Introduction

Creative Australia

1.1 Creative Australia is a corporate Commonwealth entity (CCE) of 143 staff in 2023–24⁷ and statutory authority within the Department of Infrastructure, Transport, Regional Development, Communications, Sports and the Arts portfolio.

1.2 Founded as the Australia Council of the Arts in 1968⁸, Creative Australia commenced operating under its current name and absorbed the people and functions of Creative Partnerships Australia Limited (ACN: 072 479 835) on 1 July 2023.⁹ The Creative Australia Act 2023 (CA Act) establishes the change from the Australia Council to Creative Australia, effective 24 August 2023.¹⁰

1.3 The National Cultural Policy — Revive: a place for every story, a story for every place¹¹, was released by the Australian Government on 30 January 2023. Over the following five years, in response to this policy, Creative Australia is to establish the First Nations Arts and Culture and First Nations Board, Music Australia, Writing Australia, and Creative Workplaces.

1.4 As the Australian Government’s ‘investment, development and advisory body for arts and culture’¹², in 2023–24, Creative Australia distributed funding of $237.4 million under section 11 of the CA Act.¹³ Funding opportunities can span across many years (multi-year investment programs), relate to discrete projects (general grant programs)¹⁴, or provide access to a fundraising platform (Australian Cultural Fund).¹⁵ This funding is awarded to groups, individuals and organisations depending on the funding opportunity as set out in Table 1.1.

1.5 Grants are awarded directly to recipients. Funding decisions are made independent of the Australian Government by peer assessors, industry advisors and Creative Australia officials.¹⁶

Table 1.1: Funding distributed by Creative Australia to the arts and culture community in 2023–24^a

Note a: Financial year figures for 2024–25 are not available at the time of completing this audit.

Note b: The Australian Cultural Fund was managed by Creative Partnerships Australia Limited and was transferred to Australia Council, now Creative Australia, through section 8 of Schedule 2 in the Australia Council Amendment (Creative Australia) Act 2023 from 1 July 2023.

Source: Creative Australia, Annual Report 2023–24, pp. 20–21.

1.6 Creative Australia’s funding and average staffing level are provided in Table 1.2.

Table 1.2: Creative Australia’s funding allocation and average staffing levels

Note a: Average staffing level is a method of counting that adjusts for casual and part-time staff to show the average number of full-time equivalent employees.

Note b: Creative Australia is not directly appropriated as it is a CCE. Appropriations are made to the Department of Infrastructure, Transport, Regional Development, Communications, Sports and the Arts (a non-corporate Commonwealth entity (NCE)), which are then paid to Creative Australia and are considered ‘departmental’ for all purposes.

Note c: 2024–25 numbers are estimates only.

Source: Australian Government, Portfolio Budget Statements 2024–25, Budget Paper No. 1.12, Infrastructure, Transport, Regional Development, Communications and the Arts Portfolio, Australian Government, Canberra, 2024, p. 251.

1.7 Creative Australia advised the ANAO in March 2025 that it has not received any reports or detected suspected incidents of fraud or corruption since the implementation of its Fraud Control Policy in 2016.

The Commonwealth Fraud and Corruption Control Framework

1.8 Fraud against Australian Government entities and corrupt conduct by Australian Government officials are serious matters that can constitute criminal offences. Fraud and corruption undermine the integrity of and public trust in government, can reduce funds available for government program delivery, and cause financial and reputation damage to defrauded entities.¹⁷

1.9 The Australian Government’s Commonwealth Fraud and Corruption Control Framework 2024 (2024 Commonwealth Framework) defines fraud and corruption as:

• fraud: dishonestly obtaining (including attempting to obtain) a gain or benefit, or causing a loss or risk of loss, by deception or other means; and
• corruption: any conduct that does or could compromise the integrity, accountability or probity of public administration.¹⁸

1.10 Fraud against the Australian Government can be in the form of corruption against an Australian Government entity that is perpetrated by its officials (internal fraud) or committed by external parties which are not engaged by the Australian Government entity, such as clients of government services, service providers, grant recipients, other members of the public or organised criminal groups (external fraud).¹⁹ In its annual report on fraud against the Commonwealth, the Australian Institute of Criminology reported that, for 2022–23, the total losses reported to internal fraud was $2.9 million and to external fraud was $158.1 million, noting that reported losses are not always able to be quantified.²⁰ The Commonwealth Fraud Prevention Centre states that ‘the cost of reported and unreported fraud, corruption and payment error could be between three to 5.95 per cent of government expenditure’, based on international comparisons. This translates to a cost as high as $2.3 billion in 2023–24 when applied to the $38.5 billion in grant payments.²¹ Losses incurred due to fraud and corrupt activity go beyond the direct financial loss.²²

1.11 The Australian Government Fraud Risk Profile identifies eight fraud risk areas across different functions, including:

• corporate functions: assets, corporate information, human resources, and corporate funds; and
• program and policy functions: program payments, program revenue, program information, and program and policy outcomes.

1.12 On 1 July 2024, the 2024 Commonwealth Framework²³ came into effect, replacing the Commonwealth Fraud Control Framework 2017 (2017 Commonwealth Framework).²⁴ The framework supports Australian Government entities to manage fraud and corruption risks, and to prevent, detect, and otherwise respond to fraud and corruption.²⁵

1.13 NCEs are required to adhere to the rule and policy, while CCEs are required to adhere to the rule and apply the policy as better practice.²⁶ All Australian Government entities are encouraged to follow the guidance as better practice. Table 1.3 outlines the three components of the 2024 Framework and the binding effect.

Table 1.3: Components — Commonwealth Framework for Fraud and Corruption Control

Source: ANAO summary of the 2024 Commonwealth Framework and 2017 Commonwealth Framework components.

1.14 The 2024 Framework introduced provisions to mitigate corruption risk in addition to fraud risk and complement the function of the National Anti-Corruption Commission.²⁷ It also introduced new requirements for fraud and corruption governance oversight arrangements and controls testing. The changes between the former Fraud Rule and the new Fraud and Corruption Rule that came into effect on 1 July 2024 are outlined in Table 1.4.²⁸

Table 1.4: Comparison of the key elements of the 2024 Fraud and Corruption Rule to the 2017 Fraud Rule

Source: Adapted from Commonwealth Fraud Prevention Centre, Learn about the Fraud and Corruption Control Framework [Internet], Attorney-General’s Department, Canberra, 2024, available from https://www.counterfraud.gov.au/learn-about-fraud-and-corruption-control-framework [accessed 28 January 2025].

1.15 The Fraud and Corruption Rule applies to both the internal and external fraud risks identified in paragraph 1.11. The 2024 Framework states that:

Fraud and corruption are risks that can undermine the objectives of every Australian Government entity in all areas of their business, including the delivery of services and programs, policy-making, regulation, taxation, procurement, grants and internal procedures.²⁹

Responsibilities of accountable authorities

1.16 The Public Governance, Performance and Accountability Act 2013 (PGPA Act) and the PGPA Rule contain specific duties and requirements for the accountable authority of an Australian Government entity pertaining to internal control arrangements, including fraud and corruption control and reporting. This includes:

• section 15 of the PGPA Act — Duty to govern the Commonwealth entity;
• section 16 of the PGPA Act — Duty to establish and maintain systems relating to risk control; and
• section 10 of the PGPA Rule — The Fraud and Corruption Rule, Preventing, detecting and responding to fraud and corruption.

1.17 In administering its grants program, Creative Australia is required to use public funds efficiently:

• the PGPA Act requires the accountable authority — in this case, the Australia Council Board (the Board) — to manage and use public resources efficiently³⁰; and
• the CA Act requires the Board to ensure the proper and efficient performance of Creative Australia’s functions, delivering on these functions through a range of policies and programs, including the provision of grant funding.³¹

Rationale for undertaking the audit

1.18 Fraud and corruption against Australian Government entities reduces available funds for public goods and services and causes financial and reputational damage to the Australian Government.³²

1.19 The Australian Government amended section 10 of the PGPA Rule, effective 1 July 2024³³, to include corruption risks and introduce new requirements for fraud and corruption governance arrangements. All Australian Government entities are required to have fraud and corruption control arrangements in place to prevent, detect and respond to fraud and corruption.³⁴

1.20 Creative Australia must meet the minimum standards set out in the PGPA Rule and, as a CCE, it is strongly encouraged to implement the Commonwealth Fraud and Corruption Policy.³⁵ This audit is intended to provide assurance to the Parliament regarding the fraud and corruption control arrangements in Creative Australia.

Audit approach

Audit objective, criteria and scope

1.21 The objective of the audit was to assess the effectiveness of Creative Australia’s fraud and corruption control arrangements.

1.22 To form a conclusion against this objective, the following high-level criteria were adopted.

• Have appropriate arrangements been established to oversee and manage fraud and corruption risks?
• Have appropriate mechanisms been established to prevent fraud and corruption, and promote a culture of integrity?
• Have appropriate mechanisms been established to detect and respond to fraud and corruption?

1.23 This audit examines Creative Australia’s fraud and corruption arrangements in 2023–24 and 2024–25 to February 2025. The audit assesses Creative Australia’s compliance with the 2017 Commonwealth Framework and 2024 Commonwealth Framework.

Audit methodology

1.24 The audit methodology included:

• examination of entity records; and
• meetings with Creative Australia officials, including walkthroughs of Creative Australia’s grant management system at its office in Melbourne.

1.25 The ANAO did not assess the effectiveness of Creative Australia’s fraud and corruption controls.

1.26 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $355,000.

1.27 The team members for this audit were Leisa Baynham, Alyssa McDonald, Madigan Paine and David Tellis.

2.1 The Public Governance, Performance and Accountability Act 2013 (PGPA Act) (section 16) states that the accountable authority of an Australian Government entity has a duty to establish and maintain systems relating to risk and control. The Commonwealth Fraud and Corruption Control Framework 2024 (2024 Commonwealth Framework) (see Table 1.3), which replaced the Commonwealth Fraud Control Framework 2017 (2017 Commonwealth Framework), requires accountable authorities to conduct regular risk assessments and, as soon as practicable, develop and implement fraud and corruption control plans to deal with identified risks.³⁶ The 2024 policy expands on this by requiring fraud and corruption risk assessments to be conducted at least every two years for non-corporate Commonwealth entities.³⁷

Are there appropriate governance and oversight arrangements for fraud and corruption control?

2.2 Table 2.1 presents an assessment of Creative Australia’s approach to applying the Fraud and Corruption Rule, Guidance and Policy in relation to governance arrangements.

Table 2.1: Assessment against the Fraud and Corruption Framework — governance arrangements

Key: ◆ Fully compliant ▲ Partly compliant ■ Not compliant

Note a: For corporate Commonwealth entities (CCEs), the Fraud and Corruption Rule is mandatory, the Fraud and Corruption Policy and Guidance is better practice.

Source: ANAO analysis of Creative Australia documentation.

Fraud and corruption reporting, oversight and assurance

Australia Council Board

2.3 The Board is Creative Australia’s accountable authority.³⁸ The terms of reference for the Board are documented in Divisions 3 and 4 of the Creative Australia Act 2023.³⁹ As the accountable authority, the Board is responsible for the performance of Creative Australia, ‘ensuring its ongoing sustainability’ and ‘fraud and corruption control and compliance with PGPA Act and section 10 of the PGPA Rule.’

2.4 The Board receives a compliance report at the start of each financial year which advises the Board of actual or emerging instances of non-compliance with the PGPA Act, and to provide the Board assurance that ‘existing internal processes and systems of control are being monitored and maintained.’ The report prepared for the Board in August 2024 does not refer to the PGPA Rule (section 10) and references fraud and corruption by referring to Creative Australia’s internal audit program report: Fraud and Corruption Control Audit–July 2023.

2.5 Creative Australia’s Board minutes from 4 December 2024 show a verbal update on the ARC report was provided and included updates on, and approval of the new fraud and corruption policy, outcomes of Creative Australia’s internal audit program and that the ARC considered recommendations on the top ten risks of the organisation. The minutes do not reflect further discussion of fraud and corruption risks.

Audit and Risk Committee

2.7 Four members of the Board sit on Creative Australia’s Audit and Risk Committee (ARC). Verbal updates are provided to the Board by the ARC and documented in the Board meeting minutes.

2.8 Creative Australia’s terms of reference for its ARC aligns with the Department of Finance’s guidance, noting that the ARC is responsible to ‘regularly update the Board on its activities and make recommendations to the Board, as appropriate.’

2.9 Responsibility for the ARC to endorse Creative Australia’s Fraud and Corruption Control Policy and Fraud and Corruption Control Plan, monitor compliance, and review internal controls, is documented in Creative Australia’s Fraud and Corruption Control Policy 2024–25.

2.10 The ARC meetings consider risks in the broader Risk Management Update and in the IT/Cyber Security Update. Non-compliance with grant reporting requirements is reported to the ARC every six months in an Outstanding Acquittals paper. Creative Australia advised its ARC in March 2025 that, starting with this meeting, outstanding acquittals relating to the Australian Cultural Fund will be included in the Outstanding Acquittal paper.

2.11 Creative Australia advised the ANAO in October 2024 that active oversight of fraud and corruption control management is provided by the ARC through consideration of updates on risk management every six months, and Creative Australia’s internal audit program.

2.12 Creative Australia advised the ANAO that its internal audit program is determined in response to discussions within its ARC.

2.13 The services provided by BDO Services Pty Ltd⁴⁰ in delivery of Creative Australia’s internal audit program are ‘advisory in nature and do not constitute an assurance engagement’.

Officials are assigned responsibility for managing fraud and corruption risks

2.15 Creative Australia’s Fraud and Corruption Control Policy 2024–25 sets out the responsibilities of relevant officials which include senior executives and Board members. The Fraud and Corruption Control Policy 2024–25 identifies specific officials as ‘Authorised Officers’ under the Public Interest Disclosure Act 2013 which is reflected in Creative Australia’s Authorisations Framework.

2.16 The Authorisations Framework identifies officials with responsibility for Creative Australia’s risk register and reviewing fraud and risk policies. This framework does not identify officials with responsibilities to address corruption risks, or a general responsibility for all Creative Australia officials to comply with Creative Australia’s Fraud and Corruption Control Framework.

Entity identifies structures, processes and officials to manage fraud and corruption risks

2.18 Approved by the ARC⁴¹ in November 2024, the Fraud and Corruption Control Policy 2024–25 and Fraud and Corruption Control Annual Plan forms Creative Australia’s Fraud and Corruption Control Framework. This framework was last issued in June 2022. Creative Australia did not update its June 2022 framework in relation to the acquisition of new functions once performed by the now deregistered Commonwealth company, Creative Partnerships Australia Limited, which Creative Australia commenced performing on 1 July 2023.

2.19 The responsibilities for managing fraud and corruption risks, and the process for reporting suspected incidences of fraud and corruption, are outlined in Creative Australia’s Fraud and Corruption Control Policy 2024–25.

2.20 The 2024 Commonwealth Framework outlines the application of the rule, policy and guidance with respect to different types of Australian Government entities. While the policy and guidance are not binding to CCEs, adhering to these will assist CCEs to meet their obligations under the NACC Act.⁴² Creative Australia’s updated Fraud and Corruption Control Policy 2024–25 does not fully incorporate corruption to all relevant sections, does not include a reference to the NACC Act, and the definition of corruption is not consistent with the provisions made in the NACC Act.

Has the entity appropriately assessed its fraud and corruption risks?

2.21 Table 2.2 presents an assessment of Creative Australia’s approach to applying the Fraud and Corruption Rule, Policy and Guidance in relation to conducting risk assessments.

Table 2.2: Assessment against the Fraud and Corruption Framework — risk assessment

Key: ◆ Fully compliant ▲ Partly compliant ■ Not compliant

Note a: For CCEs, the Fraud and Corruption Rule is mandatory, the Fraud and Corruption Policy and Guidance is better practice.

Note b: These requirements are not reflected in the new 2024 Commonwealth Framework. The 2017 Commonwealth Framework remains relevant as the audit scope includes an assessment across 2023–24 and 2024–25.

Source: ANAO analysis of Creative Australia documentation.

Fraud and corruption risk assessments

2.22 Fraud and corruption risk assessments help entities to develop an informed view of where fraud and corruption risks lie and implement fit for purpose arrangements accordingly.⁴³ CCEs must conduct a risk assessment where there is a substantial change in the structure, functions, or activities of the entity and, as better practice, undertake a risk assessment of fraud and corruption risks at least every two years.⁴⁴ The Risk Management Framework does not state the timing or occurrence of any events for undertaking risk assessments.

2.23 Creative Australia’s Fraud and Corruption Control Policy 2024–25 states that a ‘review and update of the Fraud and Corruption Risk Assessment’ is done at least every two years, it does not state that fraud and corruption risk assessments will be undertaken on the occurrence of events referred to in paragraph 2.22. Creative Australia advised the ANAO in December 2024 that this risk assessment is represented by the ‘Internal Audit section of the Fraud Control Work Plan’.

2.24 Payment fraud is documented in Creative Australia’s Fraud and Corruption Annual Work Plan 2024–25 as part of its internal audit program and is focused on the validity of Creative Australia’s payment data and aimed to identify key drivers of risk. It did not constitute a risk assessment. There is no link back to an identified risk in Creative Australia’s risk register and no evidence that the internal audit program follows the four key steps of the risk assessment process outlined in the Commonwealth Fraud Prevention Centre’s ‘Fraud Risk Assessment Leading Practice Guide’.⁴⁵

2.25 Creative Australia uses a third-party risk register application called ‘Lighthouse’ to record and manage its fraud and corruption risks. To prepare the Risk Management Report for its ARC, Creative Australia reviews the risks recorded in its risk register every six months, consistent with what is stated in its Risk Management Framework Policy.

2.26 Creative Australia advised the ANAO in December 2024 that the risk register is updated following changes resulting from meetings with each risk owner. In these meetings, senior executives are able to recommend or report new risks. Creative Australia further advised that the top ten risks are reviewed by senior executives collectively in these meetings. Meeting decisions and outcomes are not documented. A Risk Management Update report is prepared and presented every six months to Creative Australia’s ARC.

2.27 Creative Australia has not documented a process for the identification and review of risks.

Fraud and corruption control as part of the risk management framework

2.29 Creative Australia’s Fraud and Corruption Control Policy 2024–25 states that it is to be read in conjunction with its Risk Management Framework Policy. This Risk Management Framework Policy describes the activities of Creative Australia’s Risk Management Process. Four activities described are: establishing context; identifying risks; analysing risk; and evaluating risk.

2.30 Creative Australia complies with the Risk Management Framework Policy’s requirement to determine a risk rating based on its consequence and likelihood matrices and provide an ‘overall risk rating’. Creative Australia also scans its external environment for risks associated with fraud and corruption through subscriptions to newsletters and academic journals.

2.31 No changes were made to fraud and corruption risks, nor any fraud and corruption risks added, after Creative Australia absorbed the functions and activities of Creative Partnerships Australia on 1 July 2023. In the Policy Register update in August 2023 to the ARC, Creative Australia reports that its Fraud Control Policy remains ‘fit for purpose’. No changes were made to the Fraud Control Policy until November 2024.

Risk, fraud and corruption control standards

2.32 Paragraph 32 of the 2017 Fraud Guidance encourages entities to consider the relevant recognised standards, including the Australian/New Zealand Standard ISO 31000–2009 Risk Management — Principles and Guidelines, Australian Standard AS 8001–2008 Fraud and Corruption Control, and the 2024 Commonwealth Framework. Creative Australia’s Fraud and Corruption Control Policy 2024–25 states that it incorporates methodologies from these standards and that it should be read in conjunction with these standards.

Entity-specific fraud and corruption risk factors

2.33 Creative Australia assigned 56 controls across 13 of its 15 identified fraud and corruption risks. Creative Australia does not categorise its controls as preventative, detective or corrective and does not categorise its fraud and corruption risks as originating from the internal or external environments. The ANAO analysed Creative Australia’s fraud and corruption risks recorded in its risk register, identifying controls with preventative, detective and corrective elements.⁴⁶

2.34 Creative Australia identifies 15 risks in its fraud and corruption risk register. Risks are not identified as either ‘fraud’ or ‘corruption’ and ‘internal’ or ‘external’. The controls identified to mitigate fraud and corruption risks are not categorised as ‘preventative’, ‘detective’, or ‘corrective’. ANAO analysis identified eight internal fraud risks, six external fraud risks, and one combined internal/external fraud risk. There are no internal corruption risks recorded in the risk register.

2.35 There are no fraud or corruption risks connected to key functions other than grants administration. For example, there are no fraud and corruption risks relating to the fundraising approach to grants through the Australia Cultural Fund.⁴⁷ Creative Australia lists the following grants administration fraud risks:

• ‘Funding intentionally used for non-approved purposes/misrepresentation in progress/acquittal reports for funding’;
• ‘Grantee enters incorrect bank details into Fluxx⁴⁸ by error or by a fraudulent entry’; and
• ‘Funding being approved due to conflicts of interest or inducements provided to peers’.

2.36 There are no fraud and corruption risks listed in Creative Australia’s risk register that relate to grants managed in the system, SmartyGrants.

2.37 Creative Australia’s ARC is not able to fulfil its review function and provide assurance to the accountable authority that its fraud and risk control arrangements are appropriate if risk assessments by Creative Australia’s management do not cover all of Creative Australia’s grant programs.⁴⁹

Informing internal audit of fraud and corruption risk

2.40 Creative Australia advised the ANAO in October 2024 that the fraud and corruption component of its internal audit program has pre-determined topics planned for every two years. There is no evidence of fraud and corruption risks being advised to the team delivering Creative Australia’s internal audit program for consideration as part of the audit work program.

Is there an appropriate fraud and corruption control plan and testing of control effectiveness?

2.41 Table 2.3 presents an assessment of Creative Australia’s approach to applying the Fraud and Corruption Rule, Policy and Guidance in relation to fraud and corruption control plans.

Table 2.3: Assessment against the Fraud and Corruption Framework — fraud and corruption control plan

Key: ◆ Fully compliant ▲ Partly compliant ■ Not compliant

Note a: For CCEs, the Fraud and Corruption Rule is mandatory, the Fraud and Corruption Policy and Guidance is better practice.

Source: ANAO analysis of Creative Australia documentation.

Creative Australia’s Fraud and Corruption Control Annual Plan

2.42 There was no fraud plan in place for 2023–24.⁵⁰ Creative Australia considered its 2022–23 plan remained fit for purpose (see paragraph 2.31). Creative Australia’s Fraud and Corruption Control Annual Plan 2024–25 outlines the fraud and corruption activities planned over the course of 2024–25. This plan is not informed by identified fraud and corruption risks, risk assessments, or their controls.

Review and testing of control effectiveness

Updates to the fraud and corruption control plan

2.43 Creative Australia updated its Fraud Control Annual Plan 2022–23 to the Fraud and Corruption Control Annual Plan 2024–25 by including references to corruption, that all officials receive fraud and corruption training, and regular review of fraud and corruption control actions.

2.44 The Fraud and Corruption Control Annual Plan 2024–25 has not been updated in relation to risk assessments, or to reflect functions that were absorbed as part of the transition of functions from Creative Partnership Australia Limited to Creative Australia on 1 July 2023.

Regular testing of fraud and corruption control effectiveness

2.45 As of 27 November 2024, Creative Australia has assessed 10 of its 56 fraud and corruption controls as effective, 42 as mostly effective and two as partly effective. No controls were assessed as not effective. Two controls did not have a rating.

2.46 Creative Australia engages third-party providers, Centorrino Technologies, to undertake periodic ICT security testing, and Content Security, to respond to cyber incidents and perform penetration testing.⁵¹ Centorrino Technologies does not provide a full report of the results of its security testing with Creative Australia.

2.47 There is no documented evidence, outside of what is recorded in its risk register, that Creative Australia tests the effectiveness of its controls for fraud and corruption risks. The team delivering Creative Australia’s internal audit program noted that there is no specific testing for fraud but noted annual penetration testing is conducted on Creative Australia’s third-party systems. Creative Australia advised the ANAO in March 2025, that effectiveness ratings are a ‘subjective’ decision made by the risk owner and is based on knowledge of the risk environment.

Internal audit activities related to fraud and corruption controls

2.48 As part of Creative Australia’s internal audit program a review of fraud and corruption controls is completed every two years. The most recent review on this topic was completed in August 2023 and covered four ‘key control elements’:

• conflicts of interest register;
• payments approvals and segregation of duties;
• grants assessment process; and
• system user access settings and authority limits.

2.49 Creative Australia has not documented how these elements were determined, and does not include a list of controls in its annual fraud and corruption control plan. Twelve areas were highlighted for improvement as a result of the review (constructed of nine recommendations and three opportunities for improvement). The ARC noted the report in August 2023. Creative Australia maintains a list of recommendations from its internal audit program in its risk management system, Lighthouse.

Design and content of control plan is proportionate to the entity and with its fraud and corruption risks

2.52 Accountable authorities must develop control plans to address fraud and corruption risks.⁵² Control plans should include existing controls that are in place, how these controls mitigate risk, new treatments to be implemented which include timeframes, and control owners.⁵³

2.53 Controls or strategies for fraud and corruption risks recorded in Creative Australia’s risk register are not outlined in its Fraud and Corruption Control Annual Plan 2024–25.

3.1 In exercising its power to provide financial assistance under subsection 12(2) of the Creative Australia Act 2023 (CA Act), Creative Australia is required to use public funds efficiently.⁵⁴ The CA Act requires the Australia Council Board (the Board), the accountable authority with respect to Creative Australia, to ensure the proper and efficient performance of Creative Australia’s functions, delivering on these functions through a range of policies and programs, including the provision of financial assistance.⁵⁵

3.2 Section 10 of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) requires accountable authorities to establish appropriate mechanisms for preventing fraud and corruption, including by ensuring entity officials are aware of what constitutes fraud and corruption and consider fraud and corruption risks when planning and undertaking activities.⁵⁶ While the Fraud and Corruption Guidance does not bind Australian Government entities, as better practice, entities should prioritise prevention as their primary focus, including ensuring that its ‘culture promotes an open and proactive approach to managing fraud and corruption risk’.⁵⁷

Have appropriate mechanisms been established to prevent fraud and corruption?

3.3 Table 3.1 presents an assessment of Creative Australia’s approach to applying the Fraud and Corruption Rule, Policy and Guidance, in relation to fraud and corruption prevention.

Table 3.1: Assessment against the Fraud and Corruption Framework — prevention

Key: ◆ Fully compliant ▲ Partly compliant ■ Not compliant

Note a: For corporate Commonwealth entities (CCEs), the Fraud and Corruption Rule is mandatory, the Fraud and Corruption Policy and Guidance is better practice.

Note b: ANAO did not test the effectiveness of the controls. The analysis is based on Creative Australia’s description of the controls in its risk register, and assessment of Creative Australia’s risk review and internal audit program.

Note c: These requirements are not reflected in the new Commonwealth Fraud and Corruption Control Framework 2024 (2024 Commonwealth Framework). The Commonwealth Fraud Control Framework 2017 (2017 Commonwealth Framework) remains relevant as the audit scope includes an assessment across 2023–24 and 2024–25.

Source: ANAO analysis of Creative Australia documentation.

Effectiveness of prevention controls

3.4 Creative Australia has assigned 56 controls to 13 of its 15 fraud and corruption risks recorded in its risk register. Creative Australia does not categorise its controls as preventative, detective or corrective and does not categorise its fraud and corruption risks as internal or external. The ANAO classified 47 of the 56 controls (84 per cent) as having preventative properties. Two fraud and corruption risks do not have controls in place to reduce the likelihood and/or consequence of the risk occurring, of which one has a ‘high’ risk rating.⁵⁸

3.5 Forty-two controls with preventative properties that are recorded in Creative Australia’s risk register are consistent with the Commonwealth Fraud Prevention Centre’s catalogue of fraud controls. Eight controls with preventative properties also have detective properties; 13 controls with preventative properties contain multiple preventative elements in the one control description.

Table 3.2: Creative Australia’s assessment of its controls with ANAO assessed preventative properties

Source: ANAO categorisation of preventative properties based on the controls recorded in Creative Australia’s Fraud and Corruption Risk Register.

3.6 Creative Australia relies on the reviews undertaken as part of its internal audit program on fraud and corruption risk, that it delivers every two years, to inform the appropriateness and effectiveness of its controls. The Fraud and Corruption Controls Review conducted in August 2023 did not include a measure of control effectiveness in its report provided to Creative Australia’s Audit and Risk Committee (ARC). Creative Australia advised the ANAO in March 2025 that the results from reviews undertaken in its internal audit program inform risk assessments. The process is not documented to demonstrate that the review results inform risk assessments and development of appropriate controls.

3.7 As outlined in paragraphs 2.33 and 2.34, fraud and corruption risks are not mapped to key functions, nor does Creative Australia categorise its controls. Multiple activities are used to describe controls that seek to prevent the occurrence of Creative Australia’s fraud and corruption risks (see paragraph 3.5).

3.10 Paragraphs 2.33, 2.34 and 2.43 to 2.49 of this report discuss the categorisation of controls and how these controls are incorporated into an entity’s fraud and corruption control plan to ensure compliance with paragraph 10(b) of the Fraud and Corruption Rule.

3.11 In designing fraud and corruption controls, the Attorney-General’s Department states that entities should ‘[b]e aware that controls can be breached and therefore it is important to have clear response protocols as part of fraud and corruption prevention’.⁵⁹

3.12 Recommendation numbers 2 and 3 in this report, recommend Creative Australia inform its annual Fraud and Corruption Control Plan through risk assessments and establish a framework for reviewing and testing its fraud and corruption controls.

Fraud and corruption risk considered within Creative Australia’s activities

3.14 The Risk Appetite Statement which is contained in Creative Australia’s Risk Management Framework 2024–25 provides officials guidance on broad risk management considerations to apply when designing and developing new programs and activities.

3.15 The principles which underpin Creative Australia’s risk management states that ‘Risk management is an integral part of all organisational activities.’ The framework details the roles and responsibilities of Creative Australia officials, with the Executive Team being responsible for notifying the Manager Risk and Compliance of any changes in risk levels or new initiatives or projects that may expose Creative Australia to risk.

3.16 The framework refers to ‘fraud and corruption’ in the context of a risk category. It does not integrate corruption further. For example, new starters in the entity are to receive a training session on ‘Risk Management and Fraud Control’, the ARC is to oversee the management of Creative Australia’s ‘business and financial risks, including fraud’, and the purpose of the framework refers to Creative Australia’s obligation to detect fraud as prescribed in the PGPA Rule (section 10).

3.17 Creative Australia advised the ANAO in December 2024 that it undertakes fraud and corruption risk assessments every six months when planning and conducting activities (see paragraphs 2.22 to 2.27).

Documented instructions to prevent, detect and deal with fraud and corruption

3.18 Creative Australia’s Fraud and Corruption Control Framework consists of its Fraud and Corruption Control Policy 2024–25 and Fraud and Corruption Control Annual Plan 2024–25 (see paragraphs 2.18 to 2.20). Embedded in its business-as-usual processes are documented processes and policies that assist Creative Australia officials to manage reported conflicts of interest, receipt of gifts, benefits and tickets, disclosures of public interest, procurement activities, the receipt of private donations and investment decisions, and administration of grant payments. The ACF Policy provides a high-level process for grants and payments, including the return of uncollected funds raised, acquittals, and reporting requirements for funding recipients. The policy states that risks associated with the delivery of the ACF ‘are outlined and treated as part of the Creative Australia Risk Framework’.

3.19 Grant recipients, other than recipients of funding through the ACF are ineligible to apply for future grants where there is an outstanding acquittal report for 13 weeks or more. Recipients of funding through the ACF are ineligible to apply for future support, including coaching and mentoring, where an acquittal report is overdue by 10 weeks or more. Creative Australia advised the ANAO in December 2024 that if a grant recipient is non-compliant in its other grant programs, they are prevented from accessing support through the ACF. Non-compliant ACF participants are not prevented from accessing funding through Creative Australia’s other grant programs.

3.20 Creative Australia’s Fraud and Corruption Control Policy 2024–25 does not document the mechanisms for preventing or detecting fraud and corruption and has not been updated to incorporate the new functions (see paragraphs 2.18 and 2.31).

3.21 The Cyber Security Incident Management Framework consists of the Cyber Security Incident Response Policy and Cyber Security Incident Response Plan. This framework documents how Creative Australia will respond to, and deal with, cyber incidents. Creative Australia treats cyber incidents as potential fraud incidents.

Mitigating the risk of identity fraud

3.22 Creative Australia requires new starters to show identity documents on commencement of their employment. Creative Australia does not retain identity documents of its officials. Creative Australia advised the ANAO in March 2025 that it does not use the Australian Government’s document verification service, IDMatch.

3.23 Creative Australia does not require grant applicants to provide identity documents when applying for grants or funding support. It is not apparent how Creative Australia mitigates the risk of external identity fraud.

Are appropriate mechanisms in place to promote fraud and corruption awareness and a culture of integrity?

3.24 Table 3.3 presents an assessment of Creative Australia’s approach to applying the Fraud and Corruption Rule, Policy and Guidance in relation to fraud and corruption awareness and developing a culture of integrity.

Table 3.3: Assessment against the Fraud and Corruption Framework — awareness and culture of integrity

Key: ◆ Fully compliant ▲ Partly compliant ■ Not compliant

Note a: For CCEs, the Fraud and Corruption Rule is mandatory, the Fraud and Corruption Policy and Guidance is better practice.

Note b: This requirement is not reflected in the new 2024 Commonwealth Framework. The 2017 Commonwealth Framework remains relevant as the audit scope includes an assessment across 2023–24 and 2024–25.

Source: ANAO analysis of Creative Australia documentation.

Fraud and corruption awareness

3.25 Creative Australia’s intranet, which is accessible to all officials, has a page titled ‘Risk Management and Fraud & Corruption’. This page provides links to risk management documents and software, the Fraud and Corruption Control Policy 2024–25 and Fraud and Corruption Control Annual Plan 2024–25, and public risk management and fraud resources. This is consistent with Creative Australia’s Fraud and Corruption Control Policy.

3.26 Creative Australia has a Cyber Security Information Hub available for its officials on its intranet. This page provides information about Cyber Security training, how to report incidents, contact information of relevant officials and general information about cyber security.

Fraud and corruption integrity training

3.27 Creative Australia assigns annual, mandatory Cyber Security Awareness training to its officials. Under its Risk Management Framework, Creative Australia’s policy is to require new officials to undertake Risk Management and Fraud and Corruption Awareness induction training, and all officials to complete annual risk management refresher training. Creative Australia does not have Risk Management and Fraud and Corruption refresher training available to its officials.

3.28 Creative Australia delivered induction training on Risk Management and Fraud Control to nine officials in July 2023. Fraud and corruption induction training to new starters was not delivered between August 2023 and February 2025. In November 2024, Creative Australia updated its induction training material to incorporate corruption. Forty-two of 54 new officials attended training on 4 and 5 February 2025.

3.29 Creative Australia compiled the list of required attendees for the July 2023 induction training manually. Creative Australia advised the ANAO in March 2025 that it had moved to recording training records in its Human Resources management system going forward. Creative Australia advised the ANAO in March 2025 that it still needs to determine which new starters have not completed training by manually comparing a list of new starters from the same system.

3.30 Cyber Security Awareness training was assigned to 114 officials in December 2023, with 87 members completing the self-paced online training between December 2023 and July 2024. There is no evidence that the remaining 27 officials have completed, or are still required to complete, the training.

Outreach programs

3.31 Creative Australia’s Conflicts of Interest and Confidentiality Policy, Public Interest Disclosure Policy and Code of Conduct are available on its website. The ACF website does not provide access to information on fraud or corruption policies or responsibilities for external parties.⁶⁰ The ‘Frequently Asked Questions’ page on the ACF website provides guidance on topics such as who can donate to a project or whether a project participant can donate. This page does not reference fraud or corruption.

3.32 The Fraud and Corruption Control Policy 2024–25 states that the Fraud and Corruption Control Policy and the Fraud and Corruption Annual Control Plan are ‘made available to external parties where appropriate so that officials, peers and external parties are aware of their obligations to identify and report fraud and corruption or suspected fraud and corruption’. There is no mechanism on Creative Australia’s website to request a copy of these documents and Creative Australia has recorded no instances of its Fraud and Corruption Control Policy 2024–25 and Annual Control Plan being made available to external parties.

3.33 Creative Australia advises external parties of their obligations with respect to fraud and corruption through service agreements for contractors, a handbook for industry peer panels⁶¹, and funding agreements for grant recipients. A grant funding agreement requires grant recipients to comply with applicable laws, including the National Anti-Corruption Commission Act 2022.

Monitoring and evaluation of fraud and corruption awareness initiatives

3.34 Creative Australia advised the ANAO in October 2024 that its training and awareness materials are evaluated as part of its internal audit program. The August 2023 Fraud and Corruption Controls Review recommended Creative Australia update its training materials to better reflect its business needs and implement refresher training. The training updates planned by Creative Australia are referred to in paragraphs 3.27 and 3.28.

3.35 Creative Australia does not evaluate its awareness and training initiatives to determine whether its officials have an improved understanding and awareness of fraud and corruption control and their responsibilities as Creative Australia officials.

Has appropriate training been provided to officials with fraud and corruption responsibilities?

3.37 Table 3.4 presents an assessment of Creative Australia’s approach to applying the Fraud and Corruption Rule, Policy and Guidance in relation to training and qualifications for officials with fraud and corruption control responsibilities.

Table 3.4: Assessment against the Fraud and Corruption Framework — fraud and corruption training

Key: ◆ Fully compliant ▲ Partly compliant ■ Not compliant

Note a: For CCEs, the Fraud and Corruption Rule is mandatory, the Fraud and Corruption Policy and Guidance is better practice.

Note b: Creative Australia has not received a report of, or detected, a suspected incident of fraud or corruption, has not undertaken a fraud or corruption investigation, and not recorded an incident of fraud or corruption.

Note c: Creative Australia officials with responsibility for managing fraud and corruption risks are not primarily engaged in fraud and corruption risk management activities.

Note d: This requirement is not reflected in the new 2024 Commonwealth Framework. The 2017 Commonwealth Framework remains relevant as the audit scope includes an assessment across 2023–24 and 2024–25.

Source: ANAO analysis of Creative Australia documentation.

Officials with fraud and corruption responsibilities

3.38 Outlined in paragraphs 2.15 and 2.16, Creative Australia has set out fraud and corruption risk management responsibilities for relevant officials. Creative Australia has officials who fill positions on the Board and the ARC, and officials occupying the relevant roles that are outlined in its Fraud and Corruption Control Policy 2024–25.

3.39 Creative Australia’s Authorisations Framework outlines responsibilities other than fraud and corruption risk management for its officials with fraud and corruption risk management responsibilities.

Fraud and corruption investigator qualifications

3.40 Creative Australia advised the ANAO in March 2025 that it has not received reports of fraud or corruption and has subsequently not undertaken an investigation (see paragraph 1.7).

3.41 The 2022 Australian Government Investigations Standards provide that, for investigations within the Australian Government, ‘a vocational and educational training (VET) qualification must be obtained, unless another qualification or internal training is determined as equivalent.’⁶² Creative Australia does not have officials qualified to undertake fraud and corruption investigations.

3.42 In its Fraud and Corruption Control Policy 2024–25, Creative Australia states that ‘appropriately experienced and qualified investigators’ will be engaged to carry out an investigation in the event of a suspected case.

Fraud and corruption control official qualifications

3.43 It is recommended that officials who are primarily employed to prevent, detect and investigate fraud and corruption have appropriate qualifications, including a Certificate IV in Government Security and Diploma of Fraud Control.⁶³

3.44 Creative Australia officials with responsibility for managing fraud and corruption risks are not primarily employed to prevent, detect and investigate fraud and corruption.

Professional development relating to fraud and corruption control

3.45 Outlined in paragraph 3.44 above, Creative Australia does not have officials employed primarily to manage fraud and corruption risks. The Fraud and Corruption Policy, at paragraph 4.3, requires non-corporate Commonwealth entities to ensure an appropriate level of capability is maintained to effectively manage fraud and corruption risks. CCEs are encouraged to implement the Fraud and Corruption Policy.⁶⁴

3.46 Creative Australia does not have a framework in place to support officials with responsibility to manage fraud and corruption risks to undertake ongoing professional development. Creative Australia officials with responsibility to manage fraud and corruption risks have not undertaken relevant professional development.

4.1 The Commonwealth Fraud and Corruption Control Framework 2024 requires entities to have appropriate mechanisms for detecting, investigating, recording and reporting incidents of fraud and corruption or suspected fraud and corruption.⁶⁵

Have appropriate mechanisms been established to detect fraud and corruption?

4.2 Table 4.1 presents an assessment of Creative Australia’s approach to applying the Fraud and Corruption Rule and Guidance in relation to fraud and corruption detection.

Table 4.1: Assessment against the Fraud and Corruption Framework — detection

Key: ◆ Fully compliant ▲ Partly compliant ■ Not compliant

Note a: For corporate Commonwealth entities (CCEs), the Fraud and Corruption Rule is mandatory, the Fraud and Corruption Policy and Guidance is better practice.

Note b: ANAO did not test the effectiveness of the controls. The analysis is based on Creative Australia’s description of the controls in its risk register, and assessment of Creative Australia’s risk review and internal audit program.

Source: ANAO analysis of Creative Australia documentation.

Effectiveness of detective controls

4.3 The impact of Creative Australia not identifying its internal and external risks and assigned controls with preventative elements is discussed in paragraphs 3.4 to 3.12.

4.4 All 15 controls considered by the ANAO to contain detective properties⁶⁶ are recorded in Creative Australia’s risk register and are consistent with the Commonwealth Fraud Prevention Centre’s catalogue of fraud controls. Nine of the 15 controls with detective properties also contain preventative properties and 11 controls with detective properties contain multiple detective control mechanisms described in the one control description.

Table 4.2: Creative Australia’s assessment of its controls with ANAO assessed detective properties

Source: ANAO categorisation of detection properties based on controls recorded in Creative Australia’s Fraud and Corruption Risk Register.

4.5 Creative Australia tests its ICT systems using third-party providers (see paragraph 2.46). Creative Australia reported the outcome of the 2024 penetration tests of its ICT security to its Audit and Risk Committee (ARC) in August 2024, with eight recommendations being made to bolster Creative Australia’s internal networks. An assessment of effectiveness was not made at the time of testing Creative Australia’s ICT detective controls.

4.6 Creative Australia does not test its controls outside of its internal audit program and penetration testing of its ICT environment (see paragraphs 2.45 to 2.47).

Reporting processes for suspected fraud and corruption

4.7 Creative Australia’s Public Interest Disclosure Policy is available on its website⁶⁷ and contains procedures for facilitating and dealing with public interest disclosures. This process provides current and former government officials a mechanism to report suspected fraud and corruption. New officials are instructed on how to report suspicious activity in induction training. Creative Australia’s Fraud and Corruption Control Policy 2024–25 documents reporting and recording fraud and corruption incidents including the roles and responsibilities of its officials. The process by which Creative Australia officials can report cyber security incidents is included in Creative Australia’s Cyber Security Incident Response Plan.

4.8 There is no mechanism or documented process for external parties to provide an anonymous tip-off to report suspected cases of fraud or corruption via its website or procedures should anyone wish to make an anonymous tip-off. Creative Australia officials are directed to report suspected fraud or corruption to appointed senior officials. If not comfortable with the appointed senior officials, staff can also report a case of suspected fraud to their manager, the Chief Executive Officer, or an authorised officer of another Australian Government entity.

4.9 Creative Australia advised the ANAO in March 2025 that it has not received reports of actual or suspected fraud or corruption since the implementation of its Fraud Control Policy in 2016.

Other measures to detect fraud and corruption

4.12 Creative Australia advised the ANAO in March 2025 that it has ‘a much better understanding of [its] fraud and corruption environment as a result of analysis undertaken as part of the internal audit program’ which is delivered every two years as a detection control for fraud and corruption.

4.13 The review of Creative Australia’s payment fraud in November 2024 by its internal audit program provider, examined and evaluated Creative Australia’s payment processes and conducted data analysis to identify trends that indicate a higher risk of fraud. The review team was not able to complete its analysis due to source data limitations. The results reported in the report, where analysis was possible, highlighted opportunities to enhance detection processes through better data collection. The review team ‘did not note a heightened fraud risk within the payments process’.

4.14 Creative Australia engaged a service provider to develop a Cyber Security Response Policy and Incident Response Plan in September 2023. The policy has been approved by Creative Australia’s Executive. The Cyber Security Incident Management Framework, which includes the policy and plan, was released in March 2024.

4.15 Creative Australia examines grant and funding information as part of its processes. Reporting requirements for multi-year investment grants are greater than reporting requirements for general grants and the ACF. For grants, other than through the ACF, cases are reported to the ARC where grant recipients have not met reporting requirements for more than 30 weeks. From March 2025, Creative Australia reported data relating to ACF acquittals to its ARC. Cases of non-compliant ACF funding recipients are not reported to the ARC. Creative Australia does not consider non-compliance with grant requirements as an indicator of potential fraud.

4.16 Outlined in paragraph 3.19, non-compliant grant recipients who have received grants other than through the ACF, are not prevented from accessing funding through the ACF. There is no robust process for detecting potential cases of fraud in its grants program, including in the ACF. For example, Creative Australia does not use random or targeted audits of its grant recipients’ acquittal reports, or fraud detection software, which may help identify when fraud has occurred in its grants program.⁶⁸ The process that Creative Australia undertakes when following up on non-compliance in its grants program is discussed further at paragraphs 4.28 and 4.29.

Have appropriate mechanisms been established to investigate and respond to fraud and corruption?

4.18 Table 4.3 presents an assessment of Creative Australia’s approach to applying the Fraud and Corruption Rule and Policy in relation to investigating and responding to fraud and corruption.

Table 4.3: Assessment against the Fraud and Corruption Framework — investigation and response

Key: ◆ Fully compliant ▲ Partly compliant ■ Not compliant

Note a: For CCEs, the Fraud and Corruption Rule is mandatory, the Fraud and Corruption Policy and Guidance is better practice.

Note b: Creative Australia has not received a report of, or detected, a suspected incident of fraud or corruption, has not undertaken a fraud or corruption investigation, and not recorded an incident of fraud or corruption.

Note c: While this requirement is not mandatory under the Commonwealth Fraud and Corruption Control Framework, the Public Governance, Performance and Accountability Act 2013 states that accountable authorities must govern the entity in a way that promotes the proper use and management of public resources (subsection 15(1)) and must consider the effect of decisions on public resources (subsection 15(s)).

Source: ANAO analysis of Creative Australia documentation.

Investigating suspected fraud and corruption

4.19 Creative Australia advised the ANAO in March 2025 that it has not received any reports, or detected suspected incidents of, fraud or corruption since the implementation of its Fraud Control Policy in 2016. Creative Australia further advised in October 2024, that it has not undertaken an investigation of suspected internal or external fraud or corruption.

4.20 In the November 2024 review of payment fraud, payments were found to be made to payees who were not registered in Creative Australia’s payment system. In response to the findings in this review, Creative Australia considered that it was a ‘reasonable likelihood’ that the details were updated to the system after the payment run. Creative Australia advised the ANAO in March 2025 that it reviewed each payment live in the system and concluded no fraudulent payments occurred. Creative Australia could not say when the assessment was made as it was not documented at the time.

Established and documented criteria for making decisions in the management of fraud and corruption investigations

Documented procedures for fraud and corruption investigations

4.21 Creative Australia’s policy for undertaking investigations of suspected cases of fraud and corruption is documented in the Fraud and Corruption Control Policy 2024–25, stating that all suspected cases of fraud and corruption will be handled, investigated and dealt with in a professional and prompt manner, using trained investigators where appropriate.

4.22 The Executive Director, Corporate Resources is responsible for maintaining fraud and corruption investigation procedures, managing investigations and initiating disciplinary or legal action upon advice. Creative Australia advised the ANAO in March 2025 that it does not maintain procedures to undertake fraud and corruption investigations.

Documented decisions for response to fraud and corruption

4.23 A Fraud and Corruption Incident Register has been developed as part of Creative Australia’s risk management system (see paragraph 4.42). The register contains a field ‘Action taken following discovery of an event’. Creative Australia’s incident register does not contain records and the field to record the actions taken in response to an incident is a free text field with no pre-determined options to record decisions (see paragraph 1.7).

Referral of serious and complex fraud and corruption

4.24 Creative Australia advised in March 2025 that it has not had a reported case of suspected fraud and corruption and subsequently has not referred any cases to the AFP. Creative Australia’s Fraud and Corruption Control Policy 2024–25 states that ‘investigations may be referred to the Australian Federal Police, in accordance with detailed guidelines’. Creative Australia advised the ANAO in March 2025 that it does not have guidelines to follow when deciding when to refer an investigation.

Measures to recover financial losses

4.26 Creative Australia advised the ANAO in March 2025 that it does not consider non-compliance with grant requirements as an indicator of potential fraud and that it takes all reasonable steps to recover financial losses. As outlined in paragraph 4.15, Creative Australia has processes in place to review instances where grant recipients have not met acquittal requirements.

4.27 Creative Australia requires grant recipients to repay unexpended funds, offering options such as a repayment plan. Decisions not to recover unexpended funds over $1,000 ‘are made on a case-by-case basis and require judgement as to how the principles described in the Acquittal Policy are applied’. No debts were waived during the period covered by this audit.

4.28 Creative Australia’s Acquittal Policy outlines the process for officials to follow in response to grant recipients’ non-compliance with reporting requirements. Officials are required to review outstanding grant reports; monitor follow up actions; and change the status of grants. Grant recipients are reminded of their reporting obligations via email at their project completion date, and then eight weeks, 13 weeks, and 20 weeks past their project completion date. When reporting is 13 weeks overdue, grant recipients are excluded from accessing future grant funding.

4.29 If an acquittal report is unsatisfactory after 20 weeks from a project end date, officials prepare a 20-week letter and attach an invoice for the return of grant funds. If an acquittal report remains outstanding at 30 weeks past the project end date, officials prepare a 30-week letter, report the overdue report to its ARC and consider a recommendation on further action which can include deeming the funds were appropriately expended, ceasing any further action in pursuit of the acquittal report, pursue debt recovery, or waive the requirement to provide an acquittal report.

4.30 As discussed in paragraph 4.15, Creative Australia does not have a robust detection control system in place to detect fraud in its grants programs.

4.31 Case study 1 highlights Creative Australia’s action on an outstanding debt.

Note a: Creative Australia advised its ARC of one debt recovery action, which was recommended and agreed to, throughout the period of scope for this performance audit.

4.32 There are limitations in Creative Australia’s grant system that prevent extraction and analysis of the number of acquittal reports that have been received late. The ANAO analysed data relating to grants with an agreed completion date between 1 January 2022 and 30 November 2024.

4.33 Table 4.4 details the total value of grant funding relating to projects, other than ACF projects, and the value of that funding that has not yet been acquitted. In 2024, $2.0 million of $4.4 million in funding relating to acquittal reports not received and more than 13 weeks passed the project end date, are not categorised by Creative Australia as overdue. Creative Australia advised the ANAO in April 2025 that the process to identify an overdue acquittal report is manual and that the most common reason that a report is not yet identified as overdue is because the submitted acquittal report has not yet been finalised for ‘various reasons’, including processing backlogs or complexity.

Table 4.4: Grant funding that is not yet acquitted (excluding ACF funding)^a

Note a: Projects where Creative Australia has waived the requirement to submit an acquittal are taken to have been acquitted.

Note b: Projects due for completion in December 2024 have been excluded from analysis as acquittal reports become overdue after data was provided to the ANAO.

Source: ANAO analysis of Creative Australia grant data.

4.34 Section 18 of the Creative Australia Act 2023 outlines the Australia Council Board’s responsibility to ensure proper and efficient performance of Creative Australia’s functions. The Public Governance, Performance and Accountability Act 2013 (PGPA Act), at section 15, states that accountable authorities must govern the entity in a way that promotes the proper use and management of public resources (subsection 15(1)) and to consider the effect of decisions on public resources (subsection 15(2)).

Have appropriate mechanisms been established to record and report fraud and corruption?

4.37 Table 4.5 presents an assessment of Creative Australia’s approach to its reporting requirements under the PGPA Act, the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule), and the Fraud and Corruption Policy.

Table 4.5: Assessment against the Fraud and Corruption Framework — fraud and corruption reporting

Key: ◆ Fully compliant ▲ Partly compliant ■ Not compliant

Note a: For CCEs, the Fraud and Corruption Rule is mandatory, the Fraud and Corruption Policy and Guidance is better practice.

Note b: Creative Australia has not received a report of, or detected, a suspected incident of fraud or corruption, has not undertaken a fraud or corruption investigation, and not recorded an incident of fraud or corruption.

Source: ANAO analysis of Creative Australia documentation.

Reporting incidents of fraud and corruption to relevant ministers

4.38 There have been no incidents of fraud or corruption reported by Creative Australia and as such, no incidents have been reported to the relevant minister.

Annual reporting requirements

4.39 Creative Australia has met the reporting requirements set out in the PGPA Rule (section 17BE) in 2023–24 by reporting that it had ‘no significant events in the context of the PGPA Act (section 19) occurred during 2023–24.’⁶⁹

Procedures to record and manage information gathered about fraud and corruption

4.40 There have been no incidents of fraud or corruption reported by Creative Australia.

Fraud and corruption incident registers

4.41 In the event of receiving a report of fraud or corruption, or suspected fraud or corruption, Creative Australia has developed an incident register. The register fields are:

• official who is submitting the record;
• date reported;
• date of the incident;
• time the incident was detected;
• how management became aware of the incident;
• nature of the incident;
• value of loss to Creative Australia; and
• action taken.

Analysis of fraud and corruption incidents

4.42 There are no entries in Creative Australia’s Fraud and Corruption Incident Register.

Reporting to the Australian Institute of Criminology

4.43 Paragraph 8.5 of the Fraud and Corruption Policy states that Australian Government entities must provide information for the previous financial year in the form requested by the Australian Institute of Criminology (AIC). This information must be provided to the AIC by the date requested each year.⁷⁰

4.44 The 2017 Commonwealth Fraud Policy specifies that responses to the AIC census are due by 30 September each year.⁷¹ The 2024 Fraud and Corruption Policy specifies that responses to the AIC census are due ‘by the date specified by the AIC each year’.⁷² The dates specified by the AIC by which Creative Australia had to submit its census responses were 27 October 2023 and 1 November 2024 for the 2022–23 and 2023–24 censuses, respectively. Creative Australia submitted its 2022–23 census response on 6 October 2023 and its 2023–24 census response on 29 October 2024.

Disclosures of potential criminal activity to other entities

4.45 Creative Australia advised the ANAO in October 2024 that it did not detect potential fraud or corruption that may impact on the activities and responsibilities of another entity.

Appendix 1 Entity response

Appendix 2 Improvements observed by the ANAO

1. The existence of independent external audit, and the accompanying potential for scrutiny improves performance. Improvements in administrative and management practices usually occur: in anticipation of ANAO audit activity; during an audit engagement; as interim findings are made; and/or after the audit has been completed and formal findings are communicated.

2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts. The ANAO’s corporate plan states that the ANAO’s annual performance statements will provide a narrative that will consider, amongst other matters, analysis of key improvements made by entities during a performance audit process based on information included in tabled performance audit reports.

3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:

• strengthening governance arrangements;
• introducing or revising policies, strategies, guidelines or administrative processes; and
• initiating reviews or investigations.

4. In this context, the below actions were observed by the ANAO during the course of the audit. It is not clear whether these actions and/or the timing of these actions were planned in response to proposed or actual audit activity. The ANAO has not sought to obtain assurance over the source of these actions or whether they have been appropriately implemented.

• In November 2024, Creative Australia updated its induction training material to incorporate corruption (see paragraph 3.28).
• From March 2025, outstanding acquittals relating to the Australian Cultural Fund will be included in updates to the ARC (see paragraph 2.10).
• Advised to the ANAO in March 2025, Creative Australia has moved to recording training records in its Human Resources management system going forward (see paragraph 3.29).