Audit snapshot

Why did we do this audit?

  • Fraud against the Commonwealth makes less money available for public goods and services.
  • All Commonwealth entities are required to have arrangements in place to prevent, detect and deal with fraud.
  • This audit is part of a series of three audits intended to provide assurance to Parliament on the selected entities’ fraud control arrangements, and assist other entities to consider the effectiveness of their fraud control arrangements.

Key facts

  • The Australian Government has set out its requirements for fraud control in the 2017 Commonwealth Fraud Control Framework.
  • All non-corporate Commonwealth entities are required to follow the framework’s fraud policy and should implement better practice fraud guidance, as relevant
  • As the accountable authority, the department’s Secretary is required to take all reasonable measures to prevent, detect and deal with fraud against the department.

What did we find?

  • Fraud control arrangements in the Department of Social Services are largely effective.
  • The department’s arrangements comply with the mandatory requirements of the Commonwealth Fraud Control Framework.
  • The department has also implemented arrangements that are largely consistent with the whole of government better practice fraud guidance.
  • The accountable authority has promoted a fraud aware culture.

What did we recommend?

  • The Auditor-General made two recommendations to the Department of Social Services, to document aspects of its fraud control processes, and provide a higher level of assurance to the Parliament about its fraud control arrangements.
  • The Department agreed to the recommendations.

96%

The proportion of staff that have completed mandatory fraud awareness training.

14

The number of finalised fraud investigations in 2018–19.

8 (57%)

The number of finalised investigations first identified through staff member detection.

Summary and recommendations

Background

1. The Australian Government (the government) defines fraud as:

Dishonestly obtaining a benefit or causing a loss by deception or other means.1

2. Fraud requires intent, and is more than carelessness, accident or error. Without intent, an incident may indicate non-compliance rather than fraud.2

3. Fraud against the Commonwealth can be committed by Commonwealth officials or contractors (internal fraud) or by external parties such as clients, service providers, members of the public or organised criminal groups (external fraud).3 In some cases fraud against the Commonwealth may involve collusion between external and internal parties, and can include corrupt conduct such as bribery. However, not all corrupt conduct meets the definition of fraud.4

4. Australian Government entities have long been required to establish arrangements to manage fraud risks. The government’s requirements for fraud control are contained in the 2017 Commonwealth Fraud Control Framework5 (the Framework) pursuant to the Public Governance, Performance and Accountability Act 2013 (PGPA Act). The Framework comprises three tiered documents — the fraud rule, fraud policy and fraud guidance — with different binding effects for corporate and non-corporate Commonwealth entities.6 The Attorney-General’s Department is responsible for administering the Framework.

5. As non-corporate Commonwealth entities, Australian Government departments must comply with the fraud rule and fraud policy. While the fraud guidance is not binding, the government considers the guidance to be better practice and expects entities to follow it where appropriate.7

6. This audit is one in a series of three performance audits reviewing fraud control arrangements in selected departments — the Department of Social Services, the Department of Foreign Affairs and Trade and the Department of Home Affairs. The focus of this audit report is the Department of Social Services.

Rationale for undertaking the audit

7. This audit series is intended to provide assurance to the Parliament regarding the fraud control arrangements of selected Australian Government departments. All Commonwealth entities are required to have fraud control arrangements in place because preventing, detecting and responding to fraud against the Commonwealth is necessary to ensure the proper use of public resources, financial and material losses are minimised, and public confidence is maintained. In addition, this audit series aims to assist all Commonwealth entities to consider the effectiveness of their fraud control arrangements, including areas where additional effort would improve consistency with whole of government better practice fraud guidance (discussed in paragraph 5) and the take-up of whole of government advice on new and emerging fraud risks (discussed in paragraph 10).

Audit objective and criteria

8. The objective of the audit was to assess the effectiveness of the Department of Social Services’ fraud control arrangements. The high level audit criteria were that the department:

  • complies with the mandatory requirements set out in the Commonwealth Fraud Control Framework and arrangements are consistent with the government’s better practice guidance; and
  • promotes a fraud aware culture.

9. The ANAO did not assess whether specific controls are in place or the effectiveness of such controls in the selected entity.8

10. The ANAO reviewed fraud control arrangements in place within the department during the period of audit fieldwork, September 2019 to early February 2020. On 18 February 2020 the Australian Government activated the Emergency Response Plan for Novel Coronavirus (COVID-19).9 On 27 March 2020 the Australian Federal Police’s Operation Ashiba and the Commonwealth Counter Fraud Prevention Centre in the Attorney-General’s Department established the Commonwealth COVID-19 Counter Fraud Taskforce intended to support Commonwealth agencies to prevent fraud against the COVID-19 economic stimulus measures.10 The Commonwealth Fraud Prevention Centre circulated the Fraud Control in COVID-19 Emergency and Crisis Management fact sheet to Commonwealth entities, with information about key fraud risks related to COVID-19 response efforts.

11. The Department of Social Services was invited by the ANAO to make a representation in relation to its current or planned arrangements to address increased fraud risks resulting from the COVID-19 response. The department advised the ANAO in May 2020 that:

The department has been assessing and monitoring the increased fraud risk as a result of the COVID-19 response. The department is continuing to work with the Commonwealth Fraud Prevention Centre and COVID-19 Counter Fraud Taskforce to strengthen the department’s control environment and implement new countermeasures to prevent fraud.

Guidance provided by the COVID-19 Counter Fraud Taskforce to assist in implementing fraud countermeasures during COVID-19 has informed the department’s approach to addressing the increased fraud risk. This includes building awareness of fraud risks, implementing low friction countermeasures to prevent fraud where possible and carrying out targeted assurance checks to identify instances of fraud.

Conclusion

12. Fraud control arrangements in the Department of Social Services are largely effective. The department’s arrangements comply with the mandatory requirements of the Commonwealth Fraud Control Framework, are largely consistent with the whole of government better practice fraud guidance, and the accountable authority has taken steps to promote a fraud aware culture. Further attention is required to document a formal assurance mechanism between fraud risk and control owners, and to provide the expected level of assurance in the department’s annual fraud certification.

13. The department has developed and implemented a fraud control framework, conducted fraud risk assessments, and has guidance and procedures to assist departmental staff to understand what constitutes fraud and to carry out their fraud prevention responsibilities. The department has also included performance indicators and an annual work program in its fraud control framework to assist it to monitor and review its fraud control arrangements.

14. The department has mechanisms in place to assess its fraud risks but has not fully addressed all fraud risks assessed as ‘high’ risk. The department’s oversight of its fraud controls would be strengthened by documenting fraud control and treatment owners in its fraud risk assessments, and documenting a process for control owners to provide assurance to risk owners about control effectiveness.

15. The department has put in place controls to detect fraud, including reporting channels for use by staff and members of the public and the use of data analytics. The department’s fraud investigation procedures are consistent with the Australian Government Investigations Standards.

16. The department has taken steps to promote a fraud aware culture and met the reporting requirements set out in the framework. The department’s certification in the two most recent annual reports provided a lower level of assurance to Parliament than is expected under the PGPA Rule.

Supporting findings

Risk management, planning and prevention

17. Fraud risk is considered within the context of the department’s overarching enterprise risk management framework. Fraud risk is categorised as a ‘specialist risk’. This means fraud risks need to be considered by officers with a thorough understanding of the subject matter. The department’s fraud control officers assist policy and program areas to consider fraud risk and to conduct fraud risk assessments. The department’s fraud control arrangements are set out in a fraud control framework that includes a fraud control plan, an annual work program and performance indicators intended to measure the success of its fraud control arrangements.

18. The department could more closely align to the whole of government fraud guidance by including a summary of the department’s fraud risks in its fraud control plan. Having this summary would assist staff to fulfil their responsibilities under the fraud control plan to report suspected fraud by providing a departmental-level overview of such risks.

19. The department has identified fraud risks and conducted fraud risk assessments at regular intervals. Fraud risk assessments cover risks related to internal operations that occur across the department, such as financial management and procurement, as well as risks specific to individual programs. The department’s fraud control officers, who assist departmental staff to undertake fraud risk assessments, have or are working towards acquiring qualifications in fraud investigations and fraud control.

20. Fraud risks are assessed and given a fraud risk exposure rating based on the likelihood and consequences of the risk occurring but the department has not fully addressed all fraud risks assessed as ‘high’ risk. The department determines whether risks are ‘acceptable’ or ‘unacceptable’ but does not document the rationale for deciding that certain ‘high’ risks are ‘acceptable’. Eight of the department’s 15 ‘high’ fraud risks that it had assessed as ‘unacceptable’ either did not have treatments identified to reduce the risk or those treatments were insufficient to reduce the risk exposure rating. The department has identified fraud risks that are shared with Services Australia and, in its capacity as administrator of the government’s Community Grants Hub, has drafted but not yet finalised protocols for the management of fraud risks by client services.

21. The department has a range of preventive controls in place and tests its controls to ensure they are operational. The department’s risk framework sets out responsibilities for risk, control and treatment owners but does not document either the control or treatment owner in the risk assessment. While the department has a process to identify improvements to existing controls, to meet the fraud guidance it should document a process for control owners to provide assurance to risk owners that the controls in place are useful, necessary and effective.

Detection, investigation and response

22. The department uses a range of detective controls to find fraud. These include processes for departmental staff and members of the public to confidentially report allegations of fraud. The main detection method for internal and external fraud investigations, finalised in 2018–19, was through staff member detection. The department also identifies fraud through other detective controls such as internal audits and data analytics. These detective controls have identified suspected fraud that has then been subject to assessment and investigation.

23. The department’s investigation procedures are consistent with the Australian Government Investigations Standards.

Culture, assurance and reporting

24. The department has set expectations and promotes a fraud aware culture through: the Secretary’s instructions; its fraud control framework; internal events during International Fraud Awareness week; and internal messaging to staff about fraud control and outcomes from significant fraud-related prosecutions. The department’s audit and assurance committee charter allows the committee to review the department’s fraud risks, and it has done so.

25. Completion of online fraud awareness training has been mandatory for all staff since August 2019. As of 1 November 2019, 96.8 per cent of staff had completed the training. As this mandatory requirement has recently been introduced there is value in the department closely monitoring completion rates to inform its approach to achieving full compliance.

26. In its 2017–18 and 2018–19 annual reports, the department provided a lesser level of assurance to the Parliament than is expected by the PGPA Rule. The Secretary’s certification in those annual reports did not meet the expectations of the PGPA Rule because it did not state that all reasonable measures had been taken to deal appropriately with fraud relating to the entity, or identify what, if any, further measures needed to be implemented.

27. The department has complied with the mandatory reporting obligation in the Commonwealth Fraud Control Policy to provide information to the Australian Institute of Criminology annually, and has briefed its Minister twice on specific fraud risks or issues since 2016.

Recommendations

Recommendation no.1

Paragraph 2.50

The Department of Social Services document control and treatment owners in its fraud risk assessments, and document a process to facilitate the provision of assurance to risk owners that controls are useful, necessary and effective.

Department of Social Services response: Agreed.

Recommendation no.2

Paragraph 4.24

The Department of Social Services accountable authority’s annual report certification prepared pursuant to subsection 17AG(2) of the PGPA Rule 2014 should certify that all reasonable measures have been taken to deal appropriately with fraud relating to the entity, or indicate what further measures need to be implemented.

Department of Social Services response: Agreed.

Summary of entity response

The Department of Social Services (the department) acknowledges the report and the opportunities the audit provides to strengthen our fraud control operations.

The department places a high priority on reviewing and improving fraud risk arrangements to protect the integrity of the department and our programs. The department has already begun taking steps that will address the recommendations identified in the report.

Key messages from this audit for all Australian Government entities

28. This audit is one in a series of three performance audits reviewing fraud control arrangements in selected non-corporate Commonwealth entities:

  • the Department of Social Services;
  • the Department of Foreign Affairs and Trade; and
  • the Department of Home Affairs.

29. Key messages from this audit series will be outlined in an ANAO Insights product available on the ANAO website.

1. Background

Introduction

1.1 Fraud against the Commonwealth causes financial and material loss, reducing the amount of money available for public goods and services and impacting on government’s ability to achieve its objectives. Fraud can also damage trust in government. Managing fraud risk is a responsibility shared by all Commonwealth officials, with ongoing effort commensurate to the scale of fraud risk required to effectively prevent, identify and respond to fraud. Fraud threats are constantly evolving, meaning responses need to be dynamic.

1.2 The Australian Government (the government) defines fraud as:

Dishonestly obtaining a benefit or causing a loss by deception or other means.11

1.3 Fraud requires intent, and is more than carelessness, accident or error. Without intent, an incident may indicate non-compliance rather than fraud.12 Fraud against the Commonwealth may include (but is not limited to):

  • theft;
  • accounting fraud (for example, false invoices, misappropriation);
  • misuse of Commonwealth credit cards;
  • unlawful use of, or unlawful obtaining of, property, equipment, material or services;
  • causing a loss, or avoiding and/or creating a liability;
  • providing false or misleading information to the Commonwealth, or failing to provide information when there is an obligation to do so;
  • misuse of Commonwealth assets, equipment or facilities;
  • cartel conduct;
  • making or using, false, forged or falsified documents; and/or
  • wrongfully using Commonwealth information or intellectual property.13

1.4 Fraud against the Commonwealth can be committed by Commonwealth officials or contractors (internal fraud) or by external parties such as clients, service providers, members of the public or organised criminal groups (external fraud).14 In some cases fraud against the Commonwealth may involve collusion between external and internal parties, and can include corrupt conduct such as bribery. However, not all corrupt conduct meets the definition of fraud.15

The Australian Government’s fraud control framework

1.5 Australian Government entities have long been required to establish arrangements to manage fraud risks. At the time of this audit, the government’s requirements for fraud control are contained in the 2017 Commonwealth Fraud Control Framework16 (the Framework) pursuant to the Public Governance, Performance and Accountability Act 2013 (PGPA Act). A desktop review conducted by the ANAO of state and territory and international fraud control frameworks is presented at Appendix 2.

1.6 The Framework is intended to: allow Commonwealth entities to manage their fraud risks in a way which best suits the individual circumstances of the entity; and support the accountable authority17 to effectively discharge their responsibilities under the PGPA Act. The Framework comprises three tiered documents with different binding effects:18

  • Section 10 of the Public Governance, Performance and Accountability Rule 2014 (the fraud rule): A legislative instrument binding all Commonwealth entities and setting out the key requirements of fraud control.
  • The Commonwealth Fraud Control Policy (the fraud policy): An Australian Government policy binding non-corporate Commonwealth entities19 setting out procedural requirements for specific areas of fraud control such as investigations and reporting.
  • Resource Management Guide No. 201 — Preventing, detecting and dealing with fraud (the fraud guidance): A better practice document setting out the government’s expectations in detail for fraud control arrangements within all Commonwealth entities.

1.7 As non-corporate Commonwealth entities, Australian Government departments must comply with the fraud rule and fraud policy. While the fraud guidance is not binding, the government considers it to be better practice and expects entities to follow it where appropriate.20

1.8 The Attorney-General’s Department (AGD) administers the Framework. The Australian Government is providing $16.4 million over two years from 2019–20 to AGD ($6.6 million) and the Australian Federal Police (AFP) ($9.8 million) to pilot and continue measures to strengthen Commonwealth counter-fraud arrangements.21 The AGD established the Commonwealth Fraud Prevention Centre, and is piloting measures to improve the sharing of data, information and knowledge across government. The AFP established Operation Ashiba to lead a Commonwealth multi-agency taskforce intended to support and strengthen whole of government efforts to detect, disrupt and respond to serious and complex fraud.

Responsibilities of accountable authorities

1.9 The PGPA Act and the PGPA Rule contain specific duties and requirements for the accountable authority of a Commonwealth entity pertaining to internal control arrangements, including for fraud control and relevant reporting (Table 1.1).

Table 1.1: Responsibilities of accountable authorities (PGPA Act and PGPA Rule)

Reference

Duty or requirement

Section 15

PGPA Act

Duty to govern the Commonwealth entity

1. The accountable authority of a Commonwealth entity must govern the entity in a way that:

  • promotes the proper usea and management of public resources for which the authority is responsible; and
  • promotes the achievement of the purposes of the entity; and
  • promotes the financial sustainability of the entity.

2. In making decisions for the purposes of subsection (1), the accountable authority must take into account the effect of those decisions on public resources generally.

Section 16

PGPA Act

Duty to establish and maintain systems relating to risk and control

The accountable authority of a Commonwealth entity must establish and maintain:

  1. an appropriate system of risk oversight and management for the entity; and
  2. an appropriate system of internal control for the entity;

including by implementing measures directed at ensuring officials of the entity comply with the finance law.

Section 10

PGPA Rule

Preventing, detecting and dealing with fraud

The accountable authority of a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by:

  1. conducting fraud risk assessments regularly and when there is a substantial change in the structure, functions or activities of the entity; and
  2. developing and implementing a fraud control plan that deals with identified risks as soon as practicable after conducting a risk assessment; and
  3. having an appropriate mechanism for preventing fraud, including by ensuring that:
    1. officials of the entity are made aware of what constitutes fraud; and
    2. the risk of fraud is taken into account in planning and conducting the activities of the entity; and
  4. having an appropriate mechanism for detecting incidents of fraud or suspected fraud, including a process for officials of the entity and other persons to report suspected fraud confidentially; and
  5. having an appropriate mechanism for investigating or otherwise dealing with incidents of fraud or suspected fraud; and
  6. having an appropriate mechanism for recording and reporting incidents of fraud or suspected fraud.

Subsection 17AG(2)

PGPA Rule

Information on management and accountability

The annual report must include the following:

  1. information on compliance with section 10 (which deals with preventing, detecting and dealing with fraud) in relation to the entity during the period.
  2. A certification by the accountable authority of the entity that:
    1. fraud risk assessments and fraud control plans have been prepared for the entity; and
    2. appropriate mechanisms for preventing, detecting incidents of, investigating or otherwise dealing with and recording or reporting fraud that meet the specific needs of the entity are in place for the entity; and
    3. all reasonable measures have been taken to deal appropriately with fraud relating to the entity.
   

Note a: In respect to ‘proper use’, section 8 of the PGPA Act provides that ‘proper, when used in relation to the use or management of public resources, means efficient, effective, economical and ethical’.

Source: PGPA Act and PGPA Rule.

Extent of fraud against the Commonwealth

1.10 The Australian Government has reported that the extent of fraud against the Commonwealth, including the exact cost and impact, is unknown.22 Fraud can be hidden, difficult to detect or remain unreported. The Australian Institute of Criminology (AIC) produces an annual report measuring levels of fraud detected and investigated across the Commonwealth on the basis of data self-reported by Commonwealth entities via an online questionnaire.23 The Commonwealth fraud investigations 2017–18 and 2018–19 report24 stated that of 155 entities with responses, 30 (19 per cent) commenced internal fraud investigations and 37 (24 per cent) commenced external fraud investigations. In total, 52 (34 per cent) different entities commenced investigations. In 2018–19, 27 (17 per cent) entities finalised internal fraud investigations and 34 (22 per cent) entities finalised external fraud investigations. In total, 44 (28 per cent) different entities finalised fraud investigations in the 2018–19 financial year. The AIC estimated fraud losses during 2018–19 of $149,680,728 ($2,775,917 from internal fraud; $146,904,811 from external fraud), on the basis of completed investigations where fraud could be quantified.25

1.11 The results of a desktop review by the ANAO of international research to estimate fraud losses is presented in Appendix 2.

Previous audits

1.12 The interim audit phase of the ANAO’s annual program of financial statements audits includes an assessment of the effectiveness of each entity’s internal controls as they relate to the risk of misstatement in the financial statements. Auditor-General Report No.46 2018–19 Interim Report on Key Financial Controls of Major Entities (the controls report) reported that at the completion of the ANAO’s interim audits for the 26 major entities included in that report, the key elements of internal control were operating effectively for 19 entities26, including the three departments selected for this performance audit series.27 In the context of the ANAO’s review of entity internal controls, the controls report included a focus on and an analysis of, payment card and fraud control policies together with a continued review of compliance with the Commonwealth’s finance law.28

1.13 Australian Government fraud control arrangements have also been the subject of previous ANAO performance audits. The most recent relevant audit was tabled in 2018–19 and examined the fraud control arrangements of the National Disability Insurance Agency (NDIA). The audit found that while the NDIA was largely compliant with the requirements of the Commonwealth Fraud Rule29 there was scope to improve: fraud prevention strategies; measures to detect potential fraud; and the effectiveness of fraud control governance and reporting arrangements.30 A key learning for other government entities arising from the audit was that the Commonwealth Fraud Control Framework (not just the Fraud Rule) provides a robust framework for all government entities to manage fraud risk. In the absence of it being mandatory for corporate entities to comply with all elements of the framework, corporate entities should see its implementation as good practice.31

1.14 An ANAO audit tabled in 2014–15 of the fraud control arrangements of selected entities32 found that overall these entities were generally compliant with the applicable requirements of the 2011 Fraud Control Guidelines (the Guidelines) that were in effect during the course of the audit. The audit included one recommendation:

To facilitate the timely preparation of the annual Fraud Against the Commonwealth Report and the annual Compliance Report to Government, the ANAO recommends that the Attorney-General’s Department formalises its business arrangements with the Australian Institute of Criminology.33

1.15 From 1 July 2014, the Guidelines were replaced with the Commonwealth Fraud Control Framework pursuant to the PGPA Act. The fraud policy was reissued in August 2016, with new provisions implementing the ANAO recommendation detailed in paragraph 1.14 by formalising the requirement for entities to provide information to the AIC to facilitate the AIC annual fraud report.34 The fraud guidance was reissued in August 2017.35

Selected entities in this audit series

1.16 This audit is one in a series of three performance audits reviewing fraud control arrangements in selected departments — the Department of Social Services, the Department of Foreign Affairs and Trade and the Department of Home Affairs. The focus of this audit report is the Department of Social Services.

1.17 Other audits in the series are:

  • Auditor-General Report No.42 2019–20 Fraud Control Arrangements in the Department of Foreign Affairs and Trade; and
  • Auditor-General Report No.43 2019–20 Fraud Control Arrangements in the Department of Home Affairs.

1.18 Contextual information about the Department of Social Services (DSS) is provided at Table 1.2.

Table 1.2: Contextual information about the Department of Social Services

Element

Contextual information

Entity mission/purpose

To improve the wellbeing of individuals and families in Australian communities.

Number of staff (as at June 2019)

2,520

Number of staff dedicated to ‘fraud related duties’a (as at June 2019)

15

Total resourcing ($’000) (for 2018–19)

115,179,770

Geographic location

Major office in Canberra, offices in every state and territory.

   

Note a: ‘Fraud-related duties’ as defined within the 2018–19 AIC fraud questionnaire, could include work in fraud control policy, fraud risk management, prevention, detection, investigation, delivery of training and/or fraud reporting.

Source: ANAO, drawing on the Department of Social Services 2018–19 Annual Report, 2019–20 Portfolio Budget Statements and entity responses to the AIC 2018–19 fraud questionnaire.

Rationale for undertaking the audit

1.19 This audit series is intended to provide assurance to the Parliament regarding the fraud control arrangements of selected Australian Government departments. All Commonwealth entities are required to have fraud control arrangements in place because preventing, detecting and responding to fraud against the Commonwealth is necessary to ensure the proper use of public resources, financial and material losses are minimised, and public confidence is maintained. In addition, this audit series aims to assist all Commonwealth entities to consider the effectiveness of their fraud control arrangements, including areas where additional effort would improve consistency with whole of government better practice fraud guidance (discussed in paragraphs 1.6 and 1.7) and the take-up of whole of government advice on new and emerging fraud risks (discussed in paragraph 1.22).

Audit approach

Audit objective, criteria and scope

1.20 The objective of the audit was to assess the effectiveness of the Department of Social Services’ fraud control arrangements. The high level audit criteria were that the department:

  • complies with the mandatory requirements set out in the Commonwealth Fraud Control Framework and arrangements are consistent with the government’s better practice guidance; and
  • promotes a fraud aware culture.

1.21 The ANAO did not assess whether specific controls are in place or the effectiveness of such controls in the selected entity.36

1.22 The ANAO reviewed fraud control arrangements in place within the department during the period of audit fieldwork, September 2019 to early February 2020. On 18 February 2020 the Australian Government activated the Emergency Response Plan for Novel Coronavirus (COVID-19).37 On 27 March 2020 the Australian Federal Police’s Operation Ashiba and the Commonwealth Counter Fraud Prevention Centre in the Attorney-General’s Department established the Commonwealth COVID-19 Counter Fraud Taskforce intended to support Commonwealth agencies to prevent fraud against the COVID-19 economic stimulus measures.38 The Commonwealth Fraud Prevention Centre circulated the Fraud Control in COVID-19 Emergency and Crisis Management fact sheet to Commonwealth entities, with information about key fraud risks related to COVID-19 response efforts.

1.23 The Department of Social Services was invited by the ANAO to make a representation in relation to its current or planned arrangements to address increased fraud risks resulting from the COVID-19 response. The department advised the ANAO in May 2020 that:

The department has been assessing and monitoring the increased fraud risk as a result of the COVID-19 response. The department is continuing to work with the Commonwealth Fraud Prevention Centre and COVID-19 Counter Fraud Taskforce to strengthen the department’s control environment and implement new countermeasures to prevent fraud.

Guidance provided by the COVID-19 Counter Fraud Taskforce to assist in implementing fraud countermeasures during COVID-19 has informed the department’s approach to addressing the increased fraud risk. This includes building awareness of fraud risks, implementing low friction countermeasures to prevent fraud where possible and carrying out targeted assurance checks to identify instances of fraud.

Audit methodology

1.24 The audit methodology involved:

  • assessing entity arrangements against the mandatory requirements of the Commonwealth Fraud Control Framework;
  • reviewing entity records;
  • reviewing entity procedures for planning, prevention, detection, investigation and responding to fraud and allegations of fraud, against the fraud guidance; and
  • discussions with relevant entity staff.

1.25 To assess the department’s compliance with the Commonwealth Fraud Control Framework, the ANAO has read the fraud rule in conjunction with the fraud guidance, and has based its assessment and findings on the suite of documents produced by the department to support fraud control planning.

1.26 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $215,000.

1.27 The team members for this audit were Tracy Cussen, Ailsa McPherson, Hannah Climas, Michael Fitzgerald and Michelle Page.

2. Risk management, planning and prevention

Areas examined

This chapter examines whether the department has complied with the mandatory requirements set out in the Commonwealth Fraud Control Framework as they relate to fraud prevention and the extent to which these arrangements are consistent with the Australian Government’s fraud guidance.

Conclusion

The department has developed and implemented a fraud control framework, conducted fraud risk assessments, and has guidance and procedures to assist departmental staff to understand what constitutes fraud and to carry out their fraud prevention responsibilities. The department has also included performance indicators and an annual work program in its fraud control framework to assist it to monitor and review its fraud control arrangements.

The department has mechanisms in place to assess its fraud risks but has not fully addressed all fraud risks assessed as ‘high’ risk. The department’s oversight of its fraud controls would be strengthened by documenting fraud control and treatment owners in its fraud risk assessments, and documenting a process for control owners to provide assurance to risk owners about control effectiveness.

Areas for improvement

The ANAO has made one recommendation aimed at assisting fraud risk owners to have appropriate assurance that the controls identified to reduce the risk are useful, necessary and effective.

The ANAO has suggested that the department include a summary of fraud risks in its fraud control plan to provide greater transparency to its staff of department-level fraud risks.

The ANAO has also suggested that the department’s fraud risk assessments record: the rationale for accepting fraud risks it has assessed as ‘high’ or for not applying a treatment to a risk outside its tolerance; and a final assessment of the fraud risk following the application of a risk treatment(s).

2.1 Section 10 of the Public Governance, Performance and Accountability Rule 2014 (the fraud rule) requires the accountable authority of a Commonwealth entity to take all reasonable measures to prevent fraud relating to the entity.39 In order to prevent fraud, entities must understand their fraud risks and ensure arrangements are in place to prevent fraud from occurring.

2.2 The ANAO examined entity compliance with the mandatory requirements of the Commonwealth Fraud Control Framework and the extent to which entity arrangements are consistent with Resource Management Guide No. 201 — Preventing, detecting and dealing with fraud (the fraud guidance), to assess:

  • whether the entity has considered fraud risk management within the context of its overall risk management process, including the content of the entity’s fraud control plan;
  • how fraud risks are identified and whether these assessments are conducted at regular intervals;
  • how identified fraud risks are assessed and addressed; and
  • whether preventive controls to manage fraud risks have been identified and are being adequately assessed.

Is fraud risk considered within the context of the overall risk management process?

Fraud risk is considered within the context of the department’s overarching enterprise risk management framework. Fraud risk is categorised as a ‘specialist’ risk. This means that fraud risks need to be considered by officers with a thorough understanding of the subject matter. The department’s fraud control officers assist policy and program areas to consider fraud risk and to conduct fraud risk assessments. The department’s fraud control arrangements are set out in a fraud control framework that includes a fraud control plan, an annual work program and performance indicators intended to measure the success of its fraud control arrangements.

The department could more closely align to the whole of government fraud guidance by including a summary of fraud risks in its fraud control plan. Having this summary would assist staff to fulfil their responsibilities under the fraud control plan to report suspected fraud by providing a departmental-level overview of such risks.

2.3 As a non-corporate Commonwealth entity, the Department of Social Services (DSS or the department) is bound by the Australian Government’s Commonwealth Fraud Control Policy (fraud policy), which states that:

Non-corporate Commonwealth entities must ensure that their fraud control arrangements are developed in the context of the entity’s overarching risk management framework as described in the Commonwealth Risk Management Policy.40

2.4 In addition, the fraud guidance states that:

It is important to avoid looking at fraud in isolation from the general business of the entity. Entities are strongly encouraged to develop dynamic fraud risk assessment procedures integrated within an overall business risk approach rather than in a separate program.41

2.5 To assess whether fraud risk is considered within the context of DSS’s overarching risk management process, the ANAO reviewed how fraud is considered in the department’s risk management guide and assessed whether the contents of the department’s fraud control plan contained the components suggested in the fraud guidance.

DSS’s risk management framework

2.6 The department’s Enterprise Risk Management Framework (the risk framework) was issued in December 2018. The risk framework states that it is intended to provide a common-sense and pragmatic approach to risk management.

2.7 The department’s risk framework includes an enterprise risk management model. This model structures risks around five perspectives intended to reflect the department’s approach to managing its risks. The five perspectives presented in the risk model are:

  • enterprise risks — critical risks identified by DSS’s Executive Management Group which are of strategic importance;
  • group risks — identified as part of delivering group business plans;
  • policy and program risks — identified in the design, development and implementation of policy or programs;
  • program and project risks — identified in the delivery of transformation and ICT programs and projects; and
  • specialist risks — identified in the delivery of common corporate/operational areas.

2.8 Fraud risk is categorised as a ‘specialist’ risk within the department’s risk framework. As a specialist risk, the framework indicates that managing fraud risks requires: the person undertaking the risk assessment to have a thorough understanding of the subject matter; and that staff required to consider these risks seek support from the relevant business functions. The department has a fraud control section responsible for facilitating the completion of risk assessments.

2.9 The risk framework identifies that management of specialist risks is guided by specific documents. For fraud risks these documents include the department’s fraud control framework.

DSS’s fraud control framework

2.10 Subsection 10(b) of the fraud rule states that the accountable authority must develop and implement ‘a fraud control plan that deals with identified risks as soon as practicable after conducting a risk assessment’.42

2.11 A strict interpretation of the fraud rule would require the department to undertake a linear process: first conduct a risk assessment and then, as soon as practicable, develop and implement a fraud control plan that specifically addresses the identified risks. To assess the department’s compliance with the Commonwealth Fraud Control Framework, the ANAO has read the fraud rule in conjunction with the fraud guidance, and has based its assessment and findings on the suite of documents produced by the department to support fraud control planning (rather than whether the department strictly adheres to the linear process identified in the fraud rule).

2.12 The fraud guidance suggests that fraud control plans can:

Document the entity’s approach to controlling fraud at a strategic, operational and tactical level, and encompass awareness raising and training, prevention, detection, reporting and investigation measures.43

2.13 The department’s fraud control arrangements are set out in its Fraud Control Framework (the fraud framework) signed by the Chief Operating Officer on 28 June 2019.44 The fraud framework outlines the strategies the department has in place for identifying and managing fraud risk and comprises the Secretary’s Instruction 2.2—Fraud Risk Management and Control, DSS’s Fraud Control Plan 2019–21 and Fraud Control Annual Work Program 2019–20.

2.14 The department’s fraud control plan contains most of the components suggested by the fraud guidance. The department’s fraud control plan does not contain a summary of the fraud risks and treatment strategies. The department’s fraud risks and the treatment strategies to manage these risks are identified and assessed through the department’s risk assessment process, and are detailed in the fraud risk assessments.

2.15 When considered together, the department’s fraud framework and risk assessment documentation encompass all of the components recommended by the fraud guidance (Table 2.1).

Table 2.1: Content of DSS’s fraud control documentation

Fraud guidance suggested areas

DSS fraud control documentation

A summary of fraud risks and vulnerabilities associated with the entity

Yesa

Treatment strategies and controls put in place to manage fraud risks and vulnerabilities

Yesa

Information about implementing fraud control arrangements within the entity

Yes

 

Strategies to ensure the entity is meeting its training and awareness needs

Yes

Mechanisms for collecting, analysing and reporting fraud incidents

Yes

Protocols for handling fraud incidents

Yes

An outline of key roles and responsibilities for fraud control within the entityb

Yes

  

Note a: Fraud risks and treatment strategies are contained in the department’s fraud risk assessments, rather than within the department’s fraud framework.

Note b: Appendix 3 of this audit report outlines roles and responsibilities for fraud control within DSS as detailed in the department’s fraud control documentation.

Source: Commonwealth Fraud Control Framework and ANAO analysis of DSS documentation.

2.16 The department’s fraud documentation at a program level identifies identity fraud and identity theft as fraud risks. However, the department’s fraud control framework does not identify or include strategies to mitigate the risk of identity fraud.

2.17 The department could more closely align to the Australian Government’s fraud guidance requirements for the content of fraud control plans, by including a summary of its fraud risks, including identity fraud, and the treatments in place to manage these risks. Having this summary would assist staff to fulfil their responsibilities under the fraud control plan to report suspected fraud by providing a departmental-level overview of the risks to be aware of.

2.18 The department’s fraud control plan sets out ‘measures of success’ intended to assist the department to monitor and review its fraud prevention, detection and response strategies. These measures include quantitative indicators (for example, reduced length of time between risk being identified and response) and monitoring results from the annual APS Employee Census questions relating to fraud and/or corruption.

Are fraud risks identified and are assessments conducted at regular intervals?

The department has identified fraud risks and conducted fraud risk assessments at regular intervals. Fraud risk assessments cover risks related to internal operations that occur across the department, such as financial management and procurement, as well as risks specific to individual programs. The department’s fraud control officers, who assist departmental staff to undertake fraud risk assessments, have or are working towards acquiring qualifications in fraud investigations and fraud control.

2.19 Subsection 10(a) of the fraud rule requires the accountable authority of a Commonwealth entity to conduct ‘fraud risk assessments regularly and when there is a substantial change in the structure, functions or activities of the entity.’45 The fraud guidance encourages entities to conduct fraud risk assessments at least every two years.46

2.20 The fraud policy requires that:

Entities must ensure officials primarily engaged in fraud control activities possess or attain relevant qualifications or training to effectively carry out their duties.47

2.21 The fraud guidance identifies that relevant training can include a Certificate IV in Government (Fraud Control) or equivalent qualification for officials implementing fraud control, or a Diploma of Government (Fraud Control) or equivalent qualification for officials managing fraud control.48

2.22 The ANAO reviewed when fraud risk assessments had been undertaken and examined the department’s process for identifying fraud risks, including whether staff conducting these assessments are appropriately trained.

2.23 The department has regularly conducted fraud risk assessments in accordance with the fraud rule. It has completed: fraud risk assessments for internal operations that span the department49 so as to address fraud risks across the department; and ten fraud risk assessments for individual programs it has identified as ‘high risk’.50

2.24 The process to determine whether a program requires a fraud risk assessment is set out in a matrix, which requires staff to consider the risk exposure based on known information such as program payment/funding types and potential program expenditure. A fraud risk assessment is undertaken for programs identified as ‘high risk’ using this matrix.51

2.25 Consistent with the requirements set out in its risk framework, DSS uses a risk assessment eTool template to complete its fraud risk assessments. The template includes explanatory information to assist program areas completing the assessments to understand the steps required. These steps are: establish the context; identify fraud risk; assess fraud risk; evaluate fraud risk; implement control measures; re-assess fraud risk; and monitor and review.

2.26 The template identifies five categories of known fraud risk (corruption, fraudulent statements, asset misappropriation, employment and entitlements fraud, and contract/grant payment/service program misappropriation) with a standard set of preventive controls that apply. Program areas are responsible for incorporating relevant fraud risks and controls from these five categories into their fraud risk assessment, and for adding any program-specific fraud risks. Fraud control officers facilitate the process and provide the program area with subject matter expertise, however they are not responsible for completing fraud risk assessments.

2.27 The department has three fraud control officers who assist program areas to conduct fraud risk assessments. At the commencement of this audit these officers held or were undertaking qualifications in fraud investigations and the department considered that these qualifications fulfilled the fraud guidance as they are ‘equivalent qualifications’ (see paragraph 2.21). These officers completed a Diploma of Government (Fraud Control), in line with the fraud guidance, in April 2020.

2.28 As the department has identified fraud as a ‘specialist’ risk under its risk framework (see paragraph 2.8) and has designated specific officers to facilitate the development of fraud risk assessments, it should consider documenting its expectations around fraud control officer qualifications, including what it accepts as ‘equivalent qualifications’.

Are fraud risks assessed and addressed?

Fraud risks are assessed and given a fraud risk exposure rating based on the likelihood and consequences of the risk occurring but the department has not fully addressed all fraud risks assessed as ‘high’ risk. The department determines whether risks are ‘acceptable’ or ‘unacceptable’ but does not document the rationale for deciding that certain ‘high’ risks are ‘acceptable’. Eight of the department’s 15 ‘high’ fraud risks that it had assessed as ‘unacceptable’ either did not have treatments identified to reduce the risk or those treatments were insufficient to reduce the risk exposure rating. The department has identified fraud risks that are shared with Services Australia and, in its capacity as administrator of the government’s Community Grants Hub, has drafted but not yet finalised protocols for the management of fraud risks by client services.

2.29 In order for entities to effectively respond to fraud risks it is important for the significance of the risks to be assessed and to determine whether treatments are required. The ANAO examined how the department assesses its risk exposure and identified the mechanisms the department uses to address fraud risks.

2.30 The ANAO examined the eight fraud risk assessments the department advised its audit committee were in place in November 2019. These eight assessments identified 110 fraud risks and indicated a fraud risk exposure rating for each risk on the basis of the likelihood of the risk occurring and the consequence if the risk occurred. Table 2.2 shows the department’s risk matrix used to determine the risk exposure rating for each fraud risk based on this assessment.

Table 2.2: Risk matrix of fraud risks to determine fraud risk exposure rating

 

Consequence of risk occurring

 

Insignificant

Minor

Moderate

Major

Severe

 

2

3

4

5

6

Likelihood of risk occurring

Almost Certain

Low

Medium

High

Extreme

Extreme

Likely

Low

Medium

High

High

Extreme

Possible

Low

Medium

Medium

High

High

Unlikely

Low

Low

Medium

High

High

Rare

Low

Low

Low

Medium

High

       

Source: ANAO analysis of departmental documentation.

2.31 The department’s assessment process also takes into account the department’s tolerance for each of the identified fraud risks52, leading to the allocation of a fraud risk response rating of ‘acceptable’ or ‘unacceptable’. The ANAO’s review of DSS fraud risk assessments identified that all assessments included a description of the risk, current controls, control effectiveness rating, and a risk rating. They also documented whether the risk was considered ‘acceptable’ or ‘unacceptable’. The ANAO saw evidence that assessments covering fraud risks rated as ‘high’ were signed off by the appropriate senior executive as required under the department’s guidelines.

2.32 Of the 110 identified fraud risks, 29 (26.4 per cent) were rated by the department as ‘high’ (none were rated as ‘extreme’). The department’s risk management process guidelines state that risks rated as ‘high’ or ‘extreme’ (see Figure 2.1) are ‘…generally considered unacceptable and require further action via escalation to, and treatment by, the appropriate level of senior executive management’. The ANAO reviewed how risks rated as ‘high’ were addressed and documented in the fraud risk assessments. Of the 29 ‘high’ risks, 14 were considered ‘acceptable’ and 15 as ‘unacceptable’. The rationale for assessing these 14 ‘high’ risks as ‘acceptable’ was not recorded in the assessment.

2.33 The ANAO found inconsistencies in whether treatments for ‘high’ risks were documented and whether, if a treatment was documented, the residual risk rating was reduced. Overall, of the 15 ‘high’ risks recorded as ‘unacceptable’, eight were not adequately addressed through treatments —treatments for these risks were either not identified (6 risks) or the documented residual risk rating was not reduced in spite of treatment (2 risks).53

2.34 In July 2019 the department advised its audit committee that a ‘refresh of the department’s fraud risk assessments commenced in May 2019 to identify any changes to the risk profile and to determine the effectiveness of controls’. The department’s fraud control annual work program 2019–20 indicated that this bulk review of all fraud risk assessments would be completed by December 2019. The department advised the ANAO in May 2020 that of the 13 fraud risk assessments being reviewed: eight had been finalised or were awaiting sign-off; and the five remaining reviews had commenced.

2.35 In the context of its review, the department could improve the fraud risk management process by recording the following in its fraud risk assessments:

  • the rationale for any decision to consider a ‘high’ risk as ‘acceptable’;
  • the rationale for not applying a risk treatment(s) to ‘unacceptable’ risks; and
  • a final assessment of whether a risk is considered ‘acceptable’ after an additional risk treatment has been applied.

2.36 In addition to program-level fraud risk assessments, the department has program-level fraud control plans outlining the approach for preventing, detecting and responding to fraud in specific programs. This approach is intended to assist staff in program areas.54 These plans summarise fraud risks and risk ratings detailed in the fraud risk assessment, and identify key preventive and detective actions.

2.37 The department’s risk framework sets out how it contributes to managing any shared or cross jurisdictional risks, which it defines as those risks ‘which extend beyond the department and require shared oversight and management with stakeholders’. The department also has Bilateral Management Agreements with other Commonwealth entities. The ANAO’s review of program-level fraud risk assessments indicated that the department has identified shared risks with Services Australia.55

2.38 The department administers the Community Grants Hub (CGH), which provides grants administration services on behalf of other government entities.56 The CGH operational risk management plan 2019–20 and draft ‘Hub Fraud Protocols—Interagency Shared Services Obligations’ outline the accountabilities, roles and responsibilities of the CGH and client entities in relation to the management of fraud risks in the delivery of grants administration services. As the CGH administered over 44,000 funding arrangements worth over $10 billion during 2018–19, the draft Hub Fraud Protocols (which were due to be completed by December 2019) should be finalised as a matter of priority.

Does the department’s internal control environment include preventive controls and are these adequately assessed?

The department has a range of preventive controls in place and tests its controls to ensure they are operational. The department’s risk framework sets out responsibilities for risk, control and treatment owners but does not document either the control or treatment owner in the risk assessment. While the department has a process to identify improvements to existing controls, to meet the fraud guidance it should document a process for control owners to provide assurance to risk owners that the controls in place are useful, necessary and effective.

2.39 Preventive controls can help entities prevent fraud from occurring in the first place or reduce the consequences when it occurs. The fraud guidance states that:

Controls and strategies outlined in fraud control plans are ideally commensurate with assessed fraud risks. Testing controls may indicate that not all controls and strategies are necessary or that different approaches may have more effective outcomes. Controls can often be reviewed on a regular basis to make sure they remain useful.57

2.40 The ANAO examined whether DSS has documented preventive controls to manage its identified fraud risks and whether it has established mechanisms to assess and provide assurance over the control’s effectiveness. The ANAO did not test the design or operational effectiveness of individual controls.58

Preventive controls

2.41 The Australian Government’s Risk Management Policy defines an internal control as:

Any process, policy, device, practice or other actions within the internal environment of an organisation which modifies the likelihood or consequences of a risk.59

2.42 Broadly, there are two types of controls — preventive controls which are put in place to prevent fraud before it occurs, and detective controls which are put in place to identify when fraud has occurred (detective controls are discussed in chapter three).

2.43 The ANAO’s review of the department’s fraud risk assessments identified that preventive controls are included, although the department does not categorise its controls as preventive or detective. Categorising controls in the fraud risk assessments would assist the department to assess whether the suite of controls provides end-to-end coverage — to prevent, detect and deal with identified fraud risks.

Assessment of controls

2.44 The department’s risk framework identifies responsibilities for managing risk as follows:

Risk or issue owner — accountable for managing a particular risk or issue;

Control owner — responsible for maintaining the effectiveness of controls intended to modify the risk or issue; and

Treatment owner — responsible for implementing actions and strategies to treat/mitigate the risk to an acceptable level.

2.45 The department advised the ANAO that program areas are responsible for assessing controls. The ANAO viewed evidence that controls are assessed by program areas and that mechanisms exist for the regular review of controls—through internal audits, use of data analytics, compliance testing and financial reconciliations. In 2019–20 the department commenced a project to review and test controls and control methodology in the Community Grants Hub (see paragraph 2.38), and has developed a control testing plan template.60

2.46 While there is evidence that business areas have tested controls, the department has not provided a formal mechanism for use by control owners to provide assurance to risk owners on the effectiveness of controls. Further, the department’s fraud risk assessments do not always include sufficient detail to demonstrate to a risk owner that the controls in place are sufficient to manage the risk.

2.47 The department’s fraud risk assessments record a risk owner (or are signed off by the risk owner) but do not record a control or treatment owner. The staff position accountable for maintaining control effectiveness is therefore not clear.

2.48 DSS’s fraud risk assessments document controls against risks that have been grouped into categories, rather than against individual risks, and control effectiveness ratings are documented for each individual risk. This approach suggests that each full suite of controls is equally necessary and effective (or not effective) in addressing individual risks. This approach does not facilitate an assessment of whether identified controls are commensurate with the fraud risk, as detailed in the fraud guidance (paragraph 2.39).

2.49 To provide greater transparency to risk owners that controls are useful, necessary and effective, the department should identify control and treatment owners in its fraud risk assessments and document the process to be used for control owners to give assurance to risk owners on the effectiveness of controls.

Recommendation no.1

2.50 The Department of Social Services document control and treatment owners in its fraud risk assessments, and document a process to facilitate the provision of assurance to risk owners that controls are useful, necessary and effective.

Department of Social Services response: Agreed.

2.51 Fraud risk assessments form part of the department’s broader approach to risk management and provide risk owners with visibility of control and treatment owners.

2.52 To support ongoing verification and assurance of control effectiveness, the department will develop a pressure testing strategy for fraud controls informed by guidance received from the Commonwealth Fraud Prevention Centre. The pressure testing strategy will be incorporated into future Fraud Control annual work programs and will provide risk owners with greater assurance that controls are necessary and effective.

3. Detection, investigation and response

Areas examined

This chapter examines whether the department has complied with the mandatory requirements of the Commonwealth Fraud Control Framework as they relate to the detection, investigation and response to fraud and the extent to which these arrangements are consistent with the Australian Government’s fraud guidance.

Conclusion

The department has put in place controls to detect fraud, including reporting channels for use by staff and members of the public and the use of data analytics. The department’s fraud investigation procedures are consistent with the Australian Government Investigations Standards.

3.1 Section 10 of the Public Governance, Performance and Accountability Rule 2014 (the fraud rule) requires the accountable authority of a Commonwealth entity to take all reasonable measures to detect and deal with fraud.61 In order to detect and deal with fraud, entities must take active steps to find fraud when it occurs and investigate or otherwise respond to it.

3.2 The ANAO examined the department’s compliance with relevant mandatory requirements of the Commonwealth Fraud Control Framework and the extent to which arrangements are consistent with Resource Management Guide No. 201 — Preventing, detecting and dealing with fraud (the fraud guidance) to assess whether:

  • detective controls are identified; and
  • the department’s investigations procedures are consistent with the Australian Government Investigations Standards.

Are detective controls identified?

The department uses a range of detective controls to find fraud. These include processes for departmental staff and members of the public to confidentially report allegations of fraud. The main detection method for internal and external fraud investigations, finalised in 2018–19, was through staff member detection. The department also identifies fraud through other detective controls such as internal audits and data analytics. These detective controls have identified suspected fraud that has then been subject to assessment and investigation.

3.3 Detective controls are used to manage fraud risks and find fraud. Detecting fraud in an entity can highlight any vulnerabilities in existing preventive controls.

3.4 Subsection 10(d) of the fraud rule requires entities to have ‘a process for officials of the entity and other persons to report suspected fraud confidentially’.62

3.5 The fraud guidance notes that reporting suspected fraud is a common means of detection, and therefore it is important for entities to appropriately publicise fraud reporting mechanisms. Under the fraud guidance entities should encourage and support reporting of suspected fraud through proper channels, and this can include measures to protect those making such reports from adverse consequences.63

3.6 The ANAO examined the controls the department has in place to detect fraud with reference to the requirements of the Commonwealth Fraud Control Framework.

Detective controls

3.7 Suspected fraud can be reported by departmental staff and others (such as the general public) by phone, email or post.64 These reporting channels are advertised on the department’s website65 and for staff, on the intranet.

3.8 The department’s website states that if a person reports suspected fraud or misconduct, their ‘privacy and confidentiality will be respected.’66 The website also provides information on how to make an anonymous report and instructions on how to arrange a secure transmission for sensitive information.67 The department has policies and procedures for managing the confidentiality of those making reports, which include internal systems access controls to manage the information received through reporting channels.

3.9 Public Interest Disclosures are allegations made by public officials (disclosers) under the Public Interest Disclosure Act 2013 to an authorised officer because they suspect wrongdoing within the Commonwealth public sector.68 The department has procedures for handling Public Interest Disclosures, including: protection for disclosers; roles and responsibilities; details of how to make a disclosure; procedures for supervisors and managers; procedures for authorised officers; procedures for investigators; and confidentiality and record keeping.69

3.10 The department’s procedures for handling Public Interest Disclosures identify that:

  • if a disclosure relates to conduct that may need to be addressed under the department’s fraud control plan, the authorised officer may refer the matter to be dealt with in accordance with the relevant policy; and
  • if a disclosure relates to conduct that would require the department to take steps under the fraud control plan, the processes set out in the fraud control plan must be complied with in the conduct of an investigation under these procedures.

3.11 The Australian Institute of Criminology’s (AIC) annual fraud questionnaire asks entities to identify the detection method for finalised fraud investigations using categories provided by the AIC. In its response to the AIC’s 2018–19 questionnaire, the department reported ‘staff member detected’ as the most common detection method across both internal and external frauds. For the six internal fraud investigations finalised, the department reported that detection occurred through:

  • ‘staff member detected’ in four cases;
  • a ‘tip off within the entity’ in one case; and
  • ‘information technology controls’ in one case.

3.12 For the eight external fraud investigations finalised in 2018–19, detection was reported as occurring through:

  • ‘staff member detected’ in four cases;
  • ‘tip offs external to the department’ in three cases; and
  • ‘information technology controls’ in one case.

3.13 The department has in place other detective controls, consisting of: internal audits intended to identify vulnerabilities in the fraud control environment; data analytics (including operationalised machine learning models to detect fraud in high risk programs); and probity checks. The department has undertaken random sampling activities to identify records, transactions or entities that do not conform to expected patterns or that display characteristics or behaviours consistent with previous fraud events, and has reported to the Audit and Assurance Committee that results have led to the detection of suspected fraud, non-compliance and subsequent investigations.

Are the department’s investigation procedures consistent with the Australian Government Investigations Standards?

The department’s investigation procedures are consistent with the Australian Government Investigations Standards.

3.14 Once fraud is detected it is necessary to take action. Taking action shows that incidences of suspected fraud are not only identified but are responded to. Any investigation undertaken needs to be handled in a manner that will gather evidence to allow for subsequent responses, including criminal prosecution.

3.15 The Commonwealth Fraud Control Policy (the fraud policy) requires entities to have investigation processes and procedures consistent with the Australian Government Investigations Standards (AGIS) (see details in Box 1).70

Box 1: The Australian Government Investigations Standards (AGIS)

The AGIS establish the minimum standards for Australian Government agencies conducting investigations, and apply to all stages of an investigation.

AGIS defines an investigation as:

A process of seeking information relevant to an alleged, apparent or potential breach of the law, involving possible judicial proceedings. The primary purpose of an investigation is to gather admissible evidence for any subsequent action, whether under criminal, civil penalty, civil, disciplinary or administrative sanctions. Investigations can also result in prevention and/or disruptive action.

AGIS lists standards the agency must have (mandatory), as well as standards the agency should have (not mandatory).

The most recent review of the AGIS was in 2011 through a working group commissioned by the Heads of Commonwealth Operational Law Enforcement Agencies, chaired by the Australian Federal Police. The PGPA Act, and the Commonwealth Fraud Control Framework 2017 pursuant to the PGPA Act, are not referenced in the AGIS. The AGIS states that it is mandatory for all agencies required to comply with the Financial Management and Accountability Act 1997, legislation that has been replaced by the Public Governance, Performance and Accountability Act 2013 (PGPA Act).

Note: Australian Government, Australian Government Investigations Standards 2011 [Internet], Attorney-General’s Department, available from https://www.ag.gov.au/Integrity/counter-fraud/fraud-australia/Documents/AGIS %202011.pdf [accessed 12 February 2020]. Following a machinery of government change in 2017, responsibility for the AGIS transferred to the Home Affairs portfolio.

3.16 The ANAO examined whether the department’s investigation procedures for internal and external fraud met the mandatory requirements listed in the AGIS (Table 3.1).

Table 3.1: Department of Social Services investigation procedures and the AGIS mandatory requirements

AGIS requirement

 

A clear written policy in regard to its investigative function

A procedure governing the manner in which complaints concerning the conduct of its investigations are handleda

Written procedures regarding liaison with the media and the release of media statements in regard to investigations

Exhibit handling procedures

A written procedure covering the initial evaluation and actioning of each matter that has been received or identified.

Investigation management procedures

Written procedures relating to finalising the investigation

Investigator qualifications

   

Note a: Complaints about the conduct of an investigation are managed through existing departmental policies and are not specifically referenced in the current investigations manual.

Source: ANAO analysis of departmental documentation.

3.17 Details of the ANAO’s assessment against the AGIS requirements are set out below — grouped as written procedures, case selection and referral, and investigation management. Departmental responses to the 2018–19 AIC fraud questionnaire are also included.71

AGIS requirements for written procedures

3.18 The department has a policy for its investigative functions that sets out the objective, activities, responsibilities and referral processes relevant to investigations, as required by the AGIS. The department also has an Investigations Manual developed in April 2014 and which is currently being updated. Procedures for liaising with the media and exhibit handling are documented in the manual. Complaints about the conduct of investigations are managed through departmental processes documented in separate policies and procedures. DSS advised the ANAO that the benefits of having a dedicated section in the manual on managing confidentiality and complaint handling have been identified and are planned for inclusion in the updated version of the manual.

Case selection and referral

3.19 The department has a case prioritisation model and assessment tool to inform its decisions about matters referred for investigation. The factors taken into account when making a decision to investigate include:

  • the nature and value of the alleged fraud;
  • the prospect of sufficient evidence for prosecution; and
  • likely costs and benefits of investigation.

3.20 In its response to the 2018–19 AIC fraud questionnaire, the department reported that five internal fraud cases and 18 external fraud cases did not meet the threshold to warrant an investigation.72

3.21 The department has a written policy which includes its responsibility to refer ‘sufficiently serious and/or complex’ matters to the Australian Federal Police (AFP) in accordance with AGIS. Such referrals may be made for either full transfer of the investigation or in pursuit of joint investigation arrangements. In its response to the 2018–19 AIC fraud questionnaire the department reported that all fraud investigations were handled internally.

Investigation management

3.22 As required by the AGIS, the department has procedures for investigating allegations of suspected fraud. These are documented in the Investigations Manual and recorded in an electronic investigation management system. These procedures start from receiving an allegation through to finalising an investigation, including preparing briefs of evidence for the Commonwealth Director of Public Prosecutions (CDPP). The department has also developed flow charts to assist officials to identify procedural steps in internal and external investigations.

3.23 The ANAO reviewed records contained within the department’s electronic investigation management system and found records of all steps undertaken in an end-to-end investigation process.73

3.24 The department reported to the AIC that it commenced a total of 12 investigations during 2018–19, related to seven suspected internal frauds and five suspected external frauds.74

3.25 The department records the outcomes of investigations. In 2018–19, around 16 per cent of internal fraud investigations and 37 per cent of external fraud investigations had allegations substantiated in full or in part (Table 3.2).

Table 3.2: Outcomes of investigations finalised in 2018–19

 

Internal fraud

External fraud

Allegation substantiated (in full or in part)

1

3

All allegations not substantiated

5

4

Allegation referred to another agency and outcome currently unknown

0

1

Total

6

8

     

Source: ANAO analysis of departmental documentation.

3.26 For those investigations of internal fraud and external fraud finalised in 2018–19, where allegations were substantiated (in full or in part), all were referred to the CDPP.

Recovery of financial losses

3.27 The fraud policy states that:

… entities must take all reasonable measures to recover financial losses caused by illegal activity through proceeds of crime and civil recovery processes or administrative remedies.75

3.28 The 2018–19 AIC annual fraud questionnaire asked entities to estimate the recoveries over the time period, regardless of when the fraud was committed, when the losses were incurred, or when the investigation was completed. In its response to the questionnaire, the department did not quantify the estimated recovery amounts for fraud and advised the ANAO that recovery actions had not yet been completed.76

3.29 The department has debt recovery policies and procedures to provide guidance to staff when undertaking accounts receivable, debt management and recovery processes, including raising, collecting, receipting, reporting and acquitting debts owing to the department.

4. Culture, assurance and reporting

Areas examined

This chapter examines whether the department promotes a fraud aware culture and has complied with mandatory reporting requirements in the Commonwealth Fraud Control Framework.

Conclusion

The department has taken steps to promote a fraud aware culture and met the reporting requirements set out in the framework. The department’s fraud certifications in the two most recent annual reports provided a lower level of assurance to Parliament than is expected under the PGPA Rule.

Areas for improvement

The ANAO has recommended that the accountable authority’s annual report certification on fraud control provide the level of assurance expected by the PGPA Rule.

The ANAO has suggested that, following the recent introduction of mandatory fraud training, there is value in the department closely monitoring completion rates to inform its approach to achieving full compliance.

The ANAO has also suggested that the department consider providing an annual fraud control report to the responsible Minister that includes the suggested content detailed in the whole of government fraud guidance.

4.1 Under the Public Governance, Performance and Accountability Act 2013 (PGPA Act) the accountable authority must promote the proper use and management of public resources (section 15).77 The accountable authority must also establish and maintain an appropriate system of risk oversight and management for the entity, and an appropriate system of internal control for the entity, including by implementing measures directed at ensuring officials of the entity comply with the finance law (section 16).78

4.2 Preventing, detecting and dealing with fraud requires an ongoing effort. That effort will be more effective in an environment with a fraud aware culture that includes transparent reporting because staff will be alert to fraud and better able to develop dynamic responses based on evidence.

4.3 To inform the ANAO’s review of the effectiveness of DSS’s fraud control arrangements, the ANAO considered whether:

  • the department promotes and supports a fraud aware culture; and
  • the department provides assurance about entity fraud control arrangements through reporting.

Does the department promote and support a fraud aware culture?

The department has set expectations and promotes a fraud aware culture through: the Secretary’s instructions; its fraud control framework; internal events during International Fraud Awareness week; and internal messaging to staff about fraud control and outcomes from significant fraud-related prosecutions. The department’s audit and assurance committee charter allows the committee to review the department’s fraud risks, and it has done so.

Completion of online fraud awareness training has been mandatory for all staff since August 2019. As of 1 November 2019, 96.8 per cent of staff had completed the training. As this mandatory requirement has recently been introduced there is value in the department closely monitoring completion rates to inform its approach to achieving full compliance.

4.4 Resource Management Guide No. 201 — Preventing, detecting and dealing with fraud (the fraud guidance) states that:

Accountable authorities play a key role in setting the ethical tone within their entities, and fostering and maintaining a culture of fraud awareness and prevention.79

Fraud prevention involves … fostering an ethical culture that encourages all officials to play their part in protecting public resources. Establishing an ethical culture is an important factor in preventing and detecting fraud. Accountable authorities are strongly encouraged to foster this culture in their senior leadership specifically, as well as across staff more generally.80

4.5 Culture in the context of this audit is the set of shared attitudes, values and behaviours that characterise how an entity considers fraud risk in its day-to-day activities.81 Evidence of certain behaviours and practices operating in the organisation can indicate that a particular type of culture in being promoted.82

4.6 To assess whether the department promotes a fraud aware culture the ANAO examined departmental governance arrangements, departmental activities and completion rates for mandatory fraud awareness training.

Departmental governance arrangements to promote and support a fraud aware culture

4.7 The Secretary’s Instructions83 — an extract of which is in the department’s Fraud Control Framework (the fraud framework) — set expectations by requiring all officials to act in accordance with the department’s fraud control plan.84

4.8 The department’s Chief Operating Officer issued the department’s fraud control framework in June 2019.85 It is the framework for the management of fraud risk within the department. The fraud control plan, contained within the fraud control framework, states that all staff are responsible for managing the department’s exposure to fraud and details their roles and responsibilities. The fraud framework and plan are available to all staff via the intranet. The department’s tolerance levels for fraud risk are publicly available through the annual report.

4.9 The Secretary has established departmental governance arrangements intended to provide leadership and strategic direction to the department, and to facilitate the flow of information from the department to the executive. These arrangements are summarised in Figure 4.1.

Figure 4.1: Departmental governance arrangements

This figure illustrates the department’s governance arrangements. It shows the relationships between the departmental committees.

Note: The Executive Management Group oversees the department’s financial position by allocating resources, monitoring performance and risk, and ensuring regulatory requirements are met.

Source: ANAO analysis of departmental documentation.

4.10 The structure of the department’s governance arrangements support a fraud aware culture as they allow for:

  • regular reporting on fraud and corruption control activities to executive-led governance committees; and
  • oversight and review by the audit and assurance committee.

4.11 The whole of government fraud guidance suggests that the outcome of fraud risk assessments can be provided to an entity’s audit committee for consideration.86 Entities are also encouraged to ensure appropriate monitoring and evaluation of fraud control plans.87

4.12 The audit and assurance committee’s charter allows for the review of fraud risk, and the committee has regularly discussed and engaged with fraud risk during committee meetings. The audit and assurance committee has reviewed the department’s fraud control plan.

Departmental activities to promote and support a fraud aware culture

4.13 DSS has taken steps to promote and support a fraud aware culture within the department by implementing a range of activities in accordance with the fraud rule and fraud guidance (Table 4.1).

Table 4.1: Activities undertaken to promote and support a fraud aware culture

Commonwealth Fraud Control Framework reference

Details

The fraud rule requires the accountable authority to ensure that officials in the entity are made aware of what constitutes fraud.a

The Secretary has communicated with staff about fraud risk and their responsibilities to prevent and detect fraud.

Outcomes from successful fraud prosecutions are announced on the intranet.

The fraud guidance advises that a widely distributed fraud strategy statement can assist in raising fraud awareness.b

The department’s fraud control framework (that includes its fraud control plan) is available through its intranet.

The department has not developed a stand-alone fraud strategy statement but its intranet includes fraud awareness resources that contain all elements specified in the fraud guidance.

   

Note a: Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, p. A1.

Note b: ibid., para. 44, p. C12.

ibid., para 43, p. C12. This paragraph states that Fraud Control Statements can include: the definition of fraud; a statement of the entity’s commitment to preventing and controlling fraud; a statement of officials’ and contractors’ responsibilities; a summary of the consequences of fraud; an assurance that allegations and investigations will be handled confidentially; directions on how allegations and incidents of fraud are to be reported and managed; and advice on where further information can be found.

Source: ANAO analysis of departmental documentation.

4.14 The department has also promoted fraud awareness by participating in International Fraud Awareness Week 201988, which included a range of internal events. The department advised the ANAO that it is planning its participation in International Fraud Awareness Week 2020, which will include a push for staff to recomplete fraud awareness training.

Completion rates for mandatory fraud awareness training

4.15 The fraud rule requires the accountable authority to ensure that officials in the entity are made aware of what constitutes fraud.89 The fraud guidance states that:

Entities are encouraged to have all officials take into account the need to prevent and detect fraud as part of their normal responsibilities. Appropriate mechanisms could include fraud awareness and integrity training in all induction programs and a rolling program of regular fraud awareness and prevention training for all officials.90

4.16 The department offers the online fraud awareness training module developed by the Attorney-General’s Department to all staff. Prior to August 2019 completion of this module was not mandatory and was not monitored. In August 2019 the Secretary set an expectation that this training be completed by all staff annually. As at November 2019, 96.8 per cent of staff had completed the training.91 As this mandatory requirement was only recently introduced, there would be benefit in the department continuing to monitor compliance rates to inform its approach to achieving full compliance.

4.17 The department offers additional online training modules relevant to fraud control that cover security (protective security, personnel security, physical security and information security), APS values and principles (employment principles, Code of Conduct expectations, and applying ethical standards), and risk management modules.

4.18 Multiple face-to-face fraud awareness training sessions for staff were offered during International Fraud Awareness Week 2019. These sessions were facilitated by the department’s Audit and Assurance Branch and each session was targeted towards a particular program (for example, the National Rental Affordability Scheme) or towards a particular area of work (for example, grant-related roles or community-related roles).

4.19 The whole of government fraud guidance states that it is beneficial for awareness-raising programs for third-party providers to take into account the work they do directly for entities and the services they deliver on behalf of the entity.92 Fraud awareness training for third-party providers is not currently offered by DSS.

Is assurance about the department’s fraud control arrangements provided through reporting?

In its 2017–18 and 2018–19 annual reports, the department provided a lesser level of assurance to the Parliament than is expected by the PGPA Rule. The Secretary’s certification in those annual reports did not meet the expectations of the PGPA Rule because it did not state that all reasonable measures had been taken to deal appropriately with fraud relating to the entity, or identify what, if any, further measures needed to be implemented. The department has complied with the mandatory reporting obligation in the Commonwealth Fraud Control Policy to provide information to the Australian Institute of Criminology annually, and has briefed its Minister twice on specific fraud risks or issues since 2016.

Annual report requirements

4.20 Accountable authorities are required, under subsection 17AG(2) of the Public Governance, Performance and Accountability Rule 2014, to include information in their annual report on compliance with section 10 of the Rule, which deals with preventing, detecting and dealing with fraud. The accountable authority is also required to certify in the annual report that:

  • fraud risk assessments and fraud control plans have been prepared for the entity;
  • appropriate mechanisms for preventing, detecting incidents of, investigating or otherwise dealing with, and recording or reporting fraud that meet the specific needs of the entity are in place for the entity; and
  • all reasonable measures have been taken to deal appropriately with fraud relating to the entity.

4.21 The ANAO’s review of DSS’s annual report for the past three years (Table 4.2) indicates that the department has not fully satisfied the annual report expectations of the PGPA Rule. In particular, there is an expectation to certify that ‘all reasonable measures have been taken to deal appropriately with fraud relating to the entity’. The Secretary’s certification, in the 2017–18 and 2018–19 annual reports, omitted the word ‘all’, providing a lower level of assurance to the Parliament than is expected by the PGPA Rule (Table 4.2, Note a).

Table 4.2: Compliance with subsection 17AG(2) of the PGPA Rule 2014

Requirement

2016–17

2017–18

2018–19

 

Information on compliance with section 10 (which deals with preventing, detecting and dealing with fraud) in relation to the entity during the period.

An explicit certification that:

  • fraud risk assessments and fraud control plans have been prepared for the entity, and

  • appropriate mechanisms for preventing, detecting incidents of, investigating or otherwise dealing with, and recording or reporting fraud that meet the specific needs of the entity are in place for the entity, and

  • all reasonable measures have been taken to deal appropriately with fraud relating to the entity.a

       

Note a: The word ‘all’ is omitted from the certification in the 2017–18 and 2018–19 annual reports.

Source: Department of Social Services, Annual Report 2016–17, DSS, 2017; Department of Social Services, Annual Report 2017–18, DSS, 2018; Department of Social Services, Annual Report 2018–19, DSS, 2019.

4.22 In addition to the annual report requirements detailed above, the department provides an overview of fraud control strategies and investigations in the annual report.

4.23 For future annual reports, the annual report certification should meet the expectations of the PGPA Rule and indicate whether all reasonable measures have been taken to deal appropriately with fraud relating to the entity, or identify what measures have not been implemented.

Recommendation no.2

4.24 The Department of Social Services accountable authority’s annual report certification prepared pursuant to subsection 17AG(2) of the PGPA Rule 2014 should certify that all reasonable measures have been taken to deal appropriately with fraud relating to the entity, or indicate what further measures need to be implemented.

Department of Social Services response: Agreed.

4.25 The wording of the annual report certification will be amended for future reports to reflect that the department is taking all reasonable measures to deal with fraud appropriately.

4.26 The department has a robust framework in place to prevent, detect and deal with fraud and is compliant with all obligations as specified in section 10 of the Public Governance, Performance and Accountability Rule 2014. The department’s governance committees and Executive are regularly briefed on fraud control activities framed against section 10 of the Public Governance, Performance and Accountability Rule 2014.

Information provided to the Australian Institute of Criminology

4.27 The fraud policy requires entities to provide information to the Australian Institute of Criminology (AIC) in the form requested, to facilitate the AIC’s annual report to the Attorney-General’s Department on fraud against the Commonwealth and fraud control arrangements.93

4.28 DSS has provided the information requested by the AIC, in the form requested, by the required due date. The department has documented the areas responsible for providing input and individuals responsible for review, clearance and sign-off of the department’s response.

Informing the Minister about the entity’s fraud control arrangements and significant issues

4.29 The fraud guidance states that:

… while there is no specific mention of reporting fraud matters to an entity’s Minister in the Fraud Rule or Fraud Policy, section 19 of the PGPA Act requires an accountable authority to keep their Minister informed about the activities of the entity and significant issues that may affect the entity.94

4.30 The department has briefed the Minister twice on specific fraud risks or issues since 2016.

4.31 The department could usefully consider providing an annual fraud control report to the responsible Minister that includes the suggested content detailed in the fraud guidance (Table 4.3).

Table 4.3: Suggested content for reporting to the responsible Minister

Suggested content

Fraud initiatives undertaken by the entity in the reporting period, including an evaluation of their effectiveness

Planned fraud initiatives not yet in place

Information regarding significant fraud risks for the entity

Significant fraud incidents which occurred during the reporting period.

Source: Attorney General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, para. 94, p.C19.

Appendices

Appendix 1 Entity response

Response from Secretary of the Department of Social Services

Appendix 2 Desktop review: fraud control frameworks, estimates of fraud losses and fraudster personas

Fraud control frameworks

1. The ANAO conducted a desktop review of the fraud control frameworks for New South Wales; Victoria; Queensland; South Australia; Tasmania, the Australian Capital Territory; and the Northern Territory. International counterparts examined included the United Kingdom, New Zealand, South Africa and the United States of America.

2. The comparison of the current Commonwealth Fraud Control Framework95 with arrangements applying in other jurisdictions identified common approaches to some key aspects, including the requirement for:

  • regular fraud risk assessments;
  • a fraud control plan with an emphasis on fraud prevention;
  • clearly documented roles and responsibilities with an explicit statement that fraud prevention is the responsibility of all staff;
  • all staff to complete fraud awareness training (this is encouraged, but not a mandatory requirement for all jurisdictions);
  • clear reporting channels for reporting suspected fraud and agreed responses for dealing with detected fraud; and
  • policies and processes for detecting, investigating and responding to suspected fraud.

3. The comparison identified six key differences to the Commonwealth Fraud Control Framework (which is broadly consistent with other Australian jurisdictions):

  • Publicising antifraud efforts and successfully resolved cases to raise awareness about program integrity and antifraud efforts (USA).
  • The requirement for a fraud control policy to reflect the conditions associated with fraud, including incentives/pressure, opportunities, and attitudes, to assist employees to identify potential fraud (the ‘fraud triangle’ discussed in more detail in paragraph 10) (South Africa and NZ).
  • Distinguishing between the government’s fraud policy and other government policies such as the public servant code of conduct, noting the policies can be closely aligned, often overlap and may operate concurrently (NZ).
  • Setting clear requirements for separate documents to meet strategic and operational purposes. For example, a fraud control strategy can communicate a commitment to combatting fraud and present the entities’ strategic approach to fraud control (the ‘why’ of fraud control); separate and distinct from fraud control plans which can take a more operational view (the ‘how’ of fraud control) (South Africa, UK and USA).
  • The use of outcome based metrics summarising what the organisation is seeking to achieve and, for those organisations with ‘significant estimated’ fraud loss, metrics with a financial impact (UK).
  • Focusing on finding fraud, including through the use of data analytics (UK and USA).

Estimating fraud losses — survey responses

4. Estimates of fraud losses against the Australian Government developed by the Australian Institute of Criminology (AIC) are based on responses by Commonwealth entities to its annual online questionnaire.96

5. The AIC publishes an estimate of fraud losses on the basis of completed investigations where fraud could be quantified. In 2018–19 (the most up-to-date data available from the AIC reports), the AIC estimated fraud losses of $149.7m on this basis.97

6. The AIC notes there are a number of limitations associated with developing estimates of fraud losses on the basis of entity responses:

  • Not all entities invited to respond to the online questionnaire provided a response. In 2018–19, 156 (83 per cent) of invited entities provided a response. One of these entities however did not provide data to the AIC due to security reasons.
  • Undetected or unreported fraud is excluded, as is fraud that was detected but written off, either due to the low value of the fraud, or because resources were not allocated to undertake an investigation.
  • Incomplete survey responses; a respondent may be unable or unwilling to answer a question, or the relevant information was not collected during the investigation and therefore cannot be provided to the AIC.
  • Fraud losses include intangible costs such as reputational damage. Intangible costs are not captured in the AIC estimates of fraud losses.98

7. The Association of Certified Fraud Examiners (CFEs) publishes an annual Report to the Nations on the basis of survey responses by CFEs in 125 countries.99 The 2020 report contains an analysis of 2,504 cases of occupational fraud investigated between January 2018 and September 2019 by CFEs.100 The survey respondents were asked the percentage of revenue they believe a typical organisation loses to fraud each year, with the median response being 5 per cent of annual revenues.

Estimating fraud losses — cost measurements

8. Since 2014 the UK Government’s Counter Fraud Centre of Expertise has been building its evidence base of public sector fraud101 and error loss estimates for central government spending102 by developing cost measurement estimates.103 To develop a cost measurement estimate, the level of irregularity (fraud and error) in an area of government spending is tested. The UK Government has undertaken 53 cost measurement exercises in various categories of government expenditure, and on the basis of these estimates the fraud and error loss for government expenditure is 0.5 to 5.0 per cent.

9. The Financial Cost of Fraud report published in the UK by Crowe and the Centre for Counter Fraud Studies at the University of Portsmouth updates research first undertaken in 2009 to collate information from around the world on the financial cost of fraud and error. Analysis of 690 loss measurement exercises from 10 countries undertaken between 1997 and 2018 found that losses are usually in the range of 3 per cent to 10 per cent, with a likely average of 6.05 per cent.104

The fraud diamond and fraudster personas

10. The seminal ‘fraud triangle’ was developed in the 1950s on the basis of in-depth interviews with those convicted of trust violations. The fraud triangle posits that individuals are motivated to commit fraud when three elements come together: some kind of perceived pressure; some perceived opportunity; and some way to rationalise the fraud.105

11. The fraud triangle was expanded in 2004 to include a fourth element, the individual’s capability; those personal traits and abilities that play a major role in whether fraud may actually occur even with the presence of the other three elements from the fraud triangle (Figure A1).106 The personal traits and abilities identified by the research that are key for the capability to commit fraud include:

  • a position or function in the organisation that furnishes the ability to create or exploit an opportunity for fraud;
  • the person is smart enough to understand and exploit internal control weaknesses and to use position, function or authorised access to the greatest advantage;
  • the person has a strong ego and great confidence that they will not be detected, or they believe they could easily talk themselves out of trouble if caught; and
  • the person can coerce others to commit or conceal fraud.107

Figure A.1: The fraud diamond

This figure illustrates the four elements that increase the likelihood for fraud to occur. These elements are described in paragraphs 10 and 11.

Source: Wolfe, D., and Hernanson, D., The Fraud Diamond: Considering the Four Elements of Fraud.

12. One focus of international research concerns the key characteristics of those who commit fraud, with these characteristics identified and distilled by undertaking case study analysis.

13. The AIC’s annual report to government includes more detailed questions about the one matter that resulted in the greatest financial loss or impact to the responding entity.108 In the 2018–19 report, 19 entities provided details about the most costly internal frauds. The AIC reported that the most costly internal fraud perpetrators were most commonly aged between 25 and 34 years, with 8 men and 7 women (not every entity which provided details about the most harmful fraud was able to provide this demographic information). Seven of the 16 internal fraud perpetrators (44 per cent) had been employed by the entity for 85 months or longer. In contrast to other international research discussed below, the AIC reported that internal fraud perpetrators were employed at more junior levels (APS1–4) rather than at the senior executive level. The principal target for internal fraud was financial gain, either through employee entitlements or internal financial fraud.

14. The KMPG 2016 report Global profiles of the fraudster is based on analysis of 750 fraudsters with data collected from KPMG forensic professionals in response to a questionnaire about the fraudsters they investigated between March 2013 and August 2015. KMPG reported:

  • a perpetrator of fraud tends to be male between the ages of 36 and 55, working with the organisation for more than six years and holds an executive position;
  • 44 per cent of perpetrators had unlimited authority in their company and were able to override controls; and
  • in 62 per cent of frauds, the perpetrator colluded with others.109

15. The Association of Certified Fraud Examiners (ACFE) 2020 Report to the Nations found —on the basis of 2,504 cases of occupational fraud investigated between January 2018 and September 2019 — that the ‘typical fraudster’ is more likely to be:

  • in the 36 to 45 year age group, but those aged over 60 cause the largest median losses;
  • male, with males causing much larger median losses than females;
  • employed within the organisation for between one and five years;
  • working in the accounting and operations areas of the organisation; and
  • a low-level employee. However, if they are in an executive position, they will cause a median loss that far exceeds the losses caused by managers and staff-level employees.110

16. The PwC’s 2020 Global Economic Crime and Fraud Survey report compiled over 5,000 survey responses from organisations about who has perpetrated fraud against them. The report highlights that:

  • third party providers committed 19 per cent of fraud, with only half of organisations surveyed having a third-party risk program in place;
  • senior management committed 26 per cent of fraud, in part because of their ability to override internal controls.111

17. In 2018, PwC drew out key findings for Australia from the 158 Australian respondents to the 2018 global survey in the PwC 2018 Global Economic Crime and Fraud Survey: Australian Report. The report shows that ‘frenemies’, or those close to the organisation committed 60 per cent of economic crime in Australia. ‘Frenemies’ are defined as employees, customers, suppliers, consultants and agents.112

18. The Attorney-General’s Department Commonwealth Fraud Prevention Centre has used recent case studies of those found guilty of fraudulent acts to develop a series of eight fraudster personas on the basis of the methods they commonly employ to commit fraud. The aim is to assist Commonwealth entities to:

  • evaluate exposure to the methods of these types of fraudsters; and
  • assess current capability in countering these types of fraudsters.113

Appendix 3 Department of Social Services: Roles and responsibilities for fraud control

Role

Responsibilities

The Secretary

Under section 10 of the Public Governance, Performance and Accountability Rule 2014, the Secretary as the Accountable Authority must take all reasonable measures to prevent, detect and deal with fraud relating to the department.

All Employees

All staff have a number of obligations to support the department to prevent fraud and must:

  1. report any incident of suspected or potential fraud or corruption immediately. All suspected fraudulent or corrupt activity will be assessed and, where appropriate, investigated;
  2. provide assistance during the course of suspected fraud or corruption investigations unless issues of self-incrimination arise;
  3. adhere to the APS Values and Code of Conduct;
  4. be aware of the department’s Fraud Control, Enterprise Compliance, Enterprise Risk and Protective Security Policy Frameworks and understand how they apply to their work; and
  5. foster an environment that promotes the highest standards of ethical behaviour.

Chief Risk Officer

The Chief Risk Officer is responsible for supporting the Secretary and the Executive Management Group to drive a positive risk culture across the department, and building the capability of our staff to manage risk effectively and efficiently.

Managers

All managers must educate their staff and raise awareness of fraud, compliance, risk security and the APS Values and Code of Conduct.

Fraud Control Officers

Fraud Control Officers must:

  1. investigate and manage all reported cases of fraud or corruption;
  2. undertake all fraud control activities with integrity and impartiality; and
  3. ensure effective operational controls and procedures are in place for the prevention and detection of fraud and corruption.

Assurance and Performance Branch

Operational responsibility for fraud governance issues, including fraud prevention, detection, investigations, monitoring and evaluation lies with the Assurance and Performance Branch. This includes responsibility for developing, implementing and maintaining the department’s Fraud Control Framework.

People Services Branch

People Services Branch has responsibility for investigating suspected breaches of the APS Code of Conduct and may refer matters to the Director, Investigations, Assurance and Performance Branch, where appropriate.

Agency Security Advisor

The Agency Security Advisor is responsible for the day-to-day management of protective security measures within the department. The Agency Security Advisor leads activities for the promotion of a security-aware culture and encourages staff to value, protect and use agency information and assets correctly, contributing to the effectiveness of the department’s fraud control strategies.

IT Security Advisor

The IT Security Advisor is responsible for developing the department’s Information and Communications Technology security plans, policies and procedures, ensuring that the department’s systems are protected against unauthorised access.

Policy and Program Areas

All policy, program and system design areas are responsible for the continued development of programs and systems that consider fraud risks in their design and construction, and for ensuring control mechanisms remain relevant.

Community Grants Hub

The Community Grants Hub (the Hub) is responsible for working with the department and other client agencies to prevent and detect fraud in the grants administration process. The Hub administers community-based grants on behalf of Australian Government departments, agencies and organisations.

While the department administers the grants, fraud responsibilities including prevention, detection and investigating fraud against client agency programs remain with the client agency. The Hub works with client agencies to ensure they are aware of their responsibilities.

   

Appendix 4 Commonwealth Fraud Control Framework procedural requirements for investigations mapped to the Australian Government Investigations Standards

The Commonwealth Fraud Control Policy (fraud policy)114 details procedural requirements for investigations. The ANAO has mapped these requirements to the Australian Government Investigations Standards (AGIS) for the purpose of ensuring that by undertaking an assessment of whether a department’s investigation procedures are consistent with the AGIS, all procedural requirements for investigations detailed in the fraud policy have also been assessed.

Fraud policy procedural requirement

AGISa

Entities must maintain appropriately documented procedures setting out criteria for making decisions at critical stages in managing a suspected fraud incident.

3.1 Investigation management.

Agencies must employ investigation management procedures which are based on project management principles of managing resources, processes, work to be undertaken, time and outcomes […] Agencies are to incorporate the following concepts into investigation management procedures:

3.2 Investigation commencement.

3.3 Planning phase.

3.4 Risk management.

3.5 Implementation phase.

3.6 Investigation closure.

Entities must have in place investigation and referral processes and procedures that are consistent with the AGIS.

2.1 Receiving and recording alleged, apparent or potential breaches.

2.2 Evaluation of referrals or conduct identified as allegedly, apparently or potentially breaching the law.

2.4 Referral of matters to the AFP.

2.5 Referral to Australian Commission for Law Enforcement Integrity (ACLEI).

3.1 to 3.6 Investigation management.

Entities must appropriately document decisions to use civil, administrative or disciplinary procedures, or to take no further action in response to a suspected fraud incident.

3.6.2 Finalising investigation.

Agencies are to have written procedures relating to finalising the investigation following legal proceedings, disruption or prevention actions or decision to take no further action.

An entity is responsible for investigating instances of fraud or suspected fraud against it, including investigating disciplinary matters, unless the matter is referred to and accepted by the Australian Federal Police (AFP) or another law enforcement agency.

2.2 Evaluation of referrals or conduct identified as allegedly, apparently or potentially breaching the law.

2.4 Referral of matters to the AFP.

2.5 Referral to Australian Commission for Law Enforcement Integrity (ACLEI).

Where a law enforcement agency declines a referral, entities must resolve the matter in accordance with relevant internal and external requirements.

2.3 Accepting matters for investigation.

The AFP has the primary law enforcement responsibility for investigating serious or complex fraud against the Commonwealth. Entities must refer all instances of potential serious or complex fraud offences to the AFP in accordance with the AGIS and AFP referral process, except in the following circumstances:

a) where entities:

  1. have the capacity and the appropriate skills and resources needed to investigate potential criminal matters; and
  2. meet requirements of the AGIS for gathering evidence and the Commonwealth Director of Public Prosecutions in preparing briefs of evidence, or

b) where legislation sets out specific alternative arrangements.

2.3 Accepting matters for investigation.

2.4 Referral of matters to the AFP.

Fraud investigations must be carried out by appropriately qualified personnel as set out in the AGIS. If external investigators are engaged, they must as a minimum meet the required investigations competency requirements set out in the AGIS.

1.5 Investigator qualifications.

Entities must take all reasonable measures to recover financial losses caused by illegal activity through proceeds of crime and civil recovery processes or administrative remedies.

Not covered by the AGIS. Assessed separately by the ANAO.

Where an investigation discloses potential criminal activity involving another entity’s activities or programs, the investigating entity must report the matter to that entity to the extent possible subject to relevant requirements of any Australian law.

1.7 Information sharing.

   

Note a: Extracts of the relevant wording from the AGIS is provided.

Source: Commonwealth Fraud Control Framework and the Australian Government Investigations Standards.

Footnotes

1 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, para. viii, p.B1.

2 ibid. para. 16, p. C7.

3 ibid., paras 18–19, p. C7.

4 ibid., para. 21, p. C7.

5 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017.

6 Entity types are discussed in footnote 19.

7 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, p. IV.

8 As discussed in paragraph 1.12, the ANAO assesses the effectiveness of entity internal controls as they relate to the risk of misstatement in the financial statements on an annual basis.

9 Department of Health, Australian Health Sector Emergency Response Plan for Novel Coronavirus (COVID-19) [Internet], Department of Health, available from https://www.health.gov.au/resources/publications/australian-health-sector-emergency-response-plan-for-novel-coronavirus-covid-19 [accessed 6 April 2020].

10 Department of the Prime Minister and Cabinet, Senate Select Committee on COVID-19 Whole-of-Government submission, Attachment 1 [Internet], PMC, available from https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/COVID-19/COVID19/Submissions [accessed 3 June 2020].

11 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, para. viii, p.B1.

12 ibid., para. 16, p. C7.

13 ibid., para. 15, p. C7.

14 ibid., paras 18–19, p. C7.

15 ibid., para. 21, p. C7.

16 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017.

17 Under subsection 12(2) of the PGPA Act, the accountable authority for the Department of Social Services is the Secretary of the Department.

18 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, p. III.

19 A non-corporate Commonwealth entity, such as a department of state, is not a body corporate. A corporate Commonwealth entity is a body corporate which may, among other things, enter into contracts and acquire property in its own name.

20 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, p. IV.

21 Australian Government, Budget Paper No. 2 Budget Measures 2019–20 [Internet], 2019, available from https://budget.gov.au/2019-20/content/bp2/index.htm [accessed 13 November 2019].

22 Attorney-General’s Department, About fraud in Australia [Internet], AGD, available from https://www.ag.gov.au/Integrity/counter-fraud/fraud-australia/Pages/about-fraud-australia.aspx [accessed 24 February 2020].

23 In accordance with the Commonwealth Fraud Control Policy, all non-corporate Commonwealth entities are required to collect information on fraud and complete an online questionnaire by 30 September each year. Corporate Commonwealth entities are not formally required to complete the questionnaire, however the Australian Government considers that collection of fraud information by these entities is best practice and expects they will complete the questionnaire by the due date. In 2019, 156 entities participated out of the 188 entities invited to participate, an 83 per cent participation rate.

24 C Teunissen, R Smith and P Jorna, Commonwealth Fraud Investigations 2017–18 and 2018–19, Statistical Report No.25, Australian Institute of Criminology, Canberra, 2020.

25 Respondents were asked to provide their best estimate of the total amount that perpetrators were found to have dishonestly obtained from the Commonwealth, according to the findings of the finalised investigations. Note that not all respondents could quantify loss amounts for investigations.

26 Auditor-General Report No.46 2018–19, Interim Report on Key Financial Controls of Major Entities, para. 3.

27 See paragraphs 1.16–1.17 of this performance audit report.

28 Auditor-General Report No.46 2018–19, Interim Report on Key Financial Controls of Major Entities, para. 6 and para. 1.21.

29 The objective of the audit was to examine the effectiveness of the NDIA’s fraud control program and its compliance with the Commonwealth Fraud Rule.

30 Auditor-General Report No.50 2018–19 National Disability Insurance Scheme Fraud Control Program.

31 ibid., p. 13.

32 The selected entities were Comcare, the Australian Trade Commission and the Department of Veterans’ Affairs.

33 Auditor-General Report No.3 2014–15 Fraud Control Arrangements Across Entities. Fraud control was also reviewed in Auditor-General Report No.42 2009–10 Fraud Control in Australian Government Agencies.

34 AGD and the AIC entered into a memorandum of understanding in May 2017 that sets out the ‘agreed role, responsibilities and timeframes for the preparation and annual submission’ of the AIC’s annual fraud report.

35 Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, para. 14(a), p. B3.

36 As discussed in paragraph 1.12, the ANAO assesses the effectiveness of entity internal controls as they relate to the risk of misstatement in the financial statements on an annual basis.

37 Department of Health, Australian Health Sector Emergency Response Plan for Novel Coronavirus (COVID-19) [Internet], Department of Health, available from https://www.health.gov.au/resources/publications/australian-health-sector-emergency-response-plan-for-novel-coronavirus-covid-19 [accessed 6 April 2020].

38 Department of the Prime Minister and Cabinet, Senate Select Committee on COVID-19 Whole-of-Government submission, Attachment 1 [Internet], PMC, available from https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/COVID-19/COVID19/Submissions [accessed 3 June 2020].

39 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, p. A1.

40 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, para. v. p.B1.

41 ibid., para. 31, p. C10.

42 Attorney-General’s Department, Commonwealth Fraud Control Framework, AGD, 2017, p. A1.

43 ibid., para. 38, p. C11.

44 Approval by the accountable authority of key policies and frameworks, such as the entity’s fraud control framework, can assist the accountable authority to gain assurance that they are effectively discharging their duties by setting the framework for compliance with relevant legislation and government policy. Approving such frameworks also enables the accountable authority to influence behaviours and can be an important mechanism in communicating the desired culture within the entity.

45 Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, p. A1.

46 ibid., para. 28, p. C9.

47 ibid., para. 2, p. B2.

48 ibid., paras. 55–58, p. C14.

49 Internal operations include financial management and procurement, people services and other corporate functions.

50 Program level fraud risk assessments may cover one or more programs. For example, fraud risks related to the department’s nine financial counselling/resilience programs are covered in a single fraud risk assessment.

51 The department advised the ANAO that programs not identified as ‘high risk’ have their fraud risks assessed and managed through its standard risk assessments.

52 The department’s tolerance for fraud risk is specified in the fraud risk assessment template.

53 In addition, ten of the ‘acceptable’ high fraud risks had treatments identified and for two of these risks the residual risk rating was reduced.

54 The department has produced three program-specific fraud control plans intended to complement program-level fraud risk assessments.

55 For programs like the National Redress Scheme, the Department of Social Services is responsible for policy and Services Australia is responsible for service delivery.

56 An internal audit conducted on fraud controls in grants administration in 2018–19 concluded that the grants hub ‘has established and implemented fraud risk management processes and internal controls documented within the PDM [program delivery model] underpinned by relevant fit for purpose frameworks. [The audit] noted [that] the PDM clearly articulated controls for risk mitigation throughout the five phases of Design, Select, Establish, Manage and Evaluate, and that there was good coverage of fraud controls during the Manage phase pertaining specifically to the provision of Financial Assurance’.

57 Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, para. 39, p. C11.

58 See paragraph 1.12.

59 Department of Finance, Commonwealth Risk Management Policy, DOF, 2014, p. 1.

60 The department further advised the ANAO that it intends to document reviews of controls as planned activities in its fraud control annual work programs going forward.

61 Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, p. A1.

62 ibid.

63 ibid., paras. 62–63, p. C15.

64 These channels consist of a public fraud hotline number, a fraud email inbox, and a postal address for the Branch Manager of the Audit and Assurance Branch.

65 Department of Social Services, Reporting Suspected Fraud [Internet], DSS, available from https://www.dss.gov.au/contact/reporting-suspected-fraud [accessed 17 February 2020].

66 Department of Social Services, Reporting Suspected Fraud [Internet], DSS, available from https://www.dss.gov.au/contact/reporting-suspected-fraud [accessed 17 February 2020].

67 Department of Social Services, Reporting Suspected Fraud [Internet], DSS, available from https://www.dss.gov.au/contact/reporting-suspected-fraud [accessed 17 February 2020].

68 Commonwealth Ombudsman, Public Interest Disclosure [Internet], Commonwealth Ombudsman, available from https://www.ombudsman.gov.au/Our-responsibilities/making-a-disclosure accessed 13 February 2020].

69 Department of Social Services, Public Interest Disclosure Procedures [Internet], DSS, available from https://www.dss.gov.au/sites/default/files/documents/08_2019/public-interest-disclosure-procedure-signed-version.pdf [accessed 17 February 2020].

70 The fraud policy procedural requirements for investigations encapsulates the standards set out in the AGIS, and also includes the requirement for entities to take all reasonable measures to recover financial losses caused by illegal activity through proceeds of crime and civil recovery processes or administrative remedies (para. 10). Therefore this audit examined whether the department’s investigation procedures were consistent with the AGIS, and whether entities have a process to recover financial losses.

Appendix 4 of this audit report maps the AGIS requirements to the requirements set out in the fraud policy.

71 Entities are required to report to the AIC annually as described in footnote 23.

72 The data presented in paragraphs 3.24–3.28 and in Table 3.2 of this audit report was sourced from the department’s questionnaire response.

73 Including receipt of an allegation; initial evaluation and actioning/referral; investigation management; and case finalisation.

74 The number of investigations commenced in a financial year will not necessarily equal the total of the number of investigations finalised in that financial year, as a case can commence in one financial year and be finalised in a subsequent financial year.

75 Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, para. 10, p. B2.

76 The AIC’s guidance to support completion of the fraud questionnaire advises entities to enter ‘NQ’ if recoveries were ‘unable to be quantified, or recovery action has not been completed’. In its response to the 2018–19 questionnaire, DSS reported ‘NQ’.

77 In respect to proper use, section 8 of the PGPA Act provides that: ‘proper, when used in relation to the use or management of public resources, means efficient, effective, economical and ethical’.

78Public Governance, Performance and Accountability Act 2013 [Internet], available from https://www.legislation.gov.au/Details/C2017C00269 [accessed 23 March 2020].

79 Attorney-General’s Department, Preventing, detecting and dealing with fraud, Resource Management Guide No. 201, AGD, 2017, para. 24, p. C9.

80 ibid., para. 43, p. C12.

81 These are the hallmarks of a positive risk culture articulated in the Commonwealth Risk Management Policy. Department of Finance, Commonwealth Risk Management Policy, 2014, paragraph 17, available from https://www.finance.gov.au/comcover/risk-management [accessed 19 February 2020].

82 The ANAO has previously conducted performance audits that have examined an aspect of the entity’s culture. See: Auditor-General Report No.6 2017–18 The Management of Risk by Public Sector Entities; Auditor-General Report No.53 2017–18 Cyber Resilience; Audit Insights May 2019 Board Governance; and Auditor-General Report No.1 2019–20 Cyber resilience of Government Business Enterprises and Corporate Commonwealth Entities.

83 The Secretary’s Instructions are issued under section 20 of the Public Governance, Performance and Accountability Act 2013.

84 Section 10 of the Public Governance, Performance and Accountability Rule 2014 (the fraud rule) states that the accountable authority of a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity. The accountable authority for the Department of Social Services is the Secretary, and the term ‘Secretary’ is used throughout this chapter. Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, p. A1.

85 The benefits of the accountable authority approving key policies and frameworks, such as the entity’s fraud control framework, are discussed in footnote 44 of this audit report.

86 Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, para. 29, p. C10.

87 ibid., para. 87, p. C19.

88 International Fraud Awareness Week is an initiative of the Association of Certified Fraud Examiners and is held in November each year.

89 Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, page A1.

90 ibid., para. 46, p. C13.

91 As at 4 December 2019, 89.9 percent of staff had completed the training. The 96.8 per cent figure results from excluding casual staff and staff on long service leave.

92 Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017, para. 50, p. C13.

93 Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, AGD, 2017. para. 14(a), p.B3. Following a machinery of government change in 2017, the AIC is now within the Home Affairs portfolio. The Commonwealth Fraud Control Framework has not yet been updated to reflect this change.

94 ibid., para. 94, p. C19.

95 ibid., AGD, 2017.

96 In accordance with the Commonwealth Fraud Control Policy, all non-corporate Commonwealth entities are required to collect information on fraud and complete an online questionnaire by 30 September each year. Corporate Commonwealth entities are encouraged, but not required, to do so.

97 C Teunissen, R Smith and P Jorna, Commonwealth Fraud Investigations 2017–18 and 2018–19, Statistical Report No.25, Australian Institute of Criminology, Canberra, 2020.

98 ibid.

99 Association of Certified Fraud Examiners, Report to the Nations 2020 Global Study on Occupational Fraud and Abuse [Internet], ACFE, 2020, available from https://www.acfe.com/report-to-the-nations/2020/ [accessed 3 June 2020].

100 Occupational fraud is defined as the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organisation’s resources or assets.

101 The UK government departments report fraud against a civil test definition of fraud. They consider on the balance of probabilities whether or not an action or inaction was likely to have been taken with the intention of defrauding the taxpayer. Cases do not need to be proved to a criminal standard to be reported as fraud.

102 Outside of the tax and welfare system.

103 UK Cabinet Office, Cross-Government Fraud Landscape Annual Report 2019, UK Cabinet Office, 2020.

104 The exercises included had: a statistically valid sample; sought or examined information indicating the presence of fraud, error or correctness in each case within that sample; have been completed and reported; were externally validated; had a measurable level of statistical confidence; had a measurable level of accuracy.

105 Association of Certified Fraud Examiners, Iconic Fraud Triangle endures [Internet], ACFE, 2014, available from https://www.fraud-magazine.com/article.aspx?id=4294983342 [accessed 11 March 2020].

106 Wolfe, D., and Hernanson, D., The Fraud Diamond: Considering the Four Elements of Fraud [Internet], Kennesaw State University, 2004, available from https://digitalcommons.kennesaw.edu/cgi/viewcontent.cgi?article=2546&context=facpubs [accessed 11 March 2020].

107 ibid.

108 The fraud matter was for a completed investigation in which the allegation was substantiated, either in full or in part, and the investigation was finalised in 2018–19, regardless of when the fraud was committed or when the investigation commenced.

109 KPMG, Global profiles of the fraudster [Internet], KPMG, 2016, available from https://assets.kpmg/content/dam/kpmg/pdf/2016/06/profiles-of-the-fraudster-au.pdf [accessed 11 March 2020].

110 Association of Certified Fraud Examiners, Report to the Nations 2020 Global Study on Occupational Fraud and Abuse [Internet], ACFE, 2020, available from https://www.acfe.com/report-to-the-nations/2020/ [accessed 3 June 2020].

111 PwC, 2020 Global Economic Crime and Fraud Survey [Internet], PwC, 2020, available from https://www.pwc.com/gx/en/services/advisory/forensics/economic-crime-survey.html [accessed 16 March 2020].

112 PwC, Global and Economic Crime and Fraud Survey: Australian Report [Internet], PwC, 2018, available from https://www.pwc.com.au/consulting/assets/gecs-report18.pdf [accessed 16 March 2020].

113 Attorney-General’s Department, Fraudster personas [Internet], AGD, available from https://www.ag.gov.au/Integrity/counter-fraud/fraudster-personas/Pages/default.aspx [accessed 11 March 2020].

114 The fraud policy is binding for all non-corporate Commonwealth entities.