Audit snapshot

Why did we do this audit?

  • In 2021–22 the National Indigenous Australians Agency (NIAA) funded more than 1000 external providers to deliver about 1500 Indigenous Advancement Strategy activities at a cost of $1.03 billion.
  • Effective management of provider fraud and non-compliance reduces risk to the proper use of public resources and to the performance and availability of services to Aboriginal and Torres Strait Islander peoples.

Key facts

  • Australian Government requirements oblige officials to consider fraud risks throughout the grants management lifecycle.
  • The NIAA introduced a new approach to integrated program compliance and fraud management in April 2021.
  • Non-compliance and fraud matters are dealt with as minor matters, ‘intensive support compliance matters’, compliance reviews or fraud investigations.

What did we find?

  • The NIAA’s management of provider fraud and non-compliance risks is partly effective.
  • The NIAA’s frameworks for managing provider fraud and non-compliance are not fully fit-for-purpose.
  • The NIAA’s arrangements for the prevention, detection and referral of potential provider fraud and non-compliance are partly effective.
  • The arrangements for the NIAA’s triage, management and resolution of referred matters related to potential provider fraud and non-compliance are partly effective.

What did we recommend?

  • There were seven recommendations aimed at ensuring the NIAA meets its obligations under Commonwealth legislation for risk and fraud management and effectively manages provider fraud and non-compliance risks.
  • The NIAA agreed with all recommendations.

77 and 36: Number of intensive support compliance matters in 2019–20 and 2021–22, respectively

1232 days: Average number of calendar days to finalise a compliance review in 2021–22

0: Number of provider fraud investigations commenced in 2021–22

Summary and recommendations

Background

1. The National Indigenous Australians Agency (NIAA) is an executive agency under section 65 of the Public Service Act 1999 and is a non-corporate Commonwealth entity as defined by the Public Governance, Performance and Accountability Act 2013 (PGPA Act). The NIAA is the lead entity for the Commonwealth policy development, program design, implementation and service delivery for Aboriginal and Torres Strait Islander peoples.

2. The Australian Government funds and delivers programs for Indigenous Australians through the Indigenous Advancement Strategy (IAS). In 2021–22, the NIAA funded, through grant programs, more than 1000 external providers to deliver about 1500 IAS activities at a cost of $1.03 billion.

3. In a December 2022 program compliance and fraud management framework, the NIAA stated that it has a low tolerance for minor or careless ongoing non-compliance with grant agreements by providers, particularly where it impacts or disrupts services to the community. In a December 2020 Risk Management Policy, the NIAA stated that it has a zero tolerance for criminal activity and breaches of the law, including dishonest, fraudulent or corrupt behaviour. The Commonwealth Fraud Control Framework 2017 and the Commonwealth Grant Rules and Guidelines 2017 (CGRGs) require Australian Government officials to consider fraud risks throughout the grants management lifecycle.

Rationale for undertaking the audit

4. The IAS is one of the means through which the Australian Government seeks to improve the lives of Indigenous Australians. Grants funded under the IAS represent a significant commitment of public money across many activities and are delivered by a large number of service providers. Effective management of provider fraud and non-compliance reduces risk to the proper use of public resources and to the performance and availability of services to Aboriginal and Torres Strait Islander peoples. The audit will assure the Parliament that the NIAA has effective arrangements to manage provider fraud and non-compliance risks, thereby supporting the integrity of programs aimed at improving the lives of Aboriginal and Torres Strait Islander peoples.

Audit objective and criteria

5. The objective of the audit was to assess the effectiveness of the NIAA’s management of provider fraud and non-compliance risks.

6. To form a conclusion against this objective, the following high-level criteria were adopted.

  • Are the NIAA’s frameworks for managing provider fraud and non-compliance fit-for-purpose?
  • Are the NIAA’s arrangements for the prevention, detection and referral of potential provider fraud and non-compliance effective?
  • Are the NIAA’s arrangements for responding to matters referred as potential provider fraud and non-compliance effective?

7. The audit examined the period July 2020 to December 2022.

Conclusion

8. The NIAA’s management of provider fraud and non-compliance risks is partly effective.

9. The NIAA’s frameworks for managing provider fraud and non-compliance are not fully fit-for-purpose. There is a risk management framework and a risk-based conceptual approach for managing provider fraud and non-compliance risks. The frameworks for managing fraud and provider non-compliance do not fully comply with legislation or the NIAA’s internal policies. Elements of the provider fraud and non-compliance framework, such as the underlying policies and procedures, are not always aligned. There are weaknesses in the design and implementation of governance and assurance mechanisms.

10. The NIAA’s arrangements for the prevention, detection and referral of potential provider fraud and non-compliance are partly effective. Prevention is not consistently or sufficiently considered in grant design and planning, and training is out of date. Detection relies primarily on complaints being raised and arrangements to deal with complaints are appropriate. Proactive detection controls are not sufficiently implemented. Referral and escalation arrangements exist, however these require greater clarity.

11. The arrangements for the NIAA’s triage, management and resolution of referred matters related to potential provider fraud and non-compliance are partly effective. There are policies, standard operating procedures, and functional areas with responsibility for triaging matters, however criteria informing the initial response to referred matters are not transparent or consistent. Data collection does not support performance measurement. For managed matters, closure reports are not consistently prepared, timeliness is not sufficiently monitored and record keeping is not fit-for-purpose. The NIAA collects some lessons learned through a variety of processes. This could more effectively inform changes to systems and processes.

Supporting findings

Frameworks for managing provider fraud and non-compliance

12. The NIAA has established frameworks for risk and fraud management, including a specific focus on provider fraud and non-compliance risks. There is a fit for purpose risk management framework, however enterprise, group, fraud and program risk assessments are not aligned to requirements under the framework. The NIAA does not comply with subsections 10(a) and 10(b) of the PGPA Rule which require the entity to conduct fraud risk assessments regularly and to develop and implement a fraud control plan that deals with identified risks as soon as practicable after conducting a fraud risk assessment. A provider fraud and non-compliance framework (called the Integrated Program Compliance and Fraud Management Framework, or ICFF) was endorsed in 2021. The ICFF provides a risk-based conceptual approach for managing provider fraud and non-compliance risks. At February 2023 many of the underpinning components of the ICFF (that is, the supporting policies and procedures) had not been developed or updated to align with the overarching principles and approach. Implementation of the ICFF was ongoing, however requirements for its effective implementation (including IT systems, record keeping, governance mechanisms and reporting) were not yet mature. (See paragraphs 2.4 to 2.33)

13. The NIAA has established governance and assurance mechanisms for provider fraud and non-compliance risks. There are weaknesses in how these arrangements are implemented. Executive committees exist to provide oversight of the management of provider fraud and non-compliance risks by line areas. The Audit and Risk Committee’s annual reports to the accountable authority did not highlight known deficiencies in fraud and risk management. The operation of executive committees has not always been in accordance with terms of reference and committees have not been held to account for non-delivery of their terms of reference. This has weakened accountability. The NIAA has established assurance arrangements over grants management. There are weaknesses in the monitoring of improvement activities. (See paragraphs 2.36 to 2.62)

Prevention, detection and referral

14. Provider fraud and non-compliance risks are not consistently or sufficiently considered as part of grant design and establishment processes. A new grant design strategy requirement was introduced in March 2022 which incorporates risk assessment, including the consideration of fraud risks. At February 2023 there were eight new, revised or extended grant opportunities. Of these one had a finalised risk assessment that considered fraud risks. Key documentation given to providers offers information about the Australian Government’s and NIAA’s position on fraud. Provider risks are assessed in the grant establishment process through provider and activity risk profiles and these cover fraud risk to some extent. There are weaknesses in how this is used to understand aggregated risks at the sub-program level. The Program Compliance and Fraud Branch has not provided adequate monitoring, review or reporting on fraud risk assessments. Relevant mandatory and non-mandatory training is offered, however the training is out of date. (See paragraphs 3.3 to 3.30)

15. In relation to reactive detection activities, the NIAA’s arrangements to receive complaints (including about potential fraud) and public interest disclosures are effective. The NIAA undertakes few proactive detection activities. The level of maturity of the NIAA’s use of data analysis for proactive detection of fraud and non-compliance is low and the NIAA does not consider acquittals or ongoing performance monitoring to be proactive fraud detection methods. There was no fraud and corruption control testing between July 2020 and December 2022. (See paragraphs 3.31 to 3.43)

16. The NIAA has developed arrangements for the escalation and referral of potential provider fraud and non-compliance matters. The Integrated Program Compliance and Fraud Management Framework includes guidance for referral and escalation. The guidance lacks clear information about timelines, resourcing, record keeping and feedback. (See paragraphs 3.45 to 3.53)

Response to referred provider fraud and non-compliance

17. The NIAA has established arrangements for its initial response to potential provider fraud and non-compliance matters. There are policies and procedures for the allocation of referred matters, and there is an intake team to rate matters and undertake triage. A separate ‘case advisory group’ is responsible for decision-making on all fraud and more serious non-compliance matters. The NIAA has not established clear criteria for allocating matters to different treatment categories, or for prioritising those matters. Criteria are not aligned with the Integrated Program Compliance and Fraud Management Framework and — for fraud matters — are inconsistent with the NIAA’s stated risk appetite. The absolute number of non-compliance and fraud matters requiring more than a ‘minor’ response has decreased over three years. There is insufficient data collected to understand why this is the case, or to enable an assessment of whether recent reforms to the NIAA’s approach to managing non-compliance are having the intended impact. (See paragraphs 4.3 to 4.36)

18. The NIAA has policies and procedures for investigation and resolution of fraud and non-compliance matters. Compliance review scoping and fraud investigation plans were prepared for all matters examined by the ANAO and contained most of the required elements. Closure reports were prepared for compliance reviews, however they lacked information on lessons learned. Closure reports were not consistently prepared for fraud investigations and those that were prepared were often not compliant with requirements. NIAA data on the number of investigations completed was not robust. Timeliness service standards were established only for compliance reviews, and only from July 2022. Timeliness of ISCMs, compliance reviews and fraud investigations is not monitored by the NIAA, and the decision to undertake a review or investigation is not reassessed after long durations or periods of suspension. Relative backlog increased between 2020–21 and 2021–22 for administrative reviews. Record-keeping for compliance reviews and fraud investigations is deficient, with the NIAA acknowledging there is ‘no single source of truth’. (See paragraphs 4.37 to 4.68)

19. The ability for the NIAA to use lessons learned from provider fraud and non-compliance management to inform changes to systems and processes is reduced by insufficient identification of lessons learned, inadequate assignment of action owners and insufficient monitoring. (See paragraphs 4.70 to 4.76)

Recommendations

Recommendation no. 1

Paragraph 2.12

The National Indigenous Australians Agency fully implement its Risk Management Policy and Framework, including by conducting assessments of enterprise risks; and undertaking risk assessments when developing business plans, designing new policies and programs, and undertaking specific activities.

National Indigenous Australians Agency: Agreed.

Recommendation no. 2

Paragraph 2.34

The National Indigenous Australians Agency:

  1. conduct fraud risk assessments regularly; and
  2. develop and implement a fraud control plan that deals with identified risks.

National Indigenous Australians Agency: Agreed.

Recommendation no. 3

Paragraph 2.44

The National Indigenous Australians Agency ensure that:

  1. advisory committee activities are in line with approved terms of reference; and
  2. the National Indigenous Australians Agency Audit and Risk Committee’s annual report to the accountable authority clearly highlights known deficiencies in the risk management and control framework.

National Indigenous Australians Agency: Agreed.

Recommendation no. 4

Paragraph 3.24

The National Indigenous Australians Agency fully implement program and sub-program fraud risk assessments, organisational risk profiles, activity risk assessments and monitoring and review of fraud risk assessments.

National Indigenous Australians Agency: Agreed.

Recommendation no. 5

Paragraph 3.43

The National Indigenous Australians Agency implement proactive mechanisms for the detection of provider fraud and non-compliance.

National Indigenous Australians Agency: Agreed.

Recommendation no. 6

Paragraph 4.33

The National Indigenous Australians Agency ensure that:

  1. it maintains a record of all referrals, including triage outcomes, to support analysis of trends in referrals and Integrated Program Compliance and Fraud Management Framework performance measurement;
  2. the basis for initial assessment of compliance reviews is in line with the Integrated Program Compliance and Fraud Management Framework;
  3. decision-making on initial assessment is guided by clear and transparent criteria; and
  4. the decision whether or not to proceed with a fraud investigation reflects the National Indigenous Australians Agency’s risk appetite.

National Indigenous Australians Agency: Agreed.

Recommendation no. 7

Paragraph 4.68

The National Indigenous Australians Agency monitor and report on the resources, time and outcomes of compliance reviews and fraud investigations.

National Indigenous Australians Agency: Agreed.

Summary of entity response

20. The NIAA provided a summary response shown below. The full response from the NIAA is at Appendix 1. The improvements observed by the ANAO during the course of this audit are at Appendix 2.

The National Indigenous Australians Agency welcomes the audit report and agrees with all recommendations. The opportunities for improvement identified in the audit report, in conjunction with the work already underway to enhance practices and processes, support the Agency’s continuous improvement of its management of risk, provider fraud and non-compliance.

The Agency partners with approximately 1,200 organisations to deliver 1,500 activities across Australia under the Indigenous Advancement Strategy. In addition to centralised teams dedicated to issues related to grants management, provider fraud and non-compliance, the Agency has staff working with local communities and organisations in urban, regional and remote locations across Australia. Strong local relationships mean the Agency has visibility of the activities being delivered and outcomes achieved and is in touch with any issues that emerge.

Key messages from this audit for all Australian Government entities

Below is a summary of key messages, including instances of good practice, which have been identified in this audit and which may be relevant for the operations of other Australian Government entities.

Governance and risk management

  • Accountable authorities and audit committees play a key role in fostering and maintaining a culture of fraud awareness and prevention. Where programs involve payments going to providers, there should be organisational commitment to the prevention and detection of fraud and the identification and remediation of provider non-compliance. Strong leadership will champion continuous improvement to frameworks and processes through lessons learned.
  • Executive oversight of how frameworks and policies to manage provider fraud and non-compliance are being implemented is an important element of effective program management.

Performance and impact measurement

  • Where fraud and non-compliance performance measures are established, agencies should design record keeping systems to allow for the collection of appropriate data to inform those measures.

1. Background

Introduction

National Indigenous Australians Agency

1.1 The National Indigenous Australians Agency (NIAA) is an executive agency under section 65 of the Public Service Act 1999 and is a non-corporate Commonwealth entity as defined by the Public Governance, Performance and Accountability Act 2013 (PGPA Act). The NIAA was established within the Prime Minister and Cabinet portfolio on 1 July 2019 and is the lead entity for the Commonwealth policy development, program design, implementation and service delivery for Aboriginal and Torres Strait Islander peoples.1

1.2 The NIAA purpose is described in the following way in its 2022–23 Corporate Plan.

The NIAA works in genuine partnership to enable the self-determination and aspirations of First Nations communities. We lead and influence change across government to ensure Aboriginal and Torres Strait Islander peoples have a say in the decisions that affect them.2

1.3 The accountable authority of the NIAA under the PGPA Act is the Chief Executive Officer. At 30 June 2022 the NIAA had 1332 employees in Canberra, other capital cities and regional and remote areas, with the majority (59 per cent) in Canberra.

Indigenous Advancement Strategy

1.4 The Australian Government funds and delivers programs for Indigenous Australians through the Indigenous Advancement Strategy (IAS). Agreed outcomes are to be achieved through seven Portfolio Budget Statements programs.3 In this report, where reference is made to programs and sub-programs, the reference relates to grant programs and sub-programs which are at a level below those described in the Portfolio Budget Statements.

1.5 In 2021–22 the NIAA funded, through grants, more than 1000 external providers to deliver about 1500 IAS activities at a cost of $1.03 billion.4 Auditor-General Report No. 11 2020–21, Indigenous Advancement Strategy – Children and Schooling Program and Safety and Wellbeing Program, examined two IAS grant programs. The report found that the NIAA’s administration of the Children and Schooling and Safety and Wellbeing programs was largely effective. It found that the management of grants was largely consistent with the Commonwealth Grant Rules and Guidelines (CGRGs), although performance information was not fully appropriate.

Provider fraud and non-compliance

1.6 In 2021–22 the NIAA provided grants funding to over 1000 service providers to deliver activities related to the IAS. Grant funding is provided through grant opportunity guidelines, grant agreements and project schedules.

1.7 In a December 2022 program compliance and fraud management framework, the NIAA stated that it has a low tolerance for minor or careless ongoing non-compliance with grant agreements by providers, particularly where it impacts or disrupts services to the community. In a December 2020 Risk Management Policy, the NIAA stated that it has a zero tolerance for criminal activity and breaches of the law, including dishonest, fraudulent or corrupt behaviour.

1.8 The Commonwealth Fraud Control Framework 2017 and the CGRGs require Australian Government officials to consider fraud risks throughout the grants management lifecycle. In May 2022 the Commonwealth Fraud Prevention Centre released a Grants Administration Counter Fraud Toolkit (toolkit), which provides information on identifying and mitigating fraud risks, including provider fraud risks, within the grants management lifecycle. The toolkit highlights that:

While grants are necessary to achieve key government objectives, they also carry fraud risks. These risks are often elevated when a grant program is designed and delivered rapidly and/or with limited resources. The risks can also vary based on the type of grant. Fraud against Australian Government entities is becoming increasingly dynamic. People are using advanced and coordinated methods to target multiple government programs that could cost billions per year. Australian Government entities must have a good understanding of fraud risks to put in place effective countermeasures to reduce these risks – including detective and investigative countermeasures to deal with fraud that is not prevented.5

1.9 Potential provider fraud risks include: misrepresentation of identity; applicants using fictitious organisations; applicants falsifying information to receive a grant payment; grantees using funds for improper purposes; grantees inflating costs; grantees substituting materials or services; and grantees receiving duplicate grants.

Rationale for undertaking the audit

1.10 The IAS is one of the means through which the Australian Government seeks to improve the lives of Indigenous Australians. Grants funded under the IAS represent a significant commitment of public money across many activities and are delivered by a large number of service providers. Effective management of provider fraud and non-compliance reduces risk to the proper use of public resources and to the performance and availability of services to Aboriginal and Torres Strait Islander peoples. The audit will assure the Parliament that the NIAA has effective arrangements to manage provider fraud and non-compliance risks, thereby supporting the integrity of programs aimed at improving the lives of Aboriginal and Torres Strait Islander peoples.

Audit approach

Audit objective, criteria and scope

1.11 The objective of the audit was to assess the effectiveness of the NIAA’s management of provider fraud and non-compliance risks.

1.12 To form a conclusion against this objective, the following high-level criteria were adopted.

  • Are the NIAA’s frameworks for managing provider fraud and non-compliance fit-for-purpose?
  • Are the NIAA’s arrangements for the prevention, detection and referral of potential provider fraud and non-compliance effective?
  • Are the NIAA’s arrangements for responding to matters referred as potential provider fraud and non-compliance effective?

1.13 The audit examined the period July 2020 to December 2022.

Audit methodology

1.14 The audit methodology included:

  • examination of NIAA strategy, policies, procedures, frameworks and guidelines relevant to risk management and fraud prevention, detection and reporting;
  • review of Executive Board6 and committee papers and minutes;
  • review of internal and management reporting, including those related to conduct of fraud investigations and compliance activities;
  • analysis of data relating to providers, grants, fraud investigations and compliance activities;
  • examination of management-initiated reviews, internal audits and assurance reports related to grants management, risk management and fraud prevention and detection; and
  • meetings with NIAA staff.

1.15 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $537,000.

1.16 The team members for this audit were Peter Bell, Susan Ryan, Elizabeth Robinson and Christine Chalmers.

2. Frameworks for managing provider fraud and non-compliance

Areas examined

This chapter examines whether the National Indigenous Australians Agency (NIAA) has established fit-for-purpose frameworks for managing provider fraud and non-compliance.

Conclusion

The NIAA’s frameworks for managing provider fraud and non-compliance are not fully fit-for-purpose. There is a risk management framework and a risk-based conceptual approach for managing provider fraud and non-compliance risks. The frameworks for managing fraud and provider non-compliance do not fully comply with legislation or the NIAA’s internal policies. Elements of the provider fraud and non-compliance framework, such as the underlying policies and procedures, are not always aligned. There are weaknesses in the design and implementation of governance and assurance mechanisms.

Areas for improvement

The ANAO made three recommendations aimed at ensuring the NIAA improves its risk and fraud frameworks; and that advisory committee decision-making is aligned to terms of reference.

2.1 Section 16 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) establishes the duty for the accountable authority of a non-corporate Commonwealth entity to establish and maintain systems relating to risk and control. Section 10 of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) requires the accountable authority to take all reasonable measures to prevent, detect and deal with fraud relating to the entity.

2.2 The Commonwealth Risk Management Policy outlines mandatory policy and framework requirements which must be implemented by Commonwealth entities as well as better practice guidelines.7

2.3 The Commonwealth Fraud Control Framework 2017 outlines the Australian Government’s requirements for fraud control by Commonwealth entities. The Commonwealth Fraud Control Framework8 consists of three tiered documents: the fraud rule (section 10 of the PGPA Rule), the Commonwealth Fraud Control Policy and fraud guidance.9 The fraud rule is aimed at ensuring there is a minimum standard for accountable authorities of Commonwealth entities for managing the risk and incidents of fraud. As a non-corporate Commonwealth entity, the fraud rule and policy are binding on the NIAA. The Commonwealth Fraud Control Framework requires a fraud control program that covers prevention, detection, investigation and reporting strategies.

How effectively do the provider fraud and non-compliance frameworks meet Commonwealth requirements for risk and fraud management?

The NIAA has established frameworks for risk and fraud management, including a specific focus on provider fraud and non-compliance risks. There is a fit for purpose risk management framework, however enterprise, group, fraud and program risk assessments are not aligned to requirements under the framework. The NIAA does not comply with subsections 10(a) and 10(b) of the PGPA Rule which require the entity to conduct fraud risk assessments regularly and to develop and implement a fraud control plan that deals with identified risks as soon as practicable after conducting a fraud risk assessment. A provider fraud and non-compliance framework (called the Integrated Program Compliance and Fraud Management Framework, or ICFF) was endorsed in 2021. The ICFF provides a risk-based conceptual approach for managing provider fraud and non-compliance risks. At February 2023 many of the underpinning components of the ICFF (that is, the supporting policies and procedures) had not been developed or updated to align with the overarching principles and approach. Implementation of the ICFF was ongoing, however requirements for its effective implementation (including IT systems, record keeping, governance mechanisms and reporting) were not yet mature.

Risk management

2.4 On 17 December 2020 the NIAA Executive Board endorsed the NIAA Risk Management Policy and NIAA Risk Management Framework (NIAA Risk Management Policy and Framework).

2.5 The NIAA Risk Management Policy outlines the accountabilities and requirements for managing risk within the NIAA. The Chief Executive Officer (CEO) is responsible for endorsing and championing the NIAA’s Risk Management Framework; determining and articulating the NIAA’s risk appetite and tolerance; establishing and maintaining an appropriate system of internal controls; and reporting on the NIAA’s key risks to the responsible Minister. The Executive Board is responsible for the management and oversight of the efficient, effective and ethical use of resources; the management and oversight of NIAA enterprise risks; and planning and allocating resources to meet current and future work priorities in order to effectively manage risk. The Audit and Risk Committee is responsible for monitoring and reviewing the effectiveness of the risk management framework and policy; and providing assurance to the accountable authority on the existence and operation of controls.10 Other risk management responsibilities are assigned to other governance committees, deputy CEOs, the Chief Risk Officer, the Chief Operating Officer, senior management and ‘all officials’ of the NIAA.

2.6 The NIAA Risk Management Policy provides a statement of risk appetite and tolerance and the NIAA risk matrix to be used when preparing risk assessments.

2.7 The NIAA Risk Management Framework sets out a principles-based approach to risk management and the context and terminology to be used by the NIAA. This document refers to Risk Assessment Guidance and a template to be used when assessing risks. The NIAA Risk Management Framework articulates the three ‘levels’ of risks within the NIAA.

  • External risks — factors in the NIAA environment and external forces that may impact on the NIAA’s chances of success. These risks are not assessed or managed by the NIAA although they will likely be sources of enterprise and operational risks.
  • Enterprise risks — outlined in the corporate plan and affect the organisation as a whole. The Risk Management Framework identifies several risk assessment processes that examine enterprise risks including group, safety, fraud, security and program risks.
  • Operational risks — the day-to-day risks relating to individual branch activities, projects or operational processes.

2.8 The NIAA Risk Management Policy and Framework are consistent with the requirements of the Commonwealth Risk Management Policy 2014. The purpose of the NIAA Risk Assessment Guidance is to support officials and staff in conducting formal risk assessments, including the use of the risk assessment template. The Risk Assessment Guidance states that, at a minimum, formal risk assessments should be conducted when developing business plans; planning or designing new policies and programs; undertaking a specific activity, event or project; and considering key investment and procurement decisions; or as required by any other policies or frameworks, such as a work health and safety policy.

2.9 Risk assessments were not prepared or reported on in line with the NIAA Risk Management Policy and Framework and Risk Assessment Guidance.

  • Enterprise risk assessment — Enterprise risks and mitigations are identified at a high level in the NIAA corporate plan and in an ‘enterprise risk register’. Neither the corporate plan nor the enterprise risk register assesses the risks based on their likelihood and consequence, indicates whether the risks are within the NIAA’s tolerance for risk, or assigns risk owners. Although NIAA documentation states that the enterprise risk register is not intended ‘to be a formal assessment and rating of risks’, these elements of risk assessment are not performed elsewhere. The enterprise risk register instructs users to ‘Ensure timeframes and accountability for each [mitigation] is included’; however, this is not done.
  • Group, fraud and program risk assessments — An examination by the ANAO of 64 group, program and fraud risk assessments prepared between January 2021 and December 2022 indicated that none of the risk assessments examined for this period met all of the requirements of the Risk Assessment Guidance.11 The ANAO identified deficiencies related to: the identification of controls; assessment of likelihood and consequence; and treatment plans (such as due date for application of the treatment and treatment owners). Moreover, approvals of the risk assessments were not consistently evidenced as required by the Risk Assessment Guidance and the template.

2.10 In December 2020 the Executive Board was provided with a risk management implementation plan. The risk management implementation plan included tasks (risk assessment tools; reporting; and culture) to be undertaken to facilitate the embedding of risk management in line with the new NIAA Risk Management Policy and Framework and Risk Assessment Guidance. An implementation deadline for tasks was not always identified. The Executive Board received updates between February 2021 and September 2021. An update on the status of the risk management implementation plan was provided to the Audit and Risk Committee in November 2021. The update identified that key tasks (consultation to achieve a common risk framework; review of risk reporting; risk training; committee terms of reference including risk reporting) had not yet been completed. No further update was provided to the Executive Board or the Audit Committee on risk management or implementation plan progress until March 2023, when an update on implementation progress was provided to the Audit and Risk Committee.

2.11 From January 2023 a revised Commonwealth Risk Management Policy came into force.12 In February 2023 the NIAA advised the ANAO that it is considering how risk management policies, frameworks and guidance address the relevant changes to the Commonwealth Risk Management Policy.

Recommendation no.1

2.12 The National Indigenous Australians Agency fully implement its Risk Management Policy and Framework, including by conducting assessments of enterprise risks; and undertaking risk assessments when developing business plans, designing new policies and programs, and undertaking specific activities.

National Indigenous Australians Agency response: Agreed.

2.13 In line with the Department of Finance’s Risk Management Capability Maturity Model, risk capability and risk management practices have been identified by the Agency as opportunities to further strengthen existing processes. This is a focus for the Agency going forward and work is already underway to continue to embed the Risk Management Framework and Policy.

2.14 The ANAO’s findings will inform the current implementation plan, which includes:

  • Improved processes to report and monitor risks across the agency.
  • Requiring detailed risk assessments at the Branch and Region level as part of the business planning process for the 2023–24 financial year.
  • Enhanced staff training to support the proactive identification, management and escalation of risk.

Provider non-compliance and fraud risk management

2.15 The enterprise risk information included in NIAA corporate plans does not identify provider fraud or non-compliance risk. However, the implementation of an ‘Integrated Compliance and Fraud Management Framework’ was identified as a key mitigation for enterprise ‘delivery’ risks.

2.16 In October 2020 the Executive Board endorsed the development of a framework that was intended to integrate program compliance and fraud management in NIAA planning and business processes across the grants management lifecycle. Yardstick Advisory was engaged in December 2020 to further develop existing frameworks into an Integrated Program Compliance and Fraud Management Framework (ICFF). The ICFF was endorsed by the Executive Board in April 2021.

2.17 The ICFF was intended to address issues identified by the NIAA in relation to provider non-compliance and fraud control. This included that the approach to non-compliance had been primarily reactive rather than proactive, with a reliance on dedicated compliance and fraud teams to address issues of non-compliance or serious risk. To mitigate this issue, the ICFF defined roles and responsibilities for responding to compliance issues and set out a graduated approach to issue escalation. This included when grant agreement managers should respond to a compliance issue themselves and when matters should be escalated to the dedicated compliance and fraud team. By identifying different levels of seriousness of program non-compliance and associated escalation approach, the ICFF was to provide a basis for directing specialist resources to more serious program non-compliance.

Figure 2.1: Levels of seriousness of program non-compliance

A figure that presents the four levels of seriousness of program non-compliance used by the NIAA. Level one is insignificant, minor or one-off issues. Level two is moderate or careless ongoing non-compliance. Level three is major or resistant ongoing non-compliance and level four is severe or deliberate ongoing non-compliance.

Source: ANAO analysis of the escalation approach included in Appendix D of the Integrated Program Compliance and Fraud Management Framework (June 2021).

2.18 The endorsed ICFF document was released to NIAA staff in June 2021 and formally launched in August 2021 with a video presented by the Deputy CEO. At the time of its launch, many of the underpinning components of the framework had not been developed or updated. An assessment of the ICFF against Australian Government requirements for fraud and risk management (Table 2.1) shows that, at February 2023, the ICFF was relying on risk and fraud management policies and processes that were deficient or not fully consistent with the principles expressed in the ICFF.

Table 2.1: Comparison of ICFF implementation to Australian Government requirements for fraud and risk management, February 2023

| Source | Requirement | Analysis |
|---|---|---|
| Section 16 of the PGPA Act and the Commonwealth Risk Management Policy | Section 16 of the PGPA Act establishes the duty for the accountable authority of a non-corporate Commonwealth entity to establish and maintain systems relating to risk and control. The Commonwealth Risk Management Policy outlines mandatory policy and framework requirements which must be implemented by Commonwealth entities. | The ICFF refers to and relies on the application of the NIAA Risk Management Policy and Framework. As noted in paragraphs 2.4 to 2.11, the NIAA’s Risk Management Policy and Framework has not been fully implemented, particularly in relation to the assessment of risks (including fraud risks). |
| Commonwealth Grant Rules and Guidelines 2017 (CGRGs) | Paragraph 13.3 of the CGRGs states that probity and transparency in grants administration is achieved by ensuring that grants administration by officials and grantees incorporates appropriate safeguards against fraud, unlawful activities and other inappropriate conduct. | The ICFF relies on supporting policies and procedures to be updated in a timely manner to reflect the principles and requirements of the ICFF. The NIAA updated the Grant Risk Management Guidelines (which outline how to assess and manage risks associated with grantees and grant activities) in September 2022, almost two years after changes were made to the NIAA Risk Management Policy and Framework. In February 2023 the NIAA advised the ANAO that it is in the process of further updating the Grants Administration Manual to reflect new processes and approaches. |
| PGPA Rule 10: Preventing, detecting and dealing with fraud | Section 10 of the PGPA Rule requires the accountable authority to take all reasonable measures to prevent, detect and deal with fraud relating to the entity. The Commonwealth Fraud Control Framework 2017 outlines the Australian Government’s requirements for fraud control. It requires that government entities put in place a fraud control approach that covers prevention, detection, investigation and reporting strategies. | The ICFF refers to and relies on the application of the NIAA Fraud and Corruption Control System (FCCS). As noted in paragraphs 2.22 to 2.33, the NIAA’s approach to fraud control has deficiencies. |

Source: ANAO analysis of the Integrated Program Compliance and Fraud Management Framework (June 2021).

2.19 Table 2.2 shows that the implementation of the ICFF is not fully embedded in NIAA practices at February 2023.

Table 2.2: ICFF supporting standards, policies, procedures and systems, February 2023

| Area examined | Analysis |
|---|---|
| Adherence to AS ISO 19600:2015 (the international standard for compliance management systems) | Although AS ISO 19600:2015 has not been adopted by the NIAA, the ICFF states that its design took the standard into account. The NIAA was unable to provide evidence of any assessment or consideration of AS ISO 19600:2015 in the development of the ICFF and stated that it was not its intention to align the ICFF to the standard in full.a |
| Policies, procedures and guidance reflecting the principles and approach outlined in the ICFF | NIAA policies and procedures developed after August 2021 do not always consider the ICFF. For example, an April 2022 Compliance, Fraud and Complaints Standard Operating Procedures Manual (that outlines prioritisation protocols and work flows) and July 2022 Compliance Control and Management Standard Operating Procedures (that outline the procedures for dealing with compliance activities) do not reflect the terminology of the ICFF or ICFF prioritisation protocols. Both documents refer to the ICFF and indicate that staff should familiarise themselves with the ICFF (see paragraph 4.5). |
| Development of systems and mechanisms to support ICFF implementation | The ICFF identifies requirements for its implementation including IT systems, record keeping, continuous improvement, governance mechanisms and reporting. At February 2023 the ICFF is not yet fully supported by identified systems, policies, procedures or guidance. Refer to paragraph 2.21 for information on the ICFF implementation plan. |

Note a: Some of the components of AS ISO 19600:2015 are an independent compliance function; a compliance risk assessment; a compliance policy including a compliance objective; and a documented scope of the compliance management system. These are not reflected in the ICFF.

Source: ANAO analysis of the Integrated Program Compliance and Fraud Management Framework (June 2021).

2.20 In March 2021 the Audit and Risk Committee was provided with a copy of the draft ICFF and implementation plan. The draft implementation plan sets out tasks related to finalisation of the ICFF and implementation plan, and activities to develop: staff capability; business processes and controls; risk management; stakeholder engagement; IT systems and record keeping; compliance and fraud case management; governance and reporting; and continuous improvement. Due dates were not included for all tasks identified in the draft ICFF implementation plan. In June 2021, when the Audit and Risk Committee queried the timeframe for ICFF implementation, it was told that the work would take place over 18 months. In April 2023 the NIAA advised the ANAO that the next steps in implementing the ICFF were paused pending the outcomes of the ANAO performance audit.

2.21 In July 2021 the NIAA established a senior executive service working group of the Program Performance Committee13 to finalise the development of the ICFF implementation plan, including prioritising actions, assigning lead responsibility, identifying necessary resourcing and estimating timeframes. A number of draft ICFF implementation plans (both high level and detailed) were prepared. There are over 100 activities and tasks to facilitate implementation in the detailed implementation plans. The implementation plans were discussed at the working group five times between July 2021 and May 2022. The minutes of these meetings were subsequently provided to the Program Performance Committee. At February 2023 the Program Performance Committee has not approved the implementation plan and no overall implementation completion date has been communicated to the Policy and Delivery Committee or Executive Board.

Fraud control framework

Fraud risk assessments

2.22 Subsection 10(a) of the PGPA Rule states that the entity must conduct fraud risk assessments regularly and when there is a substantial change in the structure, functions or activities of the entity. In July 2022 the NIAA CEO approved and released the NIAA Fraud and Corruption Control System 2022–24 (FCCS), which replaced the Fraud Control Plan 2020–22. The FCCS is intended to outline how the NIAA will prevent, detect and respond to fraud and corruption. The FCCS states that:

The key fraud risks have been documented in NIAA’s Fraud and Corruption Risk Register. The register establishes the NIAA’s risk profile, reflects specific fraud risk assessments, and the counter-measures in place or to be implemented to address identified risks. This includes implementing treatments to reduce fraud risk to an acceptable level within the context of the specific circumstances.14

2.23 In 2021 the NIAA prepared a document titled ‘Fraud Risk Register Working Document’ (Fraud Risk Register). This document identifies 56 fraud risk assessments in various stages of progress. In July 2022 the NIAA prepared a ‘Fraud Risk Assessment Summary’ (Fraud Risk Summary), which showed the status of fraud risk assessments known to the Program Compliance and Fraud Branch at the time of its preparation. This document identified 129 fraud risk assessments.15

2.24 In addition to being out of date and unendorsed, the Fraud Risk Register did not meet the requirements of the FCCS 2022–24 or the Fraud Control Plan 2020–22 for an effective fraud and corruption risk register. The Fraud Risk Register was a ‘stocktake’ of fraud risk assessments indicating which had been completed, were out of date or were missing. Collated fraud risk assessments did not meet all of the requirements of the NIAA Risk Management Policy and Framework or the Risk Assessment Guidance. For example, where the fraud risk assessments were above risk appetite, no treatment plans had been identified. Where treatments had been identified, they were out of date without confirmation that treatments had been implemented.16

2.25 The Fraud Risk Summary was a listing of fraud assessment titles and their overall risk rating. It did not contain information on specific assessments, or counter-measures in place or to be implemented. The Fraud Risk Summary did not include reference to the Territories Stolen Generations Redress Scheme fraud risk assessment which was prepared in April 2022 and assessed the Scheme as having ‘extreme’ risk. The NIAA was unable to affirm that the Fraud Risk Summary was a complete and accurate list of fraud risk assessments, including the identification of all relevant programs and sub-programs.17

2.26 The FCCS 2022–24 and the Fraud Control Plan 2020–22 outline a rolling program of fraud risk assessments and state that fraud risk assessments for departmental and administered activities will occur at least once every two years, or when a major new activity, policy or program is developed, or when a significant organisational change occurs. Risks rated ‘low’ or ‘medium’ are to be reassessed biennially. Risks rated ‘high’ are to be reassessed at least once annually. Risks rated ‘extreme’ are to be reassessed every three months.18

2.27 Risk assessments were not conducted regularly or in accordance with the rolling program required by the NIAA.

  • An overall inherent (before existing controls) and residual (after existing controls) risk rating was provided for each fraud risk assessment in the Fraud Risk Register.19 Based on the residual risk ratings included in the register, 24 of 56 fraud risk assessments (42 per cent) were not updated within time limits specified in the FCCS.
  • In the Fraud Risk Summary, 26 of 129 fraud risk assessments (20 per cent) were prepared within the timeframes set out in the FCCS. Eighty per cent were marked as ‘out of date’ or ‘unable to be located’. This spreadsheet identifies five ‘high’ or ‘extreme’-rated fraud risk assessments that had not been assessed within the last 12 months.

2.28 A ‘Grant Design Strategy’ template, which is the first step in the design of a new NIAA grant program, requires that NIAA sub-programs have a risk assessment, which must include consideration of fraud risk. In completing the risk assessment, NIAA staff are required to consider the specific risks identified in the Commonwealth Grant Rules and Guidelines 2017 (CGRGs) and PGPA Rule 10.

2.29 In September 2021 a paper was provided to the Audit and Risk Committee, at its request, on the status of the Indigenous Advancement Strategy (IAS) program risk profiles. The paper summarised a review conducted by Yardstick Advisory, which observed that:

overarching risk assessments do not exist at the program level and generally do not exist at sub-program levels … The absence of overarching risk assessments at these levels restricts the ability of the NIAA to manage risks across the IAS in a coordinated and structured way. Similarly, it restricts the ability to effectively examine and profile risks across the IAS.

2.30 In May 2022 the NIAA commenced development of a new ‘Fraud Risk Exposure Assessment’ process aimed at collecting information to compile a list of NIAA sub-programs and to facilitate the prioritisation of the preparation of fraud risk assessments in the NIAA. The process commenced in September 2022 with responses received and analysed in December 2022. At December 2022 a total of 64 sub-programs had provided a response and four responses were outstanding. A paper presented to the Audit and Risk Committee on 10 March 2023 stated that the 2022 Fraud Risk Exposure Assessment process had identified that over 40 sub-programs had not undergone a fraud risk assessment; that results had informed the development of a new forward-workplan to 30 June 2023, specifically the prioritisation of fraud risk assessments; and that ‘a significant body of work is required to be undertaken to enable the NIAA to meet its Fraud Rule obligations by June 2023’.

Fraud control plan

2.31 Subsection 10(b) of the PGPA Rule requires entities to develop and implement a fraud control plan that deals with identified risks as soon as practicable after conducting a fraud risk assessment. The FCCS is the NIAA’s fraud control plan. In September 2022 the Program Compliance and Fraud Branch reported to the Audit and Risk Committee that:

At the time of developing the Agency’s Fraud and Corruption Control System 2022–24 … it was identified that some fraud risk assessments for programs and functions were either overdue for completion, or had not yet been developed. Rather than delay the development and release of the Fraud and Corruption Control System 2022–24, the information available in the current fraud risk register was drawn upon to inform its development. It was also informed by the body of work undertaken in 2021 and 2022 to develop and implement the new Integrated Compliance and Fraud Framework … as well as emerging risk assessments being conducted as new programs commence (e.g. the Territories Stolen Generations Redress Scheme).

2.32 As the FCCS 2022–24 was not developed based on the identified risks in a contemporary fraud risk assessment and there was no evidence of analysis of fraud risks, the NIAA’s fraud control plan does not meet the requirements of subsection 10(b) of the PGPA Rule.

2.33 In the 2021–22 Annual Report, the NIAA accountable authority certified compliance with subsection 17AG(2) of the PGPA Rule which relates to the preparation of fraud risk assessments and fraud control plans. The accountable authority certified that all reasonable measures had been taken to deal appropriately with fraud relating to the entity.

Recommendation no.2

2.34 The National Indigenous Australians Agency:

  1. conduct fraud risk assessments regularly; and
  2. develop and implement a fraud control plan that deals with identified risks.

National Indigenous Australians Agency response: Agreed.

2.35 This recommendation will inform the Agency’s planned review of its Fraud Control and Corruption System 2022–2024 (fraud control plan) and risk register. The Agency has put in place improvements to the fraud risk assessment process and will continue to mature its approach to fraud risk identification, treatment and monitoring. The Agency recognises that there were some administrative deficiencies in relation to fraud risk assessments and subsequent updates to its fraud risk register during the period examined by the ANAO. However, these deficiencies did not limit the Agency’s understanding of its fraud risk operating environment.

Are provider fraud and non-compliance governance and assurance mechanisms appropriate?

The NIAA has established governance and assurance mechanisms for provider fraud and non-compliance risks. There are weaknesses in how these arrangements are implemented. Executive committees exist to provide oversight of the management of provider fraud and non-compliance risks by line areas. The Audit and Risk Committee’s annual reports to the accountable authority did not highlight known deficiencies in fraud and risk management. The operation of executive committees has not always been in accordance with terms of reference and committees have not been held to account for non-delivery of their terms of reference. This has weakened accountability. The NIAA has established assurance arrangements over grants management. There are weaknesses in the monitoring of improvement activities.

Governance and oversight

Audit and Risk Committee

2.36 Pursuant to section 45 of the PGPA Act, the NIAA accountable authority has established the Audit and Risk Committee (ARC). The NIAA ARC Charter (November 2022) sets out the role, authority, functions and membership of the ARC. The ARC comprises three members appointed by the NIAA CEO.20

2.37 A function of an audit committee under subsection 17(2) of the PGPA Rule is to review the appropriateness of the agency’s system of risk oversight and management. A 2022–23 ARC Forward Work Plan outlines a range of functions to be undertaken by the ARC related to the system of risk oversight and management, including reviewing the risk management framework and risk management of individual projects, programs and activities; reviewing the NIAA’s fraud control arrangements; reviewing significant or systemic fraud allegations, the status of ongoing investigations and the implications for the NIAA’s fraud risk assessment; and (at least annually) commissioning an entity-wide assurance map.

2.38 The NIAA ARC is required to report at least annually to the CEO on its operation and activities in the year. The operation and activities to be performed by the ARC are specified in its forward work plan. The forward work plan activities for the review of the appropriateness of the system of risk oversight and management included: major risks (individual projects, program implementation, and activities); fraud control arrangements; and fraud risks.

  • In September 2021 the ARC annual report to the CEO summarised how it had discharged its responsibilities between October 2020 and September 2021. The report concluded that the NIAA’s system of risk oversight and management was appropriate and still maturing. The report was silent on whether the ARC had reviewed fraud control arrangements as set out in the Fraud Control Plan 2020–22; fraud risks; or major project, program and activity risks. The September 2021 annual report to the CEO was approved by the ARC at the same meeting where the Yardstick Advisory review was discussed (see paragraph 2.29). The Yardstick Advisory review had found that there was a lack of program risk assessments, which was impeding the NIAA’s ability to manage risk effectively.
  • In September 2022 the ARC annual report to the CEO (covering October 2021 to September 2022) concluded that the NIAA’s system of risk oversight and management was appropriate with work continuing to mature it further. The 2022 annual report to the CEO did not discuss how the ARC had discharged its responsibilities in relation to oversight of the management of fraud and other risks. During the period covered by the 2022 report, the ARC had reviewed the draft FCCS (June 2022) and was provided with an update that described deficiencies in the preparation and content of the FCCS (see paragraph 2.31).

2.39 The ARC Chair also reported to the Executive Board on the activities of the ARC three times in 2022. The three reports included information on agenda items discussed at the ARC but did not include information on content or outcomes of its deliberations in relation to risk management or fraud. The reports do note that the ARC had received an update from the Program Compliance and Fraud Branch on its activities.

2.40 In November 2022 the Program Compliance and Fraud Branch updated the ARC on key drivers of program non-compliance and fraud, new dashboard reporting and information on the Branch’s activities and caseload. In addition, the NIAA reported that, ‘(i)n the long term, a business case is being prepared to procure a more contemporary case management system’. The ARC asked for additional information to be included in existing fraud reporting about fraud at the strategic, regional and tactical local level.

Executive committees

2.41 The NIAA CEO has established a range of executive committees to support the discharge of the accountable authority’s roles and responsibilities. The committees relevant to the oversight and management of provider fraud and non-compliance are illustrated in Figure 2.2.

Figure 2.2: NIAA executive committees relevant to provider fraud and non-compliance

A figure that presents the four committees relevant to provider fraud and non-compliance. It shows how the committees report to each other.

Source: ANAO analysis of the NIAA committee structure relevant to provider fraud and non-compliance.

2.42 A description of each executive committee is provided below.

  • Executive Board — The Executive Board’s role is to support the CEO. This encompasses leadership, culture, capability and performance. The Executive Board sets the NIAA’s strategic direction, policy priorities and reform agenda; manages resources; and oversees operations, the use of resources and risk management.
  • Policy and Delivery Committee (PDC) — The PDC is an advisory body to the Executive Board. The PDC’s stated aim is to help drive and operationalise the strategic agenda of the NIAA through improved oversight of the NIAA’s policies, and implementation and delivery activities. Between July 2020 and December 2022 the PDC considered information related to grants, risk, fraud and ICFF implementation. The PDC terms of reference state that the PDC must seek Executive Board endorsement or noting of key decisions. The Executive Board receives the minutes of PDC deliberations.
  • Program Performance Committee (PPC) — The PPC is a sub-committee of the PDC. It is designed to act as an ‘operational clearing house’ by bringing together experts and practitioners to solve problems that could impede effective and efficient management of the IAS. The terms of reference state that the PPC is not a decision-making group or responsible for the executive management of its functions and that the PPC reports to the Executive Board through the PDC following each meeting.
  • ICFF Working Group — The ICFF Working Group was established in July 2021. Terms of reference for the ICFF Working Group had not been approved by the PPC at February 2023. The draft terms of reference state that the functions of the ICFF Working Group include to guide the development and implementation of the ICFF and Grant Assurance Framework. It does not have decision-making authority or responsibility for the executive management of these functions. ICFF Working Group minutes are provided to the PPC.

2.43 The ICFF states that the Chief Operating Officer is responsible for approving any amendments to the ICFF, with substantive changes to be considered by the Executive Board. In August 2022 the ICFF Working Group endorsed the publication of escalation protocols on the NIAA’s intranet (see paragraphs 3.49 to 3.52). The new protocols portrayed the escalation approach differently to that outlined in the ICFF, including roles and workflow.

Recommendation no.3

2.44 The National Indigenous Australians Agency ensure that:

  1. advisory committee activities are in line with approved terms of reference; and
  2. the National Indigenous Australians Agency Audit and Risk Committee’s annual report to the accountable authority clearly highlights known deficiencies in the risk management and control framework.

National Indigenous Australians Agency response: Agreed.

2.45 In February 2023, as part of the Agency’s commitment to ongoing improvement, the Executive Board approved a new committee governance structure. To give effect to this decision, the Agency is revising the terms of reference for all committees to provide greater clarity on the purpose and role of each committee. Additionally, a requirement for a review of the operations of Executive Board and its sub-committees (at least annually) is being implemented.

2.46 The Audit and Risk Committee provides independent advice to the Agency’s accountable authority on the appropriateness of its system of risk oversight and management. The Committee is not responsible for the executive management of these functions.

2.47 The annual reports provided by the Audit and Risk Committee during the audit period have highlighted deficiencies and supplemented information provided to the CEO at post-Audit and Risk Committee meetings and in regular reports to the Executive Board. The recommendation to clearly highlight these is noted and the CEO will continue to meet regularly with the Chair, and with all members as required, to ensure the CEO receives an independent perspective on audit and risk matters.

Assurance

2.48 Auditor-General Report No. 11 2020–21, Indigenous Advancement Strategy – Children and Schooling Program and Safety and Wellbeing Program, noted that the NIAA was in the process of reconsidering the role of the grant assurance function. A suggestion for improvement was that, as part of the reconsideration of the Grant Assurance Office’s role, adequate mechanisms were developed to support the effectiveness of the quality assurance framework, including ensuring that opportunities for improvement were acted upon. In February 2022 the NIAA released a Grant Assurance Framework. The Grant Assurance Framework summarised principles for control, assurance and continuous improvement mechanisms for grants administration.

2.49 The Grant Assurance Framework uses the three lines of defence model[21] to describe different types of assurance that are applicable to the NIAA. The three lines of defence model adopted by the NIAA is illustrated in Figure 2.3.

Figure 2.3: Assurance levels outlined in the Grant Assurance Framework

A figure that presents the three lines of defence model adopted by the NIAA. The first line relates to the internal control environment, the second line relates to monitoring, management and internal assurance and the third line relates to independent assurance.

Source: ANAO analysis of the Grant Assurance Framework (February 2022).

First line assurance activities

2.50 The first line of defence is the internal control environment and includes regular management functions that implement and monitor controls, including policies, procedures, and delegations of authority. These activities are intended to ensure that risks are identified and addressed, performance is monitored, and objectives are achieved by line management.

2.51 Within the NIAA, three portfolios (the Policy and Programs Portfolio, the Operations and Delivery Portfolio and the Corporate Portfolio) have responsibility for delivery of programs. Each of these portfolios has specific responsibilities for the management of provider fraud and non-compliance risks and activities.

  • Policy and Programs Portfolio — Four groups design and program manage a range of IAS-funded programs and sub-programs. They are responsible for preparing program and fraud risk assessments.
  • Operations and Delivery Portfolio — The Program Performance Delivery group within this portfolio consists of about 200 staff who undertake grant administration activities and are responsible for the development, maintenance and implementation of grants management processes and policies. The group comprises three branches including the Grant Design Branch and the Grants Management Unit. The Grant Design Branch includes the Grant Assurance Office whose role is to develop and implement an internal quality control and assurance framework that addresses the key steps in the grants administration lifecycle.
  • Corporate Portfolio — The Program Compliance and Fraud Branch within this portfolio consists of about 25 staff whose role is to undertake compliance and fraud action and assist, advise and train staff in compliance management to strengthen the capacity of providers. The Branch has operational responsibility for fraud risk management, prevention and control.[22]

Second line assurance activities

Community Development Program Assurance

2.52 The Grant Design Branch established a Community Development Program (CDP) Performance and Assurance Framework in June 2020. The purpose of the framework is to set out the NIAA’s approach to CDP performance monitoring and supporting provider compliance. The framework outlines how the Grant Design Branch will undertake assurance reviews and monitoring of compliance. The framework included a 2022 test schedule and the number of claims to be tested. The framework states that any suspected fraudulent activity identified through the assurance processes must be referred to the Program Compliance and Fraud Branch.

2.53 The outcomes of the CDP assurance and compliance monitoring activities are reported to the Policy and Delivery Committee through several reports. Performance and assurance reporting to the Policy and Delivery Committee includes the overall results for each provider (including validity testing), trend analysis in relation to previous performance assessment, recommended remedial action for underperforming providers and activity compliance trends or issues as observed through site visits. Although the assurance reporting identifies compliance trends over time for individual providers and proposes solutions to some operational problems, it does not provide insights into the overall operational effectiveness of the CDP or identify systemic or emerging issues, which the Performance and Assurance Framework stated the CDP assurance activity was designed to do.

Grant Assurance Office

2.54 The second line of defence assurance activities include those performed by the Grant Assurance Office. The Grant Assurance Framework defines the role of the Grant Assurance Office as reporting on the effectiveness of internal controls across the grant lifecycle and conducting assurance reviews.[23] In 2021–22 resourcing for the Grant Assurance Office was increased from one part-time position to 1.6 full-time equivalent positions.

2.55 There was no 2020–21 or 2021–22 forward work plan for the Grant Assurance Office. The Grant Assurance Office performed reviews and activities which were directed by the CEO or requested by the broader NIAA executive. In November 2022 a paper was provided to the Program Performance Committee with a draft Grants Assurance Office Forward Work Plan 2023. Nine potential topics for consideration were identified. In March 2023 the Forward Work Plan was approved by the Group Manager, Program Performance Delivery.

2.56 The outcomes of the work performed by the Grant Assurance Office in 2020–21 and 2021–22 were reported to the Program Performance Committee, covering 12 assurance activities during this period. Ten of the reports were presented to the Program Performance Committee within twelve months of the period under review. For two Grant Assurance Office reviews, this reporting occurred long after the work had been undertaken. For example, a March 2022 report covered activities from July 2020 to December 2020. The reports identified opportunities to improve the quality and consistency of grant processes, although action owners and implementation dates were sometimes lacking. Updates are also provided to the ARC upon request, with high-level findings, review suggestions and actions taken to date.

Management-initiated reviews

2.57 A range of management-initiated reviews have been commissioned by the NIAA. Of these, three 2021 reviews relate to provider fraud and non-compliance (Table 2.3).

Table 2.3: Management-initiated reviews relevant to provider fraud and non-compliance

Review: Grants Management Process Review (June 2021) undertaken in conjunction with Projects Assured

Relevance to provider fraud and non-compliance: The Grants Management Process Review addressed roles and responsibilities of grant administration staff, including the escalation of potential issues.

Purpose and outcomes: The purpose of the review was to collate the insights from NIAA staff to inform the Program Performance Delivery ‘Grant Management Action Plan’. The review identifies 150 actions across three areas:

  • support people — clarity of services, roles and accountabilities;
  • simplify processes — streamline, standardise and improve quality assurance of all grants; and
  • streamline systems and data — systems need to be simple, interconnected and easy to use – a single source of truth.

Review: Post Implementation Review of the Grants Management Unit (June 2021) undertaken in conjunction with Projects Assured

Relevance to provider fraud and non-compliance: The Grants Management Unit was set up to perform grants management tasks in the ‘establish’ and ‘manage’ phases of the grants management lifecycle. This includes engagement with providers and assessment of associated risks.

Purpose and outcomes: The purpose of the review was to provide a health check on the implementation of the Grants Management Unit established in December 2019. The review developed an action plan for the next twelve months to mature the Grants Management Unit. This included activities such as:

  • baseline current Grants Management Unit process timeframes and develop key performance indicators and performance targets for key Grants Management Unit services;
  • establish an accountable owner for Grants Management Unit processes and documentation and revise the Grants Management Unit Operation Manual (October 2020); and
  • define staff career paths, develop a Grants Management Unit training program and deliver training.

Review: Grant Risk Management Review (June 2021) undertaken in conjunction with Yardstick Advisory

Relevance to provider fraud and non-compliance: The Grant Risk Management Review assessed the application and use of the Grant Risk Management Guidelines. These guidelines are used to assess provider and grant activity risks. The review considered the development of organisational risk profiles and activity risk assessments.

Purpose and outcomes: The purpose of the review was to assess the Grant Risk Management Guidelines and related processes for alignment with the revised NIAA Risk Management Policy and Framework (December 2020). The review identified a road map for implementation that had 32 recommendations, including to:

  • align the Grant Risk Management Framework with the NIAA’s broader enterprise risk framework;
  • strengthen NIAA’s approach to program and sub-program risk, including the preparation of fraud risk assessments; and
  • strengthen the design, implementation and review of organisation risk profiles and the activity risk assessment process.

Source: ANAO analysis of Policy and Delivery Committee papers and minutes.

2.58 The three reviews were discussed by the Policy and Delivery Committee in July 2021, where it was agreed to engage across the NIAA on the recommendations and implementation. In October 2021 the Group Manager, Program Performance Delivery presented a paper to the Executive Board which stated that the NIAA had considered the recommendations of the three reviews, identified priorities and determined to incorporate the recommendations into the work of an existing ‘Grants Business Transformation Project’ in 2021–22. The priorities included strengthening the grants risk management framework in two phases (with the second phase to consider the NIAA’s approach to program, sub-program and activity risk) and introducing a mandatory grants design process to inform grant opportunity planning.

2.59 Although the Policy and Delivery Committee has received regular updates on the progress of the Grants Business Transformation Project, there is no evidence that the Policy and Delivery Committee has held Program Performance Delivery accountable for timely delivery of the reforms. For example, the Grant Risk Management Guidelines were not updated to reflect the December 2020 changes to the NIAA’s Risk Management Framework until September 2022.

2.60 In an update on grants management provided to the ARC in November 2022, the NIAA indicated that grant risk assessments had been updated to reflect the changes to the December 2020 risk matrix contained in the Risk Management Policy.

Third line assurance activities

2.61 A three-year rolling internal audit work plan is prepared. The ARC tracks and reviews the outcomes of internal audit activities, including management responses to internal and external audit findings and recommendations. The Internal Audit Work Program 2022–23 includes eight audits to be undertaken during the year. Although a review of grants management and assurance is planned, none of the planned internal audits directly focuses on provider fraud and non-compliance risks.[24]

2.62 Several relevant reviews were undertaken in 2021 (see Table 2.3) and in June 2021 KPMG Australia delivered an ‘IAS Program Health Check’. The purpose of this report was to assist the NIAA to prepare for this ANAO audit. The review considered the effectiveness of the NIAA’s arrangements to control the risk of IAS grant recipient fraud and non-compliance and found that ‘improvement was required’. Four ‘moderate’ risk-rated recommendations were identified related to the following areas: governance, roles and responsibilities; risk-based management of grants; policies and procedures; and accessibility and retention of data. By June 2022, all recommendations had been endorsed to be closed by the Audit and Risk Committee. Closure was recommended by the Head of Internal Audit based on advice from management. The ANAO has identified ongoing deficiencies in each of these areas.

3. Prevention, detection and referral

Areas examined

This chapter examines whether the National Indigenous Australians Agency’s (NIAA) arrangements for preventing, detecting and referring potential provider fraud and non-compliance are effective.

Conclusion

The NIAA’s arrangements for the prevention, detection and referral of potential provider fraud and non-compliance are partly effective. Prevention is not consistently or sufficiently considered in grant design and planning, and training is out of date. Detection relies primarily on complaints being raised and arrangements to deal with complaints are appropriate. Proactive detection controls are not sufficiently implemented. Referral and escalation arrangements exist, however these require greater clarity.

Areas for improvement

The ANAO made two recommendations to the NIAA aimed at ensuring that program fraud risk assessments, organisational risk profiles, and activity risk assessments are fully implemented; and at the NIAA implementing proactive fraud detection mechanisms. The ANAO also suggested that the NIAA improve its training on compliance and fraud; and make policies and procedures consistent with the compliance and fraud management framework.

3.1 The Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) subsection 10(c) includes the requirement to have an appropriate mechanism for preventing fraud. Prevention activities include designing grant opportunities to minimise the potential for fraud and promoting a fraud-aware culture.

3.2 PGPA Rule subsection 10(d) includes the requirement to have an appropriate mechanism for detecting incidents of fraud or suspected fraud, including a process for officials of the entity and other persons to report suspected fraud confidentially. The Commonwealth Fraud Control Policy also includes mandatory requirements related to establishing procedures to collect, manage and report information about fraud against the entity. The Commonwealth Fraud Control Policy encourages compliance with AS 8001:2021 Fraud and corruption control, which mandates that detection activities should encompass: post transactional review, review of management reports, identification of early warning signs/red flags, data analytics, whistle blower management systems, complaints management, grant acquittals and grant finalisation processes.[25]

Are the NIAA’s arrangements for the prevention of provider fraud and non-compliance effective?

Provider fraud and non-compliance risks are not consistently or sufficiently considered as part of grant design and establishment processes. A new grant design strategy requirement was introduced in March 2022 which incorporates risk assessment, including the consideration of fraud risks. At February 2023 there were eight new, revised or extended grant opportunities. Of these, one had a finalised risk assessment that considered fraud risks. Key documentation given to providers offers information about the Australian Government’s and NIAA’s position on fraud. Provider risks are assessed in the grant establishment process through provider and activity risk profiles and these cover fraud risk to some extent. There are weaknesses in how this is used to understand aggregated risks at the sub-program level. The Program Compliance and Fraud Branch has not provided adequate monitoring, review or reporting on fraud risk assessments. Relevant mandatory and non-mandatory training is offered, however the training is out of date.

3.3 To determine if the NIAA’s approach to the prevention of provider fraud and non-compliance risks was effective, the ANAO considered business planning and grant planning arrangements; and whether training programs had been appropriately developed and monitored.

Business planning

3.4 The NIAA Risk Management Framework states that enterprise risk is a standing item on the Executive Board agenda, and these risks must be taken into account by groups as they conduct group business planning. Groups are required to consider the enterprise risks identified in the corporate plan and identify how these will be addressed at the group level. The enterprise risk related to ‘delivery’ identified, as a key mitigation, the implementation of the Integrated Program Compliance and Fraud Management Framework (ICFF).

3.5 The Program Performance Delivery group business plans[26] for 2021–22 and 2022–23 considered the enterprise-level delivery risks and mitigations and identified relevant controls and treatments. Risks and controls were not assessed in accordance with the NIAA’s Risk Assessment Guidance. For example, the plans did not include an assessment of likelihood and consequence of the risk eventuating after existing controls were applied, or include information for treatment plans such as due date, accountable officer, and assessment of likelihood and consequence after treatment.

3.6 The Program Compliance and Fraud Branch business planning documents[27] for 2021–22 and draft planning documents for 2022–23 considered the implementation of the ICFF when identifying its activities and risks for the reporting period.

3.7 The NIAA does not analyse the business planning risk assessments performed by business areas or assess what this means for the management and implementation of enterprise mitigations outlined in the corporate plan. It does not assess whether proposed management of risks is within the NIAA’s risk appetite. This includes whether identified timeframes for implementation of key activities are appropriate.

Grant planning

3.8 The ANAO analysed four primary areas in grant planning in the NIAA that relate to the prevention of provider fraud and non-compliance risks (Figure 3.1).

Figure 3.1: Provider fraud and non-compliance preventative controls

The figure presents the four primary areas in grant planning that were analysed by the ANAO: design of grant programs; formal notification to providers of roles and responsibilities for fraud control; provider risk assessments; and monitoring, review and reporting of fraud risk assessments.

Source: ANAO analysis.

Design of grant programs

3.9 The ICFF identifies the importance of grant design planning arrangements to mitigate provider fraud and non-compliance risks. The ICFF includes a requirement for program risk to be assessed in the design phase. A ‘grant design strategy template’ states that the preparation of a grant design strategy is a mandatory requirement for NIAA sub-programs (see paragraph 2.28) developing ‘new or substantially redesigned’ grant funding opportunities requiring their own grant opportunity guidelines.[28] A grant design strategy is not mandatory for one-off or ad hoc grants[29], ‘but may still be useful’. The grant design strategy template states that a grant design strategy is needed to: have a clear plan for the grant opportunity, including the required outcomes and their alignment with strategic objectives; to support grant administrators in implementing the grant and identifying problems and risks before they occur; to meet legislative, audit and briefing requirements, noting that grant programs are subject to significant public and Parliamentary scrutiny; and to identify how the NIAA will work with community.

3.10 Section 7 of the NIAA’s grant design strategy template (March 2022) states that for each grant design strategy, the NIAA must complete a risk assessment, which must include fraud risk assessment, to be presented to the program owner (or delegate) in conjunction with the grant design strategy. The ICFF states that ‘compliance and fraud risks should be considered in program risk assessment and design … in accordance with NIAA risk assessment tool’. In completing the risk assessment, the NIAA needs to consider the specific risks identified in the Commonwealth Grant Rules and Guidelines 2017 (CGRGs) and PGPA Rule 10.

3.11 The NIAA advised the ANAO in February 2023 that since May 2022 there were eight new, revised or extended grant opportunities. Of these:

  • one had an approved grant design strategy which included a risk assessment that considered fraud risks;
  • for three, the NIAA advised that grant design strategies were in development; and
  • four did not have grant design strategies or fraud risk assessments. The NIAA advised that these grant opportunities were not in scope for a grant design strategy because they related to a previously approved grant opportunity guideline. The NIAA could not provide evidence of fraud risk assessments for these previously approved grant opportunities.

3.12 In February 2023 the NIAA advised the ANAO that the Fraud Risk Exposure Assessment process, once completed (see paragraph 2.30), would enable the Program Compliance and Fraud Branch to prioritise the preparation of fraud risk assessments for sub-programs in order of highest risk exposure to lowest risk exposure.

Notification of provider roles and responsibilities related to fraud control

3.13 NIAA Accountable Authority Instructions (AAIs) consider the prevention of fraud. AAI instruction 1.2 ‘Fraud Control’ states that:

All Officials, contractors and relevant third party providers must comply with the Commonwealth Fraud Control Policy. All Officials, contractors and third party providers should act in accordance with NIAA’s Fraud and Corruption Control Plan and the procedures for preventing, detecting and reporting suspected fraud. Officials must ensure that external service providers are aware of the Australian Government and NIAA’s position on fraud control, and meet the standard of accountability required under the [Public Governance, Performance and Accountability Act 2013].

3.14 The ANAO examined the three key documents given to all providers when applying for and/or receiving a grant.

  • Grant Opportunity Guidelines template — Provides information on the grant funding opportunity and process. This document mentions fraud at a high level in the context of probity and the grant opportunity process being consistent with the CGRGs. The template mentions risk management with respect to developing a COVID-19 risk management plan and that the grant assessment process should describe the risks associated with how the proposed activity will be managed. The organisational risk profile and activity risk assessment (see paragraphs 3.18 to 3.19), which will be developed by the NIAA, are mentioned.
  • Head Agreement template — Provides information on the framework that governs the relationship between the NIAA and the provider for all Indigenous Advancement Strategy (IAS) grants. This document includes specific requirements related to preparing risk assessments for vulnerable persons and safety, however there is no general requirement to develop a risk assessment for the project, including a fraud risk assessment. Information is included on different types of fraudulent behaviour, the NIAA’s fraud investigation powers and the penalties associated with fraud.
  • Project Schedule template — Provides specific information about performance of the contract including financial and performance reporting obligations. This is tailored using the NIAA’s Standardised Control Framework.[30] There are no requirements, information or expectations related to fraud.

3.15 The ANAO noted that the template for the cover letter when providing the Head Agreement and Project Schedule to the provider included a section on ‘fraud control’ which states that ‘the Commonwealth does not tolerate dishonest or fraudulent behaviour and is committed to taking a targeted and risk based approach to the prevention and detection of fraud’. This section of the cover letter includes a reference to the fraud reporting section on the NIAA website (discussed in paragraph 3.32).

3.16 When asked how the NIAA makes external service providers aware of NIAA’s position on fraud control, the NIAA advised the ANAO of the following.

  • Both the 2020–21 and 2021–22 NIAA annual reports state that the NIAA has zero tolerance for dishonest, fraudulent or corrupt behaviour.
  • Information for service providers about fraud and procurement is publicly available on the Department of Finance’s and Attorney-General’s Department’s websites.
  • Grant funding agreements include requirements for grantees to comply with laws; describe fraudulent offences under these laws; describe limitations on employing certain persons; and set out restrictions on certain types of expenditure in accordance with the project agreement.

3.17 On 17 November 2022, as part of Fraud Awareness Week, the NIAA included on its external website information about the NIAA Fraud and Corruption Control System. This included information on the ICFF and the stages and types of responses to non-compliance and fraud.

Organisational risk profiles and activity risk assessments

3.18 In the grant design and establishment process, the NIAA is required to prepare an organisational risk profile (ORP) and an activity risk assessment (ARA). The ANAO did not examine the implementation of ORPs and ARAs.[31]

  • Organisational risk profile — An ORP assigns a risk rating to a grantee based on an assessment of its governance, financial management and service delivery capability, including whether there are any concerns about fraud, serious non-compliance, or unpaid Government debts. If an ORP results in an overall risk rating of ‘high’ or ‘extreme’, risk treatments should be included as additional conditions to the grant agreement in line with the NIAA’s Standardised Control Framework.
  • Activity risk assessment — The ARA is an assessment of risk associated with an individual activity funded under the IAS. ARAs are calculated based on the annualised grant value of the activity, the nature of the grant activity and the ORP results. ARAs are used to determine grant agreement and management controls to be applied as part of the NIAA’s Standardised Control Framework.

3.19 The standard operating procedures for preparing ORPs and ARAs were updated in October 2022 to reflect the December 2020 changes in the NIAA Risk Management Policy and NIAA Risk Management Framework (NIAA Risk Management Policy and Framework), including risk matrix and rating definitions. The October 2022 standard operating procedures for preparing ORPs and ARAs do not address the use of ORP and ARA risk ratings when making aggregated assessments of fraud risk at the sub-program level. The Chief Operating Officer (COO) reported to the Audit and Risk Committee in September 2021 that:

ORP and ARA risk ratings are not aggregated at the sub-program level to provide a holistic perspective of risks. The absence of an aggregated view of risk within a sub-program again restricts the ability of the NIAA to effectively manage associated risks, or to monitor for emerging risks that may require adjustments to be made to policy and/or program settings.

Monitoring, review and reporting of fraud risk assessments

3.20 Fraud risk assessments could not be located by the NIAA for 79 out of 115[32] programs and sub-programs in the Program Compliance and Fraud Branch’s ‘Fraud Risk Assessment Summary’ dated July 2022 (see paragraph 2.23). Fraud risk assessments that were prepared did not assess risks and controls in accordance with the NIAA Risk Management Policy and Framework or include information required by the Risk Assessment Guidance (see paragraph 2.9).

3.21 The Fraud and Corruption Control System 2022–24 (FCCS), released in July 2022, states that the Program Compliance and Fraud Branch will monitor, review and report on fraud risk assessments to the COO and the Audit and Risk Committee. The predecessor Fraud Control Plan 2020–22 also identified the role of the Program Compliance and Fraud Branch to review and monitor fraud risk assessments. Both documents identify that the Program Compliance and Fraud Branch will test the effectiveness of fraud controls.

3.22 Monitoring, review and reporting of fraud risk assessments has not occurred in accordance with requirements.

  • For 2020–21 and 2021–22 the Program Compliance and Fraud Branch did not monitor, review or report on the quality and completeness of fraud risk assessments, including the deficiencies in their implementation.
  • The Program Compliance and Fraud Branch has not considered the implications of fraud risk assessments on the NIAA’s fraud risk profile and how this aligns with its stated risk appetite of ‘zero tolerance for criminal activity and breaches of the law’.
  • Testing of the effectiveness of fraud controls was not undertaken in 2020–21, 2021–22 or from July 2022 to December 2022.

3.23 In summary, the NIAA has established mandatory controls to help prevent provider fraud through: business planning; grant opportunity design strategies; provider risk assessments and fraud risk assessments. For 2020–21, 2021–22 and July to December 2022, these mandatory controls have not been fully implemented.

Recommendation no.4

3.24 The National Indigenous Australians Agency fully implement program and sub-program fraud risk assessments, organisational risk profiles, activity risk assessments and monitoring and review of fraud risk assessments.

National Indigenous Australians Agency response: Agreed.

3.25 The Agency is committed to fully implementing the frameworks and policies it has designed to prevent provider fraud and non-compliance. The planned review of the Agency’s Integrated Program Compliance and Fraud Management Framework in 2023 will take into account this recommendation.

Training

3.26 Staff capability and agency culture is a key element of compliance management detailed in the ICFF. Mandatory fraud and corruption awareness training is also identified as a key fraud prevention control in the NIAA’s Fraud and Corruption Control System 2022–24 (see paragraph 2.22).

3.27 In the NIAA, training relevant to the management of provider fraud and non-compliance includes: risk management, fraud awareness, grants administration and ICFF training. A comprehensive training needs analysis and training strategy has not been prepared for risk management, fraud awareness or grants administration training. At February 2023 the NIAA provided training related to risk management, fraud awareness and grants administration, however the training is out of date.

  • Risk management training — The NIAA provides mandatory risk management training to staff. Training completion rates are reported monthly to the COO. Mandatory risk management training completion rates were between 90 and 95 per cent in 2021–22, depending on the month. Training content has not been updated to reflect the December 2020 changes to the NIAA Risk Management Framework and Policy. As noted in paragraph 2.10, the December 2020 risk management implementation plan identified the need to update and deliver new risk management training.
  • Fraud awareness training — Mandatory fraud training completion rates, which are reported to the COO, were between 88 and 95 per cent in 2021–22, depending on the month. Fraud awareness training content was last updated in April 2019.
  • Grants administration training — NIAA grants administration training includes a module on provider fraud and non-compliance. Since November 2021 the training module has been mandatory for staff involved in grants administration. Completion rates in 2021–22 for relevant grants administration staff were 50 per cent for Executive Level 2 staff and 60 per cent for lower-level staff. The NIAA was unable to provide evidence of updates to content of training since 2019–20. There is other relevant non-mandatory training related to grants administration including system and process training.

3.28 In August 2022 the NIAA decided to commence a review of induction and mandatory training arrangements, including grants administration training. The NIAA informed the ANAO that the first stage of consultation relating to this review was concluded on 31 January 2023 and that this review will take one year to complete.

3.29 An ICFF training strategy, which included a needs analysis and an outline of training to be performed, was endorsed by the ICFF Working Group in February 2022. Training was not categorised as mandatory. The Program Compliance and Fraud Branch provided an update to the Audit and Risk Committee in September 2022 on the roll out of ICFF training and indicated that face-to-face training had been delivered to 90 per cent of Grants Management Unit locations and 60 per cent of locations with regional engagement teams. This training was delivered to 305 staff. The ICFF training strategy identified the need to provide training to providers. At February 2023 the approach to achieve this had not been detailed and no training had been made available to providers.

Opportunity for improvement

3.30 The NIAA could ensure that training reflects an overarching training strategy that targets relevant compliance and fraud controls/processes.

Are the NIAA’s arrangements for the detection of provider fraud and non-compliance effective?

In relation to reactive detection activities, the NIAA’s arrangements to receive complaints (including about potential fraud) and public interest disclosures are effective. The NIAA undertakes few proactive detection activities. The level of maturity of the NIAA’s use of data analysis for proactive detection of fraud and non-compliance is low and the NIAA does not consider acquittals or ongoing performance monitoring to be proactive fraud detection methods. There was no fraud and corruption control testing between July 2020 and December 2022.

3.31 In determining whether the NIAA’s approach to the detection of provider fraud and non-compliance risks was effective, the ANAO considered reactive and proactive detection activities. Reactive detection activities are those where the NIAA responds to external information or advice including complaints, fraud reporting and public interest disclosures. Proactive detection activities are those where the NIAA does not rely on others to inform it of potential fraud and non-compliance and instead relies on analytic processes which may identify potential provider fraud and non-compliance (for example, data analytics, grants performance monitoring and grants acquittal).

Reactive detection activities

3.32 The NIAA has established processes to receive complaints, public interest disclosures and reporting on suspected or alleged provider fraud and corruption. On the NIAA webpage, under the ‘contact us’ tab, links are provided to enable feedback, complaints, fraud reporting and public interest disclosures to be lodged with the NIAA.

  • Complaints — Feedback and complaints can be provided verbally or in writing. Relevant telephone, email and postal addresses are provided. Information on assistance provided by the NIAA to make a complaint is also detailed.
  • Fraud reporting — Under the link for fraud on the NIAA website, information on how to report suspected fraud or corrupt behaviour is provided. Fraud may be reported via telephone, email or in writing. A link is also provided to a summary of the NIAA’s Fraud and Corruption Control System and ICFF framework, which outlines NIAA’s zero tolerance for dishonest, fraudulent or corrupt behaviour.
  • Public interest disclosures — An (inoperative) link to information related to submitting a public interest disclosure is provided under ‘feedback and complaints’. This includes a copy of the November 2020 NIAA Public Interest Disclosure Procedures, and information on how to submit an enquiry about making a public interest disclosure. This includes an email address and postal address.

3.33 There were 74 complaints in 2019–20, 59 in 2020–21, and 85 in 2021–22. In 2021–22, the NIAA advised that of the 85 complaints made, three related to allegations of serious non-compliance or fraud and were assessed by the Program Compliance and Fraud Branch. Regular reporting on the number of complaints is provided to the Audit and Risk Committee as part of the COO Report.

3.34 There was one public interest disclosure in 2020–21 and no public interest disclosures in 2021–22 related to provider fraud and non-compliance. The one public interest disclosure was received in May 2021 and a decision was made by the NIAA in October 2021 and notified to the Commonwealth Ombudsman in November 2021. The disclosable conduct for this public interest disclosure was classified as ‘maladministration’. The handling of this public interest disclosure was not examined by the ANAO.

3.35 The ANAO reviewed a selection of fraud and compliance cases (see paragraphs 4.40 to 4.63) and identified that, for the ten cases that identified the source of the referral, all ten indicated that the referral resulted from complaints or allegations received.

Proactive detection activities

3.36 The FCCS identifies ‘other detection controls’ comprising: data analysis techniques to detect fraud (including through external data sources and data matching); ongoing monitoring of funded activities by agreement managers (including credit card compliance and checks; spot checks of grant management; and spot checks to confirm acquittals are correct); and fraud and corruption control testing. The FCCS notes that the NIAA is currently, or is in the process of, implementing these controls. In addition, the NIAA engages with the Australian Federal Police, the Attorney-General’s Department and other agencies about non-compliance and fraud in the Australian Government environment.

Data analysis

3.37 The NIAA Data and Information Management Strategy 2020–25 (Data Strategy) identifies that over the next five years the NIAA will be converting the data and information it holds into strategic assets. The Data Strategy states that the NIAA’s data optimisation level is at ‘business reporting’ and ‘operational reporting’ levels, and there is a desire to move to ‘data exploration and analysis’ and ‘predictive analysis’ levels to more effectively use data in delivering on its objectives. The Information Communication Technology Strategy 2020–23 also identifies the use of data analytics as a key strategic pillar.

3.38 The ICFF identifies information technology systems and record keeping as key enabling elements to the management of provider fraud and non-compliance. The ICFF states that:

Underpinning effective monitoring and reporting arrangements relating to Providers and funded activities is the capture and analysis of relevant data, proportional to the nature and risks of each program, funded activity, and/or Provider. The Agency should determine the baseline of information and data to be captured to monitor and report on activities, and consider whether this information is currently available in existing information management systems, or whether it needs to be captured through other means. Where required, and viable, additional data capture should be pursued to ensure sufficient information and data is available to monitor and report on programs, funded activities, and/or Providers.

3.39 At February 2023 the NIAA did not provide evidence that it has mapped the baseline information and data to be captured, considered whether this information is available in existing information systems, or determined whether it needs to be captured through other means. The NIAA has not established a detailed timeline for developing a data analytics capability for detecting provider fraud and non-compliance.

Ongoing monitoring of funded activities

3.40 Section 12.12 of the CGRGs states that reliable, timely and adequate evidence is required to demonstrate that a grant has been expended in accordance with the terms and conditions of the grant agreement. The Commonwealth Fraud Control Policy encourages compliance with AS 8001:2021 Fraud and corruption control, which lists grant acquittals as one type of detection activity.33

3.41 The NIAA advised the ANAO that it does not consider its grant performance monitoring or acquittal processes to be proactive fraud detection controls.

Fraud and corruption control testing

3.42 The Program Compliance and Fraud Branch did not undertake any fraud and corruption control testing during the review period of the audit.

Recommendation no.5

3.43 The National Indigenous Australians Agency implement proactive mechanisms for the detection of provider fraud and non-compliance.

National Indigenous Australians Agency response: Agreed.

3.44 The Agency has committed to implementing proactive measures to detect potential provider non-compliance and fraud under its Integrated Program Compliance and Fraud Management Framework. The planned review of the Framework in 2023 will consider implementation of additional proactive detection measures.

Are the NIAA’s arrangements for the referral of potential provider fraud and non-compliance effective?

The NIAA has developed arrangements for the escalation and referral of potential provider fraud and non-compliance matters. The Integrated Program Compliance and Fraud Management Framework includes guidance for referral and escalation. The guidance lacks clear information about timelines, resourcing, record keeping and feedback.

3.45 The ANAO considered whether the NIAA had developed guidance for the consistent escalation of potential provider fraud and non-compliance matters and whether it had established performance measures, resourcing requirements, timeframes, and record keeping protocols.

3.46 The ICFF sets out NIAA’s ‘proportional and graduated’ response model to provider non-compliance. The response model (Figure 3.2) is required to be informed by a provider’s compliance status, attitudes and behaviours. Response mechanisms range from education and support for accidental or one-off non-compliance through to possible prosecution for intentional non-compliance. Any suspected or alleged fraud is required to be escalated by grant agreement managers to the Program Compliance and Fraud Branch.

Figure 3.2: NIAA’s response model for provider non-compliance

The figure presents the NIAA’s ‘proportional and graduated’ response model to provider non-compliance. The response mechanisms are described in paragraph 3.57.

Source: NIAA’s Integrated Program Compliance and Fraud Management Framework, Appendix E.

3.47 This escalation approach includes criteria and guidance for each of the four levels of non-compliance shown in Figure 3.2. The ICFF acknowledges that the application of the criteria requires judgement and there will be circumstances which fall in the ‘grey area’ between criteria. The ICFF states that where uncertainty exists grant agreement managers should consult with the Grants Advice Team as to whether further escalation is required.

3.48 In September 2021 Yardstick Advisory was commissioned by the NIAA to prepare a paper on the escalation model that considered what additional guidance might be required to clarify the model. The paper noted that the model required: threshold questions to guide escalation decisions; a decision tree; workflows with roles and responsibilities (particularly for higher risk matters); service level agreements between business areas; and an operating model. The paper was discussed at a November 2021 ICFF Working Group meeting where it was noted that most suggestions were already action items in the ICFF implementation plan (see paragraph 2.21).

3.49 In August 2022 the ICFF Working Group endorsed changes to the escalation process pictorial guidance (workflow) used by grants administration staff in a way that is not fully aligned to the process described in the ICFF.34 The paper provided to the ICFF Working Group stated that there were still conflicting views held by regional engagement officers and the Grants Management Unit about who was responsible for escalating non-compliance and fraud matters to the Program Compliance and Fraud Branch.

3.50 Although the changes to the pictorial escalation model to support the implementation of the ICFF were intended to make the workflow clearer, they do not provide sufficient information to support a practical understanding of expectations of the NIAA’s grants processing staff. This would require clearer roles and responsibilities, timeframes, and record keeping protocols.

3.51 Related policies and procedures need to work together with the ICFF escalation model to provide a clear workflow for referring fraud and non-compliance matters. At February 2023 a number of these policies and procedures were not developed, and those that did exist were not necessarily consistent (refer to Table 2.2). For example, the July 2022 Compliance Control and Management Standard Operating Procedures specified that compliance reviews should be completed in 40 days. It is unclear if this is aligned to the escalation approach outlined in the ICFF (which does not specify any service level standard with respect to days) or other NIAA procedures.

3.52 In March 2022 the ICFF Working Group finalised ICFF performance measures. The measures included an increase in the reporting of suspected fraud until 2022–23, improvements in NIAA staff confidence in managing non-compliance and fraud and improvements in compliance reviews.

Opportunity for improvement

3.53 The NIAA could ensure that its policies and procedures are consistent with principles and approaches outlined in its key frameworks, including the Integrated Program Compliance and Fraud Management Framework. Together these policies and procedures should provide a consistent and comprehensive approach to provider fraud and non-compliance management.

4. Response to referred provider fraud and non-compliance

Areas examined

This chapter examines whether the National Indigenous Australians Agency (NIAA) has established effective arrangements for responding to matters referred as potential provider fraud and non-compliance.

Conclusion

The arrangements for the NIAA’s triage, management and resolution of referred matters related to potential provider fraud and non-compliance are partly effective. There are policies, standard operating procedures, and functional areas with responsibility for triaging matters, however criteria informing the initial response to referred matters are not transparent or consistent. Data collection does not support performance measurement. For managed matters, closure reports are not consistently prepared, timeliness is not sufficiently monitored and record keeping is not fit-for-purpose. The NIAA collects some lessons learned through a variety of processes. This could more effectively inform changes to systems and processes.

Areas for improvement

The ANAO made two recommendations aimed at improving the transparency and consistency of fraud and non-compliance case assessments and improving the management of compliance reviews and fraud investigations. The ANAO identified one opportunity for improvement related to ensuring lessons learned inform changes to systems and processes.

4.1 Subsections 10(e) and 10(f) of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) outline the requirement to have an appropriate mechanism for investigating or otherwise dealing with; and for recording and reporting; incidents of fraud or suspected fraud. The Australian Government Investigations Standards 2011 (AGIS 2011)35 established the minimum standards for Australian Government agencies conducting investigations. These standards covered investigation policy, performance measurement and investigator qualifications. In October 2022 a revised version of the AGIS was released publicly. As the ANAO audit examined the period July 2020 to December 2022, and none of the fraud investigation activities examined by the ANAO commenced after 1 October 2022, compliance with the revised AGIS was not assessed as part of this audit.

4.2 The ANAO examined alignment with the PGPA Rule, AGIS 2011 and internal policies and procedures, across the lifecycle of responding to alleged provider fraud or non-compliance including triage, the management and resolution of the issue, and the incorporation of lessons learned into systems and processes.

Are arrangements for initial response to referred matters effective?

The NIAA has established arrangements for its initial response to potential provider fraud and non-compliance matters. There are policies and procedures for the allocation of referred matters, and there is an intake team to rate matters and undertake triage. A separate ‘case advisory group’ is responsible for decision-making on all fraud and more serious non-compliance matters. The NIAA has not established clear criteria for allocating matters to different treatment categories, or for prioritising those matters. Criteria are not aligned with the Integrated Program Compliance and Fraud Management Framework and — for fraud matters — are inconsistent with the NIAA’s stated risk appetite. The absolute number of non-compliance and fraud matters requiring more than a ‘minor’ response has decreased over three years. There is insufficient data collected to understand why this is the case, or to enable an assessment of whether recent reforms to the NIAA’s approach to managing non-compliance are having the intended impact.

4.3 ‘Initial response’ in the NIAA refers to the decision to accept or reject a matter for further consideration. Effective initial response allows for timely consideration of matters and effective prioritisation of resources. Effective initial response should reflect the agency’s risk appetite and approach, be appropriately documented, be based on consistent criteria and have clear timeframes for completion.

4.4 The Program Compliance and Fraud Branch is responsible for managing major or severe non-compliance and fraud; and providing assistance, advice and training to staff in other parts of the NIAA. After potential provider fraud and non-compliance matters have been referred to it, the Program Compliance and Fraud Branch undertakes four types of initial response activities (Figure 4.1).

Figure 4.1: Initial response activities performed by the Program Compliance and Fraud Branch

The figure presents the four types of activities that are undertaken by the Program Compliance and Fraud Branch in response to matters referred. The four types of activities are: minor advice and support; intensive support compliance matter; compliance review; and fraud investigation.

Source: ANAO analysis of PCFB activities, policies and procedures.

4.5 The NIAA has developed Compliance, Fraud and Complaints Standard Operating Procedures (which apply primarily to ‘intensive support compliance matters’), the Compliance Control and Management Standard Operating Procedures (which apply to compliance reviews), and the Fraud Investigation Manual (which applies to fraud investigations) to guide response activities. The Compliance Control and Management Standard Operating Procedures were established in July 2022. Before this date, there were no finalised and comprehensive standard operating procedures for the conduct of compliance reviews.

4.6 There is a Compliance Intake Team36 within the Program Compliance and Fraud Branch which makes the initial assessment about the categorisation of the referral (see Figure 4.1). The decision is made by an officer based on the Compliance, Fraud and Complaints Standard Operating Procedures. The ANAO did not examine the quality of decision-making associated with classifying the matter as minor or more serious.

Minor advice and support

4.7 Some referred matters are judged by the Compliance Intake Team to require only minor advice and support from the Program Compliance and Fraud Branch. The advice and support is required to be provided to NIAA staff, such as grant agreement managers, who will deal directly with the matter.

4.8 The NIAA objective is to decrease the number of minor non-compliance matters that are dealt with by the Program Compliance and Fraud Branch. One of the Integrated Program Compliance and Fraud Management Framework (ICFF) performance measures was ‘improvement in compliance’. The indicator for this was a ‘decrease in the number of less serious compliance matters referred to the Program Compliance and Fraud Branch (as staff can better manage issues themselves).’

4.9 Minor advice is not formally tracked or recorded by the Program Compliance and Fraud Branch and the Program Compliance and Fraud Branch has no other involvement in the matter beyond providing advice and support to someone else within the NIAA. As the matters are not tracked, it is not possible for the ANAO or the NIAA to determine if the number of less serious compliance matters being managed directly by staff has increased or decreased.

4.10 The ANAO has not examined the quality or responsiveness of the advice provided for minor matters.

Intensive support compliance matters

4.11 ‘Intensive support compliance matters’ (ISCMs) are matters where non-compliance with the terms and conditions of a grant funding agreement or project schedule has been identified, which do not meet the threshold for serious non-compliance or fraud, and where the issue is too complex to be managed solely by the business area.

4.12 In line with the Compliance, Fraud and Complaints Standard Operating Procedures, an ISCM is required to be recorded and tracked by the Program Compliance and Fraud Branch in a spreadsheet. Recorded information should include the responsible officer; the JADE37 identification number; priority rating (high, medium or low); date received by the Program Compliance and Fraud Branch; provider details; funding program, sub-program and current funding; organisational risk profile rating; detailed issue or concern; status and actions; and date closed. Access to the ISCM spreadsheet is restricted to staff in the Program Compliance and Fraud Branch, however there are no other access controls.

4.13 The priority rating is determined by the assessing officer in the Compliance Intake Team. The decision criteria for the rating are not formally defined in Compliance, Fraud and Complaints Standard Operating Procedures or in other documentation.

4.14 The spreadsheet is used for management reporting and tracking of ISCM activities. Table 4.1 outlines the number of ISCMs received, closed and on hand over three years, as reported to the Audit and Risk Committee by the Program Compliance and Fraud Branch.

Table 4.1: Intensive support compliance matters received, finalised and on hand, 2019–20 to 2021–22

| Classification | 2021–22 | 2020–21 | 2019–20 |
| --- | --- | --- | --- |
| ISCMs received | 36 | 64 | 77 |
| ISCMs finalised | 39 | 87 | 62 |
| ISCMs on hand at end of financial year | 18 | 21 | 44 |
| Ratio of ISCMs on hand to ISCMs finalised | 46% | 24% | 71% |

Source: ANAO analysis of Program Compliance and Fraud Branch statistics prepared for the audit.

4.15 The number of ISCMs received has decreased by fifty-nine per cent over three years. Reflecting the decrease in matters received, the number of ISCMs on hand at the end of the financial year was more than halved in 2020–21 compared to 2019–20.

4.16 The decrease in the number of ISCMs received (and finalised) is not in line with the NIAA’s objectives following the implementation of the ICFF. One of the ICFF performance measures indicates that the NIAA expected an increase in the number of requests for compliance support in 2021–22 and 2022–23. The Program Compliance and Fraud Branch update to the Audit and Risk Committee in November 2022 stated that the decrease in ISCMs was attributed to it ‘honing its focus on more complex matters fully within its remit with more straightforward matters being referred to grants advice and other relevant areas in Program Performance Delivery’. The ANAO notes that this explanation is not consistent with the parallel decrease in more serious non-compliance and fraud matters over the same period (see Table 4.2 and Table 4.3).

Compliance reviews

4.17 If a compliance matter referred to the Program Compliance and Fraud Branch requires the Program Compliance and Fraud Branch to take the lead on an issue, the matter is referred to the Case Advisory Group (CAG). The Terms of Reference for the CAG (August 2021) states that the purpose of the CAG is to: prioritise Program Compliance and Fraud Branch workflows ‘to ensure cases are resourced in line with their urgency and other branch priorities’; and make decisions by consensus on the acceptance of administrative actions and criminal investigations.

4.18 The CAG Terms of Reference identify the membership and quorum of CAG. All members are required to attend meetings to meet the quorum for decision-making. The members include the Branch Manager of the Program Compliance and Fraud Branch.

4.19 Information is provided to the CAG by the Compliance Intake Team in an ‘assessment report’ to facilitate a decision on the acceptance of a referred matter as a compliance review. The assessment report includes information/considerations against a set of ten questions (Box 1).

Box 1: Assessment questions for triage

  1. Does Program Compliance and Fraud Branch have jurisdiction to investigate?
  2. Is there any information or evidence to support the allegations of serious non-compliance or criminal activity?
  3. What is the level of public interest and are there any reputational and sensitivity issues?
  4. How current are the activities outlined in the allegation/information?
  5. What is the value of funds involved and what are the cost benefits for an investigation?
  6. Are there any governance issues?
  7. Is there a risk to Commonwealth interests? If so, what level?
  8. Are there any upcoming NIAA decisions concerning this entity/agreement?
  9. Should Program Compliance and Fraud Branch take further action (other than to investigate)? If so, which section in the Program Compliance and Fraud Branch should take further action?
  10. Should the matter be referred to another NIAA area or external agency?

4.20 The NIAA advised the Audit and Risk Committee that matters to undergo a compliance review may involve a site visit or desktop analysis, and do not meet the threshold for criminality involving fraud.38 There is a lack of clarity around which criteria should be prioritised in the decision to accept a referred matter as a Compliance Review. The criteria and information contained in the assessment report do not consider the factors outlined in the ICFF related to what would constitute a ‘major or resistant ongoing non-compliance matter’, or ‘severe or deliberate ongoing non-compliance matter’.39 Decisions are not consistently recorded in meeting minutes. There is no evidence of formal consideration at the CAG of the impact on NIAA resources in accepting new compliance reviews or if the compliance review reflects any trends/common themes in non-compliance.

4.21 A priority rating for a compliance review is determined by the relevant director. As with ISCMs, there are no criteria or definitions of priority ratings in NIAA Compliance Control and Management Standard Operating Procedures.

4.22 In a compliance review, the Program Compliance and Fraud Branch is required to work collaboratively with the NIAA business area and relevant provider to resolve the issue. Remedial actions include debt recovery, withholding funding, imposing additional conditions, reducing project scope or terminating the project. Table 4.2 outlines the number of compliance reviews commenced, finalised and on hand over three years.

Table 4.2: Compliance reviews received, finalised and on hand, 2019–20 to 2021–22 [a]

| Classification | 2021–22 | 2020–21 | 2019–20 |
| --- | --- | --- | --- |
| Compliance reviews commenced | 7 | 1 | 13 |
| Compliance reviews finalised | 7 | 9 | 7 |
| Compliance reviews on hand at end of financial year | 21 | 21 | 29 |
| Ratio of compliance reviews on hand to compliance reviews finalised | 300% | 233% | 414% |

Note a: Statistical information included in this table does not align to the number of matters approved by CAG for commencement as recorded in CAG minutes. The information also does not agree to compliance review information provided in monthly Chief Operating Officer (COO) reporting or a compliance case management spreadsheet. The ANAO chose to use this information as it appeared to be more reliable than other information sources as it was prepared by the NIAA to support a Ministerial submission.

Source: ANAO analysis of Program Compliance and Fraud Branch statistics.

4.23 The number of compliance reviews commenced in 2020–21 was 92 per cent lower than in 2019–20. The NIAA advised the ANAO that this was, in part, due to the impact of the COVID-19 pandemic, which restricted the Program Compliance and Fraud Branch’s ability to conduct site visits. However, the number of compliance reviews commenced in 2021–22 was also almost half that of 2019–20. Between 2019–20 and 2021–22, the number of cases on hand at the end of the financial year decreased by 28 per cent.

Fraud investigations

4.24 The NIAA advised the Audit and Risk Committee that where fraud is suspected, qualified and experienced NIAA investigators (sometimes jointly with law enforcement or other government agencies) will conduct formal investigations in accordance with the AGIS and the Commonwealth Prosecution Policy.

4.25 NIAA staff are required to refer all instances of alleged or suspected internal and external fraud to the Program Compliance and Fraud Branch. Upon receipt of the referral, an assessment of the matter is prepared by the Compliance Intake Team for consideration by CAG. For fraud investigations, the AGIS 2011 recommends that any decisions regarding the evaluation and acceptance of investigations must be made by a senior executive service (SES) officer. The Branch Manager, Program Compliance and Fraud Branch (an SES position) is the Chair of the CAG.

4.26 The assessment is made against criteria established in the Compliance, Fraud and Complaints Standard Operating Procedures. The criteria are the same as those for compliance reviews which are outlined at paragraph 4.19.

4.27 As for compliance reviews, there is a lack of clarity around which criteria should be prioritised in the decision to proceed with a fraud investigation. The assessment reports reviewed by CAG include consideration of the costs and benefits40 of conducting an investigation. The consideration of costs and benefits is in line with the AGIS 2011 and is aimed at ensuring the efficient and effective management of fraud investigations. The discretion involved in accepting a matter as a fraud investigation is inconsistent with the NIAA’s stated risk appetite for fraud in the Fraud Control Plan 2020–22 and in the Fraud and Corruption Control System 2022–24 (FCCS), which is ‘zero tolerance for criminal activity and breaches of law’ (Case study 1).

Case study 1. CAG decision not to progress a fraud investigation

In August 2020, the CAG considered a fraud investigation into an Aboriginal Corporation providing services under the Indigenous Advancement Strategy. There was a question as to whether improper loans using NIAA grant funding had been made to a previous Chief Executive Officer and Deputy Chief Executive Officer of the provider organisation.

After considering the matter, CAG decided not to continue with a fraud investigation. CAG’s decision not to further investigate this alleged fraud incident was based on:

  • potential difficulty in determining whether the NIAA funds were used to provide improper loans;
  • the relatively small amount of money that had possibly been misused under the NIAA funding agreement;
  • the persons of interest no longer being employed by the provider; and
  • multiple sources (including the NIAA relationship manager and Office of the Registrar of Indigenous Corporations) reporting improved corporate governance and performance under the new Chief Executive Officer.

At the time this decision was made, the Risk Management Policy in force was silent on the risk appetite and tolerances related to dishonest, deceptive and fraudulent conduct. However, the Fraud Control Plan 2020–22 in force at this time stated that the ‘NIAA has zero tolerance for dishonest, fraudulent or corrupt behaviour’.

At a subsequent CAG meeting it was decided to investigate the matter as it appeared to involve a greater sum of money than previously considered.

4.28 Subsection 2.2 of the AGIS 2011 states that the written procedures covering the initial evaluation and actioning of a matter which has been received or identified must include timeframes for initial evaluation of matters. The Compliance, Fraud and Complaints Standard Operating Procedures do not include relevant timeframes for the initial assessment to be provided to and considered by CAG.

4.29 Each fraud investigation is prioritised as either high, medium or low as determined by the relevant director. There is no definition of this priority rating in the NIAA Fraud Investigation Manual. An undated ‘NIAA Investigation Prioritisation Table’ provided to the ANAO in February 2023 provides a points-based prioritisation approach to fraud investigations. The ANAO found no evidence of its use during the audit review period.

4.30 Table 4.3 outlines the number of fraud investigations commenced, finalised and on hand for the last three financial years.

Table 4.3: Fraud investigations received, finalised and on hand, 2019–20 to 2021–22 (a)

| Classification | 2021–22 | 2020–21 | 2019–20 |
| --- | --- | --- | --- |
| Fraud investigations commenced | 0 (b) | 7 | 9 |
| Fraud investigations finalised | 8 | 6 | 4 |
| Fraud investigations on hand at end of financial year | 17 | 25 | 24 |
| Ratio of fraud investigations on hand to fraud investigations finalised | 213% | 417% | 600% |

Note a: Statistical information included in this table does not align to the number of fraud investigations approved by CAG for commencement as recorded in CAG minutes. The information also does not agree to fraud investigation information provided in monthly COO reporting. The ANAO chose to use this information as it appeared to be more reliable than other information sources as it was prepared by the NIAA to support a Ministerial submission.

Note b: The NIAA advised the ANAO in April 2023 that there had been one fraud investigation relating to internal credit card misuse, however this did not appear in the Program Compliance and Fraud Branch statistics.

Source: ANAO analysis of Program Compliance and Fraud Branch statistics.

4.31 The number of fraud investigations commenced decreased over the three years and no fraud investigations were commenced in 2021–22. The ICFF performance measures expected that there would be an increase in the detection of fraud compared to baseline data in 2020–21, given the projected increased awareness of staff of the ICFF expectations related to identification and escalation of potential provider fraud. The NIAA has not analysed why the results were different to what was expected.

4.32 The number of fraud investigations commenced in the NIAA is lower than the average number of fraud investigations commenced in 2020–21 in comparable[41] Australian Government entities. Based on the ANAO analysis of the Australian Institute of Criminology statistical bulletin in June 2022, the average number of external fraud investigations commenced in medium agencies was 25 and in large agencies was 12.[42]

Recommendation no.6

4.33 The National Indigenous Australians Agency ensure that:

  1. it maintains a record of all referrals, including triage outcomes, to support analysis of trends in referrals and Integrated Program Compliance and Fraud Management Framework performance measurement;
  2. the basis for initial assessment of compliance reviews is in line with the Integrated Program Compliance and Fraud Management Framework;
  3. decision-making on initial assessment is guided by clear and transparent criteria; and
  4. the decision whether or not to proceed with a fraud investigation reflects the National Indigenous Australians Agency’s risk appetite.

National Indigenous Australians Agency response: Agreed.

4.34 The Agency will review existing processes and procedures to ensure decision-making and record keeping in relation to referrals, assessments and prioritisation of matters is consistent with relevant policy and frameworks.

Reporting of initial response

4.35 There is no summary reporting considered at CAG to indicate the current compliance review caseload or the characteristics of the caseload. This includes whether cases have been suspended, or how the backlog of cases is being managed.

4.36 Monthly dashboard reporting on the ISCM, compliance review and fraud investigation caseloads is provided by the Program Compliance and Fraud Branch to the COO. These reports include information on the number of ISCMs and compliance reviews by program and region; and the relevant organisational risk profile rating. For fraud investigations, this information is provided for individual fraud investigations and is not aggregated. The COO report includes some summary information on the status of fraud investigations, such as whether an investigation is before the courts.

Is management and resolution of referred matters effective?

The NIAA has policies and procedures for investigation and resolution of fraud and non-compliance matters. Compliance review scoping and fraud investigation plans were prepared for all matters examined by the ANAO and contained most of the required elements. Closure reports were prepared for compliance reviews, however they lacked information on lessons learned. Closure reports were not consistently prepared for fraud investigations and those that were prepared were often not compliant with requirements. NIAA data on the number of investigations completed was not robust. Timeliness service standards were established only for compliance reviews, and only from July 2022.

Timeliness of ISCMs, compliance reviews and fraud investigations is not monitored by the NIAA, and the decision to undertake a review or investigation is not reassessed after long durations or periods of suspension. Relative backlog increased between 2020–21 and 2021–22 for administrative reviews. Record-keeping for compliance reviews and fraud investigations is deficient, with the NIAA acknowledging there is ‘no single source of truth’.

Intensive support compliance matters

4.37 The primary focus of an ISCM is to support NIAA line managers and staff to perform compliance activities. There are no specific Australian Government requirements for the management and resolution of ISCMs, except for the efficient, effective, economical and ethical use of public resources. The NIAA has not established any timeliness or other service standards for ISCMs.

4.38 As noted at Table 4.1, there were 39 ISCMs finalised in 2021–22. For this period, the ANAO calculated that it took an average of 258 calendar days[43] to finalise an ISCM. As a proxy for relative backlog, the ratio of ISCMs on hand to finalised in a given year suggests that significant improvements in backlog in 2020–21 had reversed in 2021–22.

4.39 Outcomes and other characteristics of ISCMs are documented in the spreadsheet that is used for tracking ISCM activities. Information on ISCMs received and finalised is regularly reported to the Audit and Risk Committee.

Compliance reviews

4.40 There are no specific Australian Government requirements for the management and resolution of compliance reviews beyond the general principle of the efficient, effective, economical and ethical use of public resources. The Compliance Control and Management Standard Operating Procedures outline the expectations for undertaking a compliance review including estimates of timeframes for specific activities. A compliance review usually comprises five[44] phases: scope preparation; a preliminary desktop review; a site visit or comprehensive desktop review; post site visit analysis of information; and preparation of final closure reports.

Compliance review scoping

4.41 The scope preparation phase includes the requirement to detail: the background on the provider organisation and allegation; the period of activity that will be investigated; key activities to be performed; and required resourcing. The scope is prepared by the assigned officer.

4.42 The ANAO reviewed three of the eight scoping documents prepared for compliance reviews commenced since July 2020 (see Table 4.2).[45] This analysis identified that the scoping documents did not contain comprehensive information related to resourcing. None of the scoping documents included cost or resource requirements for the review, for example the length of time or level of effort required by staff.

4.43 One of the three scoping documents examined was unclear about when and how the matter was referred by CAG as a compliance review and how and when the review would be performed. There was no evidence that the CAG approved the referral of another matter as a compliance review. None of the documents indicated a date for completion of the review, although when outlining the required resources, the scoping form template indicates (in a heading) that it is ‘required to deliver draft findings and outcomes within 8 weeks of commencement of Review’. Although it is not an explicit requirement, none of the scoping documents were signed by the preparer or approver.

Compliance review closure reports

4.44 The final phase of a compliance review includes the preparation of an internal findings report (or closure report). NIAA’s template for the closure report includes information on: the background to the provider organisation and relevant compliance issues; details of the activities performed; outcomes of activities; lessons learned; and findings and recommendations.

4.45 The ANAO reviewed closure reports for three of the sixteen compliance reviews closed since July 2020 (see Table 4.2).[46] The three closure reports did not contain all of the required information. The exceptions were:

  • none of the closure reports were evidenced as being endorsed by the Branch Manager, Program Compliance and Fraud Branch, or provided to CAG for final endorsement; and
  • two of the three closure reports did not include information on lessons learned.

Timeliness of Compliance Reviews

4.46 The July 2022 Compliance Control and Management Standard Operating Procedures state that a compliance review will generally take eight weeks (40 business days) to complete.[47] As there was no standard operating procedure in place prior to July 2022, there was no timeliness service standard prior to July 2022. Templates in use prior to July 2022 did refer to an eight-week period.

4.47 In the period between July 2020 and December 2022, the Program Compliance and Fraud Branch did not monitor the time taken to complete compliance reviews.

4.48 The ANAO considered the timeliness of the examined compliance reviews. This analysis identified that:

  • no scoping document had been prepared for one of the compliance reviews until seven months after the case had been allocated as a compliance review by the CAG;
  • the same review was ongoing at December 2022, exceeding the eight week timeframe by more than thirty weeks;
  • an update to the CAG on the progress of another matter did not address that the matter was in its fifth month of implementing an eight-week scope of review; and
  • the closure reports were prepared between three and six years after the referral of the matter to the Program Compliance and Fraud Branch.

4.49 As noted at Table 4.2, there were seven compliance reviews finalised in 2021–22. Compliance reviews finalised in 2021–22 took an average of 1232 calendar days[48] to finalise. One of the objectives of the ICFF is to promote proactive and timely identification and resolution of potential provider fraud and non-compliance matters. There was no evidence that the Program Compliance and Fraud Branch considered the ongoing value of continuing these compliance reviews after such significant periods of time.[49] As a proxy for relative backlog, the ratio of compliance reviews on hand to finalised in a given year suggests that improvements in backlog in 2020–21 had reversed in 2021–22, as for ISCMs.

Fraud Investigations

4.50 The undated Fraud Investigation Manual outlines the framework, policy and procedures for undertaking fraud investigations in the NIAA. The Fraud Investigation Manual refers to the AGIS 2011 as setting out the minimum standards for conducting investigations.

Fraud investigation planning

4.51 Following a decision of the CAG to proceed with a fraud investigation, an investigation plan is to be prepared by the relevant case officer within the Program Compliance and Fraud Branch. Investigation plans include information such as: context and background on the investigation and allegations; confirmation of jurisdiction; identification of key stakeholders; investigative risks assessment; investigation activities; costings; detailed investigative action plan; and evidence matrix.

4.52 The ANAO reviewed planning documents for three[50] of the seven Fraud Investigations commenced since July 2020 (refer to Table 4.3). The investigation plans did not contain all of the information required by the Fraud Investigations Manual. The exceptions were:

  • although not an explicit requirement, one investigation plan was not signed by the case officer or authorised by the relevant director;
  • none of the investigation plans included information about costs or timeframes for the investigation that would allow for the investigation to be managed against budgets and timelines[51]; and
  • one investigation plan did not identify any information about staff assigned to the investigation other than the case officer.

4.53 The ANAO reviewed management reporting to understand how these Fraud Investigations were monitored for progress against the investigation plan. The status and progress of each of these investigations was included in the COO report over the review period. The ANAO noted that one of the three investigations was suspended for the entire period reviewed (October 2021 to August 2022). There was no evidence that the Program Compliance and Fraud Branch considered the ongoing value of continuing this fraud investigation given it had been suspended for over ten months. In another case, reporting to the COO on the fraud investigation ceased in January 2022, and there was no further reporting to the COO on this matter. However, a closure report was prepared for this in July 2022 and considered by the CAG in August 2022.[52]

Fraud investigation closure reports

4.54 Investigations can have a number of outcomes, including: taking no further action; the preparation of a brief of evidence for criminal prosecution; or disruptive/preventative activities. The purpose of an investigation case closure report is to formally close an investigation, inform management of the outcome of the investigation and to bring to notice any key lessons learned or recommendations arising.

4.55 The AGIS 2011 mandates procedures for the finalisation of fraud investigations. These include the requirement to include in closure reports analysis of results achieved against objectives; lessons learned (positive and negative) including those related to training, legal, resourcing or methodology issues; and appropriate follow up actions.[53] The NIAA investigation closure template includes information on: context and background; investigation activities; outcomes; lessons learned; recommendation and approvals.

4.56 The NIAA Fraud Investigation Manual requires the investigation closure report to be cleared by the relevant director. The terms of reference of the CAG states that ‘CAG has responsibility to endorse closure of fraud investigations.’

4.57 As noted at Table 4.3, 18 fraud investigations had been finalised between 1 July 2019 and 30 June 2022. The ANAO requested copies of all investigation closure reports from this period. In its response to the ANAO request, the NIAA subsequently stated that only 10 fraud investigations had been closed. The NIAA was unable to locate closure reports for five of the 10 closed fraud investigations. CAG meeting minutes for the period April 2020 to June 2022 identified an additional five fraud investigations which had been endorsed as closed by the CAG. These were not included among the 10 fraud investigations which the NIAA had stated were closed.

4.58 A review of the five investigation closure reports provided by the NIAA to the ANAO identified that the outcome of all five fraud investigations was that there was no or insufficient evidence of fraud. The ANAO found that, of the five reports provided:

  • three closure reports were not approved;
  • one closure report was not dated;
  • of the four closure reports that were dated, three were not endorsed by CAG; and
  • three closure reports did not include information on lessons learned.

Timeliness of Fraud Investigations

4.59 The Fraud Investigation Manual does not require a fraud investigation to be completed within a time limit. The Program Compliance and Fraud Branch did not monitor the time taken to complete fraud investigations. For the five closure reports examined, it took an average of 736 days[54] to finalise the investigation.

4.60 In relation to the sampled investigation plans, the ANAO identified that:

  • one investigation plan was dated three months after the investigation was endorsed by CAG for commencement as a fraud investigation (four months after it was referred to the Program Compliance and Fraud Branch);
  • one investigation plan was prepared three months after CAG endorsement as a fraud investigation (nine months after it was referred to the Program Compliance and Fraud Branch); and
  • one investigation plan was dated the same date as referred to the Program Compliance and Fraud Branch and three months before CAG endorsed the referral to be treated as a fraud investigation.

Management of fraud investigations

4.61 The ANAO identified that, between October 2021 and August 2022, there were four active fraud investigations; an additional four investigations were suspended for the entire period and the NIAA supported eight investigations/prosecutions being undertaken by third parties. There was an average of six staff in the fraud investigation section of the Program Compliance and Fraud Branch during this time. The AGIS 2011 states that officials undertaking investigations need to have appropriate qualifications. The NIAA does not maintain evidence of investigative staff qualifications.

4.62 Section 3.2 of the Fraud Investigation Manual states that: ‘The adoption of appropriate planning tools and standards ensures cases are managed and investigated in an efficient and cost effective manner.’ Section 3.1 of the AGIS 2011 states that: ‘Agencies must employ investigation management procedures which are based on project management principles of managing resources, processes, work to be undertaken, time and outcomes’. This requirement was removed from the AGIS 2022.

4.63 There was no evidence that the Program Compliance and Fraud Branch employed project management principles or considered the ongoing value of continuing fraud investigations in the review period when the AGIS 2011 was in force. For example, after the commencement of investigations, the CAG did not monitor timeliness, or revisit the initial costs and benefits judgement about the value of the investigation.

Performance measurement of fraud investigations

4.64 The Fraud Investigation Manual outlines how performance for investigations will be measured (Box 2).

Box 2: Fraud investigation performance measures

Brief Quality: A yearly satisfaction survey from Commonwealth Director of Public Prosecutions (CDPP) in regard to the quality of the briefs of evidence submitted by the agency.

Compliance with AGIS 2011 Standards: Outcomes from yearly quality assurance reviews conducted in accordance with AGIS.

Efficiency: Outcomes from yearly quality assurance review of investigation timelines to ensure they are conducted in an efficient manner in line with an appropriate prioritised basis.

Effectiveness: Comparisons and analysis of sanctions across financial year periods.

4.65 For the period July 2020 to December 2022, none of the above performance measures were tracked, reviewed or reported on by the Program Compliance and Fraud Branch.

Information systems for compliance reviews and fraud investigations

4.66 Although compliance reviews and fraud investigations are required to be allocated a JADE (case management system) reference number, JADE is not the primary source of management information for compliance reviews or fraud investigations. The NIAA has identified challenges with providing staff with appropriate access and training to be able to use JADE effectively.

4.67 For both compliance reviews and fraud investigations, management information is prepared by the relevant director using multiple spreadsheets. Spreadsheets are used to manage and track the caseload and for preparing reports to the COO. The spreadsheets examined by the ANAO were not consistent over the period reviewed. The ANAO noted that spreadsheets use different numbering, ordering and descriptions of cases and there were inconsistencies in terminology, structure and content. The NIAA has confirmed to the ANAO that there is ‘no single source of truth’ for compliance review and fraud investigation information.

Recommendation no.7

4.68 The National Indigenous Australians Agency monitor and report on the resources, time and outcomes of compliance reviews and fraud investigations.

National Indigenous Australians Agency response: Agreed.

4.69 The Agency will review monitoring and reporting arrangements for compliance reviews and fraud investigations.

Do lessons learned inform changes to systems and processes?

The ability for the NIAA to use lessons learned from provider fraud and non-compliance management to inform changes to systems and processes is reduced by insufficient identification of lessons learned, inadequate assignment of action owners and insufficient monitoring.

4.70 The ICFF and the AGIS 2011 include specific requirements to identify and share learnings from fraud and non-compliance matters.[55] The ICFF emphasises the importance of the NIAA having ‘open communication’ so that activities may be informed by lessons learned, systemic issues or other outcomes and individual recommendations arising from compliance reviews and fraud investigations.

4.71 Auditor-General Report No. 11 2020–21, Indigenous Advancement Strategy – Children and Schooling Program and Safety and Wellbeing Program, September 2020, noted that:

NIAA collects lessons learned through a variety of processes. The considerable amount of valuable information gathered is not yet sufficiently integrated to effectively inform program administration.

4.72 The ANAO considered whether lessons learned had been comprehensively considered across all aspects of the matter and had been appropriately communicated and incorporated into organisational change.

4.73 The NIAA has not set out an approach for the consideration of lessons learned to reflect the expectations outlined in the ICFF. However, the relevant areas of the NIAA that deal with provider fraud and non-compliance have established approaches to the consideration of lessons learned.

  • The Program Performance Delivery group identifies opportunities for improvement as part of its assurance activities, including those undertaken by the Grant Assurance Office. These activities are described at paragraphs 2.54 to 2.56. Each Grant Assurance Office report includes consideration of lessons learned and potential control improvements.
  • The Program Compliance and Fraud Branch has established principles for building on lessons learned in the ICFF. At the case level, the Program Compliance and Fraud Branch has established templates to collect lessons learned information from individual compliance reviews and fraud investigations as part of the preparation of closure reports, although, as noted at paragraphs 4.45 and 4.58, lessons learned are not always covered in these reports. The Program Compliance and Fraud Branch also periodically includes information on the key themes and lessons learned from its activities, including compliance reviews and fraud investigations, into the monthly COO reports. These lessons learned are generally written as broad observations related to the control environment or approach to provider fraud and non-compliance.

4.74 There is little monitoring of the implementation of activities identified to deal with lessons learned.

  • Grant Assurance Office report recommendations are agreed with management at the time of the report, however there is inconsistent monitoring of the implementation of agreed actions. The Grant Assurance Office does refer to previous actions in some of their reports where issues remain outstanding.
  • Lessons learned actions identified in Program Compliance and Fraud Branch closure reports do not always include dates for implementation or agreed action owners. The implementation of lessons learned from compliance reviews and fraud investigations is not currently monitored or tracked by the Program Compliance and Fraud Branch.
  • Program Compliance and Fraud Branch COO reports have no specific action items, owners or timeframes for lessons learned and do not consider how this information will be incorporated into continuous improvement initiatives such as the ICFF implementation plan, risk management implementation plan or Grants Plus[56] continuous improvement project.

4.75 The ICFF requires lessons learned from provider fraud and non-compliance activities to be communicated and reported to the Policy and Delivery Committee. In 2021–22 the Policy and Delivery Committee received papers related to assurance activity outcomes from the Program Performance Delivery group, management-initiated review outcomes and progress information related to the ICFF. For 2021–22 the Policy and Delivery Committee did not receive any information from the Program Compliance and Fraud Branch on the outcomes of its activities such as lessons learned from compliance reviews and fraud investigations. In November 2022 the Program Compliance and Fraud Branch informed the ANAO that it had added an update on the outcomes of Program Compliance and Fraud Branch activities to the Policy and Delivery Committee rolling work plan.

Opportunity for improvement

4.76 The NIAA implement arrangements to ensure that agreed actions flowing from lessons learned related to managing provider fraud and non-compliance are assigned owners and timeframes, and implementation is monitored.

Appendices

Appendix 1 Entity response

Page one of the response from the National Indigenous Australians Agency. A summary of the response can be found in the summary and recommendations chapter.

Page two of the response from the National Indigenous Australians Agency. A summary of the response can be found in the summary and recommendations chapter.

Appendix 2 Improvements observed by the ANAO

1. The existence of independent external audit, and the accompanying potential for scrutiny improves performance. Improvements in administrative and management practices usually occur: in anticipation of ANAO audit activity; during an audit engagement; as interim findings are made; and/or after the audit has been completed and formal findings are communicated.

2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts. The ANAO’s 2022–23 Corporate Plan states that the ANAO’s annual performance statements will provide a narrative which will consider, amongst other matters, analysis of key improvements made by entities during a performance audit process based on information included in tabled performance audit reports.

3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:

  • strengthening governance arrangements;
  • introducing or revising policies, strategies, guidelines or administrative processes; and
  • initiating reviews or investigations.

4. In this context, the below actions were observed by the ANAO during the course of the audit. It is not clear whether these actions and/or the timing of these actions were planned in response to proposed or actual audit activity. The ANAO has not sought to obtain assurance over the source of these actions or whether they have all been appropriately implemented.

  • IAS Program Health Check completed (June 2021) (paragraph 2.62).
  • Compliance, Fraud and Complaints Standard Operating Procedures established (April 2022) (paragraph 4.5).
  • Fraud Risk Exposure Assessment process established (May 2022) (paragraph 2.30).
  • Grant Assurance Office increased from one part-time position to 1.6 full-time equivalent positions (2021–22) (paragraph 2.54).
  • NIAA Fraud and Corruption Control System 2022–24 established (July 2022) (paragraph 3.21).
  • Compliance Control and Management Standard Operating Procedures established (July 2022) (paragraph 4.5).
  • Review of induction and mandatory training arrangements commenced (August 2022) (paragraph 3.28).
  • Grant Risk Management Guidelines established (September 2022) (Table 2.1).
  • Organisation Risk Profile, Select, Establish and Manage phases: Standard operating procedures established (October 2022) (paragraph 3.19).
  • Activity Risk Assessment (ARA), Select, establish, manage phase: Standard operating procedures established (October 2022) (paragraph 3.19).
  • Policy and Delivery Committee rolling work program updated to include information on Program Compliance and Fraud Branch activities and outcomes (November 2022) (paragraph 4.75).
  • NIAA Risk Management Policy and NIAA Risk Management Framework updated (January 2023) (paragraph 2.4).
  • Grants Assurance Office Forward Work Plan 2023 prepared (March 2023) (paragraph 2.55).

Footnotes

1 Between 2013 and 2019 the Department of the Prime Minister and Cabinet was the lead agency for Aboriginal and Torres Strait Islander affairs within the Australian Government.

2 National Indigenous Australians Agency (NIAA), Corporate Plan 2022–23 [Internet], NIAA, August 2022, p. 8, available from https://www.niaa.gov.au/sites/default/files/publications/niaa-corporate-plan-2022-23_0.pdf [accessed 1 March 2023].

3 Program 1.1 — Jobs, Land and the Economy; Program 1.2 — Children and Schooling; Program 1.3 — Safety and Wellbeing; Program 1.4 — Culture and Capability; Program 1.5 — Remote Australia Strategies; Program 1.6 — Evaluation and Research; and Program 1.7 — Program Support.

4 The 1500 activities and $1.03 billion funding excludes activities and funding related to National Aborigines and Islanders Day Observance Committee (NAIDOC) and Aboriginals Benefit Account (ABA).

5 Commonwealth Fraud Prevention Centre, Grants Administration, Counter Fraud Toolkit, May 2022, p. 3.

6 The Executive Board of the NIAA supports the Chief Executive Officer in the achievement of the NIAA’s strategic priorities, and is responsible for ensuring effective operations, efficient use of resources and risk management.

7 Department of Finance (Finance), Commonwealth Risk Management Policy, Finance, updated 29 November 2022, available from https://www.finance.gov.au/government/comcover/risk-services/management/commonwealth-risk-management-policy [accessed 1 March 2023].

8 Attorney-General’s Department (AGD), Commonwealth Fraud Control Framework, AGD, 23 August 2017, p. A1, available from https://www.ag.gov.au/sites/default/files/2020-03/CommonwealthFraudControlFramework2017.PDF [accessed 1 March 2023].

9 Better practice fraud guidance can be found in: Department of Finance, Resource Management Guide No. 201 - Preventing, detecting and dealing with fraud, Finance, 2017.

10 In April 2023 the NIAA advised the ANAO that this description of the Audit and Risk Committee’s responsibilities is not consistent with the Audit and Risk Committee Charter, which states that the Audit and Risk Committee’s role is to provide independent advice on the appropriateness of the NIAA’s financial and performance reporting responsibilities, risk oversight and management and system of internal control. It further advised the ANAO that it is amending its Risk Management Policy to be consistent with the Charter.

11 Risk and fraud risk assessments examined by the ANAO were selected on the basis of their relevance to provider fraud and non-compliance or their being reflective of new approaches/processes undertaken by the NIAA. The 64 assessments comprised: group risk assessments for Program Performance Delivery for 2021–22 and 2022–23; branch risk assessment for the Program Compliance and Fraud Branch for 2021–22 and draft assessment for 2022–23; a sub-program risk assessment for ‘1000 Jobs Package’; fraud risk assessments for: Territories Stolen Generation Redress Scheme, Indigenous Rangers Program, 1000 Jobs Package; and 56 corporate and program/sub-program fraud risk assessments included in the Draft Fraud Risk Register 2021.

12 The Department of Finance has identified the major changes to the Commonwealth Risk Management Policy as:

  • a new element requiring entities to regularly review control effectiveness;
  • a new element requiring entities to have arrangements in place for identifying, managing and escalating emerging risks;
  • the inclusion of specific risk management responsibilities that should be defined in an entity’s risk management framework; and
  • the simplification and consolidation of existing elements, including the use of clearer language and a reduction in complex risk management terminology.

Department of Finance, Revised Commonwealth Risk Management Policy 2023 [Internet], Finance, December 2022, available from https://www.finance.gov.au/about-us/news/2022/revised-commonwealth-risk-management-policy-2023 [accessed 13 March 2023].

13 The Program Performance Committee is a sub-committee of the Policy and Delivery Committee. The Policy and Delivery Committee is a sub-committee of the Executive Board. Refer to Figure 2.2.

14 Similar statements are made in the Fraud Control Plan 2020–22.

15 In April 2023 the NIAA identified an unendorsed fraud risk register that it stated was created in 2020 and used as the basis for the preparation of the Fraud Control Plan 2020–22. The NIAA stated to the ANAO that it had not been provided to the ANAO previously because it was inadvertently filed as a January 2019 risk register. The 2020 fraud risk register included four fraud risks assessed as ‘high’. The register included treatment plans for these ‘high’ risks, some of which were to be implemented by 2017–18 (assessments not contemporary at the time of preparing the Fraud Control Plan 2020–22). In addition, the NIAA advised the ANAO in April 2023 that it had implemented a revised fraud risk register in October 2022 to better meet the requirements of the Fraud and Corruption Control System 2022–24.

16 For example, the risk for ‘unauthorised access to ICT systems’ had a residual risk rating of ‘high’. Related treatment plans included implementation dates of June 2019. At the time of preparing the FCCS, this risk assessment had not been reviewed since November 2017. The FCCS requires high rated fraud risks to be reviewed ‘at least yearly’.

17 In the context of risk, the NIAA refers to program and sub-programs to reflect individual or groups of grant activities.

18 The FCCS requirements for the frequency of fraud risk assessments are the same as those in the NIAA’s previous fraud control plan.

19 One risk rating was provided for a program which could include multiple fraud risks.

20 The November 2022 Charter changed the membership requirement to ‘three or four independent members appointed by the Chief Executive Officer’.

21 The three lines of defence is a model used to identify the elements of an entity’s assurance environment. Its use is widespread in corporate and public sector organisations.

22 The function of the Program Compliance and Fraud Branch would normally include activities classified as second line assurance. However, the Branch has been listed under first line assurance as important second line assurance activities were not undertaken by the Program Compliance and Fraud Branch during the audit review period. For example, the Program Compliance and Fraud Branch did not review fraud risk assessments undertaken by business areas or perform fraud and corruption control testing as required by the Fraud and Corruption Control System.

23 The ANAO noted that the role of the Grant Assurance Office was differently described on the NIAA intranet as: ‘to develop and implement an internal quality control and assurance framework that covers the key steps of the grant lifecycle’. This role, being quality control, suggests the Grant Assurance Office is also performing a first line activity.

24 The planned internal audit of grants management and assurance is to undertake an assessment of the effectiveness of processes and procedures used in the Grants Assurance Office to improve NIAA grants management and as a source of assurance.

25 Standards Australia, Fraud and corruption control, AS 8001:2021, pp. 30–34.

26 The Program Performance Delivery group business plans were examined as this group is responsible for the development, maintenance and implementation of grants management processes and policies.

27 The Program Compliance and Fraud Branch business planning documents were examined as this branch is responsible for undertaking compliance and fraud action and assists, advises and trains staff in compliance management to strengthen the capacity of providers.

28 Department of Finance, Commonwealth Grants Rules and Guidelines 2017, p. 40 defines grant opportunity guidelines as document(s) containing the relevant information required for potential grantees to understand: the purpose, outcomes and objectives of a grant; the application and assessment process; the governance arrangements (including roles and responsibilities); and the operation of the grant.

29 According to the Commonwealth Grants Rules and Guidelines, one-off or ad hoc grants are those that are designed to meet a specific need, often due to urgency ‘or other circumstances’ (Department of Finance, Commonwealth Grants Rules and Guidelines 2017, Finance, p. 6), are usually determined by Ministerial decision, and are generally not available to a range of grantees or on an ongoing basis (paragraph 13.11, p. 37).

30 The NIAA’s Standardised Control Framework determines the grant agreement and grants management controls required for grant activities based on the final activity risk assessment risk level. It stipulates the controls to be applied relative to the assessed risk level.

31 The Grant Risk Management Review (see Table 2.3) assessed, amongst other things, the processes associated with ORPs and ARAs. The Grant Risk Management Review identified deficiencies with the quality of ORPs and ARAs, including that they did not identify relevant risks, were incomplete, incorrectly rated risks and were not prepared or updated in a timely fashion.

32 The Fraud Risk Assessment Summary identifies 129 fraud risk assessments; of these, 115 relate to program/sub-program fraud risk assessments and the balance are corporate fraud risk assessments.

33 Standards Australia, Fraud and corruption control, AS 8001:2021, pp. 30–34.

34 The differences included at which levels of seriousness of non-compliance to seek advice from the Program Compliance and Fraud Branch and program areas. The role of the Grants Advice Team in providing advice was also excluded from the new escalation workflow.

35 Australian Government, Australian Government Investigations Standards 2011, Canberra, 2011, available from https://www.ag.gov.au/sites/default/files/2022-12/Australian-Government-Investigations-Standard-2011.pdf [accessed 1 March 2023].

36 The Compliance Intake Team is also referred to as the Intelligence Assessments Team.

37 JADE is the case management software used by the NIAA to record compliance review and fraud investigation information.

38 The Compliance, Fraud and Complaints Standard Operating Procedures indicate that the reasons for a compliance review include the need for an independent site visit or PCFB to take the lead. There is no discussion in the Compliance, Fraud and Complaints Standard Operating Procedures of a desktop review as relevant methodology for a compliance review. Desktop reviews are discussed in the context of ISCMs.

39 The NIAA has advised the ANAO that these standard operating procedures will be updated to reflect the ICFF.

40 A formal cost benefit analysis is not prepared for consideration by CAG. The assessment is typically an official’s judgement about whether benefits outweigh the costs of conducting an investigation.

41 The Australian Institute of Criminology, Fraud against the Commonwealth 2020–21, June 2022, p. 2. The Australian Institute of Criminology classifies ‘medium’ agencies as having between 251 and 1000 employees, and ‘large’ agencies as having between 1001 and 10,000 employees. The NIAA is a ‘large agency’ on the basis of its staffing level of 1332 staff at 30 June 2022.

42 The Australian Institute of Criminology, Fraud against the Commonwealth 2020–21, June 2022, p. 5. The ANAO calculation is based on information contained in Table 1: Size of responding entities, 2020–21 and Table 4: Commenced fraud investigations by entity size and fraud type, 2020–21. The calculation was number of external fraud investigations commenced divided by the number of entities for medium category (835/34=25) and large category (396/33=12) entities.

43 The average number of days was calculated using the ISCMs master spreadsheet. The average number of days was calculated by subtracting the commencement date from the closure date for each of the ISCMs in the period 2021–22 and the total was divided by the number of records.

44 In NIAA guidance materials reference is provided to four phases of a compliance review. The NIAA does not consider scope preparation as a separate phase of the review, but rather as part of the triage process.

45 The three scoping documents were randomly selected by the ANAO from the listing of all compliance reviews commenced since July 2020.

46 The three reports examined were randomly chosen by the ANAO from the listing of all compliance reviews finalised since July 2020.

47 The Standard Operating Procedures indicate that the eight week timeframe does not include ‘pauses’ that may occur when other matters are prioritised, or input is sought from other areas of the NIAA.

48 The average number of days was calculated using the compliance case management master spreadsheet. This spreadsheet indicates that ten compliance review matters were closed in the financial year. The average number of days was calculated by subtracting the commencement date from the closure date for each of the ten matters. The total number of days was divided by ten.

49 Procedures state that a Compliance Review may need to be paused (suspended) for a number of reasons. The durations calculated by the ANAO include any periods of case suspension. Excluding periods of case suspension would result in a lower average duration; however, the total period is of relevance in understanding the total time in which cases remain open. Moreover, suspension periods are not captured in a centralised spreadsheet that would allow for such calculations to be made.

50 The three fraud investigations examined were randomly chosen by the ANAO from the listing of all fraud investigations finalised since July 2020.

51 The NIAA advised the ANAO that a budget and timeframe would be difficult to estimate at the start of a fraud investigation as there are too many unknowns. The Program Compliance and Fraud Branch is required to manage the budget of the Branch as part of business planning activities. Although the overall budget for the Branch is monitored, the Program Compliance and Fraud Branch does not assess whether the resources, time and funds used on an individual fraud investigation represent efficient use of resources.

52 At the same time as the fraud investigation, a compliance review was being undertaken on the provider for the same allegations. The compliance review was commenced in February 2020 and was closed in March 2022.

53 Australian Government, Australian Government Investigations Standards 2011, Canberra, 2011, p. 11.

54 The average number of days was calculated using the closure reports provided by the NIAA for five fraud investigations. The average number of days was calculated by subtracting the commencement date from the closure date for each of the fraud investigations and the total number of days was divided by five.

55 Australian Government, Australian Government Investigations Standards 2011, Canberra, 2011, p. 12.

56 ‘Grants Plus’ was another name for the Grants Business Transformation Project.