, by deception or other means.2

3. Fraud against the Australian Government can be committed by government officials or contractors (internal fraud) or by parties such as clients of government services, service providers, grant recipients, other members of the public or organised criminal groups (external fraud).3 The Australian Government’s requirements for fraud control apply to both internal and external fraud risks. The 2024 Commonwealth Fraud and Corruption Control Framework states that:

Fraud and corruption are risks that can undermine the objectives of every Australian Government entity in all areas of their business, including delivery of services and programs, policy-making, regulation, taxation, procurement, grants and internal procedures.4

4. This audit examines fraud control arrangements in the Department of Health and Aged Care (the department), using the Indigenous Australians’ Health Programme as a case study of how the arrangements are applied.

Rationale for undertaking the audit

5. Fraud against Australian Government entities reduces available funds for public goods and services and causes financial and reputational damage to the Australian Government.5 All Commonwealth entities are required to have fraud control arrangements in place to prevent, detect and respond to fraud. From 1 July 2024, this requirement also extends to corruption.

6. The Indigenous Australians’ Health Programme was selected as a case study to assess the department’s fraud control arrangements, due to the program’s size, variety of funded activities, and the opportunity it presented to assess the department’s fraud control arrangements as they related to grants administration. The Indigenous Australians’ Health Programme is the department’s main overarching Aboriginal and Torres Strait Islander health program.6 The program funds initiatives to increase access to health care and improve the health of Aboriginal and Torres Strait Islander people, and represents the Australian Government’s largest direct expenditure on Indigenous primary healthcare.7

Audit objective and criteria

7. The objective of the audit was to assess the effectiveness of the Department of Health and Aged Care’s fraud control arrangements, with a specific focus on the Indigenous Australians’ Health Programme.

8. To form a conclusion against this objective, the following high-level criteria were adopted.

  • Have appropriate arrangements been established to oversee and manage fraud risks?
  • Have appropriate mechanisms been established to prevent fraud, and promote a culture of integrity?
  • Have appropriate mechanisms been established to detect and respond to fraud?
  • Has the department appropriately prepared for the commencement of the revised Commonwealth Fraud and Corruption Control policy in July 2024?

Conclusion

9. The department had partly effective fraud control arrangements in 2022–23 and 2023–24. Key deficiencies included the lack of a current fraud risk assessment at the enterprise level, fraud risk assessments for departmental programs, and recent testing of fraud control effectiveness. The department undertook an organisational change process in 2023–24 that has the potential to improve its fraud governance and controls. Planning for the commencement of the 2024 Commonwealth Fraud and Corruption Control Framework was appropriate.

10. The department established partly appropriate arrangements to manage and oversee fraud risks in 2022–23 and 2023–24. There were appropriate governance and oversight arrangements for fraud control, except that consideration of fraud risks was limited to one of 39 internal audits conducted in the period. There was a largely appropriate fraud control policy framework. Fraud risks were assessed at the enterprise level. These risks were not consistently assessed at the divisional or program level (including for the Indigenous Australians’ Health Programme). Enterprise level fraud risks were not reviewed regularly. There was a fraud control plan, which was not supported by a current fraud risk assessment, regular review, or testing of fraud control effectiveness.

11. The department’s mechanisms to prevent fraud and to promote a culture of integrity were largely appropriate. The department established preventative controls for fraud. The effectiveness of preventative controls was not tested in accordance with the department’s fraud control plan. The department established largely appropriate mechanisms to promote internal and external fraud awareness. Not all fraud control officials and investigators attained the required minimum vocational qualifications.

12. The department’s mechanisms to detect and respond to fraud were partly appropriate. Planned testing of the effectiveness of detective controls in 2022–23 and 2023–24 was incomplete. Detective controls were primarily reactive in the form of referrals and tip-offs. As at June 2024 the department was putting in place measures to increase its use of proactive detective controls such as data analytics. Mechanisms to investigate and respond to fraud, including policies and procedures, were developing as part of an organisational change process. In 2022–23 and 2023–24, the department took ‘no further action’ on all closed fraud referrals and tip-offs relating to the Indigenous Australians’ Health Programme. Recorded decision-making in relation to these matters did not fully comply with investigations procedures. The department established largely appropriate mechanisms to record and report fraud.

13. Planning for the commencement of the 2024 Commonwealth Fraud and Corruption Framework was appropriate. There was a fit-for-purpose implementation plan. Although the department was not fully prepared in accordance with its implementation plan on 1 July 2024, most elements were completed or in progress. In early July 2024 the department established a framework to support the periodic testing of fraud controls.

Supporting findings

Oversight and management of fraud risks

14. Roles and responsibilities for fraud control were assigned; there were committees with fraud oversight; and the accountable authority was kept informed. There was organisational change in 2023–24 with regard to line management arrangements. As at June 2024 roles and responsibilities were evolving and fraud control policies needed to be updated to reflect this. (See paragraphs 2.2 to 2.16)

15. The department identified and assessed fraud risks at the enterprise level. This had not been reviewed in accordance with 2017 Commonwealth guidance (which suggested, as better practice, a review at least every two years). Fraud risks were not consistently considered as part of divisional and business planning. For 2024–25 divisional planning, the department introduced a requirement that division heads certify that they have considered fraud and corruption risks in developing their divisional plans. Fraud risks for Indigenous Australians’ Health Programme grant programs were not consistently assessed at the design stage. One of 39 internal audits completed in 2022–23 and 2023–24 considered fraud. (See paragraphs 2.17 to 2.36)

16. The department had a fraud control plan, which was not informed by a current fraud risk assessment. The fraud control plan was not regularly reviewed. As at May 2024, 32 per cent of fraud control owners identified in the enterprise fraud and corruption risk register had left the department. Fraud control activities outlined in the fraud control plans were not fully implemented. The department tested the effectiveness of controls when developing its enterprise fraud and corruption risk assessment in 2022. Six-monthly testing of the effectiveness of controls (as required under the fraud control plan) was not done. The department finalised a mechanism for regular, ongoing controls testing in July 2024. (See paragraphs 2.39 to 2.51)

Fraud prevention and integrity culture

17. The department established preventative controls for fraud risks, including instructions and procedures to assist officials to prevent, detect and deal with fraud. Mechanisms to ensure fraud risk is considered in planning and conducting entity activities were inconsistently implemented. The department tested the effectiveness of its preventative controls for enterprise fraud risks in 2021. Although the Fraud and Corruption Control Plan 2021–2023 required that controls be tested every six months, preventative controls for enterprise-level fraud risks were not tested after 2021 (except for Community Grants Hub fraud risks in 2022). The 2021 testing found that 57 per cent of the preventative controls for enterprise fraud risks were effective and 43 per cent were partly effective. Treatments were developed to address partly effective controls. (See paragraphs 3.2 to 3.12)

18. Mechanisms were implemented to promote staff awareness of what constitutes fraud. Fraud awareness and integrity training were mandatory for all staff and completion rates were reported to executive and oversight committees. Reported completion rates in 2023 and 2024 ranged from 84 to 88 per cent overall. The department promoted fraud awareness to external parties through outreach activities, although grant opportunity guidelines and grant agreements for the Indigenous Australians’ Health Programme did not all refer to fraud. The effectiveness of measures to promote fraud awareness internally and externally was largely not evaluated. (See paragraphs 3.15 to 3.22)

19. The department’s fraud control and investigation functions were centralised in the Fraud and Integrity Branch in April 2024. As at June 2024, 80 per cent of investigators and 76 per cent of officials undertaking fraud control activities had the appropriate qualifications. There was no framework for ongoing professional development. (See paragraphs 3.24 to 3.30)

Fraud detection and response

20. The department established detective controls for fraud, primarily confidential reporting of tip-offs. For grants administered through the Community Grants Hub, there were arrangements in place with the Department of Social Services to escalate fraud risks and incidents. There were 12 potential fraud tip-offs and escalations relating to the Indigenous Australians’ Health Programme in 2022–23 and 2023–24. Proactive detective controls, such as data analytics, were developing. The department tested the effectiveness of its detective controls for enterprise fraud risks in 2021. Although the Fraud and Corruption Control Plan 2021–2023 required that controls be tested every six months, detective controls for enterprise-level fraud risks were not tested after 2021 (except for 2022 testing of Community Grants Hub fraud risks). The 2021 testing found that 65 per cent of detective controls were effective and 35 per cent were partly effective. Treatments were developed to address partly effective controls. (See paragraphs 4.2 to 4.18)

21. Between February 2023 and April 2024, previously devolved investigative functions were centralised in one branch. Documented procedures to support the investigative function were developing and at 30 June 2024 were not fully compliant with the Australian Government Investigations Standard, consistent across different investigative functions or types of external fraud, or finalised. The audit examined 12 fraud referrals and tip-offs relating to the Indigenous Australians’ Health Programme that were made in 2022–23 and 2023–24. One allegation was not assessed, and as at July 2024, two matters had not been finalised. Decisions to take no further action on the remaining nine fraud matters were largely documented. Decisions were not made by officials with the appropriate level of seniority in seven of nine matters. There were no referrals to the Australian Federal Police for the Indigenous Australians’ Health Programme in 2022–23 and 2023–24. Case management system records did not include estimates of loss to fraud for non-health provider benefit external fraud matters, and these were not included in the department’s response to the Australian Institute of Criminology’s Fraud Census. It is therefore not possible for the department to assure itself that it has taken reasonable measures to recover financial losses caused by external fraud in a number of the department’s programs. (See paragraphs 4.19 to 4.41)

22. The department had standard operating procedures to collect and manage fraud information, although many were in draft form as at June 2024. Procedures for recording information in a fraud case management system did not require the linkage of matters with programs, obscuring visibility of program-related fraud matters by responsible officials. This practice is inconsistent with divisional responsibility for fraud control activities and controls. The department completed the annual Fraud Census reporting requirements for 2022–23 with inaccuracies. The department established a process to identify matters representing significant non-compliance with finance law that should be reported to relevant ministers, and no fraud matters were reported in 2022–23 or 2023–24. The accountable authority certified in the annual report that the department has taken all reasonable steps to deal with fraud. The Secretary’s certification was supported by assurances from the Audit and Risk Committee. In 2022–23 and 2023–24 the Audit and Risk Committee did not implement all of its planned activities in relation to fraud controls, and in assuring the accountable authority on the effectiveness and appropriateness of the department’s fraud control arrangements, it largely relied on management representations. Disclosures about fraud matters were made to other entities in relation to internal and external health provider fraud. (See paragraphs 4.44 to 4.59)

Preparation for the 2024 Commonwealth Fraud and Corruption Control Framework

23. The department developed an implementation plan to prepare for the Commonwealth Fraud and Corruption Control Framework. Education and awareness activities were delivered, and existing governance arrangements were assessed and considered suitable to meet the requirements of the new framework. On 1 July 2024 the department published revised governance documents to meet requirements of the new framework. Of 10 implementation plan activities due to be completed by 30 June 2024, nine had been delivered by early July. The one exception was a revised Enterprise Fraud and Corruption Risk Assessment. (See paragraphs 5.2 to 5.7)

24. A fraud and corruption control testing framework was finalised on 4 July 2024. (See paragraphs 5.8 to 5.10)

Recommendations

Recommendation no. 1

Paragraph 2.32

For Portfolio Budget Statement programs presenting a high overall fraud risk profile, the Department of Health and Aged Care undertake detailed fraud risk assessments.

Department of Health and Aged Care response: Agreed.

Recommendation no. 2

Paragraph 2.37

The Department of Health and Aged Care ensure that fraud is covered in the internal audit work program, in proportion to the risk that fraud poses to the department and its programs.

Department of Health and Aged Care response: Agreed.

Recommendation no. 3

Paragraph 3.13

The Department of Health and Aged Care test the effectiveness of preventative and other fraud controls regularly, with appropriate intervals of control testing determined in line with the critical nature of the control; the department’s risk appetite and tolerance; and any changes to the internal or external operating environment of the entity.

Department of Health and Aged Care response: Agreed.

Recommendation no. 4

Paragraph 3.28

The Department of Health and Aged Care ensure that fraud control and investigations officials have obtained the minimum qualifications set out in the Fraud Policy and Guidance and Australian Government Investigations Standard.

Department of Health and Aged Care response: Agreed.

Recommendation no. 5

Paragraph 4.42

The Department of Health and Aged Care implement processes to quantify and record estimates of losses from external fraud for all types of external fraud and all departmental programs, where quantification is possible.

Department of Health and Aged Care response: Agreed.

Summary of entity response

25. The proposed audit report was provided to the Department of Health and Aged Care. The Department of Health and Aged Care’s summary response to the audit is provided below and its full response is at Appendix 1.

The Department of Health and Aged Care (the department) welcomes the findings in the report and accepts the recommendations directed to the department. The department is committed to effective implementation of Australian National Audit Office (ANAO) recommendations and has already taken steps to address the issues identified in this audit.

It was pleasing to note the ANAO found the fraud control policy framework largely appropriate and that the audit acknowledged the work the department has done to strengthen its fraud management, in particular by consolidating all fraud functions into a dedicated branch. These arrangements are continuing to be strengthened as the branch streamlines and matures its operations, uplifts capability and enhances its governance.

The audit found some areas for improvement, including how the department assesses fraud risk and tests fraud controls, and ensuring currency of qualifications of its fraud control and investigations officials. To address these findings, the department has commenced a review of its enterprise fraud and corruption risk assessment, commenced targeted pressure testing activities, and established a capability framework for its staff. Regular updates of the progress of this work will be provided to the department’s Audit and Risk Committee over the 2024–25 financial year.

Key messages from this audit for all Australian Government entities

26. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.

Governance and risk management

  • Management of fraud risk should not be a ‘set and forget’ compliance exercise. It requires regular, meaningful and active review and should address specific business risks. Entities should consider if controls remain relevant and whether fraud risks are being appropriately escalated.
  • Loss to fraud should be quantified where possible, and systems and processes should be designed to enable quantification. Quantifying fraud risks provides an evidence base to support the accountable authority’s assessment of whether the entity’s prioritisation of fraud risks is appropriate, the control framework is robust, and the level of resourcing towards fraud controls is appropriate.

1. Background

Introduction

1.1 Fraud against Australian Government entities and corrupt conduct by Australian Government officials are serious matters that can constitute criminal offences. Fraud and corruption undermine the integrity of and public trust in government, including by reducing funds available for government program delivery and causing financial and reputational damage to defrauded entities.8

1.2 The Australian Government defines fraud as:

Dishonestly obtaining (including attempting to obtain) a gain or benefit, or causing a loss or risk of loss, by deception or other means.9

1.3 Fraud against the Australian Government can be committed by government officials or contractors (internal fraud) or by parties such as clients of government services, service providers, grant recipients, other members of the public or organised criminal groups (external fraud).10 In its annual report on fraud against the Commonwealth11, the Australian Institute of Criminology reported that, for 2022–23:

  • 378,033 fraud allegations were received, including 366,196 of external fraud12;
  • 5,483 fraud investigations were commenced13, primarily in large (1,001–10,000 employees) and extra-large (greater than 10,000 employees) entities;
  • 6,915 fraud investigations were finalised14, with 3,192 fraud allegations substantiated in full or in part15; and
  • the quantified reported internal fraud losses were $2.9 million and the quantified reported external fraud losses were $158.1 million.16

1.4 The Australian Institute of Criminology notes that these reported fraud losses only include those which entities were able to quantify, and that losses and recoveries may be difficult to quantify due to system limitations, conduct of investigations by external agencies or confidential settlements.17

1.5 The Commonwealth Fraud Risk Profile identifies eight fraud risk areas across corporate and program and policy functions (Table 1.1).

Table 1.1: Fraud risk areas in the Commonwealth

| Function | Fraud risk area | Types of fraud |
| --- | --- | --- |
| Corporate | Assets | Theft, damage, misuse of facilities, vehicles, equipment, and other physical assets |
| Corporate | Corporate information | Theft, misuse, disclosure of employee information, intellectual property and other official information |
| Corporate | Human resources | Fraudulent recruitment and contracting practices and decisions |
| Corporate | Corporate funds | Theft, misuse, misdirection of payroll, entitlements, cash, credit cards, travel vouchers, invoicing and procurement |
| Program and policy | Program payments | Fraudulent claims, theft, misdirection, misuse of payments and services |
| Program and policy | Program revenue | Theft, misuse, misdirection of revenue, royalties and fees |
| Program and policy | Program information | Theft, misuse, disclosure of citizen and other official program information |
| Program and policy | Program and policy outcome | Misuse of power or position to unethically influence decisions, policies and outcomes |

Source: Adapted from Commonwealth Fraud Prevention Centre, Learn about the Fraud and Corruption Control Framework [Internet], Attorney-General’s Department, Canberra, 2024, available from https://www.counterfraud.gov.au/learn-about-fraud-and-corruption-control-framework [accessed 25 June 2024].

The Commonwealth Fraud Control Framework

1.6 The 2017 Commonwealth Fraud Control Framework provided the Australian Government’s fraud control requirements through to 30 June 2024. It had three components (Table 1.2).

Table 1.2: 2017 Commonwealth Fraud Control Framework components

| Component name | Purpose | Binding effect |
| --- | --- | --- |
| Fraud Rule — Section 10 of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) | Establishes key fraud control requirements. | Legislative instrument. Binds non-corporate and corporate Commonwealth entities. |
| Fraud Policy — Commonwealth Fraud Control Policy | Establishes procedural requirements for areas of fraud control, including investigations and reporting. | Binds non-corporate Commonwealth entities. Better practice for corporate Commonwealth entities. |
| Fraud Guidance — Resource Management Guide 201 — Preventing, detecting and dealing with fraud | Establishes better practice guidance for fraud control arrangements. | Better practice for non-corporate and corporate Commonwealth entities. |

Source: ANAO summary of 2017 Commonwealth Fraud Control Framework components.

1.7 On 1 July 2024, the 2024 Commonwealth Fraud and Corruption Control Framework came into effect. From 1 July 2024, non-corporate Commonwealth entities are required to adhere to the revised Fraud and Corruption Policy (see Table 1.3).18 The Fraud and Corruption Policy is considered better practice for corporate Commonwealth entities and Commonwealth companies. The revised framework includes provisions to mitigate corruption risk and complement the function of the National Anti-Corruption Commission.19 The revised framework introduces new requirements for fraud governance, oversight arrangements and controls testing.

Table 1.3: Comparison of the key elements of the 2024 Fraud and Corruption Rule to the 2017 Fraud Rule

| 2024 Fraud and Corruption Rule (effective from 1 July 2024) | 2017 Fraud Rule (effective to 30 June 2024) |
| --- | --- |
| Entities must conduct fraud and corruption risk assessments regularly and when there is a substantial change in the structure, functions or activities of the entity. | The Fraud Rule applied these requirements to fraud but not to corruption. |
| Entities must develop and implement fraud and corruption control plans as soon as practicable after conducting a risk assessment. | The Fraud Rule applied these requirements to fraud but not to corruption. |
| Entities must periodically review the effectiveness of their fraud and corruption controls. | There was no equivalent requirement in the Fraud Rule. The 2023 Commonwealth Risk Management Policy required entities to periodically review the effectiveness of controls. |
| Entities must have governance structures, processes and officials in place to oversee and manage fraud and corruption risks. Entities must keep records of those structures, processes and officials. | There was no equivalent requirement in the Fraud Rule. The 2023 Commonwealth Risk Management Policy specified governance requirements. |
| Entities must have appropriate mechanisms for preventing fraud and corruption by ensuring that: entity officials are aware of what constitutes fraud and corruption; and risks of fraud and corruption are considered in planning and conducting activities of the entity. | The Fraud Rule applied these requirements to fraud but not to corruption. |
| Entities must have appropriate mechanisms for: detecting fraud and corruption, including processes for officials of the entity and other persons to report suspected fraud or corruption confidentially; investigating or otherwise responding to fraud or corruption or suspected fraud or corruption; and recording and reporting incidents of fraud or corruption or suspected fraud or corruption. | The Fraud Rule applied these requirements to fraud but not to corruption. |

Source: Adapted from Commonwealth Fraud Prevention Centre, Learn about the Fraud and Corruption Control Framework [Internet], Attorney-General’s Department, Canberra, 2024, available from https://www.counterfraud.gov.au/learn-about-fraud-and-corruption-control-framework [accessed 25 June 2024].

1.8 The 2017 Fraud Rule and the 2024 Fraud and Corruption Rule apply to both the internal and external fraud risks identified in Table 1.1. The 2024 Commonwealth Fraud and Corruption Control Framework states that:

Fraud and corruption are risks that can undermine the objectives of every Australian Government entity in all areas of their business, including delivery of services and programs, policy-making, regulation, taxation, procurement, grants and internal procedures.20

Responsibilities of accountable authorities

1.9 The Public Governance, Performance and Accountability Act 2013 (PGPA Act) and the PGPA Rule contain specific duties and requirements for the accountable authority of a Commonwealth entity pertaining to internal control arrangements, including for fraud control and reporting (Table 1.4).

Table 1.4: Fraud-related responsibilities of accountable authorities

Reference: PGPA Act, section 15

Duty or requirement: Duty to govern the Commonwealth entity

  1. The accountable authority of a Commonwealth entity must govern the entity in a way that:
    1. promotes the proper use (see Note a) and management of public resources for which the authority is responsible; and
    2. promotes the achievement of the purposes of the entity; and
    3. promotes the financial sustainability of the entity.
  2. In making decisions for the purposes of subsection (1), the accountable authority must take into account the effect of those decisions on public resources generally.

Reference: PGPA Act, section 16

Duty or requirement: Duty to establish and maintain systems relating to risk and control

The accountable authority of a Commonwealth entity must establish and maintain:

  1. an appropriate system of risk oversight and management for the entity; and
  2. an appropriate system of internal control for the entity;

including by implementing measures directed at ensuring officials of the entity comply with the finance law.

Reference: PGPA Rule, section 10 (the Fraud Rule)

Duty or requirement: Preventing, detecting and dealing with fraud

The accountable authority of a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by:

  1. conducting fraud risk assessments regularly and when there is a substantial change in the structure, functions or activities of the entity; and
  2. developing and implementing a fraud control plan that deals with identified risks as soon as practicable after conducting a risk assessment; and
  3. having an appropriate mechanism for preventing fraud, including by ensuring that:
    1. officials of the entity are made aware of what constitutes fraud; and
    2. the risk of fraud is taken into account in planning and conducting the activities of the entity; and
  4. having an appropriate mechanism for detecting incidents of fraud or suspected fraud, including a process for officials of the entity and other persons to report suspected fraud confidentially; and
  5. having an appropriate mechanism for investigating or otherwise dealing with incidents of fraud or suspected fraud; and
  6. having an appropriate mechanism for recording and reporting incidents of fraud or suspected fraud.

PGPA Rule

subsection 17AG(2)

Information on management and accountability

The annual report must include the following:

  1. information on compliance with section 10 (which deals with preventing, detecting and dealing with fraud) in relation to the entity during the period.
  2. a certification by the accountable authority of the entity that:
    1. fraud risk assessments and fraud control plans have been prepared for the entity; and
    2. appropriate mechanisms for preventing, detecting incidents of, investigating or otherwise dealing with and recording or reporting fraud that meet the specific needs of the entity are in place for the entity; and
    3. all reasonable measures have been taken to deal appropriately with fraud relating to the entity.

Note a: In respect to ‘proper use’, section 8 of the PGPA Act provides that ‘proper, when used in relation to the use or management of public resources, means efficient, effective, economical and ethical.’

Source: PGPA Act and PGPA Rule.

1.10 The Commonwealth Grants Rules and Guidelines (CGRGs) note that probity and transparency in grants administration are achieved by ensuring that decisions are impartial, documented, and lawful; there is compliance with public reporting requirements; and there are appropriate safeguards against fraud. The CGRGs state that accountable authorities must ensure that the entity’s fraud procedures and practices comply with the Fraud Rule, including as they apply to grants administration. The CGRGs further note that officials undertaking grants administration should be aware of the procedures to follow if fraud is suspected.[21]

1.11 The APS Integrity Taskforce’s 2023 report Louder than Words: An APS Integrity Action Plan[22] noted the need for entities to gain ‘reassurance that their integrity frameworks are effective and that their fraud and corruption risks are mitigated.’ The report contains a recommendation to ‘upscale institutional integrity (cultural and compliance) within agencies.’[23] One of the actions identified by the APS Integrity Taskforce to support implementation of this recommendation is for accountable authorities to complete a self-assessment against the Commonwealth Integrity Maturity Framework and report the results to the Secretaries Board by September 2024. The Department of Health and Aged Care’s September 2024 self-assessed maturity rating against the Commonwealth Integrity Maturity Framework was Level 2 overall, where Level 1 is the lowest level of maturity and Level 4 is the highest.

1.12 ‘Prevent, detect and manage fraud and corruption’ is one of the eight integrity principles identified by the National Anti-Corruption Commission (NACC) in the Commonwealth Integrity Maturity Framework.[24] The NACC identified in its Integrity Outlook 2022–23 that:

Minimising the incidence of internal fraud through the identification and management of fraud risks should continue to be an ongoing focus of agencies. This can be achieved through the development, implementation and regular review of fraud prevention and detection strategies.[25]

Previous audits

1.13 The fraud control arrangements of Australian Government entities have been the subject of previous Auditor-General reports. The most recent was tabled in 2023–24 and examined the Australian Taxation Office’s (ATO’s) management and oversight of fraud control arrangements for the Goods and Services Tax (GST). The audit found that the ATO’s management and oversight of fraud control arrangements for the GST was partly effective.[26]

1.14 Three Auditor-General reports on the fraud control arrangements of Australian Government entities were published in June 2020.[27] The reports concluded that:

  • fraud control arrangements in the Department of Home Affairs were effective;
  • fraud control arrangements in the Department of Social Services and the Department of Foreign Affairs and Trade were largely effective; and
  • each of the audited entities met the mandatory requirements of the 2017 Commonwealth Fraud Control Framework.[28]

1.15 Auditor-General Report No. 42 2023–24 Interim Report of Key Financial Controls of Major Entities assessed the effectiveness of 27 Australian Government entities’ (including the Department of Health and Aged Care’s) internal controls as they relate to the risk of misstatement in the financial statements. Key areas of financial statements risk identified for the department included accuracy of personal benefit health care entitlements (higher risk); accuracy of aged care subsidies (moderate risk); and accuracy and occurrence of administered grants expenses (moderate risk).[29] The interim report concluded that except for a moderate audit finding in relation to governance of legislative compliance, legal matters and legal advice, key elements of internal control were operating effectively to provide reasonable assurance that the department will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2023–24 final audit.[30]

The Department of Health and Aged Care

1.16 The audit examines fraud risks in a non-corporate Commonwealth entity, the Department of Health and Aged Care (the department). The department is responsible for achieving the Australian Government’s health outcomes in the areas of health system policy, design and innovation; health access and support services; sport and recreation; individual health benefits; regulation, safety and protection; and ageing and aged care. This includes administering programs and services, such as the Medicare Benefits Schedule and the Pharmaceutical Benefits Scheme, and forming partnerships with the states and territories, as well as other stakeholders.

1.17 The department faces fraud risks across the corporate risk areas identified in the Commonwealth Fraud Risk Profile. In addition, as a funding entity, it faces fraud risks associated with its funding function. The department provides program payments to a wide variety of recipients to achieve government priorities and support beneficial community outcomes. There are risks of fraud in the provision of funding, whether through grants, procurements or other mechanisms.[31]

1.18 The department’s average staffing level for 2023–24 was 6,127.[32] Table 1.5 shows the department’s resourcing in 2023–24.

Table 1.5: Department of Health and Aged Care budget, 2023–24

|  | Total resourcing ($’000) |
| --- | --- |
| Total resourcing for Health and Aged Care | 110,652,962 |
| • Departmental resourcing | 2,139,372 |
| • Administered resourcing | 108,513,590 |

Source: Australian Government, Portfolio Budget Statements 2024–25, Budget Related Paper No. 1.9 — Health and Aged Care Portfolio, pages 24 and 26, Commonwealth of Australia, Canberra, 2023, [Internet] https://www.health.gov.au/sites/default/files/2023-05/health-portfolio-budget-statements-budget-2023-24.pdf [accessed 14 October 2024].

1.19 This audit examines fraud control arrangements in the department, using the Indigenous Australians’ Health Programme as a case study of how the arrangements are applied. The Indigenous Australians’ Health Programme funds initiatives to increase access to health care and improve the health of Aboriginal and Torres Strait Islander people. The program funds work under four streams: (1) primary health care services; (2) improving access to primary health care; (3) targeted health activities; and (4) capital works.[33] Based on GrantConnect reporting[34], the Indigenous Australians’ Health Programme funded 24 grant programs valued at $1.3 billion over four financial years in 2022–23 and 17 grant programs valued at $603.9 million over four financial years in 2023–24. The department advised the ANAO in June 2024 that Indigenous Australians’ Health Programme procurements totalled $45.6 million (over 55 procurements) in 2022–23 and $56.5 million (over 56 procurements) in 2023–24.

1.20 Table 1.6 shows the potential value of fraud, number of fraud allegations, fraud investigations and prosecution outcomes in 2022–23 and 2023–24, as reported to the department’s Executive Committee[35] and Audit and Risk Committee[36] in September 2023 and September 2024.

Table 1.6: Fraud allegations, investigations and prosecution outcomes in the Department of Health and Aged Care, 2022–23 and 2023–24

|  | 2022–23 | 2023–24 |
| --- | --- | --- |
| Number of tip-offs received | 1,084 | 1,054 |
| Number of fraud assessments completed, of which: | Not reported | 1,018[a] |
| • no further action | 877 | 336 |
| • referred internally | 162 | 59 |
| • referred externally | 139 | 416 |
| • proceed to investigation | 37 | Not reported[b] |
| • part of an existing investigation | 15 | 9 |
| Number of active investigations at 30 June | 135 | 133 |
| Number of referrals with the Commonwealth Director of Public Prosecutions (CDPP) | 11 | 3 |
| Number and value of matters before the court at 30 June 2023 | 17 matters with an estimated detriment to the Commonwealth of $10.2 million | 12 matters with an estimated detriment to the Commonwealth of $17 million |
| Fraud prosecutions concluded by the CDPP, with the outcomes being: | 17 | Not reported |
| • successful criminal prosecution and conviction | 15 (11 resulting in imprisonment) | 6 (3 resulting in imprisonment) |
| • unsuccessful prosecution | 2 | Not reported |

Note a: In the dashboard presented to the audit and risk committee (September 2024), the 2023–24 number of specific fraud outcomes (N=820) did not add up to the total number of fraud assessments completed (N=1,018). The department advised the ANAO in October 2024 that the 59 ‘internal referrals’ were matters received and referred by the Benefits Integrity Division. There were two additional categories of fraud assessment outcome not included in the dashboard: referred to an internal business area (N=166) and Community Grants Hub high risk notifications (N=10).

Note b: The department advised the ANAO in October 2024 that 22 assessments were referred for investigation.

Source: As reported to the Department of Health and Aged Care Audit and Risk Committee and Executive Committee.

Rationale for undertaking the audit

1.21 Fraud against Australian Government entities reduces available funds for public goods and services and causes financial and reputational damage to the Australian Government.[37] All Commonwealth entities are required to have fraud control arrangements in place to prevent, detect and respond to fraud. From 1 July 2024, this requirement also extends to corruption.

1.22 The Indigenous Australians’ Health Programme was selected as a case study to assess the department’s fraud control arrangements, due to the program’s size, variety of funded activities, and opportunity it presented to assess the department’s fraud control arrangements as they related to grants administration. The Indigenous Australians’ Health Programme is the department’s main overarching Aboriginal and Torres Strait Islander health program.[38] The program funds initiatives to increase access to health care and improve the health of Aboriginal and Torres Strait Islander people, and represents the Australian Government’s largest direct expenditure on Indigenous primary healthcare.[39]

Audit approach

Audit objective, criteria and scope

1.23 The objective of the audit was to assess the effectiveness of the Department of Health and Aged Care’s fraud control arrangements, with a specific focus on the Indigenous Australians’ Health Programme.

1.24 To form a conclusion against this objective, the following high-level criteria were adopted.

  • Have appropriate arrangements been established to oversee and manage fraud risks?
  • Have appropriate mechanisms been established to prevent fraud, and promote a culture of integrity?
  • Have appropriate mechanisms been established to detect and respond to fraud?
  • Has the entity appropriately prepared for the commencement of the revised Commonwealth Fraud and Corruption Control policy in July 2024?

1.25 This audit examined the department’s fraud control arrangements in 2022–23 and 2023–24. The audit assessed the department’s compliance with the 2017 Commonwealth Fraud Control Framework and readiness to implement the 2024 Commonwealth Fraud and Corruption Control Framework.

Audit methodology

1.26 The audit methodology included:

  • examination of the department’s strategies, policies, procedures, guidelines, training, risk assessments, control plans, investigation processes; governance committee meeting papers; reviews, internal audits and assurance reports; and internal and external reporting on fraud and corruption control activities;
  • for the Indigenous Australians’ Health Programme, analysis of fraud risk assessments, grant opportunity guidelines, grant agreements, and assessment and investigations of fraud tip-offs and referrals;
  • analysis of grant management arrangements with the Community Grants Hub within the Department of Social Services as they relate to fraud and corruption prevention, detection and response; and
  • meetings with departmental officials.

1.27 The ANAO did not assess the effectiveness of the department’s fraud controls.

1.28 During the course of the audit, the department was in the process of centralising previously decentralised fraud control and investigations functions. This included the centralisation of human resources, and fraud control, investigations and reporting functions, into a new Fraud and Integrity Branch. In this context, the ANAO assessed fraud control and investigations policies and procedures that were in development during the course of the audit.

1.29 Australian Government entities largely give the ANAO electronic access to records by consent, in a form useful for audit purposes. For the purposes of this audit, the Department of Health and Aged Care advised the ANAO that it would not voluntarily provide certain information requested by the ANAO due to concerns about its obligations under the Privacy Act 1988, secrecy provisions in Health and Aged Care portfolio legislation, confidentiality provisions in contracts and the Public Interest Disclosure Act 2013. The department advised that this type of information largely was not segregated in the department’s record-keeping systems and the department could not be certain, in providing documents through electronic means, that documents containing this type of information were excluded. To provide comfort to the Secretary regarding the department’s obligations under portfolio legislation, on 26 February 2024 the acting Auditor-General issued the Secretary of the department with a notice to provide information and produce documents pursuant to section 32 of the Auditor-General Act 1997. Under this notice, the department agreed to provide the information and documents requested through electronic means.

1.30 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $353,000.

1.31 The team members for this audit were Christian Coelho, Will Tse, Sam Skelton, Lauren Dell, Jake Farquharson and Christine Chalmers.

2. Oversight and management of fraud risks

Areas examined

This chapter examines whether the Department of Health and Aged Care (the department) has established appropriate arrangements to oversee and manage fraud risks.

Conclusion

The department established partly appropriate arrangements to manage and oversee fraud risks in 2022–23 and 2023–24. There were appropriate governance and oversight arrangements for fraud control, except that consideration of fraud risks was limited to one of 39 internal audits conducted in the period. There was a largely appropriate fraud control policy framework. Fraud risks were assessed at the enterprise level. These risks were not consistently assessed at the divisional or program level (including for the Indigenous Australians’ Health Programme). Enterprise level fraud risks were not reviewed regularly. There was a fraud control plan, which was not supported by a current fraud risk assessment, regular review, or testing of fraud control effectiveness.

Areas for improvement

The ANAO made two recommendations aimed at conducting fraud risk assessments for programs, and at internal audits incorporating appropriate consideration of fraud risks. The ANAO suggested the department could monitor the implementation of fraud control plan activities, and develop fraud control strategies on the basis of more targeted fraud risk assessments for programs profiled as high risk for fraud.

2.1 Section 16 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) states that the accountable authority of a Commonwealth entity has a duty to establish and maintain systems relating to risk and control. The 2017 Commonwealth Fraud Control Framework, which was in place during the time period for this audit, required accountable authorities to conduct regular fraud risk assessments and, as soon as practicable, develop and implement fraud control plans to deal with the identified risks.[40] The requirement was restated in the 2024 Commonwealth Fraud and Corruption Control Framework, with the 2024 framework requiring fraud and corruption risk assessments to be undertaken at least every two years.[41]

Are there appropriate governance and oversight arrangements for fraud control?

Roles and responsibilities for fraud control were assigned; there were committees with fraud oversight; and the accountable authority was kept informed. There was organisational change in 2023–24 with regard to line management arrangements. As at June 2024 roles and responsibilities were evolving and fraud control policies needed to be updated to reflect this.

Entity framework for fraud control

2.2 The accountable authority of the department has given effect to section 16 of the PGPA Act as it relates to fraud through:

  • Accountable Authority Instructions (AAIs) on fraud risk management and control (November 2021, revised 26 June 2024);
  • a Finance Business Rule (FBR) on fraud risk management and control (November 2021, revised 26 June 2024)[42];
  • Fraud and Corruption Control Plans (FCCPs) for the period 2021–2023 (created August 2021 and updated November 2022) and 2023–2025 (June 2023); and
  • manuals and guidelines to prevent, detect, investigate, record and report fraud (see paragraphs 4.21 to 4.29).

2.3 Together these documents represent the department’s fraud control policy framework. The framework covered the key elements of the 2017 Commonwealth Fraud Control Framework, with the following exceptions.

  • The Fraud Rule requires the accountable authority to conduct fraud risk assessments regularly and when there is a substantial change in the structure, functions or activities of the entity. Although the FCCP 2021–2023 included this requirement, the 2021 AAIs, 2021 FBR and FCCP 2023–2025 did not. The June 2024 FBR requires ‘All First Assistant Secretaries and Assistant Secretaries for their program areas to conduct assessments of fraud and corruption risk regularly and when there is substantial change in the structure, functions or activities of the department.’
  • The Fraud Policy at paragraph 4 states that entities must have in place investigation and referral processes and procedures that are consistent with the Australian Government Investigations Standard (AGIS).[43] Until February 2023, investigation functions within the department were decentralised, with separate investigation policies and procedures. From February 2023, the department began updating investigation policies and procedures to reflect centralisation of investigations functions (see paragraph 2.8). As at 30 June 2024 the department had draft guidance documents for the centralised investigations area that referred to the AGIS (see paragraph 4.27).

Roles and responsibilities

Assignment of roles and responsibilities for fraud control

2.4 As at June 2024 the department had 30 divisions across seven groups.[44] The 2021–2023 and 2023–2025 FCCPs indicate that divisional fraud risk assessments and the application of fraud controls to divisional activities are the responsibility of division heads.

2.5 The November 2021 FBR stated that the following line areas were ‘authorised by Health’s Executive to undertake fraud investigation activities consistent with relevant Government policy.’

  • Corporate Assurance Branch — overarching departmental fraud control activities including internal fraud.
  • Benefits Integrity and Digital Health Division — health provider benefits fraud. The Health Provider Fraud Section (HPFS) undertook investigations relating to the Medicare Benefits Schedule, Pharmaceutical Benefits Scheme, and Child Dental Benefits Schedule.
  • Quality and Assurance Division, Aged Care Group — aged care fraud.

2.6 The November 2021 FBR made no specific reference to responsibility for other areas of potential external fraud besides health provider benefits and aged care. For example, as described in Auditor-General Report No. 3 2023–24, the Regulatory Compliance Branch within the Health Products Regulation Group directly undertook non-compliance investigations relating to therapeutic goods.[45]

2.7 In February 2023 the Fraud Control and Investigation Branch (FCIB) was established within the Financial Management Division of the Corporate Operations Group. Departmental records stated that the FCIB amalgamated fraud and corruption sections across the department except for the HPFS (although, as noted above in relation to therapeutic goods, some investigation activities were still being undertaken in other areas of the department). A project plan for the FCIB indicated that the HPFS was expected to transition into the FCIB ‘in due course.’ The FCIB was to lead and coordinate the fraud control program, including undertaking investigations of alleged fraud and corruption.

2.8 In April 2024 fraud control activities, including those of the HPFS, were centralised within a renamed Fraud and Integrity Branch in the Corporate Operations Group. The department advised the ANAO in May 2024 that overall responsibility for managing enterprise-wide fraud control activities rested with the Assistant Secretary of that branch. The department advised the ANAO in July 2024 that enterprise fraud control functions, internal fraud and external fraud (excluding health provider and aged care fraud) were the responsibility of the branch. On 26 June 2024, the FBR was updated to reflect the role of the Fraud and Integrity Branch in managing department-wide fraud and corruption control arrangements. As at 30 June 2024 the FCCP 2023–2025 had not been updated.

2.9 A draft ‘Investigations Doctrine’ (June 2024, see paragraph 4.25) sets out responsibilities for managing fraud referrals within the Fraud and Integrity Branch.

Oversight of outsourced fraud planning

2.10 Table 2.1 presents an assessment of the department’s approach to applying the Fraud Guidance in relation to assigning a senior fraud officer or equivalent for outsourced fraud risk assessment and fraud control planning.

Table 2.1: Assessment against the Fraud Framework — Senior fraud officer

| Standard[a] | Source | Assessment |
| --- | --- | --- |
| Senior officer assigned responsibilities for outsourced fraud risk assessment and fraud control planning | Fraud Guidance, paragraph 35 |  |

Key: Fully compliant; Partly compliant; Not compliant.

Note a: The Fraud Guidance is better practice for all non-corporate Commonwealth entities.

Source: ANAO analysis of Department of Health and Aged Care documentation.

2.11 The Fraud Guidance states at paragraph 35 that:

If resources are not available in-house, entities may choose to outsource all or part of the risk assessment and fraud control planning process. However, consistent with PGPA Act responsibilities, outsourcing does not remove the responsibility of the accountable authority or of senior management to manage fraud risk. For this reason, entities are encouraged to have a senior official oversee the process, and to ensure that relevant corporate knowledge is appropriately captured and taken into account during the risk assessment and fraud control planning process.

2.12 The department outsourced its enterprise fraud and corruption risk assessment to Deloitte Touche Tohmatsu (Deloitte) in May 2024 at a cost of $79,856 (GST inclusive)[46] (see paragraph 2.22). The order for services lists an Executive Level 2 official as the department’s representative for management of this contract. The Assistant Secretary Fraud and Integrity Branch provided oversight of the contracted services.[47]

Fraud reporting, oversight and assurance

2.13 Subsection 17(2) of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) states that the functions of an audit committee must include reviewing the appropriateness of the system of risk oversight and management and of internal control for the entity. Department of Finance guidance[48] states that to fulfil this review function, audit committees could: review the process for developing and implementing the entity’s fraud control arrangements consistent with the fraud control framework, and satisfy themselves that the entity has adequate processes for detecting, capturing and effectively responding to fraud risks.

2.14 The accountable authority has by written charter determined the functions of the department’s Audit and Risk Committee (ARC). The February 2024 ARC charter states that:

The committee will review and provide advice to the Secretary regarding the appropriateness of the department’s … process of developing and implementing the department’s fraud control arrangements, including their conformance with the Commonwealth Fraud Control Framework.

2.15 The FCCP 2023–2025 states that the ARC ‘oversees the department’s system of risk management and internal controls, including fraud and corruption risk.’ The FCCP 2023–2025 also outlines the ARC’s role in providing advice to the Secretary to support the certification of the department’s fraud control arrangements in the annual report. The Audit and Risk Committee’s exercise of this function is discussed at paragraphs 4.53 to 4.55.

2.16 In 2022–23 and 2023–24, the Executive Committee (see paragraph 1.20) received reports on fraud control activities from line management; the Security, Workforce Integrity and Assurance Committee (SWIAC)[49]; and the ARC. Other committees provide operational oversight of fraud investigations. The Operational Management Committee for health provider fraud[50], and the Case Management Committee to oversee other investigation matters, were established in March–April 2022.

Has the entity appropriately assessed its fraud risks?

The department identified and assessed fraud risks at the enterprise level. This had not been reviewed in accordance with 2017 Commonwealth guidance (which suggested, as better practice, a review at least every two years). Fraud risks were not consistently considered as part of divisional and business planning. For 2024–25 divisional planning, the department introduced a requirement that division heads certify that they have considered fraud and corruption risks in developing their divisional plans. Fraud risks for Indigenous Australians’ Health Programme grant programs were not consistently assessed at the design stage. One of 39 internal audits completed in 2022–23 and 2023–24 considered fraud.

2.17 Table 2.2 presents an assessment of the department’s approach to applying the Fraud Rule, Guidance and Policy in relation to conducting fraud risk assessments.

Table 2.2: Assessment against the Fraud Framework — Fraud risk assessment

| Standard[a] | Source | Assessment | Paragraph |
| --- | --- | --- | --- |
| Fraud control arrangements developed in the context of the entity’s overarching risk management framework | Fraud Policy, paragraph v |  | See paragraphs 2.18 to 2.19 |
| Risk assessment considered relevant risk management and fraud and corruption control standards | Fraud Guidance, paragraph 32 |  | See paragraph 2.20 |
| Fraud risk assessment conducted regularly and when there is a substantial change in the structures, functions or activities of the entity | Fraud Rule, paragraph 10(a) |  | See paragraphs 2.21 to 2.30 |
| Risk assessments consider significant entity-specific risk factors | Fraud Guidance, paragraph 28; Commonwealth Grants Rules and Guidelines, paragraphs 7.5–7.12 |  | See paragraph 2.31 |
| Outcomes of risk assessments provided to internal audit for consideration in annual audit work program | Fraud Guidance, paragraph 29 |  | See paragraphs 2.34 to 2.36 |

Key: Fully compliant; Partly compliant; Not compliant.

Note a: For non-corporate Commonwealth entities, the Fraud Rule and Policy are mandatory and the Fraud Guidance is better practice. Non-corporate Commonwealth entities undertake grants administration based on the mandatory requirements and key principles of grants administration in the Commonwealth Grants Rules and Guidelines (CGRGs). Paragraphs 7.5 to 7.12 of the CGRGs represent better practice for non-corporate Commonwealth entities.

Source: ANAO analysis of Department of Health and Aged Care documentation.

Fraud control as part of the risk management framework

2.18 The department’s fraud control arrangements are referenced in the department’s overarching risk management framework.

  • The department’s AAI on risk management (October 2015) refers to the AAI and FBR on fraud risk management and control (see paragraph 2.2).
  • The department’s risk management framework (April 2023) describes fraud risks as a specialist risk that should always be considered when undertaking risk management.
  • The risk management policy (April 2023) references the fraud and corruption control plan.

2.19 The fraud control AAIs include a link to the department’s risk management policy. Specific references to the risk management framework are not made in the FBR and FCCPs.

Risk, fraud and corruption control standards

2.20 Paragraph 32 of the Fraud Guidance encourages entities to consider the relevant recognised standards, including the Australian/New Zealand Standard AS/NZ ISO 31000-2009 Risk Management — Principles and Guidelines and Australian Standard AS 8001-2008 Fraud and Corruption Control. The department’s fraud risk assessments have considered requirements in AS 8001:2008 Fraud and Corruption Control Standard and AS/NZS 31000:2018 Risk Management Principles and Guidelines.

Fraud risk assessments

Enterprise-level fraud risk assessments

2.21 An Enterprise Fraud and Corruption Risk Assessment (EFCRA) (December 2021) documents the department’s fraud risks, controls, and tests to determine whether controls are effective. The EFCRA 2021–2023 stated that it was developed following divisional fraud risk assessments conducted in April 2020. Following the development of the EFCRA 2021–2023, the department listed its enterprise fraud risks in an Enterprise Fraud Risk Register (Register) (December 2021). The Register contains 12 risks (10 fraud-related and two corruption-related) (Box 1).

Box 1: Department of Health and Aged Care enterprise fraud risks

Grant funding: Grant recipients inappropriately misuse grant funding — resulting in reputation damage, negative impact on consumers and financial loss. (High)a

Provider claims: Providers make false claims, resulting in a financial benefit to which they are not entitled — resulting in reputation damage and financial loss. (Medium)

Information management: Officials/staff are offered benefits to release, sell and/or misuse data or information which may be sensitive or commercially valuable — impacting integrity of processes, reputation of the Department, financial loss and privacy. (Low)

Procurement processes: Officials/staff undertake procurement in a manner that benefits themselves or others — impacting value for money procurements. (Medium)

Identity crime: Fictional individuals/companies are created and used to obtain a grant or make a claim on funds from the department — resulting in reputation damage and financial loss. (Medium)

External influence: Department staff are influenced by external parties to act in a way that provides a benefit, impacting on quality and safety of goods and services and reputation of the department. (Medium)

Regulatory approvals: Fraud associated with regulatory approval processes, including applying for and granting regulatory licences/approvals/clearances, and misleading information to obtain approval — impacting on quality, safety and reputation of the department. (Medium)

Conflict of interest: Conflicts of interest of internal and external individuals sitting on decision-making committees. Conflict of interest in employing contractors and engaging consultants — results in departmental mistrust and loss of value for money opportunities. (High)

Credit card and travel fraud: Employee misuse of corporate credit cards and cabcharges, and fraudulent claims for travel reimbursements — resulting in financial loss. (Very low)

Employment-related fraud: Misleading or false information provided by individuals to obtain a position as staff or contractor within the department, or to obtain other benefits. Examples of staff or contractors providing misleading or false information includes timesheet fraud, falsification of leave forms and fraudulent claims of entitlements — resulting in financial loss. (High)

Misuse of department assets: Employees misappropriate, misuse or steal assets for personal gain — resulting in financial loss. (Low)

Misuse of IT systems: Employees misuse, manipulate or change IT systems intentionally to obtain a benefit leading to information, privacy and security breaches. (Low)

Note a: Risk ratings are before treatment.

Source: Department of Health and Aged Care Fraud and Corruption Risk Register, December 2021.

2.22 An enterprise-level fraud risk assessment was undertaken. This assessment was not done regularly in accordance with better practice Commonwealth guidelines, which state that ‘entities are encouraged to conduct risk assessments at least every two years’ or more frequently for entities responsible for activities with high fraud risk.[51] Between July 2022 and March 2023 the department commenced but did not finalise a review of two high and five medium enterprise fraud risks. As noted at paragraph 2.12, the department engaged Deloitte in May 2024 to review and update the EFCRA and Register before 30 June 2024. On 27 June 2024 the department extended Deloitte’s contract to 30 August 2024. On 27 August 2024, the department extended Deloitte’s contract to 30 November 2024.[52] The second extension stated that ‘The cessation date is to be extended [due to] work being placed on hold by the Agency to manage competing priorities. There is no change to scope or expenditure.’

Divisional fraud risk assessments

2.23 The FCCP 2023–2025 states that fraud and corruption risks must be considered as part of the development of annual divisional business and risk plans, and that if any applicable enterprise fraud and corruption risks are identified, the division should ensure appropriate controls are implemented as outlined in the FCCP and Register. The ANAO reviewed 2023–24 divisional business and risk plans for all 30 divisions. Plans for 22 of the 30 divisions did not include fraud risk assessments, including for the First Nations Health Division which is responsible for the Indigenous Australians’ Health Programme. The Benefits Integrity Division did not include an assessment for provider benefits fraud in divisional plans. For 2024–25 divisional and business planning, the department introduced a new template that includes a new page for listing risks and makes reference to the FCCP. The template requires the division head to certify that they have considered the EFCRA in developing the divisional plan.

Program and project fraud risk assessments

2.24 The FCCP 2023–2025 states that during the design stage, each project or program should seek to identify fraud and corruption vulnerabilities that could threaten successful outcomes.

2.25 During December 2023 to February 2024, using a Strategic Risk Profiling Tool developed by the Commonwealth Fraud Prevention Centre, the department undertook a desktop review of its 20 Portfolio Budget Statements programs[53] and four processes and functions relating to grants, projects, digital transformation/ICT Strategy, and budget measures/election commitments/ministerial announcements. The department advised the ANAO in June and July 2024 that the purpose of the profiling exercise, which was conducted by the Fraud and Integrity Branch, was to inform the forward enterprise and corruption risk work plan, including education and awareness activities, and that the risk profiles were ‘preliminary’ and unvalidated with program areas.[54] Preliminary risk profiles were: very high for five programs (including First Nations Health of which the Indigenous Australians’ Health Programme is a sub-program)[55]; high for nine programs; medium for five programs; and low for one program.

2.26 The department has undertaken program or activity fraud risk assessments for the Home Care Package Program (June 2022); and Community Grants Hub[56] grants programs (September 2022) (see Box 2). No other program risk assessments were undertaken in 2022–23 or 2023–24.

Box 2: Program or internal fraud risk assessments conducted, July 2022 to June 2024

  • Home Care Package Program (June 2022) — identified 32 fraud risks, comprising very high (2), high (11), medium (14), low (3) and very low (2) risks. For the two very high risks, controls were assessed as partially effective for one risk and ineffective for the other risk. For the 11 high risks, controls were rated as ineffective for six risks and partially effective for five risks. For those risks where controls were rated as partially effective or ineffective, the fraud risk assessment identified 36 treatments.
  • Community Grants Hub grants (September 2022) — assessed fraud risks and controls across the grant lifecycle. The assessment identified nine fraud risks, of which six were rated medium and three were rated low. For the six medium risks, four controls were rated effective, 28 controls were rated partially effective, and three controls were rated ‘uncertain’. For the three low risks, nine controls were rated effective, eight controls were rated partially effective, and one control was rated uncertain. Sixteen treatments were identified for the nine risks.
  • Credit cards (March 2024) — identified two medium fraud risks relating to staff use of credit cards. For both medium risks, the risk assessment identified: 23 preventative controls (of which 20 were assessed as effective and three were partially effective); nine detective controls (of which eight were assessed as effective and one was partially effective); and five corrective controls (of which four were assessed as effective and one was partially effective). Eleven treatments were identified for the two risks.

2.27 The department uses the services of the Community Grants Hub; the Department of Industry, Science and Resources (through the Business Grants Hub); the National Health and Medical Research Council; and Services Australia to administer grants and make payments on its behalf. Grants for the Indigenous Australians’ Health Programme are administered through the Community Grants Hub.

2.28 The department’s grants toolkit[57] states that risk is assessed at two levels in the grant lifecycle: (1) program risk (refers to the risk associated with the delivery of the grant program taken as a whole); and (2) organisational risk (refers to the risk associated with the individual grantee organisations). Program risk assessments are required to be undertaken at the ‘design’ phase of the grant lifecycle and are the responsibility of the relevant policy division within the department. Organisational risk assessments are required to be undertaken at the ‘select’ phase of the grant lifecycle by the relevant policy division, and updated in consultation with the Community Grants Hub at the ‘manage’ phase. The Community Grants Hub is responsible for maintaining organisational risk ratings on an ongoing basis during the ‘manage’ phase. The policy division is responsible for reviewing program and organisational risk assessments at the ‘evaluate’ stage.

2.29 The ANAO reviewed program fraud risk assessments for eight of 24 Indigenous Australians’ Health Programme grant programs, with a combined value of $1.2 billion (Table 2.3).[58] Of the eight grant programs reviewed, the department considered and documented risks at the grant design stage for six. Three of the six programs with a risk assessment assessed fraud risks.

Table 2.3: Fraud risk assessments for selected Indigenous Australians’ Health Programme grant programs

| Grant program | Reported value of grant funding ($ million) | Risk assessment | Assessment of fraud risks |
|---|---|---|---|
| Australian Nurse Family Partnership Programme | 5.4 | The risk assessment does not consider or document fraud risks and controls. | |
| CAPITAL — Indigenous Capital | 323.5 | The department has considered and documented risks to the misuse of payments as part of the grant opportunity guidelines. | |
| Comprehensive Primary Health Care | 664.2 | The risk assessment does not consider or document fraud risks and controls. | |
| Data Improvement, Analysis and Reporting | 33.6 | The department did not conduct a program risk assessment. | |
| Emerging Child and Maternal Priorities | 18.4 | The department did not conduct a program risk assessment. | |
| Indigenous Renal Services — Support | 50.2 | The assessment does not consider or document fraud risks and controls. | |
| National Aboriginal Community Controlled Health Organisation & Affiliates | 103.8 | The department has considered and documented fraud risks as part of the grant opportunity guidelines. | |
| Tackling Indigenous Smoking | 1.1 | The department has considered and documented fraud risks as part of the grant opportunity guidelines. | |

Key: ✔ Fraud risk assessment was undertaken ✘ Fraud risk assessment was not undertaken.

Source: ANAO analysis of GrantConnect reporting and Department of Health and Aged Care documentation.

2.30 The Department of Social Services’ procedure for assessing organisational risk states that:

[The Department of Health and Aged Care] are accountable for the overall policy and program risk and decisions around how it is managed. This includes working with the Hub to manage risk. The [Community Grants] Hub identifies, monitors and escalates risk issues associated with administering funding arrangements. The Hub works with the relevant policy areas in [the Department of Health and Aged Care] to mitigate risk.

The Community Grants Hub advised the ANAO in July 2024 that it detects and manages potential fraud during the ‘manage’ phase by: agreeing grant activity work plans; undertaking regular provider risk assessments; undertaking due diligence over performance reports and financial statements provided by grant recipients; site visits; and requesting additional or audited performance and financial reports where required. The Community Grants Hub has standard operating procedures to assess and manage risks (including fraud risks) posed by grantees and to escalate incidents to the department. The Department of Social Services provides the Department of Health and Aged Care with a management representation letter annually that outlines results of assurance and oversight of grants administered through the Community Grants Hub on behalf of the Department of Health and Aged Care.[59]

Entity-specific fraud risk factors

2.31 The 2017 Commonwealth Fraud Control Framework states that ‘Risk assessment processes ideally take into account all significant factors likely to affect an entity’s exposure to risk.’[60] The EFCRA considered entity-specific risk factors at a high level, including funding activities such as grants (Risk 1) and health provider benefits (Risk 2). Separate detailed fraud risk assessments for Home Care Packages and grants (discussed at Box 2) examined significant risk areas for the department at a more detailed level. The department has not developed detailed fraud risk assessments for other programs, such as health provider benefits or health products regulation, or for grants administered through other mechanisms besides the Community Grants Hub.[61]

Recommendation no.1

2.32 For Portfolio Budget Statement programs presenting a high overall fraud risk profile, the Department of Health and Aged Care undertake detailed fraud risk assessments.

Department of Health and Aged Care response: Agreed.

2.33 As part of the recently established Fraud and Corruption Risk Management Program, the Department of Health and Aged Care will undertake fraud and corruption risk assessments on programs and functions identified as high-risk.

Informing internal audit of fraud risk

2.34 The 2022–23 and 2023–24 internal audit work programs were based on assurance maps that considered enterprise risks (including the enterprise financial risk which includes the risk of fraud). The programs did not refer to the enterprise fraud and corruption risk register. Internal audit program planning documents indicated that for the 2024–25 internal audit work program, the Register had been considered. The department advised the ANAO in May 2024 that:

The assurance mapping process considered financial materiality, priorities from the Secretary, Deputy Secretary and the interest of the public through senate estimates hearings. Amongst these priorities, fraud against the department’s programs is always a consideration.

2.35 The ARC reviews and approves the annual internal audit work program, which includes draft audit scopes for each proposed audit topic. A total of 39 internal audits were completed in 2022–23 and 2023–24. One completed audit (Review of the Pharmaceutical Benefits Scheme Program Agreement with Services Australia) covered fraud risks. An audit of fraud risk assessments on the 2021–22 internal audit program was deferred to 2022–23 as a reserve topic and never undertaken. As part of internal audit work planning, the ARC approved an audit of ‘Follow-up of Fraud Recovery of Funds.’ This audit was completed in 2023–24 as an examination of the debt recovery framework, and did not consider processes to recover funds lost to fraud.

2.36 At the June 2024 meeting of the ARC, the committee requested the department provide it with greater assurance over how topics are selected or not selected for internal audit coverage.

Recommendation no.2

2.37 The Department of Health and Aged Care ensure that fraud is covered in the internal audit work program, in proportion to the risk that fraud poses to the department and its programs.

Department of Health and Aged Care response: Agreed.

2.38 The Department of Health and Aged Care is establishing an Assurance Universe to inform the risk-based prioritisation of audit timing. The Assurance Universe is intended to assign a priority rating to auditable functions which will consider fraud risk as an input.

Is there an appropriate fraud control plan and testing of control effectiveness?

The department had a fraud control plan, which was not informed by a current fraud risk assessment. The fraud control plan was not regularly reviewed. As at May 2024, 32 per cent of fraud control owners identified in the enterprise fraud and corruption risk register had left the department. Fraud control activities outlined in the fraud control plans were not fully implemented. The department tested the effectiveness of controls when developing its enterprise fraud and corruption risk assessment in 2022. Six-monthly testing of the effectiveness of controls (as required under the fraud control plan) was not done. The department finalised a mechanism for regular, ongoing controls testing in July 2024.

2.39 Table 2.4 presents an assessment of the department’s approach to applying the Fraud Rule and Guidance in relation to fraud control plans.

Table 2.4: Compliance assessment — Fraud control plan

| Standard [a] | Source | Assessment | Paragraph |
|---|---|---|---|
| Fraud control plan developed and implemented that deals with identified risks | Fraud Rule, paragraph 10(b) | | See paragraphs 2.40 to 2.42 |
| Controls and strategies outlined in the plan are commensurate with assessed fraud risks | Fraud Guidance, paragraph 39 | | See paragraph 2.44 |
| Mechanisms established to review and test controls effectiveness on a regular basis | Fraud Guidance, paragraphs 39 and 41 | | See paragraphs 2.46 to 2.51 |

Key:  Fully compliant Partly compliant Not compliant.

Note a: For non-corporate Commonwealth entities, the Fraud Rule is mandatory and the Fraud Guidance is better practice.

Source: ANAO analysis of Department of Health and Aged Care documentation.

Department of Health and Aged Care’s fraud control plan

2.40 As noted at paragraph 2.2, there are Fraud and Corruption Control Plans (FCCPs) for the period 2021–2023 (created August 2021, updated November 2022) and 2023–2025 (June 2023). Neither the FCCP 2021–2023 nor the FCCP 2023–2025 was based on an up-to-date fraud risk assessment.

  • FCCP 2021–2023 — The November 2022 update occurred one year after the EFCRA was completed in November 2021.
  • FCCP 2023–2025 — In June 2023 the department presented the draft plan to the ARC, noting that it ‘reflects revised current fraud and corruption risks and vulnerabilities with associated control strategies’. As the department’s EFCRA was last updated in November 2021, the FCCP 2023–2025 was not based on a current assessment of fraud and corruption risks.

2.41 The FCCP 2021–2023 listed activities to be implemented up to June 2023.

  • Fraud risk reviews — The department commenced but did not complete fraud risk reviews between July 2022 and March 2023 (see paragraph 2.22).
  • Fraud and corruption control plan updates — Biannual updates of the FCCPs were not undertaken as scheduled.
  • Data analytics — The FCCP 2021–2023 stated that a ‘fraud intelligence capability, including a data analytics function, specific to the needs of investigation’ was being explored. As at May 2024 a data analytics capability was undergoing a privacy threshold assessment.
  • Controls testing — Controls testing was not performed as scheduled.

2.42 The FCCP 2021–2023 was superseded by the FCCP 2023–2025 in June 2023. The FCCP 2023–2025 does not outline planned activities. At its June 2023 meeting the ARC requested the department provide an update on the FCCP 2023–2025 and its implementation at the September 2023 meeting. The department provided an update to the ARC on the implementation of the FCCP 2023–25 at the November 2023 meeting, which included an FCCP 2023–2025 Activity Plan. The FCCP 2023–2025 Activity Plan includes 22 activities categorised against: prevention (12), detection (six) and response (four), of which 21 were to be undertaken by June 2024. As at 30 June 2024, 16 of 21 planned activities were fully implemented. The five activities that were not fully implemented were: implementing a new anonymous fraud reporting system; implementing a new case management system; completing a review of the investigation framework and legislative requirements to support response activities; implementing the Commonwealth Fraud and Investigators Capability Framework; and implementing the AGIS 2022.

Opportunity for improvement

2.43 The department could establish a mechanism to monitor and track implementation of fraud control plan activities.

Controls and strategies align with assessed fraud risks

2.44 The strategies outlined in the FCCP 2021–2023 and 2023–2025 to prevent, detect and respond to fraud (see Box 3) are largely commensurate with the assessed fraud risks as at December 2021 (see Box 1 and Box 2).

Box 3: Fraud control strategies

The FCCP 2021–2023 outlined the following strategies to deal with fraud.

  • Prevention — compliance with code of conduct, protective security, conflicts and gifts and benefits requirements; fraud and integrity training; program and divisional fraud risk assessments; enterprise fraud and corruption risk assessment; insider threat program; and behavioural economics and insights (for provider benefits fraud).
  • Detection — managing allegations; dealing with misconduct; public interest disclosures (PIDs); data analytics (for provider benefits fraud); and data sharing (internal and with Commonwealth entities).
  • Response — investigations; prosecutions; referral to federal and state and territory law enforcement agencies; referral to other Commonwealth departments; post-incident reviews and action; and recovery action. Where investigations identify non-compliance rather than fraud, liaising with the department’s internal business areas to manage these instances.

The FCCP 2023–2025 outlined the following strategies to deal with fraud.

  • Prevention — fraud, security, and integrity awareness through training; managing conflicts; project and program fraud control; divisional business and risk planning; procurement, grants and contract management controls; information and cyber security controls; financial controls; and personnel security controls.
  • Detection — fraud and corruption reporting; PID scheme; financial management compliance; grants management compliance; internal audit; data analytics (provider benefits fraud); and data sharing (internal and with Commonwealth entities).
  • Response — investigations; prosecutions; referral to federal and state and territory law enforcement agencies (including the National Anti-Corruption Commission); referral to other Commonwealth departments; post-incident reviews and action; and recovery action. Where investigations identify non-compliance rather than fraud, liaising with the department’s internal business areas to manage these instances.

Opportunity for improvement

2.45 Fraud control strategies would be improved by being based on more targeted fraud risk assessments for programs profiled as high risk for fraud (including First Nations Health if preliminary risk profiling is confirmed, see paragraph 2.25).

Review and testing of control effectiveness

Updates to the fraud control plan

2.46 As noted at paragraph 2.22, in July 2022 the department commenced a review of some enterprise fraud risks (including of controls and treatments) that were rated medium and high (see Box 1).[62] Control owners stated that some controls had not operated as intended, or that they were not aware of them. For example, the owner for ‘spot checks of security waste bins’ stated that ‘we have not implemented the checking … didn’t know about it.’ For an identity crime risk, a control owner stated ‘the control may not have applied at all.’ For medium risks, there were no final review reports or evidence of remedial activity. For high risks, a grants fraud risk (Risk 1) assessment was completed in September 2022. Draft reports from reviews of risks 8 and 10 were not finalised; and risk descriptions, controls, treatments and owners for these risks remained unchanged in the EFCRA and Register.

2.47 The department identified control owners (Senior Executive Service or Executive Level 2 departmental officials) within the Register. A total of 25 owners were specified across preventative, detective and response controls. As at May 2024, eight of the 25 control owners were no longer in the department. Collectively they were responsible for over 50 per cent of the 160 controls and countermeasures.

2.48 The FCCP 2021–2023 stated that it was to be updated on a quarterly basis. The FCCP 2021–2023 was updated once in November 2022. The FCCP 2023–2025 has not been updated since its creation in June 2023. Part of the department’s engagement of Deloitte in May 2024 (see paragraph 2.12) involved developing an EFCRA 2024–2026, ensuring alignment between that and the FCCP 2023–2025, and undertaking other activities to bring fraud risk assessments and plans up to date.

Regular testing of fraud control effectiveness

2.49 Paragraphs 39 and 41 of the 2017 Fraud Guidance suggest mechanisms be established to test controls effectiveness regularly, to help ensure that ‘control systems remain appropriate, cost-effective and proportionate to the actual risks they are addressing.’ The 2024 Commonwealth Fraud and Corruption Control Framework requires controls effectiveness testing (see Table 1.3).

2.50 The FCCP 2021–2023 required six-monthly testing of controls. The FCCP 2023–2025 did not require controls testing. The department tested the effectiveness of controls as part of developing the 2021–2023 EFCRA and 2022 Community Grants Hub grants fraud risk assessment (see paragraphs 2.21 and 2.26). It did not undertake six-monthly testing of controls in the period between the establishment of the FCCP 2021–2023 and its replacement by the FCCP 2023–2025.

2.51 Prior to July 2024 the department had not documented a framework and processes to test the effectiveness of its fraud controls. To meet the requirements of the 2024 Commonwealth Fraud and Corruption Control Framework, the department finalised a Fraud and Corruption Control Testing Framework (control testing framework) on 2 July 2024. The control testing framework states that the Fraud and Integrity Branch is responsible for undertaking control testing. The control testing framework outlines a high-level end-to-end testing process and the eight types of control tests.[63] The control testing framework states that, subject to business area approval, reports of control tests will be provided to the department’s governance committees. Business area discretion over the provision of control test reports to governance committees poses a risk that governance committees will not have complete oversight of the adequacy of controls. The department’s high-level control testing process is consistent with an international standard.[64] In July 2024 the Fraud and Integrity Branch provided a forward work plan for 2024–25 that includes control testing activities and priority ratings for these activities.

3. Fraud prevention and integrity culture

Areas examined

This chapter examines whether the Department of Health and Aged Care (the department) has established appropriate mechanisms to prevent fraud and promote a culture of integrity.

Conclusion

The department’s mechanisms to prevent fraud and to promote a culture of integrity were largely appropriate. The department established preventative controls for fraud. The effectiveness of preventative controls was not tested in accordance with the department’s fraud control plan. The department established largely appropriate mechanisms to promote internal and external fraud awareness. Not all fraud control officials and investigators attained the required minimum vocational qualifications.

Areas for improvement

The ANAO made two recommendations for the department to establish arrangements to test the effectiveness of its preventative and other fraud controls; and ensure officials with fraud control and investigation responsibilities attain minimum qualifications. The ANAO identified improvement opportunities related to evaluating fraud awareness initiatives; and ongoing professional development for officials with fraud control and investigation responsibilities.

3.1 The 2017 Commonwealth Fraud Control Framework requires accountable authorities to establish appropriate mechanisms for preventing fraud, including by ensuring that entity officials are made aware of what constitutes fraud[65], and that officials engaged in fraud control activities receive appropriate training or attain necessary qualifications.[66] Grants administration by officials and grantees should incorporate appropriate safeguards against fraud and should comply with the Fraud Rule.[67] The Fraud Guidance states that ‘Fraud prevention involves putting into place effective accounting and operational controls, and fostering an ethical culture that encourages all officials to play their part in protecting public resources.’[68]

Have appropriate mechanisms been established to prevent fraud?

The department established preventative controls for fraud risks, including instructions and procedures to assist officials to prevent, detect and deal with fraud. Mechanisms to ensure fraud risk is considered in planning and conducting entity activities were inconsistently implemented. The department tested the effectiveness of its preventative controls for enterprise fraud risks in 2021. Although the Fraud and Corruption Control Plan 2021–2023 required that controls be tested every six months, preventative controls for enterprise-level fraud risks were not tested after 2021 (except for Community Grants Hub fraud risks in 2022). The 2021 testing found that 57 per cent of the preventative controls for enterprise fraud risks were effective and 43 per cent were partly effective. Treatments were developed to address partly effective controls.

3.2 Table 3.1 presents an assessment of the department’s approach to applying the Fraud Rule, Guidance and Policy in relation to fraud prevention.

Table 3.1: Assessment against the Fraud Framework — Fraud prevention

| Standard [a] | Source | Assessment | Paragraph |
|---|---|---|---|
| Entity maintains appropriately documented instructions and procedures to assist officials to prevent, detect and deal with fraud | Fraud Policy, paragraph 1 | | See paragraphs 3.5 to 3.7 |
| Entity has considered strategies to mitigate the risk of identity fraud | Fraud Guidance, paragraph 42 | | See paragraph 3.8 |
| Entity has developed mechanisms to ensure fraud risk is considered in planning and conducting entity activities | Fraud Rule, paragraph 10(c)(ii) | | See paragraph 3.9 |
| Entity’s preventative controls are appropriate and effective | Fraud Rule, paragraph 10(c) | [b] | See paragraphs 3.10 to 3.12 |

Key:  Fully compliant Partly compliant Not compliant.

Note a: For non-corporate Commonwealth entities, the Fraud Rule and Policy are mandatory and the Fraud Guidance is better practice.

Note b: Rating is based on the department’s assessment of its preventative controls. The ANAO did not undertake an independent assessment.

Source: ANAO analysis of the Department of Health and Aged Care documentation.

3.3 As outlined at paragraph 2.21 and Box 1, the 2021 Enterprise Fraud and Corruption Risk Assessment (EFCRA) identified 12 enterprise fraud and corruption risks. The EFCRA established 103 preventative controls (58 unique controls)[69] applying to these 12 risks. This represented 64 per cent of all established fraud controls in the EFCRA. Preventative controls include: policies and business processes; legislative and other compliance requirements; system access controls; segregation of duties; identity verification; mandatory fraud awareness, integrity and security training; financial delegations; and due diligence processes. Grants program preventative controls include: grant agreement terms and conditions; a ‘compliance protocol’ established with Services Australia; site inspections; and audits.

3.4 For grants administration (see Risk 1 in Box 1), the department identified seven preventative controls and nine treatments. In September 2022 the department undertook a specific grant fraud risk assessment as it related to the Community Grants Hub (see paragraph 2.26 and Box 2). This assessment identified 37 preventative controls (out of 53 controls) and 16 treatments for the nine grants fraud risks.

Documented instructions to prevent, detect and deal with fraud

3.5 The department has established documented instructions and procedures to assist officials to prevent, detect and deal with fraud. These instructions and procedures comprise:

  • Accountable Authority Instructions (November 2021) and a Finance Business Rule (November 2021) (see paragraph 2.2);
  • the EFCRA and an Enterprise Fraud Risk Register (Register) (December 2021) (see paragraph 2.21);
  • fraud and corruption control plans (FCCPs) (August 2021 and June 2023) (see paragraph 2.40);
  • a draft investigation manual, referred to as the ‘Investigations Doctrine’ (May 2024);
  • a fraud control toolkit and other information on the department’s intranet; and
  • information about fraud prevention on the department’s website.

3.6 The documented instructions and procedures outline: the accountable authority’s expectations for staff to act in accordance with the FCCP; the department’s enterprise fraud and corruption risks; the department’s strategies for preventing, detecting and dealing with fraud; and departmental officials’ responsibilities to prevent, detect and report fraud.

3.7 In 2021 a partnership agreement was established with the Department of Social Services in relation to the Community Grants Hub (see paragraph 2.26), which provides grant management support to the department’s grant programs including the Indigenous Australians’ Health Programme. While the 2021 partnership agreement referred to operational risks (for which the Department of Social Services was identified as accountable) and program failure risks (for which the Department of Health and Aged Care was identified as accountable), it made no specific reference to fraud control arrangements. The Community Grants Hub partnership agreement was varied in May 2023 to ‘clarify and strengthen the roles of each party in relation to Conflicts of Interest and Fraud.’ The amended partnership agreement stated that:

  • the Department of Social Services has an obligation to notify the Department of Health and Aged Care of any instances of identified fraud risk or incidents; and
  • the Department of Health and Aged Care maintains carriage and ownership over the investigation of any fraud incidents that may be notified.

Mitigating the risk of identity fraud

3.8 The EFCRA and Register identified identity crime as one of the department’s 12 fraud and corruption enterprise risks (see Risk 5 in Box 1). The department established four preventative controls and four treatments for this risk.

Fraud risk considered within the Department of Health and Aged Care’s activities

3.9 The department’s divisional business and risk plans are developed annually. The FCCPs 2021–2023 and 2023–2025 provide that the divisional business and risk plans are to include consideration of fraud risks and controls. As discussed at paragraph 2.23, the majority of the divisional business and risk plans in the period examined by the ANAO (including for First Nations Health) did not include consideration of preventative fraud controls. The department has developed a mechanism for divisional planning to include consideration of fraud risks in 2024–25.

Appropriateness and effectiveness of preventative controls

3.10 In December 2021 the department tested the effectiveness of preventative controls identified in the EFCRA. The EFCRA outlines the department’s approach to, and results of, controls testing. Preventative controls were found to be ‘effective’ (57 per cent) or ‘partly effective’ (43 per cent), with no preventative controls categorised as ‘ineffective.’ Following the controls testing, an additional 64 treatments were identified.70

  • For the four preventative controls for the ‘identity crime’ enterprise fraud risk, two were ‘effective’ and two were ‘partially effective’, with four treatments identified following testing.
  • For the seven preventative controls for the ‘grant funding’ enterprise fraud risk, four were ‘effective’ and three were ‘partially effective’ with nine treatments identified following testing.

3.11 As discussed at paragraph 2.50, there was no testing of preventative controls for EFCRA fraud risks in 2022–23 or 2023–24.

3.12 The department undertook effectiveness testing of the 37 preventative controls identified in the 2022 Community Grants Hub-related grants fraud risk assessment (see Box 2). This testing identified 11 controls as ‘effective’, 23 controls as ‘partially effective’ and three controls requiring further testing to determine effectiveness.

Recommendation no.3

3.13 The Department of Health and Aged Care test the effectiveness of preventative and other fraud controls regularly, with appropriate intervals of control testing determined in line with the critical nature of the control; the department’s risk appetite and tolerance; and any changes to the internal or external operating environment of the entity.

Department of Health and Aged Care: Agreed.

3.14 The Department of Health and Aged Care has implemented a Fraud and Corruption Control Testing Framework in line with the new Commonwealth Fraud and Corruption Control Framework that came into effect 1 July 2024. Control testing activities have commenced in the department and all key findings will be presented to the Audit and Risk Committee.

Are appropriate mechanisms in place to promote fraud awareness and a culture of integrity?

Mechanisms were implemented to promote staff awareness of what constitutes fraud. Fraud awareness and integrity training were mandatory for all staff and completion rates were reported to executive and oversight committees. Reported completion rates in 2023 and 2024 ranged from 84 to 88 per cent overall. The department promoted fraud awareness to external parties through outreach activities, although grant opportunity guidelines and grant agreements for the Indigenous Australians’ Health Programme did not all refer to fraud. The effectiveness of measures to promote fraud awareness internally and externally was largely not evaluated.

3.15 Table 3.2 presents an assessment of the department’s approach to applying the Fraud Rule and Guidance in relation to fraud awareness and developing a culture of integrity.

Table 3.2: Assessment against the Fraud Framework — Fraud awareness

| Standard (Note a) | Source | Assessment | Paragraph |
|---|---|---|---|
| Entity has developed appropriate mechanisms to ensure staff are aware of what constitutes fraud, such as a strategy statement or control plan accessible to staff | Fraud Rule, paragraph 10(c)(i); Fraud Guidance, paragraphs 36 and 44 | | See paragraph 3.16 |
| Entity has developed suitable fraud and integrity training for staff | Fraud Guidance, paragraph 46 | | See paragraphs 3.17 to 3.19 |
| Entity has established outreach programs to inform clients, providers and the public about its fraud control arrangements | Fraud Guidance, paragraphs 49, 59 and 60 | | See paragraphs 3.20 to 3.21 |
| Entity has undertaken monitoring and evaluation of the effectiveness of fraud and integrity awareness initiatives | Fraud Guidance, paragraph 47 | | See paragraph 3.22 |

Key:  Fully compliant Partly compliant Not compliant.

Note a: For non-corporate Commonwealth entities, the Fraud Rule is mandatory and the Fraud Guidance is better practice.

Source: ANAO analysis of Department of Health and Aged Care documentation.

Fraud awareness

3.16 The department has maintained guidance to ensure officials are aware of what constitutes fraud. The guidance materials contained within the Accountable Authority Instructions (November 2021), Finance Business Rule (November 2021), FCCP 2023–2025 (June 2023), and fraud control information on its intranet are available to all staff, and inform staff about:

  • the definition of fraud based on the 2017 Commonwealth Fraud Control Framework;
  • the types of fraud staff may encounter in the department’s business activities;
  • case studies about how fraud may be perpetrated; and
  • examples of fraud controls that staff can implement in their business activities.

Fraud and integrity training

3.17 Integrity training is mandatory under the Australian Public Service (APS) Commissioner’s Direction 2022 for APS employees within six months of engagement in the APS.71 Fraud awareness and integrity training are mandatory for all departmental officials (including staff, contractors and consultants) under the 2021–2023 and 2023–2025 FCCPs. Fraud awareness training is to be completed within 30 days of commencement and annually thereafter.

3.18 The department’s fraud awareness training incorporates the items identified at paragraph 3.16. Integrity training informs staff of the legislative framework under the Public Service Act 1999, the requirements under the APS Values and Code of Conduct, definitions of the elements of the APS Values and Code of Conduct, and case studies of situations where the APS Values and Code of Conduct may require consideration.

3.19 The completion rates for fraud awareness and integrity training were reported at least twice annually to the Audit and Risk Committee (see paragraph 1.20), and periodically to the Executive Committee (see paragraph 1.20) and Security, Workforce Integrity and Assurance Committee (see paragraph 2.16). Reported overall completion rates are outlined at Table 3.3. A September 2023 report to the Audit and Risk Committee highlighted variation in fraud awareness completion rates between APS staff (92 per cent) and contractors (67 per cent), as well as across groups (ranging from 60 per cent for the Executive Group to 97 per cent for the Health Products Regulation Group). The training completion rate for the Health Strategy, First Nations and Sport Group was 92 per cent.

Table 3.3: Fraud and integrity training completion rates, 2023 and 2024

| | Fraud awareness training (%) | Integrity training (%) |
|---|---|---|
| At 15 August 2023 (Note a) | 84.3 | 87.6 |
| At 12 February 2024 (Note b) | 88.2 | 87.3 |

Note a: Based on information presented to the Audit and Risk Committee at its meeting on 27 September 2023.

Note b: Based on information presented to the Security, Workforce Integrity and Assurance Committee at its meeting on 26 February 2024.

Source: Department of Health and Aged Care.

Outreach programs

3.20 The department has established communication mechanisms to inform clients, providers and the public about fraud control arrangements. The department invited other Health and Aged Care portfolio entities to participate in Fraud Awareness Week72 activities in 2023. In November 2023 the department posted on its social media profiles information about fraud and the public’s ability to report allegations through a link to the department’s website.

3.21 For the Indigenous Australians’ Health Programme, the department communicates its risk and fraud management requirements through grant opportunity guidelines published on GrantConnect and grant agreements. Based on a sample of eight Indigenous Australians’ Health Programme grant programs (see paragraph 2.29 for how the sample was selected), the inclusion of information about fraud in grant opportunity guidelines and grant agreements was incomplete. Information about fraud was included in seven of eight programs’ grant opportunity guidelines. Four out of seven grant programs’ grant agreements had fraud clauses.73

Monitoring and evaluation of fraud awareness initiatives

3.22 The department evaluated the impact of its outreach activities during International Fraud Awareness Week in November 2023. It has not evaluated other fraud awareness initiatives it has undertaken, including activities aimed at grantees. The evaluation of 2023 Fraud Awareness Week initiatives reported a 58 per cent increase in tip-offs during the week; 70 reactions to fraud awareness and fraud reporting posts on Facebook, LinkedIn and Instagram; and participation of 56 attendees from other portfolio agencies in activities. The evaluation reported 1,823 attendees at Fraud Awareness Week presentations.

Opportunity for improvement

3.23 The department could establish regular arrangements to evaluate its internal and external fraud awareness initiatives.

Has appropriate training been provided to officials with fraud control responsibilities?

The department’s fraud control and investigation functions were centralised in the Fraud and Integrity Branch in April 2024. As at June 2024, 80 per cent of investigators and 76 per cent of officials undertaking fraud control activities had the appropriate qualifications. There was no framework for ongoing professional development.

3.24 Table 3.4 presents an assessment of the department’s approach to applying the Fraud Policy and Guidance in relation to training and qualifications for officials with fraud control responsibilities.

Table 3.4: Assessment against the Fraud Framework — Fraud training

| Standard (Note a) | Source | Assessment | Paragraph |
|---|---|---|---|
| Entity fraud investigations are carried out by appropriately qualified staff or external investigators | Fraud Policy, paragraph 9 | | See paragraphs 3.25 to 3.26 |
| Entity ensures officials primarily engaged in fraud control activities possess or attain relevant qualifications or training to effectively carry out their duties | Fraud Policy, paragraph 2 | | See paragraph 3.27 |
| The entity’s fraud control officials have completed a Certificate IV in Government Security or Diploma of Government (Fraud Control) | Fraud Guidance, paragraph 56 | | |
| The entity’s fraud control officials undertake ongoing professional development | Fraud Guidance, paragraph 57 | | See paragraph 3.30 |

Key:  Fully compliant Partly compliant Not compliant.

Note a: For non-corporate Commonwealth entities, the Fraud Policy is mandatory and the Fraud Guidance is better practice.

Source: ANAO analysis of Department of Health and Aged Care documentation.

Fraud investigator qualifications

3.25 The Australian Government Investigations Standard (AGIS) (2022) provides that for investigations within the Australian Government, ‘a vocational and educational training (VET) qualification must be obtained, unless another qualification or internal training is determined as equivalent’.74 Australian recognised qualifications are: Certificate IV in Government Investigations; Diploma of Government Investigations; or Advanced Diploma of Government Investigations.75 The AGIS identifies the Certificate IV as the foundational qualification and the Diploma as the supervisory qualification.76 The AGIS provides that ‘entities must ensure foundational qualifications (or equivalency) are obtained prior to supervisory qualifications.’77

3.26 As at June 2024 the department’s fraud investigations were undertaken within the Fraud and Integrity Branch across three sections: the Internal Investigations and Capability Section; the Health Provider Fraud Investigations Section; and the External Investigations Section. Across the three sections, the department advised the ANAO that, as at 14 June 2024, there were 45 staff undertaking investigations. Of the 45, 36 (80 per cent) had completed at least one of the VET qualifications or equivalent.

Fraud control official qualifications

3.27 The department advised the ANAO that, as at 14 June 2024, the Fraud and Integrity Branch had 17 staff undertaking fraud control activities, such as assessment, detection and intelligence. Of the 17, 13 (76 per cent) had completed a Certificate IV in Government (Fraud Control) or Diploma of Government (Fraud Control), or equivalent.

Recommendation no.4

3.28 The Department of Health and Aged Care ensure that fraud control and investigations officials have obtained the minimum qualifications set out in the Fraud Policy and Guidance and Australian Government Investigations Standard.

Department of Health and Aged Care response: Agreed.

3.29 The Department of Health and Aged Care recognises that compliance with the Fraud Policy and Guidance and Australian Government Investigations Standard (AGIS) is critical to carrying out its fraud control and investigative functions. The department is taking steps to ensure all fraud control and investigation officials achieve the minimum qualifications (or equivalent) as required by the Fraud Policy and Guidance and AGIS.

Professional development relating to fraud control

3.30 The department has no framework for the ongoing professional development of its fraud control officials. The department advised the ANAO in June 2024 that ongoing professional development is achieved through on-the-job training, coaching, mentoring, and formal and role-specific training courses. The department provided to the ANAO in June 2024 a list of fraud control and investigations training courses and secondments undertaken by relevant staff.

Opportunity for improvement

3.31 The department could document an approach to ongoing professional development for its fraud control officials.

4. Fraud detection and response

Areas examined

This chapter examines whether the Department of Health and Aged Care (the department) has established appropriate mechanisms to detect and respond to fraud.

Conclusion

The department’s mechanisms to detect and respond to fraud were partly appropriate. Planned testing of the effectiveness of detective controls in 2022–23 and 2023–24 was incomplete. Detective controls were primarily reactive in the form of referrals and tip-offs. As at June 2024 the department was putting in place measures to increase its use of proactive detective controls such as data analytics. Mechanisms to investigate and respond to fraud, including policies and procedures, were developing as part of an organisational change process. In 2022–23 and 2023–24, the department took ‘no further action’ on all closed fraud referrals and tip-offs relating to the Indigenous Australians’ Health Programme. Recorded decision-making in relation to these matters did not fully comply with investigations procedures. The department established largely appropriate mechanisms to record and report fraud.

Areas for improvement

The ANAO made one recommendation relating to quantifying estimates of losses from all types of external fraud and for all departmental programs. The ANAO also suggested that the department could review investigations procedural documentation for compliance with the Australian Government Investigations Standard; establish a definition and criteria for ‘serious and complex’ fraud in its procedural documentation to facilitate appropriate referrals to police; and ensure that fraud matters are linked to programs in case management systems.

4.1 The 2017 Commonwealth Fraud Control Framework requires entities to have appropriate mechanisms for detecting, investigating, recording and reporting incidents of fraud or suspected fraud.78

Have appropriate mechanisms been established to detect fraud?

The department established detective controls for fraud, primarily confidential reporting of tip-offs. For grants administered through the Community Grants Hub, there were arrangements in place with the Department of Social Services to escalate fraud risks and incidents. There were 12 potential fraud tip-offs and escalations relating to the Indigenous Australians’ Health Programme in 2022–23 and 2023–24. Proactive detective controls, such as data analytics, were developing. The department tested the effectiveness of its detective controls for enterprise fraud risks in 2021. Although the Fraud and Corruption Control Plan 2021–2023 required that controls be tested every six months, detective controls for enterprise-level fraud risks were not tested after 2021 (except for 2022 testing of Community Grants Hub fraud risks). The 2021 testing found that 65 per cent of detective controls were effective and 35 per cent were partly effective. Treatments were developed to address partly effective controls.

4.2 Table 4.1 presents an assessment of the department’s approach to applying the Fraud Rule and Guidance in relation to fraud detection.

Table 4.1: Assessment against the Fraud Framework — Fraud detection

| Standard (Note a) | Source | Assessment | Paragraph |
|---|---|---|---|
| Entity has a process for staff and other people to confidentially report suspected fraud | Fraud Rule, paragraph 10(d) | | See paragraphs 4.5 to 4.10 |
| Entity uses other measures (e.g. internal reviews and audits, data mining and data matching) to detect fraud | Fraud Guidance, paragraph 62 | | See paragraphs 4.11 to 4.15 |
| Entity’s detective controls are appropriate and effective | Fraud Rule, paragraph 10(d) | (Note b) | See paragraphs 4.16 to 4.18 |

Key:  Fully compliant Partly compliant Not compliant.

Note a: For non-corporate Commonwealth entities, the Fraud Rule is mandatory and the Fraud Guidance is better practice.

Note b: Rating is based on the department’s assessment of its detective controls. The ANAO did not undertake an independent assessment.

Source: ANAO analysis of Department of Health and Aged Care documentation.

4.3 As outlined at paragraph 2.21 and Box 1, the 2021 Enterprise Fraud and Corruption Risk Assessment (EFCRA) identified 12 enterprise fraud and corruption risks. The EFCRA established 57 detective controls (27 unique controls)79 applying to these 12 risks. This represented 35 per cent of all established fraud controls in the EFCRA. Detective controls include reactive controls such as fraud allegations reporting and proactive controls such as compliance monitoring, data matching capability and quality assurance processes.

4.4 For an enterprise fraud risk related to grants administration (see Risk 1 in Box 1), the department identified six detective controls. In September 2022 the department undertook a specific grant fraud risk assessment as it related to the Community Grants Hub (see paragraph 2.26 and Box 2). This assessment identified 16 detective controls (out of 53 controls) for nine grants fraud risks. Detective controls included reactive controls such as internal whistleblowing procedures (for the risk of internal exploitation of grants by public officials) and proactive controls such as due diligence checks over grant applicants (for the risk of falsified grant applications); grant agreement clauses requiring grantees to declare other contributions (for the risk of grantees receiving duplicate grants for the same service); and ongoing compliance, performance and contract reviews (for the risk of grants funds being used for improper purposes).

Reporting processes for suspected fraud

4.5 The department has channels for suspected fraud to be reported by departmental staff and the public80, comprising: an online form for reporting health provider-related fraud allegations81; an online form for reporting all other fraud allegations82; a telephone number; and an email address.83 The website indicates that the online form is secure to protect privacy, and that the person completing the form may remain anonymous. The forms do not require personal details be provided.

4.6 WSP Australia Pty Ltd is the National Infrastructure Projects Facilitator (NIPF) for major capital projects funded under the Indigenous Australians’ Health Programme (IAHP).84 KPMG was engaged85 to be the NIPF for the ‘Better Renal Services for First Nations Peoples’ Budget measure, with the role of assisting funded organisations under the measure to manage complex capital projects. The department advised the ANAO in June 2024 that the NIPF may report non-compliance that could indicate potential fraud.

4.7 In the 2022 grant fraud risk assessment, some detective controls were assigned to the Community Grants Hub. The Department of Social Services maintains ‘Hub fraud protocols’ (March 2020), which set out the roles and responsibilities for fraud prevention and detection. The Department of Social Services advised the ANAO in June 2024 that, to detect fraud, it reviews grant acquittals, grantee financial reports, grant milestone reports and information from other government agencies.

4.8 Under a partnership agreement with the Department of Social Services in relation to the Community Grants Hub (see paragraph 3.7), the Department of Social Services has an obligation to notify the Department of Health and Aged Care of any instances of fraud risk or incidents. According to the protocols, the Department of Social Services maintains a ‘Hub escalation process’ and ‘Hub escalation template’ to be used for ‘medium to high risk issues and incidents that require escalation and attention by a Client Agency.’ Escalations are recorded by the Department of Social Services in a register.

4.9 The central Fraud and Integrity Branch advised the ANAO in May 2024 that no matters related to the IAHP were referred or tipped off in 2022–23 or 2023–24 (to May 2024). The First Nations Health Division advised the ANAO in May 2024 of three matters that were referred to the department in 2022–23 and 2023–24 (to May 2024). The ANAO’s review of the Community Grants Hub’s register of escalations identified eight potential matters86 that related to the IAHP in the time period, including the three matters previously advised by the First Nations Health Division. The ANAO reviewed the department’s records management system and identified three additional public tip-offs in February and June 2023.87 The Fraud and Integrity Branch’s subsequent review of its case management system in July 2024 identified one further potential matter (a tip-off from the public) related to the IAHP. This totals 12 potential fraud matters associated with the IAHP in 2022–23 and 2023–24.

4.10 The grant toolkit states that if an escalation from the Department of Social Services ‘does reference possible fraud, [then staff] should ensure that [they] make contact with the Fraud Section as soon as possible.’ Of the eight escalated Community Grants Hub matters, one was escalated to the First Nations Health Division, which did not refer the matter to the department’s central fraud section. This matter was not recorded in the case management system. Although the other 11 matters were recorded in the case management system, the department advised the ANAO in July 2024 that it had initially stated that there were no matters related to the IAHP because its case management system did not classify matters by program. As noted at paragraph 2.4, the 2021–2023 and 2023–2025 fraud and corruption control plans (FCCPs) indicate that the application of fraud controls to divisional activities is the responsibility of division heads. The failure to link fraud matters with specific programs in the case management system may impede division heads and program staff from delivering on this responsibility (see paragraph 4.46).

Other measures to detect fraud

4.11 The Audit and Risk Committee was advised in November 2022 that data analytics was being used to monitor and identify irregularities in Medicare Benefits Schedule, Pharmaceutical Benefits Scheme and Child Dental Benefit Schedule claims by health providers, and that the department continued to engage with the Australian Taxation Office, Australian Criminal Intelligence Commission and Australian Charities and Not-for-profits Commission on data sharing and matching opportunities. The Secretary was advised in September 2023 that data analytics capability to detect ‘real-time’ Medicare payment fraud was being strengthened.

4.12 No outputs from data analytics work were presented to the Audit and Risk Committee or governance committees. The department reported in the 2022–23 Fraud Census (see paragraph 4.49) that there were 403 potential external fraud matters detected from ‘software flags, alerts, operational processes [and] data analytics’, including 15 relating to health providers.

4.13 Despite the focus on data analytics capability and a number of other proactive detective controls within the EFCRA, the department advised the Audit and Risk Committee in September 2023 that tip-offs were ‘currently the primary source of intelligence for the department.’

4.14 The department advised the ANAO in March 2024 that the Fraud and Integrity Branch was building expertise for a dedicated fraud detection team focused on proactive measures, and that a privacy impact assessment would likely be needed to ensure the proposed detection process meets privacy requirements. This information was presented to the Security, Workforce Integrity and Assurance Committee in May 2024. The Deputy Secretary, Corporate Operations was advised in June 2024 that the Fraud and Integrity Branch was implementing an automated detection solution.

4.15 In addition to data analytics, intelligence gathering through liaison with other entities is a potential proactive detection method, including for the IAHP.

  • Since 2022 the First Nations Health Division has engaged approximately 20 times with the Office of the Registrar for Indigenous Corporations and quarterly with the National Indigenous Australians Agency regarding grantee or contractor governance or financial management that may indicate the risk of fraud.
  • The department advised the ANAO in June 2024 that it meets on occasion with state/territory Community Grants Hub offices and the National Aboriginal Community Controlled Health Organisation88 regarding fraud risks.

Appropriateness and effectiveness of detective controls

4.16 The department reported to the Audit and Risk Committee that it received 1,084 fraud tip-offs in 2022–23 and 1,054 in 2023–24 (see paragraph 1.20).

4.17 As discussed at paragraph 2.50, the FCCP 2021–2023 required testing of controls every six months and the FCCP 2023–2025 did not require controls testing. In December 2021 the department tested the effectiveness of detective controls identified in the EFCRA. The EFCRA outlines the department’s approach to, and results of, controls testing. Detective controls were found to be ‘effective’ (65 per cent) or ‘partly effective’ (35 per cent), with no detective controls categorised as ‘ineffective.’ Following the controls testing, an additional 64 treatments were identified.89 There was no testing of detective controls for EFCRA fraud risks in 2022–23 or 2023–24.

4.18 The department’s testing of the effectiveness of six detective controls for the enterprise grant funding risk found three were ‘effective’ and three were ‘partially effective’, with nine treatments identified following testing. The department tested the 16 detective controls identified in the 2022 Community Grants Hub-related grants fraud risk assessment (see paragraph 4.4). This testing identified two controls as ‘effective’, 13 as ‘partially effective’ and one control requiring further testing to determine effectiveness.

Have appropriate mechanisms been established to investigate and respond to fraud?

Between February 2023 and April 2024, previously devolved investigative functions were centralised in one branch. Documented procedures to support the investigative function were developing and at 30 June 2024 were not fully compliant with the Australian Government Investigations Standard, consistent across different investigative functions or types of external fraud, or finalised. The audit examined 12 fraud referrals and tip-offs relating to the Indigenous Australians’ Health Programme that were made in 2022–23 and 2023–24. One allegation was not assessed, and as at July 2024, two matters had not been finalised. Decisions to take no further action on the remaining nine fraud matters were largely documented. Decisions were not made by officials with the appropriate level of seniority in seven of nine matters. There were no referrals to the Australian Federal Police for the Indigenous Australians’ Health Programme in 2022–23 and 2023–24. Case management system records did not include estimates of loss to fraud for non-health provider benefit external fraud matters, and these were not included in the department’s response to the Australian Institute of Criminology’s Fraud Census. It is therefore not possible for the department to assure itself that it has taken reasonable measures to recover financial losses caused by external fraud in a number of the department’s programs.

4.19 The department reported to the Audit and Risk Committee that, as at 31 December 2023, 354 fraud assessments had been completed in the first half of the financial year, 140 fraud assessments were on hand, and there were 138 active investigations.

4.20 Table 4.2 presents an assessment of the department’s approach to applying the Fraud Policy in relation to investigating and responding to fraud.

Table 4.2: Assessment against the Fraud Framework — Fraud investigation and response

| Standard (a) | Source | Assessment | Paragraph |
|---|---|---|---|
| Entity maintains appropriately documented procedures setting out criteria for making decisions at critical stages in managing a suspected fraud incident | Fraud Policy, paragraph 3 | (b) | See paragraphs 4.21 to 4.29 |
| All instances of suspected fraud were investigated, unless referred to and accepted by a law enforcement agency | Fraud Policy, paragraphs 6 and 7 | | See paragraph 4.30 |
| Entity appropriately documents decisions to use civil, administrative or disciplinary procedures, or to take no further action, in response to a suspected fraud incident | Fraud Policy, paragraph 5 | | See paragraph 4.31 |
| Entity has appropriately referred incidents of potentially serious and complex fraud to the Australian Federal Police | Fraud Policy, paragraph 8 | Not assessed (c) | See paragraphs 4.33 to 4.35 |
| Entity has taken reasonable measures to recover financial losses caused by illegal activity | Fraud Policy, paragraph 10 | | See paragraphs 4.36 to 4.41 |

Key: Fully compliant; Partly compliant; Not compliant.

Note a: The Fraud Policy is mandatory for non-corporate Commonwealth entities.

Note b: The ANAO’s assessment of documented decision-making procedures is based on four draft and nine finalised procedures that existed during the audit period. During 2022–23 and 2023–24, there were 107 policies and procedures for managing fraud investigations across three separate investigation functions in the department (see paragraph 4.24). These procedures were being reviewed and amended over the course of the audit to reflect the centralisation of functions (see paragraph 4.21), and therefore some draft procedures were assessed. At July 2024, overall the department had finalised 42 policies and procedures (see paragraph 4.24).

Note c: The appropriateness of decisions to refer or not refer matters to the Australian Federal Police was not assessed. None of the Indigenous Australians’ Health Programme potential fraud matters in 2022–23 and 2023–24 were referred to the AFP (see paragraphs 4.33 to 4.35).

Source: ANAO analysis of Department of Health and Aged Care documentation.

Documented procedures for fraud incidents

4.21 As noted at paragraphs 2.5 to 2.8, prior to February 2023 fraud investigations were undertaken in different areas of the department, depending on the type of fraud. Fraud policies, standard operating procedures (SOPs), guidelines and templates were maintained separately by the various fraud sections. Health provider benefit fraud was managed by the Health Provider Fraud Section (HPFS) within the Benefits Integrity and Digital Health Division, until the formation of the Fraud and Integrity Branch in April 2024.

4.22 In May 2023, following the establishment of the central Fraud Control and Investigation Branch in February 2023, the department engaged KPMG at a cost of $249,041[90] (GST inclusive) to review SOPs, develop draft procedures for data and intelligence sharing across entities, draft a triaging and prioritisation matrix, and consolidate investigation SOPs into a draft investigations manual.[91] KPMG completed this work in July 2023.

4.23 Following the KPMG work, the department initiated a project (the Australian Government Investigations Standard (AGIS) project) to support its compliance with the AGIS. A project plan dated August 2023 stated that:

A functional review and structural design of the branch was underway to consolidate duplicative and inconsistent functions and processes, address capability and capacity gaps and ensure compliance with Commonwealth Fraud Control Framework and the [AGIS]. The ambition is to be ‘future-ready’ by building high-end preventative, detection and intelligence and investigative capabilities comparable to other matured and centralised Commonwealth fraud management and investigation functions.

4.24 An ‘AGIS Project Index,’ dated August 2023, listed 17 SOPs, 19 templates and eight governance arrangements to be developed or updated to meet AGIS requirements. An August 2023 schedule for the AGIS project set out the timeframes for completion. Documents were categorised as first or second priority, with creation and updating of first priority documents to be completed by early October 2023, and the creation and updating of second priority documents to be completed by late November 2023. The department advised the ANAO in July 2024 that the AGIS project was paused in November 2023 in anticipation of the further consolidation of the department’s fraud functions, and recommenced in February 2024. The department advised the ANAO in May 2024 that there were 107 policies and procedures in operation for its investigations function during 2022–23 and 2023–24, which included a combination of draft, active and superseded guidance documents. As at 30 June 2024 the AGIS project was not complete. In July 2024 the Operational Management Committee[92] endorsed 42 investigations procedures and templates.

4.25 In February 2024 a draft ‘Preliminary Analysis Operating Framework’ was developed, which provided a standardised approach for triaging, assessing, categorising and prioritising fraud allegations (except for health provider benefits fraud). In March 2024 a draft Prevention, Detection and Investigations Manual was developed. As at June 2024 a draft ‘Investigations Doctrine’ was also developed to guide the conduct of investigations. The department advised the ANAO in July 2024 that work was undertaken to reconcile and de-duplicate material in the various procedural documents.

4.26 The documents state that they apply to internal and external fraud and corruption allegations for all departmental programs, excluding health provider fraud for the Medicare Benefits Schedule, the Pharmaceutical Benefits Scheme and the Child Dental Benefits Schedule (which was managed separately by the HPFS until April 2024). The HPFS policies and procedures for decision-making contain differing processes and approval levels to the draft Investigations Doctrine. The department advised the ANAO in June 2024 that:

It is the Branch’s intention to consolidate common operational procedural documents to ensure consistency of practice. This has been delayed due to the deferred arrival of [HPFS] into the [Fraud and Integrity] Branch … It is expected the [draft Investigations] Doctrine and other supporting templates and [SOPs] will come online by June 30, 2024, with further procedural instructions, guidance and artefacts released as the Branch consolidates and stands up a single [Policy and Procedures Control Framework] and systems are implemented to support sound work practices.

4.27 The ANAO assessed the draft Investigations Doctrine (May 2024 version) and associated policies and procedures against mandatory AGIS requirements.[93] The draft Investigations Doctrine and associated policies and procedures were not fully compliant with the AGIS in the areas of legal professional privilege, evidence and exhibit audits, requests for specialist services, and international requests.

Opportunity for improvement

4.28 In finalising the Investigation Doctrine and supporting documents, the department could review compliance with the Australian Government Investigations Standard.

4.29 Box 4 shows decision-making criteria as outlined in the draft Prevention, Detection and Investigations Manual (March 2024).

Box 4: Investigations decision-making criteria and procedures

Criteria to guide decisions on whether to commence an investigation are set out in the Matter Prioritisation Model (MPM). The MPM includes a set of standard factors to be assessed and scored: value of the alleged fraud; nature of the alleged fraud; likelihood of ongoing offending; prospect of sufficient evidence for prosecution; benefits of investigation; likely cost of investigation; political or public sensitivity; and department priority.

Based on the final score, a matter is placed into one of four priority categories:

  • Category A — unlikely to be allocated for investigation — insufficient evidence to support an investigation;
  • Category B — as time and resources become available, commence investigation;
  • Category C — as soon as possible commence investigation — takes priority over routine matters assigned to investigator; and
  • Category D — immediately commence investigation.

As at June 2024 separate and different criteria for prioritisation and decision-making existed for HPFS and health provider benefit fraud.

There are generally five outcomes resulting from an assessment report, comprising: no further action; internal referral; external referral; National Anti-Corruption Commission referral; or proceed to investigation. The Audit and Risk Committee was advised in September 2023 that internal referral refers to other compliance treatment which includes peer review, audit, education or civil recovery of benefits. Reasons for determining a matter to require no further action or internal referral were described as: insufficient evidence to meet the threshold of fraud; allegation did not relate to the department’s programs or systems; or there was insufficient information to enable an investigation to proceed due to the complainant being anonymous or unwilling to provide additional information.

Procedures for the referral of investigations to the Australian Federal Police (AFP) are outlined in the draft Investigations Doctrine and, for the HPFS, a July 2022 guidance document titled ‘Critical Decisions’. Guidance on making AFP referrals differs between the two documents. For example, the draft Investigations Doctrine requires Operational Management Committee approval to refer a matter to the AFP, while ‘Critical Decisions’ requires Assistant Director (Executive Level 1 official) approval.

Investigating suspected fraud

4.30 Paragraphs 6 and 7 of the Fraud Policy require non-corporate Commonwealth entities to investigate all instances of suspected fraud, unless referred to and accepted by a law enforcement agency. The triage and assessment process described in Box 4 means that not all instances of suspected fraud are investigated in the department. The ANAO considered whether all matters were at least assessed, for the 12 Indigenous Australians’ Health Programme fraud matters in 2022–23 and 2023–24. As outlined at paragraph 4.10, for the Indigenous Australians’ Health Programme, one of 12 fraud matters was not referred to the department’s central fraud team. This matter was not recorded in the case management system or assessed. The remaining 11 matters were assessed (nine) or in the process of being assessed (two) as at July 2024, with a determination of no further action for the nine matters that had an outcome.

Documented decisions for responses to fraud

4.31 Table 4.3 shows the ANAO’s assessment of documentation of assessments and decisions for the 12 Indigenous Australians’ Health Programme (IAHP) fraud matters raised between 1 July 2022 and 30 June 2024.

Table 4.3: Documentation of decision-making for IAHP fraud matters, at July 2024

| Source of requirement | Requirement | Results | Assessment |
|---|---|---|---|
| Preliminary Analysis — Fraud Triage and Assessment — Standard Operating Procedure (draft) | Assessment outcome recorded in the department’s fraud case management system. | 11 of 12 allegations were assessed, with an outcome determined for 9 of 11 as at July 2024. All 9 outcomes (no further action) were recorded in the case management system. Of the 2 that did not have a final assessment decision: one was received on 31 July 2022 and as at July 2024 was still under assessment; and one was received on 2 February 2023 and had a draft assessment report dated July 2023 recommending no further action, which was not finalised as at July 2024. | |
| Fraud Assessment, Detection and Intelligence Section Triage template; Assessment Standard Operating Procedure — (draft) | Decision-maker recorded in the system. Recommendations on the appropriate course of action reviewed and approved by an Executive Level 2 (EL2) official. | Of the 9 allegations with an assessment outcome, the decision-maker was recorded in the system or supporting documentation. Of the 9 decisions: two were reviewed and approved by an EL2 officer; and seven were reviewed and approved by a lower ranking official than required (2 by an EL1 official and 5 by lower level staff). | |
| Investigations Doctrine (draft) | All key decisions, actions and correspondence must be recorded in the case management system in an appropriate and timely manner … Items must be recorded so others can review the case and easily understand what investigation activities have taken place. | Of 11 recorded allegations, documentation was sufficiently complete to allow others to understand what assessment activities had taken place for 10 matters. In the 11th matter, records of interactions with a state law enforcement agency were not complete and had not been maintained since June 2023 (see Case study 1). Information pertaining to the waiver of potential debts was not maintained. | |

Key: Fully compliant; Partly compliant; Not compliant.

Source: Department of Health and Aged Care information in case management and records management systems.

4.32 Case study 1 shows issues related to record-keeping for one matter related to the IAHP.

Case study 1. Indigenous Australians’ Health Programme alleged fraud matter

In mid-2022, the department received an allegation of potential fraud from the Department of Social Services. The Community Grants Hub had received intelligence from an IAHP grant recipient organisation that two senior employees had misappropriated funds from the Comprehensive Primary Health Care (CPHC) grant. The grant recipient organisation estimated the value of the alleged fraud at $100,000.

Departmental records from mid-2022 state that the grant recipient had not raised the matter with police due to a reluctance by the grantee to engage with law enforcement. The department assessed the allegation and decided to take no further action. The rationale for taking no further action was that the matter had not been reported to the police or the Office of the Registrar of Indigenous Corporations (ORIC), and as the organisation obtained ‘funds by other means such as claims for Medicare funding from the government under section 192 exemption, it is unknown if the misspent funds were derived from Commonwealth funding, and therefore hard to prove fraud against Commonwealth funding.’ Despite being advised of the estimated value of the alleged fraud by the grant recipient organisation, the department’s records did not include an estimation of the potential financial loss to the Commonwealth.

The ANAO reviewed the grantee’s financial statements lodged with ORIC and identified that over 90 per cent of the organisation’s revenue was through government grants, with the majority through Australian Government grants.

In making the decision to take no further action on the matter, the department advised the Community Grants Hub that the matter could be re-opened if further evidence produced through audit or compliance activity indicated the issue was systemic within the organisation, however, based on current information the allegation was ‘a compliance matter for the program area to raise a debt where non-compliance with grant agreement and subsequent misspending has been identified.’

In late 2022 the grantee organisation referred the alleged fraud to the relevant state police authority, which investigated the matter and following the completion of its investigation determined to proceed with a restorative justice mechanism wherein part of the monies would be repaid. In mid-2023, after receiving an updated risk escalation from the Community Grants Hub, the department provided in-principle approval to the grant recipient organisation to proceed with the restorative justice mechanism and stated that it would assess the potential impact of a debt to the Commonwealth and whether it may require a waiver. A departmental fraud investigator raised a concern at this time that the lack of investigation on the part of the department may have been an oversight and an error.

The department’s records do not show how these issues were resolved or if any advice was provided to the grant recipient organisation to inform the closure of the matter.

Referrals of serious and complex fraud

4.33 The draft Investigations Doctrine establishes the process for referring serious and complex fraud matters to the AFP by the Operations Management Committee and states that this should be done in accordance with the AFP’s ‘preferred pathway’. A link is provided to procedures on the AFP website. The draft Investigations Doctrine does not provide a definition or criteria for determining whether a matter represents ‘serious and complex fraud’. This was defined in the 2017 Fraud Guidance.[94] The definition has been removed from the 2024 Commonwealth Fraud and Corruption Control Framework.

Opportunity for improvement

4.34 The department could include a definition and criteria for ‘serious and complex fraud’ in its procedural documentation, to assist officials in meeting the mandatory requirement of the Fraud Policy to refer incidents of potentially serious and complex fraud to the AFP.

4.35 The department advised the ANAO in May 2024 that, across all matters in the department, in 2022–23 and 2023–24 one investigation had been referred to the AFP, and there were five Proceeds of Crime Act applications[95] made to the AFP. Of the active investigations as at 30 June 2024, the five matters with highest estimated loss to fraud were valued at $7.3 million; $3.3 million; $2.4 million; $1.8 million; and $1.4 million. All five matters related to health provider benefits fraud. As at 30 June 2024, these investigations were in progress with a decision on referring these matters to the AFP to be determined. The department sought AFP assistance in four of the matters during the course of the investigation.

Measures to recover financial losses from fraud

4.36 The department has policies and procedures on its intranet relating to debt recovery. This includes Accountable Authority Instructions (October 2015), Finance Business Rules (March 2024), a debt recovery factsheet and a debt escalation framework. A Finance Business Rule ‘Recovery of debts’ states that under section 11 of the Performance, Governance and Accountability Rule 2014 (PGPA Rule), the department is required to pursue all debts owing to the Commonwealth, and that debts must be pursued ‘vigorously’. The Finance Business Rule specifies that responsibility for identifying and quantifying debts rests with the business unit managing the underlying financial arrangement which gave rise to the debt. Accurate and complete debtor information must be maintained to allow complete reporting in the department’s financial statements.

4.37 Table 4.4 shows quantified financial losses from finalised investigations or alternative actions, the total debts raised, and the value of proceeds recovered for the department, as reported through the Fraud Census for 2022–23 and 2023–24 (see paragraph 4.49).

Table 4.4: Reported financial losses to fraud and recoveries, 2022–23 and 2023–24

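| Period | Fraud type | Loss ($) | Relating to number of matters | Debts raised ($) | Debts recovered ($) |
|---|---|---|---|---|---|
| 2022–23 | Internal | 43,000 | 1 | 0 | 0 |
| 2022–23 | External (HPFS) | 6,852,899 | 52 | 4,447,661 | 1,639,198 |
| 2022–23 | External (other) | Unknown (a) | Unknown (a) | Unknown (a) | Unknown (a) |
| 2023–24 | Internal | 0 | 0 | 48,948 | 0 |
| 2023–24 | External (HPFS) | 9,498,030 | 41 | 5,424,465 | 2,502,615 |
| 2023–24 | External (other) | 0 (b) | 6 | 0 | 0 |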

Note a: This information was reported by the department as ‘unknown or not quantifiable’ in the Fraud Census 2022–23.

Note b: The department advised the ANAO in October 2024 that the six external (other) fraud matters in 2023–24 were estimated at zero value because their briefs of evidence were declined by the Commonwealth Director of Public Prosecutions.

Source: ANAO analysis of Department of Health and Aged Care submissions to the Fraud Census for 2022–23 and advice to the ANAO for 2023–24.

4.38 The department reported in the 2022–23 Fraud Census that the value of loss to external fraud (including within grant programs) was ‘unknown or not quantifiable’ except for health provider fraud matters managed by HPFS. This suggests that the value of potential loss to fraud as reported to and published by the Australian Institute of Criminology is understated for the department. HPFS’s case management system (CWMS, see paragraph 4.48) has data fields for the estimated amount of potential loss for each case in the system. The VOLT case management system used for internal and non-HPFS external fraud matters does not have this capability.

4.39 In its 2022–23 report, the Australian Institute of Criminology indicated that, for internal fraud, 12 entities (of 157 reporting entities) quantified fraud losses, and nine reported quantifiable recoveries greater than zero. For external fraud, 18 entities quantified fraud losses and 21 reported quantifiable recoveries greater than zero.[96] Quantifying fraud risks, where possible, provides an evidence base to support the accountable authority’s assessment of whether the entity’s prioritisation of fraud risks is appropriate, the control framework is robust, and the level of resourcing focussed on fraud controls is appropriate.

4.40 The reported amount of fraud loss recovered by the department was $1.6 million in 2022–23 (see Table 4.4). The Australian Institute of Criminology reported the overall rate of recovery of quantified fraud for reporting Commonwealth entities was 8.5 per cent for internal fraud and five per cent for external fraud in 2022–23. By contrast, based on 2022–23 Fraud Census reporting, the department’s reported recovery rate was zero per cent and 24 per cent, respectively.

4.41 The Commonwealth Fraud Prevention Centre (Attorney-General’s Department) in its publication ‘The total impacts of fraud’ provides that ‘government entities generally lose between 0.5 percent and [five] percent of their spending to fraud and related loss based on international estimates’.[97] For the department, this range applied against its 2023–24 Budget[98] is between $0.5 and $5.3 billion. A ‘potential loss to fraud’ of $5.095 billion was reported to the Executive Committee and Audit and Risk Committee through dashboard reporting (see Table 1.6 and paragraph 4.56).

Recommendation no.5

4.42 The Department of Health and Aged Care implement processes to quantify and record estimates of losses from external fraud for all types of external fraud and all departmental programs, where quantification is possible.

Department of Health and Aged Care response: Agreed.

4.43 The Department of Health and Aged Care is reviewing its processes to incorporate estimates of financial loss at the case assessment stage of an investigation. It is also exploring options for a new case management system to support capturing and retrieving financial estimates.

Have appropriate mechanisms been established to record and report fraud?

The department had standard operating procedures to collect and manage fraud information, although many were in draft form as at June 2024. Procedures for recording information in a fraud case management system did not require the linkage of matters with programs, obscuring visibility of program-related fraud matters by responsible officials. This practice is inconsistent with divisional responsibility for fraud control activities and controls. The department completed the annual Fraud Census reporting requirements for 2022–23 with inaccuracies. The department established a process to identify matters representing significant non-compliance with finance law that should be reported to relevant ministers, and no fraud matters were reported in 2022–23 or 2023–24. The accountable authority certified in the annual report that the department has taken all reasonable steps to deal with fraud. The Secretary’s certification was supported by assurances from the Audit and Risk Committee. In 2022–23 and 2023–24 the Audit and Risk Committee did not implement all of its planned activities in relation to fraud controls, and in assuring the accountable authority on the effectiveness and appropriateness of the department’s fraud control arrangements, it largely relied on management representations. Disclosures about fraud matters were made to other entities in relation to internal and external health provider fraud.

4.44 Table 4.5 presents an assessment of the department’s approach to applying the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and the Fraud Policy in relation to recording and reporting fraud.

Table 4.5: Assessment against the Fraud Framework — Fraud reporting

| Standard (a) | Source | Assessment | Paragraph |
|---|---|---|---|
| Entity has procedures to collect and manage information gathered about fraud | Fraud Policy, paragraph 12 | (b) | See paragraphs 4.45 to 4.48 |
| Entity provided requested information to the Australian Institute of Criminology by 30 September each year to support its annual report | Fraud Policy, paragraph 13 | | See paragraphs 4.49 to 4.50 |
| Entity has reported incidents of fraud to relevant ministers as significant non-compliance with the finance law | PGPA Act, section 19 | | See paragraph 4.51 |
| Entity has met reporting requirements in its annual report as they relate to fraud (accountable authority certification of Fraud Rule compliance) | PGPA Act, section 17AG | | See paragraphs 4.52 to 4.58 |
| Where an investigation has disclosed potential criminal activity involving another entity’s activities or programs, the entity has reported the matter to the other entity | Fraud Policy, paragraph 11 | (c) | See paragraph 4.59 |

Key: Fully compliant; Partly compliant; Not compliant.

Note a: The Fraud Policy is mandatory for non-corporate Commonwealth entities.

Note b: Assessment is based on draft fraud control procedures as they existed at 30 June 2024. The ANAO did not undertake detailed assessments of procedures that existed prior to the AGIS Project, which commenced in July 2023 (see paragraph 4.23).

Note c: The ANAO did not comprehensively assess all matters to determine where a report was warranted, but noted that some reports to other entities were made for internal and external fraud during 2022–23 and 2023–24.

Source: ANAO analysis of Department of Health and Aged Care documentation.

Procedures to collect and manage information on fraud

4.45 The draft Investigations Doctrine (May 2024) sets out requirements for fraud information records management in the Fraud and Integrity Branch at a high level. Other draft standard operating procedures and templates set out record-keeping requirements in more detail for the Fraud and Integrity Branch. All key decisions, actions and correspondence relating to fraud investigations and intelligence must be recorded in VOLT, a case management system. The draft Investigations Doctrine states this must be done ‘in an appropriate and timely manner … so that others can review the case and easily understand what investigation activities have taken place.’ All fraud records, which are defined as ‘documents or objects in any form to support a business decision, transaction or activity, including evidence’ must be filed in the department’s approved electronic document and records management system, TRIM, in accordance with the department’s broader records management policy, including in relation to document naming conventions.

4.46 As noted at paragraph 4.10, the department has not linked fraud matters in the case management system VOLT to the specific grant program to which matters relate. This is not consistent with FCCP 2023–2025 and Finance Business Rule requirements that ‘programs and projects should identify what reporting and detection activities are required … ’, that responsibility for identifying and quantifying debts rests with the business unit managing the underlying financial arrangement which gave rise to the debt, and that program areas and division heads retain accountability for the application of fraud controls to divisional activities.

Opportunity for improvement

4.47 The department could ensure that the way that fraud matters are recorded in case management systems enables divisions to appropriately manage and retain accountability for fraud matters that relate to relevant programs.

4.48 Record-keeping requirements for HPFS, which manages health provider benefits fraud for Medicare Benefits Schedule, Pharmaceutical Benefits Scheme and Child Dental Benefits Schedule, are set out in the procedures document ‘Critical Decisions’ (July 2022, see Box 4). This document states that records of critical decisions are to be made using a Critical Decision Record (CDR) template, which collects different and more precise information to that required by an assessment report template used by the Fraud and Integrity Branch.[99] Some more detailed information about documenting HPFS fraud matters is set out in other procedures that were overdue for review according to review dates set by the department.

Reporting to the Australian Institute of Criminology

4.49 Section 14 of the Fraud Policy states that Australian Government entities must provide information to the Australian Institute of Criminology by 30 September each year to support the Fraud Against the Commonwealth census (Fraud Census).[100] The Australian Institute of Criminology advised the ANAO in June 2024 that with the agreement of the Attorney-General’s Department, this date was amended to end October and that extensions can be requested. The department’s compliance with reporting requirements is outlined in Table 4.6.

Table 4.6: Compliance with Fraud Census submission timeframe

| Period | Fraud census due date | Department submission date |
|---|---|---|
| 2021–22 | 28 October 2022 | 28 October 2022 |
| 2022–23 | 27 October 2023 | 1 November 2023 |

Source: Australian Institute of Criminology.

4.50 The number of fraud allegations reported in the 2022–23 Fraud Census was inconsistent with internal fraud dashboard reporting and the department’s 2022–23 annual report.[101] The department advised the ANAO in June 2024 that due to separate investigation teams applying different definitions and assessment processes, 255 health provider fraud tip-offs were duplicated in the 2022–23 Fraud Census. After being alerted to it by the ANAO, the department informed the Australian Institute of Criminology of the error in June 2024.

Reporting incidents of fraud to relevant ministers

4.51 Under section 19 of the PGPA Act, significant matters of non-compliance with finance law are to be reported to the portfolio minister and the Minister for Finance. Department of Finance guidance indicates that this includes serious fraudulent activity by officials or non-officials, reflecting internal control shortcomings.[102] The department has established a process to assess and identify matters to be reported to the minister as part of a ‘PGPA non-compliance report’ that is provided to the Audit and Risk Committee. The PGPA non-compliance report states that non-compliance assessments are made ‘per the assessment criteria’ as outlined in the Finance guidance. The department advised the ANAO in June 2024 that it did not report any fraud incidents as significant non-compliance with finance law in 2022–23 or 2023–24.

Annual reporting requirements

4.52 Under section 17AG of the PGPA Rule, the accountable authority of a Commonwealth entity is required to certify that fraud risk assessments and control plans have been prepared for the entity; appropriate mechanisms for preventing, detecting incidents of, investigating or otherwise dealing with, and recording or reporting fraud are in place; and all reasonable measures have been taken to deal appropriately with fraud relating to the entity. The department’s annual reports for 2021–22[103] and 2022–23[104] included the Secretary’s certification.

4.53 A ‘certification pack’ was provided to the Secretary in September of each year to support the certification. The 2022–23 certification pack included the number of tip-offs received in 2022–23 and other statistics, fraud briefings that had been provided to the Audit and Risk Committee (ARC) and the Fraud and Corruption Control Plan 2023–2025. The pack did not highlight that preventative and detective controls for fraud had not been tested since 2021.

4.54 At the end of 2022 and 2023, the Chair of the ARC provided the Secretary with an annual report documenting the work it had performed and its advice on the department’s system of risk oversight and management. In relation to fraud, the ARC’s 2023 annual report stated that it had reviewed the assurances provided by management in relation to fraud control, that it had formed a view that the activities for fraud control were appropriate, and that it noted that there was an undertaking to implement further strategies on fraud prevention, public interest disclosures, data analytics and intelligence, and internal and external collaboration.105 The 2023 annual report also stated that it had received briefings on the 2023 Independent Review of Medicare Integrity and Compliance (Medicare Review).106

4.55 Appendix 3 shows the key activities in the ARC’s 2022, 2023 and 2024 forward work plans through which the ARC was to provide assurance over the appropriateness of the department’s fraud control arrangements. ARC activities did not fully align with the 2022, 2023 and 2024 forward work plans. In providing assurance to the Secretary, the ARC largely relied on management’s representations on the implementation of fraud control activities. ARC papers do not refer to independent enquiries or assurance over management representations, with the exception of the ARC’s review of the 2023 Medicare Review. As noted at paragraph 2.35, one of 39 internal audit reports in 2022–23 and 2023–24 (the program for which is endorsed by the ARC) addressed fraud risks.

4.56 Year-end reporting to the ARC for 2022–23 included a dashboard with:

  • counts of fraud tip-offs by program (HPFS and aged care), public interest disclosures, assessment outcomes, active investigations, briefs of evidence provided to the Commonwealth Director of Public Prosecutions, matters before the court, and prosecution outcomes;
  • the ‘potential loss to fraud’ (which was estimated to be $5.095 billion in 2022–23, based on five per cent of $101.5 billion expenditure on departmental programs) and matters before the court ($10.2 million);
  • resources used in fraud and corruption control (which was 57 Average Staffing Level and a budget of $5.7 million); and
  • mandatory fraud training completion rates.

4.57 The ARC was told that tip-offs had increased by approximately 27.1 per cent compared to 2021–22. Although not reported to the ARC in percentage terms, the report also demonstrated that tip-offs had increased by 73.2 per cent compared to 2020–21. The increase in tip-offs was largely attributed to a rise in aged care fraud allegations. No further trend or explanatory analysis was provided at that time.

4.58 In November 2022 and March 2023 the ARC had been advised that a June 2022 KPMG report commissioned by the department on fraud in the Home Care Packages Program107, as well as Australian Criminal Intelligence Commission warnings, were indicating that aged care was a particular risk area for fraud control due to the infiltration of organised crime groups in similar programs such as the National Disability Insurance Scheme. Approximately 40 per cent of fraud allegations in aged care related to the Home Care Packages Program, which KPMG estimated was resulting in fraud losses of up to $323 million annually. The ARC was informed that there would be a greater focus on prevention and detection activities in aged care, and that input had been provided into the development of the new Aged Care Act to strengthen criminal investigations powers and introduce new criminal provisions.

Disclosure of potential criminal activity to other entities

4.59 In 2022–23 and 2023–24, one internal fraud matter and four external fraud matters were disclosed to other entities. The external fraud disclosures related to health provider benefits matters with the potential to impact other Commonwealth entities’ program activities. No external matters relating to the Indigenous Australians’ Health Programme or other non-health provider benefit activities were disclosed.

5. Preparation for the 2024 Commonwealth Fraud and Corruption Control Framework

Areas examined

This chapter examines whether the Department of Health and Aged Care (the department) has appropriately prepared for the commencement of the revised Commonwealth Fraud and Corruption Framework on 1 July 2024.

Conclusion

Planning for the commencement of the 2024 Commonwealth Fraud and Corruption Framework was appropriate. There was a fit-for-purpose implementation plan. Although the department was not fully prepared in accordance with its implementation plan on 1 July 2024, most elements were completed or in progress. In early July 2024 the department established a framework to support the periodic testing of fraud controls.

5.1 From 1 July 2024, non-corporate Commonwealth entities must adhere to the 2024 Commonwealth Fraud and Corruption Policy.108 Effective planning and preparation will help ensure that entities are compliant with the revised framework.

Is there a fit-for-purpose implementation plan?

The department developed an implementation plan to prepare for the Commonwealth Fraud and Corruption Control Framework. Education and awareness activities were delivered, and existing governance arrangements were assessed and considered suitable to meet the requirements of the new framework. On 1 July 2024 the department published revised governance documents to meet requirements of the new framework. Of 10 implementation plan activities due to be completed by 30 June 2024, nine had been delivered by early July. The one exception was a revised Enterprise Fraud and Corruption Risk Assessment.

5.2 The department prepared for implementing requirements of the Commonwealth Fraud and Corruption Control Framework by developing:

  • a one-page communications plan which covered the period March 2024 to July 2024;
  • a high-level roadmap that outlined activities, milestones and the number of staff required to deliver activities (endorsed on 3 June 2024 by the Deputy Secretary, Corporate Operations (Chief Operating Officer), who is responsible for oversight of the implementation of the Commonwealth Fraud and Corruption Control Framework);
  • a draft fraud and corruption control corporate reporting proposal;
  • a draft fraud control testing framework; and
  • a draft ‘assuring change integrity’ framework (which addresses consideration of fraud risks by five ‘change areas’ in the department including digital and ICT).

5.3 In April 2024 the Commonwealth Fraud Prevention Centre published an example implementation roadmap to assist Commonwealth entities to implement the new Commonwealth Fraud and Corruption Control elements.109 The example lists 12 steps entities may need to take to implement and comply with requirements. The department’s implementation roadmap largely reflects the 12 steps outlined in the Commonwealth Fraud Prevention Centre’s example. The roadmap did not assess risks to implementation or outline treatments to manage risks (such as delays to approving, endorsing and publishing key documents required to achieve compliance from 1 July 2024).

5.4 On 3 June 2024 the Deputy Secretary, Corporate Operations was briefed on progress towards commencement of the new Fraud and Corruption Framework on 1 July 2024. Reported activities included the updating of internal policies, plans, risk assessments (including the Enterprise Fraud and Corruption Risk Assessment), Accountable Authority Instructions, Finance Business Rules, mandatory training modules, intranet content, and other artefacts. The briefing stated that the Fraud and Integrity Branch was ‘well advanced’ in its preparations to ensure compliance from 1 July 2024. Similarly, the Fraud and Integrity Branch’s update to the Audit and Risk Committee on 17 June 2024 stated that it was ‘well advanced’. The updates did not outline how risks of non-compliance from 1 July 2024 would be managed.

5.5 In accordance with the communications plan, artefacts such as digital posters and screen savers were developed in May 2024. An all-staff email and newsletter were delivered in July 2024. An Executive Committee update planned for July was deferred to August 2024 to enable advance briefing of the Audit and Risk Committee. In addition to the activities listed in the communications plan, the Deputy Secretary, Corporate Operations was advised in June 2024 that engagement had included presentations at branch and division meetings, targeted emails to the Senior Executive Service, communication through other channels, and fact sheets; and that the engagement would continue throughout the year.

5.6 Roadmap activities and their status were reported to the Audit and Risk Committee on 17 June 2024 (Appendix 4). The department provided evidence to the ANAO of other activities having been completed by early July 2024. All planned activities except one (an updated Enterprise Fraud and Corruption Risk Assessment (EFCRA)) were reported as completed by early July 2024.

5.7 One of the requirements of the new framework is that entities are to have governance structures and processes in place to effectively oversee and manage fraud and corruption risks; have officials who are responsible for managing fraud and corruption risks; and keep records identifying those structures, processes and officials. The briefing to the Deputy Secretary, Corporate Operations advised that the department’s current governance arrangements met these requirements. The Deputy Secretary, Corporate Operations agreed that existing departmental governance arrangements met the department’s obligations under the new framework.

Is there a plan to evaluate implementation of new or revised fraud and corruption controls?

A fraud and corruption control testing framework was finalised on 4 July 2024.

5.8 The 2024 Fraud and Corruption Rule requires entities to periodically test the effectiveness of their fraud and corruption controls.110 This requirement aligns the Fraud and Corruption Rule with the Commonwealth Risk Management Policy, which has required entities to periodically review the effectiveness of controls since 1 January 2023.111

5.9 As noted at paragraphs 2.12 and 2.22, the department engaged Deloitte to review the Enterprise Fraud and Corruption Risk Assessment before 30 June 2024 to inform updates to the Fraud and Corruption Control Plan. This engagement was later extended to 30 November 2024. The department’s implementation roadmap listed ‘Fraud and Corruption Controls Testing Framework’ as an activity to be completed by early June 2024. The department finalised the framework on 4 July 2024.

5.10 The draft fraud and corruption control corporate reporting proposal listed at paragraph 5.2 states that the department will implement bi-annual reporting to governance committees and the accountable authority, which will cover: emerging risks and threats, data on control gaps and risk treatments.

Appendices

Appendix 1 Entity response

An image that outlines the Department of Health and Aged Care’s response to the proposed audit report. In the response, the department acknowledges the findings in the report and accepts its recommendations.

Appendix 2 Improvements observed by the ANAO

1. The existence of independent external audit, and the accompanying potential for scrutiny improves performance. Improvements in administrative and management practices usually occur: in anticipation of ANAO audit activity; during an audit engagement; as interim findings are made; and/or after the audit has been completed and formal findings are communicated.

2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts. The ANAO’s Corporate Plan states that the ANAO’s annual performance statements will provide a narrative that will consider, amongst other matters, analysis of key improvements made by entities during a performance audit process based on information included in tabled performance audit reports.

3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:

  • strengthening governance arrangements;
  • introducing or revising policies, strategies, guidelines or administrative processes; and
  • initiating reviews or investigations.

4. During the course of the audit, the Department of Health and Aged Care (the department) was in the process of centralising previously decentralised fraud control and investigations functions, including human resources, and fraud control processes, investigations and reporting functions into a new Fraud and Integrity Branch.

5. The below actions by the department were observed by the ANAO during the course of the audit. It is not clear whether these actions and/or the timing of these actions were planned in response to proposed or actual audit activity. The ANAO has not sought to obtain assurance over the source of these actions or whether they have been appropriately implemented.

  • In April 2024, the department amended its template for business plan risk assessments to include the identification and assessment of fraud risks (paragraph 2.23).
  • In May 2024, the department commenced a review and update of its enterprise fraud and corruption risk assessment and fraud control plan (paragraph 2.12).
  • In June 2024, the department notified the Australian Institute of Criminology that there had been an error in its 2022–23 Fraud Against the Commonwealth Census response (paragraph 4.50).
  • In June 2024, Finance Business Rule 1.2 incorporated a requirement that ‘all First Assistant Secretaries and Assistant Secretaries for their program areas to conduct assessments of fraud and corruption risk regularly and when there is substantial change in the structure, functions or activities of the department’ (paragraph 2.3).
  • In July 2024, the department advised the ANAO that it had started to link fraud matters with impacted programs in the fraud case management system (paragraphs 4.46 and 4.47).
  • The department’s activities to prepare for the 2024 Commonwealth Fraud and Corruption Control Framework are described in Chapter 5.

Appendix 3 Implementation of Audit and Risk Committee fraud control assurance activities

2022, 2023 and 2024 forward work plan activity: At all general meetings, receive updates on implementation of the Fraud Control Plan and any fraud matters.

  • Assessment of implementation 2022 (July to December): There were 2 general meetings in the period. There were general fraud updates at both meetings. In September 2022 the Audit and Risk Committee (ARC) received an update on the implementation of fraud control activities.
  • Assessment of implementation 2023: There were 4 general meetings in the period. A general fraud update was provided at all meetings. In November 2023 the ARC received an update on the implementation of the Fraud and Corruption Control Plan (FCCP) following a request in August 2023.
  • Assessment of implementation 2024 (January to June): There were 2 general meetings in the period. There were general fraud updates at both meetings. In June 2024 the ARC received an update on the implementation of the FCCP.

2022, 2023 and 2024 forward work plan activity: Receive an update in March 2022, June 2023, and June 2024, on the review of and changes to the Fraud Risk Assessment (see paragraph 2.21) and Control Plan, and on any changes to the obligations under the [Public Governance, Performance and Accountability Act 2013], [Public Governance, Performance and Accountability Rule 2014], Commonwealth policy or resource management guides in relation to fraud control.

  • Assessment of implementation 2022 (July to December): In September 2022 the ARC received an update on in-progress fraud risk reviews. The reports and impacts of these reviews on the department’s fraud risk assessment were not subsequently reported to the ARC.
  • Assessment of implementation 2023: In June 2023 the ARC received an update on changes impacting the department following the establishment of the National Anti-Corruption Commission, and the FCCP 2023–2025 for endorsement. There were no updates on reviews of fraud risk assessments.
  • Assessment of implementation 2024 (January to June): In June 2024 there was an update on activities to comply with requirements of the 2024 Commonwealth Fraud and Corruption Control Framework. The ARC did not receive updates on changes to fraud risk assessments.

2022, 2023 and 2024 forward work plan activity: In September 2022, September 2023 and September 2024, review fraud control assurances for the certification in the annual report, and provide advice to the Secretary.

  • Assessment of implementation 2022 (July to December): At the August 2022 Financial Statements Sub-Committee, the ARC reviewed fraud control management assurances. In August 2022 the ARC chair advised the Secretary that assurances provided adequately supported the fraud control certification.
  • Assessment of implementation 2023: At the August 2023 Financial Statements Sub-Committee, the ARC reviewed fraud control management assurances. The meeting minutes indicate that the ARC decided to discuss the certification offline. In August 2023 the ARC chair advised the Secretary that assurances provided adequately supported the fraud control certification.
  • Assessment of implementation 2024 (January to June): Not applicable

2022, 2023 and 2024 forward work plan activity: In November 2022, November 2023 and November 2024 receive and review the Australian Institute of Criminology (AIC) Annual Report to the Minister and Attorney-General’s Department (see paragraph 1.3).

  • Assessment of implementation 2022 (July to December): The AIC Annual Report submission was not considered by the ARC.
  • Assessment of implementation 2023: The AIC Annual Report submission was not considered by the ARC.
  • Assessment of implementation 2024 (January to June): Not applicable

Key:  Fully compliant Partly compliant Not compliant.

Source: ANAO analysis of Audit and Risk Committee 2022, 2023 and 2024 work plans, meeting papers and meeting minutes.

Appendix 4 Implementation of 2024 Commonwealth Fraud and Corruption Control Framework roadmap activities

Implementation roadmap activity: Fraud and corruption control education and awareness plan

  • Completion date in roadmap: March 2024
  • ANAO note: N/A

Implementation roadmap activity: Fraud and corruption risk profiling

  • Completion date in roadmap: March 2024
  • Status at 4 July 2024: (Stage 1 completed)
  • ANAO note: N/A

Implementation roadmap activity: Fraud and corruption risk assessment framework

  • Completion date in roadmap: March 2024
  • ANAO note: This was reported as completed in the Audit and Risk Committee (ARC) update. It was not finalised until 4 July 2024.

Implementation roadmap activity: Fraud detection capability

  • Completion date in roadmap: Ongoing from March 2024
  • ANAO note: This refers to the establishment of the Fraud Intelligence and Detection team.

Implementation roadmap activity: New framework communications

  • Completion date in roadmap: Ongoing from March 2024
  • ANAO note: N/A

Implementation roadmap activity: Review and update investigation standard operating procedures

  • Completion date in roadmap: April 2024
  • ANAO note: This was reported as completed in the ARC update. As noted in Chapter 4 of this report, many standard operating procedures remained in draft as at 30 June 2024.

Implementation roadmap activity: Publish governance arrangements and key responsibilities

  • Completion date in roadmap: April 2024
  • ANAO note: The Department of Health and Aged Care (the department) published revised Accountable Authority Instructions and Finance Business Rule (see paragraph 2.2) on 1 July 2024.

Implementation roadmap activity: Executive approval of department approach to implementing framework

  • Completion date in roadmap: May 2024
  • ANAO note: The Deputy Secretary, Corporate Operations approved the approach to implement the framework on 3 June 2024.

Implementation roadmap activity: Fraud and corruption controls testing framework

  • Completion date in roadmap: June 2024
  • ANAO note: This was finalised on 4 July 2024 (see paragraph 5.9).

Implementation roadmap activity: Enterprise Fraud and Corruption Risk Assessment (EFCRA)

  • Completion date in roadmap: June 2024
  • ANAO note: The EFCRA was planned to be completed by 30 June 2024. The contract to complete the EFCRA was extended to 30 August 2024. The contract was extended to 30 November 2024.

Implementation roadmap activity: Fraud prevention working group

  • Completion date in roadmap: Ongoing from June 2024
  • Status at 4 July 2024: N/A (not yet due as at 4 July 2024)
  • ANAO note: The department advised the ANAO in July 2024 that it will participate in the government-wide fraud prevention group that is yet to be established by the Commonwealth Fraud Prevention Centre.

Implementation roadmap activity: Assuring change integrity framework

  • Completion date in roadmap: July 2024
  • Status at 4 July 2024: N/A (not yet due as at 4 July 2024)
  • ANAO note: As mentioned at paragraph 5.2, a draft framework was prepared.

Implementation roadmap activity: Contractor, consultant, and third-party service provider risk management framework

  • Completion date in roadmap: July 2024
  • Status at 4 July 2024: N/A (not yet due as at 4 July 2024)
  • ANAO note: As of 22 July 2024, this had not yet commenced.

Implementation roadmap activity: Corporate reporting strategy

  • Completion date in roadmap: July 2024
  • Status at 4 July 2024: N/A (not yet due as at 4 July 2024)
  • ANAO note: As mentioned at paragraph 5.2, a draft proposal was prepared.

Implementation roadmap activity: Branch capability uplift

  • Completion date in roadmap: Ongoing
  • Status at 4 July 2024: N/A (not yet due as at 4 July 2024)
  • ANAO note: N/A

Key: ✔ Roadmap activity completed by due date ✘ Roadmap activity not completed by due date.

Source: ANAO analysis of an implementation roadmap, 17 June 2024 report to the Audit and Risk Committee and supplementary evidence provided to the ANAO in early July and October 2024.

Footnotes

1 Australian Institute of Criminology, Fraud against the Commonwealth 2021–22, AIC, Canberra, 13 June 2023, p. 21, available from https://www.aic.gov.au/publications/sb/sb41 [accessed 15 April 2024].

2 Attorney-General’s Department, Fraud and Corruption Policy, AGD, Canberra, 1 February 2024, p. 7, available from https://www.ag.gov.au/sites/default/files/2024-02/fraud-and-corruption-policy-effective-1-july-2024.PDF [accessed 19 March 2024].

3 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, Canberra, 23 August 2017, para. 18–19, p. C7, available from https://www.ag.gov.au/sites/default/files/2020-03/CommonwealthFraudControlFramework2017.PDF [accessed 12 April 2024]. The 2017 framework was replaced in July 2024 by the Commonwealth Fraud and Corruption Control Framework.

4 Attorney-General’s Department, Commonwealth Fraud and Corruption Control Framework 2024, AGD, Canberra, 2024, p. 6, available from https://www.counterfraud.gov.au/sites/default/files/2024-06/cfpc-framework-2024.pdf [accessed 14 October 2024].

5 Australian Institute of Criminology, Fraud against the Commonwealth 2021–22, AIC, Canberra, 13 June 2023, p. 21, available from https://www.aic.gov.au/publications/sb/sb41 [accessed 15 April 2024].

6 Department of Health and Aged Care, Indigenous Australians’ Health Programme [Internet], Health, 2023, available from https://www.health.gov.au/our-work/indigenous-australians-health-progra… [accessed 31 July 2024].

7 The Indigenous Australians’ Health Programme was last examined by the ANAO in 2017–18. Auditor-General Report No. 50 2017–18 Primary healthcare grants under the Indigenous Australians’ Health Programme concluded that the department’s design and implementation of the primary healthcare component of the IAHP was partially effective as it has not yet achieved all of the Australian Government’s objectives in establishing the program. Among the findings was that there were two instances identified in the audit where the department’s risk analysis was not effective in identifying underlying risks, including in relation to potential fraud at one grantee organisation. Auditor-General Report No. 50 2017–18, Primary Healthcare Grants under the Indigenous Australians’ Health Program, ANAO, Canberra, para. 7 and 3.8, available from https://www.anao.gov.au/work/performance-audit/primary-healthcare-grants-under-the-indigenous-australians-health-program [accessed 3 August 2024].

8 Australian Institute of Criminology, Fraud against the Commonwealth 2021–22, AIC, Canberra, 13 June 2023, p. 1, available from https://www.aic.gov.au/publications/sb/sb41 [accessed 15 April 2024].

9 Attorney-General’s Department, Fraud and Corruption Policy, AGD, Canberra, 1 February 2024, p. 7, available from https://www.ag.gov.au/sites/default/files/2024-02/fraud-and-corruption-policy-effective-1-july-2024.PDF [accessed 19 March 2024].

10 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, Canberra, 23 August 2017, para. 18–19, p. C7, available from https://www.ag.gov.au/sites/default/files/2020-03/CommonwealthFraudControlFramework2017.PDF [accessed 12 April 2024]. The 2017 framework was replaced in July 2024 by the Commonwealth Fraud and Corruption Control Framework.

11 Australian Institute of Criminology, Fraud against the Commonwealth 2022–23, AIC, Canberra, 4 July 2024, available from https://www.aic.gov.au/publications/sb/sb44 [accessed 4 July 2024]. The 2022–23 Statistical Bulletin is based on responses collected from 157 Commonwealth entities between 28 August 2023 and 1 December 2023.

12 ibid., p. 7.

13 ibid., p. 7.

14 ibid., p. 9.

15 ibid., p. 11.

16 ibid., p. 16.

17 Australian Institute of Criminology, Fraud against the Commonwealth 2022–23, AIC, Canberra, 4 July 2024, pp. 16–17, available from https://www.aic.gov.au/publications/sb/sb44 [accessed 4 July 2024].

18 Attorney-General’s Department, Fraud and Corruption Policy, AGD, Canberra, 1 February 2024, available from https://www.ag.gov.au/sites/default/files/2024-02/fraud-and-corruption-policy-effective-1-july-2024.PDF [accessed 19 March 2024].

19 The National Anti-Corruption Commission is an independent Australian Government agency that was created under the National Anti-Corruption Commission Act 2022.

20 Attorney-General’s Department, Commonwealth Fraud and Corruption Control Framework 2024, AGD, Canberra, 2024, p. 6.

21 Department of Finance, Commonwealth Grants Rules and Guidelines, 2017, paragraphs 13.3 to 13.5.

22 Department of the Prime Minister and Cabinet, Louder Than Words: An APS Integrity Action Plan, APS Integrity Taskforce, PM&C, Canberra, November 2023, p. 21, available from https://www.pmc.gov.au/sites/default/files/resource/download/integrity-good-practice-action-plan.pdf [accessed 5 May 2024].

23 ibid., Recommendation 12.

24 National Anti-Corruption Commission, 8 Integrity Principles and Maturity Indicators, Commonwealth Integrity Maturity Framework, NACC, Canberra, 2023, p. 16, available from https://www.nacc.gov.au/sites/default/files/documents/2023-08/CIMF-8-integrity-principles-and-maturity-indicators.pdf [accessed 5 May 2024].

25 National Anti-Corruption Commission, Integrity Outlook 2022/23, Commonwealth of Australia, Canberra, 2023, p. 12, available from https://www.nacc.gov.au/sites/default/files/documents/2023-10/integrity_outlook_22-23_-_final_version_for_publication_0.pdf [accessed 14 October 2024].

26 Auditor-General Report No. 15 2023–24, Australian Taxation Office’s Management and Oversight of Fraud Control Arrangements for the Goods and Services Tax, ANAO, Canberra, 2024, available from https://www.anao.gov.au/work/performance-audit/australian-taxation-offices-management-and-oversight-fraud-control-arrangements-for-the-gst.

27 Auditor-General Report No. 42 2019–20, Fraud Control Arrangements in the Department of Foreign Affairs and Trade, ANAO, Canberra, 2020, available from https://www.anao.gov.au/work/performance-audit/fraud-control-arrangements-the-department-foreign-affairs-and-trade; Auditor-General Report No. 43 2019–20, Fraud Control Arrangements in the Department of Home Affairs, ANAO, Canberra, 2020, available from https://www.anao.gov.au/work/performance-audit/fraud-control-arrangements-the-department-home-affairs; and Auditor-General Report No. 44 2019–20, Fraud Control Arrangements in the Department of Social Services, ANAO, Canberra, 2020, available from https://www.anao.gov.au/work/performance-audit/fraud-control-arrangements-the-department-social-services.

28 Australian National Audit Office, Insights: Fraud Control Arrangements, ANAO, Canberra, June 2020, available from https://www.anao.gov.au/work/insights/fraud-control-arrangements [accessed 12 April 2024].

29 Auditor-General Report No. 42 2023–24, Interim Report on Key Financial Controls of Major Entities, ANAO, Canberra, 2024, Table 3.12.1, available from https://www.anao.gov.au/work/financial-statement-audit/interim-report-key-financial-controls-major-entities-2023-24 [accessed 25 June 2024].

30 ibid., para. 3.12.25.

31 Auditor-General Report No. 10 2021–22, Administration of the Research and Development Tax Incentive, ANAO, Canberra, 2021, available from https://www.anao.gov.au/work/performance-audit/administration-the-research-and-development-tax-incentive [accessed 14 October 2024].

32 Average staffing level is a method of counting that adjusts for casual and part-time staff to show the average number of full-time equivalent employees.

33 Department of Health and Aged Care, Indigenous Australians’ Health Programme [Internet], Health, 2023, available from https://www.health.gov.au/our-work/indigenous-australians-health-progra… [accessed 6 July 2024].

34 GrantConnect is a whole of Australian Government web-based facility that publishes grant opportunities and reporting on awarded grants. Paragraph 5.3 of the Commonwealth Grants Rules and Guidelines state that from 31 December 2017, an entity must report on GrantConnect information on individual grants no later than twenty-one calendar days after the grant agreement for the grant takes effect. The reported value in GrantConnect represents the full value of grant agreements signed during the reporting year and variations to existing grant agreements executed during the year, including amounts agreed to be spent in future years.

35 The role of the Executive Committee is to provide strategic direction and leadership to ensure the achievement of outcomes documented in the department’s corporate plan and Portfolio Budget Statements. The Executive Committee membership comprises the Secretary (Chair) and all deputy secretaries. It meets fortnightly under its terms of reference dated August 2023.

36 The role of the Audit and Risk Committee is to provide independent advice to the Secretary and the departmental executive on the department’s financial reporting, performance reporting, system of risk oversight and management, and system of internal control. The Audit and Risk Committee meets quarterly, and operates under a Charter dated February 2024.

37 Australian Institute of Criminology, Fraud against the Commonwealth 2021–22, AIC, Canberra, 13 June 2023, p. 21, available from https://www.aic.gov.au/publications/sb/sb41 [accessed 15 April 2024].

38 Department of Health and Aged Care, Indigenous Australians’ Health Programme [Internet], Health, Canberra, 2023, available from https://www.health.gov.au/our-work/indigenous-australians-health-progra… [accessed 31 July 2024].

39 The Indigenous Australians’ Health Programme (IAHP) was last examined by the ANAO in 2017–18. Auditor-General Report No. 50 2017–18 Primary healthcare grants under the Indigenous Australians’ Health Programme concluded that the department’s design and implementation of the primary healthcare component of the IAHP was partially effective as it has not yet achieved all of the Australian Government’s objectives in establishing the program. The audit identified two instances where the department’s risk analysis was not effective in identifying underlying risks, including in relation to potential fraud at one grantee organisation. Auditor-General Report No. 50 2017–18, Primary Healthcare Grants under the Indigenous Australians’ Health Program, ANAO, Canberra, 2018, para. 7 and 3.8, available from https://www.anao.gov.au/work/performance-audit/primary-healthcare-grants-under-the-indigenous-australians-health-program [accessed 3 August 2024].

40 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, Canberra, 23 August 2017, p. A1, available from https://www.ag.gov.au/sites/default/files/2020-03/CommonwealthFraudControlFramework2017.PDF [accessed 18 March 2024].

41 Commonwealth Fraud Prevention Centre, Commonwealth Fraud and Corruption Control Framework, AGD, Canberra, March 2024, pp. 10–11, available from https://www.counterfraud.gov.au/sites/default/files/2024-06/cfpc-framework-2024.pdf [accessed 5 August 2024].

42 The ANAO has not examined the updated AAIs and FBR in detail.

43 The AGIS establishes a standard for Australian Government entities conducting administrative, civil or criminal investigations to ensure quality investigative practices and outcomes. Non-corporate Commonwealth entities are required to comply with the AGIS to the extent it articulates Australian Government policy in accordance with the PGPA Act. The 2022 AGIS replaced the 2011 AGIS. No date for entities to update their approaches to the 2022 AGIS has been established. Attorney-General’s Department, Australian Government Investigations Standards [Internet], AGD, Canberra, 2022, available from https://www.ag.gov.au/integrity/publications/australian-government-investigations-standards [accessed 3 July 2024].

44 Primary and Community Care; Interim Australian Centre for Disease Control; Health Strategy, First Nations and Sport; Health Resourcing; Health Products Regulation; Ageing and Aged Care; and Corporate Operations.

45 Auditor-General Report No. 3 2023–24, Management of Non-Compliance with the Therapeutic Goods Act 1989 for Unapproved Therapeutic Goods, ANAO, Canberra, 2023, para. 4.22 to 4.79, available from https://www.anao.gov.au/work/performance-audit/therapeutic-goods-administration-management-non-compliance [accessed 25 June 2024].

46 AusTender, Contract Notice View – CN 4065381, available from https://www.tenders.gov.au/Cn/Show/d1d50d81-c693-42c4-9f72-5779d4c20ad5 [accessed on 5 July 2024].

47 In addition to the outsourcing of fraud risk assessment and planning, the department advised the ANAO in June 2024 that it had outsourced two investigations of internal fraud in 2022–23 and 2023–24, both to Australian Fraud and Anti-Corruption Academy Pty Ltd, at a total cost of $171,600 (GST inclusive). AusTender, Contract Notice View – CN 3879261-A1, available from https://www.tenders.gov.au/Cn/Show/99072a66-9fdd-421e-8368-2eff420ce756 [accessed 30 June 2024].

48 Department of Finance, Resource Management Guide 202 – A guide to non-corporate Commonwealth entities on the role of audit committees, Finance, Canberra, 2021, p. 18, available from https://www.finance.gov.au/sites/default/files/2021-10/Guide%20for%20non-corporate%20Commonwealth%20entities%20on%20the%20role%20of%20audit%20committees_0.pdf [accessed 23 June 2024].

49 The SWIAC is a sub-committee of the Executive Committee established in February 2019. The SWIAC’s role is to provide assurance to the Executive Committee that security and integrity-related risks are being effectively managed. The SWIAC’s members are: First Assistant Secretary, People, Communication and Parliamentary Division; Chief Counsel, Legal and Assurance Division; Chief Security Officer, Information Technology Division; and First Assistant Secretary, Financial Management Division.

50 Medicare Benefits Schedule, Pharmaceuticals Benefits Scheme and Child Dental Benefits Schedule.

51 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, Canberra, 23 August 2017, p. C9, available from https://www.ag.gov.au/sites/default/files/2020-03/CommonwealthFraudControlFramework2017.PDF [accessed 2 August 2024]. The requirement to conduct a review at least every two years is mandatory for relevant entities under the 2024 Commonwealth Fraud and Corruption Control Framework.

52 These contract variations did not increase the contract value.

53 Portfolio Budget Statements programs are: 1.1 Health Research, Coordination and Access; 1.2 Mental Health; 1.3 First Nations Health; 1.4 Health Workforce; 1.5 Preventive Health and Chronic Disease Support; 1.6 Primary Health Care Quality and Coordination; 1.7 Primary Care Practice Incentives and Medical indemnity; 1.8 Health Protection, Emergency Response and Regulation; 1.9 Immunisation; 2.1 Medical Benefits; 2.2 Hearing Services; 2.3 Pharmaceutical Benefits; 2.4 Private Health Insurance; 2.5 Dental Services; 2.6 Health Benefit Compliance; 2.7 Assistance through Aids and Appliances; 3.1 Access and Information; 3.2 Aged Care Services; 3.3 Aged Care Quality; 4.1 Sport and Physical Activity Grants.

54 The department used 12 criteria to develop the risk profiles: maturity of the program area’s counter fraud capability; program budget; sensitivity of information; operational complexity; third party payments; maturity of delivery platforms; dependency on other business units or entities; potential to undermine government objectives and policies; potential for reputational damage to government; potential for harm to third parties; known fraud vulnerabilities; and instances of fraud against the program.

55 Programs 1.3 First Nations Health; 2.1 Medical Benefits; 2.3 Pharmaceutical Benefits; 2.5 Dental Services; 3.2 Aged Care Services were all assessed as very high risk for fraud, along with grants generally; budget measures, election commitments and ministerial announcements since the 2022–23 October Budget; and digital transformation/ICT strategy.

56 The Community Grants Hub provides a shared-services arrangement to deliver grant administration services on behalf of Australian Government client agencies. The Community Grants Hub is administered by the Department of Social Services.

57 The department’s grant toolkit and the Community Grants Hub state that the grant lifecycle involves five phases: design, select, establish, manage and evaluate. Community Grants Hub, Glossary [Internet], CGH, available from https://www.communitygrants.gov.au/glossary [accessed 20 August 2024].

58 The eight programs were selected on a targeted basis, based on the overall grant funding value in 2022–23 and risk after reviewing fraud-related escalations from the Community Grants Hub. The five largest grant programs by 2022–23 value and three lower value grant programs were selected for the sample.

59 The Department of Industry, Science and Resources; National Health and Medical Research Council; and Services Australia also provide the Department of Health and Aged Care with annual management representations about assurance over controls relating to grants and administered payments made on behalf of the Department of Health and Aged Care.

60 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, Canberra, 23 August 2017, p. C9, para. 28.

61 For example, the Business Grants Hub administered by the Department of Industry, Science and Resources or the National Health and Medical Research Council.

62 High risks: Risk 1 — Grants; Risk 8 — Conflict of interest; and Risk 10 — Employment related fraud. Medium risks: Risk 2 — Provider claims; Risk 4 — Procurement processes; Risk 5 — Identity crime; Risk 6 — External Influence; and Risk 7 — Regulatory approvals.

63 Desktop reviews; interviews, workshops or surveys; system or process walkthroughs; case studies; sample testing; data analytics; technical testing; and active controls testing.

64 Targeted Control Assessments — Procedural Guide FCTF-02, which is issued by the International Public Sector Fraud Forum and produced in collaboration with the United Kingdom’s Public Sector Fraud Authority and the Commonwealth Fraud Prevention Centre. It sets out recommended best practice, key principles and materials for conducting fraud control testing within public sector organisations. Available from https://www.counterfraud.gov.au/library/ipsff-fraud-control-testing-framework [accessed 31 July 2024].

65 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, Canberra, 23 August 2017, p. A1, available from https://www.ag.gov.au/sites/default/files/2020-03/CommonwealthFraudControlFramework2017.PDF [accessed 18 March 2024].

66 ibid., p. B2.

67 Department of Finance, Commonwealth Grants Rules and Guidelines 2017, Finance, Canberra, 24 July 2023, para. 13.3 to 13.5, available from https://www.finance.gov.au/government/commonwealth-grants/commonwealth-grants-rules-and-guidelines [accessed 3 May 2024]. NCCEs undertake grants administration based on the mandatory requirements and key principles of grants administration in the Commonwealth Grants Rules and Guidelines (CGRGs). Paragraph 13.4 of the CGRGs is mandatory for NCCEs, while paragraph 13.5 is better practice for NCCEs.

68 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, Canberra, 23 August 2017, p. C12, available from https://www.ag.gov.au/sites/default/files/2020-03/CommonwealthFraudControlFramework2017.PDF [accessed 18 March 2024].

69 Some preventative controls applied to multiple risks.

70 Treatments are not categorised as ‘detective’ or ‘preventative’.

71 Australian Public Service Commissioner’s Direction 2022, section 19, [Internet] available from https://www.legislation.gov.au/F2022L00088/latest/text [accessed on 4 June 2024].

72 Commonwealth Fraud Prevention Centre, Fraud Awareness Week, Attorney-General’s Department [Internet], available from https://www.counterfraud.gov.au/connect-and-share-counter-fraud-community [accessed 4 June 2024].

73 One grant program did not have a head agreement. The grant agreements for this grant program were not examined by the ANAO.

74 Attorney-General’s Department, Australian Government Investigations Standard, AGD, Canberra, October 2022, para. 1.3.1, p. 4, available from https://www.ag.gov.au/sites/default/files/2022-12/Australian-Government-Investigations-Standard-2022.pdf [accessed on 6 June 2024].

75 ibid.

76 ibid.

77 ibid.

78 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 23 August 2017, p. A1, available from https://www.ag.gov.au/sites/default/files/2020-03/CommonwealthFraudControlFramework2017.PDF [accessed 18 March 2024].

79 Some detective controls applied to multiple risks.

80 Departmental procedures indicate that sources of fraud information and tip-offs include members of the public, aged care program recipients or their nominated representatives, aged care approved providers and third-party contractors, external regulatory and enforcement agencies, departmental business areas (including areas responsible for grants management) and departmental and portfolio agency employees.

81 Department of Health and Aged Care, Welcome to the health provider tip-off form [Internet], Health, Canberra, 2022, available from https://www1.health.gov.au/internet/main/publishing.nsf/Content/health-provider-tip-off [accessed 6 June 2024].

82 Department of Health and Aged Care, Report suspected fraud reporting form [Internet], Health, Canberra, 2016, available from https://www1.health.gov.au/internet/main/publishing.nsf/Content/reporting-suspected-fraud [accessed 6 June 2024].

83 Department of Health and Aged Care, Report suspected fraud [Internet], Health, Canberra, 2024, available from https://www.health.gov.au/about-us/corporate-reporting/report-suspected-fraud [accessed 6 June 2024].

84 The NIPF provides the Commonwealth with whole-of-program quality assurance in the delivery of a range of infrastructure services under the Closing the Gap Health Infrastructure Major Capital Program. The NIPF contract with WSP is valued at $12,415,429 and is in effect 6 October 2022 to 31 October 2026. AusTender, Contract Notice view — CN3918691, available from https://www.tenders.gov.au/Cn/Show/3f914699-7cc3-47d1-9641-0eafd26ecd8c [accessed 14 October 2024].

85 The KPMG contract is valued at $2,984,510 and is in effect 12 October 2023 to 30 June 2026. AusTender, Contract Notice view CN4016271, available from https://www.tenders.gov.au/Cn/Show/371983ee-e827-4834-9919-bbc97fa03fb4 [accessed 14 October 2024].

86 The eight risk escalations in the Department of Social Services’ register involved six grant recipient entities.

87 The ANAO was unable to obtain any assurance that these were the only two public matters reported.

88 The Indigenous Australians’ Health Programme funds Aboriginal Community Controlled Health Services, as well as mainstream services, in each state and territory.

89 Treatments are not categorised as ‘detective’ or ‘preventative’.

90 AusTender, Contract Notice View CN 3966551, available from https://www.tenders.gov.au/Cn/Show/98e2fad6-40bc-42ce-a4b0-00ff4859bd38 [accessed 10 July 2024].

91 The contract also required KPMG to assist with a backlog of tip-off assessments.

92 Under the draft Investigations Doctrine, the Operational Management Committee is responsible for critical decisions affecting the course of an investigation which may include: the acceptance of a referral for investigation; decisions incurring significant expense; decisions to apply for a warrant; requests to other agencies; referrals to the Australian Federal Police or other law enforcement; and decisions to close investigations.

93 The ANAO did not undertake detailed assessments of AGIS compliance for Health Provider Fraud Section procedures, or procedures for Fraud Control and Investigation Section or Fraud Control and Investigation Branch that existed prior to the AGIS Project, which commenced in July 2023.

94 This is defined as: significant monetary or property loss to the Commonwealth; damage to the security standing or integrity of the Commonwealth; harm to the economy, national security, resources, assets, environment or well-being of Australia; a serious breach of trust by a Commonwealth official or contractor; the use of sophisticated techniques or technology to avoid detection; the elements of criminal conspiracy; bribery or corruption of a Commonwealth official or contractor; known or suspected criminal activity against more than one entity; activities that could affect wider aspects of Commonwealth law enforcement; or politically sensitive matters. Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, Canberra, 23 August 2017, p. C17, available from https://www.ag.gov.au/sites/default/files/2020-03/CommonwealthFraudControlFramework2017.PDF [accessed 12 April 2024].

95 The Proceeds of Crime Act 2002 establishes a scheme for the Commonwealth to confiscate proceeds of crime — Proceeds of Crime Act, Attorney-General’s Department, Canberra, [Internet], available at https://www.ag.gov.au/crime/proceeds-crime-act [accessed on 27 June 2024]. The Proceeds of Crime Act 2002 provides the Australian Federal Police with authority to confiscate such proceeds — Money Laundering and Financial Crime, Australian Federal Police, Canberra, [Internet], available at https://www.afp.gov.au/crimes/money-laundering-and-financial-crime#our-… [accessed on 27 June 2024].

96 Fraud Against the Commonwealth 2022-23, Australian Institute of Criminology, Canberra, pp. 16–17 [Internet], available from https://www.aic.gov.au/sites/default/files/2024-07/sb44_fraud_against_the_commonwealth_2022-23_0.pdf [accessed on 2 August 2024]. Excludes entities that reported losses or recoveries equal to zero. Entities were asked to provide the total amount lost in cases where investigations or alternative actions were finalised in 2022–23 in which the allegations were substantiated in full or in part. Entities were asked to provide the total amount of fraud losses recovered during the reporting period, regardless of when the fraud was committed, when the losses were incurred or when the investigation or alternative action was completed.

97 Commonwealth Fraud Prevention Centre, The total impacts of fraud, Attorney-General’s Department, Canberra [Internet], available from https://www.counterfraud.gov.au/total-impacts-fraud [accessed on 2 August 2024].

98 Based on departmental and administered total resources, Department of Health and Aged Care Portfolio Budget Statements 2023-24, Table 1, pp. 9–10.

99 The CDR template requires: the investigation start date; the intelligence source (analysis and data analytics, tip-off, external referral from another government entity); type of alleged offender (medical provider, medical practice staff, corporate entity, pharmacist or member of public); program; channel used for the offence (bulk billing, Easyclaim, PBS Online etc.); nature of the allegation; and inquiries conducted in chronological order.

100 Each year, the Australian Institute of Criminology conducts the Fraud Against the Commonwealth census. The purpose of the census is to gather information about Commonwealth entity fraud control arrangements, fraud investigations and alternative actions, fraud losses and recoveries. Non-corporate Commonwealth entities must complete the census in accordance with the Fraud Policy. While not mandatory for corporate Commonwealth entities or Commonwealth companies, completing the census is considered best practice.

101 Department of Health and Aged Care, Annual Report 2022–23, Health, Canberra, 2023, p. 115 [Internet], available from https://www.health.gov.au/sites/default/files/2023-10/department-of-health-and-aged-care-annual-report-2022-23_0.pdf [accessed on 26 June 2024].

102 Department of Finance, Resource Management Guide 214 — Notification of significant non-compliance with the finance law [Internet], Finance, Canberra, September 2020, available from https://www.finance.gov.au/government/managing-commonwealth-resources/notification-significant-non-compliance-finance-law-rmg-214 [accessed 30 June 2024].

103 Department of Health and Aged Care, Annual Report 2021-22, Health, Canberra, 2022, p. 117 [Internet] available at https://www.health.gov.au/sites/default/files/documents/2022/10/department-of-health-annual-report-2021-22.pdf [accessed 15 October 2024].

104 Department of Health and Aged Care, Annual Report 2022-23, Health, Canberra, 2023, p. 113 [Internet] available at https://www.health.gov.au/sites/default/files/2023-10/department-of-health-and-aged-care-annual-report-2022-23_0.pdf [accessed 15 October 2024].

105 A similar assurance was provided in the 2022 annual report.

106 Dr Pradeep Philip, Independent Review of Medicare Integrity and Compliance: Final Report, March 2023 [Internet], available at https://www.health.gov.au/sites/default/files/2023-04/independent-review-of-medicare-integrity-and-compliance_0.pdf [accessed 15 October 2024]. The review examined fraud in relation to the Medicare Benefits Schedule.

107 Through the Home Care Packages Program, the Australian Government subsidises organisations to provide home care services to eligible older people.

108 Attorney-General’s Department, Fraud and Corruption Policy, AGD, Canberra, 1 February 2024, available from https://www.ag.gov.au/sites/default/files/2024-02/fraud-and-corruption-policy-effective-1-july-2024.PDF [accessed 19 March 2024].

109 Commonwealth Fraud Prevention Centre, Implementation Roadmap [Internet], Attorney-General’s Department, Canberra, April 2024, available from https://www.counterfraud.gov.au/library/implementation-roadmap [accessed 30 June 2024].

110 Commonwealth Fraud Prevention Centre, Commonwealth Fraud and Corruption Control Framework 2024, Element 3, p. 11, Attorney-General’s Department, Canberra, 2024 [Internet], available from https://www.counterfraud.gov.au/sites/default/files/2024-03/cw-fraud-corruption-control-framework-2024.PDF [accessed 15 June 2024].

111 Commonwealth Fraud Prevention Centre, Overview of changes from the 2017 framework, Attorney-General’s Department, Canberra, 2024 [Internet], available from https://www.counterfraud.gov.au/learn-about-fraud-and-corruption-control-framework [accessed 15 June 2024].