Audit snapshot

Why did we do this audit?

  • Fraud and corruption undermine the integrity of and public trust in government, including by reducing funds available for government program delivery and causing financial and reputational damage to defrauded entities.
  • All Commonwealth entities are required to have fraud control arrangements in place to prevent, detect and respond to fraud.
  • The National Health and Medical Research Council (NHMRC) is a non-corporate Commonwealth entity which provides assistance for public health and medical research and training, primarily through grants programs.

Key facts

  • As at August 2024, 100 research organisations were eligible to apply for Medical Research Endowment Account grants, and 266 for Medical Research Future Fund grants. 89 organisations were eligible to apply for both.

What did we find?

  • The NHMRC’s fraud control arrangements are partly effective.
  • The NHMRC has established partly appropriate arrangements to oversee and manage fraud risks.
  • The NHMRC has established partly effective mechanisms to prevent, detect and respond to fraud and promote a culture of integrity.
  • The NHMRC’s preparations for the commencement of the revised Commonwealth Fraud and Corruption Policy on 1 July 2024 have been largely appropriate.

What did we recommend?

  • There were five recommendations to the NHMRC. These relate to strengthening controls for grants related fraud risks and processes for investigations of fraud.
  • NHMRC agreed to all five recommendations.

  • $898.1 m: value of Medical Research Endowment Account grants administered by NHMRC in 2022–23.
  • $625.5 m: value of grants administered by NHMRC (on behalf of the Department of Health and Aged Care) in 2022–23.
  • 1: substantiated case of fraud related to the NHMRC’s grants programs between 1 July 2022 and 30 June 2024.

Summary and recommendations

Background

1. Fraud against Australian Government entities and corrupt conduct by Australian Government officials are serious matters that can constitute criminal offences. Fraud and corruption undermine the integrity of and public trust in government, including by reducing funds available for government program delivery and causing financial and reputational damage to defrauded entities.[1]

2. The Australian Government defines fraud as:

Dishonestly obtaining (including attempting to obtain) a gain or benefit, or causing a loss or risk of loss, by deception or other means.[2]

3. Fraud against the Australian Government can be committed by government officials or contractors (internal fraud) or by parties such as clients of government services, service providers, grant recipients, other members of the public or organised criminal groups (external fraud).[3] The Australian Government’s requirements for fraud control apply to both internal and external fraud risks. The 2024 Commonwealth Fraud and Corruption Control Framework states that:

Fraud and corruption are risks that can undermine the objectives of every Australian Government entity in all areas of their business, including delivery of services and programs, policy-making, regulation, taxation, procurement, grants and internal procedures.[4]

4. The audit examines fraud control arrangements in the National Health and Medical Research Council (the NHMRC). The NHMRC administers the Medical Research Endowment Account (MREA) to provide assistance for public health and medical research and training, primarily through grant programs.

5. The NHMRC also manages grants through the Medical Research Future Fund (MRFF) on behalf of the Department of Health and Aged Care (Health) pursuant to a shared services agreement.

Rationale for undertaking the audit

6. Fraud against Australian Government entities reduces available funds for public goods and services and causes financial and reputational damage to the Australian Government.[5] All Commonwealth entities are required to have fraud control arrangements in place to prevent, detect and respond to fraud. From 1 July 2024, this requirement also extends to corruption.

Audit objective and criteria

7. The objective of the audit was to assess the effectiveness of the NHMRC’s fraud control arrangements.

8. To form a conclusion against this objective, the following high-level criteria were adopted.

  • Have appropriate arrangements been established to oversee and manage fraud risks?
  • Have appropriate mechanisms been established to prevent fraud, and promote a culture of integrity?
  • Have appropriate mechanisms been established to detect and respond to fraud?
  • Has the NHMRC appropriately prepared for the commencement of the revised Commonwealth Fraud and Corruption Control policy in July 2024?

Conclusion

9. The NHMRC’s fraud control arrangements are partly effective. The NHMRC has appropriate mechanisms in place for internal fraud control, but there are inadequate mechanisms in place to prevent, detect and investigate fraud risks relating to grant recipients.

10. The NHMRC has established partly appropriate arrangements to oversee and manage fraud risks. The NHMRC’s 2023–2025 Fraud and Corruption Control Framework is aligned with the 2017 Commonwealth Fraud Control Framework. The agency has established largely appropriate oversight arrangements for the management of fraud risks. The Audit and Risk Committee did not provide independent advice to the accountable authority on the appropriateness of the system of risk management. The NHMRC’s 2023–2025 Fraud and Corruption Risk Assessment includes risks relating to its core business, the administration of grant funding. The Fraud and Corruption Control Plan is largely appropriate for internal fraud risks. It falls short of appropriately managing external fraud risks relating to the NHMRC’s administration of grant funding. The NHMRC has not identified and assessed all external fraud risks relating to grant funding. The NHMRC’s risk assessment of grant related fraud risks is not based on all relevant information. Most of the controls for grant related fraud risks rely on the cooperation of, or untested assurances from, the grant recipients. The NHMRC has not established mechanisms to review the effectiveness of the controls listed in the 2023–2025 Fraud and Corruption Risk Assessment.

11. The NHMRC has established partly effective mechanisms to prevent fraud and promote a culture of integrity. The NHMRC included preventative controls for all risks identified in its Fraud and Corruption Control Risk Assessment. The controls have not been assessed for their appropriateness or effectiveness. Fraud awareness training and relevant resources are provided to all staff. External stakeholders are made aware of the NHMRC’s processes for managing fraud risks through various publications on its website. The NHMRC’s monitoring of compliance with annual fraud awareness training provides reasonable assurance to the accountable authority of the completion rate. No arrangements have been put in place to ensure that the NHMRC staff who identify, assess and manage fraud risks or investigate suspected fraud have the relevant training or qualifications or undertake ongoing professional development.

12. The NHMRC has established partly appropriate mechanisms to detect and respond to fraud. The NHMRC has not assessed the appropriateness or effectiveness of the detective controls listed for the internal and external fraud risks identified in its 2023–2025 Fraud and Corruption Control Plan. The detective controls relating to the NHMRC’s administration of grants do not provide the NHMRC with assurance on the level of compliance with reporting and investigation obligations placed on grant recipients under the NHMRC’s funding agreements. By not requiring that investigations by grant recipients are undertaken by a qualified investigator, the NHMRC’s procedures are inconsistent with the 2017 Commonwealth Fraud Control Framework. The fraud and misconduct registers maintained by the NHMRC are not consistent with each other and do not contain sufficient information to support informed decision-making and continuous improvement activities. The NHMRC reported one instance of significant non-compliance and advised the minister that it recovered grant funding associated with the one case where fraud was substantiated in 2022–23 and 2023–24.

13. The NHMRC’s preparations for the commencement of the revised Commonwealth Fraud and Corruption Policy on 1 July 2024 have been largely appropriate, with change management activities yet to be delivered. The NHMRC included a definition of corruption and reporting and referral obligations to the National Anti-Corruption Commission in its 2023–2025 Fraud and Corruption Control Framework. No corruption related risks were added to the Fraud and Corruption Control Plan at this time. The NHMRC developed an implementation plan and, as at 1 July 2024, had developed a draft framework and a plan to achieve compliance with the new policy. Over the period 2024 to 2026, the NHMRC plans to review grant fraud risks and test the controls for selected grant fraud risks, including risks with high risk ratings.

Supporting findings

Oversight and management of fraud risks

14. The NHMRC established a Fraud and Corruption Framework that covers key elements of the 2017 Commonwealth Fraud Control Framework. Senior officials were assigned responsibility for fraud control activities and a Fraud and Corruption Control Officer (FCCO) was appointed. The NHMRC’s Executive Board is responsible for, and the Audit and Risk Committee (ARC) provides assurance over, risk management including fraud. Both the Executive Board and the ARC reviewed the NHMRC’s fraud and corruption control policy. The procedures for dealing with alleged grant fraud are incomplete. They do not effectively support the NHMRC to conduct fraud risk assessments based on all available information and data, or to fulfil its obligations for specific grants administered under the shared services agreement with the Department of Health and Aged Care. The ARC did not seek further information on the effectiveness of controls following consideration of the reports of instances of suspected fraud. The ARC’s advice to the Chief Executive Officer (CEO) relied on assertions from management that the agency complies with the Commonwealth Risk Management Policy and the Commonwealth Fraud Control Framework. (See paragraphs 2.2 to 2.15)

15. The NHMRC undertook fraud risk assessments in 2019 and 2023. The 2019 fraud risk assessment was not updated following the launch of a new grants management IT system. The 2023–2025 Fraud and Corruption Risk Assessment included risks related to the NHMRC’s administration of grants which is one of the agency’s core functions. The risk assessment utilises the risk matrix for likelihood and consequence set out in the enterprise risk management framework. The relationship between accepted risk ratings and the NHMRC’s tolerances for specific risk categories is not documented. The NHMRC’s ARC did not consider the 2023–2025 Fraud and Corruption Control Plan in assessing the appropriateness of the 2024–25 internal audit work program. (See paragraphs 2.16 to 2.38)

16. The NHMRC’s 2023–2025 Fraud and Corruption Control Plan included 27 fraud risks, seven of which related to external risks. Responsibility for managing each of the controls was not listed in the 2023–2025 Fraud and Corruption Risk Assessment. Controls for internal risks are more clearly aligned with the identified risks than those listed for external risks in the 2023–2025 Fraud and Corruption Control Plan. The non-mandatory reporting to the NHMRC of all instances of alleged fraud, including where it relates to research misconduct, limits the information that the NHMRC has regard to when conducting risk assessments for external fraud risks. The NHMRC has not established appropriate mechanisms to gain assurance over all grant recipients’ compliance with the terms of funding agreements or MREA grant recipients’ responses to the annual self-assessment compliance survey. Both of these are listed as controls for external risks related to the NHMRC’s administration of grant programs. Except for specific ICT controls, the NHMRC has not established a mechanism to review the effectiveness of controls listed in the 2023–2025 Fraud and Corruption Risk Assessment. (See paragraphs 2.39 to 2.62)

Fraud prevention and integrity culture

17. The NHMRC’s 2023–2025 Fraud and Corruption Control Risk Assessment includes preventative controls for all identified risks. Preventative controls for internal fraud risks directly relate to the cause of the risk. Preventative controls for external fraud risks largely relate to education and guidance materials for grant recipients and expected compliance with the NHMRC funding agreement. The NHMRC has not assessed the appropriateness and effectiveness of its preventative controls for fraud risks. Fraud risks are considered in the development of new grant guideline opportunities. The fraud risks were not reviewed following a change in ICT systems or based on the results of the annual compliance review for grant recipients. There are inconsistencies in the NHMRC’s procedures for staff on preventing, detecting and dealing with fraud. The NHMRC’s strategies to mitigate the risk of fraud are stronger for internal fraud risks than external fraud risks. (See paragraphs 3.2 to 3.24)

18. The NHMRC has fraud related guidance materials on its intranet. Fraud awareness training must be completed by staff upon commencement with the entity and refreshed on an annual basis. As at 30 June 2024, 189 of 244 staff had completed fraud awareness training, representing 77.5 per cent of the NHMRC’s total workforce. One of six senior executive service officers had completed this training. The NHMRC publishes its Research Integrity and Misconduct Policy on its website, which includes a section on fraud and other misconduct. The NHMRC’s website also allows anonymous reports of fraud to be provided. The NHMRC has not evaluated the effectiveness of its fraud awareness training. (See paragraphs 3.25 to 3.35)

19. The NHMRC does not carry out fraud investigations and has no qualified investigators. It does not oversee fraud investigations conducted by grant recipients or gain assurance they have been undertaken by qualified investigators. The NHMRC’s staff who identify, assess and manage fraud risks do not have the relevant fraud control training or qualifications. The NHMRC does not have a plan in place for the professional development of staff involved in fraud and corruption activities. (See paragraphs 3.36 to 3.46)

Fraud detection and response

20. The NHMRC listed detective controls for all but two of the risks identified in the 2023–2025 Fraud and Corruption Control Risk Assessment. Detective controls for internal fraud risks directly relate to the cause of the risk. Detective controls for external fraud risks largely require the cooperation of grant recipients. Except for limited testing of ICT controls, the NHMRC has not assessed the appropriateness and effectiveness of its detective controls for fraud risks. The NHMRC has processes in place to receive anonymous reports of alleged fraud. A 2023–24 audit of grant applications prior to the award of funding identified 11 applications which were ineligible that had not been detected during the NHMRC’s standard application review processes. The fraud risk assessment was not updated following the outcome of this audit. (See paragraphs 4.2 to 4.21)

21. The NHMRC’s 2023–2025 Fraud and Corruption Control Framework contains a flowchart of the steps to be undertaken following notification of a suspected fraud. These processes do not relate to instances of suspected fraud by a grant recipient as they are not investigated by the NHMRC. The funding agreements between the NHMRC and grant recipients do not provide the NHMRC with complete information in relation to suspected frauds. The NHMRC’s fraud registers do not contain sufficient information of the investigation or decision-making process. For the one case between 2022–23 and 2023–24 where an allegation of suspected fraud was substantiated after investigation by the grant recipient, the NHMRC did not report the incident to the Australian Federal Police (AFP). The NHMRC recovered $2.6 million in relation to this fraud case. (See paragraphs 4.22 to 4.37)

22. The NHMRC has complied with its reporting obligations in its annual report and to the Australian Institute of Criminology. For the only substantiated fraud in 2022–23 and 2023–24, the NHMRC briefed the Minister for Health and Aged Care following a press release by the relevant grant recipient. The NHMRC has arrangements in place with Health for the management of suspected fraud and other research misconduct. The NHMRC maintains fraud risk registers as well as misconduct and integrity registers, with a separate register developed for each year. These registers do not include detailed information about the incidents and are not consistent with each other. (See paragraphs 4.38 to 4.53)

Preparation for the revised Commonwealth Fraud and Corruption Control Framework 2024

23. The NHMRC’s 2023–2025 Fraud and Corruption Control Framework reflects the establishment of the National Anti-Corruption Commission in July 2023 and relevant reporting and referral requirements. In February 2024 the NHMRC developed an implementation plan, with key milestones and deadlines, for the commencement of the 2024 Commonwealth Fraud and Corruption Policy. As at July 2024 the NHMRC had prepared a draft updated framework and plan to satisfy the requirements of the 2024 Commonwealth Fraud and Corruption Policy. The NHMRC has not developed a plan to put the revised Policy into action, including the delivery of change management activities. (See paragraphs 5.2 to 5.10)

24. The NHMRC plans to review ten grant fraud risks and to test the controls for four grant fraud risks over the period 2024 to 2026. (See paragraphs 5.11 to 5.15)

Recommendations

Recommendation no. 1

Paragraph 2.34

The National Health and Medical Research Council ensure its fraud risk assessments comply with the NHMRC’s 2023–2026 Risk Management Framework and Policy, including documentation of estimated value of fraud as a result of identified risks occurring, and account for all elements of its risk environment and administrative systems.

National Health and Medical Research Council response: Agreed.

Recommendation no. 2

Paragraph 2.55

The National Health and Medical Research Council implement risk-based mechanisms to gain independent assurance of the effectiveness of grant recipients’ fraud risk controls.

National Health and Medical Research Council response: Agreed.

Recommendation no. 3

Paragraph 2.61

The National Health and Medical Research Council plan and undertake regular assessments and testing of the effectiveness of the controls and mitigating strategies listed in its Fraud and Corruption Control Plan.

National Health and Medical Research Council response: Agreed.

Recommendation no. 4

Paragraph 3.45

The National Health and Medical Research Council ensure that all its officials who identify, assess and manage fraud and corruption risks possess the qualifications and skills required by the Fraud Policy.

National Health and Medical Research Council response: Agreed.

Recommendation no. 5

Paragraph 4.28

The National Health and Medical Research Council:

  1. amend the 2019 Research Integrity and Misconduct Policy to require grant recipients to report all allegations of suspected fraud relating to grants administered by the NHMRC; and
  2. ensure all investigations of suspected fraud relating to grants administered by the NHMRC, including investigations by a grant recipient, are undertaken or overseen by suitably qualified personnel and reports are provided directly to the NHMRC.

National Health and Medical Research Council response: Agreed.

Summary of entity response

25. The proposed audit report was provided to the NHMRC. The NHMRC’s full response is provided below.

The National Health and Medical Research Council (NHMRC) takes its responsibilities in relation to fraud and corruption risk seriously. We welcome the ANAO’s review of the efficacy of our systems and processes to prevent, detect and respond to this risk.

A small statutory authority within the Health and Aged Care portfolio, NHMRC funds the highest quality health and medical research and training, and issues guidelines and advice on the prevention, diagnosis and treatment of disease, the provision of health care and on ethical issues relating to health. NHMRC is committed to continuous improvement across all its endeavours and recognises that ensuring the effective and efficient discharge of our responsibilities is fundamental to maintaining community confidence in the health and medical research that underpins Australia’s health care system.

NHMRC accepts the audit findings, conclusions and recommendation and considers that this audit outcome presents an opportunity to further strengthen our management of fraud and corruption risk. NHMRC agrees with all five audit recommendations and will progress implementation with the guidance of our Executive Board and with quality assurance oversight from our independent Audit and Risk Committee.

Key messages from this audit for all Australian Government entities

26. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.

Governance and risk management

  • Entities must ensure that they have sufficient and complete information to identify, assess and monitor all internal and external fraud risks.
  • To support the development of controls and mitigation strategies and an assessment of the effectiveness of controls, fraud risks should be broken down into specific elements relevant to the source of the risk.

1. Background

Introduction

1.1 Fraud against Australian Government entities and corrupt conduct by Australian Government officials are serious matters that can constitute criminal offences. Fraud and corruption undermine the integrity of and public trust in government, including by reducing funds available for government program delivery and causing financial and reputational damage to defrauded entities.[6]

1.2 The Australian Government defines fraud as:

Dishonestly obtaining (including attempting to obtain) a gain or benefit, or causing a loss or risk of loss, by deception or other means.[7]

1.3 Fraud against the Australian Government can be committed by government officials or contractors (internal fraud) or by parties such as clients of government services, service providers, grant recipients, other members of the public or organised criminal groups (external fraud).[8] In its annual report on fraud against the Commonwealth[9], the Australian Institute of Criminology reported that, for 2022–23:

  • 378,033 fraud allegations were received, including 366,196 of external fraud[10];
  • 5,483 fraud investigations were commenced[11], primarily in large (1,001–10,000 employees) and extra-large (greater than 10,000 employees) entities;
  • 6,915 fraud investigations were finalised[12], with 3,192 fraud allegations substantiated in full or in part[13]; and
  • the cost of internal fraud was estimated at $2.9 million and the cost of external fraud was estimated at $158.1 million.[14]

1.4 The Australian Institute of Criminology notes that these reported fraud losses only include those which entities were able to quantify and that losses and recoveries may be difficult to quantify due to system limitations, conduct of investigations by external agencies or confidential settlements.[15]

1.5 The Commonwealth Fraud Risk Profile identifies eight fraud risk areas across corporate and program and policy functions (Table 1.1).

Table 1.1: Fraud risk areas in the Commonwealth

| Function | Fraud risk area | Types of fraud |
|---|---|---|
| Corporate | Assets | Theft, damage, misuse of facilities, vehicles, equipment, and other physical assets |
| Corporate | Corporate information | Theft, misuse, disclosure of employee information, intellectual property and other official information |
| Corporate | Human resources | Fraudulent recruitment and contracting practices and decisions |
| Corporate | Corporate funds | Theft, misuse, misdirection of payroll, entitlements, cash, credit cards, travel vouchers, invoicing and procurement |
| Program and policy | Program payments | Fraudulent claims, theft, misdirection, misuse of payments and services |
| Program and policy | Program revenue | Theft, misuse, misdirection of revenue, royalties and fees |
| Program and policy | Program information | Theft, misuse, disclosure of citizen and other official program information |
| Program and policy | Program and policy outcome | Misuse of power or position to unethically influence decisions, policies and outcome |

Source: Attorney-General’s Department, Commonwealth Fraud Prevention Centre, The New Commonwealth Fraud Risk Profile, AGD, 2022.

The Commonwealth Fraud Control Framework

1.6 The 2017 Commonwealth Fraud Control Framework provided the Australian Government’s fraud control requirements through to 30 June 2024. It had three components (see Table 1.2).

Table 1.2: 2017 Commonwealth Fraud Control Framework components

| Component name | Purpose | Binding effect |
|---|---|---|
| Fraud Rule — Section 10 of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) | Establishes key fraud control requirements. | Legislative instrument. Binds non-corporate and corporate Commonwealth entities. |
| Fraud Policy — Commonwealth Fraud Control Policy | Establishes procedural requirements for areas of fraud control, including investigations and reporting. | Binds non-corporate Commonwealth entities. Better practice for corporate Commonwealth entities. |
| Fraud Guidance — Resource Management Guide 201 — Preventing, detecting and dealing with fraud | Establishes better practice guidance for fraud control arrangements. | Better practice for non-corporate and corporate Commonwealth entities. |

Source: ANAO summary of 2017 Commonwealth Fraud Control Framework components.

1.7 On 1 July 2024, the 2024 Commonwealth Fraud and Corruption Control Framework came into effect. From 1 July 2024, non-corporate Commonwealth entities are required to adhere to the revised Fraud and Corruption Policy.[16] Adherence to the Fraud and Corruption Policy is considered better practice for corporate Commonwealth entities and Commonwealth companies. The revised framework includes provisions to mitigate corruption risk and complements the function of the National Anti-Corruption Commission (see Table 1.3).[17] The revised framework introduces new requirements for fraud governance, oversight arrangements and controls testing.

Table 1.3: Comparison of the key elements of the 2024 Fraud and Corruption Rule to the 2017 Fraud Rule

| New Fraud and Corruption Rule (effective from 1 July 2024) | Comparison with the Fraud Rule (effective to 30 June 2024) |
|---|---|
| Entities must conduct fraud and corruption risk assessments regularly and when there is a substantial change in the structure, functions or activities of the entity. | The Fraud Rule applied these requirements to fraud but not to corruption. |
| Entities must develop and implement fraud and corruption control plans as soon as practicable after conducting a risk assessment. | The Fraud Rule applied these requirements to fraud but not to corruption. |
| Entities must periodically review the effectiveness of their fraud and corruption controls. | There was no equivalent requirement in the Fraud Rule. The Commonwealth Risk Management Policy 2023 requires entities to periodically review the effectiveness of controls. |
| Entities must have governance structures, processes and officials in place to oversee and manage fraud and corruption risks. Entities must keep records of those structures, processes and officials. | There was no equivalent requirement in the Fraud Rule. The Commonwealth Risk Management Policy 2023 specifies governance requirements. |
| Entities must have appropriate mechanisms for preventing fraud and corruption by ensuring that: • entity officials are aware of what constitutes fraud and corruption; and • risks of fraud and corruption are considered in planning and conducting activities of the entity. | The Fraud Rule applied these requirements to fraud but not to corruption. |
| Entities must have appropriate mechanisms for: • detecting fraud and corruption, including processes for officials of the entity and other persons to report suspected fraud or corruption confidentially; • investigating or otherwise responding to fraud or corruption or suspected fraud or corruption; and • recording and reporting incidents of fraud or corruption or suspected fraud or corruption. | The Fraud Rule applied these requirements to fraud but not to corruption. |

Source: Adapted from Attorney-General’s Department, Commonwealth Fraud Prevention Centre. Learn about the Fraud and Corruption Control Framework available from https://www.counterfraud.gov.au/learn-about-fraud-and-corruption-control-framework [accessed 25 June 2024].

1.8 The 2017 Fraud Rule and the 2024 Fraud and Corruption Rule apply to both the internal and external fraud risks identified in Table 1.1. The 2024 Commonwealth Fraud and Corruption Control Framework states that:

Fraud and corruption are risks that can undermine the objectives of every Australian Government entity in all areas of their business, including delivery of services and programs, policy-making, regulation, taxation, procurement, grants and internal procedures.[18]

Responsibilities of accountable authorities

1.9 The Public Governance, Performance and Accountability Act 2013 (PGPA Act) and the PGPA Rule contain specific duties and requirements for the accountable authority of a Commonwealth entity pertaining to internal control arrangements, including for fraud control and reporting (see Table 1.4).

Table 1.4: Fraud-related responsibilities of accountable authorities

Reference: PGPA Act, section 15

Duty or requirement: Duty to govern the Commonwealth entity

  1. The accountable authority of a Commonwealth entity must govern the entity in a way that:
    1. promotes the proper use and management of public resources for which the authority is responsible[a]; and
    2. promotes the achievement of the purposes of the entity; and
    3. promotes the financial sustainability of the entity.
  2. In making decisions for the purposes of subsection (1), the accountable authority must take into account the effect of those decisions on public resources generally.

Reference: PGPA Act, section 16

Duty or requirement: Duty to establish and maintain systems relating to risk and control

The accountable authority of a Commonwealth entity must establish and maintain:

  1. an appropriate system of risk oversight and management for the entity; and
  2. an appropriate system of internal control for the entity;

including by implementing measures directed at ensuring officials of the entity comply with the finance law.

Reference: PGPA Rule, section 10 (the Fraud Rule)

Duty or requirement: Preventing, detecting and dealing with fraud

The accountable authority of a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by:

  1. conducting fraud risk assessments regularly and when there is a substantial change in the structure, functions or activities of the entity; and
  2. developing and implementing a fraud control plan that deals with identified risks as soon as practicable after conducting a risk assessment; and
  3. having an appropriate mechanism for preventing fraud, including by ensuring that:
    1. officials of the entity are made aware of what constitutes fraud; and
    2. the risk of fraud is taken into account in planning and conducting the activities of the entity; and
  4. having an appropriate mechanism for detecting incidents of fraud or suspected fraud, including a process for officials of the entity and other persons to report suspected fraud confidentially; and
  5. having an appropriate mechanism for investigating or otherwise dealing with incidents of fraud or suspected fraud; and
  6. having an appropriate mechanism for recording and reporting incidents of fraud or suspected fraud.

PGPA Rule

subsection 17AG(2)

Information on management and accountability

The annual report must include the following:

  1. information on compliance with section 10 (which deals with preventing, detecting and dealing with fraud) in relation to the entity during the period.
  2. a certification by the accountable authority of the entity that:
    1. fraud risk assessments and fraud control plans have been prepared for the entity; and
    2. appropriate mechanisms for preventing, detecting incidents of, investigating or otherwise dealing with and recording or reporting fraud that meet the specific needs of the entity are in place for the entity; and
    3. all reasonable measures have been taken to deal appropriately with fraud relating to the entity.
   

Note a: In respect to ‘proper use’, section 8 of the PGPA Act provides that ‘proper, when used in relation to the use or management of public resources, means efficient, effective, economical and ethical’.

Source: PGPA Act and PGPA Rule.

1.10 The Commonwealth Grants Rules and Guidelines (CGRGs) note that probity and transparency in grants administration are achieved by ensuring that decisions are impartial, documented, and lawful; there is compliance with public reporting requirements; and there are appropriate safeguards against fraud. The CGRGs state that accountable authorities must ensure that the entity’s fraud procedures and practices comply with the Fraud Rule, including as they apply to grants administration. The CGRGs further note that officials undertaking grants administration should be aware of the procedures to follow if fraud is suspected.19

1.11 The APS Integrity Taskforce’s 2023 report Louder than Words: An APS Integrity Action Plan noted the need for entities to ‘gain reassurance that their integrity frameworks are effective and that their fraud and corruption risks are mitigated’.20 The report contains a recommendation to ‘upscale institutional integrity (cultural and compliance) within agencies’.21 One of the actions identified by the APS Integrity Taskforce to support implementation of this recommendation is for accountable authorities to complete a self-assessment against the Commonwealth Integrity Maturity Framework and report the results to the Secretaries Board by September 2024.

1.12 The NHMRC’s April 2024 self-assessment identified its overarching integrity maturity at Level 3 against the Commonwealth Integrity Maturity Framework. As at 4 October 2024, the NHMRC’s self-assessment had not been provided to the Secretaries Board.

1.13 ‘Prevent, detect and manage fraud and corruption’ is one of the eight integrity principles identified by the National Anti-Corruption Commission (NACC) in the Commonwealth Integrity Maturity Framework.22 The NACC identified in its Integrity Outlook 2023–24 that:

Minimising the incidence of internal fraud through the identification and management of fraud risks should continue to be an ongoing focus of agencies. This can be achieved through the development, implementation and regular review of fraud prevention and detection strategies.23

Previous audits

1.14 The fraud control arrangements of Australian Government entities have been the subject of previous Auditor-General reports. The most recent was tabled in 2023–24 and examined the Australian Taxation Office’s (ATO’s) management and oversight of fraud control arrangements for the Goods and Services Tax (GST). The audit found that the ATO’s management and oversight of fraud control arrangements for the GST was partly effective.24

1.15 A series of three Auditor-General reports on the fraud control arrangements of Australian Government entities was published in June 2020.25 The reports concluded that:

  • fraud control arrangements in the Department of Home Affairs were effective;
  • fraud control arrangements in the Department of Social Services and the Department of Foreign Affairs and Trade were largely effective; and
  • each of the audited entities met the mandatory requirements of the 2017 Commonwealth Fraud Control Framework.26

National Health and Medical Research Council

1.16 The NHMRC is a non-corporate Commonwealth entity and a statutory authority within the Australian Government Health and Aged Care portfolio.

1.17 The NHMRC administers the Medical Research Endowment Account (the MREA) to provide assistance for public health and medical research and training, primarily through grant programs to:

  • departments of the Australian or a state or territory government that are engaged in medical research;
  • universities for the purpose of medical research;
  • institutions and persons engaged in medical research; and
  • in the training of persons in medical research.27

1.18 The NHMRC awards funding through its grant programs to universities or research institutions that it has assessed as eligible to receive such funding, known as Administering Institutions.28 Individual researchers can only apply for NHMRC grants via an Administering Institution. The Administering Institution is the grant recipient, not the individual researcher, and is bound by the terms of the funding agreement with the NHMRC, including to manage the grants effectively and responsibly.

1.19 In 2022–23 the NHMRC reported in its annual report that it managed the peer review of 4,426 applications and the award of 717 grants across its MREA grant program for a total of $898.1 million.29

1.20 The NHMRC also manages grants through the Medical Research Future Fund (MRFF) on behalf of the Department of Health and Aged Care (Health) pursuant to a shared services agreement. Under its agreement with Health, in the NHMRC reported that it managed 1659 applications through 29 grant opportunities and awarded 382 grants valued at $626.5 million from the MRFF.30 The NHMRC is required to notify Health when it becomes aware of any instances of suspected grant non-compliance, including fraud (see paragraph 2.8). Health is responsible for the reporting and investigation of any MRFF-related fraud allegations.

1.21 The NHMRC’s funding and average staffing levels for 2023–24 are provided in Table 1.5. For 2022–23, resourcing for administration and staffing was less than 6 per cent of the NHMRC’s estimated total resourcing, with approximately 94 per cent of resources administered through grant programs.

Table 1.5: NHMRC’s funding allocation and average staffing levels, 2023–24

| | Year | Average staffing level [note a] | Total resourcing ($’000) |
|---|---|---|---|
| Departmental | 2023–24 | 205 | 60,048 |
| Administered | 2023–24 | N/A | 1,323,574 |

Note a: Average staffing level is a method of counting that adjusts for casual and part-time staff to show the average number of full-time equivalent employees.

Source: Australian Government, Portfolio Budget Statements 2024–25, Budget Paper 1.9, Health and Aged Care Portfolio, Commonwealth of Australia, Canberra, 2023.

1.22 Fraud incidents that have been reported in the NHMRC’s fraud registers from 1 July 2022 to 31 May 2024 are shown in Table 1.6.31

Table 1.6: Outcome of NHMRC fraud incident investigations, 31 July 2022 to 31 May 2024 [note a]

Outcome as documented by NHMRC

2022–23

2023–24

Internal fraud allegations

External fraud allegations

1b

3b

Outcomes

Fraud substantiated

1b

Fraud not substantiated

1

Cases open at the end of the year

1

     

Note a: The outcomes shown in the table do not include reports of suspected fraud relating to the MRFF grants program administered by NHMRC on behalf of the Department of Health and Aged Care (see paragraph 1.20).

Note b: This case was opened in 2021–22 and was closed in the fraud and corruption control register in October 2023. During this period the case was closed in 2021 and then reopened in 2022 as more information became available to the NHMRC.

Source: ANAO analysis of NHMRC fraud registers.

Rationale for undertaking the audit

1.23 Fraud against Australian Government entities reduces available funds for public goods and services and causes financial and reputational damage to the Australian Government.32 All Commonwealth entities are required to have fraud control arrangements in place to prevent, detect and respond to fraud. From 1 July 2024, this requirement also extends to corruption.

Audit approach

Audit objective, criteria and scope

1.24 The objective of the audit was to assess the effectiveness of the NHMRC’s fraud control arrangements.

1.25 To form a conclusion against this objective, the following high-level criteria were adopted.

  • Have appropriate arrangements been established to oversee and manage fraud risks?
  • Have appropriate mechanisms been established to prevent fraud, and promote a culture of integrity?
  • Have appropriate mechanisms been established to detect and respond to fraud?
  • Has the NHMRC appropriately prepared for the commencement of the revised Commonwealth Fraud and Corruption Control policy in July 2024?

1.26 This audit examines the NHMRC’s fraud control arrangements in 2022–23 and 2023–24. The audit assesses the NHMRC’s compliance with the 2017 Commonwealth Fraud Control Framework and readiness to implement the Commonwealth Fraud and Corruption Control Framework 2024.

Audit methodology

1.27 The audit methodology included:

  • examination of NHMRC’s strategies, frameworks, policies, procedures, guidelines and training, risk assessments, control plans, investigation processes; governance committee meeting papers; reviews, internal audits and assurance reports; and internal and external reporting on fraud and corruption control activities; and
  • meetings with NHMRC officials.

1.28 The ANAO did not assess the effectiveness of NHMRC’s fraud controls.

1.29 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $252,570.

1.30 The team members for this audit were John McWilliam, Kim Bond, Lauren Dell, Jake Farquharson, Michael McGillion and Alexandra Collins.

2. Oversight and management of fraud risks

Areas examined

This chapter examines whether the National Health and Medical Research Council (NHMRC) has established appropriate arrangements to oversee and manage fraud risks.

Conclusion

The NHMRC has established partly appropriate arrangements to oversee and manage fraud risks. The NHMRC’s 2023–2025 Fraud and Corruption Control Framework is aligned with the 2017 Commonwealth Fraud Control Framework. The agency has established largely appropriate oversight arrangements for the management of fraud risks. The Audit and Risk Committee did not provide independent advice to the accountable authority on the appropriateness of the system of risk management. The NHMRC’s 2023–2025 Fraud and Corruption Risk Assessment includes risks relating to its core business, the administration of grant funding. The Fraud and Corruption Control Plan is largely appropriate for internal fraud risks. It falls short of appropriately managing external fraud risks relating to the NHMRC’s administration of grant funding. The NHMRC has not identified and assessed all external fraud risks relating to grant funding. The NHMRC’s risk assessment of grant related fraud risks is not based on all relevant information. Most of the controls for grant related fraud risks rely on the cooperation of, or untested assurances from, the grant recipients. The NHMRC has not established mechanisms to review the effectiveness of the controls listed in the 2023–2025 Fraud and Corruption Risk Assessment.

Areas for improvement

The ANAO made three recommendations aimed at ensuring that all fraud risks are identified and regularly reviewed, gaining assurance over the effectiveness of risk controls implemented by grant recipients and assessing the effectiveness of the controls and mitigation strategies in the NHMRC’s 2023–2025 Fraud and Corruption Risk Assessment. The ANAO identified an opportunity for the NHMRC to improve the coverage of fraud risks within its internal audit work program.

2.1 Section 16 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) states that the accountable authority of a Commonwealth entity has a duty to establish and maintain systems relating to risk and control. The 2017 Commonwealth Fraud Control Framework (see Table 1.2), which was in place during the time period for this audit, required accountable authorities to conduct regular fraud risk assessments and, as soon as practicable, develop and implement fraud control plans to deal with the identified risks.33 The requirement was restated in the 2024 Commonwealth Fraud and Corruption Framework, with the 2024 framework requiring fraud and corruption risk assessments to be undertaken at least every two years.34

Are there appropriate governance and oversight arrangements for fraud control?

The NHMRC established a Fraud and Corruption Framework that covers key elements of the 2017 Commonwealth Fraud Control Framework. Senior officials were assigned responsibility for fraud control activities and a Fraud and Corruption Control Officer (FCCO) was appointed. The NHMRC’s Executive Board is responsible for, and the Audit and Risk Committee (ARC) provides assurance over, risk management including fraud. Both the Executive Board and the ARC reviewed the NHMRC’s fraud and corruption control policy. The procedures for dealing with suspected grant fraud are incomplete. They do not effectively support the NHMRC to conduct fraud risk assessments based on all available information and data, or to fulfil its obligations for specific grants administered under the shared services agreement with the Department of Health and Aged Care. The ARC did not seek further information on the effectiveness of controls following instances of alleged fraud. The ARC’s advice to the Chief Executive Officer (CEO) relied on assertions from management that the agency complies with the Commonwealth Risk Management Policy and the Commonwealth Fraud Control Framework.

Entity framework for fraud control

2.2 The 2023–2025 NHMRC Fraud and Corruption Control Framework and the 2023–2025 NHMRC Fraud and Corruption Control Plan comprise the NHMRC’s Fraud and Corruption Control Policy.35

2.3 In August 2023, the NHMRC’s CEO approved the 2023–2025 NHMRC Fraud and Corruption Control Framework. The framework sets out the NHMRC’s policies and procedures for preventing, detecting and responding to fraud. The framework replaced the 2020–2022 version (approved in January 2020). It was updated on 26 September 2023 for a change in the nominated FCCO.

2.4 The 2023–2025 NHMRC Fraud and Corruption Control Framework covers the key elements of the 2017 Commonwealth Fraud Control Framework.36 The inclusion of corruption in the 2023–2025 version of the framework was to enable the NHMRC to meet its obligations under the National Anti-Corruption Commission Act 2022 which came into effect on 1 July 2023.

Roles and responsibilities

2.5 The NHMRC Fraud and Corruption Control Framework states that it is the CEO’s responsibility to implement the Fraud and Corruption Control Plan and fulfil relevant reporting requirements. It also sets out the responsibilities of the CEO, the General Manager and Executive Directors. The CEO’s instrument of delegation dated 14 April 2024 delegates the function to ‘implement formal measures to prevent, detect and deal with fraud’ to the General Manager, Chief Financial Officer, Deputy Chief Financial Officer and Executive Directors.

2.6 The NHMRC’s Accountable Authority Instructions, issued by the Chief Executive Officer, state that all officials must comply with the Commonwealth Fraud Control Policy and act in accordance with the NHMRC’s Fraud and Corruption Control Plan.

2.7 The 2023–2025 NHMRC Fraud and Corruption Control Framework names the Director, Governance and Legal Section as the entity’s FCCO and lists the position’s responsibilities, including the maintenance of a fraud and corruption register. In March 2024 the NHMRC advised the ANAO that the Executive Director, Research Quality and Advice is responsible for managing reports of suspected misconduct by a grant recipient and maintains a separate register of suspected misconduct. The People, Property and Security Section is responsible for the management and reporting of potential breaches of the Australian Public Service (APS) Code of Conduct, including internal fraud. These roles were not documented in the framework.

2.8 The NHMRC’s role in managing the Medical Research Future Fund (MRFF) grants program on behalf of the Department of Health and Aged Care (Health) is not reflected in the 2023–2025 Fraud and Corruption Control Framework or Plan (see paragraph 1.20). The NHMRC is required to notify Health when it becomes aware of any instances of potential grant non-compliance, including fraud. A draft flowchart has been developed for managing instances where suspected research misconduct has been identified and when Health is to be notified. The draft flowchart has not been incorporated into the 2023–2025 Fraud and Corruption Control Framework and there is no guidance on how reports of suspected non-compliance for MRFF grants are to be recorded in the NHMRC’s fraud or research and integrity misconduct registers. Nor does the flowchart refer to the NHMRC’s obligations under the shared services agreement with Health. The procedural document is not clear or complete.

Fraud reporting, oversight and assurance

Executive Board

2.9 The NHMRC Executive Board, chaired by the CEO, is the entity’s senior governance body and is responsible for ‘leadership and oversight of organisational performance, including strategic and sensitive discussions, managing risks and issues’. In March and July 2023, the NHMRC Executive Board considered the draft 2023–2025 Fraud and Corruption Control Framework, Plan and risk assessment.

2.10 In December 2023 the Executive Board was briefed on changes to the 2023 Administering Institution: Compliance Monitoring and Management Framework and was provided, for noting, the results of the 2022 Administering Institution Compliance Risk Assessment (AICRA). The Institutional Annual Compliance Report (IACR) is compiled from annual compliance self-assurance assessment surveys completed by Medical Research Endowment Account (MREA) grant recipients (known as Administering Institutions). The IACR is a key control for fraud risks relating to the NHMRC’s administration of its MREA grants program (see paragraphs 2.52 to 2.54). The surveys include questions on allegations of fraud, financial control, audit findings, governance and compliance with NHMRC and Australian Government policies, guidelines and legislation. Completion of the IACR is a condition of the NHMRC’s MREA funding agreement. No corresponding requirement is imposed upon the recipients of MRFF grants (known as eligible organisations) (see paragraph 1.20).

Audit and Risk Committee

2.11 The NHMRC’s Audit and Risk Committee (ARC) is responsible for providing independent assurance to the CEO on risk oversight and management. The functions of the ARC are consistent with the model charter for an audit committee in the Department of Finance’s Resource Management Guide (RMG) 202 - Audit Committee.37 The ARC is to review and advise the CEO on the appropriateness of the NHMRC’s system of risk oversight and management, including the:

process for developing and implementing the entity’s fraud control arrangements consistent with the Commonwealth Fraud Control Framework, including satisfying itself that the entity has adequate processes for detecting, capturing and effectively responding to fraud risks.

2.12 Fraud is a standing agenda item at ARC meetings. At each meeting, the ARC receives a copy of the fraud incident register. It does not receive a copy of the misconduct register. Between July 2022 and June 2024, the registers provided to the ARC listed a total of three incidents relating to grant recipients (see Table 1.6). During these two years, the ARC sought information from management on fraud risk assessments and ratings in the context of the development of the 2023–2025 Fraud and Corruption Control Plan. The ARC did not seek further information on the effectiveness of controls or continuous improvement actions taken following the recording of or closure of the incidents on the register.

2.13 In March 2023 the ARC reviewed the draft 2023–2025 Fraud and Corruption Control Policy. It was provided with the 2023–2025 Fraud Control Framework, Plan and risk assessment for noting at its August 2023 meeting, following consideration of the documents by the Executive Board (see paragraph 2.9). The ARC suggested a small drafting change to improve readability and sought clarification on why grant recipients were not included in the flowchart for managing reports of suspected fraud (see paragraph 4.23).38 Management advised the ARC that fraud detected by a grant recipient would fall within the NHMRC’s 2019 Research Integrity and Misconduct Policy.39 No changes were made to the flowchart following the meeting. The inconsistencies in the procedures for investigating suspected fraud are discussed at paragraphs 4.23 to 4.26. There is no evidence that the ARC advised the CEO about the risk associated with the absence of the Research Integrity and Misconduct Policy procedures in the 2023–2025 Fraud and Corruption Control Policy.

2.14 In August 2023 the ARC provided the CEO with its statement on the committee’s assessment of the NHMRC’s risk management systems for 2022–23 and advised that:

Management has confirmed to the Committee that the entity complies with the Commonwealth Risk Management Policy and the Commonwealth Fraud Control Framework.

2.15 The ARC did not undertake an independent assessment to support its advice on the NHMRC’s risk management systems.

Has the entity appropriately assessed its fraud risks?

The NHMRC undertook fraud risk assessments in 2019 and 2023. The 2019 fraud risk assessment was not updated following the launch of a new grants management IT system. The 2023–2025 Fraud and Corruption Risk Assessment included risks related to the NHMRC’s administration of grants which is one of the agency’s core functions. The risk assessment utilises the risk matrix for likelihood and consequence set out in the enterprise risk management framework. The relationship between accepted risk ratings and the NHMRC’s tolerances for specific risk categories is not documented. The NHMRC’s ARC did not consider the 2023–2025 Fraud and Corruption Control Plan in assessing the appropriateness of the 2024–25 internal audit work program.

2.16 Table 2.1 presents an assessment of the NHMRC’s approach to applying the Fraud Rule, Guidance and Policy in relation to conducting fraud risk assessments.

Table 2.1: Assessment against the Fraud Framework — Fraud risk assessment

| Standard [note a] | Source | Assessment | Paragraphs |
|---|---|---|---|
| Fraud control arrangements developed in the context of the entity’s overarching risk management framework | Fraud Policy, paragraph v | | See paragraphs 2.17 to 2.24 |
| Risk assessment considered relevant risk management and fraud and corruption control standards | Fraud Guidance, paragraph 32 | | See paragraph 2.25 |
| Fraud risk assessment conducted regularly and when there is a substantial change in the structures, functions or activities of the entity | Fraud Rule, paragraph 10(a) | | See paragraphs 2.26 to 2.28 |
| Risk assessments consider significant entity-specific risk factors | Fraud Guidance, paragraph 28; Commonwealth Grants Rules and Guidelines, paragraphs 7.5–7.12 | | See paragraphs 2.29 to 2.33 |
| Outcomes of risk assessments provided to internal audit for consideration in annual audit work program | Fraud Guidance, paragraph 29 | | See paragraphs 2.36 to 2.38 |

Key:  Fully compliant Partly compliant Not compliant.

Note a: For non-corporate Commonwealth entities, the Fraud Rule and Policy are mandatory and the Fraud Guidance is better practice. Non-corporate Commonwealth entities undertake grants administration based on the mandatory requirements and key principles of grants administration in the Commonwealth Grants Rules and Guidelines (CGRGs). Paragraphs 7.5 to 7.12 of the CGRGs represent better practice for non-corporate Commonwealth entities.

Source: ANAO analysis of NHMRC documentation.

Fraud control as part of the risk management framework

2.17 The Fraud and Corruption Control Framework 2023–2025 states that it is to be read in conjunction with other policies, including the 2023–2026 Risk Management Framework and Policy.

2.18 The fraud risk assessment in the 2023–2025 Fraud Control Plan complies with the requirement to identify risks and rate them using the risk matrix in NHMRC’s 2023–2026 Risk Management Framework and Policy. It does not meet the NHMRC’s policy requirements for risk evaluation, including identifying risk owners, evaluating risks in the context of the NHMRC’s risk appetite, identifying possible treatments, assessing mitigation strategies, and arranging for the monitoring of controls and mitigation strategies.

2.19 The 2023–2025 Fraud and Corruption Risk Assessment identifies 27 fraud risks, most of which relate to internal fraud (see Table 2.2). Each risk is described and assigned ratings for current likelihood, current consequence, current risk rating and accepted risk rating. Internal controls for each risk are categorised as either detective or preventative and rated as either effective or moderately effective.

2.20 The risk assessment uses the term ‘current risk rating’ to describe an overall rating based on the likelihood and consequence rating. It does not specify if this rating is before or after the current internal controls listed for the particular risk have been applied. The 2023–2026 Risk Management Framework and Policy provides no basis for the assessment of the effectiveness of the internal controls as either effective or moderately effective.

2.21 The 2023–2026 Risk Management Framework and Policy provides guidance on the five categories of consequences to be used in evaluation of the fraud risk: catastrophic, major, moderate, minor and insignificant. Each consequence category includes a minimum and maximum range for the value of the fraud resulting from the risk occurring. For example, the catastrophic consequence guidance includes the value of fraud of greater than $10 million per event. The 2023–2025 Fraud and Corruption Risk Assessment does not quantify the potential value of fraud for each risk.

2.22 Under the NHMRC’s 2023–2026 Risk Management Framework and Policy, risk evaluation and response involves assessing the assurance provided by existing controls against the level of risk that can be tolerated for an activity:

Thoroughly consider (at a minimum) each risk that is rated as ‘medium’, ‘high’, or ‘extreme’. Consider the cost and benefit of controlling the risk and if additional systems of control or treatment are required. Consider whether the likelihood or consequences of risk are within NHMRC’s control. Record either ‘accept’ or ‘mitigate’ on the activity documentation.

2.23 The 2023–2025 Fraud and Corruption Risk Assessment does not refer to risk tolerances for any of the identified risks or categories of risks. The ‘accepted risk rating’ is the same as the ‘current risk rating’ in the 2023–2025 Fraud and Corruption Risk Assessment except for the following three risks:

  • ‘Misuse of research grant funds’, which was rated high for the current risk rating before the application of a mitigation strategy that reduced the accepted risk rating to medium40;
  • ‘Poor management by Administering Institutions’ which was reduced from medium to low after the application of a mitigation strategy; and
  • ‘Improper contractor conduct or improper contractor management’ which is stated as medium and the accepted risk rating as low without any mitigation strategy having been applied.

2.24 Mitigation strategies were not applied to all four of the risks with current risk ratings of high shown in Table 2.2. There is no rationale recorded in the 2023–2025 Fraud and Corruption Risk Assessment as to why these risks did not require a mitigation strategy or fall within the NHMRC’s relevant risk tolerance.

Risk, fraud and corruption control standards

2.25 Paragraph 32 of the Fraud Guidance encourages entities to consider the relevant recognised standards, including the Australian/New Zealand Standard AS/NZ ISO 31000-2009 Risk Management—Principles and Guidelines and Australian Standard AS 8001-2008 Fraud and Corruption Control. The Fraud and Corruption Control Framework 2023–2025 states that it has been developed in accordance with the Commonwealth Fraud Control Framework 2017 and the Australian Standard on Fraud and Corruption Control AS 8001:2021.

Fraud risk assessments

2.26 The 2023–2025 NHMRC Fraud and Corruption Control Framework states that:

NHMRC will conduct an assessment of fraud and corruption risk every two years and at times of significant change, as recommended in the Commonwealth Fraud Control Framework 2017.41

2.27 The NHMRC’s current fraud risk assessment is included in the Fraud and Corruption Control Plan which was approved in August 2023. The previous fraud risk assessment was conducted in November 2019 as part of the update to the Fraud Control Framework and Fraud Control Plan in January 2020. These fraud risk assessments were not completed within the two-yearly timeframe specified in the NHMRC’s 2023–2025 Fraud and Corruption Control Framework.

2.28 In January 2022, the NHMRC completed the rollout of a new grants management system, Sapphire, and decommissioned its previous system, the Research Grants Management System. Sapphire supports grants administration by NHMRC staff and grant-related activities including application, assessment and award activities.42 Authorised access is given to grant recipients, reviewers, researchers, and other eligible organisations. The fraud risk assessment that supported the 2020 Fraud Control Plan was not updated at the time of this significant transformation to the NHMRC’s operations.

Entity-specific fraud risk factors

2.29 The 2017 Commonwealth Fraud Control Framework states that ‘Risk assessment processes ideally take into account all significant factors likely to affect an entity’s exposure to risk.’43 Table 2.2 shows the 27 fraud and corruption risks in NHMRC’s 2023–2025 Fraud and Corruption Control Plan categorised by ANAO as either internal or external risks.

Table 2.2: Categorisation of fraud and corruption risks from NHMRC’s 2023–2025 Fraud and Corruption Control Plan

| Fraud and corruption risks | ANAO categorisation of focus of fraud and corruption risk | NHMRC’s current risk rating [notes a, b] |
|---|---|---|
| Theft and misuse of application data | External | High |
| Misuse of research grant funds | External | High |
| Cybersecurity threats including hacking, malware, on-selling data and identity theft | External | High |
| Inappropriate influence in evidence reviews or guideline development | External | High |
| Poor management by Administering Institutions | External | Medium |
| Provision of false or misleading information to NHMRC | External | Medium |
| Undue or inappropriate influence in peer review processes | External | Medium |
| Recruitment — selection bias of delegate or panel members | Internal | Medium |
| Unauthorised committee member payments or benefits | Internal | Medium |
| Deliberately converting an unsuccessful application to a successful application | Internal | Medium |
| Cheque book fraud | Internal | Medium |
| Manipulation of grant budget process or approval | Internal | Medium |
| Theft of, or unauthorised access to, HR information | Internal | Medium |
| Misuse of Cabcharge vouchers | Internal | Medium |
| Improper use of procurement process | Internal | Medium |
| Employee leave and attendance not recorded appropriately | Internal | Medium |
| Improper contractor conduct or improper contractor management | Internal | Medium |
| Diversion of accounts receivable funds | Internal | Medium |
| Misuse of credit cards | Internal | Medium |
| Accounts payable fraud | Internal | Medium |
| Travel fraud | Internal | Medium |
| Unauthorised payments from the Medical Research Endowment Account (MREA) | Internal | Medium |
| Obtaining security clearance for personal gain | Internal | Low |
| Alteration of data in grant management systems | Internal | Low |
| Theft or misuse of NHMRC equipment, including property, tenancy and ICT equipment | Internal | Low |
| Unauthorised employee payroll payments or employee benefits | Internal | Low |
| Misuse of personal or privileged information accessed through various forms of IT systems | Internal | Low |

Note a: The NHMRC’s 2023–2025 Fraud and Corruption Control Plan also includes but does not define an ‘accepted risk’ rating. The ‘accepted risk’ rating differs from the ‘current risk’ rating for the risks ‘misuse of research grant funds’, ‘poor management by administering institutions’ and ‘improper contractor conduct or improper contractor management’ (see paragraphs 2.20 to 2.21).

Note b: NHMRC’s 2023–2026 Risk Management Framework and Policy uses a risk rating scale of low, medium, high and extreme.

Source: NHMRC’s 2023–2025 Fraud and Corruption Control Plan.

2.30 The first three of the four risks rated as high in Table 2.2 relate to the administration of grant funding by the NHMRC.

2.31 The other fraud risks related to the administration of grants programs are:

  • ‘Poor management by Administering Institutions’;
  • ‘Deliberately converting an unsuccessful application to a successful application’;
  • ‘Manipulation of Grant Budget process or approval’;
  • ‘Provision of false or misleading information to NHMRC’; and
  • ‘Alteration of data in grant management systems’.

2.32 The 2019 Fraud Risk Assessment identified five fraud risks and associated controls involving the Research Grants Management System operating at that time. The 2023–2025 Fraud Risk Assessment replaced some, but not all, of the references to the decommissioned Research Grants Management System with references to Sapphire (see paragraph 2.28). Sapphire is supported by a contracted third-party ICT service provider. In May 2024, the NHMRC’s ARC was briefed by the Chief Information Officer on the risks associated with the NHMRC’s program of ICT investment and noted the reputation risk if the security of Sapphire was compromised.

2.33 The 2023–2025 Fraud Risk Assessment added a new risk relating to cyber security. The description of the risk relates to NHMRC’s financial ICT system; there is no reference to Sapphire. The NHMRC did not re-assess the likelihood or consequence of, or the controls for, grant related fraud after the rollout of the Sapphire system.

Recommendation no.1

2.34 The National Health and Medical Research Council ensure its fraud risk assessments comply with the NHMRC’s 2023–2026 Risk Management Framework and Policy, including documentation of estimated value of fraud as a result of identified risks occurring, and account for all elements of its risk environment and administrative systems.

National Health and Medical Research Council response: Agreed.

2.35 NHMRC will take steps to more fully align its fraud risk assessments with its Risk Management Framework and Policy.

Informing internal audit of fraud risk

2.36 The NHMRC advised the ANAO that its internal audit team has not reviewed or reported on fraud and corruption control in the last five years.

2.37 At its meeting in May 2024, the ARC was provided with the 2024–25 Internal Audit Work Plan (the 2024–25 IAWP) proposing three audits and the 2025–26 Internal Work Plan: Forward Years (the forward plan) which identified future potential topics. No audits of fraud control were included in the 2024–25 IAWP. The forward plan included a proposed ‘governance review’ into risk control implementation and a ‘compliance audit’ into the operation of the grants program. The ARC did not consider the outcomes of the fraud risk assessment in advising the CEO on the appropriateness of the IAWP.

Opportunity for improvement

2.38 The National Health and Medical Research Council’s internal audit work program could routinely examine fraud risks, including through audits focusing on fraud-related matters.

Is there an appropriate fraud control plan and testing of control effectiveness?

The NHMRC’s 2023–2025 Fraud and Corruption Control Plan included 27 fraud risks, seven of which related to external risks. Responsibility for managing each of the controls was not listed in the 2023–2025 Fraud and Corruption Risk Assessment. Controls for internal risks are more clearly aligned with the identified risks than those listed for external risks in the 2023–2025 Fraud and Corruption Control Plan. The non-mandatory reporting to the NHMRC of all instances of alleged fraud, including where it relates to research misconduct, limits the information that the NHMRC has regard to when conducting risk assessments for external fraud risks. The NHMRC has not established appropriate mechanisms to gain assurance over all grant recipients’ compliance with the terms of funding agreements or MREA grant recipients’ responses to the annual self-assessment compliance survey. Both of these are listed as controls for external risks related to the NHMRC’s administration of grant programs. Except for specific ICT controls, the NHMRC has not established a mechanism to review the effectiveness of controls listed in the 2023–2025 Fraud and Corruption Risk Assessment.

2.39 Table 2.3 presents an assessment of the NHMRC’s approach to applying the Fraud Rule and Guidance in relation to fraud control plans.

Table 2.3: Compliance assessment — Fraud control plan

| Standard (note a) | Source | Assessment | Paragraphs |
| --- | --- | --- | --- |
| Fraud control plan developed and implemented that deals with identified risks | Fraud Rule, paragraph 10(b) | | See paragraphs 2.40 to 2.41 |
| Controls and strategies outlined in the plan are commensurate with assessed fraud risks | Fraud Guidance, paragraph 39 | | See paragraphs 2.42 to 2.55 |
| Mechanisms established to review and test controls effectiveness on a regular basis | Fraud Guidance, paragraphs 39 and 41 | | See paragraphs 2.57 to 2.61 |

Key:  Fully compliant Partly compliant Not compliant.

Note a: For non-corporate Commonwealth entities, the Fraud Rule and Policy are mandatory and the Fraud Guidance is better practice.

Source: ANAO analysis of NHMRC documentation.

NHMRC’s Fraud control plan

2.40 The 2023–2025 NHMRC Fraud and Corruption Control Plan identifies fraud and corruption risks, and the controls and mitigating strategies to treat these risks.

2.41 Fraud risk controls are intended to reduce the likelihood of fraud or its impact.44

  • Preventative fraud controls prevent or limit the size of the fraud risk by reducing the likelihood and consequences of fraud.
  • Detective fraud controls can help identify when fraud has occurred. If detected early, the impact of fraud can be reduced.

Controls and strategies align with assessed fraud risks

Internal fraud risks

2.42 The majority of the NHMRC’s preventative and detective controls for internal fraud risks, as described in the risk assessment, are commensurate with the described risks. They are also largely consistent with the Commonwealth Fraud Prevention Centre’s common fraud control types (see paragraphs 3.17 and 4.15).45 In other cases, the NHMRC has:

  • assigned preventative controls that are in effect detective controls and assigned a detective control that is in effect a preventative control (see paragraph 3.14); and
  • nominated elements of its operating environment as preventative controls without including additional activities to embed these requirements into the agency’s operations (see paragraph 3.13).

External fraud risks

2.43 Four of the seven external fraud and corruption risks relate to the administration of the NHMRC’s grants programs. The Commonwealth Grant Rules and Guidelines 2017 state that probity and transparency in grants administration is achieved by ensuring, among other things:

that grants administration by officials and grantees incorporates appropriate safeguards against fraud, unlawful activities and other inappropriate conduct.46

2.44 The recipients of grants administered by the NHMRC are universities, research institutes or other organisations that have been assessed as eligible by the NHMRC.

2.45 Eligible grant recipients enter into a funding agreement with the NHMRC that, among other things, requires them to conduct ‘research activities in an ethical manner in accordance with NHMRC approved standards and guidelines and all applicable Australian Government and State and Territory laws and regulations’.47 The NHMRC’s approved standards include the 2018 Australian Code for the Responsible Conduct of Research (the Code).48

2.46 The Code is supported by guides, including the 2018 Guide to Managing and Investigating Potential Breaches of the Australian Code for the Responsible Conduct of Research (the Guide).49 The Guide defines a breach as a failure to meet the principles and responsibilities of the Code and provides examples, including ‘Fabrication, falsification, misrepresentation … Falsification and/or misrepresentation to obtain funding’.50

2.47 If an allegation of misconduct or of a potential breach of the Code is made in relation to research activities funded by the NHMRC, the grant recipient must notify the NHMRC in accordance with the 2019 NHMRC Research Integrity and Misconduct Policy. It provides that grant recipients must notify the NHMRC if they have received an allegation of fraud that relates to NHMRC funding:

as soon as possible and within one week of a decision by a senior employee of the grant recipient that the allegations warrant formal investigation.51

2.48 In practice, the NHMRC only receives notification of allegations in accordance with the flowchart in the 2019 NHMRC Research Integrity and Misconduct Policy. The flowchart sets out the notifications to be made to the NHMRC for research integrity matters, which may include fraud. The flowchart shows that no notification is required to be made to the NHMRC if the complaint made to the grant recipient does not proceed to preliminary assessment or investigation. The threshold for undertaking a formal investigation and therefore for notifying the NHMRC is a matter for the grant recipient to decide. The flowchart is inconsistent with the notification requirements set out within the 2019 NHMRC Research Integrity and Misconduct Policy. By adopting the terminology from the Code, such as ‘research misconduct’ and ‘misuse of research funds’, the NHMRC has not documented the relationship between academic related misconduct and the risk of fraud and corruption. The current identification and description of fraud risks focuses on the risks associated with the quality of research produced by grant recipients, rather than on the risk of misappropriation of public resources provided by way of grant funding. The NHMRC has not provided clear guidance or procedures for grant recipients to notify the NHMRC of all instances of suspected grant fraud. As a result, the NHMRC does not have accurate or reliable data upon which to properly assess grant related fraud risks.

2.49 Grant recipients are identified as the potential source for the majority of the external risks in the 2023–2025 Fraud and Corruption Risk Assessment. The NHMRC’s reliance on non-mandatory reporting to the NHMRC of suspected fraud diminishes the NHMRC’s ability to assess, detect and manage suspected fraud by grant recipients. The controls identified in the risk assessment do not seek to mitigate this risk.

2.50 The descriptions of the controls for four of the NHMRC’s external fraud risks and one internal risk were assessed by the ANAO for alignment with the guidance contained within the Commonwealth Fraud Prevention Centre’s catalogue of fraud controls.52

2.51 The majority of controls for the internal fraud risk are aligned with the fraud control catalogue and commensurate with the cause of the identified risk. The controls included the separation of duties (preventative control) and audit-logging of the financial management information system (detective control).

2.52 The controls for the four external risks are aligned with the fraud control catalogue. Not all the controls are commensurate to the identified fraud risks. Two detective controls rely on grant recipients reporting suspected fraud, which only occurs if they decide to proceed with an investigation (see paragraph 2.48). Six preventative controls rely on information provided by the grant recipient themselves:

  • an attestation provided upon application to become eligible to receive MREA grants, that the potential grant recipient:
    • complies with all relevant Commonwealth and state legislation;
    • has sufficient and available resources for the administration and acquittal of Commonwealth funds in accordance with the NHMRC’s MREA Funding Agreement;
    • has a current risk management plan, and the capacity to comply with the requirements of the Australian Code for the Responsible Conduct of Research and the NHMRC’s requirements for notification of research integrity matters; and
    • has policies, procedures and training, staffing and infrastructure in place to ensure any officer of the institution is not involved in any activities involving dishonesty including potential misappropriation of monies53;
  • an attestation, provided upon application to become eligible to receive MRFF grants, that the potential grant recipient ‘has, or if successful in securing an MRFF grant would be able to put in place, the ability to meet all obligations under the MRFF Grant Opportunity Guidelines and Funding Agreement, to support the administration of MRFF funding and the conduct of MRFF-funded research’54;
  • detecting and reporting discrepancies in grant payments made to them by the NHMRC; and
  • MREA grant recipients providing responses to the NHMRC’s IACR (see paragraph 2.10). The MRFF funding agreement does not require MRFF grant recipients to complete an equivalent survey.

2.53 The NHMRC’s Institutional Annual Compliance Report (the Compliance Survey Report) dated September 2023 analysed the responses to the 2022 annual compliance survey of all 101 MREA grant recipients. The Compliance Survey Report assigned each respondent a compliance rating, identified those at risk of not complying with policies, and recommended actions that NHMRC could take to raise awareness of compliance issues and the need to remain compliant to retain their eligibility. The Compliance Survey Report is completed nine months after the calendar year surveyed.

2.54 The IACR survey did not seek information on the fraud controls of MREA grant recipients, including arrangements they have in place for possible fraud to be identified and whether any suspected fraud incidents have been reported. Nor did it ask MREA grant recipients whether they had conducted independent audits or reviews of their fraud compliance frameworks and to provide the NHMRC with the outcomes of such. Timely information on all grant recipients’ fraud control framework and monitoring activities would improve the NHMRC’s ability to assess fraud risks.

Recommendation no.2

2.55 The National Health and Medical Research Council implement risk-based mechanisms to gain independent assurance of the effectiveness of grant recipients’ fraud risk controls.

National Health and Medical Research Council response: Agreed.

2.56 NHMRC will implement independent risk-based assurance of the effectiveness of grant recipients’ fraud risk controls that complements current assurance activities.

Review and testing of control effectiveness

Updates to the fraud control plan

2.57 The 2023–2025 Fraud and Corruption Control Plan includes two significant updates when compared to the 2020–2022 Plan. These are:

  • references to corruption, consistent with the provisions of the National Anti-Corruption Commission Act 2022; and
  • the inclusion of an additional high fraud risk arising from cybersecurity threats including hacking, malware, on-selling data and identity theft.

2.58 The 2023–2025 Fraud and Corruption Control Plan states that:

Specific individuals or sections of NHMRC are responsible for implementing each control action, within the agreed timeframe.

Responsibility is not further specified and senior officers who have been assigned responsibilities for managing the controls identified in the risk assessment are not listed. Responsibility for the mitigating strategy for selected risks is specified.

Regular testing of fraud control effectiveness

2.59 Paragraphs 39 and 41 of the Fraud Guidance provide that mechanisms be established to test control effectiveness on a regular basis, to help ensure that ‘control systems remain appropriate, cost-effective and proportionate to the actual risks they are addressing’. The 2024 Commonwealth Fraud and Corruption Control Framework requires control effectiveness testing.55

2.60 The NHMRC has not tested the effectiveness of the controls listed in its Fraud and Corruption Control Framework with the exception of the activities listed below in relation to specific ICT controls:

  • Penetration testing of systems supporting external access through NHMRC portals commenced in May 2023 and concluded in May 2024. The testing was relevant to controls for seven of the NHMRC’s 27 fraud risks. Minor vulnerabilities were identified and referred for management and mitigation within six weeks of the date of the report. The Executive Board was not briefed on the outcome of the testing or the recommended mitigation work.
  • Phishing simulations were conducted in January 2024 and found a significant improvement in the ability of NHMRC’s staff to recognise a phishing email, when compared to the results of the previous simulation conducted in April 2023.

Recommendation no.3

2.61 The National Health and Medical Research Council plan and undertake regular assessments and testing of the effectiveness of the controls and mitigating strategies listed in its Fraud and Corruption Control Plan.

National Health and Medical Research Council response: Agreed.

2.62 NHMRC will streamline and document its fraud control assessment protocols and implement regular testing of its controls and mitigation strategies.

3. Fraud prevention and integrity culture

Areas examined

This chapter examines whether the National Health and Medical Research Council (NHMRC) has established appropriate mechanisms to prevent fraud and promote a culture of integrity.

Conclusion

The NHMRC has established partly appropriate mechanisms to prevent fraud and promote a culture of integrity. The NHMRC included preventative controls for all risks identified in its 2023–2025 Fraud and Corruption Control Risk Assessment. The controls have not been assessed for their appropriateness or effectiveness. Fraud awareness training and relevant resources are provided to all staff. External stakeholders are made aware of the NHMRC’s processes for managing fraud risks through various publications on its website. The NHMRC’s monitoring of compliance with annual fraud awareness training provides reasonable assurance to the accountable authority of the completion rate. No arrangements have been put in place to ensure that the NHMRC staff who identify, assess and manage fraud risks or investigate suspected fraud have the relevant training or qualifications or undertake ongoing professional development.

Area for improvement

The ANAO made one recommendation aimed at ensuring fraud control staff are appropriately trained.

3.1 The 2017 Commonwealth Fraud Control Framework requires accountable authorities to establish appropriate mechanisms for preventing fraud, including by ensuring that entity officials are made aware of what constitutes fraud56, and that officials engaged in fraud control activities receive appropriate training or attain necessary qualifications.57 Grants administration by officials and grantees should incorporate appropriate safeguards against fraud and should comply with the Fraud Rule.58 The Fraud Guidance states that ‘Fraud prevention involves putting into place effective accounting and operational controls, and fostering an ethical culture that encourages all officials to play their part in protecting public resources.’59

Have appropriate mechanisms been established to prevent fraud?

The NHMRC’s 2023–2025 Fraud and Corruption Control Risk Assessment includes preventative controls for all identified risks. Preventative controls for internal fraud risks directly relate to the cause of the risk. Preventative controls for external fraud risks largely relate to education and guidance materials for grant recipients and expected compliance with the NHMRC funding agreement. The NHMRC has not assessed the appropriateness and effectiveness of its preventative controls for fraud risks. Fraud risks are considered in the development of new grant guideline opportunities. The fraud risks were not reviewed following a change in ICT systems or based on the results of the annual compliance review for grant recipients. There are inconsistencies in the NHMRC’s procedures for staff on preventing, detecting and dealing with fraud. The NHMRC’s strategies to mitigate the risk of fraud are stronger for internal fraud risks than external fraud risks.

3.2 Table 3.1 presents an assessment of the NHMRC’s approach to applying the Fraud Rule, Guidance and Policy in relation to fraud prevention.

Table 3.1: Assessment against the Fraud Framework — Fraud prevention

| Standard (note a) | Source | Assessment | Paragraphs |
| --- | --- | --- | --- |
| Entity maintains appropriately documented instructions and procedures to assist officials to prevent, detect and deal with fraud | Fraud Policy, paragraph 1 | | See paragraph 3.3 |
| Entity has considered strategies to mitigate the risk of identity fraud | Fraud Guidance, paragraph 42 | | See paragraph 3.4 |
| Entity has developed mechanisms to ensure fraud risk is considered in planning and conducting entity activities | Fraud Rule, paragraph 10(c)(ii) | | See paragraphs 3.5 to 3.9 |
| Entity’s preventative controls are appropriate and effective (note b) | Fraud Rule, paragraph 10(c) | | See paragraphs 3.10 to 3.24 |

Key:  Fully compliant Partly compliant Not compliant.

Note a: For non-corporate Commonwealth entities, the Fraud Rule and Policy are mandatory and the Fraud Guidance is better practice.

Note b: ANAO did not test the effectiveness of the controls. The analysis is based on the NHMRC’s description of the controls in their 2023–2025 Fraud and Corruption Risk Assessment.

Source: ANAO analysis of NHMRC documentation.

Documented instructions to prevent, detect and deal with fraud

3.3 The 2023–2025 NHMRC Fraud and Corruption Control Framework sets out the mechanisms to assist officials to prevent and detect fraud across the agency. It also includes a fraud incident reporting form and a flowchart of the processes for dealing with a suspected fraud. The flowchart refers to alleged or suspected fraud that is to be assessed and investigated by the NHMRC, not by a grant recipient (see paragraphs 4.23 to 4.25). The flowchart does not include the steps to be undertaken in relation to a Medical Research Future Fund (MRFF) grant managed by NHMRC on behalf of the Department of Health and Aged Care (see paragraph 2.8).

Mitigating the risk of identity fraud

3.4 The NHMRC utilises the Australian Government’s document verification service for identity documents of all new staff employed by the agency.

Fraud risk considered within NHMRC’s activities

3.5 The ANAO examined a selection of NHMRC risk assessments of its proposed grant guidelines for the 2024 Investigator, Synergy and Ideas grants programs. The selected assessments addressed the three broad categories of risk in respect of grants programs as set out in the 2017 Commonwealth Grant Rules and Guidelines (CGRGs), including fraud risks relating to ‘grant program or grant opportunity risk; grantee risk; and grant activity risk’.60

3.6 For example, the 2024 Grant Guidelines Risk Assessment for the Ideas Grants program included the risk that:

NHMRC is unable to prevent and investigate cases of research misconduct, unethical research, fraud or misrepresentation by researchers.

3.7 The risk was assessed as having a possible likelihood and a major consequence, resulting in a high risk rating. Risk mitigation strategies listed in the risk assessment included grant recipients’ compliance with the terms of the NHMRC Funding Agreement and relevant ethical standards and approvals; the ‘rigorous review’ of applications by NHMRC officials and by experts; compliance with the Australian Code for the Responsible Conduct of Research 201861; and the monitoring of performance through self-assessment Institutional Annual Compliance Reports (IACR) (see paragraphs 2.52 to 2.54).

3.8 The grant opportunity risk assessment noted ‘Fraud or misrepresentation in the area is typically rare’. The grant opportunity risk assessment was conducted after the 2023–2025 Fraud and Corruption Risk Assessment was completed but did not refer to the fraud risks identified in the 2023–2025 Fraud and Corruption Control Plan or the controls for those risks. The assessments did not refer to the external fraud risk of ‘Provision of false or misleading information to NHMRC’, which was assigned a medium current risk rating.

3.9 Following receipt of the IACR, the NHMRC undertakes a desktop review of the responses to ensure completeness and produces a report summarising the outcomes of the surveys (see paragraphs 2.52 to 2.54) and a risk assessment report with recommendations to improve grant recipients’ compliance with funding agreements (see paragraph 2.10). The risk assessment report is provided to the Executive Board. Neither the NHMRC’s analysis of the responses contained within the IACRs, nor any follow-up action taken by NHMRC, is used to assess fraud risks relating to grant recipients.

Appropriateness and effectiveness of preventative controls

3.10 The NHMRC has assigned 166 preventative controls for the 27 fraud risks identified in the NHMRC Fraud and Corruption Control Plan. The NHMRC rated 102 preventative controls as ‘effective’ and 64 as ‘moderately effective’.

Internal fraud risks

3.11 The NHMRC’s fraud risk assessment identified 20 internal fraud risks: 15 were assigned a medium current risk rating and five were assigned a low current risk rating. The majority of the NHMRC’s preventative fraud controls, as described in the risk assessment, relate directly to the root cause of the identified risk they are intended to control. Of the 121 listed preventative controls for internal risks, the risk assessment stated 82 (or 68 per cent) were effective and 39 controls (or 32 per cent) were moderately effective.

3.12 The majority of the NHMRC’s preventative controls for internal fraud risks are consistent with the Commonwealth Fraud Prevention Centre’s catalogue of fraud controls.62

  • The segregation of duties for 15 controls. For example, invoices are entered into the financial management system by one officer and payment can only be approved by another officer.
  • System workflows for two controls. For example, cheques require two signatories.
  • Defined decision-making powers for 18 controls. For example, a designated delegate needs to approve and sign off on all procurement documents.
  • System or physical access controls for 15 controls, sometimes in conjunction with defined decision-making powers. For example, spare and loan IT equipment is kept secured in the ICT secure storage locations with access limited to authorised staff and the NHMRC service provider.
  • Vouching for two controls. For example, physically confirming the receipt of goods before raising a request for payment.
  • Maintaining accurate information and data for three controls. For example, maintaining registers of approved vendors to whom payments can be made through the financial management system.
  • Regular review for eight controls. For example, the annual review of each credit card holder to ensure business requirements are still current.
  • Self-disclosure and reporting processes for three controls. For example, by requiring a declaration of interest from all contractors upon commencement, annually and at any time the need arises.
  • Identity checks are cited as controls for four risks and police checks are applied to 13 risks as suitability assessments for new staff and labour hire engagements.
  • Procedural guidance and staff training are cited as controls for 10 risks.

3.13 Controls that directly affect a risk are distinct from elements of the normal operating environment that may indirectly impact on risk. For example, as a non-corporate Commonwealth entity that employs staff under the Public Service Act 1999, the Australian Public Service (APS) Code of Conduct is part of the NHMRC’s operating environment. The ‘expectation of following the APS Code of Conduct and PGPA Act duties of officials’ is listed as a preventative control for 20 risks. In the absence of additional activities that embed these requirements into the agency’s operations, such as specific training, policies and procedures or restrictions on systems access, the expectation of compliance alone is not an effective preventative control.

3.14 For seven risks, the risk assessment lists a preventative control, such as the monthly acquittal of credit card purchases, that is in effect a detective control. One control listed as detective, the dual sign-off before a grant payment run can be completed, is in effect a preventative control.

External fraud risks

3.15 The NHMRC’s fraud risk assessment included seven external fraud risks, of which four are rated high and three are rated medium. Three of the NHMRC’s high rated external fraud risks relate to the grant programs it administers, which accounted for $1.5 billion expenditure in 2022–23 (see paragraphs 1.19 and 1.20).

3.16 Of the 45 listed preventative controls for external risks, 20 controls (or 44 per cent) were stated as effective and 25 controls (or 56 per cent) were moderately effective.

3.17 The 20 preventative controls that the NHMRC assessed as effective are consistent with the Commonwealth Fraud Prevention Centre’s catalogue of fraud controls63:

  • seven relate to cybersecurity threats (through measures such as system or physical access controls);
  • three involve identifying conflicts of interest (self-disclosure); and
  • three involve the independent peer assessment of grant applications (expert oversight).

3.18 The remaining preventative controls that the NHMRC assessed as effective took the form of procedural instructions or guidance, consistent with the contractual clauses category within the Commonwealth Fraud Prevention Centre’s catalogue of fraud controls, including:

  • providing grant recipients with cost guidelines and the answers to frequently asked questions on the NHMRC website;
  • reminding grant recipients of their responsibilities through the NHMRC website, the annual compliance self-assessment survey, emails and conferences;
  • reminding grant recipients not to misuse research funds in the text of the grant funding schedule attached to the grant recipient’s funding agreement;
  • relying on grant recipients to adhere to the terms of their funding agreements with the NHMRC; and
  • relying on grant recipients to adhere to the Australian Code for Responsible Conduct of Research.64

3.19 Of the 25 preventative controls that the NHMRC reported as moderately effective, 21 were consistent with the Commonwealth Fraud Prevention Centre’s catalogue of fraud controls, including (among others) six cyber and ICT security controls and three conflict-of-interest controls. In other instances, the NHMRC:

  • twice listed elements of its operating environment as preventative controls without the benefit of additional activities to embed these requirements into the agency’s operations (see paragraph 3.13); and
  • listed two controls that were detective rather than preventive.

3.20 The NHMRC relies on grant recipients to certify the particulars of grant applications, and to make reasonable efforts to ensure they are complete and correct and comply with all eligibility and other application requirements. The NHMRC advised the ANAO in April 2024 that it conducts preliminary checks based on information it has about the researchers on file and other public information to verify their identities. The standard operating procedures for registering grant recipients in the grants management systems do not include details of such checks.

3.21 Six of the preventative controls in relation to the NHMRC’s external fraud risks rely on the cooperation of the grant recipient. The effectiveness of such controls, and in turn the accuracy of the risk assessment, is substantially reduced when the NHMRC has insufficient data and evidence with which to gain assurance over grant recipients’ compliance with the funding agreement (see paragraphs 2.52 to 2.54).

3.22 There is no instruction or guidance material that sets out how the controls listed in the NHMRC’s fraud risk assessment were assessed for effectiveness, or the decision-making criteria as to whether the conclusion should be reported as effective or moderately effective (see paragraph 2.20). There is no evidence the ratings of effective and moderately effective have been confirmed by any regular assessment or evaluation.

3.23 As discussed at paragraph 2.60, the NHMRC has not tested the effectiveness of controls, with the exception of the specific ICT testing. The NHMRC has not undertaken routine or periodic testing of controls with a view to establishing that they are appropriate, commensurate to the fraud risk and have been effectively implemented.

3.24 The absence of such testing limits the assurance the accountable authority can gain over the accuracy of the risk assessment and the appropriateness and effectiveness of the 2023–2025 Fraud and Corruption Control Plan, particularly in relation to the risks associated with the grant programs administered by the NHMRC.

Are appropriate mechanisms in place to promote fraud awareness and a culture of integrity?

The NHMRC has fraud related guidance materials on its intranet. Fraud awareness training must be completed by staff upon commencement with the entity and refreshed on an annual basis. As at 30 June 2024, 189 of 244 staff had completed fraud awareness training, representing 77.5 per cent of the NHMRC’s total workforce. One of six senior executive service officers had completed this training. The NHMRC publishes its Research Integrity and Misconduct Policy on its website, which includes a section on fraud and other misconduct. The NHMRC’s website also allows anonymous reports of fraud to be provided. The NHMRC has not evaluated the effectiveness of its fraud awareness training.

3.25 Table 3.2 presents an assessment of the NHMRC’s approach to applying the Fraud Rule and Guidance in relation to fraud awareness and developing a culture of integrity.

Table 3.2: Assessment against the Fraud Framework — Fraud awareness

| Standard (a) | Source | Assessment | Paragraphs |
|---|---|---|---|
| Entity has developed appropriate mechanisms to ensure staff are aware of what constitutes fraud, such as a strategy statement or control plan accessible to staff | Fraud Rule, paragraph 10(c)(i); Fraud Guidance, paragraphs 36 and 44 | | See paragraph 3.26 |
| Entity has developed suitable fraud and integrity training for staff | Fraud Guidance, paragraph 46 | | See paragraphs 3.27 to 3.29 |
| Entity has established outreach programs to inform clients, providers and the public about its fraud control arrangements | Fraud Guidance, paragraphs 49, 59 and 60 | | See paragraphs 3.30 to 3.34 |
| Entity has undertaken monitoring and evaluation of the effectiveness of fraud and integrity awareness initiatives | Fraud Guidance, paragraph 47 | | See paragraph 3.35 |

Key: Fully compliant Partly compliant Not compliant.

Note a: For non-corporate Commonwealth entities, the Fraud Rule and Policy are mandatory and the Fraud Guidance is better practice.

Source: ANAO analysis of NHMRC documentation.

Fraud awareness

3.26 The NHMRC’s intranet, which is available to all staff, has a page titled ‘Fraud and Corruption Control’. This page:

  • provides definitions of fraud and corruption control;
  • provides links to the NHMRC 2023–2025 Fraud and Corruption Control Framework and Plan, which include definitions of ‘fraud’ and ‘corruption’;
  • advises that all NHMRC staff are required to complete mandatory training on Learnhub and to refresh their training each November;
  • names the NHMRC Fraud and Corruption Control Officer;
  • advises staff what to do if a staff member has a concern about suspected internal or external fraudulent conduct; and
  • provides links to the Fraud Incident Report template, the Fraud Reporting Checklist, and the Grants Administration Counter Fraud Toolkit (prepared by the Commonwealth Fraud Prevention Centre).

Fraud and integrity training

3.27 The NHMRC’s mandatory training package includes fraud awareness training to be completed upon induction and then annual refresher fraud awareness training. The requirement to complete mandatory refresher training each November is timed to coincide with the Australian Government’s annual Fraud Awareness Week and reminder emails are sent to all staff.

3.28 The NHMRC reported to the Australian Institute of Criminology, as part of the annual fraud census, that 140 staff had completed fraud awareness training in 2022–23.65

3.29 The NHMRC advised the ANAO that, as at 30 June 2024, 189 of 244 staff had completed fraud awareness training. This represents 77.5 per cent of the NHMRC’s total workforce, which includes staff on extended leave. One of six senior executive service officers had completed this training. There is no process in place to ensure that the officials who have been delegated responsibility for fraud risk management (including the General Manager, Chief Financial Officer, Executive Directors and Deputy Chief Financial Officer) undertake the mandatory refresher training or undertake additional training.

Outreach programs

3.30 The NHMRC’s 2023–2025 Fraud and Corruption Control Framework is available on its website.66 The NHMRC’s website also provides information on policies with which grant recipients must comply, including the Australian Code for the Responsible Conduct of Research and the NHMRC Research Integrity and Misconduct Policy.67 The Research Integrity and Misconduct Policy includes a grant recipient’s responsibilities in relation to an alleged fraud and the steps the NHMRC undertakes when allegations of such misconduct are made.

3.31 The NHMRC’s website states:

NHMRC does not investigate allegations of research misconduct or potential breaches of the Australian Code for the Responsible Conduct of Research 2018 (the Code). This is the responsibility of the relevant research institution, as stated in the Code.68

3.32 A downloadable fact sheet on research integrity on the NHMRC’s webpage provides information in relation to both allegations of research integrity and fraud.69 The fact sheet states that an allegation of fraud related to NHMRC funding can be provided directly to the NHMRC by email (email address provided) and that:

Allegations of fraud may overlap with complaints or allegations that a researcher may have breached the Code (for example, where it is alleged that falsified data were used in a grant application). If this is the case, the allegations may trigger an institutional investigation of a potential breach of the Code, and may also be considered by the Fraud Control Officer under the provisions of the Fraud Control Framework.

3.33 In June 2024, the NHMRC updated its website to allow members of the public to report complaints and misconduct anonymously through the ‘contacts’ page.70 From 15 July 2024, the research integrity page of NHMRC’s website was updated to refer to this option for making complaints.71 As at 27 July 2024 the NHMRC research integrity factsheet had yet to be updated to reflect this change.

3.34 The NHMRC’s funding agreement with grant recipients contains provisions that require them to notify the NHMRC of potential breaches of the Australian Code for the Responsible Conduct of Research, including fraud.

Monitoring and evaluation of fraud awareness initiatives

3.35 The NHMRC has not evaluated the effectiveness of the fraud and integrity training provided to staff.

Has appropriate training been provided to officials with fraud control responsibilities?

The NHMRC does not oversee fraud investigations conducted by grant recipients or gain assurance they have been undertaken by qualified investigators. No NHMRC staff are qualified to conduct investigations. The NHMRC’s staff who identify, assess and manage fraud risks do not have the relevant fraud control training or qualifications. The NHMRC does not have a plan in place for the professional development of staff involved in fraud control activities.

3.36 Table 3.3 presents an assessment of the NHMRC’s approach to applying the Fraud Rule, Guidance and Policy in relation to training and qualifications for officials with fraud control responsibilities.

Table 3.3: Assessment against the Fraud Framework — Fraud training

| Standard (a) | Source | Assessment | Paragraphs |
|---|---|---|---|
| Entity fraud investigations are carried out by appropriately qualified staff or external investigators | Fraud Policy, paragraph 9 | | See paragraphs 3.37 to 3.40 |
| Entity ensures officials primarily engaged in fraud control activities possess or attain relevant qualifications or training to effectively carry out their duties | Fraud Policy, paragraph 2 | | See paragraphs 3.41 to 3.43 |
| The entity’s fraud control officials have completed a Certificate IV in Government Security or Diploma of Government (Fraud Control) | Fraud Guidance, paragraph 56 | | See paragraphs 3.41 to 3.43 |
| The entity’s fraud control officials undertake ongoing professional development | Fraud Guidance, paragraph 57 | | See paragraph 3.42 |

Key: Fully compliant Partly compliant Not compliant.

Note a: For non-corporate Commonwealth entities, the Fraud Rule and Policy are mandatory and the Fraud Guidance is better practice.

Source: ANAO analysis of NHMRC documentation.

Fraud investigator qualifications

3.37 The 2022 Australian Government Investigations Standards (AGIS) provide that, for investigations within the Australian Government, ‘a vocational and educational training (VET) qualification must be obtained, unless another qualification or internal training is determined as equivalent’.72 Australian recognised qualifications are: Certificate IV in Government Investigations; Diploma of Government Investigations; or Advanced Diploma of Government Investigations.73 The AGIS identifies the Certificate IV as the foundational qualification and the Diploma as the supervisory qualification.74 The AGIS provides that ‘entities must ensure foundational qualifications (or equivalency) are obtained prior to supervisory qualifications.’75

3.38 No NHMRC staff are qualified to undertake fraud investigations. In March 2024 the NHMRC advised the ANAO that, if it needed to conduct such an investigation, it would engage appropriately qualified investigators. Consistent with the requirements of the 2017 Commonwealth Fraud Control Framework, the 2023–2025 Fraud and Corruption Control Plan states that external providers engaged by the NHMRC to undertake fraud investigations must meet at least the minimum competency requirements of a Certificate IV in Government (Fraud Control Investigation) or Diploma of Government (Fraud Control Investigation).

3.39 The NHMRC’s fraud incident registers recorded three reports of suspected external fraud and no reports of suspected internal fraud between July 2022 and 31 May 2024 (see Table 1.6). In June 2024, the NHMRC included in its 2023–24 fraud incident register other possible fraud matters not previously recorded in its fraud incident registers. These were incidents that were under preliminary examination. There were six such incidents for 2023–24, two of which involved a potential internal fraud (see paragraph 4.31). The register recorded that none of these incidents involved substantiated fraud as at 30 June 2024 (three had been closed and three, including the two potential internal fraud related matters, were under review).

3.40 Allegations of fraud relating to grant recipients are investigated by the relevant institution, not the NHMRC, although the NHMRC may undertake ‘preliminary assessments’ (see paragraph 4.30). The NHMRC has not overseen investigations by grant recipients in relation to suspected grant related fraud or taken any steps to satisfy itself the investigation was conducted in accordance with the Australian Government Investigations Standard.

Fraud control official qualifications

3.41 The Commonwealth Fraud Prevention Centre’s website lists the qualifications recommended by the Commonwealth Fraud Control Framework for officials undertaking fraud control activities and states76:

Commonwealth officials primarily employed in fraud control should:

  • receive additional training and obtain professional qualifications
  • continue to have ongoing professional development to further develop and update their expertise and skills
  • refresh their knowledge and skills at least every three years.

3.42 In June 2024 the NHMRC advised the ANAO that, prior to May 2024, its Fraud and Corruption Control Officers (FCCO) did not have ‘any specific training and/or qualifications’ and that the current FCCO completed the Commonwealth Fraud Prevention Centre’s five-day Counter Fraud Practitioner Training Program in May 2024.

3.43 No other NHMRC officials involved in fraud control activities have the recommended training and qualifications. This includes those officials with specific responsibilities listed in the 2023–2025 Fraud and Corruption Control and staff completing the fraud risk assessment, developing procedural guidance for staff or with responsibility for the preventative and detective controls for fraud risks.

Professional development relating to fraud control

3.44 The NHMRC did not have plans in place for the professional development of staff involved in fraud and corruption activities.

Recommendation no.4

3.45 The National Health and Medical Research Council ensure that all its officials who identify, assess and manage fraud and corruption risks possess the qualifications and skills required by the Fraud Policy.

National Health and Medical Research Council response: Agreed.

3.46 NHMRC will ensure that officials who identify, assess and manage fraud and corruption risks meet the requirements specified in the Fraud and Corruption Policy.

4. Fraud detection and response

Areas examined

This chapter examines whether the National Health and Medical Research Council (NHMRC) has established appropriate mechanisms to detect and respond to fraud.

Conclusion

The NHMRC has established partly appropriate mechanisms to detect and respond to fraud. The NHMRC has not assessed the appropriateness or effectiveness of the detective controls listed for the internal and external fraud risks identified in its 2023–2025 Fraud and Corruption Control Plan. The detective controls relating to the NHMRC’s administration of grants do not provide the NHMRC with assurance on the level of compliance with reporting and investigation obligations placed on grant recipients under the NHMRC’s funding agreement. By not requiring that investigations by grant recipients are undertaken by a qualified investigator, the NHMRC’s procedures are inconsistent with the 2017 Commonwealth Fraud Control Framework. The fraud and misconduct registers maintained by the NHMRC are not consistent with each other and do not contain sufficient information to support informed decision-making and continuous improvement activities. The NHMRC reported one instance of significant non-compliance and advised the minister that it recovered grant funding associated with the one case where fraud was substantiated in 2022–23 and 2023–24.

Areas for improvement

The ANAO made one recommendation aimed at ensuring allegations of fraud are reported to the NHMRC and investigations are undertaken by suitably qualified investigators. The ANAO also suggested strengthening procedures relating to the closure of fraud incidents; and strengthening the recording of instances of alleged fraud.

4.1 The 2017 Commonwealth Fraud Control Framework requires entities to have appropriate mechanisms for detecting, investigating, recording and reporting incidents of fraud or suspected fraud.77

Have appropriate mechanisms been established to detect fraud?

The NHMRC listed detective controls for all but two of the risks identified in the 2023–2025 Fraud and Corruption Control Risk Assessment. Detective controls for internal fraud risks directly relate to the cause of the risk. Detective controls for external fraud risks largely require the cooperation of grant recipients. Except for limited testing of ICT controls, the NHMRC has not assessed the appropriateness and effectiveness of its detective controls for fraud risks. The NHMRC has processes in place to receive anonymous reports of alleged fraud. A 2023–24 audit of grant applications prior to the award of funding identified 11 ineligible applications that had not been detected during the NHMRC’s standard application review processes. The fraud risk assessment was not updated following the outcome of this audit.

4.2 Table 4.1 presents an assessment of the NHMRC’s approach to applying the Fraud Rule and Guidance in relation to fraud detection.

Table 4.1: Assessment against the Fraud Framework — Fraud detection

| Standard (a) | Source | Assessment | Paragraphs |
|---|---|---|---|
| Entity has a process for staff and other people to confidentially report suspected fraud | Fraud Rule, paragraph 10(d) | | See paragraphs 4.3 to 4.4 |
| Entity uses other measures (e.g. internal reviews and audits, data mining and data matching) to detect fraud | Fraud Guidance, paragraph 62 | | See paragraphs 4.5 to 4.10 |
| Entity’s detective controls are appropriate and effective | Fraud Rule, paragraph 10(d) | | See paragraphs 4.11 to 4.21 |

Key: Fully compliant Partly compliant Not compliant.

Note a: For non-corporate Commonwealth entities, the Fraud Rule and Policy are mandatory and the Fraud Guidance is better practice. ANAO did not test the effectiveness of the controls. The analysis is based on the NHMRC’s description of the control in their 2023–2025 Fraud and Corruption Risk Assessment.

Source: ANAO analysis of NHMRC documentation.

Reporting processes for suspected fraud

4.3 The NHMRC’s procedure for facilitating and dealing with public interest disclosures is published on its website.78 The procedure is consistent with the provisions of the Public Interest Disclosure Act 2013 (PID Act) and is intended to guide the consideration of and, where appropriate, the investigation of public officials’ reports of alleged wrongdoing.

4.4 Reports of suspected grant fraud may be made directly to the NHMRC or the grant recipient. The processes for reporting alleged fraud directly to NHMRC are set out in paragraphs 3.31 to 3.33. The NHMRC first provided an avenue for anonymous tip-offs to be received via its website in July 2024. Procedures for dealing with them are not yet on the website or in place within the NHMRC (see paragraph 3.33).

Other measures to detect fraud

4.5 Risk assessments when planning and conducting entity activities are considered at paragraphs 3.5 to 3.8.

4.6 In 2023–24 the NHMRC undertook an ‘audit’ of applications received for the 2024 round of its Investigator Grants program.79 The review was undertaken prior to the award of funding for the round. The review assessed a targeted sample of 32 of the 88 applications that relied upon a specific eligibility criterion for researchers.80 All grant applications included the following attestation by Administering Institutions:

I confirm I hold evidence to support this [eligibility criteria] and am able to provide it to NHMRC if requested.

4.7 During the review, the Administering Institution was required to provide the relevant evidence for each of the sampled applications. The review identified 11 applications that did not meet the tested eligibility criterion, after the NHMRC’s usual checks did not identify eligibility issues. In January 2024, following the review, the NHMRC advised these applicants that it proposed to remove them from consideration for the grants.

4.8 The brief to NHMRC’s Executive Director stated:

As this was the first time NHMRC has conducted this check of all applicants relying upon [the relevant eligibility criteria] to be eligible, and it identified 11 ineligible applicants, it is possible that there have been applicants to previous rounds who would have also been ineligible had this check been implemented earlier.

4.9 The report of this activity was not provided to the CEO or the Audit and Risk Committee. The NHMRC did not reassess the fraud risk of ‘Provision of false or misleading information to NHMRC’, which has a current risk rating of medium in its 2023–2025 Fraud and Corruption Control Plan, following the outcome of the review.

4.10 As at June 2024 the NHMRC was developing a new eligibility checking tool ‘to streamline and improve eligibility compliance checking’. In June 2024 the NHMRC advised the ANAO that it anticipates that it will be in operation for the 2025 Investigator Grant round commencing in September 2024.

Appropriateness and effectiveness of detective controls

4.11 The NHMRC has listed 68 detective controls for 25 of the 27 identified fraud risks in the risk assessment contained in its 2023–2025 NHMRC Fraud and Corruption Control Plan.81 The NHMRC rated 47 detective controls as ‘effective’ and 21 as ‘moderately effective’.

Internal fraud risks

4.12 The NHMRC’s 2023–2025 Fraud Risk Assessment identified 56 detective controls for the 20 internal fraud risks, assessing 38 as ‘effective’ and 18 as ‘moderately effective’.

4.13 The majority of NHMRC’s listed detective controls for internal fraud risks are consistent with the Commonwealth Fraud Prevention Centre’s catalogue of fraud controls.82

  • Audits and reviews — such as ICT auditing, tracking and reporting on particular sections of the grants management system to determine when changes have been made, what was changed and by whom.
  • Reconciling records — such as expense claims for credit cards.
  • Quality assurance — such as monthly reports on staff leave checked for appropriateness by the human resources director.

External fraud risks

4.14 The NHMRC’s 2023–2025 Fraud Risk Assessment listed 12 detective controls for its external fraud risks, assessing nine controls as ‘effective’ and three as ‘moderately effective’.

4.15 Four of the detective controls are consistent with the Commonwealth Fraud Prevention Centre’s common detective fraud control types.

  • Fraud detection software — as applied to the risk of cyber fraud by the active monitoring of ICT systems.
  • Incident reporting — such as the NHMRC’s fraud incident register.
  • Tip-offs and public interest disclosures.83

4.16 Six of the detective controls are in effect preventative controls. For example, the appointment of independent chairs and the appointment of independent observers are listed as detective controls for the risk that ‘Assessors or panel members may use their positions to influence other peer review participants either for or against applications’.

4.17 Two detective controls for the risk of ‘inappropriate influence in evidence review or guideline development’ re-state the statutory duties of the NHMRC Council and the Chief Executive Officer (CEO) (see paragraph 2.5) rather than relate to fraud detection:

  • ‘Draft guidelines are put out for public consultation, as required by the NHMRC Act’ reflects the duties of the NHMRC Council to publicly consult before advising the CEO on making regulatory and other guidelines.84
  • ‘Consideration by Council which advises NHMRC’s CEO on the release of guidelines’ refers to the functions of the Council of the NHMRC.85

4.18 The NHMRC has not listed detective controls for the fraud risk posed by ‘Poor management by Administering Institutions’.86

4.19 Most of the NHMRC’s detective controls for internal fraud risks, as described in the risk assessment, focus on the source of the suspected fraud and are implemented through NHMRC systems and procedures.

4.20 The detective controls, as described in the risk assessment, for risks associated with the NHMRC’s grants programs are not appropriate to the fraud risks posed by the size, scale and nature of the NHMRC’s core business of grant administration (see paragraphs 2.30 to 2.31). There is no evidence that the NHMRC undertakes risk-based reviews of compliance with the requirement in the funding agreements for grant recipients to maintain records of appropriate spending of grant funds or that it has implemented risk-based detective controls, including through audited financial statements of grants to organisations and institutions that receive large amounts of grant funding administered by the NHMRC.

4.21 As discussed at paragraph 2.60, the NHMRC has not tested the effectiveness of controls, with the exception of the penetration testing of systems supporting external access through NHMRC portals concluded in May 2024, and phishing simulations conducted in January 2024. The absence of such testing limits the assurance the accountable authority can gain over the accuracy of the risk assessment and the appropriateness and effectiveness of the 2023–2025 Fraud and Corruption Control Plan, particularly in relation to the risks associated with the NHMRC’s grants programs.

Have appropriate mechanisms been established to investigate and respond to fraud?

The NHMRC’s 2023–2025 Fraud and Corruption Control Framework contains a flowchart of the steps to be undertaken following notification of a suspected fraud. These processes do not relate to instances of suspected fraud by a grant recipient as they are not investigated by the NHMRC. The funding agreements between the NHMRC and grant recipients do not provide the NHMRC with complete information in relation to suspected frauds. The NHMRC’s fraud registers do not contain sufficient information of the investigation or decision-making process. For the one case between 2022–23 and 2023–24 where an allegation of suspected fraud was substantiated after investigation by the grant recipient, the NHMRC did not report the incident to the Australian Federal Police (AFP). The NHMRC recovered $2.6 million in relation to this fraud case.

4.22 Table 4.2 presents an assessment of the NHMRC’s approach to applying the Fraud Policy in relation to investigating and responding to fraud.

Table 4.2: Assessment against the Fraud Framework — Fraud investigation and response

| Standard (a) | Source | Assessment | Paragraphs |
|---|---|---|---|
| Entity maintains appropriately documented procedures setting out criteria for making decisions at critical stages in managing a suspected fraud incident | Fraud Policy, paragraph 3 | | See paragraphs 4.23 to 4.27 |
| All instances of suspected fraud were investigated, unless referred to and accepted by a law enforcement agency | Fraud Policy, paragraphs 6 and 7 | | See paragraphs 4.30 to 4.31 |
| Entity appropriately documents decisions to use civil, administrative or disciplinary procedures, or to take no further action, in response to a suspected fraud incident | Fraud Policy, paragraph 5 | | See paragraphs 4.32 to 4.34 |
| Entity has appropriately referred incidents of potentially serious and complex fraud to the Australian Federal Police | Fraud Policy, paragraph 8 | | See paragraphs 4.35 to 4.36 |
| Entity has taken reasonable measures to recover financial losses caused by illegal activity | Fraud Policy, paragraph 10 | | See paragraph 4.37 |

Key: Fully compliant Partly compliant Not compliant.

Note a: The Fraud Policy is mandatory for non-corporate Commonwealth entities.

Source: ANAO analysis of NHMRC documentation.

Documented procedures for fraud investigation

4.23 The NHMRC’s procedures for managing a suspected fraud incident are documented in a flowchart in the 2023–2025 Fraud and Corruption Control Framework. The 2023–2025 Fraud and Corruption Control Framework states that the processes contained within must be commenced if the NHMRC has received or suspects an allegation of fraudulent or corrupt behaviours. The steps in the flowchart include a preliminary inquiry, investigation, referral to the AFP and reporting to the CEO and the Audit and Risk Committee and alternative options if the allegation does not include a fraud relating to the NHMRC or an investigation is not required. The 2023–2025 Fraud and Corruption Control Framework also provides additional information on when to refer a suspected fraud to the AFP and steps to be taken if the allegation relates to the CEO. These processes are not applied to reports of suspected fraud by grant recipients, as they are assessed and investigated by the grant recipient under the 2019 NHMRC Research Integrity and Misconduct Policy (see paragraphs 2.46 to 2.49). The 2019 NHMRC Research Integrity and Misconduct Policy contains a flowchart of actions to be taken in relation to a complaint about research integrity and misconduct and states that such complaints may also ‘overlap’ with allegations of fraud.

4.24 The flowchart in the 2023–2025 Fraud and Corruption Control Framework is inconsistent with the 2019 NHMRC Research Integrity and Misconduct Policy when an alleged fraud relates to a grant recipient, and does not include details of actions to be taken in relation to suspected fraud involving the Medical Research Future Fund (MRFF) grant program (see paragraph 2.8). The flowchart in the 2023–2025 Fraud and Corruption Control Framework is also inconsistent with the reporting provided to the Executive Board in relation to the NHMRC’s Institutional Annual Compliance Report (IACR) for 2022 which stated:

Potential and actual breaches of the Code, including research misconduct, are referred to the Ethics and Integrity team by an AI [Administering Institution] in line with the requirements of the NHMRC Research Integrity and Misconduct Policy. The Ethics and Integrity team reviews the referral and determines if there is evidence of potential fraud. With advice from the Ethics and Integrity team the Fraud Executive determines if there is sufficient evidence to enter the allegation into the Fraud Register as a case of potential fraud.

4.25 The terms of the funding agreements with grant recipients do not require the NHMRC to be notified by a grant recipient of all suspected fraud allegations or those not warranting ‘formal investigation’ (see paragraphs 2.46 to 2.49). The non-mandatory reporting by grant recipients of all instances of alleged fraud reduces the NHMRC’s ability to make informed decisions on appropriate responses (including referral to the AFP) so as to discharge its responsibility under the Fraud Rule or to assess the impact that such allegations may have on the effectiveness of its Fraud and Corruption Control Plan.

4.26 The NHMRC’s funding agreements and 2019 NHMRC Research Integrity and Misconduct Policy also do not provide it with an assurance that:

  1. a grant recipient’s investigation of suspected fraudulent misconduct is conducted by qualified fraud investigators, as required under the Commonwealth Fraud Control Framework; or
  2. such investigation is independent and consistent with the Australian Government Fraud Investigation Standards.

4.27 The grant recipient is also not required to provide the NHMRC with any report that it receives from its investigators.

Recommendation no.5

4.28 The National Health and Medical Research Council:

  1. amend the 2019 Research Integrity and Misconduct Policy to require grant recipients to report all allegations of suspected fraud relating to grants administered by the NHMRC; and
  2. ensure all investigations of suspected fraud relating to grants administered by the NHMRC, including investigations by a grant recipient, are undertaken or overseen by suitably qualified personnel and reports are provided directly to the NHMRC.

National Health and Medical Research Council response: Agreed.

4.29 NHMRC will revise its Research Integrity and Misconduct Policy to require that grant recipients report to it on all allegations of suspected fraud relating to NHMRC administered grants. NHMRC will require institutions it funds to confirm that investigations of suspected fraud and corruption are undertaken, or overseen, by suitably qualified personnel and that there is appropriate reporting back to NHMRC.

Investigating suspected fraud

4.30 Table 1.6 shows three fraud cases reported in NHMRC’s fraud registers from 1 July 2022 to 31 May 2024.

  • One case involved a fraud substantiated following an investigation by the grant recipient, which found that grant applications were based on data that was fabricated, falsified or unreliable.
  • One case involved a grant recipient receiving funding for a project under both the MREA and MRFF programs, which was not substantiated as fraud based on a ‘preliminary assessment’ by the NHMRC.
  • One case involved an anonymous allegation of the misuse of grant funds, which was under initial investigation by the NHMRC as at 30 June 2024.

4.31 In June 2024, the NHMRC added six matters to the register (see paragraphs 1.22 and 3.39).

  • One matter was determined by the NHMRC to be a research integrity matter not involving fraud and was closed.
  • One matter was an anonymous complaint relating to an institution’s internal allocation of grant funding. It was unclear if the funding was provided by NHMRC. The matter was under investigation as at 30 June 2024.
  • One matter involved possible conflicts of interest and financial mismanagement at a research institute and was under review as at 30 June 2024.
  • Two matters involved possible internal fraud (time sheet anomalies and an anonymous complaint that an NHMRC staff member was using NHMRC resources for non-work-related activities). Both were under review as at 30 June 2024.
  • One matter related to allegations of financial mismanagement and alleged corrupt conduct. The NHMRC determined there was no fraud or corrupt conduct and the matter was closed with no further action taken.

Documented decisions for response to fraud

4.32 The NHMRC’s fraud registers include a summary of actions taken, including any sanctions imposed by it on grant recipients. Decisions are not consistently documented and there are no links to relevant correspondence or decision records.

4.33 The NHMRC’s 2023–2025 Fraud and Corruption Control Framework provides limited guidance on the documentation of decisions to use civil, administrative or disciplinary procedures, or to take no further action in response to a suspected fraud incident. The flowchart (see paragraph 4.23) lists the review of internal controls and ensuring appropriate records are retained as the final step when responding to an allegation of fraud. There is no supplementary guidance for the consideration of lessons learnt or assessment of the effectiveness of controls following the outcome of the investigation or action taken by NHMRC. In May 2024 the NHMRC advised the ANAO that, since March 2018, no changes have been made to NHMRC’s fraud controls as a direct result of fraud allegations.

Opportunity for improvement

4.34 The National Health and Medical Research Council could implement mechanisms to gain assurance that documentation of the closure of incidents of alleged fraud is consistent with the requirements of the Commonwealth Fraud Control Framework and supports a review of the effectiveness of the NHMRC’s Fraud and Corruption Policy.

Referral of serious and complex fraud

4.35 The NHMRC’s 2023–2025 Fraud and Corruption Control Framework includes the 2017 Commonwealth Fraud Control Framework requirement for all instances of potential serious or complex fraud and corruption offences to be referred to the Australian Federal Police (AFP). The framework lists the criteria the Fraud and Corruption Control Officer and the Chief Executive Officer will consider in determining whether the matter is serious or complex. The criteria are largely consistent with the definition of ‘serious and complex fraud’ from the 2017 Fraud Guidance.87 The definition has been removed from the 2024 Commonwealth Fraud and Corruption Control Framework.

4.36 The one case between 2022–23 and 2023–24 (see Table 1.6) where fraud was substantiated, after investigation by the grant recipient, was not referred by the NHMRC to the AFP. The rationale for why the case did not require referral to the AFP based on the criteria in the NHMRC’s 2023–2025 Fraud and Corruption Control Framework was not recorded.

Measures to recover financial losses

4.37 The NHMRC advised the Minister for Health and Aged Care that it had fully recovered grant funding of $2.6 million for five grants in the one case where fraud was substantiated between 2022–23 and 2023–24 (see Table 1.6).

Have appropriate mechanisms been established to record and report fraud?

The NHMRC has complied with its reporting obligations in its annual report and to the Australian Institute of Criminology. For the only substantiated fraud in 2022–23 and 2023–24, the NHMRC briefed the Minister for Health and Aged Care following a press release by the relevant grant recipient. The NHMRC has arrangements in place with Health for the management of suspected fraud and other research misconduct. The NHMRC maintains fraud risk registers as well as misconduct and integrity registers, with a separate register developed for each year. These registers do not include detailed information about the incidents and are not consistent with each other.

4.38 Table 4.3 presents an assessment of the NHMRC’s approach to applying the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and the Fraud Policy in relation to recording and reporting fraud.

Table 4.3: Assessment against the Fraud Framework — Fraud reporting

| Standard (a) | Source | Assessment | Paragraphs |
|---|---|---|---|
| Entity has procedures to collect and manage information gathered about fraud | Fraud Policy, paragraph 12 | | See paragraphs 4.39 to 4.48 |
| Entity provided requested information to the Australian Institute of Criminology by 30 September each year to support its annual report | Fraud Policy, paragraph 13 | | See paragraphs 4.49 to 4.50 |
| Entity has reported incidents of fraud to relevant ministers as cases of significant non-compliance with the finance law | PGPA Act, section 19 | | See paragraph 4.51 |
| Entity has met reporting requirements in its annual report as they relate to fraud (accountable authority certification of Fraud Rule compliance) | PGPA Act, section 17AG | | See paragraph 4.52 |
| Where an investigation has disclosed potential criminal activity involving another entity’s activities or programs, the entity has reported the matter to the other entity | Fraud Policy, paragraph 11 | | See paragraph 4.53 |

Key: Fully compliant; Partly compliant; Not compliant.

Note a: The Fraud Policy is mandatory for non-corporate Commonwealth entities.

Source: ANAO analysis of NHMRC documentation.

Procedures to collect and manage information gathered about fraud

4.39 Incidents of fraud are reported to the NHMRC’s Executive Management Board or Chief Executive Officer, for example, where the fraud involves significant misrepresentation of research results to support grant applications. Reports of active fraud investigations are provided to the Audit and Risk Committee by the Fraud and Corruption Control Officer (FCCO).

Fraud incident registers

4.40 The 2023–2025 Fraud and Corruption Control Framework requires the FCCO to maintain a fraud and corruption incident register. Incidents of suspected fraud, internal or external, are to be recorded in the NHMRC’s Fraud Incident Registers. Separate registers are maintained for each year.

4.41 Where a report of suspected fraud from a grant recipient is determined by the FCCO to be a case of research misconduct and not a suspected fraud, it is stored in the research and integrity misconduct register, not the fraud register.

Recording of fraud in the research integrity and misconduct registers

4.42 The NHMRC maintains misconduct registers of matters notified under the NHMRC 2019 Research Integrity and Misconduct Policy (see paragraph 2.47). The Research Integrity and Misconduct registers are currently stored in Excel spreadsheets by year.

4.43 Fraud is a type of misconduct under the NHMRC’s 2019 Research Integrity and Misconduct Policy. Until 2020, all misconduct matters, including fraud-related incidents, were recorded in the research integrity and misconduct registers.

4.44 Since 2020, the NHMRC’s FCCO has maintained separate registers for misconduct and for incidents of corruption and fraud. Since then, the research integrity and misconduct registers have not identified where the notified misconduct may also involve suspected fraud.

4.45 The lack of consistency between the research integrity and misconduct registers and the fraud and corruption registers creates the risk that not all allegations or complaints of misconduct involving suspected fraud are identified and actioned appropriately.

4.46 In June 2024, the NHMRC modified its fraud and corruption register to include more detailed information relating to suspected fraud (see paragraphs 1.22, 3.39 and 4.31). In July 2024, the NHMRC advised the ANAO that it expects to launch a new database for the capture and storage of related documents, tracking and reporting on research integrity matters in August 2024.

Analysis of fraud incidents

4.47 In March 2024 the NHMRC advised the ANAO that it has not conducted any data analysis, benchmark reviews or post-transaction reviews since 1 July 2020. The fraud and corruption registers do not contain relevant fields to support trend analysis or continuous improvement, such as the nature of the allegation, the names of the researchers, the name of the institutions or the type of outcomes of the investigations.

Opportunity for improvement

4.48 The National Health and Medical Research Council could develop mechanisms to gain assurance that the Fraud and Corruption Incident Register and the Research Integrity and Misconduct Register record all allegations or complaints of suspected misconduct involving suspected fraud, with sufficient information to support its compliance with the Commonwealth Fraud and Corruption Framework and continuous improvement activities.

Reporting to the Australian Institute of Criminology

4.49 Section 14 of the Fraud Policy states that Australian Government entities must provide information to the Australian Institute of Criminology by 30 September each year to support the Fraud Against the Commonwealth census (fraud census).88 The Australian Institute of Criminology advised the ANAO in June 2024 that, with the agreement of the Attorney-General’s Department, this date was amended to the end of October and that extensions can be requested.

4.50 The NHMRC’s compliance with reporting requirements is outlined in Table 4.4.

Table 4.4: Compliance with fraud census submission timeframe

| Financial year | NHMRC submission date |
|---|---|
| 2021–22 | 28 October 2022 |
| 2022–23 | 27 October 2023 |

Source: Australian Institute of Criminology.

Reporting incidents of fraud to relevant ministers

4.51 In May 2023 the NHMRC briefed the Minister for Health and Aged Care on the one substantiated case of fraud between 2022–23 and 2023–24 (see Table 1.6 and paragraph 4.37). The brief was provided to the minister’s office on 24 May 2023, 14 days following the media release made by the grant recipient.89 The brief annexed the media release and various other media articles. This case concerned the fabrication of data that were relied upon to support grant applications to the NHMRC that resulted in the award of five grants. In October 2024 the NHMRC advised the ANAO that it follows the Department of Finance’s Resource Management Guide 214 - Notification of significant non-compliance with the finance law to determine what constitutes a significant non-compliance with the finance law, reporting to the minister and annual reporting requirements.90

Annual reporting requirements

4.52 The NHMRC has met the reporting requirements set out in section 17AG of the PGPA Rule (repeated in paragraph 97 of the Fraud Guidance) in 2022–23 and 2023–24 by including a certification from the CEO about the agency’s compliance with the fraud rule and a separate section on fraud in its annual reports.

Disclosures of potential criminal activity to other entities

4.53 The draft process for handling instances of suspected MRFF related fraud is described at paragraph 2.8. The NHMRC has not recorded any instances in 2022–23 or 2023–24 where suspected criminal activity involving another entity’s activities or programs has occurred.91

5. Preparation for the revised Commonwealth Fraud and Corruption Control Framework 2024

Areas examined

This chapter examines whether the National Health and Medical Research Council (NHMRC) has appropriately prepared for the commencement of the revised Commonwealth Fraud and Corruption Policy on 1 July 2024.

Conclusion

The NHMRC’s preparations for the commencement of the revised Commonwealth Fraud and Corruption Policy on 1 July 2024 have been largely appropriate, with change management activities yet to be delivered. The NHMRC included a definition of corruption and reporting and referral obligations to the National Anti-Corruption Commission in its 2023–2025 Fraud and Corruption Control Framework. No corruption related risks were added to the Fraud and Corruption Control Plan at this time. The NHMRC developed an implementation plan and, as at 1 July 2024, had developed a draft framework and a plan to achieve compliance with the new policy. Over the period 2024 to 2026, the NHMRC plans to review grant fraud risks and test the controls for selected grant fraud risks, including risks with high risk ratings.

Area for improvement

The ANAO made one suggestion aimed at managing the remainder of the implementation activities to achieve compliance with the 2024 Commonwealth Fraud and Corruption Control Framework.

5.1 From 1 July 2024, non-corporate Commonwealth entities must adhere to the revised Commonwealth Fraud and Corruption Policy.92 Effective planning and preparation will help ensure that entities are compliant with the revised policy.

Is there a fit-for-purpose implementation plan?

The NHMRC’s 2023–2025 Fraud and Corruption Control Framework reflects the establishment of the National Anti-Corruption Commission in July 2023 and relevant reporting and referral requirements. In February 2024 the NHMRC developed an implementation plan, with key milestones and deadlines, for the commencement of the 2024 Commonwealth Fraud and Corruption Policy. As at July 2024, the NHMRC had prepared a draft updated framework and plan to satisfy the requirements of the 2024 Commonwealth Fraud and Corruption Policy. The NHMRC has not developed a plan to put the revised policy into action, including the delivery of change management activities.

5.2 The NHMRC included corruption control in the 2023–2025 Fraud and Corruption Control Framework in response to the commencement of the National Anti-Corruption Commission (NACC) on 1 July 2023 (see paragraphs 2.3 and 2.4).

  • A definition of corruption within the meaning of section 8 of the National Anti-Corruption Commission Act 2022 (NACC Act) was included in the framework.
  • The obligation to refer to the NACC, comply with investigations undertaken by the NACC on suspected serious or systemic corrupt conduct, and the mandatory reporting obligations under the NACC Act were included in the framework.
  • The corruption control responsibilities of the Fraud and Corruption Control Officer (FCCO) (previously the Fraud Control Officer) were noted.
  • The Fraud Incident Report and Fraud Register for new fraud incidents were updated to include the details of corruption incidents.

5.3 The 2023–2025 Fraud and Corruption Control Plan did not include any new corruption risks or controls.

Implementation plan for the revised Commonwealth Fraud and Corruption Control Policy

5.4 In February 2024 the NHMRC prepared a project plan for the implementation of the revised Commonwealth Fraud and Corruption Control Policy. This comprised five stages, including:

  • identifying whether any changes to fraud and corruption control arrangements were required, including to the NHMRC’s governance, policies and procedures, record keeping and/or reporting;
  • reporting to the Audit and Risk Committee in May 2024 on the proposed changes and on the Committee’s earlier request for a review of risks 4 (‘Misuse of research grant funds’) and 15 (‘Improper contractor conduct or improper contractor management’) (see paragraph 2.23);
  • obtaining approvals from the NHMRC Executive Board and Chief Executive Officer (CEO); and
  • publishing the approved documents on 1 July 2024.

5.5 An update about the revised framework and plan was provided to all staff via an intranet news item on 3 September 2024.

5.6 The NHMRC has not developed a plan to put the revised policy into action, including the delivery of change management activities, staff and stakeholder communication plans, updates to training and professional development and intranet and website materials.

Updated NHMRC Fraud and Corruption Control Policy

5.7 On 1 July 2024, the NHMRC’s Executive Board considered and approved draft updates to the Fraud and Corruption Control Framework and Plan, and priorities for reviewing risk assessments and the effectiveness of controls. The draft framework is available on the NHMRC website.93 It explains and provides examples of corrupt behaviour and provides details of arrangements for members of the public to make anonymous tip-offs. On 15 July 2024, the new draft framework and plan were approved by the Acting CEO.

5.8 The changes to the draft plan include:

  • nominating lead risk and control owners;
  • outlining enterprise-level fraud and corruption risks; and
  • updating arrangements for responding to suspected fraud or corruption incidents to include engaging with stakeholders, additional criteria for decision-making, and emphasising mandatory referrals to the Australian Federal Police (AFP) and the NACC.

5.9 The draft plan requires changes to be made to mitigate the risk of grant fraud by June 2025:

Review and implement changes, as necessary, to ensure that NHMRC’s Funding Agreement, Administering Institution requirements, and Research Integrity and Misconduct Policy, properly reflect and reinforce the obligations of grantees and NHMRC in countering fraud.

5.10 It also updated the risk assessments for the identified fraud risks of ‘Misuse of research funds’ and ‘Poor management by Administering Institutions’, both of which relate to the risk of grant fraud. The updates included: adding one new preventative control and three detective controls to the risk of misuse of research funds; and adding one new preventative control and four detective controls to the risk of poor administration by Administering Institutions.

Is there a plan to evaluate implementation of new or revised fraud and corruption controls?

The NHMRC plans to review ten grant fraud risks and to test the controls for four grant fraud risks over the period 2024 to 2026.

5.11 On 1 July 2024, the NHMRC’s Executive Board approved priorities for reviewing targeted risk assessments and testing the effectiveness of controls. During the period 2024 to 2026, the NHMRC plans to re-assess 10 grant fraud risks, including three with high current risk ratings:

  • Cybersecurity threats including hacking, malware, on-selling data and identity theft;
  • Theft and misuse of application data; and
  • Misuse of research grant funds.

5.12 Over the same period, the NHMRC plans to test the controls for four grant fraud risks, including the high rated risks of ‘Misuse of research grant funds’ and ‘Theft and misuse of application data’, along with the medium rated risks of ‘Deliberately converting an unsuccessful application to a successful application’ and ‘Manipulation of grant budget process or approval’.

5.13 Matters that the NHMRC has identified that require further consideration include:

  • ‘periodically reviewing the effectiveness of our fraud and corruption controls’ — developing a schedule of control testing, to determine whether the controls in place are effective in managing their risk;
  • ‘periodic (every two years) review of fraud and corruption risks at the enterprise level’ — enterprise risks to be considered in the coming months;
  • ‘having appropriate arrangements to respond to suspected fraud or corruption incidents, including response plans’ — these can include criteria or protocols for decision-making, communicating with staff and the public, engaging with ministers and stakeholders (e.g. media), and referrals or notifications to relevant agencies (e.g. the AFP, the NACC); and
  • ‘requirements to have governance structures and processes to effectively oversee and manage risks of fraud and corruption and officials responsible for managing these risks’ — while the NHMRC’s Framework already outlines the governance arrangements, in the future, risk assessments will identify the lead risk and control owner (program/business owner).

5.14 Plans for the implementation of these matters have still to be developed.

Opportunity for improvement

5.15 The National Health and Medical Research Council could prepare a further implementation plan for the remainder of the activities to achieve alignment and compliance with the 2024 Fraud and Corruption Control Framework, including milestones, deliverables and activity owners.

Appendices

Appendix 1 Entity response

An image that outlines the NHMRC’s response to the proposed audit report. In the response, the department acknowledges the findings in the report and accepted its recommendations.

Appendix 2 Improvements observed by the ANAO

1. The existence of independent external audit, and the accompanying potential for scrutiny, improves performance. Improvements in administrative and management practices usually occur: in anticipation of ANAO audit activity; during an audit engagement; as interim findings are made; and/or after the audit has been completed and formal findings are communicated.

2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts. The ANAO’s corporate plan states that the ANAO’s annual performance statements will provide a narrative that will consider, amongst other matters, analysis of key improvements made by entities during a performance audit process based on information included in tabled performance audit reports.

3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:

  • strengthening governance arrangements;
  • introducing or revising policies, strategies, guidelines or administrative processes; and
  • initiating reviews or investigations.

4. In this context, the below actions were observed by the ANAO during the course of the audit. It is not clear whether these actions and/or the timing of these actions were planned in response to proposed or actual audit activity. The ANAO has not sought to obtain assurance over the source of these actions or whether they have been appropriately implemented.

  • Inclusion of a link on the NHMRC’s contacts and research integrity pages for complaints and reports of misconduct to be made anonymously (see paragraph 3.33).
  • Additional fields added to the NHMRC’s fraud and corruption registers to ensure a complete record of all issues raised by a report of a suspected fraud (see paragraph 4.46).
  • The current Fraud and Corruption Control Officer (FCCO) completed the Commonwealth Fraud Prevention Centre’s five-day Counter Fraud Practitioner Training Program in May 2024 (see paragraph 3.42).
  • A new eligibility checking tool ‘to streamline and improve eligibility compliance checking’ was under development (see paragraph 4.10).
  • The NHMRC’s activities to prepare for the 2024 Commonwealth Fraud and Corruption Control Framework are described in Chapter 5.

Footnotes

1 Australian Institute of Criminology, Fraud against the Commonwealth 2021–22, AIC, Canberra, 13 June 2023, p. 1, available from https://www.aic.gov.au/publications/sb/sb41 [accessed 15 April 2024].

2 Attorney-General’s Department, Fraud and Corruption Policy, AGD, Canberra, 1 February 2024, p. 7, available from https://www.ag.gov.au/sites/default/files/2024-02/fraud-and-corruption-policy-effective-1-july-2024.PDF [accessed 19 March 2024].

3 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, Canberra, 23 August 2017, para. 18–19, p. C7, available from https://www.ag.gov.au/sites/default/files/2020-03/CommonwealthFraudControlFramework2017.PDF [accessed 12 April 2024]. The 2017 framework was replaced in July 2024 by the Commonwealth Fraud and Corruption Control Framework.

4 Attorney-General’s Department, Commonwealth Fraud and Corruption Control Framework 2024, AGD, 2024, p. 6.

5 Australian Institute of Criminology, Fraud against the Commonwealth 2021–22, AIC, Canberra, 13 June 2023, p. 21, available from https://www.aic.gov.au/publications/sb/sb41 [accessed 15 April 2024].

6 Australian Institute of Criminology, Fraud against the Commonwealth 2021–22, AIC, Canberra, 13 June 2023, p. 1, available from https://www.aic.gov.au/publications/sb/sb41 [accessed 15 April 2024].

7 Attorney-General’s Department, Fraud and Corruption Policy, AGD, Canberra, 1 February 2024, p. 7, available from https://www.ag.gov.au/sites/default/files/2024-02/fraud-and-corruption-policy-effective-1-july-2024.PDF [accessed 19 March 2024].

8 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, Canberra, 23 August 2017, para. 18–19, p. C7, available from https://www.ag.gov.au/sites/default/files/2020-03/CommonwealthFraudControlFramework2017.PDF [accessed 12 April 2024]. The 2017 Framework was replaced in July 2024 by the Commonwealth Fraud and Corruption Control Framework.

9 Australian Institute of Criminology, Fraud against the Commonwealth 2022–23, AIC, Canberra, 13 June 2023, available from https://www.aic.gov.au/publications/sb/sb44 [accessed 3 July 2024]. The 2022–23 Statistical Bulletin 44 is based on responses collected from 157 Commonwealth entities between 28 August 2022 and 1 December 2023.

10 ibid., p. 6.

11 ibid., p. 7.

12 ibid., p. 9.

13 ibid., p. 11.

14 ibid., p. 16.

15 Australian Institute of Criminology, Fraud against the Commonwealth 2022–23, AIC, Canberra, 4 July 2024, pp. 16–17, available from https://www.aic.gov.au/publications/sb/sb44 [accessed 4 July 2024].

16 Attorney-General’s Department, Fraud and Corruption Policy, AGD, Canberra, 1 February 2024, available from https://www.ag.gov.au/sites/default/files/2024-02/fraud-and-corruption-policy-effective-1-july-2024.PDF [accessed 19 March 2024].

17 The National Anti-Corruption Commission is an independent Australian Government agency that was created under the National Anti-Corruption Commission Act 2022.

18 Attorney-General’s Department, Commonwealth Fraud and Corruption Control Framework 2024, AGD, 2024, p. 6.

19 Department of Finance, Commonwealth Grants Rules and Guidelines, 2017, paragraphs 13.3 to 13.5.

20 Department of the Prime Minister and Cabinet, Louder Than Words: An APS Integrity Action Plan, APS Integrity Taskforce, PM&C, Canberra, November 2023, p. 21, available from https://www.pmc.gov.au/sites/default/files/resource/download/integrity-good-practice-action-plan.pdf [accessed 5 May 2024].

21 ibid., Recommendation 12.

22 National Anti-Corruption Commission, 8 Integrity Principles and Maturity Indicators, Commonwealth Integrity Maturity Framework, NACC, Canberra, 2023, p. 16, available from https://www.nacc.gov.au/sites/default/files/documents/2023-08/CIMF-8-integrity-principles-and-maturity-indicators.pdf [accessed 5 May 2024].

23 National Anti-Corruption Commission, Integrity Outlook 2022/23, NACC Canberra, 2023, p. 12.

24 Auditor-General Report No. 15 2023–24, Australian Taxation Office’s Management and Oversight of Fraud Control Arrangements for the Goods and Services Tax, ANAO, Canberra, 2024, available from https://www.anao.gov.au/work/performance-audit/australian-taxation-offices-management-and-oversight-fraud-control-arrangements-for-the-gst.

25 Auditor-General Report No. 42 2019–20, Fraud Control Arrangements in the Department of Foreign Affairs and Trade, ANAO, Canberra, 2020, available from https://www.anao.gov.au/work/performance-audit/fraud-control-arrangements-the-department-foreign-affairs-and-trade; Auditor-General Report No. 43 2019–20, Fraud Control Arrangements in the Department of Home Affairs, ANAO, Canberra, 2020, available from https://www.anao.gov.au/work/performance-audit/fraud-control-arrangements-the-department-home-affairs; and Auditor-General Report No. 44 2019–20, Fraud Control Arrangements in the Department of Social Services, ANAO, Canberra, 2020, available from https://www.anao.gov.au/work/performance-audit/fraud-control-arrangements-the-department-social-services.

26 Australian National Audit Office, Insights: Fraud Control Arrangements, ANAO, Canberra, June 2020, available from https://www.anao.gov.au/work/insights/fraud-control-arrangements [accessed 12 April 2024].

27 National Health and Medical Research Council Act 1992, paragraph 5B(3)(b) and section 51.

28 National Health and Medical Research Council, Administering Institutions, NHMRC website, available at https://www.nhmrc.gov.au/funding/manage-your-funding/nhmrc-funding/administering-institutions [accessed 8 July 2024].

29 National Health and Medical Research Council, Annual Report 2022–23, p. xi.

30 ibid., p. xi.

31 In June 2024, NHMRC updated its fraud and corruption register to include matters that were not previously recorded in the register. For 2023–24 there were six matters added to the register (see paragraphs 3.39 and 4.31). None of these incidents involved a fraud that had been substantiated as at 30 June 2024.

32 Australian Institute of Criminology, Fraud against the Commonwealth 2021–22, AIC, Canberra, 13 June 2023, p. 1, available from https://www.aic.gov.au/publications/sb/sb41 [accessed 15 April 2024].

33 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, Canberra, 23 August 2017, p. A1, available from https://www.ag.gov.au/sites/default/files/2020-03/CommonwealthFraudControlFramework2017.PDF [accessed 18 March 2024].

34 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, Canberra, March 2024, pp. 10–11, available from https://www.counterfraud.gov.au/sites/default/files/2024-06/cfpc-framework-2024.pdf [accessed 5 August 2024].

35 National Health and Medical Research Council, NHMRC Fraud and Corruption Control Framework 2023–2025, available from NHMRC-Fraud-and-Corruption-Control-Framework-2023-2025.pdf [accessed 2 July 2024]. The NHMRC subsequently approved the NHMRC Fraud and Corruption Control Framework 2024–26, discussed in Chapter 5.

36 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, Canberra, 23 August 2017, available from https://www.ag.gov.au/sites/default/files/2020-03/CommonwealthFraudControlFramework2017.PDF [accessed 12 April 2024].

37 Department of Finance, Audit Committees — Resource Management Guide No 202, available from https://www.finance.gov.au/publications/resource-management-guides/audit-committees-rmg-202 [accessed 5 July 2024].

38 NHMRC, NHMRC Fraud and Corruption Control Framework 2023–2025, p. 16.

39 NHMRC, NHMRC Research Integrity and Misconduct Policy 2019, available from https://www.nhmrc.gov.au/about-us/resources/nhmrc-research-integrity-and-misconduct-policy [accessed 1 August 2024].

40 The mitigation strategy is to monitor compliance by Administering Institutions through the AI [Administering Institutions] Compliance Monitoring and Management Framework (see paragraph 2.10).

41 NHMRC, NHMRC Fraud and Corruption Control Framework 2023–2025, p. 11.

42 The NHMRC’s arrangements for transitioning to Sapphire are available from https://www.nhmrc.gov.au/sapphire [accessed 2 July 2024].

43 Attorney-General’s Department, Commonwealth Fraud Control Framework, 23 August 2017, p. C9, paragraph 28.

44 Definitions and descriptions of fraud risk controls are available from https://www.counterfraud.gov.au/fraud-countermeasures [accessed 1 July 2024].

45 Common fraud controls are described at https://www.counterfraud.gov.au/fraud-countermeasures?cmtfilter=prevention [accessed 10 July 2024].

46 Commonwealth Grant Rules and Guidelines 2017, available from https://www.finance.gov.au/sites/default/files/2019-11/commonwealth-grants-rules-and-guidelines.pdf [accessed 10 July 2024].

48 The Code ‘establishes a framework for responsible research conduct that provides a foundation for high-quality research’, Australian Code for the Responsible Conduct of Research, 2018, p. 1. The co-authors of the Code are the NHMRC, the Australian Research Council and Universities Australia. Universities Australia is an organisation representing 39 Australian universities, including through membership of government and industry-appointed bodies, available from https://universitiesaustralia.edu.au/about/who-we-are/ [accessed 3 July 2024].

49 The National Health and Medical Research Council, the Australian Research Council and Universities Australia, Guide to Managing and Investigating Potential Breaches of the Australian Code for the Responsible Conduct of Research, 2018, p. 4.

50 ibid.

51 NHMRC, Research Integrity and Misconduct Policy, 2019, p. 11.

52 The four external fraud risks were ‘Misuse of research grant funds’, ‘Poor management by Administering Institutions’, ‘Provision of false or misleading information to NHMRC’ and ‘Theft and misuse of application data’.

The one internal fraud risk was ‘Unauthorised payments from the Medical Research Endowment Account or NHMRC delivered Medical Research Future Fund’.

The Commonwealth Fraud Protection Centre publishes descriptions of fraud controls and maintains a fraud control catalogue for the assistance of Commonwealth entities, available from https://www.counterfraud.gov.au/fraud-countermeasures [accessed 8 July 2024].

53 NHMRC, Administering Institution Status Application Form, version 4, 14 September 2023, pp. 9–11, available from https://www.nhmrc.gov.au/funding/manage-your-funding/nhmrc-funding/administering-institutions [accessed 8 July 2024].

54 NHMRC, MRFF Eligible Organisation (EO) Status Certification Form, p. 9, available from https://www.nhmrc.gov.au/funding/manage-your-funding/mrff-funding/mrff-eligible-organisations [accessed 21 August 2024].

55 Attorney-General’s Department, Commonwealth Fraud and Corruption Control Framework 2024, AGD, 2024, p. 11.

56 AGD, Commonwealth Fraud Control Framework, AGD, 23 August 2017, p. A1, available from https://www.ag.gov.au/sites/default/files/2020-03/CommonwealthFraudControlFramework2017.PDF [accessed 18 March 2024].

57 AGD, Commonwealth Fraud Control Framework, AGD, Canberra, 23 August 2017, p. B2, available from https://www.ag.gov.au/sites/default/files/2020-03/CommonwealthFraudControlFramework2017.PDF [accessed 18 March 2024].

58 Department of Finance, Commonwealth Grants Rules and Guidelines 2017, Finance, 24 July 2023, paragraphs 13.3 to 13.5, available from https://www.finance.gov.au/sites/default/files/2019-11/commonwealth-grants-rules-and-guidelines.pdf [accessed 15 October 2024]. Non-corporate Commonwealth entities (NCCEs) undertake grants administration based on the mandatory requirements and key principles of grants administration in the Commonwealth Grants Rules and Guidelines (CGRGs). Paragraph 13.4 of the CGRGs is mandatory for NCCEs, while paragraph 13.5 is better practice for NCCEs.

59 AGD, Commonwealth Fraud Control Framework, AGD, Canberra, 23 August 2017, p. C12, available from https://www.ag.gov.au/sites/default/files/2020-03/CommonwealthFraudControlFramework2017.PDF [accessed 18 March 2024].

60 Department of Finance, Commonwealth Grants Rules and Guidelines 2017, p. 18, paragraph 7.8.

62 Common fraud controls are described at https://www.counterfraud.gov.au/fraud-countermeasures [accessed 10 July 2024].

63 Common fraud controls are described at Commonwealth Fraud Prevention Centre, Discover the common fraud control types, available from https://www.counterfraud.gov.au/fraud-countermeasures?cmtfilter=prevention [accessed 10 July 2024].

64 National Health and Medical Research Council, Australian Research Council and Universities Australia, Australian Code for the Responsible Conduct of Research 2018, available from https://www.nhmrc.gov.au/about-us/publications/australian-code-responsible-conduct-research-2018.

65 NHMRC reported in its 2022–23 annual report that it has 232 staff. NHMRC, Annual Report 2022–23, p. iii.

66 NHMRC Fraud and Corruption Control Framework 2023–2025, available from https://www.nhmrc.gov.au/sites/default/files/documents/attachments/resources/NHMRC-Fraud-and-Corruption-Control-Framework-2023-2025.pdf [accessed 30 June 2024].

67 NHMRC Research Integrity and Misconduct Policy 2019, available from https://www.nhmrc.gov.au/about-us/resources/nhmrc-research-integrity-and-misconduct-policy [accessed 30 June 2024].

68 NHMRC website, available from https://www.nhmrc.gov.au/research-policy/research-integrity/our-policy-research-integrity [accessed 20 June 2024].

69 NHMRC, Factsheet 1: What should I do if I suspect a researcher may be doing the wrong thing, available from https://www.nhmrc.gov.au/research-policy/research-integrity/our-policy-research-integrity [accessed 3 July 2024].

70 Contact Form, Complaints and Reports, available from https://www.nhmrc.gov.au/about-us/contact-us [accessed 20 June 2020].

71 NHMRC, Our policy on research integrity — Anonymous reports – fraud and corruption, available from https://www.nhmrc.gov.au/research-policy/research-integrity/our-policy-research-integrity [accessed 27 July 2024].

72 The Australian Government Investigations Standards — October 2022, paragraph 1.3.1, p. 4, available from https://www.ag.gov.au/sites/default/files/2022-12/Australian-Government-Investigations-Standard-2022.pdf [accessed 6 June 2024].

73 ibid.

74 ibid.

75 ibid.

76 Commonwealth Fraud Prevention Centre, Learn about training, available from https://www.counterfraud.gov.au/access-tools-and-guidance/learn-about-training [accessed 6 September 2024].

77 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, Canberra, 23 August 2017, p. A1, available from https://www.ag.gov.au/sites/default/files/2020-03/CommonwealthFraudControlFramework2017.PDF [accessed 18 March 2024].

79 This was an activity undertaken to generate information relevant to the NHMRC’s grant program rather than a specific fraud detection activity. The activity did not comply with auditing standards. In previous years, the NHMRC reviewed records of the eligibility claims of a sample of two per cent of applicants for the Investigator Grants. The 2022 sample review found no ineligible applicants and the 2023 review found an error in the eligibility records provided for one applicant. These reviews were conducted prior to the award of funding.

80 The eligibility criterion tested was the same as that which a peer reviewer had found as the basis for a grant application being ineligible in the 2023 round of the grant program.

81 No detective controls were nominated for the external risk ‘poor management by Administering Institutions’, with a current risk rating of medium, or for the internal risk ‘Recruitment - selection bias of delegate or panel members’, with a current risk rating of medium.

82 Descriptions of common control types are available from https://www.counterfraud.gov.au/fraud-countermeasures?cmtfilter=prevention [accessed 10 July 2024].

83 NHMRC does not investigate tip-offs received in relation to potential fraud by grant recipients (see paragraphs 3.31 to 3.33).

84 National Health and Medical Research Council Act 1992, sections 9 and 13.

85 National Health and Medical Research Council Act 1992, paragraph 21(1)(a).

86 NHMRC described the risk as ‘Administering Institutions fail to manage researcher behaviour and Research Activity. This could result in Administering Institutions not expending funds in accordance with the Funding Agreement.’

87 This is defined as: significant monetary or property loss to the Commonwealth; damage to the security standing or integrity of the Commonwealth; harm to the economy, national security, resources, assets, environment or well-being of Australia; a serious breach of trust by a Commonwealth official or contractor; the use of sophisticated techniques or technology to avoid detection; the elements of criminal conspiracy; bribery or corruption of a Commonwealth official or contractor; known or suspected criminal activity against more than one entity; activities that could affect wider aspects of Commonwealth law enforcement; or politically sensitive matters. Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, Canberra, 23 August 2017, p. C17, available from https://www.ag.gov.au/sites/default/files/2020-03/CommonwealthFraudControlFramework2017.PDF [accessed 1 September 2024].

88 Each year, the Australian Institute of Criminology conducts the Fraud Against the Commonwealth census. The purpose of the census is to gather information about Commonwealth entity fraud control arrangements, fraud investigations and alternative actions, fraud losses and recoveries. Non-corporate Commonwealth entities must complete the census in accordance with the Fraud Policy. While not mandatory for corporate Commonwealth entities or Commonwealth companies, completing the census is considered best practice.

89 QIMR Berghofer, Media Statement, 10 May 2023, https://www.qimrberghofer.edu.au/media-statement-2/.

90 Department of Finance, Resource Management Guide No. 214 — Notification of significant non-compliance with the finance law, Finance, Canberra, 2024, available from https://www.finance.gov.au/government/managing-commonwealth-resources/notification-significant-non-compliance-finance-law-rmg-214 [accessed 10 October 2024].

91 See paragraph 2.8 for referrals by NHMRC to Health for alleged research misconduct relating to MRFF grants.

92 Attorney-General’s Department, Fraud and Corruption Policy, AGD, Canberra, 1 February 2024, available from https://www.ag.gov.au/sites/default/files/2024-02/fraud-and-corruption-policy-effective-1-july-2024.PDF [accessed 19 March 2024].

93 NHMRC, Fraud and Corruption Control Framework 2024–26, available from https://www.nhmrc.gov.au/sites/default/files/documents/attachments/resources/NHMRC-Fraud-and-Corruption-Control-Framework-2024-2026.pdf [accessed 22 August 2024].