Audit snapshot

Why did we do this audit?

  • Effective fraud control arrangements are integral to protect the integrity of the tax system, maintain public confidence and prevent a culture of non-compliance.
  • During 2021–22 the Australian Taxation Office (ATO) identified a significant increase in attempts to obtain false Goods and Services Tax (GST) refunds. This audit will provide assurance to Parliament over the ATO’s management and oversight of fraud control arrangements for the administration of GST.

Key facts

  • GST collected by the ATO has increased from $48.4 billion in 2012–13 to $81.4 billion in 2022–23.
  • The ATO processed 11.2 million Business Activity Statements in 2022–23.

What did we find?

  • The ATO’s management and oversight of fraud control arrangements for the GST is partly effective.
  • The ATO has implemented partly effective strategies to prevent GST fraud, but the framework for assessing and managing GST fraud risk is not fit for purpose.
  • The ATO has implemented largely effective strategies to detect and deal with GST fraud but does not have a strategy to deal with large-scale fraud events.
  • The ATO’s oversight, monitoring and reporting of GST fraud is partly effective, as roles and responsibilities are not clear.

What did we recommend?

  • There were five recommendations to the ATO aimed at strengthening assurance and improving responses to fraud events.
  • The ATO agreed to all five recommendations.

$2.0bn

estimated Operation Protego GST fraud (April 2022 to 30 June 2023).

>57,000

estimated Operation Protego participants in GST fraud (April 2022 to 30 June 2023).

4,745

tip-offs related to GST fraud (2019–20 to 2022–23).

Summary and recommendations

Background

1. The Australian Taxation Office (ATO) administers the Goods and Services Tax (GST), and in 2022–23 collected $81.4 billion of GST and raised an additional $6.1 billion in GST liabilities.

2. All Commonwealth entities are required to have fraud control arrangements in place to ensure proper use of public resources, minimise losses and maintain public confidence.1 GST fraud can undermine the integrity of the tax system, reduce the revenue available for the Commonwealth to make GST payments to the states and territories and penalise taxpayers who do the right thing. Preventing and detecting GST fraud may contribute to the ATO’s purpose of ‘fostering willing participation in the taxation and superannuation system’.2

Rationale for undertaking the audit

3. All Commonwealth entities are required to have fraud control arrangements in place in accordance with the Commonwealth Fraud Control Framework. Preventing and detecting GST fraud is integral for minimising loss of GST revenue available for the Commonwealth to make payments to the states and territories and maintaining public confidence in the tax system to support voluntary compliance.

4. This audit provides assurance to the Parliament that the ATO has effective management and oversight of fraud control arrangements for the administration of GST to protect the integrity of the tax system.

Audit objective and criteria

5. The objective of the audit was to assess the effectiveness of the Australian Taxation Office’s management and oversight of fraud control arrangements for the Goods and Services Tax.

6. To form a conclusion against the objective, the following criteria were adopted:

  • Has the ATO implemented effective strategies to prevent GST fraud?
  • Has the ATO effectively implemented strategies to detect and respond to GST fraud?
  • Has the ATO implemented effective arrangements to oversee, monitor and report on fraud control arrangements for the administration of GST?

Conclusion

7. The ATO’s management and oversight of fraud control arrangements for the GST is partly effective. The lack of clarity for roles and responsibilities, inadequate implementation of assurance requirements, and absence of a holistic and contemporary view of GST fraud risks undermines the effectiveness of efforts to prevent, detect and respond to fraud events in a timely manner and minimise fraud losses.

8. The ATO has implemented partly effective strategies to prevent GST fraud. The ATO has established an enterprise framework for fraud, but it is not fit for purpose and is not operating as intended. The ATO assesses fraud risks and produces an annual fraud and corruption control plan. It is not evident how the ATO’s 2023 Fraud Control and Corruption Plan deals with identified external fraud risks as required under paragraph 10(b) of the Public Governance, Performance and Accountability Rule. The ATO has implemented mandatory training which includes fraud awareness content and monitors compliance with its requirement for ATO employees and contracted individuals to complete the mandatory training. The ATO raises awareness of GST fraud among external stakeholders through publishing information on its website and social media accounts.

9. The ATO’s processes to detect and deal with suspected GST fraud are largely effective. The ATO has implemented effective processes to confidentially report allegations of suspected fraud. The ATO has procedures to assess and refer ‘tip offs’ of external fraud to the relevant business line for further action, and to assess and investigate allegations of suspected internal fraud. The ATO has methods to detect potential GST fraud. The ATO has processes for investigating suspected fraud and taking action but does not have a procedure to respond to a large-scale fraud event.

10. The ATO has partly effective governance arrangements for GST fraud control. There is a lack of clarity regarding ownership of GST risks and artefacts to support risk assessment, monitoring and treatment are incomplete or in draft. The ATO provide reports to its Audit and Risk Committee through the ATO’s conformance reporting process and dashboard. The benchmark used in the dashboard reporting is not fit for purpose as it is a measure of fraud and error for government payments. In contrast, the ATO’s fraud indicators reported in the dashboard are the proportion of tax lodgments that are referred for investigation.

Supporting findings

Goods and Services Tax fraud prevention

11. The ATO has established an enterprise framework for fraud, but it is not fit for purpose and is not operating as intended. The ATO has established an external fraud risk owner and an internal fraud risk owner. The Commissioner of Taxation has issued two Chief Executive Instructions (CEIs) setting out the requirements for managing fraud — one for external fraud and one for internal fraud. The CEIs do not reflect the roles and responsibilities in place in the ATO’s current structure. The ATO is in the process of clarifying roles and responsibilities for managing fraud risk and making the relevant changes to its CEIs. The ATO’s conformance reporting process for external fraud is not fit for purpose. The ATO Audit and Risk Committee relies on this information to provide assurance to the Commissioner of Taxation as the ATO’s accountable authority. The ATO advised the ANAO in June 2023 that it is planning to redesign the external fraud conformance process to support the revised roles and responsibilities framework. (See paragraphs 2.3 to 2.20).

12. The ATO assesses fraud risks and produces an annual fraud and corruption control plan. It is not evident how the ATO’s 2023 Fraud Control and Corruption Plan deals with identified external fraud risks (including GST fraud risks) as required under paragraph 10(b) of the Public Governance, Performance and Accountability Rule, or whether the ATO’s controls and strategies for external fraud are commensurate with assessed fraud risks as suggested in the fraud guidance. The ATO has completed internal fraud and corruption risk assessments, largely within the two-year timeframe suggested in the Commonwealth fraud guidance. The ATO has not completed external fraud risk assessments within the two-year timeframe required by its external fraud governance framework. No ATO business line has completed a business line level fraud risk assessment relevant to GST fraud since 2020. As of June 2023, the ATO was working towards clarifying the roles and responsibilities for assessing and managing GST fraud risks. (See paragraphs 2.21 to 2.53).

13. The ATO has documented a clear and widely available definition of what constitutes fraud in its Fraud and Corruption Control Plan 2023. The ATO’s external and internal fraud CEIs require ATO employees and contracted individuals to complete ‘mandatory training’, which includes three courses with fraud awareness content. The ATO monitors compliance with its requirement that staff complete mandatory training and reports completion rates for these three courses to the ATO Audit and Risk Committee. (See paragraphs 2.54 to 2.63).

14. The ATO has established external communications products that raise GST fraud awareness among external stakeholders. Information from these products is contained on the ATO’s website and social media posts. (See paragraphs 2.64 to 2.68).

Goods and Services Tax fraud detection, investigation and response

15. The ATO has processes for ATO officials and members of the public to confidentially report allegations of suspected GST fraud. The ATO has documented instructions and procedures for ATO officials to assess reports of suspected external fraud (including suspected GST fraud) and to refer these reports to the relevant business line for further investigation. (See paragraphs 3.2 to 3.9).

16. The ATO has largely appropriate methods to detect potential GST fraud. The ATO’s measures of effectiveness for GST fraud detection have improved over time. Registers of controls used to detect potential GST fraud are dispersed across ATO business lines and the ATO does not maintain a centralised register. The dispersed nature of GST controls means the ATO relies on internal committee discussions to draw together a ‘whole of GST product’ perspective on the effectiveness of these methods, rather than on collated or aggregated data. The Contemporising GST Risk Models (CGRM) project involves a redesign of existing risk models to detect Business Activity Statement refunds that are incorrect, based on a risk likelihood score. The CGRM project ran 12 months behind schedule, with models being deployed over time from May 2021 to January 2022. The ATO is assessing the effectiveness of two risk models deployed under the CGRM project (the identity crime and the incorrect reporting models) through a random audit program. This project is running eight months behind schedule. The ATO utilises other methods to detect potential GST fraud including data matching, referrals from financial institutions and using justified trust to assure GST compliance of large businesses. (See paragraphs 3.10 to 3.33).

17. The ATO has largely appropriate processes in place for investigating suspected fraud and taking appropriate action. The ATO has documented procedures in place to investigate suspected internal fraud and external fraud and is in the process of updating documents to meet the Australian Government Investigations Standard 2022 requirements. The proportion of Integrated Compliance cases and audits resulting in a GST adjustment was 32.4 per cent of cases and 81.9 per cent of audits completed in 2022–23. The ATO did not have a procedure to respond to a large-scale external fraud event such as the GST fraud event that led to the ATO’s ‘Operation Protego’ response from April 2022 to October 2023. The ATO publicly reports the results of tax crime prosecutions, including prosecutions for GST fraud, on the ATO website. (See paragraphs 3.34 to 3.50).

Oversight, monitoring and reporting

18. The ATO’s governance and reporting arrangements for GST fraud control are partly effective. The ATO has identified there is a lack of clarity regarding accountability for GST fraud control and after two years of committee discussions this issue remains unresolved. Interim arrangements establishing a GST Fraud Advisor were endorsed by the GST Product Committee (an ATO SES Band 2 committee with responsibility for GST administration within the ATO) in September 2023, with a risk assessment on fraud in the GST system along with a deep dive on fraud in the GST system to be completed in early 2024. The ATO provides reports to its Audit and Risk Committee through the ATO’s conformance reporting process and dashboard. The benchmark used in the dashboard reporting is not fit for purpose as it is a measure of fraud and error for government payments. In contrast, the ATO’s fraud indicators reported in the dashboard are the proportion of tax lodgments that are referred for investigation. (See paragraphs 4.2 to 4.35).

19. The ATO has met the external reporting requirements of the Commonwealth Fraud Control Framework by providing the required Information to the Australian Institute of Criminology in the form required by the specified deadline. (See paragraphs 4.36 to 4.39).

Recommendations

Recommendation no. 1

Paragraph 2.19

The Australian Taxation Office, as a matter of priority, should finalise its work on:

  1. clarifying and documenting the roles and responsibilities for fraud prevention, detection, and treatment;
  2. redesigning the external fraud conformance process to support the revised roles and responsibilities; and
  3. making the necessary changes to the external fraud and internal fraud Chief Executive Instructions.

Australian Taxation Office response: Agreed

Recommendation no. 2

Paragraph 2.36

The Australian Taxation Office should conduct and document assessments of its GST fraud risks regularly and ensure that it has a contemporary and holistic view of its GST fraud risks.

Australian Taxation Office response: Agreed

Recommendation no. 3

Paragraph 2.51

The Australian Taxation Office ensures that its fraud control and corruption plans are based on identified fraud risks that are documented in risk assessments.

Australian Taxation Office response: Agreed

Recommendation no. 4

Paragraph 3.48

The ATO should develop and implement a response for large-scale fraud events that do not meet the criteria specified in the extant Integrity Incident Response Framework. The response should encompass:

  1. the ability to monitor early warning signals from the disparate fraud detection methods across ATO business lines, including ‘tip-offs’ received by the ATO Tax Integrity Centre;
  2. identification of escalation triggers and the pathways that will be followed to develop an ATO response;
  3. a clear allocation of decision-making authority and accountability for initiating and finalising a rapid response;
  4. a prioritisation approach for action, emphasising the prevention and containment of revenue leakage;
  5. actions to recover losses; and
  6. criteria to evaluate the success of the framework’s use to contain fraud events, and the ability to adjust the framework in response to evaluation findings.

Australian Taxation Office response: Agreed

Recommendation no. 5

Paragraph 4.32

The Australian Taxation Office should:

  1. consider an alternative benchmark for ATO fraud indicators; and
  2. remove references to the ‘AGD fraud benchmark’.

Australian Taxation Office response: Agreed

Summary of entity response

The ATO welcomes the ANAO’s audit into its fraud control arrangements for the administration of the GST. Fraudsters’ tactics continuously develop, and the environment is rapidly evolving. The ATO, like other tax administrations and organisations around the world, continues to face increasing fraud attacks, often seeking to subvert the improved client experiences offered through digitalisation.

Protecting the ATO’s systems and the broader tax ecosystem from fraud is a constant fight, and one that the ATO takes extremely seriously. The ATO’s internal and external intelligence sources, risk models and pre-issue integrity activities identified a significant increase in attempts to obtain false GST refunds from December 2021. We responded to the threat and publicly announced Operation Protego in May 2022. The operation successfully contained this fraud and significantly strengthened a range of system controls.

In July 2023, we established the Fraud and Criminal Behaviours business line to focus on further protecting the system and clients against fraud and have since implemented a range of additional fraud defences.

We will continue to implement and build on the recommendations identified by the ANAO, which we consider will support the already improved management and assurance of fraud control arrangements for the GST.

Key messages from this audit for all Australian Government entities

20. Below is a summary of key messages, including instances of good practice, which have been identified in this audit and may be relevant for the operations of other Australian Government entities.

Group title

Governance and risk management

Key learning reference
  • Fraud losses can occur rapidly, particularly during large-scale fraud events. Entities should regularly assess the risk of a large-scale fraud event, monitor early warning signals and plan for a whole-of-entity response that can mobilise resources with the aim of minimising fraud losses and recovering amounts lost to fraud.
Group title

Performance and impact measurement

Key learning reference
  • Setting a benchmark against which performance is assessed can improve organisational effectiveness and assist an entity to make decisions about when and how to deploy its resources. To ensure benchmarks are reliable, verifiable and free from bias, entities should regularly review performance measures (including targets and benchmarks) and amend if necessary to ensure they are fit for purpose.

1. Background

Introduction

1.1 The Australian Taxation Office (ATO) administers the Goods and Services Tax (GST). In accordance with paragraph 25 of the Intergovernmental Agreement on Federal Financial Relations (IGAFFR), the Commonwealth makes GST payments equivalent to the revenue received from the GST to the states and territories for any purpose, with the states and territories reimbursing the Commonwealth for the ATO’s cost of administering the GST.3 The accountability and performance arrangements between the ATO and the Council on Federal Financial Relations as required under the IGAFFR have been established under the GST Administration Performance Agreement.4 The framework enabling the ATO to administer the GST is detailed in Appendix 3.

1.2 In 2022–23 the ATO collected $81.4 billion of GST and raised an additional $6.1 billion in GST liabilities.5 The ATO’s cost of administering the GST for 2022–23 was $653.3 million.

1.3 The Australian Government defines fraud as:

Dishonestly obtaining a benefit or causing a loss by deception or other means.6

1.4 Fraud against the Commonwealth can be committed by officials or contractors (internal fraud) or by external parties such as clients, service providers, other members of the public or organised criminal groups (external fraud). All Commonwealth entities are required to have fraud control arrangements in place to ensure proper use of public resources, minimise losses and maintain public confidence.7

1.5 GST fraud can undermine the integrity of the tax system, reduce the revenue available for the Commonwealth to make GST payments to the states and territories and penalise taxpayers who do the right thing. Preventing and detecting GST fraud may contribute to the ATO’s purpose of ‘fostering willing participation in the taxation and superannuation system’.8

Key Commonwealth requirements on fraud control

1.6 The requirements for Australian Government entities to have fraud control arrangements in place are contained in the Commonwealth Fraud Control Framework (the Framework), developed under the Public Governance, Performance and Accountability Act 2013 (PGPA Act).9

1.7 The Framework comprises three tiered documents, section 10 of the Public Governance, Performance and Accountability Rule 2014 (the fraud rule10), the Commonwealth Fraud Control Policy (the fraud policy) and Resource Management Guide No. 201, Preventing, detecting and dealing with fraud (the fraud guidance), with different requirements for corporate and non-corporate Commonwealth entities.11 The Attorney-General’s Department is responsible for the Framework. On 1 February 2024 the Australian Government released the new Commonwealth Fraud Corruption and Control Framework which will come into effect on 1 July 2024.

1.8 The ATO is a non-corporate Commonwealth entity, and therefore must comply with the fraud rule and fraud policy. The Australian Government considers the fraud guidance as better practice, and entities are expected to follow the guidance where appropriate.12

1.9 Estimates of fraud losses against the Australian Government are based on responses by Commonwealth entities to the Australian Institute of Criminology’s (AIC) annual online questionnaire. The AIC estimates show the total amount lost to internal fraud has risen from $907,657 in 2016–17 to $3.4 million in 2020–21. The ATO reported to the AIC that the total amount lost to internal fraud each year from 2016–17 to 2021–22 is not able to be quantified. The AIC estimates show the total amount lost to external fraud against the Commonwealth for completed investigations has also risen from $91.9 million in 2016–17 to $198.4 million in 2021–22. For the ATO, the estimated total amount lost to external fraud for completed investigations has increased from $4.7 million in 2016–17 to $173.0 million in 2021–22 (Figure 1.1).

Figure 1.1: Total estimated amount lost to external fraud against the Australian Government and the ATO, completed investigations, 2016–17 to 2021–22

 

Source: Australian Institute of Criminology annual fraud census reports to Government, 2016–17 to 2021–22 and ANAO analysis of ATO documentation.

The Goods and Services Tax

1.10 The GST came into effect in Australia on 1 July 2000, and is an indirect broad-based consumption tax of 10 per cent, levied on most goods and services in Australia.13 The A New Tax System (Goods and Services Tax) Act 1999 provides the administration framework for GST law.

1.11 The total net GST collected by the ATO has increased from $48.4 billion in 2012–13 to $81.4 billion in 2022–23, and the cost to administer the GST has decreased from $705.3 million in 2012–13 to $653.3 million in 2022–23. The ATO’s cost to administer the GST as a proportion of total net GST collected has decreased from 1.46 per cent in 2012–13 to 0.80 per cent in 2022–23 (Figure 1.2).

Figure 1.2: The ATO’s cost to administer the GST as a proportion of total net GST collected, 2012–13 to 2022–23

 

Note: Net GST is gross GST payable, excluding input tax credits and including deferred GST payments on imports and GST collections by the Department of Home Affairs. Input tax credits are credits for any GST included in the price paid for goods and services a business or organisation registered for GST buys for their business. Deferred GST payments on imports is GST payable on taxable imports that can be paid via a monthly business activity statement rather than to the Department of Home Affairs at the time of importation.

Source: Australian Taxation Office, Taxation Statistics, GST Table 1 [Internet], available from https://data.gov.au/data/dataset/taxation-statistics-2019-20 [accessed 15 May 2023]. Data for 2021–22 sourced from the Australian Taxation Office Annual Report 2021–22, ATO, 2022, Table 3.1 and the Australian Taxation Office, GST administration annual performance report 2021–22, ATO, 2023. Data for 2022–23 sourced from the Australian Taxation Office, Annual Report 2022–23, ATO, 2023, Table 4.1 and ANAO analysis of ATO documentation.

1.12 Information about the ATO’s administration of the GST is at Table 1.1.

Table 1.1: Information about the ATO’s administration of GST 2022–23

Element

Contextual information

Number of staff allocated to the administration of GST

2,144.8 Full Time Equivalent (FTE), of which 1,229.1 FTE were forecast to undertake GST compliance (client engagement and compliance intelligence, and risk management activities).

Total actual cost to administer the GST

$653.3 million

Geographical location of staff

Staff are based across Australia, with Client Engagement Group staff predominately located in: Brisbane Central Business District (CBD); Dandenong Victoria; Perth; Sydney CBD; Canberra and Adelaide.

   

Source: ANAO from ATO documentation.

Rationale for undertaking the audit

1.13 All Commonwealth entities are required to have fraud control arrangements in place in accordance with the Commonwealth Fraud Control Framework. Preventing and detecting GST fraud is integral for minimising loss of GST revenue available for the Commonwealth to make payments to the states and territories and maintaining public confidence in the tax system to support voluntary compliance.

1.14 This audit provides assurance to the Parliament that the ATO has effective management and oversight of fraud control arrangements for the administration of GST to protect the integrity of the tax system.

Previous scrutiny

1.15 Auditor-General Report No. 55 of 2002–03 Goods and Services Tax Fraud Prevention and Control observed that the ATO had systems and processes in place to prevent, detect, investigate and report GST fraud, with these activities undertaken and implemented across business lines. It made eight recommendations aimed at improving these systems and processes to strengthen its GST fraud control framework.14

1.16 The ATO agreed to all of the recommendations. Noting the significant timeframe (20 years) since this previous audit, along with subsequent changes to the Commonwealth fraud control requirements, this audit has not examined if the ATO implemented these recommendations. However, during the conduct of this audit, areas of the ATO’s GST fraud control framework identified as requiring strengthening were considered.

1.17 In 2018 the Inspector-General of Taxation undertook a review into the ATO’s fraud control management at the request of the Senate Economics References Committee, following events including those relating to Operation Elbrus and allegations of tax fraud. The review did not find evidence of systemic internal fraud or corruption and found that the ATO in general had sound systems in place to manage internal fraud, however there were areas requiring improvement. The Inspector-General of Taxation also made recommendations to improve processes aimed at the prevention of external fraud.15

1.18 In accordance with audit arrangements specified in the GST Administration Performance Agreement, the ANAO conducts an annual special purpose audit of GST costs and the systems of control of GST costs. Under Schedule C of the Agreement, the ANAO is required to provide all reports emanating from the special purpose audit directly to the ATO. The audit finding for the year ended 2023 was that ‘the ATO has suitably designed controls relating to the monitoring and reviewing of GST administration costs, as specified in Schedule B of the GST Administration Performance Agreement’.

Audit approach

Audit objective, criteria and scope

1.19 The objective of the audit was to assess the effectiveness of the Australian Taxation Office’s management and oversight of fraud control arrangements for the Goods and Services Tax.

1.20 To form a conclusion against the objective, the following criteria were adopted:

  • Has the ATO implemented effective strategies to prevent GST fraud?
  • Has the ATO effectively implemented strategies to detect and respond to GST fraud?
  • Has the ATO implemented effective arrangements to oversee, monitor and report on fraud control arrangements for the administration of GST?

1.21 The audit focused on the ATO’s effectiveness of fraud control arrangements. The audit did not examine the effectiveness of the:

  • ATO’s management and oversight for the risk of corruption;
  • ATO’s management and oversight of conflict-of-interest arrangements; and
  • the management and oversight of fraud control arrangements for the administration of GST by the Department of Home Affairs.

Audit methodology

1.22 The audit methodology involved:

  • reviewing ATO records, including fraud risk assessments, fraud control plans, ATO committee papers and minutes, ATO reporting and internal briefings;
  • reviewing the ATO’s procedures against the fraud guidance;
  • meetings with ATO staff;
  • analysis of relevant data provided by the ATO; and
  • walkthroughs of ATO systems, including the Contemporising GST Risk Models project at the ATO office in Brisbane.

1.23 The audit was open to contributions from the public along with state and territory Treasury departments, as official members of the GST Administration Sub-Committee. The ANAO received and considered two submissions from the public and input from one state/territory.

1.24 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $519,371.

1.25 The team members for this audit were Ailsa McPherson, Kim Murray, Kayla Hurley, Hazel Ferguson, Dale Todd, Afreen Shaik and David Tellis.

2. Goods and Services Tax fraud prevention

Areas examined

This chapter examines whether the Australian Taxation Office (ATO) has implemented effective strategies to prevent Goods and Services Tax (GST) fraud.

Conclusion

The ATO has implemented partly effective strategies to prevent GST fraud.

The ATO has established an enterprise framework for fraud, but it is not fit for purpose and is not operating as intended.

The ATO assesses fraud risks and produces an annual fraud and corruption control plan. It is not evident how the ATO’s 2023 Fraud Control and Corruption Plan deals with identified external fraud risks as required under paragraph 10(b) of the Public Governance, Performance and Accountability Rule.

The ATO has implemented mandatory training which includes fraud awareness content and monitors compliance with its requirement for ATO employees and contracted individuals to complete the mandatory training. The ATO raises awareness of GST fraud among external stakeholders through publishing information on its website and social media accounts.

Areas for improvement

The ANAO made three recommendations aimed at improving the ATO’s arrangements for assessing and managing its GST fraud risks.

The ANAO also suggested changes to the ATO’s mandatory training material.

2.1 Section 10 of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) requires the accountable authority of a Commonwealth entity to take all reasonable measures to prevent fraud relating to the entity, including by conducting fraud risk assessments regularly, developing and implementing a fraud control plan that deals with identified risks, and ensuring that officials of the entity are made aware of what constitutes fraud.16

2.2 Leading practice in fraud risk assessment requires accountable fraud risk owners to monitor and report on fraud risks and to ensure controls are developed and implemented in a timely manner, including controls that are the responsibility of other officials in different business areas.17 To assist entities prevent fraud, the fraud guidance encourages entities to provide information to external parties about their rights and obligations with regards to fraud.18

Has the ATO established a fit for purpose framework for GST fraud risk?

The ATO has established an enterprise framework for fraud, but it is not fit for purpose and is not operating as intended.

The ATO has established an external fraud risk owner and an internal fraud risk owner.

The Commissioner of Taxation has issued two Chief Executive Instructions (CEIs) setting out the requirements for managing fraud — one for external fraud and one for internal fraud. The CEIs do not reflect the roles and responsibilities in place in the ATO’s current structure. The ATO is in the process of clarifying roles and responsibilities for managing fraud risk and making the relevant changes to its CEIs.

The ATO’s conformance reporting process for external fraud is not fit for purpose. The ATO Audit and Risk Committee relies on this information to provide assurance to the Commissioner of Taxation as the ATO’s accountable authority. The ATO advised the ANAO in June 2023 that it is planning to redesign the external fraud conformance process to support the revised roles and responsibilities framework.

ATO fraud risk owners

2.3 The ATO does not have a single GST fraud risk owner and relies on each of its business lines to identify, assess and manage GST fraud risks within its area of responsibility. At the enterprise level, the ATO considers GST fraud risks as part of its external and internal fraud risk arrangements.

2.4 The ATO’s Fraud and Corruption Control Plan 2023 identifies the Deputy Commissioner (Senior Executive Service (SES) Band 2) of Integrated Compliance as the risk owner for the ATO’s external fraud risk and the Assistant Commissioner (SES Band 1) of Fraud Prevention and Internal Investigations as the risk owner for the ATO’s internal fraud risk. ATO fraud control and corruption plans have consistently identified these two positions as the risk owners of external fraud and internal fraud since 2019–20. In mid-2023, as part of a restructure of its business lines, the Deputy Commissioner of Integrated Compliance was appointed the Deputy Commissioner of Fraud and Criminal Behaviours and retained responsibility as the risk owner for the ATO’s external fraud risk.19

2.5 Under the ATO’s Risk Management Framework, as set out in the accountable authority’s Chief Executive Instruction (CEI)20 on risk management, ATO risk owners:

  • are personally accountable for identified risks;
  • are responsible for providing direction on relevant risk management activities within their area of responsibility and across business lines where appropriate; and
  • oversee the status of risks, controls, and treatment strategies.

ATO Chief Executive Instructions on fraud

2.6 The Commissioner of Taxation, as the ATO’s accountable authority, has issued two CEIs that set out the requirements for all ATO employees and contracted individuals (subject to the terms of the individual’s contract) for preventing, detecting, and dealing with fraud.21 The CEIs also identify roles within the ATO that have specific responsibilities for assessing fraud risk and managing fraud in the ATO. One CEI covers external fraud (fraud committed by those outside of the ATO) and the other covers internal fraud (fraud committed by ATO employees or contracted individuals).

2.7 The ATO’s external fraud CEI requires ‘Senior Responsible Officers’ (senior responsible officers) to ‘actively manage external fraud by conducting and reviewing risk assessments regularly to ensure appropriate external fraud risk tolerances, treatments and controls are in place and documented for their program’. The ATO advised the ANAO in July 2023 that the CEI refers to a position title that does not exist within the ATO but the function is generally carried out by Executive Level or SES personnel responsible for managing a program of work.

2.8 The external fraud CEI further requires ‘National Program Managers’ to ‘manage external fraud risk within their business line’ and ‘provide assurance on the management of external fraud risk within their business line to the external fraud risk owner via the external fraud conformance process’ (discussed in paragraphs 2.11 to 2.17). The ATO advised the ANAO in July 2023 that the term ‘National Program Manager’ (national program manager) is no longer used in the ATO but had been used to describe those members of the SES that are responsible for large programs of work and collectively it refers to the Deputy Commissioner (SES Band 2) positions within the ATO.

2.9 The ATO’s internal fraud CEI does not mention senior responsible officers and does not identify who is responsible for conducting and reviewing internal fraud risk assessments. The ATO advised the ANAO in October 2023 that the ATO’s Assistant Commissioner of Fraud Prevention and Internal Investigations, in their capacity as the risk owner for the ATO’s internal fraud risk (see paragraph 2.4) is responsible for conducting and reviewing internal fraud risk assessments regularly. Similar to the external fraud CEI, the internal fraud CEI assigns responsibility for managing internal fraud and corruption risks within business lines to national program managers. National program managers are also required to ‘actively support’ internal fraud risk assessment activity within their business line. As noted in paragraph 2.8, the term national program manager is an outdated term for what are now Deputy Commissioner (SES Band 2) positions within the ATO.

2.10 The ATO is reviewing the roles and responsibilities including those of senior responsible officers and what were formerly known as national program managers. The CEIs will then be updated accordingly. In November 2023, the ATO updated its internal fraud CEI. The updated CEI refers to Deputy Commissioners instead of national program managers. In July 2023, the ATO advised the ANAO that the changes to the external fraud CEI would occur in three phases with phase one (‘minor changes’) being a revised CEI issued ‘within the next few months’, phase 2 changes by June 2024 and phase three post July 2024. The phase two changes include clarifying the roles and responsibilities of senior responsible officers which ATO documents state ‘will involve identifying and confirming SROs [senior responsible officers] with existing responsibilities for key controls and treatments.’ Phase three changes are undefined but the ATO advised the ANAO in July 2023 that they are in ‘recognition that a further revision may be required’.

The ATO’s external fraud conformance process

2.11 The ATO’s external fraud conformance reporting processes is the basis for the ATO’s external fraud risk owner’s reporting to the ATO Audit and Risk Committee (ARC) on the effectiveness of the ATO’s management of its external fraud risks.22 It is the mechanism for providing the risk owner with an ATO wide view of the entity’s external fraud risk, the administration of which is dispersed throughout various ATO business lines.

2.12 Each quarter, the ATO’s Integrated Compliance business line requests selected ATO business lines to complete a conformance questionnaire to self-assess whether the business line has conformed with the ATO’s obligations for managing external fraud, including the requirements of the external fraud CEI, during the relevant quarter. The ATO does not have a systematic process for selecting business lines each quarter to ensure timely and regular coverage of all ATO business lines, but informed the ANAO in August 2023 it is developing one. The ATO described its process of selecting business lines to the ANAO as follows:

The Fraud and Criminal Behaviours (FCB) conformance team maintains a list of previous conformance reviews for the prior three years and selects business lines for each quarter based on an area’s external fraud risk exposure and period of time since the last conformance review. To improve selection decisions, the FCB conformance team are in the process of preparing a forward plan for the 2023–24 year.

2.13 The business lines’ self-assessments then form the basis for quarterly reports of the ATO’s conformance with its external fraud obligations to the external fraud risk owner which in turn underpins the risk owner’s reporting to the ARC.

2.14 The ANAO examined the ATO’s external fraud conformance reporting records for the quarters from June 2021 to June 2023 inclusive (nine quarters). Quarterly conformance reporting during this period was incomplete, not timely, and did not provide adequate assurance of the ATO’s compliance with its external fraud obligations.

  • The quarterly statements of conformance to the external fraud risk owner are based on completed questionnaires requested from a selection of ATO business lines for that quarter. Coverage of the ATO’s business lines during the June 2021 to June 2023 period examined by the ANAO was limited to a total of ten23 of the ATO’s business lines, the number of which has changed from 24 in late 2022/early 2023, to 32 as at mid-2023.
  • The highest coverage of the ATO’s business lines in the nine reporting quarters from June 2021 to June 2023 (inclusive) was in the June 2021 and September 2021 quarters where three of the ATO’s 24 business lines were selected for review in each quarter.
  • The ATO does not have a systematic process for selecting business lines each quarter to ensure timely and regular coverage of all ATO business lines.
  • The statement of conformance for the March 2022, June 2022 and March 2023 quarters do not identify which business lines responded to the questionnaire.

2.15 The ATO further advised the ANAO in July 2023 that each business line is examined, approximately, on an annual basis. However, the ATO’s records of the quarterly external fraud conformance reporting processes shows that the ATO has not:

  • examined each business line annually during the nine reporting periods reviewed as part of this audit (June 2021 to June 2023 quarters);
  • examined every business line in the two year period reviewed as part of this audit (June 2021 to June 2023); and
  • examined any business line more than once during this time (June 2021 to June 2023), with one exception (the individuals and intermediaries business line).

2.16 An example of the realisation of the risk associated with the external fraud conformance process being incomplete and not timely occurred in June 2023 when the ATO’s Small Business line reported in its quarterly self-assessment questionnaire that it had not documented an assessment of its external fraud risks, including GST fraud risks, since April 2019. The ARC was advised of this non-conformance with the ATO’s obligations at its 31 August 2023 meeting. The ATO’s Small Business line has further advised the ARC that it intends to complete a fraud risk assessment by December 2023, advising the ‘consequence of not addressing this matter in a timely manner may bring adverse findings and criticism from targeted internal or external reviews’.

2.17 In its March 2023 and June 2023 quarter conformance reports, the ATO assessed the conformance of its senior responsible officers with the external fraud CEI as ‘partially effective’, concluding that:

Whilst accountability of external fraud rests with [Deputy Commissioner] DC Fraud and Criminal Behaviours, and is partially effective, reviews have revealed the role of Senior Responsible Officers across ATO business areas in fraud prevention, detection and treatment in context of their business areas are not clear and could lead to gaps in actively managing external fraud (top down and bottom up).

In response, the ATO is developing a new Governance framework including clarifying external fraud roles and responsibilities. This Governance framework is being considered for endorsement at senior levels as part of internal conversations on how external fraud is better managed across the ATO (particularly as a shared risk).

The External Fraud Roles and Responsibilities Framework will be agnostic of tax product and client experience.

The External Fraud conformance process will be redesigned to support the revised roles and responsibilities framework.

The ATO’s internal fraud conformance process

2.18 The ATO’s internal fraud risk owner (Assistant Commissioner (SES Band 1) of Fraud Prevention and Internal Investigations) reports the level of conformance with the ATO’s obligations for managing internal fraud to the ARC quarterly. In October 2023, the ATO advised the ANAO that the quarterly conformance process for internal fraud changed to an annual process from February 2023 consistent with the ATO’s requirement for annual conformance reporting where the risk consequence in the conformance report is assessed as ‘major’ and its likelihood ‘rare’.

Recommendation no.1

2.19 The Australian Taxation Office, as a matter of priority, should finalise its work on:

  1. clarifying and documenting the roles and responsibilities for fraud prevention, detection, and treatment;
  2. redesigning the external fraud conformance process to support the revised roles and responsibilities; and
  3. making the necessary changes to the external fraud and internal fraud Chief Executive Instructions.

Australian Taxation Office response: Agreed.

2.20 The ATO agrees to prioritise and finalise work on roles and responsibilities for fraud prevention, detection and treatment and reflect this in a redesign of the external fraud conformance process and Chief Executive Instructions for external and internal fraud.

Has the ATO assessed GST fraud risks and established and implemented an appropriate fraud control plan?

The ATO assesses fraud risks and produces an annual fraud and corruption control plan.

It is not evident how the ATO’s 2023 Fraud Control and Corruption Plan deals with identified external fraud risks (including GST fraud risks) as required under paragraph 10(b) of the Public Government, Performance and Accountability Rule, or whether the ATO’s controls and strategies for external fraud are commensurate with assessed fraud risks as suggested in the fraud guidance.

The ATO has completed internal fraud and corruption risk assessments, largely within the two-year timeframe suggested in the Commonwealth fraud guidance. The ATO has not completed external fraud risk assessments within the two-year timeframe required by its external fraud governance framework. No ATO business line has completed a business line level fraud risk assessment relevant to GST fraud since 2020. As of June 2023, the ATO was working towards clarifying the roles and responsibilities for assessing and managing GST fraud risks.

ATO GST fraud risk assessments

2.21 Part five of the fraud guidance encourages entities to conduct fraud risk assessments at least every two years and further suggests that ‘entities responsible for activities with high fraud risk may wish to assess fraud risk more frequently’.24 The Commonwealth Fraud Prevention Centre’s Fraud Risk Assessment Leading Practice Guide states ‘risk assessments provide assurance that public funds are being managed in an accountable manner and that the potential harms of fraud are being actively mitigated’.25

2.22 The GST is administered by ATO business lines that are structured around taxpayer types.26 The ATO does not develop GST specific fraud risk assessments. Each of its business lines is required to identify, assess and manage GST fraud risks within its area of responsibility. At the enterprise level, the ATO considers GST fraud risks as part of its external and internal fraud risk assessments. The ATO’s framework for assessing and managing external and internal fraud risk is examined in paragraphs 2.3 to 2.20.

2.23 In November 2020, the Assistant Commissioner of the GST Program established the GST Program Risk Assurance project to increase and maintain confidence that compliance risks to the GST system are being managed efficiently and effectively. In a presentation to the May 2021 meeting of the GST Integrated Risk Forum27 the project team (comprising ATO officials at the EL2, EL1 and APS 6 levels) reported a ‘lack of evidence of current key risk artefacts28 required to demonstrate that GST compliance risks are being managed efficiently and effectively across the ATO’. Further, the ATO’s Chief Internal Auditor’s report of their review of Operation Protego29 (April 2023) states that the ATO’s analysis and assessment of its GST fraud risks is ‘not holistic or based on robust evidence’. As of June 2023, the ATO was working towards clarifying the roles and responsibilities for assessing and managing GST fraud risks. This work was ongoing as of 2 November 2023.

ATO business line risk assessments relevant to GST fraud risk

2.24 Between 2017 and 2020 three ATO business lines responsible for managing the ATO’s engagement with different groups of taxpayers (Small Business, Privately Owned and Wealthy Groups, and Public and Multinational Businesses30) documented a total of eight risk assessments incorporating GST fraud risks relevant to their business line, three of which are marked as drafts. Of the remaining five, four contain no indication that they were approved, and one states that it was ‘endorsed/approved with qualification’ by the Risk Manager (the qualification is not specified). The authority and utility of these risk assessments is unclear given they are either in draft form or not approved by the risk owners.

2.25 No ATO business line has completed a business line level fraud risk assessment relevant to GST fraud since 2020. ATO documents indicate that the ATO is planning to complete three separate risk assessments to assess and determine the risk ratings and tolerances associated with GST refund integrity, Small Business GST, and GST registration. As of October 2023, the ATO had started work on the risk assessment for GST refund integrity — defined by the ATO as ‘incorrect GST refunds occurring because of failure to correctly report GST due to errors, deliberate misreporting of GST on sales or purchases, and/or incorrect GST registrations by those not entitled to be registered’.

ATO external fraud risk assessments

2.26 At the enterprise level, the ATO considers the risk of GST fraud perpetrated by individuals outside of the ATO as part of its external fraud risk assessments.31 The ATO’s External Fraud Governance Framework requires external fraud risk assessments to be completed every two years.

2.27 Since 2017, the ATO has finalised three external fraud risk assessments — in November 2018, in May 2021, and in October 202332 (see Table 2.1). Neither of the two most recent risk assessments were completed within the two year timeframe required by the ATO’s External Fraud Governance Framework. Table 2.1 sets out the ATO’s assessment of its external fraud risk as documented in its primary risk assessment artefacts since 2017.

Table 2.1: ATO’s assessment of its external fraud risk since 2017

External fraud risk assessment

Risk tolerance levela

Risk ratingb

Assessment of controls

Likelihood of risk occurring

Consequence of risk occurring

2023 External Fraud Risk Assessment and Treatment Plan (finalised October 2023)

High

Severe (risk rating is ‘above’ tolerance)

Partially effective

Even chance

Extreme

2020

(finalised May 2021)

Low

Low

(risk rating is within tolerance)c

Partially effective

Rare

Medium

External Fraud Risk Review as at December 2019

(finalised March 2020)

The risk review did not change any ratings and kept the risk level at ‘severe’.

The document states that that ‘in order to ensure our risk position is current given the rapidly changing environment undertake a program to review the risk on a monthly basis for the remainder of this year commencing 30 May 2020’. The ATO advised the ANAO it did not proceed with this plan due to other priorities (supporting the administration of the COVID-19 stimulus program).

2018

(finalised November 2018)

Significant

Severe

(risk rating is out of tolerance)

Partially effective

Almost certain

Very high

           

Note a: Risk tolerance levels operationalise an entity’s risk appetite by specifying the levels of risk taking that are acceptable. Source: Commonwealth Risk Management Policy, last updated 29 November 2022, available from https://www.finance.gov.au/government/comcover/risk-services/management/commonwealth-risk-management-policy. The ATO’s Risk Tolerance Guide states that risk tolerance is ‘the level of risk which is acceptable and where no further treatment action is required. In most cases, a risk that is not within tolerance must undergo further treatment action or a decision to accept the risk level would be documented’. Within the ATO, Risk Owners are responsible for setting the risk tolerance for the risk they own.

Note b: The ATO’s risk matrix comprises six risk levels — low, moderate, significant, high, severe, and catastrophic (see Appendix 4).

Note c: ATO documents indicate that it has been unable to locate ‘detailed written explanation for the change in risk level’ from ‘severe’ in the 2018 risk assessment to ‘low’ in the 2020 risk assessment.

Source: ANAO analysis of ATO documents.

The 2020 external fraud risk assessment (ATO’s extant fraud risk assessment until October 2023)

2.28 The ATO’s 2020 external fraud risk assessment was approved by the Deputy Commissioner of Integrated Compliance in May 2021 and was extant until October 2023. The ATO described its method for compiling its 2020 external fraud risk assessment as follows:

The 2020 Risk Assessment commenced in November 2020. The control framework was considered through a series of workshops with key stakeholders and the assessment of key programs including the Integrated Compliance managed, high-risk population programs following the ATO Enterprise Risk Management Framework and the AGD [Attorney-General’s Department] Control Assessment Guidelines. The final control and risk assessments were agreed to with the participants from key programs across the Compliance Engagement Group. These products were aggregated into the final assessment.

The assessment was approved 26 May 2021.

2.29 In this assessment, the ATO assigned an overall risk rating of ‘low’ to its external fraud risk and assessed the risk as being within tolerance. In consequence, the risk assessment states that the management responsibility for the risk of external fraud was assigned to the APS Executive Level 2, in accordance with the ATO’s scale of management actions.

2.30 As Table 2.1 shows, the ATO’s assessment of its risk of external fraud changed from ‘severe’ in 2018 to ‘low’ in 2020, and is rated as ‘severe’ in the ATO’s 2023 external fraud risk assessment. ATO documents state that the ATO has been unable to locate any ‘detailed written explanation for the change in risk level’ between the 2018 and 2020 external fraud risk assessments. The ATO described its rationale for this downgrading of its external fraud risk rating to the ANAO as follows:

The 2020 assessment (formally endorsed in 2021…) focussed on the effectiveness of the ATO’s existing controls. It also recognised the approach taken in the ATO’s rapid implementation of the economic stimulus measures to ensure the controls were as robust as could be and resulting occurrence of little fraud and immaterial revenue loss in relation to the total payments made. The likelihood of the controls failing was assessed as rare, supported with system-based analysis demonstrating the level of robustness of the holistic approach the ATO takes. The consequence should the controls fail was assessed as medium, resulting in the risk being assessed as within tolerance at low.

The data in 2020 did not indicate systemic fraud and the environment at the time had not changed.

2.31 The 2020 external fraud risk assessment also includes the ATO’s assessment of the effectiveness of its controls33 on 13 external fraud risks, which the ATO has assessed as being ‘generally reliable’ and ‘partially effective’ overall. The 2020 external fraud risk assessment also lists 13 preventative, detective and correction controls that require improvement to raise the effectiveness of the ATO’s control assessment above ‘partially effective’. The controls are not attributed in the document to the 13 external fraud risks. The ATO’s external fraud risk assessment is not underpinned by a documented record (such as a risk register) of specific risks and corresponding controls for each of the broad 13 external fraud risks identified in the risk assessment document.

The 2023 external fraud risk assessment

2.32 In May 2023, the ATO’s Integrity Steering Committee34 considered an overview of the ATO’s draft 2023 external fraud risk assessment and endorsed the proposed risk rating of ‘severe’ with the risk rating being ‘out of tolerance’. An action item from that meeting was for the ATO to finalise the 2023 external fraud risk assessment by 30 June 2023 for consideration by the committee at its next meeting on 1 August 2023. The ATO Integrity Steering Committee endorsed the 2023 External Fraud Risk Assessment and Treatment Plan, dated 28 September 2023 on 5 October 2023.

2.33 As Table 2.1 shows the ATO’s assessment of its risk of external fraud changed from ‘low’ in 2020 to ‘severe’ in 2023 and that the ATO considers this to be ‘above tolerance’. In consequence, the risk assessment states the required risk manager level for the ATO’s external fraud risk is SES Band 3. In its 2023 external fraud risk assessment document the ATO has:

  • identified 10 external fraud sub-risks (these are different risks to the 13 risks listed in the 2020 external fraud risk assessment);
  • assessed its controls35 against the 10 sub-risks as being ‘partially effective’ overall;
  • identified the requirements of section 10 of the PGPA Rule as further controls and assessed these controls as ‘partially effective’;
  • determined that risk treatment is required to bring the external fraud risk within tolerance;
  • determined that the required risk treatment is to add or modify controls (to reduce the likelihood or consequence of the risks) and bring the external fraud risk within tolerance; and
  • stated that the risk treatment plan is ‘pending’.

2.34 In June 2023, the ATO requested ministerial approval to seek additional funding for its counter fraud activities to bring its fraud risk back into tolerance. The ATO advised the Minister for Financial Services that this was the first time this risk has been out of tolerance. Table 2.1 shows the ATO had assessed the fraud risk as being out of tolerance from 2018 until it reassessed the risk in 2020 as being within tolerance.

ATO’s internal fraud and corruption risk assessments

2.35 At the enterprise level, the ATO considers the risk of GST fraud perpetrated by individuals inside of the ATO as part of its broader internal fraud and corruption risk assessments.36 Since 2017, the ATO has completed five enterprise-wide internal fraud and corruption risk assessments, largely within the two-year timeframe suggested in the Commonwealth fraud guidance. Table 2.2 sets out the ATO’s assessment of its internal fraud risk as documented in its primary risk assessment artefacts since 2017.

Table 2.2: ATO internal fraud and corruption risk assessment ratings since 2017

Internal fraud and corruption risk assessment

Risk tolerance levela

Risk ratingb

Assessment of controls

Likelihood of risk occurring

Consequence of risk occurring

2023

(finalised Jun 2023)

Significant

Significant (risk rating level is within tolerance)

Effective

Even chance

Major

2021

(finalised Mar 2021)

Significant

Significant (risk rating level is within tolerance)

Effective

Even chance

Medium

2020

(specific to COVID-19)

(finalised July 2020)

Significant

Significant (risk rating level is within tolerance)

Partially effective

Even chance

Medium

2019

(finalised Aug 2019)

Significant

Significant (risk rating level is within tolerance)

Effective

Even chance

Medium

2018

(finalised Nov 2018)

Significant

Significant (risk rating level is within tolerance)

Effective

Even chance

Medium

           

Note a: Risk tolerance levels operationalise an entity’s risk appetite by specifying the levels of risk taking that are acceptable. Source: Commonwealth Risk Management Policy, last updated 29 November 2022, available from https://www.finance.gov.au/government/comcover/risk-services/management/commonwealth-risk-management-policy. The ATO’s Risk Tolerance Guide states that risk tolerance is ‘the level of risk which is acceptable and where no further treatment action is required. In most cases, a risk that is not within tolerance must undergo further treatment action or a decision to accept the risk level would be documented.’ Within the ATO, Risk Owners are responsible for setting the risk tolerance for the risk they own.

Note b: The ATO’s risk matrix comprises six risk levels — low, moderate, significant, high, severe, and catastrophic (see Appendix 4).

Source: ANAO analysis from ATO documents.

Recommendation no.2

2.36 The Australian Taxation Office should conduct and document assessments of its GST fraud risks regularly and ensure that it has a contemporary and holistic view of its GST fraud risks.

Australian Taxation Office response: Agreed.

2.37 The ATO agrees to regularly conduct and document assessments of GST fraud risks and ensure it has a contemporary and holistic view of GST fraud risks.

Fraud Control and Corruption Plan 2023

2.38 Each year in the ATO’s annual report from 2017–18 (the timeframe covered in the scope of this performance audit), the Commissioner of Taxation, as the accountable authority for the ATO, certifies that the ATO has prepared fraud risk assessments and fraud control plans as required by section 10 of the PGPA Rule. The ATO has developed an enterprise-wide fraud and corruption control plan for each financial year from 2017–18.

2.39 The ANAO examined the ATO’s Fraud and Corruption Control Plan 2023 (the current plan at the time of this performance audit) to determine the extent to which the plan meets the requirements of paragraph 10(b) of the PGPA Rule and part six of the fraud guidance with regards to the plan emphasising prevention, being available to all officials, and dealing with identified fraud risks.

2.40 Part six of the fraud guidance states that it is important for fraud control plans to emphasise prevention and encourages entities to make their fraud control plans available and accessible to all officials.37 The ATO’s Fraud and Corruption Control Plan 2023 is available on the ATO’s external website38 and intranet. The plan identifies prevention as one of three elements of the ATO’s fraud and corruption control framework (prevention, detection, response). The plan also states that the ‘ATO promotes prevention of fraud and corruption risks’, and includes the following statements on the ATO’s view of fraud prevention:

  • Prevention strategies are the first line of defence, and these include proactive measures designed to help reduce the risk of fraud and corruption.
  • Preventing fraud minimises the need for the ATO to detect and respond to fraud.

2.41 The fraud guidance further suggests seven elements that entities may include in their fraud control plans, none of which are mandatory.39 The ATO’s Fraud Control and Corruption Plan 2023 includes these seven elements.

2.42 Paragraph 10(b) of the PGPA Rule requires the accountable authority of a Commonwealth entity to take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by developing and implementing a fraud control plan that deals with identified risks as soon as practicable after conducting a risk assessment.40 Part six of the fraud guidance states that controls and strategies outlined in fraud control plans are ideally commensurate with assessed fraud risks.41

2.43 At the time that the ATO finalised its Fraud and Corruption Control Plan 2023 in early 202342, the ATO’s most recent external fraud risk assessment was a 2020 external fraud risk assessment that was approved in May 2021.43 The ANAO examined the alignment of the external fraud risks identified in the ATO’s Fraud and Corruption Control Plan 2023 with those in the ATO’s 2020 external fraud risk assessment.

2.44 The Fraud and Corruption Control Plan 2023 lists six ‘priority behavioural risks’ for external fraud:

  • identity crime enabled fraud;
  • refund fraud;
  • serious and organised crime in the tax and super systems;
  • offshore tax evasion;
  • illegal phoenix; and
  • black economy.44

2.45 The plan also lists examples of the ATO’s fraud and corruption prevention, detection and response activities. The plan does not attribute these activities to the six behavioural risks. Four of these behavioural risks (identity crime enabled fraud, serious and organised crime, offshore tax evasion, and illegal phoenix) are common to the list of 13 external fraud risks identified in the 2020 external fraud risk assessment (see paragraph 2.31). It is not evident how the plan deals with the ATO’s identified external fraud risks, as required under paragraph 10(b) of the PGPA Rule, or whether the ATO’s controls and strategies for external fraud are commensurate with assessed fraud risks as suggested in the fraud guidance because the identified risks in the two documents cannot be reconciled.

2.46 In June 2023 the ATO informed the ANAO that:

  • its publicly available fraud and corruption control plans are framework documents rather than detailed plans as they necessarily only include the ATO’s high level assessment of controls for addressing fraud risks and not the details of specific fraud risks and associated controls;
  • the ATO does not prepare a more detailed non-public version of its annual fraud control and corruption plan; and
  • each ATO business line maintains its own risk register and risk treatment plans.

2.47 As noted in paragraph 2.23, ATO internal reviews of its management of GST risks have identified gaps in the ATO’s records of current key risk artefacts (including risk assessments and treatment plans) and the ATO’s work on clarifying the roles and responsibilities for assessing and managing GST fraud risks is ongoing.

2.48 The ATO’s Fraud and Corruption Control Plan 2023 lists three areas of ‘priority internal fraud risk’ as:

  • corruption and insider threat;
  • working arrangements in a hybrid work environment; and
  • spending of public monies.

2.49 As noted in paragraph 2.45, the plan also lists examples of the ATO’s fraud and corruption prevention, detection and response activities. The plan does not attribute these activities to the three areas of ‘priority internal fraud risk’ listed in the plan.

2.50 The ATO’s most recent enterprise-wide internal fraud and corruption risk assessment is dated 30 June 2023. This risk assessment lists five ‘risk drivers’: financial advantage, disclosure of information, poor implementation of a new program, restructure of a process or function, and conflicts of interest. The risk assessment also includes the ATO’s assessment of the effectiveness of 10 controls that the ATO relies on to manage its single identified risk (internal fraud and corruption) and rates all 10 controls as being ‘effective’.

Recommendation no.3

2.51 The Australian Taxation Office ensures that its fraud control and corruption plans are based on identified fraud risks that are documented in risk assessments.

Australian Taxation Office response: Agreed.

2.52 The ATO agrees to ensure fraud control and corruption plans are based on identified fraud risks documented in risk assessments.

Changes to the ATO’s GST risk assessment strategies after the 2022 GST fraud events

2.53 Part five of the fraud guidance states that ‘it is important for risk assessment strategies to be reviewed and refined on an ongoing basis in light of experience with continuing or emerging fraud vulnerabilities’.45 In 2023 the ATO initiated activities intended to address the shortcomings in its GST fraud risk management that the Operation Protego GST fraud event46 exposed. These include the following.

  • The ATO has added ‘registration’ and ‘external fraud’ as new enterprise risks47 in its corporate plan for 2023–24.
  • In April 2023, the ATO’s Chief Internal Auditor completed an audit insights paper which includes observations and suggestions that the paper states are considered ‘critical to embedding GST fraud risk management as an enduring capability’.48 The ATO Audit and Risk Committee considered the paper at its June 2023 meeting. The minutes from that meeting state that the committee observed the ‘ambiguity around accountability for each of the suggestions’.

Has the ATO implemented appropriate fraud awareness and training for officials to prevent and detect GST fraud?

The ATO has documented a clear and widely available definition of what constitutes fraud in its Fraud and Corruption Control Plan 2023. The ATO’s external and internal fraud CEIs require ATO employees and contracted individuals to complete ‘mandatory training’, which includes three courses with fraud awareness content. The ATO monitors compliance with its requirement that staff complete mandatory training and reports completion rates for these three courses to the ATO Audit and Risk Committee.

The ATO’s definition of GST fraud

2.54 To assist with raising awareness of what constitutes fraud, part seven of the fraud guidance encourages entities to have a widely distributed fraud strategy statement. Guidance published by the Commonwealth Fraud Prevention Centre within the Attorney-General’s Department (AGD) explains that a fraud strategy statement helps people understand what fraud is, an entity’s views about fraud, and what staff and contractors should do if they suspect fraud.49 The guidance states that the fraud strategy statement can be part of an entity’s fraud control plan.

2.55 The ATO’s Fraud and Corruption Control Plan 2023 quotes the definition of fraud from the Commonwealth Fraud Control Policy. The plan provides further guidance on the nature of fraud and includes examples of what internal and external fraud might look like in the context of the ATO’s activities, including an example of GST fraud. The plan is publicly available on the ATO’s external website.

Fraud awareness training in the ATO

2.56 Part seven of the fraud guidance encourages entities to have all officials take into account the need to prevent and detect fraud as part of their normal responsibilities. The guidance suggests entities establish fraud awareness and integrity training in all induction programs and a rolling program of regular fraud awareness and prevention training for all officials.50

Mandatory training

2.57 The ATO’s Fraud and Corruption Control Plan 2023 identifies mandatory online51 training for ATO staff as one element of the ATO’s fraud and corruption prevention activity. The ATO’s external and internal fraud CEIs require ATO employees and contracted individuals to complete ‘mandatory training’, which includes three courses first introduced during the June 2020 quarter52 that include content covering fraud awareness, ethics, privacy and the APS Code of Conduct, as suggested by the fraud guidance.

  • ‘Working in the ATO’ (mandatory for all new staff).
  • ‘Safe, secure and inclusive’ (mandatory for all new staff and as an annual refresher).
  • ‘Managing safety and integrity’ (which is mandatory for all new managers53 and all existing managers as an annual refresher).54

2.58 The ANAO found that that the ‘Managing safety and integrity’ course:

  • does not refer to the current version of the ATO’s external fraud CEI; and
  • includes a scenario titled ‘reporting external fraud’ that is about document security when working from home and not about reporting external fraud.

2.59 The ATO advised the ANAO that certain cohorts of ATO staff are not granted access to ATO systems as their work requirements do not include the requirement for ATO system access to complete work tasks (for example some contractors or labour hire personnel). These cohorts of ATO staff are required to complete the ‘Working in the ATO’ course through a commercially available mobile application (EdApp) which can be downloaded to an individual’s personal device.

2.60 The ANAO reviewed the ‘Working in the ATO’ training available through EdApp and found that the fraud awareness content is materially the same as the ATO’s intranet based version of this ATO training. The ANAO found that the EdApp training refers the trainee to documents that the trainee cannot access without access to ATO systems (for example, the ATO external fraud CEI). If the information in such documents is important, then the content should be available to the trainee within EdApp, or through alternative means.

Opportunity for improvement

2.61 The Australian Taxation Office could improve the utility of its training material by:

  1. reviewing and updating the online version of ‘Managing safety and integrity’ course materials so that it refers to the current version of the ATO’s external fraud CEI and uses an appropriate scenario for ‘reporting external fraud’; and
  2. reviewing the EdApp version of the ‘Working at the ATO’ training course to remove references to documents that the participant is unable to access without access to ATO systems, and instead include the relevant information from those inaccessible documents (for example, the external fraud CEI).
Monitoring completion of mandatory training

2.62 The ATO monitors compliance with its requirement that staff complete mandatory training and issues reminder emails to staff and their manager if training is not completed within the expected timeframes. Where staff have not completed the required mandatory training, the ATO may remove an individual’s access to some systems.

2.63 ATO managers are responsible for ensuring that their team members are up to date with their mandatory training. Completion rates for mandatory training courses are reported to the ATO Audit and Risk Committee quarterly. In November 2023 the ATO reported completion rates of 90 per cent or more for each of the three mandatory training courses as at September 2023.

Has the ATO appropriately raised GST fraud awareness among external stakeholders?

The ATO has established external communications products that raise GST fraud awareness among external stakeholders. Information from these products is contained on the ATO’s website and social media posts.

2.64 The ATO’s Fraud and Corruption Control Plan 2023 identifies the ATO’s external communications program as one of its fraud and corruption prevention activities.

2.65 The ATO has a ‘the-fight-against-tax-crime’ website which includes:

  • an explanation of what tax crime is and what the ATO is doing to prevent and respond to tax crime;
  • a statement that the ATO takes all forms of tax crime seriously and will take firm action, including seizing the profits, of those participating in tax crime;
  • warnings about becoming involved in tax fraud (including GST fraud);
  • ATO media releases about GST fraud cases and prosecutions; and
  • outcomes of successful prosecutions for tax crime, including case studies of prosecutions for GST fraud.

2.66 The ATO provides information for businesses about what they need to do to meet their Business Activity Statement obligations on the ATO website and social media posts.

2.67 The ATO also posts information on social media (on Facebook, Twitter, and LinkedIn) and conducts advertising campaigns (on social media and internet search engines) with warnings about GST fraud and the risks and consequences of becoming involved in GST fraud. The ATO uses emails and its website to communicate with applicants for new Australian Business Numbers (ABN) to inform them about eligibility for an ABN and warning against becoming involved in GST fraud.

2.68 The ATO raises awareness of GST fraud among tax agents through, for example:

  • meetings of, and emails to, ATO Stewardship groups (including the Tax Practitioner Stewardship Group55 and the GST Stewardship Group56); and
  • the ATO’s ‘Tax professionals newsroom’ on the ATO website.57

3. Goods and Services Tax fraud detection, investigation and response

Areas examined

This chapter examines whether the Australian Taxation Office (ATO) has effectively implemented processes to detect and deal with suspected Goods and Services Tax (GST) fraud.

Conclusion

The ATO’s processes to detect and deal with suspected GST fraud are largely effective.

The ATO has implemented effective processes to confidentially report allegations of suspected fraud. The ATO has procedures to assess and refer ‘tip offs’ of external fraud to the relevant business line for further action, and to assess and investigate allegations of suspected internal fraud.

The ATO has methods to detect potential GST fraud.

The ATO has processes for investigating suspected fraud and taking action but does not have a procedure to respond to a large-scale fraud event.

Area for improvement

The ANAO made one recommendation aimed at expanding the ATO’s integrity incident response framework to include large-scale fraud events.

3.1 Section 10 of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) requires the accountable authority of a Commonwealth entity to take all reasonable measures to detect and deal with fraud.58 In order to detect and then investigate and respond to fraud, entities must take active steps to find fraud when it occurs.

Does the ATO have appropriate processes for suspected GST fraud to be confidentially reported?

The ATO has processes for ATO officials and members of the public to confidentially report allegations of suspected GST fraud. The ATO has documented instructions and procedures for ATO officials to assess reports of suspected external fraud (including suspected GST fraud) and to refer these reports to the relevant business line for further investigation.

ATO processes for reporting suspected external fraud (including GST fraud)

3.2 Paragraph 10(d) of the PGPA Rule requires entities to have ‘a process for officials of the entity and other persons to report suspected fraud confidentially’.59 The fraud guidance notes that reporting suspected fraud is a common means of detection, and therefore it is important for entities to appropriately publicise fraud reporting mechanisms. Under the fraud guidance entities should encourage and support reporting of suspected fraud through proper channels, and this can include measures to protect those making such reports from adverse consequences.60

3.3 The ATO has channels for suspected fraud to be reported by the general public.61 These channels are advertised on the ATO’s website, including:

  • tip-off hotline;
  • tip-off form (the ATO tip-off form is also accessible through the ATO mobile app); and
  • postal address.

3.4 From 1 July 2019, amendments to the Taxation Administration Act 1953 created a whistleblower protection regime for the protection of individuals who report breaches of the tax laws or misconduct. The ATO advertises these arrangements on the ATO website.62

3.5 The ATO also has channels for ATO officials to report suspected external fraud and internal fraud, with details available in the ATO Fraud and Corruption Control plan, the external fraud and internal fraud Chief Executive Instructions (CEI), on the ATO intranet, and in staff mandatory training. From 2019–20 to 2022–23 the ATO received a total of 199,007 tip-offs from the general public and ATO officials, with 4,745 tip-offs (2.4 per cent) related to GST fraud (Table 3.1).

Table 3.1: Number and proportion of tip-offs from the general public and ATO officials received by the ATO related to GST fraud, 2019–20 to 2022–23

Financial year

Total tip-offs received

Total tip-offs received related to GST fraud

Per cent of tip-offs related to GST fraud

2019–20

56,292

125

0.2%

2020–21

52,580

170

0.3%

2021–22

43,020

2,280

5.3%

2022–23

47,115

2,170

4.6%

Total

199,007

4,745

2.4%

       

Source: ANAO from ATO documentation.

3.6 The ATO has documented processes for ATO officials responsible for assessing tip-offs to determine if the allegation requires a rapid response from the relevant ATO business line, or referral to other government departments/agencies. The ATO maintains a list of current and emerging risks to assist with determining if a rapid response is required.

3.7 In November 2021, the ATO Tax Integrity Centre (which is responsible for managing ATO ‘tip-offs’) identified a trend in tip-offs concerning GST refund fraud through its daily manual review of tip-offs. From January 2022 escalation pathways for GST fraud tip-offs were established, and between November 2021 and May 2022 1,169 tip-offs were escalated to the ATO’s Small Business line for action.

3.8 The ATO Tax Integrity Centre holds discussions and provides reports of tip-off data to business lines if requested. The ATO’s System Integrity Management Group63 April 2023 meeting discussed insights into the ATO’s fraud maturity, and noted the ATO is:

Not leveraging intelligence from AUSTRAC [Australian Transaction Reports and Analysis Centre] and TIC referrals.

3.9 The ATO Tax Integrity Centre developed a database solution to make data gathered from ‘tip-offs’ available on-demand for use in data analytics and risk models from July 2023.

Does the ATO have appropriate methods to detect potential GST fraud?

The ATO has largely appropriate methods to detect potential GST fraud. The ATO’s measures of effectiveness for GST fraud detection have improved over time. Registers of controls used to detect potential GST fraud are dispersed across ATO business lines and the ATO does not maintain a centralised register. The dispersed nature of GST controls means the ATO relies on internal committee discussions to draw together a ‘whole of GST product’ perspective on the effectiveness of these methods, rather than on collated or aggregated data.

The Contemporising GST Risk Models (CGRM) project involves a redesign of existing risk models to detect Business Activity Statement refunds that are incorrect, based on a risk likelihood score. The CGRM project ran 12 months behind schedule, with models being deployed over time from May 2021 to January 2022.

The ATO is assessing the effectiveness of two risk models deployed under the CGRM project (the identity crime and the incorrect reporting models) through a random audit program. This project is running eight months behind schedule.

The ATO utilises other methods to detect potential GST fraud including data matching, referrals from financial institutions and using justified trust to assure GST compliance of large businesses.

3.10 Paragraph 10(d) of the PGPA Rule states that the accountable authority must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by ‘having an appropriate mechanism for detecting incidents of fraud or suspected fraud’.64

3.11 The ATO Fraud and Corruption Control Plan 2023 states:

The ATO employs measures designed to uncover incidents of fraud and corruption when they occur.65

3.12 The ATO does not maintain a centralised GST fraud risk register or a central record of controls used to detect GST fraud. The ATO advised the ANAO that control records are maintained by the ATO business lines.

Detecting potentially incorrect GST refunds

3.13 Since the introduction of the GST in 2000, the ATO has used risk assessment tools and models to detect potentially incorrect GST refunds in a ‘real time environment’ at the time of Business Activity Statement (BAS) lodgment and prior to the issue of any refund. All BAS refunds are risk assessed as part of the refund processing system. In 2021–22, of the $5.41 billion raised by the ATO in GST compliance liabilities, 59 per cent ($3.19 billion) was for refund integrity.66

3.14 In 2022–23 the ATO processed 11.2 million BAS and issued 2.1 million refunds. Of the 10.9 million BAS lodged in 2022–23, 92.7 per cent were lodged electronically.67

3.15 In the 2010–11 Federal Budget the ATO received $337.5 million over four years under the GST Compliance Program to fund additional GST compliance activities.68 The GST Compliance Program was extended by two years (2014–15 and 2015–16) with $195.3 million provided to the ATO to continue activities to promote voluntary GST compliance.69 In the 2015–16 Federal Budget the ATO GST Compliance Program was extended with $265.5 million provided over three years from 2016–17 to continue activities to promote GST compliance.70 The GST Compliance Program was extended again in the 2018–19 Mid-Year Economic and Fiscal Outlook with funding totalling $466.9 million over four years, including funding to assist the ATO develop more analytical tools to combat emerging risks in the GST system (the Contemporising GST Risk Models [CGRM] project).71 The CGRM project ran 12 months behind schedule, due to the impact of resource reallocations from the ATO’s response to COVID-19. This required the ATO to move allocated CGRM project funding from 2019–20 to 2020–21.

3.16 The intent of the CGRM project is to modernise and improve the ATO’s capability to manage GST compliance risks by replacing or updating existing risk models. The ATO commenced deployment of the CGRM project risk models in May 2021, with the suspect refunds overlay model (SR2) replacing the existing suspect refunds model. An internal ATO evaluation finalised in June 2022 examining the effectiveness of the CGRM project showed the SR2 model has resulted in:

  • a reduction in the number of cases created in error;
  • a reduction in the number of duplicate cases; and
  • an improvement in the ‘strike rate’ from an average of 83 per cent (2018–19 to 2020–21) to 94 per cent in 2021–22.72

3.17 Two additional models were deployed into production in June 2021 to enable automated real time ‘nudge’ messaging during the online BAS lodgment process, allowing the taxpayer to self-correct the BAS prior to lodgment. Two further ‘nudge’ messaging models were deployed in September 2021 and March 2022.73

3.18 In January 2022 the ATO deployed two post-lodgment models, the identity crime model and the incorrect reporting model. After deployment these models identified increasing numbers of outputs with a risk likelihood score of 0.8 or above (Table 3.2).74 The likelihood score of 0.8 was categorised as ‘high risk’ for the purpose of Operation Protego.

Table 3.2: Monthly risk models output with a risk likelihood score of 0.8 or abovea (categorised as high risk for Operation Protego), January 2022 to July 2022, number

Month

Potential refunds with a risk likelihood score of 0.8 or above

January 2022

9,732

February 2022

17,084

March 2022

31,537

April 2022 (all refunds with a likelihood score of 0.8 and above stopped)

35,642

May 2022

19,758

June 2022

13,027

July 2022

6,813

   

Note a: The risk likelihood score is a number between 0 (low likelihood) and 1 (high likelihood) determining the likelihood that the refund is incorrect.

Source: ANAO from ATO documentation.

3.19 Once a refund has been identified by the CGRM models as requiring review based on the likelihood score, the ATO undertakes risk treatment. The number of cases actioned by the ATO is determined by the number of risk treatments planned to be undertaken by each business line, not by the model outputs. A case can be treated pre-issue (before the GST refund is issued) or post-issue (after the GST refund is issued). In 2022–23 the ATO undertook 43,103 pre-issue refund checks and 26,796 post-issue refund checks (Table 3.3).

3.20 The increase in case numbers for 2021–22 and 2022–23 compared to prior years reflects the treatment of suspected fraudulent GST refund lodgments under Operation Protego (see discussion of Operation Protego at Appendix 5). During Operation Protego (April 2022 to October 2023) the ATO implemented additional risk treatments to disrupt the behaviour and stop revenue leakage.

Table 3.3: Number of GST refund checks for cases and audits performed pre-issue and post-issue, 2017–18 to 2022–23a

Number

2017–18

2018–19

2019–20

2020–21

2021–22

2022–23

Pre-issue refund checks (cases)

21,220

14,151

12,509

17,201

65,771

43,103

Pre-issue refund checks (audits)

3,995

3,547

3,241

6,406

53,986

39,070

Post-issue refund checks (cases)

16,373

19,549

13,747

6,912

22,638

26,796

Post-issue refund checks (audits)

927

542

231

126

5,875

18,403

             

Note a: ‘Cases’ are work items created in the ‘Siebel’ work management system. ‘Audits’ are cases that have moved into the ‘audit and review’ classification in Siebel. Case numbers include audits. The increase in cases and audits for 2021–22 and 2022–23 is the result of activities relating to Operation Protego.

Source: ANAO from ATO documentation.

3.21 The GST refund ‘strike rate’ measures the percentage of pre-issue and post-issue cases and audits which achieved a result (which may or may not change net GST75) divided by the number of audit and enforcement cases completed. The strike rate for pre-issue cases and audits and post-issue cases and audit have all increased from 2017–18 to 2022–23 (Table 3.4).

Table 3.4: GST refund cases and audits strike ratea pre-issue and post-issue, per cent, 2017–18 to 2022–23

 

2017–18 %

2018–19 %

2019–20 %

2020–21 %

2021–22 %

2022–23 %

GST refund strike rate — pre-issue cases

19.0

25.5

27.9

39.8

81.8

89.4

GST refund strike rate — pre-issue audits

96.8

98.0

98.1

97.7

98.5

98.4

GST refund strike rate — post-issue cases

5.2

2.7

1.6

2.2

24.7

63.0

GST refund strike rate — post-issue audits

86.9

86.7

88.3

90.5

94.9

91.6

             

Note a: The ATO defines the GST refund ‘strike rate’ as the number of audit and enforcement cases completed which achieved a result (which may or may not change net GST) as a percentage of the number of all audit and enforcement cases completed.

Source: ANAO from ATO documentation.

3.22 The ATO commenced a program of work in November 2022 to improve risk identification by two of the post-lodgment risk models deployed in January 2022 under the CGRM project (the identity crime model and the incorrect reporting model). This work program is testing the risk model outputs by randomly selecting cases from a set of risk bands based on scores generated by the model for further testing. Existing treatment pathways (reviews and audits) for selected cases are being utilised. A risk guide was prepared for ATO officials undertaking reviews and audits to provide guidance and detail the required steps to be undertaken, with a separate form to be completed by ATO officials for intelligence capture purposes. This program of work was scheduled to be completed by August 2023 but is running eight months behind schedule. ATO documents state the delay is due to resourcing issues, the time required to build proficiency for case officers and the impact of case complexity. The ATO intends to finalise this work by April 2024.

3.23 In the 2023–24 Federal Budget, the GST Compliance Program was extended, with $588.8 million provided to the ATO over four years from 1 July 2023. The funding provided through this extension is intended to ‘also help the ATO develop more sophisticated analytical tools to combat emerging risks to the GST system’.76 Phase 2 of the CGRM project commenced in 2023 and is a four-year project to build on Phase 1 by developing new risk models to:

  • further identify risks of incorrect reporting;
  • identify high-risk registrants; and
  • enhance model outputs to allow for differentiated treatments.

Other methods to detect potential GST fraud

3.24 In addition to detection methods to identify potentially incorrect GST refunds, the ATO utilises other methods to detect potential GST fraud, including referrals from financial institutions of potentially suspicious refunds (including GST refunds), data-matching for property transactions, off-shore suppliers of low value imported goods and non-lodgment. The ATO also uses the justified trust regime to obtain assurance that large businesses are paying the correct amount of GST.

Referrals from financial institutions of potentially suspicious refunds

3.25 The ATO has an established process to assess referrals from the Reserve Bank of Australia (RBA) of potentially suspicious refunds (including GST refunds) identified by financial institutions. After identifying a potentially suspicious refund, the financial institution notifies the RBA. The RBA refers the potentially suspicious refund to the ATO, which conducts an audit, review or risk assessment and then advises the financial institution of the ATO’s decision to either retain or release the refund. The ATO’s data shows an increase in referrals from financial institution between October 2021 and March 2022 (see discussion of Operation Protego at Appendix 5) (Figure 3.1).

Figure 3.1: Percentage change in referrals from financial institutions to the ATO compared to prior month, July 2021 to June 2022

 

Source: ANAO from ATO documentation.

Property transactions with GST implications

3.26 The ATO detects potentially fraudulent property transactions using risk detection models including the CGRM project risk detection models, along with rule-based case selection models to identify high-risk refunds and other potentially fraudulent behaviour.

3.27 The ATO sources property data from the states and territories along with other relevant taxation and financial data including data from the Australian Securities and Investments Commission, and uses ‘data matching’ within case selection models to identify potential non-compliance, including potential fraud. The ATO has a case selection pathway that determines the allocation of the case for audit, review or other actions. Between 2017–18 and 2022–23 the ATO completed an average of 3,023 cases and 274 audits annually of potentially fraudulent property transactions. The average percentage of cases and audits resulting in a GST adjustment increased from 57 per cent in 2017–18 to 70 per cent 2022–23. The ATO advised the ANAO in January 2024 the combination of new or improved data sources and technical training for ATO staff have led to increased GST adjustments over this time period. For ‘disengaged’ property developers77, the ATO completed an average of 1,071 cases and 169 audits annually between 2017–18 and 2022–23, with the average percentage of cases and audits resulting in a GST adjustment increasing from 67 per cent in 2017–18 to 78 per cent in 2022–23 (Table 3.5).

Table 3.5: Average percentage of cases and audits of potentially fraudulent property transactions resulting in a GST adjustment, per cent, 2017–18 to 2022–23

Project name

2017–18

%

2018–19

%

2019–20

%

2020–21

%

2021–22

%

2022–23

%

Property

57

63

66

66

70

70

‘Disengaged’ property developers

67

64

69

69

74

78

             

Source: ANAO from ATO documentation.

Low value imported goods (LVIG)

3.28 Since 1 July 2018, offshore suppliers of low value imported goods (value AUD $1000 or less) are subject to GST once taxable supplies exceeds the AUD $75,000 GST registration threshold.78

3.29 The ATO utilises data collection (via the ATO and third parties) and exchange of information with other tax jurisdictions to detect potential non-compliance with GST obligations by offshore suppliers. The ATO undertook 64 cases of compliance action for offshore supplies of low value imported goods and inbound intangible consumer supplies79, which resulted in GST revenue of $38.6 million in 2022–23 (Table 3.6).

Table 3.6: ATO planned and actual cases and GST revenue from compliance actions for offshore supplies of low value imported goods and inbound intangible consumer suppliesa, 2019–20 to 2023–24

 

2019–20

2020–21

2021–22

2022–23

2023–24

Planned cases (number)

158

68

61

70

148

Planned GST revenue ($million)

10.0

51.6

52.0

40.0

38.3

Actual cases (number)

87

68

48

64

In progress

Actual GST revenue ($million)

23.4

58.6

47.7

38.6

In progress

           

Note a: ‘Inbound intangible consumer supply’ means sales of anything other than goods or real property to an Australian consumer (for example, digital products and other services) that are made to an Australian consumer and not wholly done in Australia or through a business run in Australia.

Source: ANAO from ATO documentation.

Non-lodgment

3.30 The ATO undertakes direct contact with taxpayers who are registered and have not met their lodgment obligations. The ATO has two models to prioritise direct contact and lodgment compliance action based on the risk to revenue. The ATO also utilises ‘data matching’ with other taxation data to identify non-lodgers. For example, the ATO compares entities that declare business income in their income tax returns but do not lodge a BAS. Lodgment compliance activities undertaken by the ATO raised $743.0 million of GST liabilities in 2021–22.80

Justified trust

3.31 The ATO’s justified trust regime ‘seeks objective evidence that would lead a reasonable person to conclude a particular taxpayer paid the right amount of tax’ by confirming the existence, application and testing of a tax risk management and governance framework for large businesses.81 To provide GST assurance from justified trust, the ATO seeks objective evidence of the existence of policies and procedures, system rules and IT systems that reliably determine the correct GST treatment of sales and purchases. In 2019–20, 1.1 per cent of the GST base was assured by justified trust compared to 1.2 per cent, 8.1 per cent and 5.8 per cent in 2016–17, 2017–18 and 2018–19 respectively.82 The ATO advised the ANAO in January 2024 that ‘the proportion of the GST base assured varies each year depending on the amount of GST payable by the GST reporters (or divisions of reporters) assured in that year’.

3.32 In 2021–22, the ATO raised $146.4 million of GST liabilities attributed to the justified trust regime.83

Consideration of fraud detection method outputs from a ‘whole of GST’ product perspective

3.33 The ATO does not collate or aggregate data from the various fraud detection methods in each ATO business line to develop a ‘whole of GST’ product perspective of fraud. The ATO internal committees responsible for GST administration receive reporting, including data on the results from the various methods used to detect fraud. The ATO advised the ANAO in July 2023 that there is discussion of risks across the committees, and that urgent issues would not wait for the committee to meet but would be escalated immediately. The ATO’s arrangements to oversee, monitor and report on fraud control arrangements for the administration of GST are examined in Chapter 4.

Are there appropriate processes in place for investigating suspected fraud and taking appropriate action?

The ATO has largely appropriate processes in place for investigating suspected fraud and taking appropriate action. The ATO has documented procedures in place to investigate suspected internal fraud and external fraud and is in the process of updating documents to meet the Australian Government Investigations Standard 2022 requirements.

The proportion of Integrated Compliance cases and audits resulting in a GST adjustment was 32.4 per cent of cases and 81.9 per cent of audits completed in 2022–23.

The ATO did not have a procedure to respond to a large-scale external fraud event such as the GST fraud event that led to the ATO’s ‘Operation Protego’ response from April 2022 to October 2023.

The ATO publicly reports the results of tax crime prosecutions, including prosecutions for GST fraud, on the ATO website.

3.34 Paragraph 10(e) of the PGPA Rule requires the accountable authority to have an appropriate mechanism for investigating or otherwise dealing with incidents of fraud or suspected fraud.84 The fraud guidance states:

Entities are encouraged to take a common sense approach to non-compliance, misconduct and trivial fraud by having graduated and proportionate responses based on their risk tolerance and risk environment.85

ATO external fraud referrals process

3.35 The ATO Tax Integrity Centre (TIC) is the central point within the ATO for the collection, storage, analysis and sharing of external fraud allegations (‘tip-offs’). These allegations are recorded and managed in a centralised system.

3.36 TIC officials assess these allegations to determine whether further action is required and if so refer them to the relevant ATO business lines (including Integrated Compliance). The ATO has documented procedures to assist TIC officials make decisions about which ATO business line should receive external fraud allegations. In 2022–23, 3.1 per cent of tip-offs were assessed by TIC officials as requiring no further action (Table 3.7).

Table 3.7: ATO action taken for external fraud allegations ‘tip offs’

 

2019–20

2020–21

2021–22

2022–33

Tip offs referred to ATO business lines

54,558

51,223

41,389

45,636

Tip offs where no further action was taken

1,734

1,357

1,631

1,479

Total tip offs

56,292

52,580

43,020

47,115

Per cent of tip offs where no further action was taken

3.1%

2.6%

3.8%

3.1%

         

Source: ANAO from ATO documentation.

3.37 The ATO’s external fraud CEI requires ATO officials to report any suspicion of external fraud detected to the ATO’s Integrated Compliance business line (Integrated Compliance) and include advice on whether further investigation is required and why. The CEI mandates a fraud referral to Integrated Compliance when the ATO has decided to impose an administrative penalty86 of 75 per cent of the shortfall amount (for intentional disregard of the law); or 50 per cent of the shortfall amount (for recklessness) and where fraud is suspected. ATO officials within ATO business lines can report suspected GST fraud to Integrated Compliance using the ATO’s online fraud referral form available in the ATO’s work management system, or via email.

3.38 Integrated Compliance officials assess the referrals to determine whether further action is required. The ATO has documented procedures to assist Integrated Compliance officials with this activity. Figure 3.2 summarises the process Integrated Compliance uses to assess referrals of suspected external fraud received from ATO officials.

Figure 3.2: ATO’s external fraud referrals process

 

Source: ANAO from ATO documents.

3.39 Table 3.8 presents the number of referrals received by Integrated Compliance annually from 2020–21 to 2022–23. In 2021–22 (90.2 per cent) and in 2022–23 (91.3 per cent), the majority of referrals received by Integrated Compliance were Operation Protego referrals that were actioned by the Small Business line but reported to Integrated Compliance to comply with the external fraud CEI requirements.

Table 3.8: Number of referrals received by Integrated Compliance, 2020–21 to 2022–23a

 

2020–21

2021–22

2022–23

Referrals

6,035

31,586

60,432

Operation Protego referrals (actioned by Small Business line but reported to Integrated Compliance to comply with external fraud CEI)

0

28,497

55,159

       

Note a: Prior to 2019 all case work was generally actioned within the Indirect Tax business line, which was disbanded in 2019. Integrated Compliance replaced a multitude of different referral pathways into a single referral pathway in August 2019, and this was incrementally rolled out for all referrals to Integrated Compliance from February 2020. Data is comparable from 2020–21 onwards.

Source: ANAO from ATO documentation.

3.40 The proportion of Integrated Compliance cases and audits resulting in a GST adjustment was 27.6 per cent of cases and 87.9 per cent of audits completed in 2019–20, and 32.4 per cent of cases and 81.9 per cent of audits completed in 2022–23 (Table 3.9).

Table 3.9: Integrated Compliance cases and audits resulting in a GST adjustment, 2019–20 to 2022–23

Case type

2019–20

%

2020–21

%

2021–22

%

2022–23

%

Cases

27.6

34.0

65.6

32.4

Audits

87.9

78.4

90.8

81.9

         

Source: ANAO from ATO documentation.

ATO internal fraud referrals process

3.41 The ATO’s internal fraud CEI requires ATO officials to report any suspicion of internal fraud through the ‘Speak Up’ channels (phone, email or an anonymous fraud alert form on the ATO intranet). The ATO’s process for assessing and actioning suspected internal fraud referrals is at Figure 3.3.

3.42 The ATO’s Fraud Prevention and Internal Investigations (FPII) Branch assesses all matters received via these channels. The FPII will convene a Tasking and Coordination Committee (a leadership team) to assess and prioritise allegations if the intake and assessment team requires further advice. The decision to undertake or not to undertake an investigation is made by an SES or Executive Level 2 ATO official.

Figure 3.3: ATO’s internal fraud referrals process

 

Source: ANAO from ATO documents.

3.43 During 2022–23, FPII triaged and assessed 798 allegations or reports via the ATO’s ‘Speak Up’ integrity channel. Of these 798 allegations, 184 identified potential internal fraud, corruption or serious misconduct risk that required further investigation. In 2022–23 the ATO commenced 71 internal fraud investigations, commenced 44 alternative actions and did not proceed with 69 investigations or alternative actions.

ATO investigation procedures

3.44 The Australian Government Investigations Standard (AGIS) was updated in October 2022.87 Entities are required to proactively transfer their approaches from the requirements of the AGIS 2011 (the previous standard) to the updated requirements of AGIS 2022 ‘within a reasonable timeframe’.88 The ATO is in the process of updating the internal fraud investigation procedures to the AGIS 2022 and expects the draft to be available by end January 2024. The ATO is also in the process of updating the investigation procedures for external fraud to align with AGIS 2022 and expects to complete the updates by 29 February 2024.

The Integrated Compliance integrity incident response framework

3.45 In 2022 Integrated Compliance developed an integrity incident response to supplement the existing ‘rapid response groups’ mechanism to respond to fraud events during ‘Tax Time’.89 Rapid response groups are invoked ‘only in instances where there are known existing fraud behaviours identified’. The integrity incident response is intended to supplement the business line rapid response groups, and applies to ‘new third party fraud not detected by existing controls’.

3.46 The ATO advised the ANAO in July 2023 that an integrity incident response was not utilised in response to the fraud events leading up to Operation Protego as:

The incidents and instances of potential fraud that led to Operation Protego resulted from known fraud risks. [The Framework] is only initiated in instances of new, third-person frauds to identify systemic vulnerabilities and formulate proposals to mitigate those vulnerabilities.

3.47 The ATO’s Chief Internal Auditor report (April 2023) on the ATO’s learnings from Operation Protego identified that while the business lines were monitoring early warning signals of potential GST fraud, the ‘whole of GST fraud risk’ was not sufficiently measured and managed, and the ATO did not have an escalation and rapid response approach to respond to alerts that had raised the prospect of a systemic issue. The report notes that the ATO could experience a large-scale fraud event at any time. The report also notes that capabilities and controls should be in place to respond to events rather than reacting, and large-scale fraud treatment actions, roles and responsibilities could have been arranged ahead of time to allow for a timelier management response.

Recommendation no.4

3.48 The ATO should develop and implement a response for large-scale fraud events that do not meet the criteria specified in the extant Integrity Incident Response Framework. The response should encompass:

  1. the ability to monitor early warning signals from the disparate fraud detection methods across ATO business lines, including ‘tip-offs’ received by the ATO Tax Integrity Centre;
  2. identification of escalation triggers and the pathways that will be followed to develop an ATO response;
  3. a clear allocation of decision-making authority and accountability for initiating and finalising a rapid response;
  4. a prioritisation approach for action, emphasising the prevention and containment of revenue leakage;
  5. actions to recover losses; and
  6. criteria to evaluate the success of the framework’s use to contain fraud events, and the ability to adjust the framework in response to evaluation findings.

Australian Taxation Office response: Agreed.

3.49 The ATO agrees to develop and implement a response for large-scale fraud events that do not meet the criteria specified in the Integrity Incident Response Framework, encompassing all sub-elements (a to f) as specified.

3.50 The ATO publicly reports on its website the annual collation of results for prosecutions and tax crime prosecutions.90 The ATO also issues media releases of the results of tax crime prosecutions, including prosecutions for GST fraud on the ATO website. The ATO’s media release webpage includes a search function to allow for filtering of media releases by keywords.

4. Oversight, monitoring and reporting

Areas examined

This chapter examines whether the Australian Taxation Office (ATO) has effective governance, monitoring and reporting arrangements for fraud control of the Goods and Services Tax (GST) and has complied with mandatory reporting requirements in the Commonwealth Fraud Control Framework.

Conclusion

The ATO has partly effective governance arrangements for GST fraud control. There is a lack of clarity regarding ownership of GST risks and artefacts to support risk assessment, monitoring and treatment are incomplete or in draft.

The ATO provide reports to its Audit and Risk Committee through the ATO’s conformance reporting process and dashboard. The benchmark used in the dashboard reporting is not fit for purpose as it is a measure of fraud and error for government payments. In contrast, the ATO’s fraud indicators reported in the dashboard are the proportion of tax lodgments that are referred for investigation.

Areas for improvement

The ANAO made one recommendation for the ATO to consider an alternative benchmark for its fraud indicators.

4.1 Paragraph 10(f) of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) states that the accountable authority of a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by having an appropriate mechanism for recording and reporting incidents of fraud or suspected fraud.91 Paragraph 14 of the fraud policy sets out requirements for entities to provide information to the Australian Institute of Criminology (AIC) to facilitate the AIC’s annual report to the Attorney-General’s Department.92

Does the ATO have effective governance and reporting arrangements for GST fraud control?

The ATO’s governance and reporting arrangements for GST fraud control are partly effective. The ATO has identified there is a lack of clarity regarding accountability for GST fraud control and after two years of committee discussions this issue remains unresolved. Interim arrangements establishing a GST Fraud Advisor were endorsed by the GST Product Committee (an ATO SES Band 2 committee with responsibility for GST administration within the ATO) in September 2023, with a risk assessment on fraud in the GST system along with a deep dive on fraud in the GST system to be completed in early 2024.

The ATO provides reports to its Audit and Risk Committee through the ATO’s conformance reporting process and dashboard. The benchmark used in the dashboard reporting is not fit for purpose as it is a measure of fraud and error for government payments. In contrast, the ATO’s fraud indicators reported in the dashboard are the proportion of tax lodgments that are referred for investigation.

4.2 Effective governance arrangements drive accountability for performance by allowing appropriate oversight of program delivery, including how risks (including the risk of fraud) are being identified, reported and managed.

ATO-wide governance of fraud control arrangements

4.3 Key responsibilities specified in the ATO Fraud and Corruption Control Plan 2023 states the Commissioner of Taxation is the:

Accountable Authority responsible for taking all reasonable measures to prevent, detect and deal with fraud for the ATO, Tax Practitioners Board and the Australian Charities and Not-for-Profits Commission.93

4.4 The ATO Fraud and Corruption Control Plan 2023 specifies five ATO committees with fraud control responsibilities (Table 4.1).

Table 4.1: Fraud control governance — ATO committee roles and responsibilities

Committee

Committee roles and responsibilities

Audit and Risk Committee

Provides independent advice and assurance to the Commissioner of Taxation about the risk oversight and management of systems in place to implement the ATO’s Fraud and Corruption Control Plan.

ATO Enterprise Risk Management Committee

Considers emerging risks, which may include fraud and corruption, in the context of the ATO’s strategic objectives.

Integrity Steering Committee

Sets strategic, whole-of-ATO direction on external fraud risks and threats.

System Integrity Management Group

Takes a coordinated approach to fraud risk management across the organisation. Champions embedding fraud control practices.

Client Identity Refund Fraud Forum

Identifies, prioritises and drives initiatives to support refund integrity and management of identity crime.

   

Source: ANAO from Australian Taxation Office, ATO Fraud and Corruption Control Plan 2023, ATO, 2023.

4.5 The Integrity Steering Committee (an ATO SES Band 2 Committee) is central to the ATO’s governance of external fraud with responsibility for determining and directing the ATO’s response to external fraud risks and threats, as specified in the ATO Fraud and Corruption Control Plan 2023. The Integrity Steering Committee is co-chaired by the Deputy Commissioner, Integrated Compliance in the Client Engagement Group (the risk owner for external fraud), and the Deputy Commissioner, Client Account Services within the Service Delivery Group.94

4.6 The Integrity Steering Committee supports the Security Committee (an ATO SES Band 2 Committee chaired by the ATO Chief Information Officer), which is responsible for ‘strategic oversight of the ATO’s security and business continuity management outcomes’. The Security Committee’s charter specifies Committee matters extend to ‘the internal and external fraud landscape’. The Deputy Commissioner Integrated Compliance (co-chair of the Integrity Steering Committee and risk owner for external fraud) is a member of the Security Committee. The Deputy Commissioner Integrated Compliance presents an external fraud biannual report to the Security Committee that includes the external fraud dashboard (see paragraph 4.21). The Security Committee reports to the ATO Executive Committee, an SES Band 3 Committee chaired by the Commissioner of Taxation. During 2022–23 the ATO Executive Committee received updates on Operation Protego including information on the timeline for key events, the governance framework to manage the Operation, and the debt recovery strategy of fraudulent GST refunds.

4.7 As specified in the ATO Fraud and Corruption Control Plan 2023, the Integrated Compliance business line is responsible for responding to serious tax evasion and financial crime and provides the ATO’s investigative and prosecutorial capability. This business line also conducts the system integrity program to ensure senior responsible officers have appropriate external fraud risk tolerances, treatments and controls in place for their programs. The Deputy Commissioner for Integrated Compliance is the risk owner for external fraud and four of the six priority behavioural risks where external fraud is prevalent as specified in the ATO Fraud and Corruption Control Plan 2023:

  • identity crime enabled fraud;
  • serious and organised crime;
  • offshore tax evasion; and
  • illegal phoenix.

4.8 The ATO Fraud Control and Corruption Plan 2023 does not identify the risk owners for the remaining two priority behavioural risk (refund fraud and black economy95). The Deputy Commissioner for Integrated Compliance also manages the serious financial crime response across government and internationally for the ATO.

4.9 The ATO Fraud and Corruption Control Plan 2023 specifies the Fraud Prevention and Internal Investigations (FPII) Branch in the Enterprise Strategy and Corporate Operations Group is responsible for implementing measures to prevent, detect and respond to internal fraud and corruption. The Assistant Commissioner FPII (an SES Band 1 position) is the risk owner for internal fraud, and leads an independent function supporting the Commissioner on internal fraud control. The internal fraud risk owner provides reports to the ARC on the management of internal fraud and corruption risk. The Assistant Commissioner FPII maintains the role of ‘advisor’ to the ARC and holds the position of ‘advisor’ to the ISC.

Governance of GST administration

4.10 Schedule A of the Intergovernmental Agreement on Federal Financial Relations (paragraph A20)96 provides that the GST Administration Sub-Committee (GSTAS) will monitor the operation and administration of the GST and make recommendations to Council on Federal Financial Relations (CFFR) regarding modifications to the GST and the administration of the GST.97 GSTAS membership comprises Commonwealth, state and territory officials. In accordance with the terms of the Agreement, GSTAS delegates aspects of that role to the GST Policy and Administration Sub-group (GPAS) (Figure 4.1).98

Figure 4.1: Committees governing the GST Administration Performance Agreement

 

Source: ANAO based on ATO documentation.

4.11 The ATO has established a committee structure for GST administration (Figure 4.2). This committee structure brings together the managers and senior executives responsible for GST administration from different business lines across the ATO. The GST Program Branch in the International, Support and Programs business line in the Client Engagement Group provides the secretariat function for this committee structure.

Figure 4.2: ATO committees governing GST administration

Auditor-General_Report_2023-2024_15_Figure_4.2.png

Source: ANAO based on ATO documents.

4.12 GST fraud-related matters regularly come before the internal ATO committees for GST administration for information and discussion. There is no formal process in place for these committees to report or escalate issues to the ATO-wide committees with responsibility for fraud control.

GST risk ownership within the ATO

4.13 The ATO has allocated responsibility for its six ‘endemic’ GST risks as follows:

  • GST correct reporting and GST food classification to the Small Business line;
  • GST real property to the Private Wealth business line;
  • GST financial services and insurance, and GST International to the Public Groups and International business line99; and
  • GST evasion to the Integrated Compliance business line.

4.14 Committee records from 2021–22 to 2022–23 for the three GST committees in Figure 4.2 showed recurring discussions regarding the need to clarify governance structures and risk accountabilities, summarised as follows.100

  • Ownership and management of a GST endemic risk allocated to one business line, but the risk relates to responsibilities of different business lines to the risk owner.
  • Incomplete artefacts include risk assessments and treatment strategies.

4.15 Since early 2021, the ATO has made attempts to clarify governance and accountabilities, however ownership and management of GST endemic risks and finalisation of artefacts (including risk assessments and treatment plans) continue to be discussed and are incomplete. At the 20 June 2023 meeting of the GST Product Committee (an SES Band 2 Committee) it endorsed renaming one endemic risk, ‘correct reporting’ to ‘GST refund integrity’, with the Small Business line to be the risk lead and having responsibility for the risk assessment, while treatment approaches remain the responsibility of individual business lines. The following items have been identified for further progression during 2024.

  • A GST system vulnerability assessment for presentation to the GST Strategic Risk Committee (SRC) in December 2023, that is also intended to inform a deep dive into fraud in the GST system for presentation to the GST SRC in February 2024.
  • Recommendations from the GST Strategic Risk Committee to the GST Product Committee to decommission the endemic GST evasion risk and establish the Assistant Commissioner, Phoenix and Evasion Program, Behaviours of Concern, as the GST Fraud Advisor were endorsed as ‘interim’ on 28 September 2023. The GST Product Committee will review this decision following a risk assessment on fraud in the GST system along with deep dive on fraud in the GST system, to be co-ordinated by the GST Program Branch and completed in early 2024.
  • The GST SRC plans to discuss the endemic risks of GST real property, GST international and GST financial services and insurance in November and December 2023, and early 2024.

Reporting provided to the Audit and Risk Committee

Internal fraud

4.16 The ATO internal fraud risk owner provides reports to the ARC (also see paragraph 4.9) on activity during the relevant reporting period by presenting:

  • a status update of the FPII’s Forward Work Program; and
  • an ARC dashboard and dashboard report.

4.17 The ‘ARC dashboard’ for internal fraud reports the ATO’s compliance status across eight categories to accord with the Commonwealth Fraud Control Framework categories.101 The status of compliance for each category is rated green (fully compliant), amber (substantially compliance with low risk instance(s) of non-compliance) or red (one or more high risk areas of non-compliance). The dashboard status reporting for the six most recent ARC meetings (March 2022 to August 2023) was examined by the ANAO, with the internal fraud compliance status for each of the eight categories rated ‘green’ (fully compliant) for all reporting periods examined. The FPII team’s assessment that commenced in March 2023 determined the ATO’s internal response to Operation Protego ‘proactively mitigated any potential insider threat risk’, and ‘there have been no indicators that the internal fraud risk landscape is changing and we [the ATO] have not observed any identifiers of corruption which would shift this risk’.

4.18 The October 2023 FPII report to the ATO Audit and Risk Sub-committee (ARSC)102 on the 2022–23 Forward Work Program stated:

  • three of the four risk reviews, assessments and health checks had been completed and one (ongoing contract management) had been deferred to the 2023–24 Forward Work Program;
  • targeted detection scans and detection initiatives due June 2023 were ongoing; and
  • of the eight prevention activities, six had been completed and two were ongoing (fraud and corruption awareness sessions and internal communications).

4.19 The status report presented to the October 2023 ARSC was for the 2022–23 Forward Work Program. An annual review undertaken by FPII of the ATO’s internal fraud and corruption environment for 2022–23 was presented to the October 2023 ARSC, including the FPII’s program of work for 2023–24. There are five work program categories in the work program, comprising projects and programs of work; fraud risk reviews; strategic intelligence assessments; fraud detection and prevention and engagement. Under the category ‘projects and programs of work’ is the activity ‘external fraud perpetrated by ATO officers’ scoped as ‘types of external fraud perpetrated by ATO officers’ with a delivery timeframe of August 2024.

4.20 The ARC dashboard and dashboard report provides information and analysis, including trend analysis of FPII activities.

External fraud

4.21 The ATO external fraud risk owner provides reports to the ARC on activity during the relevant reporting period though two dashboards, the first is titled the ‘ARC dashboard’ for external fraud and the second is titled the ‘external fraud dashboard’.103 An extract of the ‘ARC dashboard’ was provided to the Security Committee in April 2022 and from May 2022, the Integrated Compliance Risk Management Committee received a copy of the ‘external fraud dashboard’ in the Committee meeting papers with the purpose listed as ‘update’.104

4.22 The ‘ARC dashboard’ for external fraud reports the ATO’s compliance status across eight categories to accord with the Commonwealth Fraud Control Framework categories.105 The status of compliance for each category is rated green (fully compliant), amber (substantial compliance with low risk instance(s) of non-compliance) or red (one or more high risk areas of non-compliance). The dashboard status reporting for the six most recent ARC meetings (March 2022 to August 2023) is at Table 4.2.

Table 4.2: Dashboard reporting to the ATO Audit and Risk Committee — external fraud

 

Mar 22

Jun 22

Nov 22

Mar 23

Jun 23

Aug 23a

Consistent with the Commonwealth Fraud Control Frameworkb

Managing risk and fraud

Fraud risk assessments

Fraud control plans

Preventing fraud

Detecting fraud

Investigating and dealing with fraud

Recording and reporting fraud

             

Key: The ATO provides the following definitions: Green: fully compliant Amber: substantially compliant with low risk instance(s) of non-compliance Red: one or more high risk areas of non-compliance.

Note a: For the August 2023 ARC meeting, the External Fraud dashboard reported fraud risk assessments as ‘compliant’. However, the August 2023 ARC papers include a conformance and integrity report for the June 2023 quarter, and this report stated the external fraud conformance statement included a matter of non-conformance for ‘regularly conduct and review risk assessment in relation to GST risks’ as a new matter of non-conformance.

Note b: The rationale for an amber rating (substantially compliant) is provided in the dashboard report, but no information is provided when the rating changes from amber (substantially compliant) back to green (fully compliant). The information provided for the amber rating in the March 2023 dashboard for preventing, detecting and investigating fraud is replicated for June 2023 and August 2023, except in August 2023 the detail regarding mitigations had been removed.

Source: ANAO analysis of ATO documentation.

4.23 The ‘external fraud dashboard’ to the ARC includes two quarterly indicators for external fraud and GST fraud and shows an increase from March 2022 to September 2022 (during Operation Protego see Appendix 5), and another increase in March 2023 after Integrated Compliance received a bulk referral of income and GST refund work actioned by the Small Business line (Figure 4.3).106 The dashboard notes provide the following definitions of these indicators.

  • External fraud indicator is calculated by the count of referrals (based on activities recorded in the ATO external fraud case management system) divided by the count of lodgments (sum of all original tax returns, Fringe Benefits Tax, Excise and Activity Statement form lodgments) multiplied by 100 over a 12-month period.
  • GST external fraud indicator is calculated by referrals with associated primary revenue product divided by the distinct lodgment type multiplied by 100 over a 12-month period.

Figure 4.3: ATO reporting to the ATO Audit and Risk Committee — quarterly external fraud indicator and quarterly GST fraud indicator (proportion of referrals to lodgments)a

Auditor-General_Report_2023-2024_15_Figure_4.3.png

Note a: Operation Protego commenced in April 2022. On 20 March 2023 Integrated Compliance received a bulk referral of income tax and GST refund work actioned by Small Business line (see paragraph 4.27).

Source: ANAO from ATO documentation.

4.24 The ATO also reports a year-to-date average for the external fraud indicator and the GST fraud indicator calculated from those quarters shown on the dashboard showing an increase in June 2022 (Operation Protego commenced in April 2022, see Appendix 5) and another increase in March 2023 after Integrated Compliance received a bulk referral of income and GST refund work actioned by the Small Business line (Figure 4.4).

Figure 4.4: ATO reporting to the ATO Audit and Risk Committee — year-to-date external fraud indicator and year-to-date GST fraud indicator (proportion of referrals to lodgments)a

Auditor-General_Report_2023-2024_15_Figure_4.4.png

Note a: Operation Protego commenced in April 2022. On 20 March 2023 Integrated Compliance received a bulk referral of income tax and GST refund work actioned by the Small Business line (see paragraph 4.27).

Source: ANAO from ATO documentation.

4.25 At the 8 June 2022 ARC, the ATO reported that:

The ATO’s fraud tolerance of 0.05 per cent is under pressure.107

4.26 The same ATO report to the ARC stated that:

The level of fraud on the system is currently recorded as 0.0004 per cent as of 30 April 2022. This is under the benchmark of 0.5 per cent, however this figure does not include the suspected fraud related to Operation Protego which is not yet recorded in the reporting system.

4.27 At the 8 June 2023 ARC meeting, the ATO advised the increase in the annual overall level of suspected fraudulent transactions reported at 0.0942 per cent108 is largely due to a bulk referral on 20 March 2023 of income tax and GST refund work actioned by the Small Business line and reported to Integrated Compliance to comply with the external fraud CEI requirements (see Table 3.8). At the same meeting, the ATO changed the reference in the external fraud dashboard reporting to the ARC from ‘the [Attorney-General’s Department] AGD fraud benchmark from 0.5 per cent to 5 per cent to ‘a range from 3 per cent to 5.95 per cent’.109 No rationale for this change was provided to the ARC.

4.28 The ATO’s Fraud and Corruption Control Plan 2023 states that ‘the ATO has zero tolerance to any fraudulent or corrupt behaviour that may in any way impact the ATO’, while acknowledging that the ATO cannot avoid or prevent all fraud and corruption risks.110 The ATO’s 2020 Tax Crime Risk Assessment (finalised in May 2021) states that ‘the ATO accepts fraud will occur; but our risk appetite is that we will not tolerate it’. This assessment then states:

The AGD [Attorney-General’s Department] led Commonwealth Fraud Prevention Centre has issued benchmarking guidelines applicable to payment type programs administered by Government agencies that range from 0.05 per cent to 5.00 per cent.

4.29 The ATO’s 2020 Tax Crime Risk Assessment states that the ATO has low tolerance for its controls failing to mitigate fraud by more than an incidence rate ranging between 0.05 per cent to five per cent. The likelihood is set at RARE and it [the ATO] will not tolerate a consequence of more than MEDIUM. The risk was therefore determined to be within tolerance, with a note that continued improvements will be required to maintain tolerance.

4.30 The ATO reference to an AGD fraud benchmark is not accurate.

  • The benchmark is referenced from a leading practice guide (the AGD guide) issued by the AGD’s Commonwealth Fraud Prevention Centre to provide Commonwealth officials with practical steps for developing counter fraud investment cases. The AGD Commonwealth Fraud Prevention Centre has not issued benchmarking guidelines and the 0.05 per cent to five per cent reference is not an ‘AGD fraud benchmark’111; and
  • The benchmark is presented in the AGD guide as a case study example of fraud loss measurement from exercises conducted by the United Kingdom (UK) Government to build an evidence base of fraud loss based on 60 fraud loss measurement exercises. As noted in the AGD guide, this evidence base is not conclusive.112

4.31 The ATO’s use of the benchmark is not appropriate.

  • The benchmark is a measure of estimated fraud for government spending in the UK and is calculated using different numerators and denominators (amount of government spending lost to fraud and error divided by government spending) to the ATO’s external fraud indicator (number of referrals divided by the number of lodgments) or the GST fraud indicator (number of GST referrals divided by the number of lodgments) reported to the ARC as part of the external fraud risk dashboard.
  • The benchmark in the AGD guide indicates fraud loss in UK government schemes is usually between 0.5 per cent to five per cent of spending.113 This benchmark is referenced inconsistently in ATO documents as either ‘0.5 per cent to 5 per cent’ or ‘0.05 per cent to 5 per cent’. The ATO’s 2020 Tax Crime Risk Assessment states ‘0.05 per cent to 5 per cent’. The ATO advised the ATO Audit and Risk Committee in September 2022 that ‘the ATO’s fraud tolerance is 0.05 per cent and the AGD fraud benchmark minimum is 0.5 per cent’. Using a benchmark of 0.05 per cent to 5 per cent against the estimated total net GST collected by the ATO in 2022–23 of $81.4 billion would result in an estimated range of fraud losses between $40.7 million (0.05 per cent), or $407 million (0.5 per cent) to $4.07 billion (5 per cent).

Recommendation no.5

4.32 The Australian Taxation Office should:

  1. consider an alternative benchmark for ATO fraud indicators; and
  2. remove references to the ‘AGD fraud benchmark’.

Australian Taxation Office response: Agreed.

4.33 The ATO agrees to consider an alternative benchmark for ATO fraud indicators and to remove references to the ‘AGD fraud benchmark’.

Reporting provided to the states and territories

4.34 In accordance with requirements contained in the GST Administration Performance Agreement, the ATO provides an annual performance report to the states and territories by providing a mid-year and annual report to GSTAS (through GPAS). The annual report is published on the ATO website.114

4.35 The ATO provides an annual briefing to states and territories. The ANAO sighted the 2022 briefing that included an agenda item relevant to the ATO’s fraud control arrangements for GST administration.

Does the ATO meet the external reporting requirements of the Commonwealth Fraud Control Framework?

The ATO has met the external reporting requirements of the Commonwealth Fraud Control Framework by providing the required Information to the Australian Institute of Criminology in the form required by the specified deadline.

Information provided to the Australian Institute of Criminology

4.36 Paragraph 14 of the fraud policy requires entities to provide information to the Australian Institute of Criminology (AIC) in the form requested to facilitate the AIC’s annual report to the Attorney-General’s Department on fraud against the Commonwealth and the fraud control arrangements.115

4.37 The ATO has provided the information requested by the AIC, in the form requested, by the required due date (which is not always set to 30 September).

4.38 The Fraud Prevention and Internal Investigations (FPII) Branch co-ordinates the ATO’s response. FPII Branch notifies (via email) relevant ATO areas who are responsible for answering the questions in the census related to their subject area. Each ATO area provides an SES approved/endorsed response to FPII who collate (but do not assure) and calculate the ATO response. The Assistant Commissioner of FPII Branch (SES Band 1) provides endorsement for the ATO response, and the AIC census is then uploaded online into the AIC portal.

4.39 The ATO advised the ANAO that there is no need to document its own procedures to respond to the AIC’s request as the AIC census contains explicit instructions on how to prepare the response.

Appendices

Appendix 1 Australian Taxation Office’s response

Auditor-General_Report_2023-24_15_Appendix1_entity_ATO_page1.png

Appendix 2 Improvements observed by the ANAO

1. The existence of independent external audit, and the accompanying potential for scrutiny improves performance. Improvements in administrative and management practices usually occur: in anticipation of ANAO audit activity; during an audit engagement; as interim findings are made; and/or after the audit has been completed and formal findings are communicated.

2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts. The ANAO’s Corporate Plan states that the ANAO’ s annual performance statements will provide a narrative that will consider, amongst other matters, analysis of key improvements made by entities during a performance audit process based on information included in tabled performance audit reports.

3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:

  • strengthening governance arrangements;
  • introducing or revising policies, strategies, guidelines or administrative processes; and
  • initiating reviews or investigations.

4. In this context, the below actions were observed by the ANAO during the course of the audit. It is not clear whether these actions and/or the timing of these actions were planned in response to proposed or actual audit activity. The ANAO has not sought to obtain assurance over the source of these actions or whether they have been appropriately implemented.

  • The ATO is:

    • reviewing the roles and responsibilities for management of its fraud risk (paragraph 2.10);
    • reviewing and updating its external and internal fraud Chief Executive Instructions in line with its review of roles and responsibilities for fraud within the ATO (paragraph 2.10); and
    • planning to redesign its external fraud conformance process to support the revised roles and responsibilities (paragraph 2.17).
  • The ATO is developing a systematic process for selecting business lines each quarter for its external fraud conformance process to ensure timely and regular coverage of all ATO business lines (paragraph 2.12).
  • The ATO has added ‘registration’ and ‘external fraud’ as new enterprise risks116 in its corporate plan for 2023–24 (paragraph 2.53 and footnote 47).
  • The ATO’s Chief Internal Auditor has developed an audit insights paper (April 2023) which includes observations and suggestions that the paper states are considered ‘critical to embedding GST fraud risk management as an enduring capability’ (paragraph 2.53).
  • With regards to its mandatory training material, in October 2023 the ATO advised the ANAO of the following.
    • From May 2023, the ATO is reviewing its mandatory training material more regularly. The ATO advised the ANAO that, until recently, the material was reviewed every 12-months but from May 2023, the three mandatory training packages (including the EdApp content) are reviewed in April, August and December each year (footnote 54).
    • Consistent with the ANAO’s suggestion for improvement (paragraph 2.61) the ATO plans to make changes to EdApp to ensure participants have access to the content of ATO documents covered in the training (for example, the Chief Executive Instructions).
  • The ATO Tax Integrity Centre developed a database solution to make data gathered from ‘tip-offs’ available on-demand for use in data analytics and risk models from July 2023 (paragraph 3.9).
  • The ATO is in the process of updating the internal fraud investigation procedures to the Australian Government Investigations Standard (AGIS) 2022 and expects to endorse the revisions by 1 December 2023. The ATO is also in the process of reviewing and updating the investigation procedures for external fraud to align with AGIS 2022 and expects to finalise this review by 30 November 2023 (paragraph 3.44).
  • The GST Product Committee endorsed at the 20 June 2023 meeting endorsed renaming one endemic risk, ‘correct reporting’ to ‘GST refund integrity’, with the Small Business line to be the risk lead and having responsibility for the risk assessment, while treatment approaches remain the responsibility of individual business lines (paragraph 4.15).
  • Recommendations from the GST Strategic Risk Committee to the GST Product Committee to decommission the endemic GST evasion risk and establish the Assistant Commissioner, Phoenix and Evasion Program, Behaviours of Concern, as the GST Fraud Advisor were endorsed as ‘interim’ on 28 September 2023 (paragraph 4.15).

Appendix 3 The ATO’s administration arrangements for GST

1. The Intergovernmental Agreement on Federal Financial Relations provides for the ongoing provision of GST payments from the Australian Government to the states and territories.

Table A.1: Framework enabling the ATO’s administration of GST

Document

Relevance to ATO collection of GST

A New Tax System (Goods and Services Tax) Act 1999 (GST Act)

The GST Act provides for the Commonwealth to levy GST on final domestic consumption in Australia.

Federal Financial Relations Act 2009 (FFR Act)

The FFR Act identifies the Intergovernmental Agreement on Federal Financial Relations as providing the overarching framework for financial transfers between the Commonwealth and the states and territories.

Intergovernmental Agreement on Federal Financial Relations (the Intergovernmental Agreement)

The Intergovernmental Agreement provides the framework for federal financial relations, including for the ongoing provision of GST payments to the states and territories under two clauses:

25. The Commonwealth will make GST payments to the states and territories equivalent to the revenue received from the GST, subject to the arrangements in this Agreement. GST payments will be freely available for use by the states and territories for any purpose.

26. The Commonwealth will distribute GST payments among the states and territories in accordance with the principle of horizontal fiscal equalisation.

Schedule A of the Intergovernmental Agreement (paragraphs A16 to A25) detail arrangements for the ATO to administer the GST, and for the states and territories to compensate the Commonwealth for the agreed costs incurred by the ATO.

Paragraph A17 of Schedule A of the Intergovernmental Agreement requires the ATO to arrange for the Department of Home Affairs to assist with the collection of the GST on imports.

GST Administration Performance Agreement (the Agreement)

Schedule A of the Intergovernmental Agreement (paragraph A19) requires accountability and performance arrangements to be established between the ATO and the Council on Federal Financial Relations through the Agreement.

Paragraph 4 of the Agreement states that the GST Administration Sub-Committee (GSTAS) will monitor all aspects of the operation and administration of GST and this Agreement. GSTAS has delegated aspects of that role to the GST Policy and Administration Sub-group.

Paragraphs 22 to 25 of the Agreement requires the ATO to arrange, subject to the agreement of the Commonwealth Auditor-General, for the Australian National Audit Office to conduct an annual special purpose audit of GST costs and the systems of control of GST costs.

GST Administration Performance Agreement reporting

Paragraphs 10 and 11 of the Agreement state:

10. The Parties agree that the outcome to be achieved by the ATO in GST administration is to collect GST revenue effectively, including through optimising voluntary compliance by effectively and efficiently managing the administration and compliance risks to the GST system.

11. The ATO is accountable to the Council [on Federal Financial Relations] for achieving the above stated performance outcome, the achievement of which will be measured by the agreed measures outlined in Schedule A (Performance Outcome Measures).

Schedule A provides a range of agreed measures for the Council on Federal Financial Relations to determine whether the ATO has achieved the stated outcomes in clauses 10 and 11 of the Agreement.

   

Source: Extracts from listed documents.

Appendix 4 ATO risk matrix

Auditor-General_Report_2023-24_15_Appendix4_ATO_Risk_matrix.png

Source: ATO documents.

Appendix 5 Operation Protego

Operation Protego — a multi-agency response to large-scale GST fraud

1. In April 2022 the ATO launched Operation Protego, a multi-agency rapid response to large-scale escalation of GST refund fraud.

Case study: Operation Protego

From December 2021, the ATO began to receive an increasing number of referrals from financial institutions relating to suspicious income tax and GST refunds, with numbers escalating in early 2022. On 22 February 2022 the Small Business line formed a Refund Retention Stakeholder Group to work through the referrals and develop a management approach. During February and March 2022 the ATO worked with financial institutions to understand the referrals, collect further intelligence and implement an approach to recover fraudulent GST refunds via garnishees. As of 31 August 2023, the ATO had issued 3,241 garnishees and recovered $67.6 million via bank garnishees.

Other GST refund fraud early warning signs progressively identified by the ATO from late 2021 to early 2022 included the following.

  • An increase in GST refund fraud tipoffs (from July 2021).
  • An increase in Australian Business Number and GST registrations (November 2021).
  • Deployment of the ‘incorrect reporting’ and the ‘identity crime’ CGRM risk models immediately showed increasing numbers of GST refunds identified as ‘high risk’, defined as refunds with a risk likelihood rating of 0.8 and above (January 2022).
  • Social media posts promoting GST fraud identified by the ATO, though the ATO is unclear about when the posts began to circulate (April 2022).

After deployment of risk models as part of the Contemporising GST Risk Models project on 8 January 2022, it became ‘clearly apparent’ to the ATO that the amount of potential GST refund fraud exceeded the ATO’s business-as-usual capacity to treat. In April 2022 the ATO reallocated approximately 470 staff in GST related roles to inbound client engagement, complaints, review and audit case work. A range of other Operation Protego-related work, including external communication, inbound telephony, objections and investigations was managed by additional staff across the ATO.

Operation Protego commenced in April 2022 after an administrative decision was taken by the Deputy Commissioner of Integrated Compliance. The ‘Operation’ aspect of the ATO response is under the authority of the Serious Financial Crime Taskforce.a The initial response was to stop all high-risk refunds for audit and cancel GST registrations where no genuine signs of business were found. For individuals lodging further fraudulent refund claims additional treatments were applied, including cancelling ABN and all business-related registrations, amending past BAS refund claims, raising liabilities for prior refunds obtained and applying penalties, and applying account lockdowns.

The ATO issued a warning to the public on 6 May 2022 not to engage in GST fraud.

Operation Protego targeted the recipients of significant financial benefit as result of the fraud and those proliferating the fraud. Operation Protego targets are suspected of fraudulently obtaining GST refunds amounts between approximately $38,900 and $2.4 million and attempting to fraudulently claim GST refunds between approximately $8100 and $32.3 million.

The ATO established two senior executive level committees in May 2022, the Operation Protego Steering Committee comprising SES Band 1 members from relevant business lines across the ATO (which replaced the Small Business line Refund Retention Stakeholder Group) and the Operation Protego Governance Committee comprising SES Band 2 members from relevant business lines across the ATO.

The ATO has identified 57 per cent of individuals involved in the fraud were in receipt of a government benefit. Approximately 30 per cent of individuals attempted to obtain a fraudulent refund a second time and 10 per cent attempted a third time.

The ATO has identified individuals who have had their identity stolen and used to lodge fictitious BAS or have been coerced into participating or providing credentials to third parties. However, the ATO advised the ANAO in October 2023 it cannot identify the number of Operation Protego participants who were subject to identity crime and third-party fraud as:

During Operation Protego normal business processes were used to manage suspected cases of identity crime and third-party fraud, which means there was not specific tracking of Protego cases as a whole population.

The ATO confirmed with the ANAO that, as of October 2023, 150 ATO officials suspected of Operation Protego behaviours have been investigated using the ATO’s standard internal fraud procedures. A range of treatment strategies have been applied by the ATO, including termination of employment and criminal investigations.

At 31 August 2023 criminal investigations resulted in more than 100 arrests and 16 convictions. The ATO estimates there have been more than 57,000 perpetrators of GST fraud.

The total primary liabilities raised since the commencement of Operation Protego in mid-April 2022 to 30 June 2023 is $2.0 billion, with $2.7 billion in suspect GST refunds stopped prior to payment. Penalties of more than $120 million have been issued to 30 June 2023. Statutory interest was around $220 million at 31 August 2023 and will continue to accrue on amounts not repaid. As at 31 August 2023, the ATO had recovered $123 million (including $67.6 million recovered via bank garnishees).

The ATO has not quantified the administration cost of Operation Protego due to the significant manual estimation and apportionment of costs required. Operation Protego was closed on 3 November 2023 to new cases from 30 June 2023 following endorsement of the Deputy Commissioner for Small Business as the senior responsible officer for Operation Protego.

Note a: The Serious Financial Crime Taskforce (SFCT) is an ATO-led joint-agency taskforce established on 1 July 2015. The SFCT includes the following Australian Government entities: ATO; Australian Federal Police; Australian Criminal Intelligence Commission; Attorney-General’s Department; Australian Transaction Reports and Analysis Centre; Australian Securities and Investments Commission; Commonwealth Director of Public Prosecutions; Department of Home Affairs, incorporating its operational arm, the Australian Border Force; and Services Australia. Source: Australian Taxation Office, Serious Financial Crime Taskforce [Internet], ATO, available from https://www.ato.gov.au/General/The-fight-against-tax-crime/Our-focus/Serious-Financial-Crime-Taskforce/ [accessed 8 November 2023].

Footnotes

1 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, available from https://www.ag.gov.au/integrity/publications/commonwealth-fraud-control-framework [accessed 1 November 2023].

2 Australian Taxation Office, Corporate Plan 2023–24 [Internet], ATO, available from https://www.ato.gov.au/About-ATO/Managing-the-tax-and-super-system/In-detail/Corporate-plan---current-and-previous-years/ATO-corporate-plan-2023-24/ [accessed 29 September 2023].

3 The IGAFFR implements a framework for federal financial relations between the Commonwealth of Australia and the states and territories. The IGAFFR operates indefinitely from 1 January 2009 until the parties by unanimous agreement in writing revoke it. Paragraph A17 of Schedule A of the IGAFFR requires the ATO to arrange for the Department of Home Affairs to assist with the collection of the GST on imports. The ATO Annual Report 2022–23 (Table 4.1) reported in 2022–23 the Department of Home Affairs collected $5.7 billion of the total net GST collection of $81.4 billion. Council on Federal Financial Relations, The Intergovernmental Agreement on Federal Financial Relations [Internet], CFFR, available from https://federalfinancialrelations.gov.au/intergovernmental-agreement-federal-financial-relations [accessed 24 October 2023].

4 Australian Taxation Office, GST Administration Performance Agreement (from 1 July 2023) [Internet], ATO, available from https://www.ato.gov.au/About-ATO/Commitments-and-reporting/In-detail/GST-administration/GST-Administration-Performance-Agreement-1-July-2023/ [accessed 25 October 2023].

5 Australian Taxation Office, Annual Report 2022–23, ATO, 2023, Table 4.1 and Table 4.11.

6 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, fraud policy, paragraph viii, p. B1 available from https://www.ag.gov.au/integrity/publications/commonwealth-fraud-control-framework [accessed 1 November 2023].

7 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, p. iii.

8 Australian Taxation Office, Corporate Plan 2023–24 [Internet], ATO, available from https://www.ato.gov.au/About-ATO/Managing-the-tax-and-super-system/In-detail/Corporate-plan---current-and-previous-years/ATO-corporate-plan-2023-24/ [accessed 29 September 2023].

9 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, p. iii.

10 The fraud rule within the Commonwealth Fraud Control Framework reproduces the requirements of section 10 of the Public Governance, Performance and Accountability Rule 2014.

11 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, p. iii.

12 ibid., p. iv.

13 Most basic foods, some education courses and some medical, health and care products and services are GST-free.

14 Auditor-General Report No. 55 2002–03 Goods and Services Tax Fraud Prevention and Control.

15 Inspector-General of Taxation, Review into the Australian Taxation Office’s Fraud Control Management [Internet], IGT, 2018, available from https://www.igt.gov.au/investigation-reports/ato-fraud-control-management/ [accessed 14 November 2023].

16 Public Governance, Performance and Accountability Rule 2014, paragraphs 10(a) and 10(b), and subparagraph 10(c)(i).

17 Attorney-General’s Department, Commonwealth Fraud Prevention Centre, Fraud Risk Assessment Leading Practice Guide, AGD, 2022, available from https://www.counterfraud.gov.au/library/fraud-risk-assessment-guidance-and-tools [accessed 31 August 2023].

18 Attorney-General’s Department, Commonwealth Fraud Control Framework, 2017, AGD, fraud guidance, paragraphs 49 and 50, p. C13.

19 For consistency and to reflect language in documents provided to the ANAO, this report will use ‘Integrated Compliance’.

20 The ATO informed the ANAO in June 2023 that it has retained the term ‘Chief Executive Instruction’, a term in use prior to the enactment of the PGPA Act (2013), rather than the term Accountable Authority Instruction in the interests of supporting continuity of staff understanding.

21 References to ‘ATO officials’ in this report refers to ATO employees and contracted individuals.

22 The purpose of the ATO’s conformance process is to provide assurance that the ATO is meeting its legislative and policy obligations and appropriately managing non-conformance with those obligations. The CEI for ATO conformance with obligations, sets out the accountable authority’s requirements for monitoring conformance with legislating and policy obligations. The CEI requires non-conformance with obligations and emerging issues to be reported to the ATO Audit and Risk Committee on a quarterly basis.

23 These figures exclude three reporting quarters (March 2022, June 2022 and March 2023) where the quarterly conformance statement does not identify the business lines.

24 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, fraud guidance, paragraph 28, p. C9.

25 Attorney-General’s Department, Commonwealth Fraud Prevention Centre, Fraud Risk Assessment Leading Practice Guide, AGD, 2022, available from https://www.counterfraud.gov.au/library/fraud-risk-assessment-guidance-and-tools [accessed 20 June 2023].

26 The ATO’s organisational chart is available from https://www.ato.gov.au/About-ATO/Who-we-are/Executive-and-governance/Organisational-chart/ [accessed 18 September 2023].

27 The ATO’s GST Integrated Risk Forum comprises Executive Level 2 (Director) ATO personnel from various ATO business lines. The Forum is chaired by the Assistant Commissioner, Small Business, GST Program. The Forum’s charter states that its purpose is to ‘consider and facilitate collaboration on GST product risks, share insights and intelligence and advise the GST Strategic Risk Committee, client experience segments and other business lines on strategic risk matters’.

28 The artefacts sought by the project team included risk assessments, risk reviews, treatment strategies, evaluation results, and risk updates (including other reports presented to committees and forums).

29 In April 2022, the ATO established Operation Protego — an ATO-led investigation into large-scale GST fraud. Operation Protego is discussed in more detail in Appendix 5 of this audit report.

30 As at May 2023, these three ATO business lines have become four and are known as: Small Business; Private Wealth; Public Groups; and International, Support and Programs.

31 The risk owner for external fraud within the ATO is the Deputy Commissioner, Integrated Compliance. Under the ATO’s risk management framework, Risk Owners are assigned personal accountability for identified risks; and are responsible for providing direction on relevant risk management activities within their area of responsibility and across business lines where appropriate. Risk Owners are also responsible for overseeing the status of risks, controls and treatment strategies.

32 On 5 October 2023, the ATO Integrity Steering Committee endorsed the 2023 External Fraud Risk Assessment and Treatment Plan, dated 28 September 2023.

33 The controls are not specified in the 2020 external fraud risk assessment.

34 The Integrity Steering Committee (ISC) is responsible for determining and directing the ATO’s response to external fraud risks and threats. The ISC is co-chaired by the Deputy Commissioner, Integrated Compliance in the Client Engagement Group (the risk owner for external fraud), and the Deputy Commissioner, Client Account Services within the Service Delivery Group. See also Table 4.1 and paragraph 4.5.

35 The fraud risk assessment does not specify controls. The assessment states ‘specific prevent, detect and deal with controls will be listed in each of the 10 sub-controls’ risk assessments and the ATO Risk Register. The fraud risk assessment further states that this ‘has not been completed yet but will be a priority…in 2023-24’.

36 The Risk Owner for Internal Fraud within the ATO is the Assistant Commissioner, Fraud Prevention and Internal Investigations. Under the ATO’s risk management framework, Risk Owners are assigned personal accountability for identified risks; and are responsible for providing direction on relevant risk management activities within their area of responsibility and across business lines where appropriate. Risk Owners are also responsible for overseeing the status of risks, controls and treatment strategies.

37 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, fraud guidance, paragraph 36, p. C11.

38 Australian Taxation Office, Fraud and Corruption Control Plan 2023, March 2023 available from https://www.ato.gov.au/General/The-fight-against-tax-crime/In-detail/ATO-Fraud-and-Corruption-Control-Plan-2023/ [accessed 1 June 2023].

39 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, fraud guidance, paragraph 38, p. C11.

40 Public Governance, Performance and Accountability Rule 2014, paragraph 10(b).

41 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, fraud guidance, paragraph 39, p. C11.

42 ATO records indicate that the ATO’s Fraud and Corruption Control Plan 2023 was approved by the accountable authority in early 2023 and made available on the ATO’s website in March 2023.

43 This risk assessment document is titled the ‘Tax Crime Risk Assessment 2020’ and states that ‘the term tax crime and external fraud are interchangeable’.

44 On the ATO website it advises that the term ‘black economy’ has now changed to ‘shadow economy’. This change has been made to reflect the Organisation for Economic Co-operation and Development’s definition of unreported or dishonest economic activity.

45 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, fraud guidance, paragraph 29, p. C10.

46 Operation Protego is discussed in more detail in Appendix 5 of this audit report.

47 The 2023–24 ATO Corporate Plan defines enterprise risks as ‘key risks requiring oversight and management’.

48 The paper was developed in response to the Operation Protego GST fraud event (see Appendix 5).

49 Attorney-General’s Department, Commonwealth Fraud Prevention Centre, Develop a fraud strategy statement [Internet], AGD, available from https://www.counterfraud.gov.au/access-tools-and-guidance/develop-fraud-strategy-statement [accessed 5 June 2023].

50 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, fraud guidance, paragraph 46, p. C13.

51 The ATO maintains offline versions of these courses for individuals with a visual impairment.

52 These three training courses replaced the ATO’s Security, Privacy and Fraud training course during the June 2020 quarter.

53 The ATO defines managers as an Executive Level 2 officer, SES or anyone with positions, occupied or vacant, reporting to them on the ATO’s personnel management system. This includes staff in short-term acting manager roles.

54 The ATO advised the ANAO that from May 2023 the ATO has changed from an annual review of course material (including the EdApp version) to April, August and December each year.

55 The purpose and membership of the ATO’s Tax Practitioner Stewardship Group is described in Tax Practitioner Stewardship Group [Internet], ATO, available from https://www.ato.gov.au/about-ato/consultation/consultation-groups/stewardship-groups/tax-practitioner-stewardship-group [accessed 28 November 2023].

56 The purpose and membership of the ATO’s GST Stewardship Group is described in GST Stewardship Group [Internet], ATO, available from https://www.ato.gov.au/about-ato/consultation/consultation-groups/stewardship-groups/gst-stewardship-group [accessed 28 November 2023].

57 Australian Taxation Office, Tax professionals newsroom [Internet], ATO, available from https://www.ato.gov.au/Tax-professionals/Newsroom/ [accessed 26 October 2023].

58 Public Governance, Performance and Accountability Rule 2014, section 10.

59 Public Governance, Performance and Accountability Rule 2014, paragraph 10(d).

60 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, fraud guidance, paragraph 63, p. C15.

61 Australian Taxation Office, Making a Tip Off [Internet], ATO, available from https://www.ato.gov.au/general/gen/making-a-tip-off/ [accessed 18 July 2023].

62 Australian Taxation Office, Tax Whistleblowers [Internet], ATO, available from https://www.ato.gov.au/General/Gen/Whistleblowers/ [accessed 17 July 2023].

63 The System Integrity Management Group is an ATO SES Band 1 committee whose terms of reference includes supporting ‘the ATO’s response to fraud from a holistic risk perspective by acting in an advisory capacity to the System Integrity Program’.

64 Public Governance, Performance and Accountability Rule 2014, paragraph 10(d).

65 Australian Taxation Office, ATO Fraud and Corruption Control Plan 2023 [Internet], ATO, available from https://www.ato.gov.au/General/The-fight-against-tax-crime/In-detail/ATO-Fraud-and-Corruption-Control-Plan-2023/ [accessed 6 September 2023].

66 Australian Taxation Office, GST administration annual performance report 2021–22 Schedule A [Internet], ATO, available from https://www.ato.gov.au/About-ATO/Commitments-and-reporting/In-detail/GS… [accessed 11 September 2023], Table 5a(i) and 5c(i).

67 BAS processed are BAS with the status code ‘finalised, received, cancelled or discontinued’. BAS lodged are ‘latest finalised BAS’.

68 Australian Government, Budget 2010–11 Budget Paper 2: Budget Measures [Internet], available from https://archive.budget.gov.au/2010-11/index.htm [accessed 27 September 2023].

69 Australian Government, Budget 2012–13 Budget Paper 2: Budget Measures [Internet], available from https://archive.budget.gov.au/2012-13/index.htm [accessed 16 January 2024].

70 Australian Government, Budget 2015–16 Budget Paper 2: Budget Measures [Internet], available from https://archive.budget.gov.au/2015-16/index.htm [accessed 27 September 2023].

71 Australian Government, Mid-Year Economic and Fiscal Outlook 2018–19 [Internet], available from https://archive.budget.gov.au/2018-19/myefo/myefo_2018-19.pdf [accessed 27 September 2023].

72 The ATO defines ‘strike rate’ as the number of audit and enforcement cases completed with a ‘compliance outcome’ as a percentage of the number of all audit and enforcement cases completed. A compliance outcome can include both financial and non-financial outcomes, for example a debit, credit or notional tax adjustment; the application of penalties or regulatory enforcement; a referral for investigation of possible fraud and/or the taxpayer agreeing to do something for example lodging a return. The 83 per cent strike rate is calculated from the average strike rate for the previous suspect refund models from 2018–19 to 2020–21.

73 The ATO estimates as at 30 September 2023, $239.3 million in GST revenue was protected from the pre-lodgment ‘nudge’ messaging and the automated BAS revision rule.

74 These models produce a risk likelihood score between 0 (low likelihood) and 1 (high likelihood) that the GST refund is incorrect.

75 Results can be achieved without a change to net GST if GST payable and GST paid are adjusted by the same amount, or if there is no GST adjustment but a GST penalty was imposed.

76 Australian Government, Budget Measures 2023–24: Budget Paper No. 2 [Internet], Commonwealth of Australia, 2023, p. 19, available from https://budget.gov.au/content/bp2/download/bp2_2023-24.pdf [accessed 27 September 2023].

77 The ATO defines disengaged property developers into two categories of taxpayers. The first are registered taxpayers that claim GST credits during the construction phase of a building project but cease to lodge activity statements and income tax returns once sales of property occur. The second are taxpayers that do not claim GST credits during the construction phase and do not report the sale of property upon completion.

78 The AUD $1,000 value applies per shipping consignment excluding shipping and insurance.

79 ‘Inbound intangible consumer supply’ means sales of anything other than goods or real property to an Australian consumer (for example, digital products and other services) that are made to an Australian consumer and not wholly done in Australia or through a business run in Australia.

80 Australian Taxation Office, GST administration annual performance report 2021–22 [Internet], ATO, available from https://www.ato.gov.au/About-ATO/Commitments-and-reporting/In-detail/GST-administration/GST-administration-annual-performance-report-2021-22/ [accessed 15 September 2023], Table 10.

81 Australian Taxation Office, Justified Trust [Internet], ATO, available from https://www.ato.gov.au/Business/Large-business/Justified-trust/ [accessed 29 September 2023].

82 Australian Taxation Office, GST administration annual performance report 2021–22 [Internet] [accessed 15 September 2023], Table 6d.

83 Australian Taxation Office, GST administration annual performance report 2021–22 [Internet] [accessed 15 September 2023], Table 10.

84 Public Governance, Performance and Accountability Rule 2014, paragraph 10(e).

85 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, fraud guidance, paragraph 67, p. C16.

86 The ATO may impose administrative penalties for non-compliance with taxation obligations. The shortfall amount is the difference between the correct tax liability or credit entitlement, and the liability or entitlement worked out using the information provided. See: Australian Taxation Office, Penalties [Internet], available from https://www.ato.gov.au/General/Interest-and-penalties/Penalties/ [accessed 27 September 2023].

87 The AGIS establishes a standard for Australian Government entities conducting administrative, civil, or criminal (type) investigations. The fraud policy requires non-corporate entities to have detection and investigation systems consistent with the AGIS. Source: Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, fraud guidance, paragraph 61, p.C14.

88 Australian Federal Police, Australian Government Investigations Standard [Internet], AFP, 2022, available from https://www.afp.gov.au/sites/default/files/PDF/Australian-Government-Investigations-Standard-2022.pdf [accessed 30 October 2023].

89 ‘Tax Time’ in the context of the Integrity Incident Response Framework refers to the peak period of time between the 1 July and 31 October each year when the majority of tax returns are lodged for individuals.

90 Australian Taxation Office, Tax crime prosecution results [Internet], ATO, available from https://www.ato.gov.au/General/The-fight-against-tax-crime/News-and-results/Tax-crime-prosecution-results/ [accessed 5 October 2023].

91 Public Governance, Performance and Accountability Rule 2014, paragraph 10(f).

92 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, fraud policy, p. B3.

93 Australian Taxation Office, ATO Fraud and Corruption Control Plan 2023 [Internet], ATO, 2023, available from https://www.ato.gov.au/General/The-fight-against-tax-crime/In-detail/AT… [accessed 30 August 2023].

94 As noted in paragraph 2.4, in mid-2023 the ATO renamed its Integrated Compliance business line to ‘Fraud and Criminal Behaviours’. This chapter will reference the Integrated Compliance business line to align with language in the documents provided to the ANAO as evidence for this audit.

95 On the ATO website it advises that the term ‘black economy’ has now changed to ‘shadow economy’. This change has been made to reflect the Organisation for Economic Co-operation and Development’s definition of unreported or dishonest economic activity.

96 Council on Federal Financial Relations, Intergovernmental Agreement on Federal Financial Relations Schedule A, CFFR, 2009, paragraph A20.

97 The Council on Federal Financial Relations is responsible for overseeing the financial relationship between the Commonwealth and the state and territory governments. Council on Federal Financial Relations, Intergovernmental Agreement on Federal Financial Relations Schedule A, Definition and Institutional Arrangements CFFR, 2009, paragraph A2.

98 Australian Taxation Office, GST Administration Performance Agreement (from 1 July 2023) [Internet], ATO, available from https://www.ato.gov.au/About-ATO/Commitments-and-reporting/In-detail/GST-administration/GST-Administration-Performance-Agreement-1-July-2023/ [accessed 25 October 2023].

99 Following the June 2023 ATO organisational restructure this business line is now the ‘International, Support and Programs’ business line, the ‘Public Groups (Strategy and Programs)’ business line and the ‘Public Groups (Engagement)’ business line.

100 There were seven separate agenda items between 2021–22 and 2022–23 at the GST Integrated Risk Forum (EL2) that resulted in discussions and efforts to clarify governance structures and risk accountabilities; eight separate agenda items at the GST Strategic Risk Committee (SES Band 1) and five separate agenda items at the GST Product Committee (SES Band 2).

101 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017.

102 The Audit and Risk Sub-committee assists the Audit and Risk Committee to manage its workload in meeting its responsibilities.

103 The ARC external fraud dashboard reports against ‘charter requirements’, ‘specific requirements’, ‘status of compliance’, ‘evidence of compliance’, ‘comments, exceptions and issues of concern’, and ‘mitigations, exceptions or issues’.

104 The April 2022 meeting of the Security Committee received an extract of the December 2021 dashboard for three of the eight categories 1) ‘detecting fraud’, 2) ‘investigating and dealing with fraud’ and 3) ‘recording and reporting fraud’. These categories were reported as ‘fully compliant’ (green) with ‘no issues arising’. The Integrated Compliance Risk Management Committee meets monthly and received a copy of the ‘external fraud dashboard’ at the May 2022; June 2022; August 2022 and March 2023 meetings.

105 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017.

106 A third IT fraud indicator is included in the external fraud dashboard, this has not been included as IT fraud is outside the scope of this audit.

107 The ATO paper to the ARC states the ATO’s fraud tolerance is 0.05 per cent, the ‘AGD fraud benchmark’ referenced in the ATO paper states 0.5 per cent to five per cent.

108 This is the external fraud indicator year to date ending 31 March 2023 in Figure 4.4.

109 The Attorney-General’s Department (AGD) guide specifies the three per cent to 5.95 per cent estimate is from a 2019 report for the AGD by Ernst & Young and includes fraud and error (rather than solely fraud). This range is referenced in the AGD guide as an estimated cost of reported and unreported fraud and error against the Commonwealth, based on international comparators.

110 Australian Taxation Office, ATO Fraud and Corruption Control Plan [Internet] [accessed 4 September 2023].

111 Attorney-General’s Department Commonwealth Fraud Prevention Centre, Counter Fraud Investment Cases Leading Practice Guide [Internet], AGD, available from https://www.counterfraud.gov.au/sites/default/files/2021-03/counter-fraud-investment-cases-leading-practice-guide.PDF [accessed 14 August 2023], p. 10.

112 ibid., p. 10.

113 ibid., p. 10.

114 Australian Taxation Office, GST administration annual performance report 2021–22 [Internet], ATO, available from https://www.ato.gov.au/About-ATO/Commitments-and-reporting/In-detail/GST-administration/GST-administration-annual-performance-report-2021-22/ [accessed 4 September 2023].

115 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017.

116 The 2023–24 ATO Corporate Plan defines enterprise risks as ‘key risks requiring oversight and management’.