Introduction

1.1 The Australian Government describes fraud as ‘dishonestly obtaining a benefit, or causing a loss, by deception or other means’. Additionally, fraud requires intent. It requires more than carelessness, accident or error which may be non-compliance not fraud.⁹

1.2 The Australian Institute of Criminology (AIC) has reported that¹⁰ in 2015–16 the estimated value of Commonwealth fraud investigations commenced was $503.5 million, with an estimated $25.7 million lost under finalised investigations in 2015–16.¹¹ The majority of alleged fraud incidents and confirmed fraud involved parties external to the entity.

1.3 Detecting all fraud can pose challenges, with the UK Cabinet Office stating:

The government can deal with the [fraud] problem that is known, as the loss associated with this is self-evident. Dealing with the problem that we do not know about is more complex, as the loss is not self-evident. The challenge is to shine a light on those areas where information is poor or non-existent.

Fraud is a hidden and evolving crime; fraudsters make themselves hard to find and adjust and improve their tactics for evading detection when organisations take preventative action.¹²

The Commonwealth Fraud Control Framework

1.4 The Public Governance Performance and Accountability Act 2013 (PGPA Act) is the key piece of legislation underpinning the Australian Government’s financial framework. The PGPA Act, the Public Governance Performance and Accountability Rule 2014 (PGPA Rule)¹³ and associated policies and guidance set out the regulatory framework for the proper use and management of public resources by Commonwealth entities.

1.5 The Commonwealth’s requirements for managing the risk of fraud are outlined in the Commonwealth Fraud Control Framework 2017 (the Framework).¹⁴ The Framework requires government entities to put in place a comprehensive fraud control program that covers prevention, detection, investigation and reporting strategies. The three key elements in the Framework are the:

• Fraud Rule: From section 10 of the PGPA Rule, the Fraud Rule is a legislative instrument that binds all Commonwealth entities and sets out the key requirements of managing fraud;
• Commonwealth Fraud Control Policy: The Fraud Control Policy sets out procedural requirements for specific areas of fraud management; and
• Resource Management Guide No. 201 — Preventing, detecting and dealing with fraud: (Fraud Guidance): outlines better practice guidance, setting out the government’s expectations for fraud management arrangements within Commonwealth entities.

1.6 Each of these elements has a different binding effect on corporate and non-corporate entities (Figure 1.1)¹⁵

Figure 1.1: Binding effects of the Commonwealth Fraud Control Framework

 

 

Source: Attorney-General’s Department, Commonwealth Fraud Control Framework 2017.

1.7 The National Disability Insurance Agency (NDIA or the Agency) is a corporate entity, and must comply with the requirements in the Fraud Rule. Although it distributes $20 billion of funds annually which poses a fraud risk, NDIA can choose to align its processes with the Fraud Policy and Fraud Guidance as a matter of better practice.

1.8 The Fraud Rule contains the following mandatory requirements for all Commonwealth corporate and non-corporate entities:

The accountable authority of a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by:

1. conducting fraud risk assessments regularly and when there is a substantial change in the structure, functions or activities of the entity; and
2. developing and implementing a fraud control plan that deals with identified risks as soon as practicable after conducting a risk assessment; and
3. having an appropriate mechanism for preventing fraud, including by ensuring that:
   
   1. officials in the entity are made aware of what constitutes fraud; and
   2. the risk of fraud is taken into account in planning and conducting the activities of the entity; and
4. having an appropriate mechanism for detecting incidents of fraud or suspected fraud, including a process for officials of the entity and other persons to report suspected fraud confidentially; and
5. having an appropriate mechanism for investigating or otherwise dealing with incidents of fraud or suspected fraud; and
6. having an appropriate mechanism for recording and reporting incidents of fraud or suspected fraud.

The National Disability Insurance Agency

1.9 The National Disability Insurance Scheme (NDIS or the Scheme) replaces existing Commonwealth, state and territory disability support systems with a nationally consistent scheme aimed at providing Australians under the age of 65, who have a permanent and significant disability, ‘with the reasonable and necessary supports they need to live an ordinary life’.¹⁶

1.10 The NDIA was established on 1 July 2013 as a corporate Commonwealth entity under the National Disability Insurance Scheme Act 2013 (the Act), to deliver the NDIS and manage, advise and report on its financial sustainability. Table 1.1 provides an overview of NDIA staff, participants, and funding.

Table 1.1: The NDIA — entity overview

Note a: NDIS Partners in the Community are qualified and experienced organisations chosen by the NDIA for their strong local knowledge and understanding of people with disability or developmental delay. Partners in the Community provide two key services:

• Delivering Early Childhood Early Intervention services for children aged 0–6 years; and
• Assisting NDIS participants to understand and access the NDIA, develop and refine their plans, and link them to community and mainstream services.

Note b: COAG Disability Reform Council Quarterly Report 31 March 2019, [Internet], available at: <https://www.ndis. gov.au/about-us/publications/quarterly-reports> [accessed 6 June 2019].

Source: 2017–18 NDIA Annual Report and page 134, 2019–20 Social Services Portfolio Budget Statements.

1.11 For 2019–20, the estimated total net resourcing to NDIA is $20.209 billion, which includes funds from state and territory governments.¹⁷ This is about one per cent of the Australian GDP.¹⁸ The Commonwealth Government’s contribution to NDIS, including to the Quality and Safeguards Commission, is forecast to rise from $8.459 billion in 2019–20 to $13.161 billion in 2022–23 (a 55.6 per cent increase). At full implementation (460,000 participants), the average payment to participants is estimated at $45,000 per year.

1.12 The NDIA Corporate Plan 2018–22 notes that it has a conservative risk appetite,¹⁹ and its Risk Appetite Statement states that any type or amount of fraud is unacceptable. As the Scheme grows, potential fraud risk from participants, providers, partners in the community, NDIA staff and other external parties may also increase.

1.13 In July 2018, the Government established the national NDIS Fraud Taskforce (the Taskforce) to tackle potential fraud against the NDIA. The Taskforce is a partnership between the NDIA, the Department of Human Services and the Australian Federal Police.²⁰ Chapter 3 has further detail on the establishment of the Taskforce and its investigation work.

Rationale for undertaking the audit

1.14 ANAO performance audits have shown that schemes similar to the NDIS have posed fraud risks and implementation challenges.²¹ The ANAO’s financial auditing of the NDIA has identified specific fraud risks relating to third party providers.²² There is also a risk that people committing fraud can move between government programs, for example from the family day care sector.²³ In developing its fraud control program the NDIA must comply with the Fraud Rule, however, as a corporate entity, the Commonwealth’s Fraud Policy and Fraud Guidance are not mandatory for it as they are for non-corporate entities. This is despite the NDIA receiving public funds for a public purpose.

1.15 These risks, along with the scale of the NDIA which will receive an estimated $20.209 billion in 2019–20, led to the prioritisation of an audit of the NDIA Fraud control program. The ANAO has an ongoing performance audit program covering the NDIS, with the previous audits focused on participant access decision making controls and the management of transition of the disability services market.

Audit approach

Audit objective, criteria and scope

1.16 The objective of this audit was to examine the effectiveness of the NDIA’s fraud control program and its compliance with the Commonwealth Fraud Control Framework. To form a conclusion against the audit objective, the ANAO adopted the following high-level audit criteria:

• Has the NDIA implemented effective strategies to prevent fraud?
• Does the NDIA effectively detect and respond to fraud?
• Has the NDIA implemented effective arrangements to oversight, monitor and report on its fraud control arrangements?

1.17 The audit originally commenced in November 2017. In February 2018 the Auditor-General paused the audit as the NDIA was undertaking an overhaul of its fraud control program. The audit recommenced in October 2018.

Audit methodology

1.18 In addition to reviewing key policy, procedural, governance and risk management documentation, the audit methodology included:

• interviewing relevant officers (of the NDIA, Department of Human Services, Australian Federal Police and the NDIS Quality and Safeguards Commission);
• examining guidance and training available to NDIA staff, including fraud and prevention officers;
• examining information available to providers and participants to assist them to meet their obligations;
• reviewing whether fraud controls and strategies reflect identified fraud risks and testing whether a selection of planned controls were implemented;
• examining fraud detection and investigation approaches; and
• examining fraud governance, project management and reporting arrangements.

1.19 The audit was conducted in accordance with ANAO auditing standards at a cost to the ANAO of $586,305.

1.20 The team members for this audit were Kate Lawrence-Haynes, Deanne Allan, Joel Smith, Sam Painting and David Brunoro.

Summary of compliance with the Framework

2.1 Table 2.1 outlines the National Disability Insurance Agency’s (NDIA or the Agency) compliance with the mandatory requirements of Commonwealth Fraud Rule in relation to strategies to prevent fraud. The detailed analysis supporting these conclusions is included in the following sections of this Chapter, as well as analysis of whether the NDIA is meeting the requirements of its internal fraud policies.

Table 2.1: The NDIA’s compliance with mandatory fraud prevention requirementsa

 

 

Note a: These are mandatory requirements under the Commonwealth Fraud Control Framework, Fraud Rule, parts (a), (b), (c) (i).

Note b: The Fraud Control Plan deals with identified risks at a high level only.

Source: ANAO.

2.2 Figure 2.1 shows how the NDIA’s fraud risk processes and documents fit together. It has:

• undertaken a fraud risk assessment;
• created a Fraud and Corruption Risk Register (the Risk Register) with risks and fraud controls;
• developed a Fraud Control Plan informed by the Risk Register; and
• released a public Fraud Strategy Statement.

Figure 2.1: Summary of the NDIA’s fraud risk assessment and documents

 

 

Source: ANAO summary of NDIA activities and documents.

Did the NDIA comprehensively assess fraud risks and establish an appropriate Fraud Control Plan?

2.3 As a corporate Commonwealth entity, the NDIA must comply with section 10 of the Public Governance Performance and Accountability Rule 2014 (Fraud Rule) which states:

The accountable authority of a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by:

1. Conducting fraud risk assessments regularly and when there is a substantial change in the structure, functions or activities of the entity; and
2. Developing and implementing a fraud control plan that deals with identified risks as soon as practicable after conducting a risk assessment.²⁴

2.4 The ANAO assessed the NDIA’s fraud risk assessment process, including the comprehensiveness of the assessment, and whether the NDIA developed an appropriate Fraud Control Plan.

The NDIA’s fraud risk assessments

2.5 The NDIA has complied with the Fraud Rule and conducted regular fraud risk assessments.²⁵ Since 2015, the NDIA has conducted three fraud risk assessments, completed in March 2015, May 2016, and February 2018.

2.6 The NDIA’s 2018 fraud risk assessment included twenty three fraud risk workshops and discussions with both executive and non-executive NDIA staff from all states and territories. The fraud risk assessment activities engaged staff from multiple branches and divisions within the Agency, with a particular focus on service delivery areas. Consultation for the 2018 risk assessment was internal and did not involve consultation with external stakeholders who have expertise in fraud risk (for example the Australian Federal Police or the Department of Human Services).²⁶

2.7 The workshops covered general information on fraud, the NDIA’s 17 fraud risk types (see paragraph 2.25 for example risk types) and the agency’s fraud-specific responsibilities. In January 2018 a workshop was held with senior staff to determine the risk ratings for the 17 risk types using the Agency’s Risk Assessment Criteria to assess likelihood and Scheme consequences. In March 2018, the NDIA finalised the NDIA Fraud and Corruption Risk Register (the Risk Register). The Risk Register was updated in November 2018 to reflect fraud control changes in response to an alleged fraud.

2.8 The Fraud Rule requires the NDIA to conduct a new fraud risk assessment when a substantial change in the structure, function or activities of the Agency has occurred. The NDIS Quality and Safeguards Commission (QSC) was established in July 2018 to improve the registration and regulation of NDIS providers. From 1 July 2018, the QSC became responsible for registering providers in New South Wales and South Australia and will progressively assume this responsibility in all states and territories by 1 July 2020. The NDIA continues to be responsible for registering providers in states and territories where the QSC is not yet operating.

2.9 Both entities have established referral pathways between each other in relation to Fraud (see Chapter 4, paragraph 4.9).

2.10 During March and April 2019, the NDIS ran 23 fraud risk assessment group workshops and 12 individual consultations to underpin updating of the Risk Register. The NDIA advised that the Department of Human Services and the QSC were consulted during the process, with the Australian Federal Police providing input via the Risk Register held by the NDIS Taskforce.

The comprehensiveness of the NDIA’s 2018 fraud risk assessment

2.11 The Commonwealth Fraud Control Framework, Fraud Guidance (Fraud Guidance)²⁷ lists 18 areas where fraud vulnerabilities can arise. Seventeen of the areas are applicable to the NDIA’s operating environment (Table 2.2).

Table 2.2: NDIA fraud vulnerabilities relevance and assessment

Note a: The NDIA does not provide identification documents, as such that vulnerability is not relevant to the NDIA.

Source: ANAO analysis using two tables from the Commonwealth Fraud Control Framework, Risk Management Guide 201, pages C9 and C12.

2.12 The NDIA comprehensively assessed the fraud vulnerabilities involved in 10 out of the 17 relevant areas. The key fraud vulnerabilities that were not adequately considered and reflected in the risk register are:

• self-managed participants, for example, use of unregistered providers and low verification thresholds for payments to self-managed participants (see rows C and Q in Table 2.2);
• risks associated with having an IT system provided by a third party (the Department of Human Services), for example, limitations on NDIA’s ability to manage the provision of services given the lack of an enforceable contract (see row J in Table 2.2);
• possible risks given the forthcoming split of responsibilities between the NDIA and the QSC for provider registration (see rows F, I and J in Table 2.2); and
• risks that could arise due to the rapidly expanding Scheme, for example, Fraud and Compliance Branch resourcing may not align with the expansion of the Scheme and the expanded risk of exploitation by professional facilitators (see rows K and M in Table 2.2).

2.13 The NDIA identified nine points in the NDIS process where assurance activities should be conducted. The Risk Register records risks at these points except for reviewable decision reviews.

NDIA’s Fraud Control Plan

2.14 Sub-section 10 (b) of the Fraud Rule requires the NDIA to develop and implement ‘a fraud control plan that deals with identified risks as soon as practicable after conducting a risk assessment’.

2.15 The NDIA’s 2018 Fraud Control Plan (FCP) was considered by the Board in May 2018 and finalised in August 2018. The FCP was uploaded to the NDIA intranet in October 2018 alongside a publicly available NDIA Fraud Strategy Statement (see paragraph 2.50).

2.16 The Commonwealth’s Fraud Guidance outlines the content that may be included in fraud control plans, such as: a summary of fraud risks and vulnerabilities; treatment strategies and controls; training approaches; and internal management mechanisms, protocols, roles and responsibilities. The NDIA’s 2018 FCP contains all of the elements listed in these better practice guidelines. This is an improvement on the Agency’s 2016 FCP, which did not include most of the recommended content, and did not list any of the identified risks.

Has the NDIA identified and implemented controls to reduce the risk of fraud?

The NDIA’s Fraud Risk Register

2.17 NDIA has advised the ANAO that its Fraud and Corruption Risk Register (the Risk Register) should be the single source of truth on fraud risks and controls.²⁸ Acting on the findings from the fraud risk workshops in 2017–18, in March 2018²⁹ the NDIA created a new Risk Register. In the Risk Register, each of the 17 risk types has a range of ‘key risk causes’ which outline how the risk could materialise and associated controls (an example is at Figure 2.2).

Figure 2.2: Items in the Fraud Risk Register — example

 

 

Source: ANAO reproduction of the NDIA Fraud and Corruption Risk Register.

2.18 The ‘Key Risk Causes’ column in the Risk Register demonstrates that the NDIA has given consideration to how fraud risks could occur. The key risk causes are accompanied by a large list of controls in place to mitigate the overall risk. The controls cannot be directly linked to the key risk causes, but the controls do relate to the broad risk type. The Risk Register lists 338 current controls in place to help mitigate the consequence and likelihood of each fraud risk type.

2.19 The Australian Standard AS 8001-2008 Fraud and Corruption Control³⁰ defines a control as ‘an existing process, policy, device, practice or other action that acts to minimise negative risks or enhance positive opportunities.’ A more recent New South Wales Audit Office publication has a stricter definition that a control is a process that should be actioned, rather than a reference to policy or legislation.³¹ Controls can be preventive, detective or corrective.

2.20 Of the 338 controls listed in the Risk Register, 185 (55 per cent) are not active ‘controls’, as they are:

• acts/legislation;
• internal audits;
• NDIA guidance/policy documents; or
• not yet operational.

2.21 Some controls are listed against more than one risk type if they are generic and relevant to different fraud risks, for example, fraud training and the fraud reporting hotline.

2.22 In order to assess the implementation of the NDIA’s fraud risk controls, the ANAO randomly selected and tested 10 controls from the Risk Register.³² Seven of the 10 selected controls have been implemented.³³

The NDIA’s assessment of fraud controls

2.23 The NDIA policy is that any amount of fraud is ‘unacceptable’ within the context of an entity level ‘conservative’ risk appetite. In addition, the NDIA’s Risk Assessment Guide states that controls rated as ‘poor’ should have improvements scheduled within three months, and for those rated as ‘adequate’ within six months. It also notes that high risk ratings are ‘typically undesirable’.

2.24 The Risk Register identifies the NDIA’s 17 fraud and corruption risk types and lists the untreated and residual impact of each of the fraud risk types (see Table 2.3).

Table 2.3: NDIA’s assessment of identified fraud and corruption risks, November 2018

Notes: For the November 2018 version of the Risk Register, when considering the impact of the controls, the NDIA first considered the consequence and likelihood of a risk occurring — the ‘untreated’ risk rating. Then, once consideration of the controls effectiveness was complete, the NDIA re-assessed the consequence and likelihood of each risk occurring — the ‘residual’ risk rating. The June 2019 version of the Risk Register, which is not reflected in this Table, includes updated risk types.

Source: ANAO reproduction of the NDIA Fraud and Corruption Risk Register.

2.25 Table 2.3 does not show the specific risk types but these include participant fraud, provider fraud, cyber/IT fraud, identity fraud, procurement and grant funding fraud, and payroll and leave entitlement fraud. The NDIA identified two fraud risk types that have a high residual risk impact and 11 risk types with a medium residual impact.

2.26 The NDIA assessed that 10 out of 17 of its fraud risk types have ‘poor’ controls. Four of the controls rated as ‘poor’ and three of those rated as ‘adequate’ do not have any associated improvements scheduled. In addition, for three fraud risk types, the residual risk rating was lower than the untreated risk rating, despite the control effectiveness being rated as poor.

2.27 In 2018 the NDIA developed a Fraud and Compliance Roadmap to strengthen its management of fraud and compliance risks. The Roadmap is supported by a two year program of work with over 280 deliverables. There was no clear link between the Risk Register and the deliverables in the Fraud and Compliance Strategic Roadmap.

2.28 In April 2019, the NDIA mapped the 280 deliverables in the Fraud and Compliance Roadmap to the 17 risk types in the Fraud Risk Assessment. This showed that at least 70 of the deliverables could be linked directly to the fraud risk types and would strengthen the controls for these risks.

2.29 The NDIA should improve its management of fraud risk by using the Risk Register to record and prioritise work to improve fraud controls, linked to the Fraud and Compliance Roadmap.

2.30 In April 2019, the NDIA provided the ANAO with an incomplete draft of an updated Risk Register. A new Risk Register was approved by the Board Risk Committee in early June 2019. NDIA has provided details of the fraud risk implications of this new Risk Register in its response this Audit (paragraph 30 and paragraphs 2.32–2.36). The ANAO has not assessed the June 2019 version of the Risk Register.

Has the NDIA implemented appropriate fraud training for all officials in the entity, including those with fraud-specific responsibilities?

2.37 The Fraud Rule states that:

The accountable authority of a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by:

1. Having an appropriate mechanism for preventing fraud, including by ensuring that:
   1. Officials in the entity are made aware of what constitutes fraud.

Awareness-raising and training

2.38 The NDIA updated its mandatory ‘Fraud Awareness’ eLearning in January 2019, with a policy that the training be completed by all NDIA and Partners in the Community staff within three months of commencing employment, and recompleted once a year. The content of the module includes a definition of fraud, the difference between fraud and error, and examples of fraud. Chapter 3 outlines further details on reporting suspected fraud.

2.39 As of 31 January 2019, 47 per cent of all NDIA staff have completed the mandatory eLearning module within the last year (see Figure 2.3). A further 35 per cent of NDIA staff have completed the training more than one year ago and need to recomplete the training. The NDIA advised that, where applicable, email reminders are given to staff twice before the due date for the mandatory training and one week after, and that a monthly report records outstanding mandatory training. The NDIA also advised that from May 2019 all Branch Managers will be given a report on outstanding mandatory training for their staff and from 1 July 2019 the SES performance framework will include training compliance.

Figure 2.3: ‘Fraud Awareness at NDIA’ completion rates, as at 31 January 2019

Source: ANAO analysis of NDIA eLearning completion data.

2.40 In addition to the eLearning, the NDIA also runs ‘Payment Integrity’ face-to-face training.³⁴ The training includes information on: the impact of poor payment integrity; specific examples of how staff should respond to suspected fraud; and some of the warning signs of fraud and misuse. NDIA has advised that the payment integrity training is one of 18 modules in the New Starter Program and is mandatory for planners and local area coordinators. It further advised that 223 Australian Public Service planners commenced within NDIA between January and March 2019, with 91 per cent of them having completed the New Starter Program. NDIA records completion rates for local area coordinators but these may not be accurate as this is based on data from manual attendance records provided by Partners in the Community.

2.41 The NDIA also raises internal awareness of fraud on its intranet. During 2018, six notices relating to fraud were posted on the Intranet. The fraud reporting page on the intranet provides information on: how to report suspected fraud; what information to include in a report; and the actions that will be taken by the Fraud and Compliance Branch when the report is received.

Training and qualifications for fraud and compliance staff

2.42 The 2017 Commonwealth Fraud Control Framework Fraud Policy (Fraud Policy)³⁵ states:

Entities must ensure officials primarily engaged in fraud control activities possess or attain relevant qualifications or training to effectively carry out their duties; and

Fraud investigations must be carried out by appropriately qualified personnel as set out in AGIS.

2.43 The Fraud Guidance recommends:

• Qualifications for investigators in line with the Australian Government Investigation Standards 2011 (AGIS),³⁶ which recommends:
  • Certificate IV in Government (Investigation) or its equivalent — for staff primarily engaged as an investigator; or
  • Diploma of Government (Investigation), or equivalent — for staff primarily engaged in the coordination and supervision of investigations;
• The following qualifications for fraud control officials:
  • Certificate IV in Government (Fraud Control) or equivalent qualification for officials implementing fraud control; or
  • Diploma in Government (Fraud Control) or equivalent qualification for officials managing fraud control.
• Training within 12 months for officials entering these roles without the relevant experience.

2.44 The Fraud and Compliance Branch has an Attainment of Fraud Qualifications Policy which was approved on 4 January 2019. The policy references and is closely aligned with the 2017 Commonwealth Fraud Control Framework and AGIS requirements. The NDIA’s position descriptions for investigators list the required qualifications.

2.45 The Fraud and Compliance Branch maintains a qualifications register, verifies the qualifications of staff, and holds certified copies on file. The register identifies 28 staff and contractors, consisting of eight fraud control officials and 20 fraud investigators. ³⁷ Of the staff identified as investigators or fraud control officials, most hold the recommended qualification. The NDIA has outlined equivalent experience and qualifications for those who do not hold the recommended qualifications (for example, significant police experience), except one investigator is to obtain a qualification by December 2019. As at June 2019, the NDIA was in the process of verifying the qualifications of five investigators who have police backgrounds.

2.46 The NDIA has 15 Department of Human Services and Australian Federal Police officers supporting the NDIS Fraud Taskforce. These staff are involved in NDIA fraud investigations but are not listed on the qualifications register. The NDIA has advised that it has received assurance from the relevant entity that these staff hold the required qualifications.

2.47 The NDIA Fraud and Compliance Branch has taken proactive steps to upskill staff in investigation and fraud control positions. In 2018, five qualifications were obtained by four individuals who entered their roles at the NDIA without the recommended qualifications. Two of these staff attained their qualifications through the recognition of prior learning process.

2.48 Staff in the Fraud and Compliance Branch have undertaken additional investigation training. The Fraud and Anti-Corruption Centre runs a Commonwealth Agency Investigations Workshop. Four staff from the NDIA investigations team participated in the workshops in 2017 and 2018. In March 2018, the investigations team also engaged an external facilitator to run training sessions. The sessions focused on interview training, including interviewing vulnerable people and taking witness statements.

Has the NDIA appropriately raised fraud awareness among external stakeholders?

2.49 There are no mandatory requirements for the NDIA to help raise awareness amongst external stakeholders. However, the Fraud Guidance states the following:

Paragraph 49. Having effective outreach programs can help entities prevent fraud. Outreach activities include entities clearly explaining their integrity policies and programs, and position on fraud to clients and service providers, and where appropriate, to members of the public.

Paragraph 50. It is beneficial for awareness-raising programs for third-party providers to take into account the work they do directly for entities and the services they deliver on behalf of the entity. These programs can be extended to provide clients and providers information about their rights and obligations, including information on their fraud control responsibilities.

The Fraud Strategy Statement

2.50 The Fraud Guidance states that ‘a widely distributed fraud strategy statement can assist in raising awareness’. The NDIA Fraud Strategy Statement was posted to the intranet on 12 October 2018 and made publically available on the NDIS website.³⁸ It includes all of the recommended content in the Fraud Guidance including the definition of fraud, a summary of the consequences of fraud, an assurance that allegations of fraud will be handled confidentially and advice on where to obtain further information.

Awareness raising for the public

2.51 The NDIS website contains publicly available resources to raise awareness of fraud:

• the ‘Reporting suspected fraud’ page (provides examples of fraudulent behaviour and explains how to report suspected fraud); and³⁹
• the NDIS 2017–18 Annual Report has information on how NDIA is managing fraud risk.⁴⁰

2.52 The topic of fraud within the NDIS attracts a large amount of media attention. Widespread media coverage can assist in raising awareness and the Commonwealth Director of Public Prosecutions acknowledges that increased publicity of prosecution can have a deterrent effect.⁴¹ The NDIA Engagement and Communications Strategy (October 2018) recognises awareness raising as a priority in external communications.

2.53 On 24 July 2018, the NDIA posted a media release on the NDIS website for the announcement of the Fraud Taskforce.⁴² Further media releases were posted in September 2018 regarding on-going investigations⁴³ and in October 2018 regarding the Taskforce’s first arrest.⁴⁴

Awareness raising for providers

2.54 The NDIA publishes monthly e-Newsletters to which all registered providers are automatically subscribed. Any party can also subscribe via the NDIS website. The July 2018 e-Newsletter mentioned the establishment of the NDIS Fraud Taskforce.

2.55 The NDIA has an online Provider Toolkit⁴⁵ with resources for NDIS providers. These include eLearning activities including ‘payment integrity responsibilities for providers’ and ‘warning signs and how to report fraud’. The training explains the provider’s responsibility in upholding Scheme integrity and details how to detect and report suspected fraud.

2.56 There is also training material advising providers how to comply with the NDIS Terms of Business. The Terms of Business outline mandatory requirements and the proper conduct for payments and pricing. If a provider is found to not comply with the Terms of Business registration can be revoked and legal action can be taken on fraudulent claims.

2.57 Over 2018 the NDIA ran face-to-face payment integrity sessions for providers. For instance, in early 2018, the NDIA ran payment integrity provider sessions as a part of the National Provider Forum in each state and territory. Sessions were also held at regional sites where there was demand due to difficulties in travelling to capital cities.

2.58 The NDIA records attendance and collects feedback forms from the payment integrity sessions. Across both the National Provider Forum and the individual sessions, an estimated 1187 provider staff attended payment integrity sessions in 2018. The NDIA has advised that it does not track which providers have completed the online activities, which limits oversight of the impact and utility of these resources.

Summary of Compliance with the Framework

3.1 Table 3.1 outlines the NDIA’s overall compliance with the mandatory requirements outlined in the Attorney-General’s Commonwealth Fraud Control Framework in relation to detecting and responding to fraud. The two relevant requirements are:

• having an appropriate mechanism for detecting incidents of fraud or suspected fraud, including a process for officials of the entity and other persons to report suspected fraud confidentially; and
• having an appropriate mechanism for investigating or otherwise dealing with incidents of fraud or suspected fraud.

3.2 For the purposes of this assessment, the first requirement has been separated into two sub-tests, with the first focusing on implementing confidential reporting channels and the second focusing on other mechanisms for detecting fraud. The detailed analysis supporting the conclusions in Table 3.1 is included in the following sections of this Chapter.

Table 3.1: NDIA’s compliance for fraud detection and response

 

 

Note: These are mandatory requirements under the Commonwealth Fraud Control Framework Fraud Rule parts (d) and (e).

Source: ANAO.

Has the NDIA put in place appropriate processes for suspected fraud to be confidentially reported?

3.3 The 2017 Commonwealth Fraud Control Framework Fraud Rule (Fraud Rule)⁴⁶ states:

The accountable authority of a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by:

a process for officials of the entity and other persons to report suspected fraud confidentially.

3.4 The 2017 Commonwealth Fraud Control Framework Fraud Guidance (Fraud Guidance), although non-mandatory for the NDIA, states that it is important for entities to appropriately publicise fraud reporting mechanisms. It also encourages entities to establish measures to protect those making reports from adverse consequences.⁴⁷

Channels to report fraud

3.5 The NDIA has implemented a number of channels for suspected fraud to be reported. The channels are advertised on the NDIA’s intranet and internet pages and include:

• the fraud reporting hotline, a telephone service for reporting fraud;
• the fraud reporting email address; and
• an online contact form.⁴⁸

3.6 The NDIA’s intranet page contains relevant information on fraud tip-offs and reminders are posted to internal noticeboards. These tip-off channels are also listed in the NDIA’s Fraud Control Plan, in updates to staff groups, and in the NDIA’s mandatory fraud awareness training.

3.7 There has been an increase in tip-offs since July 2017, and a marked increase since the NDIS Fraud Taskforce was established in July 2018 (Figure 3.1).

Figure 3.1: Tip-offs about suspected fraud to the NDIA, July 2017 to February 2019

Source: ANAO analysis of NDIA tip-off data.

3.8 The majority of tip-offs to the NDIA in the 2017–18 financial year were received through the fraud reporting email address and hotline. A small number were received by letter or in person (Figure 3.2).

Figure 3.2: Source of tip-offs to the NDIA, 2017–18 financial year

Source: ANAO analysis of NDIA tip-off data.

3.9 Public Interest Disclosures are disclosures made by a public official to a government entity, persons not in government, or to a legal practitioner which may relate to fraud. The NDIA has developed policies for managing Public Interest Disclosures, appointed authorised officers to whom NDIA officials may make disclosures, published guidance on making a disclosure, and referenced disclosures in its fraud awareness training. The guidance also outlines the rights that officials have under the Public Interest Disclosures Act 2013.

Managing the confidentiality of reports

3.10 The NDIA’s website notes that people reporting fraud can request to have their details remain confidential, and that the NDIA has established procedures to assist with managing confidentiality. These procedures require the Intake and Assessment Team who receive the reports to ask whether the informant would like their details to remain confidential. If so, the Intake and Assessment Team must ensure there are no identifying details on the intake record such as names and phone numbers. As part of this process officers are prompted by the IT system to review the description of the case before saving the record to ensure it does not include identifying information.

3.11 The ANAO reviewed tip-offs received by the Intake and Assessment Team in December 2018 to check if the confidentiality procedures had been implemented. Figure 3.3 shows that in December 2018, 160 reports were recorded and confidentiality was requested by 32 informants. The request for confidentiality was not correctly handled in 15 per cent of sampled cases, as identifying information was recorded in five instances.

Figure 3.3: NDIA’s compliance with confidentiality procedures for tip-offs received in December 2018

Source: ANAO analysis of NDIA files.

3.12 Where the confidentiality procedure was not followed, the identifying information was removed before the case was referred outside the Intakes and Assessment Team.

3.13 Following the ANAO’s assessment of this process, Intake and Assessments staff undertook additional training, and relevant guidance documentation was updated with the aim of ensuring staff do not record information when confidentiality is requested. In addition, the NDIA is in the process of procuring a new case management system (see paragraphs 3.41–3.45). Documentation outlining the case management system requirements specifies IT system controls and business rules to further enhance compliance with this procedure.

Does the NDIA have appropriate methods to detect potential fraud other than via reports from staff and external parties?

3.14 The Fraud Rule⁴⁹ states:

The accountable authority of a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by:

d) having an appropriate mechanism for detecting incidents of fraud or suspected fraud…

3.15 The 2017 Commonwealth Fraud Control Framework Fraud Policy (Fraud Policy)⁵⁰ states that ‘Entities must maintain appropriately documented instructions and procedures to assist officials [to] … detect … fraud’.

3.16 The Australian Institute of Criminology’s Commonwealth Fraud Investigations 2015–16 report identifies ten ways fraud is usually detected in the Commonwealth, based on a census of Commonwealth entities. Each of these methods are listed and discussed in Table 3.2.

Table 3.2: The NDIA’s implementation of mechanisms to detect fraud

KEY: ✔ Implemented ✘ Not implemented

Note a: Engagement with law enforcement is further explored in Chapter 4.

Source: ANAO analysis.

3.17 Some mechanisms to detect fraud are included in the NDIA’s Fraud and Corruption Risk Register. However, as outlined in Chapter 2, paragraphs 2.27 the Risk Register does not record all current and planned fraud controls, which may include other detection methods.

Data analytics for fraud detection

3.18 The Association of Certified Fraud Examiners has observed ‘proactive data monitoring and analysis are among the most effective anti-fraud controls. Organisations which undertake proactive data analysis techniques experience frauds that are 54 per cent less costly’.⁵¹ As such, data analytics and data matching could be a critical tool for the NDIA.

3.19 The NDIA had developed actuarial profiles that used NDIA data to identify instances of suspicious activity such as patterns of fund utilisation, claims above pricing caps or claims above a participant’s budget.⁵² Reports against these profiles were provided to the Fraud and Compliance Branch (the Branch) on an ad-hoc basis until May 2018.

3.20 In May 2018, the Branch undertook a review of 15 of the 17 actuarial profiles.⁵³ The review examined a sample of cases created from each profile to identify whether the reports were useful to the Branch. In summary, the assessment found that:

• three profiles were acceptable in their current form;
• three profiles were acceptable if better data was captured;
• five profiles would need more significant changes before they could be accepted;
• two profiles were likely useful to another business area; and
• two profiles were no longer required.

3.21 Responsibility for fraud risk profiles was transitioned to the Branch in July 2018. In December 2018 the Branch obtained access to a data analytics platform and began drafting a Fraud Risk Profile Development Framework, and made changes to work practice documentation. After refining data analytics, including the profile outputs and business rules, the Branch began running its own reports in March 2019. Although no reports were run after May 2018, three profile reports were generated in March 2019 and the outputs were backdated to July 2017.⁵⁴ The reports generated are improved versions of the three determined as acceptable in May 2018. NDIA has advised that a further three reports will be tested and implemented by 30 September 2019 and that an additional six profiles have been identified for implementation by the end of 2019.

3.22 The NDIA expects to finalise its Fraud Risk Profile Development Framework in June 2019. This framework is intended to be a standardised methodology for the design, development, testing and production of risk profiles.

Data matching for fraud detection

3.23 Data-matching involves bringing together data from different sources and analysing it to identify individuals or organisations for further investigation or action.

3.24 The NDIA began conducting the following data matching activities in 2018:

• Payment Integrity: The NDIA’s actuarial team routinely undertakes a payment integrity activity where it matches participant data with state and territory data. This is to ensure that the correct government entity is paying supports.
• Family Day Care provider matching: The NDIA receives information from the Department of Education Child Care Enforcement Action register regarding Family Day Care providers that have been sanctioned. The NDIA matches this data to its own providers and investigates as required. As at February 2019, the NDIA had engaged with 38 NDIA providers following this data matching activity, and is in the process of de-registering 25 providers. The NDIA has identified that providers with sanctions against them in the Department of Education Child Care Enforcement Action register have made $3.6 million in service bookings and have received payments totalling $2.3 million from the NDIA. The NDIA advised the ANAO that it is in the process of implementing this check as a pre-registration step, at which time the data-matching will become a ‘business as usual’ activity.

3.25 The NDIA continues to invest in building its data matching capability. In February 2019, the NDIA Risk Committee noted the NDIA’s new Identity Management Framework. This aims to strengthen identity controls for participants seeking access to the Scheme by accessing and using third party data sets. This includes matching data from government and non-government organisations. As an example, the NDIA received its first set of ‘fact of death’ data in March 2019 and compared it with participant information to identify discrepancies.⁵⁵

Are there appropriate processes in place for investigating suspected fraud and taking appropriate action?

3.30 The Fraud Rule⁵⁶ states:

The accountable authority of a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by:

5. having an appropriate mechanism for investigating or otherwise dealing with incidents of fraud or suspected fraud; and
6. Commonwealth entities must have an appropriate mechanism for recording and reporting incidents of fraud or suspected fraud.

3.31 The Fraud Policy⁵⁷ provides further guidance on investigations and states that entities must have investigation processes and procedures that are consistent with the Australian Government Investigations Standards (AGIS) 2011. While the Fraud Policy is not binding for the NDIA, the NDIA’s Fraud Control Plan states that investigations undertaken within the Agency will comply with the AGIS.

The NDIS Fraud Taskforce

3.32 A key enhancement to the practical capacity to respond to fraud was the establishment of the NDIS Fraud Taskforce in July 2018, supported by the Australian Federal Police (AFP) and the Department of Human Services (Human Services).⁵⁸

3.33 In July 2018 responsible Ministers advised the Prime Minister that the establishment of the NDIS Fraud Taskforce was ‘to mitigate potential serious fraud within the NDIS which is being reported both through intelligence sources and in the media’.

3.34 In 2018–19, the NDIA allocated $16 million for ‘business as usual’ fraud and compliance activities, including for approximately 75 staff. In addition, $7.7 million was allocated for the NDIS Fraud Taskforce in 2018–19.

3.35 At 30 March 2019 the Fraud and Compliance Branch had 103 staff either working on the NDIS Fraud Taskforce or business as usual activities. Twelve of these NDIA staff were dedicated to the NDIS Fraud Taskforce. In total, Human Services’ has committed 15 staff to the Fraud Taskforce (including access to AFP staff via the Human Services and AFP Memorandum of Understanding). Human Services also provides additional staff, through short-term arrangements, to support the operational requirements of the Fraud Taskforce. The NDIA has advised that recruitment action is continuing for Taskforce staff.

3.36 The Memorandum of Understanding (MOU) between NDIA and Human Services for the establishment of the NDIS Fraud Taskforce says that the Taskforce is a partnership between NDIA, Human Services and the AFP.⁵⁹ The MOU also states that the Taskforce has been established with two objectives:

• immediately commence investigations where intelligence is readily available; and
• strengthen the NDIA’s longer-term fraud prevention and detection activity and capability’.

3.37 The NDIS Fraud Taskforce is governed by an Inter-Departmental Committee (IDC) comprising NDIA, Human Services, the AFP, the Australian Taxation Office, the NDIS Quality and Safeguards Commission and the Department of Social Services.

3.38 Chapter 4 (paragraph 4.49) mentions the first Taskforce arrest in October 2018. ⁶⁰ On 22 May 2019, the AFP, NDIA and Human Services announced that an NDIS Fraud Taskforce investigation into an organised criminal syndicate suspected of defrauding the NDIS had resulted in the arrest of five people in western Sydney. ⁶¹ It is alleged that three registered NDIS providers ‘controlled and exploited by those arrested’ fraudulently claimed more than $1.1 million in NDIS payments from more than 70 NDIS participants. Investigations into the true scale of this fraud are continuing, with the three entities believed to have received more than $2.6 million in NDIA payments since December 2017.

NDIA’s compliance with the AGIS

3.39 The AGIS establishes the minimum standards for Australian Government agencies conducting investigations. While not mandatory for the Corporate Commonwealth entities, the NDIA has agreed to reflect the AGIS standards for undertaking fraud investigations. There are 54 requirements and recommendations in the AGIS across four categories: operating standards, identification of breaches and case selection, investigation management, and investigation practices. The requirements include written policies, templates, systems, and specific activities.

3.40 The ANAO reviewed 36 of the 54 requirements, including the written policies, templates, systems, and nine specific activities.⁶² The NDIA was compliant with 34 of the 36 tested requirements, as outlined in Table 3.3.

Table 3.3: NDIA’s compliance with AGIS requirements

 

 

Source: ANAO analysis.

NDIA fraud management systems

3.41 In order to comply with the AGIS, entities must have systems to manage tip-offs, a case management system, and a system to manage evidence collected in the course of investigations. The NDIA has established three separate spreadsheets for these purposes.

3.42 The AGIS requires that entities have an electronic system for recording the receipt of referrals or conduct identified as allegedly, apparently or potentially breaching the law. It must have the ability to record investigation plans, investigation activity and management of tasks and facilitate the preparation of briefs of evidence.

3.43 The NDIA’s current system does not meet these requirements, as most information on individual cases is held separately in hard copy files. In addition, the NDIA has identified issues with its case management system including:

• the system provides limited functionality;
• data can become corrupt and reporting is unreliable; and
• it does not support efficiency and effectiveness.

3.44 The NDIA has commenced procurement of a new electronic case management system, which will replace the existing referrals and case management systems. It has established a detailed list of requirements for the procurement, which includes the functionality needed to comply with the AGIS. The NDIA sought a quotation from the preferred provider in February 2019, and expects to fully implement the new system by July 2019.

3.45 The NDIA has established an Exhibit Register spreadsheet to manage evidence collection which is compliant with AGIS requirements. The list of requirements for the case management system being procured includes the capability to manage evidence, to replace this spreadsheet.

Quality assurance of investigations

3.46 The NDIA’s Investigations Manual (December 2018), states that:

NDIA management must be assured that investigations are conducted in an efficient and effective manner, and meet contemporary standards and expectations such as those prescribed in the AGIS … An effective means of measuring levels of compliance is to conduct Quality Assurance Reviews.

3.47 The NDIA advised that it has not undertaken any Quality Assurance Reviews, however it has identified the development of a quality framework for all branch activities in its future work plan.

3.48 The AGIS also notes that the AFP can undertake Quality Assurance Reviews of entities’ investigations processes to examine issues relevant to the Commonwealth Director of Public Prosecutions (CDPP) or external counsel. The AFP has not undertaken a formal Quality Assurance Review of any NDIA investigations. Following the NDIA’s first fraud investigation which led to an arrest, an AFP member of the NDIS Fraud Taskforce debriefed NDIA staff, although this was not a requirement. There were no recommendations regarding the application of the AGIS in this debrief.

Action in response to fraud

3.53 The AGIS states that entities may form a committee to inform and oversee the decisions and recommendations following the initial evaluation process, and that decision makers should be at the Senior Executive Service (SES) level. The NDIA has a triaging and escalation process for managing its response to fraud, as outlined in Figure 3.4 and records critical decisions relating to investigations outcomes in line with the AGIS.

Figure 3.4: Fraud escalation at the NDIA

 

 

Source: ANAO analysis.

3.54 Following the initial intake and assessments procedure outlined in paragraphs 3.5–3.9, the NDIA refers instances of suspected fraud to the Fraud Intelligence Team for further investigation. The Fraud Intelligence Team reviews available information such as participant information, provider records or other investigations that may be related. Initial findings are documented in the established template for intelligence reports.

3.55 Where it is considered appropriate by the delegate, these intelligence reports are referred to the Case Management Committee (CMC), which is led by an SES officer. The CMC’s assessment of the intelligence report and the outcome are recorded in the critical decision template.

3.56 The CMC may finalise the investigation, approve an investigation by NDIA staff, or refer the matter to the NDIS Fraud Taskforce or the AFP for further investigation.

3.57 Under the AGIS, cases must be referred to the AFP where the matter relates to serious crime or complex criminal investigation.⁶³ These referrals are usually managed through the AFP’s Fraud and Anti-Corruption Centre. The NDIA instead makes referrals directly to the AFP through the NDIS Fraud Taskforce.⁶⁴

3.58 Internal NDIA policy also states that other investigative milestones such as referral to the CDPP for briefs of evidence are to be recorded in the critical decision template and approved by the CMC. Briefs of evidence include information such as witness statements and evidence. These are referred to the CDPP for a decision on whether or not to prosecute. The NDIA advised that it has referred one brief of evidence to the CDPP and that this case is ongoing.

3.59 The Fraud and Compliance Branch reports on the progress and outcome of investigations to the NDIA Risk Committee and previously reported to the NDIA Audit Committee. Further details on fraud reporting to the NDIA’s governance committees is included in Chapter 4. In February 2019, the Fraud and Compliance Branch also reported to the NDIA Board on ongoing investigations, noting that 21 investigations were ongoing. The NDIA advised that at 31 May 2019 20 investigations were ongoing, with an estimated value of $9.3 million.

3.60 As discussed in paragraphs 3.41–3.45, the NDIA has identified issues with data integrity in its current case management system. It has also identified the development of a contemporary fraud and compliance reporting framework in its future work plans.

Recovery of funds

3.61 Funds from identified fraud against the Commonwealth are recovered by the CDPP and AFP in line with the Proceeds of Crime Act 2002. The NDIA advised that the CDPP and AFP are seeking to recover funds from the one investigation the NDIA has referred recently, but this has not yet been finalised. Additionally, the NDIA reported to the NDIA Board and NDIA Risk Committee that it is has prevented $2 million in potentially fraudulent claims in relation to its ongoing investigations.

3.62 The NDIA has also taken action to recover funds in relation to fraud or non-compliance by providers other than through the CDPP or AFP. For example, between August and December 2018 breaches totalling $4.6 million were identified, and $2.4 million was reinstated to participant plans. The NDIA has advised that processes are in place to reinstate funds to current participant plans so that no participant loss will occur as a result of identified fraud or non-compliance. The NDIA advised that non-compliant payments were cancelled, and became a negative balance on the provider’s account to facilitate recovery.

Summary of compliance with the Framework

4.1 Table 4.1 outlines the NDIA’s overall compliance with requirements and a better practice principle outlined in the Attorney-General’s Commonwealth Fraud Control Framework in relation to oversight, monitoring and reporting of fraud. The detailed analysis supporting these conclusions is included in the following sections of this Chapter.

Table 4.1: NDIA’s compliance in overseeing, monitoring and reporting fraud

 

 

Note a: A mandatory requirement under the Commonwealth Fraud Control Framework, Fraud Rule part (c) (ii).

Note b: A mandatory requirement under the Commonwealth Fraud Control Framework, Fraud Rule part (f).

Note c: A better practice principle requirement under the Commonwealth Fraud Control Framework, Fraud Policy parts 13 and 14.

Source: ANAO.

Does the NDIA work effectively with other entities to mitigate fraud?

4.2 The Australian Federal Police (AFP) hosted Fraud and Anti-Corruption Centre (FAC) is one way in which Commonwealth entities work together to combat fraud. The NDIA is a member of the FAC (see Table 4.2 below). The AFP notes that through the FAC:

The AFP works closely with partner agencies using a multi-agency approach to strengthening the Commonwealth’s capability to respond to fraud and corruption. This multi-agency approach contributes to the reduction, disruption or cessation of activities beyond those targeted by a particular investigation, which results in increased compliance with Commonwealth legislation and provides enhanced revenue and expenditure outcomes for the Commonwealth.⁶⁵

4.3 The Attorney-General’s Department’s Resource Management Guide on fraud⁶⁶ lists eight entities with cross-government responsibilities in fraud control. As detailed in Table 4.2 below, the NDIA has contact with these entities. This is principally to share intelligence on the nature of fraud against the Commonwealth and strategies to combat fraud.

4.4 The 2019–20 Budget included $16.4 million over two years for a targeted approach to tackling fraud and includes funding for the AFP and the Attorney-General’s Department.⁶⁷ This funding is to improve the way the Commonwealth uses intelligence and data to combat fraud and design fraud resilient programs. This measure is likely to have implications for how Commonwealth entities work together to combat fraud.

4.5 The outcome of NDIA’s interactions with other entities is principally demonstrated through:

• the work of the Fraud Taskforce (see Chapter 3, paragraphs 3.32–3.38);
• the use of the Child Care Enforcement Action Register and the planned roll-out of other data matching activities (see Chapter 3, paragraphs 3.23–3.25); and
• liaison with the NDIS Quality and Safeguards Commission which is detailed below.

Table 4.2: NDIA’s contact with other agencies on fraud matters

Note a: These cover six of the eight entities listed as having cross-government fraud control responsibilities in the AGD’s Resource Management Guide No. 201: Preventing, detecting and dealing with fraud [Internet], AGD, August 2017, available at: <https://www.ag.gov.au> [accessed 27 February 2019]. One entity is ANAO which has statutory responsibilities and is not listed in the Table. Another entity is the Australian Commission for Law Enforcement Integrity supports the AIC and has no direct engagement with the NDIA (not included in the table).

Note b: Austrac, About Us [Internet], Austrac, available at:

<http://www.austrac.gov.au/about-ushttps://www.ndiscommission.gov.au/&gt; [accessed 27 February 2019].

Note c: QSC, [Internet], available at: <https://www.ndiscommission.gov.au/about&gt; [accessed 27 February 2019].

Source: ANAO.

Engagement with the NDIS Quality and Safeguards Commission

4.6 The Quality and Safeguards Commission (QSC) is currently responsible for NDIS provider registration in New South Wales and South Australia, and will take over this role for other States and Territories by July 2020.⁶⁸ It is responsible for the implementation of the National Disability Insurance Scheme (Provider Registration and Practice Standards) Rules 2018. These include a requirement for the QSC to have regard to whether an applicant or a member of the key personnel of an applicant has been the subject of any findings or judgment in relation to fraud.

4.7 The QSC has advised that it has adopted a staged process to re-register all existing providers in New South Wales and South Australian as providers are required to meet new requirements including third party audits against NDIS practice standards.

4.8 The draft NDIS and QSC Fraud and Compliance Operational Protocol details working arrangements, roles and responsibilities, agreed principles and governance arrangements for fraud and compliance practices across the two entities. The QSC is responsible for investigating allegations of misconduct, underperformance and sharp practices by NDIS registered providers and enforcement action, but not fraud which is solely the responsibility of the NDIA.

4.9 There is a QSC template to refer matters to the NDIS Fraud Taskforce. The QSC has reported seventeen instances of potential fraud to the NDIA. The NDIA has made 17 referrals to the QSC regarding non-compliance by New South Wales and South Australian providers.

Does the NDIA undertake projects to improve fraud controls and consider fraud risks for other projects?

Project management for fraud control

4.10 The 2017 Commonwealth Fraud Control Framework — Fraud Rule says the agency must ensure ‘the risk of fraud is taken into account in planning and conducting the activities of the entity.’⁶⁹ The NDIA’s Fraud Control Plan reflects this, stating that the ‘Agency must consider the risk of fraud when planning and conducting business activities, including major new policies and projects’. The Plan also states that fraud risk assessments must be completed for all projects.⁷⁰ This section examines how NDIA projects take fraud into account. Chapter 2 deals with how risk of fraud is managed more generally through fraud risk assessments and the Risk Register.

4.11 NDIA programs, strategies and projects are run either by its Project Management Office (PMO) or by the relevant line area. Fraud is relevant for NDIA projects due to:

• the project objective includes enhanced fraud control; or
• changes as a result of the project could impact fraud risks.

4.12 The NDIA’s PMO commenced in early 2018 and is managing seven strategic programs, and was also allocated 10 smaller-scale projects. The strategic programs and projects managed by the PMO are required to have a Risks, Assumptions, Issues and Dependencies (RAID) log completed which includes assessment of fraud risk.⁷¹ The NDIA has advised that by the end of May 2019 a ‘risk-in-change tool’ will also be used for the strategic programs. This tool identifies where a program may impact fraud risks, requiring action to manage this before it moves into a ‘business as usual’ state.

4.13 RAID logs were completed for the PMO smaller-scale projects except two projects were reclassified as ‘business as usual’ with no RAID log required, and one RAID log is still to be completed for a project in the initial planning stage. NDIA has advised that ‘business as usual’ activity risks are managed at the group level and are reported to the Executive Leadership Team.

4.14 NDIA has also advised that for projects managed by line areas, best practice is advised but completion of a RAID log or a Risk Action Plan is not mandated. ⁷² When a project business case is considered by the Executive Leadership Team, a template which lists project risks and proposed mitigations is completed. NDIA has further advised that all new projects will be required to apply a project management tool which uses a RAID log approach to identifying and managing risks.

4.15 The NDIA advised the ANAO that ‘the single source of truth’ on the gap between fraud risks and controls should be the Fraud and Corruption Risk Register. As noted in Chapter 2, the current version of the Risk Register does not contain all planned controls.

4.16 NDIA has advised that it is updating the Risk Register and building a new project and portfolio management system. However, currently there is no centralised source of truth on all projects which have a fraud control dimension, specifying key information such as project objective and priority, deliverables and their status, linkages between projects and resourcing.

4.17 To enhance the management of the NDIA’s fraud control activities, the NDIA should review its project management of fraud control. This would also assist in implementing Recommendation 1 (updating the Risk Register). NDIA has advised that the current refresh of the current Risk Register ‘will link any projects to the fraud risk profile or fraud controls (either in place or planned)’.

Fraud-related projects

4.21 The NDIA has three programs/strategies designed to make critical contributions to enhancing fraud controls. These are the:

• Robust NDIA Strategic Program (includes the Fraud and Compliance Roadmap stream);
• Payments Strategy; and
• Self-managed Strategy.

4.22 Table 4.3 provides a summary of the fraud control components of each of these. NDIA has suitable governance arrangements for the program and strategies examined and is compliant with its requirements for risk assessment documentation. Risk identification is still required for the Payments Strategy which is in the concept phase. The four risks identified for the Self-managed Strategy include the risks that the findings of a self-managed internal audit are not addressed and that the new fraud controls are not effective. These risks and the mitigation strategies may need to be updated once this strategy moves into the implementation stage in 2019–20.

Table 4.3: Assessment of key NDIA programs / strategies contributing to fraud control

Source: ANAO.

Robust NDIA

4.23 The Robust NDIA Strategic Program aims to build and embed mature enterprise functions for the NDIA including robust risk, assurance, fraud program and change management functions. The project has had eight project streams, six are active and two are closed. Three steams are critical for fraud control:

• the Fraud and Compliance Strategic Roadmap (discussed below);
• the Protective Security stream, which covers improvements to meet the Attorney- General’s Department Protective Security Policy Framework (PSPF)⁷³; and
• the Remedial Activity stream, which was designed to address the backlog of open external audit findings and to minimise adverse findings in future. The stream was closed in December 2018 after resolution of the major external audit issues.

The Fraud and Compliance Roadmap

4.24 The central NDIA mechanism for delivery of fraud control enhancements is the Fraud and Compliance Roadmap (the Roadmap). It was initially developed in March 2018, and was approved by the NDIS Board and the Risk Committee in November 2018. A key completed area of focus under the Roadmap was the establishment of the NDIS Fraud Taskforce in July 2018. ⁷⁴ Chapter 3 outlines the governance for the Taskforce and its role in fraud investigations.

4.25 The Roadmap is intended to ‘build an autonomous and industry-leading fraud and compliance program across four critical dimensions’ and 12 capabilities (see Table 4.4).

Table 4.4: NDIA Fraud and Compliance Roadmap dimensions and capabilities

Source: NDIA documentation.

4.26 The NDIA has advised that the twelve core capabilities are required to deliver an integrated function that can effectively control fraud risk. In February 2019, the NDIA produced a two-year program of work for the Roadmap with over 280 deliverables. The NDIA is delivering the program of work in 100 day ‘sprints’ ⁷⁵ and has developed a work plan for each sprint. A closure report was completed for the first October 2018 to January 2019 sprint. This notes the key achievements for the sprint, for example, additional data inputs for data matching. The closure report lists all Roadmap work streams as on track except for an amber rating for ‘demonstrated value’ (minor delays in the overall project plan for Roadmap).

Payments Strategy

4.27 The Payments Strategy, although still in the concept phase, aims to develop a future- state payment strategy. One of the five objectives relates to enhancing payment controls, assurance and reporting. The high level strategy has the following three phases:

• remedy the past (by April 2019), for example by resolving payment delay problem;
• enhance the existing (by June 2019) using root-cause identification, payments value chain and payment scenario tools to develop options to improve the current state (for example, providing an alert to a participant when a provider makes a claim against their plan); and
• build the future (by mid-2020), by developing a business case and implementing a real time claims platform which could include removing payments going directly to self-managed participants.

4.28 The NDIA has advised that the risk action plan, which would consider fraud risks, is not yet available for the Payment Strategy as it is still in the concept phase.

Self-managed Strategy

4.29 NDIS participants can request to self-manage their NDIS funds.⁷⁶ Following a risk assessment, the NDIA decides if a participant can self-manage and directly purchase the supports they need in line with their support plan.

4.30 In November 2018, an internal audit of self-managed participant processes was completed. The audit concluded that as the NDIS expands it is likely that the number of participants choosing self-management will continue to increase.⁷⁷ The audit identified issues in a number of areas including:

• recording expenses;
• validating spends;
• high risk spends;
• spending above budget;
• eligibility to self-manage; and
• the Participant Portal.

4.31 As part of the 2015–16 financial statement audit, the ANAO noted that there were no documented compliance activities for payments made directly to self-managed participants. This was reported as part of the ANAO report to Parliament titled ‘Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2016’.⁷⁸ The NDIA provided further explanation that funds are paid directly to the self-managed participants and no supporting documentation is required as part of the claiming process. Self-managed participants are required to keep copies of receipts for supports provided. The NDIA has stated that it plans to fully address this finding by June 2019. Risks associated with self-managed participants also formed a focus area for the 2018–19 ANAO financial statement audit.⁷⁹

4.32 The Joint Committee of Public Accounts and Audit (JCPAA) Report on 2017–18 financial statements⁸⁰ noted the NDIA’s progress in resolving the audit findings and stated that the Committee will continue to monitor the NDIA’s progress in addressing audit findings.

4.33 In response to the internal audit, the NDIA is developing a Self-managed Strategy with implementation planned for 2019–20.

4.34 A presentation on the internal audit findings and development of the strategy was made to some members of the Board and the Executive Leadership Team on 30 January 2019. Before June 2019, interim controls for self-managed participants are to be enhanced, for instance procedures for self-managed claims and improved risk assessment to determine if participants are suitable to self-manage. The January presentation notes that in 2017–18 there were 216 allegations of misuse of funds related to self-managed participants or their nominees, and this equated to less than one per cent of the total number of self-managed participants.

4.35 Quality assurance of payments to self-managed participants commenced at the start of 2017–18. ⁸¹ A number of critical tests (with a potential impact on the payment value) are applied: (1) valid supporting documentation for the payment (receipt), (2) the receipt shows the amount paid, and (3) the funds have been spent in line with a plan goal.

4.36 In 2017–18 the average error rate for each of the three critical tests was 14.2 per cent, 7.3 per cent and 14.7 per cent respectively. For quarters one to three in 2018–19, the average rates were 4.0 per cent, 3.4 per cent and 4.4 per cent. For quarter three in 2018–19 the rates were 1.3 per cent, 1.3 per cent and 2.5 per cent for the 79 payments tested.

Does the NDIA have effective governance and internal reporting arrangements for fraud control?

4.37 The NDIA’s Fraud Control Plan outlines the NDIA governance committees and key responsibilities related to fraud control. These are summarised in Table 4.5.

Table 4.5: The NDIA’s key committees for fraud governance

Note a: Other NDIA Committees not relevant to fraud and not in the Fraud Control Plan are not included.

Note b: Commonwealth Legislation, National Disability Insurance Scheme — Risk Management Rules 2013 [Internet], available from: <https://www.legislation.gov.au/Details/F2013L01183> [accessed 10 April 2019].

Note c: Includes eight senior executives including the Deputy CEO, Strategy Development (Chief Risk Officer), the Scheme Actuary, and Chief Information Officer.

Source: NDIA Fraud Control Plan and Committee agendas.

Board and Committee oversight of fraud

4.38 In 2018 and 2019 the NDIA Board, Committees and the Executive Leadership Team considered the status of fraud control activities. Key were:

• advice was provided regarding the risk rating for the 17 fraud risk types, noting where improved controls were required, to the Risk and the Audit Committees in February 2018 and Executive Leadership Team in March 2018;
• the Risk Committee endorsed the Fraud Risk Assessment and Framework in May 2018;
• the Fraud Control Plan was considered by the Board in May 2018 and finalised in August 2018, with the Board noting the publication of the Fraud Statement in October 2018;
• quarterly reports to the Risk Committee on fraud tip-offs and fraud cases, including the number of tip-offs and open and closed fraud cases, the value of payments under fraud investigation, and details of investigations and system changes in response to fraud;
• quarterly regulatory compliance reports to the Audit Committee noting incidents under the Fraud Rule / Criminal Code; and
• various status updates on fraud control projects including the Roadmap.

4.39 Despite reporting on the fraud risk activities and fraud cases, there was not consistent reporting on key assessments in the Risk Register, including the controls effectiveness rating (poor, adequate or good).

4.40 In March 2019, the Executive Leadership Team was provided with information on the planned update of the agency’s fraud risk profile, which includes updating the Risk Register and the Fraud Control Plan, with supporting risk assessment workshops run in March and April 2019.

4.41 There are planned improvements to internal reporting on fraud control under the Fraud and Compliance Strategic Roadmap two year program of work. A March 2019 update for the Leadership Team on the Fraud Risk Profile stated ‘more regular reporting of the fraud risk profile and buy down of risk over time (including state of control environment) should occur to the appropriate committees or governance bodies.’

4.42 The improvements should include streamlined, regular and clear reporting to the Executive Leadership Team and the Board on the gaps between fraud risks and controls.

ICT governance for fraud control

4.47 Human Services hosts the main NDIA IT systems under a 13 April 2017 Shared Services Agreement and Services Schedule which is reviewed annually. Human Services works with the NDIA to understand its business requirements and can provide professional advice to the NDIA on ICT matters. The NDIA is responsible for IT business cases and change specifications. Human Services then documents requirements and delivers the system.

4.48 Human Services’ Protective Security Directorate has issued a Directive on cyber security arrangements for agencies hosted on its networks. The NDIA and Human Services signed a copy of this Directive on 13 December 2018, signalling mutual compliance with these obligations.

4.49 NDIS ICT systems are modified in response to learnings and incidents of fraud. This included a response to the approach taken by a Victorian man who was charged with allegedly defrauding the NDIS of more than $400,000.⁸² This arrest was a result of the work of the Fraud Taskforce. A guilty plea was entered and sentencing is set down for 20 June 2019. ICT changes, including due to this case, were reported to the Risk Committee in November 2018:

• enhanced controls for provider access to a participant’s budget;
• workshops for NDIA staff registering providers on the required checks prior to registration;
• tightening staff access to locks on payments to providers; and
• blocking of high-risk providers from the NDIS portal.

Essential Eight

4.50 As a hosted network, Human Services requires the NDIS system to comply with the cyber security controls outlined under the Australian Signals Directorate’s (ASD) Essential Eight and associated Information Security Manual (ISM) controls. The Essential Eight is a proactive mitigation strategy to prevent cyber security incidents. Following requests from the NDIA, Human Services commenced providing Essential Eight assurances to the NDIA in November 2018.

4.51 In February 2019, NDIA’s Audit Committee was provided with a summary of NDIA compliance with Essential Eight (assessed by Human Services from November 2018 to January 2019). At January 2019, Human Services’ assessment was that the NDIA system was non-compliant with three of the eight requirements. For one of these, which is not a Top Four requirement,⁸³ Human Services provides a compensating control. For the other two (one of which is a Top Four requirement), further work is underway, and the NDIA has advised that it expects this to be sufficient.

4.52 NDIA has advised that it is developing a Protective Security Policy Framework (PSPF) capability, including aligning this with management of the Top Four aspects of the Essential Eight. This is a focus under the Robust NDIA Strategic Program. It has further advised that an ongoing internal audit advisory engagement is assisting with the development of the PSPF framework planned for 2018–19 and 2019–20.

4.53 The Essential Eight compliance reporting to the NDIA and the signing of the Directive occurred over 18 months after the signing of the Shared Services Agreement. The NDIA has advised that it will be important to have ongoing and productive engagement with Human Services under the shared services arrangements. This is so that assurances from Human Services regarding ICT and wider matters remain up-to-date.⁸⁴

Is the NDIA meeting the external reporting requirements of the Commonwealth Fraud Control Framework?

Reporting to the Australian Institute of Criminology

4.54 The 2017 Commonwealth Fraud Control Framework Fraud Policy⁸⁵ states:

The Australian Institute of Criminology (AIC) must make an annual report to the Attorney-General’s Department (AGD) on fraud against the Commonwealth and fraud control arrangements. To facilitate this all entities must provide information to the AIC in the form requested by AIC.⁸⁶

4.55 Even though this is not a mandatory requirement for the NDIA, in line with better practice, the NDIA made reports to the AIC in 2017 and 2018. The quality of the 2017 report reflects the immaturity of the NDIA fraud control processes at the time. The 2018 report has more detail as there were active investigations for that reporting period. However, there is scope for improvement in the 2019 report as the NDIA’s fraud control matures.

4.56 Table 4.6 summarises and assesses data for the 2017 and 2018 responses.

Table 4.6: Assessment of NDIA reporting to AIC in 2017 and 2018

 

 

Source: ANAO.

Public reporting on fraud

4.59 Corporate entities, including the NDIA, are not required to report on their compliance with the Fraud Rule in Annual Reports, even though they must comply with the Rule itself. Nevertheless, the 2017–18 NDIA Annual Report makes a number of references to fraud control. For example, there is a paragraph on managing the fraud risk which says:⁸⁷

The Fraud Control Plan was developed with a focus on sustainability of the Scheme.…Increasing the effectiveness in handling reports of suspected fraud received from the public or other stakeholders was a focus for the NDIA in 2017–18 … The Fraud Control Plan is supported by ongoing fraud risk assessment processes and the implementation and expansion of the control testing regime.

4.60 Although not a mandatory requirement, the NDIA’s Financial Statements within the 2017–18 Annual Report⁸⁸ reported a payment accuracy rate of 95 per cent (a five per cent improper payment rate, including fraud). In November 2018 the Executive Leadership Team noted that the tolerance for non-compliant payments for 2018–19 should be under five per cent in line with benchmarks applied for several other government programs.

4.61 The UK Cabinet Office publishes a Cross-Government Fraud Landscape Annual Report, with the 2018 report listing the value of fraud detected for each of 17 departments in 2016–17.⁸⁹ This could be an option to consider in the Australian context.

Appendix 1 Entity response