Background

In 1999, the ANAO conducted a survey of fraud control arrangements in Australian Public Service (APS) agencies, which revealed that although a majority of agencies had implemented relevant systems to prevent and deal with fraud, there was still a significant proportion of agencies that did not have appropriate arrangements in place.¹

In May 2002, the revised Commonwealth Fraud Control Guidelines (the Guidelines) were released by the Attorney-General. The May 2002 Guidelines included some significant changes from the previous Commonwealth Fraud Control Policy. APS agencies were made aware of these changes through the circulation of Consultation Drafts prior to the release of the revised Guidelines.

The ANAO decided to conduct another survey of fraud control arrangements in the APS to identify improvements made by agencies since the 1999 survey and in response to the revised Guidelines. One hundred and sixty agencies (including both FMA agencies and CAC bodies) were involved in the survey. Government Business Enterprises were not included.

The objective of the survey was to assess key aspects of the fraud control arrangements in place across APS agencies against the Commonwealth Fraud Control Guidelines 2002 (the Guidelines).

Key findings

Defining and Measuring Fraud (Chapter 2)

The survey responses revealed that agencies are using a variety of definitions for fraud, which impacts directly on the ability to measure the incidence and cost of fraud committed against the Commonwealth. In the absence of clear guidelines for agencies to follow in attributing a dollar value to a case of fraud, ANAO encourages agencies to report the value of fraud as estimated through their initial investigations.

Only 50 per cent of agencies that responded to the 2002 survey reported using the current Commonwealth definition set out in the Guidelines. Some 32 per cent advised they were still using the previous Commonwealth definition, 11 per cent advised they used an agency-specific definition and 7 per cent did not supply a definition to ANAO or indicated that they considered that a definition of fraud was not applicable to their operations.

ANAO appreciates that some agencies, particularly large agencies, have difficulty in applying the current Commonwealth definition in relation to all of their operations. For example, the provision of inaccurate information by applicants for Commonwealth benefits might constitute fraud within the quite broad Commonwealth definition. However, in practical terms, it can be very difficult to substantiate fraud if the actions of the applicant could also be considered to fall within the policy guidelines for the particular benefit. In these circumstances, agencies are more likely to seek to recover the Commonwealth funds involved through administrative recoveries than to categorise and pursue the matter as fraud (see paragraphs 5.32 to 5.37 for further discussion of administrative recoveries). The ANAO notes that there is scope for future refinements of the Guidelines and/or other guidance to assist agencies by drawing out these issues further.

ANAO found that the lack of consistency was not limited to the overall definition of fraud used by an agency. Variations were also evident at other levels such as defining what constitutes an allegation of fraud and at what stage a case of fraud is considered proved. In addition, ANAO has identified, through various detailed performance audits on fraud control arrangements in selected agencies, that agencies often classify, treat and report matters resulting in losses to the Commonwealth as something other than fraud.

In response to ANAO's 2002 survey, agencies reported experiencing a total of $1.69 million in internal fraud in 2000-01 and $2.63 million in 2001–02. Agencies reported a total of $115.13 million in external fraud in 2000-01 and $90.7 million in 2001–02. However, these figures must be seen as only the minimum level of fraud because of a number of issues related to agencies' reporting of fraud, including the fact that a common definition of fraud is not used across the APS.

Accordingly, ANAO considers that agencies should work towards adopting the Commonwealth's current definition so that accurate data can be collected and analysed to provide accurate information about the level of fraud being perpetrated against the Commonwealth, the value of fraud, and emerging trends to inform fraud control activities across the Commonwealth.

Since the promulgation of the 1994 version of the Commonwealth Fraud Control Policy, agencies have been required to provide information on fraud matters to the Australian Federal Police (AFP) and the then Commonwealth Law Enforcement Board, which was part of the Attorney-General's Department (AGD). In addition, AGD also collected information on fraud matters from the AFP and the DPP. The ANAO notes that the fraud data provided by agencies to AGD under the 1994 policy did not generate any outcome to agencies that would enable them to appreciate the context of their returns. In ANAO's experience, this can have implications for the quality of the data provided by agencies.

However, under the Guidelines introduced in May 2002, agencies are now required to report annually to AGD on an expanded range of information collected on fraud matters including suspected fraud, matters under investigation, completed matters, whether the fraud is proven or not, and whether the matter was dealt with by a criminal, civil or administrative remedy. In November 2003, AGD advised ANAO that, since the introduction of the current Guidelines, AGD has provided feedback to a number of agencies on their fraud control arrangements and reporting requirements. In addition, AGD noted that the Minister for Justice and Customs plans on writing to his Ministerial colleagues, on a portfolio basis, detailing issues that have arisen out of the Fraud Annual Report to Government 2002-03, the first report to Government generated under the current Guidelines.

ANAO welcomes these developments and is jointly working with AGD on a Better Practice Guide for Fraud Control in the APS, expected to be released in early 2004, that should provide further opportunities to improve data quality in agencies.

Detailed analysis of responses provided by agencies to the ANAO's 2002 survey indicated that there had been a slight increase in the percentage of APS agencies reporting having experienced fraud.² The 2002 survey also established that the bulk of fraud continues to be experienced by a small percentage of agencies with 99 per cent of the reported fraud committed against approximately 10 per cent of agencies as compared to 85 per cent of reported fraud committed against less than 10 per cent of agencies in the 1999 survey.

Fraud Control Planning (Chapter 3)

The survey showed that awareness of the current Guidelines was high among APS agencies, with 95 per cent reporting being aware. Some 80 per cent of agencies also reported having an agency-specific fraud control policy in place. In addition, more than half of the respondent agencies had also developed their own agency-specific code of conduct/ethics to complement the APS values and code of conduct prescribed by the Public Service Act 1999.

ANAO's analysis of agencies' responses to the 2002 survey indicated that fraud risk assessments had been undertaken by most agencies. However, only 69 per cent of respondents had undertaken such a risk assessment in the preceding two years, as required by the Guidelines. Given the changing nature of fraud, this could result in agencies not identifying emerging risks in a timely manner. 

Some 70 per cent of respondent agencies reported that they had either developed or reviewed their fraud control plan in the preceding two years, in accordance with the Guidelines. Of the 30 per cent of agencies that reported not having reviewed their fraud control plan in the preceding two years, 11 were FMA agencies and 35 were CAC agencies. One FMA agency reported not having developed a fraud control plan at all, notwithstanding the requirement under section 45 of the FMA Act that the agency have a fraud control plan in place. Twenty-two CAC bodies also reported not having a fraud control plan in place.

ANAO's analysis of a sample of fraud control plans supplied by agencies in response to the survey identified a number of weaknesses, such as:

• plans not being based on recent risk assessments (that is undertaken in the preceding two years or on a rolling basis);
• plans not addressing the risks identified by the risk assessment; and
• responsibility not being allocated for development, implementation and review of the plans.

A particular issue ANAO noted was the tendency for agencies to comply with parts of the Guidelines rather than complying with them in full. For example, of the sample of 12 agency fraud control plans ANAO examined against the key features of an effective fraud control plan, as set out in the Guidelines, not one plan contained all of these key features.

Fraud Awareness and Training (Chapter 4)

Ninety-three per cent of responding APS agencies reported having undertaken some form of fraud awareness-raising activities. The main activities reported were the circulation of the fraud control plan and fraud control policy; inclusion of fraud-awareness in induction training; and the conduct of code of conduct/ethics training.

However, only 26 agencies had established specific policies and procedures to ensure that consultants, suppliers and other third-party providers were aware of, and complied with, the agency fraud control policy. Given the widespread use of contracting arrangements, it is sound practice for agencies to take steps to effectively communicate to contractors the importance of ethical behaviour and the agency's approach to fraud.

There has been an increase in the number of agencies that provide some form of training to their staff in relation to fraud control. However, two per cent of agencies that reported fraud also reported that they did not provide any form of relevant training to staff. This is a significant improvement on the previous survey where 22 per cent of agencies that had experienced fraud advised that they did not provide fraud control training to staff. While this is a welcome improvement, ANAO is concerned that at least 32 APS agencies continue to omit to provide any form of fraud control training to their staff.

A majority of agencies with staff responsible for fraud investigations are in the process of getting their staff trained to the required competency level. Other agencies have training plans in place to enable them meet the deadlines specified in the Guidelines for staff to achieve the required competency. One large agency recently advised ANAO that it had met 100 per cent of its training target as at 30 June 2003. There were a few other agencies that are yet to put mechanisms in place to address this mandatory requirement as at the date of their survey response.

Fraud Control Operations (Chapter 5)

The majority of respondents reported having established appropriate management structures for fraud control, with the most common structure being the Audit Committee. Additionally, most agencies had developed, and made available to staff, procedures and guidelines on the action to be taken in regard to fraud matters, including procedures for staff to report fraud. These guidelines were either independent documents or were part of documents such as agencies' Chief Executive's Instructions. However, only a small number of agencies had systems that encouraged the community to report suspected fraud

An important contribution to fraud prevention is to have a suitable management information system (MIS) that assists in identifying systemic issues or control weaknesses and helps to manage cases of fraud expeditiously once they have occurred. The ANAO asked agencies if they had an MIS in place for recording, monitoring and reporting all aspects of fraud control. Of the 157 agencies that responded to this question, only 48 agencies or some 31 per cent indicated that they had such an MIS in place. This reflected an increase of 14 per cent from the previous survey, in which only 17 per cent of respondents reported having such a system.

Of particular concern to the ANAO was that approximately 43 per cent of agencies that had reported having experienced fraud in the previous two years also advised that they did not have any form of fraud control MIS.

Agencies need to base their fraud control activities on sound information. However, ANAO also recognised the need for a fraud control MIS to be cost-effective for an agency. Accordingly, agencies need to tailor their MIS to meet their individual needs. ANAO encourages all agencies to implement Guideline 8 and establish costeffective systems tailored to meet their information needs for fraud control, recognising that for agencies with a low incidence of fraud, a simple manual-based system may be sufficient.

ANAO's detailed performance audits on fraud control arrangements undertaken in various agencies revealed, among other things, that agencies were more often unable to identify a dollar value for the administrative recoveries effected internally by them, than for fraud-related recoveries. Agencies need to be able to identify this value to assist the Commonwealth estimate the amount of funds recovered in relation to the estimated amount lost to fraud. (see Chapter 5 for information on the level of fraud and administrative recoveries reported by agencies).

Follow-up of ANAO Recommendations (Chapter 6)

The ANAO sought information from the agencies included in eight recent detailed performance audits on fraud control arrangements about their progress with implementing the recommendations included in these audit reports. Of the 35 recommendations, the audited agencies advised they had fully implemented 18 recommendations and were in the process ofimplementing a further 13. Of the remaining four recommendations, ANAO was advised that one had not been implemented but it was unclear to ANAO from the advice provided whether the other three were being implemented or not.

Some three quarters of respondent agencies reported that, in accordance with advice provided in Finance Circular No. 2 of 1999, they were monitoring for general applicability ANAO recommendations made in performance audits of other agencies and were, as a result, implementing changes, where practical.³ Agencies that have not been monitoring the recommendations, are encouraged to do so, not only to enhance fraud control arrangements across the APS but, more generally, to ensure that all matters raised by ANAO that effect the agency are identified and satisfactorily addressed.

Overall audit conclusion

In comparison to the results from the previous survey, the ANAO concluded that a larger number of APS agencies had established suitable fraud control arrangements in line with the Commonwealth Guidelines. However, there are still a number of agencies that need to:

• undertake risk assessments on a regular basis to keep abreast of current trends and the changing nature of fraud;
• develop fraud control plans based on the most recent risk assessment, and to monitor and review the plans for effectiveness on a regular basis; and
• implement a cost-effective fraud control MIS to suit the needs of the agency.

The 2002 survey highlighted that 99 per cent of fraud against the Commonwealth is committed against approximately 10 per cent of the agencies. These agencies tended to be the ones with comprehensive fraud control systems in place. The other agencies that reported experiencing fraud, experienced relatively lower levels of it. This does not mean that those agencies that did not report fraud can assume an absence of it. It may mean that they either do not have the systems in place to detect fraud or that the systems already in place are ineffective or inadequate.

Footnotes

1 Audit Report No.47 1999–2000, Survey of Fraud Control Arrangements in APS Agencies, p.14.

2 Some 44 per cent of agencies responding to 2002 survey reported that they had experienced some fraud in the preceding two years as compared to 40 per cent of respondent agencies in the 1999 survey.

3 Finance Circular No. 2 of 1999 on the Follow-up of Auditor- General Matters, recommended that agencies review all Auditor-General reports for applicability, identify matters that affect the entity and satisfactorily address the recommendations made.