The objective of this audit was to examine the effectiveness of the National Disability Insurance Agency’s (NDIA) fraud control program and its compliance with the Commonwealth Fraud Control Framework.

Summary and recommendations

Background

1. The National Disability Insurance Scheme (NDIS/the Scheme) is being rolled out nationally over three years from 2016 to 2019. Once fully implemented, the NDIS will provide about 460,000 Australians aged under 65, who have permanent and significant disability, with funding for supports and services.1 The National Disability Insurance Agency (NDIA) is an independent statutory agency responsible for implementing the NDIS.2

2. The NDIA has a Fraud Strategy Statement3 which states that:

The NDIA has strengthened its fraud control arrangements to protect the Scheme and the Agency from exploitation through fraud. The NDIA and Commonwealth Government will not tolerate fraud or the misuse of funds intended to support people with disability.

3. The Commonwealth Fraud Control Framework4 is designed to manage the risks of fraud against Commonwealth entities. Under section 10 of the Public Governance, Performance and Accountability Rule 2014, the NDIA (as a corporate entity) must comply with the Fraud Rule. However, the other elements of the Fraud Control Framework, the Fraud Policy and the Fraud Guidance, are not binding on the NDIA.

4. The Commonwealth Government is aware of the need to enhance its response to fraud, noting that the 2019–20 Budget included ‘$16.4 million over two years for a targeted approach to tackling fraud’.5

Rationale for undertaking the audit

5. Australian National Audit Office (ANAO) performance audits have shown that schemes similar to the NDIS have posed fraud risks and implementation challenges.6 The ANAO’s financial auditing of the NDIA has identified specific fraud risks relating to third party providers.7 There is also a risk that people committing fraud can move between government programs, for example from the family day care sector.8 In developing its fraud control program the NDIA must comply with the Fraud Rule, however, as a corporate entity, the Commonwealth’s Fraud Policy and Fraud Guidance are not mandatory for it as they are for non-corporate entities. This is despite the NDIA receiving public funds for a public purpose.

6. These risks, along with the scale of the NDIA, which will receive an estimated $20.209 billion in 2019–20, led to the prioritisation of an audit of the NDIA’s fraud control program. The ANAO has an ongoing performance audit program covering the NDIS, with the previous audits focused on participant access decision making controls and the management of the transition of the disability services market.

Audit objective and criteria

7. The objective of this audit was to examine the effectiveness of the NDIA’s fraud control program and its compliance with the Commonwealth Fraud Rule. To form a conclusion against the audit objective, the ANAO adopted the following high-level audit criteria:

  • Has the NDIA implemented effective strategies to prevent fraud?
  • Does the NDIA effectively detect and respond to fraud?
  • Has the NDIA implemented effective arrangements to oversee, monitor and report on its fraud control arrangements?

Conclusion

8. The NDIA is largely compliant with the requirements of the Commonwealth Fraud Rule and is undertaking work which has the potential to make its fraud control program effective.

9. The NDIA Risk Appetite Statement states that fraud is unacceptable. The NDIA has developed strategies to prevent fraud, although after controls were implemented, two residual risk ratings remained high. The NDIA’s Fraud Control Plan is aligned with better practice and it has processes in place to assess fraud risks and raise fraud awareness. Further work is needed to reassess fraud risk, consolidate fraud controls, and prioritise and deliver future enhancements.

10. The NDIA has largely appropriate fraud detection and response mechanisms, although its data analytics and data matching capabilities are still being progressively implemented, and it is developing a case management system that more effectively supports investigations.

11. The NDIA has implemented largely effective oversight, monitoring and reporting of its fraud control arrangements, with improvements made over 2018 and planned for 2019. The NDIA engages effectively with other government entities on fraud control, although fraud related governance should be improved via enhanced project management and reporting.

Supporting findings

Preventing fraud

12. The NDIA’s assessment of fraud risk was largely comprehensive, except that some risks were not adequately considered at the time of the risk assessment, including: self-managed participants; third party provision of the NDIA’s ICT services; and the upcoming transition of provider registration to the NDIS Quality and Safeguards Commission.

13. In 2018, the NDIA established an appropriate Fraud Control Plan that contains all of the elements listed in the Commonwealth’s better practice guidance.

14. The NDIA’s policy is that fraud is ‘unacceptable’ and high risk ratings are ‘typically undesirable’. The NDIA has identified fraud controls, although many of the ‘controls’ are not active controls. The control effectiveness rating for many fraud risk types is ‘poor’ and the Risk Register rates two risk types as having a high residual risk. The Risk Register should be updated so that it is comprehensive and records control weaknesses and prioritised future actions.

15. The NDIA has developed appropriate training and activities to raise awareness of fraud amongst all agency and partner staff, although the completion rates of the training should be improved. It is mandatory for NDIA staff to complete the fraud training annually. Forty-seven per cent of NDIA staff are up-to-date with the training, 35 per cent need to recomplete the training and 18 per cent have not completed the training. Fraud control officials and investigation staff are sufficiently qualified and experienced for their roles, and the NDIA has received assurance that seconded staff and contractors on the Fraud Taskforce have the required qualifications.

16. The NDIA has published appropriate resources to raise awareness of fraud amongst external stakeholders. The NDIA records attendance and collects feedback for face-to-face provider training but does not monitor providers’ usage of online materials.

Detecting and responding to fraud

17. The NDIA has implemented appropriate processes for NDIA staff, providers, participants and members of the public to report fraud. The NDIA has established procedures to manage the confidentiality of the reports; however, adherence to these procedures should be improved. During the course of the audit the NDIA updated guidance documentation, trained staff and commenced the procurement of a new case management system that may enhance compliance with the procedures.

18. The NDIA has implemented appropriate measures to detect potential fraud, although the important detection methods of data analytics and data matching are still being progressively implemented. Other detection methods include budget variance analysis, participant plan sampling and review, internal audit, and referral pathways with the NDIS Quality and Safeguards Commission. The NDIA redesigned the fraud control data analytics profiles and applied three profiles in March 2019, with an additional nine profiles planned. The NDIA is working to improve its data capability through the recent development of standardised frameworks, draft methodologies, and enhanced data sharing arrangements with other entities.

19. Processes for investigating and taking action against suspected fraud are largely appropriate. In December 2018, the NDIA developed policies and procedures for investigations which are compliant with the Australian Government Investigations Standards (AGIS) 2011. The NDIA is undertaking investigations in line with these policies and has established an appropriate triaging, escalation, and oversight model. The NDIA also established the NDIS Fraud Taskforce in July 2018, which is a key enhancement to its practical capacity to respond to fraud.

20. The NDIA’s fraud response management is not fully compliant with investigations policies or the AGIS. The electronic case management system does not centrally record investigation activities or assist with the preparation of briefs of evidence. The NDIA has not established key performance indicators for investigations or undertaken assurance activities to confirm that investigations are being conducted in line with these policies and procedures. The NDIA is taking action to improve compliance in these areas.

Oversight, monitoring and reporting

21. The NDIA works effectively with other entities to mitigate fraud. Of note are:

  • the NDIA’s membership of the Fraud and Anti-Corruption Centre;
  • the July 2018 establishment of the NDIS Fraud Taskforce, which draws in the expertise of the Australian Federal Police and the Department of Human Services;
  • the NDIA’s review of Department of Education and Training data on providers who have defrauded family day care; and
  • active engagement with the NDIS Quality and Safeguards Commission.

22. The NDIA is undertaking several projects to improve its fraud controls including delivery of a Fraud and Compliance Roadmap. The NDIA has completed risk assessments for its major fraud related projects. However, it has not provided evidence that risk assessments, which consider fraud risk, have been conducted for all NDIA projects. The NDIA should review its projects to identify how these will close the gaps between fraud risks and controls. This would assist in updating the Risk Register.

23. The NDIA has enhanced its governance and internal reporting of fraud control activities over 2018. The Board, Audit Committee, Risk Committee and the Executive Leadership Team have considered different aspects of the NDIA’s fraud control program including fraud risks, ICT fraud security, the Fraud Control Plan and fraud investigations. Fraud control governance and reporting would be more effective if the Board and the Executive Leadership Team were regularly updated on the status of fraud controls in response to fraud risks.

24. The NDIA responds to the annual Australian Institute of Criminology (AIC) questionnaire on fraud. Under the Fraud Control Framework, given that the NDIA is a corporate entity, this reporting is better practice rather than mandatory. There is scope for the NDIA to enhance future reports given the improvements in its fraud control activities.

Recommendations

Recommendation no. 1

Paragraph 2.31

That, to gain a better understanding of the overall fraud control strategies and to prioritise and track future control enhancements, the NDIA:

  1. remove any non-controls from the Risk Register;
  2. assess if key individual controls are implemented and effective; and
  3. regularly update the Risk Register with planned controls, the delivery date and the project or activity under which the control will be developed and implemented.

National Disability Insurance Agency response: Agreed.

Recommendation no. 2

Paragraph 3.26

That the NDIA improve its active fraud detection methods by implementing the planned data analytics and data matching activity as a matter of priority, and on a continuing basis.

National Disability Insurance Agency response: Agreed.

Recommendation no. 3

Paragraph 3.49

That the NDIA improve compliance with investigations policies by:

  1. ensuring the new case management system has the functionality identified in pre-procurement planning documents;
  2. establishing performance measures for its investigative functions that align with organisational goals for fraud investigation; and
  3. undertaking quality assurance reviews of recent investigations to gain assurance that the NDIA Investigations Manual is being consistently applied.

National Disability Insurance Agency response: Agreed.

Recommendation no. 4

Paragraph 4.18

That the NDIA undertake a review of its project management of fraud control. This review should:

  1. map all projects and activities with fraud control dimensions, including their status, linkages, relative priority and resourcing;
  2. determine whether additional projects or activities are required to close any gaps between the fraud risks and the implemented and planned fraud controls within projects; and
  3. support updating the Fraud and Corruption Risk Register (Recommendation 1).

National Disability Insurance Agency response: Agreed.

Recommendation no. 5

Paragraph 4.43

That, to ensure visibility of the fraud control environment, the NDIA provide regular reports to the Executive Leadership Team and the Board containing a summary of the status of the Fraud and Corruption Risk Register, including:

  1. the untreated risk rating and the residual overall impact after controls are applied for each of the 17 fraud risk types;
  2. the controls effectiveness rating for each of the 17 fraud risk types; and
  3. the actions required on controls, with implementation dates.

National Disability Insurance Agency response: Agreed.

Recommendation no. 6

Paragraph 4.57

That, in making improvements to its fraud control processes and systems, the NDIA ensures that it is able to record and report more detailed fraud control data, including for the Australian Institute of Criminology Annual Reporting Census.

National Disability Insurance Agency response: Agreed.

Summary of entity response

25. The National Disability Insurance Agency (the Agency) welcomes the ANAO’s audit report into the NDIS Fraud Control Program. The Agency is committed to preventing, detecting and responding to fraud against the National Disability Insurance Scheme (the Scheme) to ensure we continue to support the independence and social and economic participation of people with a disability.

26. The Agency has strengthened its fraud control arrangements to protect the Scheme and the Agency from exploitation through fraud. Recent media regarding the Agency addressing serious fraud is an example of our efforts to detect and respond to fraud against the NDIS appropriately.

27. In addition to the audit finding that the Agency is compliant with the requirements of the Commonwealth Fraud Rule, the Agency is pleased the audit acknowledges that our investigation policies and procedures are compliant with best practice standards outlined in the Australian Government Investigation Standards and our investigations are undertaken in accordance with these policies.

28. The Agency accepts the six recommendations and is pleased to advise steps have already been taken to address a number of the recommendations and findings in the report.

29. The Agency is well progressed in delivering a strategic multi-year program to strengthen our management of fraud and compliance risks. The Agency is pleased to advise that since the audit we have procured a new case management system, continued to invest and mature our data analytics capability so fraud can be detected and responded to quickly, and introduced a rolling program to update the fraud risk assessment and fraud risk mitigation measures.

30. As noted in the report, the NDIA Board has recently endorsed an updated Fraud and Corruption Risk Register. This register includes an updated fraud risk profile as well as a comprehensive view of controls to ensure the Agency is well positioned to protect the Scheme and the Agency from exploitation through fraud. (Also refer to Appendix 1 for the entity response.)

Key learnings for all Australian Government entities

Below is a summary of key learnings, including instances of good practice, which have been identified in this audit that may be relevant for other Commonwealth entities.

Governance and risk management

Policy/program implementation

1. Background

Introduction

1.1 The Australian Government describes fraud as ‘dishonestly obtaining a benefit, or causing a loss, by deception or other means’. Additionally, fraud requires intent. It requires more than carelessness, accident or error, which may be non-compliance rather than fraud.9

1.2 The Australian Institute of Criminology (AIC) has reported10 that in 2015–16 the estimated value of Commonwealth fraud investigations commenced was $503.5 million, with an estimated $25.7 million lost under investigations finalised in 2015–16.11 The majority of alleged fraud incidents and confirmed fraud involved parties external to the entity.

1.3 Detecting all fraud can pose challenges, with the UK Cabinet Office stating:

The government can deal with the [fraud] problem that is known, as the loss associated with this is self-evident. Dealing with the problem that we do not know about is more complex, as the loss is not self-evident. The challenge is to shine a light on those areas where information is poor or non-existent.

Fraud is a hidden and evolving crime; fraudsters make themselves hard to find and adjust and improve their tactics for evading detection when organisations take preventative action.12

The Commonwealth Fraud Control Framework

1.4 The Public Governance, Performance and Accountability Act 2013 (PGPA Act) is the key piece of legislation underpinning the Australian Government’s financial framework. The PGPA Act, the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule)13 and associated policies and guidance set out the regulatory framework for the proper use and management of public resources by Commonwealth entities.

1.5 The Commonwealth’s requirements for managing the risk of fraud are outlined in the Commonwealth Fraud Control Framework 2017 (the Framework).14 The Framework requires government entities to put in place a comprehensive fraud control program that covers prevention, detection, investigation and reporting strategies. The three key elements in the Framework are the:

  • Fraud Rule: derived from section 10 of the PGPA Rule, the Fraud Rule is a legislative instrument that binds all Commonwealth entities and sets out the key requirements for managing fraud;
  • Commonwealth Fraud Control Policy: the Fraud Control Policy sets out procedural requirements for specific areas of fraud management; and
  • Resource Management Guide No. 201 — Preventing, detecting and dealing with fraud (Fraud Guidance): outlines better practice guidance, setting out the government’s expectations for fraud management arrangements within Commonwealth entities.

1.6 Each of these elements has a different binding effect on corporate and non-corporate entities (Figure 1.1).15

Figure 1.1: Binding effects of the Commonwealth Fraud Control Framework

A graphic showing that the Fraud Rule and Fraud Policy are binding for non-corporate commonwealth entities, and the Fraud Guidance is better practice. It also indicates that the Fraud Rule is binding to corporate commonwealth entities, and the Fraud Rule

Source: Attorney-General’s Department, Commonwealth Fraud Control Framework 2017.

1.7 The National Disability Insurance Agency (NDIA or the Agency) is a corporate entity and must comply with the requirements in the Fraud Rule. Although it distributes $20 billion of funds annually, which poses a fraud risk, the NDIA can choose whether to align its processes with the Fraud Policy and Fraud Guidance as a matter of better practice.

1.8 The Fraud Rule contains the following mandatory requirements for all Commonwealth corporate and non-corporate entities:

The accountable authority of a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by:

  1. conducting fraud risk assessments regularly and when there is a substantial change in the structure, functions or activities of the entity; and
  2. developing and implementing a fraud control plan that deals with identified risks as soon as practicable after conducting a risk assessment; and
  3. having an appropriate mechanism for preventing fraud, including by ensuring that:
    1. officials in the entity are made aware of what constitutes fraud; and
    2. the risk of fraud is taken into account in planning and conducting the activities of the entity; and
  4. having an appropriate mechanism for detecting incidents of fraud or suspected fraud, including a process for officials of the entity and other persons to report suspected fraud confidentially; and
  5. having an appropriate mechanism for investigating or otherwise dealing with incidents of fraud or suspected fraud; and
  6. having an appropriate mechanism for recording and reporting incidents of fraud or suspected fraud.

The National Disability Insurance Agency

1.9 The National Disability Insurance Scheme (NDIS or the Scheme) replaces existing Commonwealth, state and territory disability support systems with a nationally consistent scheme aimed at providing Australians under the age of 65, who have a permanent and significant disability, ‘with the reasonable and necessary supports they need to live an ordinary life’.16

1.10 The NDIA was established on 1 July 2013 as a corporate Commonwealth entity under the National Disability Insurance Scheme Act 2013 (the Act), to deliver the NDIS and manage, advise and report on its financial sustainability. Table 1.1 provides an overview of NDIA staff, participants, and funding.

Table 1.1: The NDIA — entity overview

  Category                                                  | Type of resource            | Number
  Number of staff (as at 30 June 2018)                      | APS employees               | 2634
                                                            | Contractors and secondees   | 1799
                                                            | Partners in the Communitya  | 3439
  Number of Scheme participants (as at 31 March 2019)       |                             | 277,155b
  Estimated actual total net resourcing to the NDIA 2018–19 |                             | $15.718 billion
  Estimated total net resourcing to the NDIA 2019–20        |                             | $20.209 billion

Note a: NDIS Partners in the Community are qualified and experienced organisations chosen by the NDIA for their strong local knowledge and understanding of people with disability or developmental delay. Partners in the Community provide two key services:

  • Delivering Early Childhood Early Intervention services for children aged 0–6 years; and
  • Assisting NDIS participants to understand and access the NDIA, develop and refine their plans, and link them to community and mainstream services.

Note b: COAG Disability Reform Council Quarterly Report 31 March 2019, [Internet], available at: <https://www.ndis.gov.au/about-us/publications/quarterly-reports> [accessed 6 June 2019].

Source: 2017–18 NDIA Annual Report and page 134, 2019–20 Social Services Portfolio Budget Statements.

1.11 For 2019–20, the estimated total net resourcing to NDIA is $20.209 billion, which includes funds from state and territory governments.17 This is about one per cent of the Australian GDP.18 The Commonwealth Government’s contribution to NDIS, including to the Quality and Safeguards Commission, is forecast to rise from $8.459 billion in 2019–20 to $13.161 billion in 2022–23 (a 55.6 per cent increase). At full implementation (460,000 participants), the average payment to participants is estimated at $45,000 per year.

1.12 The NDIA Corporate Plan 2018–22 notes that it has a conservative risk appetite,19 and its Risk Appetite Statement states that any type or amount of fraud is unacceptable. As the Scheme grows, potential fraud risk from participants, providers, partners in the community, NDIA staff and other external parties may also increase.

1.13 In July 2018, the Government established the national NDIS Fraud Taskforce (the Taskforce) to tackle potential fraud against the NDIA. The Taskforce is a partnership between the NDIA, the Department of Human Services and the Australian Federal Police.20 Chapter 3 has further detail on the establishment of the Taskforce and its investigation work.

Rationale for undertaking the audit

1.14 ANAO performance audits have shown that schemes similar to the NDIS have posed fraud risks and implementation challenges.21 The ANAO’s financial auditing of the NDIA has identified specific fraud risks relating to third party providers.22 There is also a risk that people committing fraud can move between government programs, for example from the family day care sector.23 In developing its fraud control program the NDIA must comply with the Fraud Rule, however, as a corporate entity, the Commonwealth’s Fraud Policy and Fraud Guidance are not mandatory for it as they are for non-corporate entities. This is despite the NDIA receiving public funds for a public purpose.

1.15 These risks, along with the scale of the NDIA, which will receive an estimated $20.209 billion in 2019–20, led to the prioritisation of an audit of the NDIA’s fraud control program. The ANAO has an ongoing performance audit program covering the NDIS, with the previous audits focused on participant access decision making controls and the management of the transition of the disability services market.

Audit approach

Audit objective, criteria and scope

1.16 The objective of this audit was to examine the effectiveness of the NDIA’s fraud control program and its compliance with the Commonwealth Fraud Control Framework. To form a conclusion against the audit objective, the ANAO adopted the following high-level audit criteria:

  • Has the NDIA implemented effective strategies to prevent fraud?
  • Does the NDIA effectively detect and respond to fraud?
  • Has the NDIA implemented effective arrangements to oversee, monitor and report on its fraud control arrangements?

1.17 The audit originally commenced in November 2017. In February 2018 the Auditor-General paused the audit as the NDIA was undertaking an overhaul of its fraud control program. The audit recommenced in October 2018.

Audit methodology

1.18 In addition to reviewing key policy, procedural, governance and risk management documentation, the audit methodology included:

  • interviewing relevant officers (of the NDIA, Department of Human Services, Australian Federal Police and the NDIS Quality and Safeguards Commission);
  • examining guidance and training available to NDIA staff, including fraud and prevention officers;
  • examining information available to providers and participants to assist them to meet their obligations;
  • reviewing whether fraud controls and strategies reflect identified fraud risks and testing whether a selection of planned controls were implemented;
  • examining fraud detection and investigation approaches; and
  • examining fraud governance, project management and reporting arrangements.

1.19 The audit was conducted in accordance with ANAO auditing standards at a cost to the ANAO of $586,305.

1.20 The team members for this audit were Kate Lawrence-Haynes, Deanne Allan, Joel Smith, Sam Painting and David Brunoro.

2. Preventing fraud

Areas examined

This chapter examines whether the National Disability Insurance Agency has implemented effective strategies to prevent fraud. The Agency’s fraud risk assessment process, the fraud control plan, the fraud and corruption risk register and selected controls have been reviewed. Internal fraud awareness training and external fraud awareness-raising activities were also reviewed.

Conclusion

The NDIA Risk Appetite Statement states that fraud is unacceptable. The NDIA has developed strategies to prevent fraud, although after controls were implemented, two residual risk ratings remained high. The NDIA’s Fraud Control Plan is aligned with better practice and it has processes in place to assess fraud risks and raise fraud awareness. Further work is needed to reassess fraud risk, consolidate fraud controls, and prioritise and deliver future enhancements.

Areas for improvement

The ANAO made one recommendation to enhance the comprehensiveness of fraud risk assessments and to update the Risk Register to reflect all controls.

Summary of compliance with the Framework

2.1 Table 2.1 outlines the National Disability Insurance Agency’s (NDIA or the Agency) compliance with the mandatory requirements of the Commonwealth Fraud Rule in relation to strategies to prevent fraud. The detailed analysis supporting these conclusions is included in the following sections of this chapter, together with analysis of whether the NDIA is meeting the requirements of its internal fraud policies.

Table 2.1: The NDIA’s compliance with mandatory fraud prevention requirementsa

Note a: These are mandatory requirements under the Commonwealth Fraud Control Framework, Fraud Rule, parts (a), (b), (c) (i).

Note b: The Fraud Control Plan deals with identified risks at a high level only.

Source: ANAO.

2.2 Figure 2.1 shows how the NDIA’s fraud risk processes and documents fit together. It has:

  • undertaken a fraud risk assessment;
  • created a Fraud and Corruption Risk Register (the Risk Register) with risks and fraud controls;
  • developed a Fraud Control Plan informed by the Risk Register; and
  • released a public Fraud Strategy Statement.

Figure 2.1: Summary of the NDIA’s fraud risk assessment and documents

This graphic is described in paragraph 2.2

Source: ANAO summary of NDIA activities and documents.

Did the NDIA comprehensively assess fraud risks and establish an appropriate Fraud Control Plan?

The NDIA’s assessment of fraud risk was largely comprehensive, except that some risks were not adequately considered at the time of the risk assessment, including: self-managed participants; third party provision of the NDIA’s ICT services; and the upcoming transition of provider registration to the NDIS Quality and Safeguards Commission.

In 2018, the NDIA established an appropriate Fraud Control Plan that contains all of the elements listed in the Commonwealth’s better practice guidance.

2.3 As a corporate Commonwealth entity, the NDIA must comply with section 10 of the Public Governance, Performance and Accountability Rule 2014 (Fraud Rule), which states:

The accountable authority of a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by:

  1. Conducting fraud risk assessments regularly and when there is a substantial change in the structure, functions or activities of the entity; and
  2. Developing and implementing a fraud control plan that deals with identified risks as soon as practicable after conducting a risk assessment.24

2.4 The ANAO assessed the NDIA’s fraud risk assessment process, including the comprehensiveness of the assessment, and whether the NDIA developed an appropriate Fraud Control Plan.

The NDIA’s fraud risk assessments

2.5 The NDIA has complied with the Fraud Rule and conducted regular fraud risk assessments.25 Since 2015, the NDIA has conducted three fraud risk assessments, completed in March 2015, May 2016, and February 2018.

2.6 The NDIA’s 2018 fraud risk assessment included twenty-three fraud risk workshops and discussions with both executive and non-executive NDIA staff from all states and territories. The fraud risk assessment activities engaged staff from multiple branches and divisions within the Agency, with a particular focus on service delivery areas. Consultation for the 2018 risk assessment was internal and did not involve consultation with external stakeholders who have expertise in fraud risk (for example, the Australian Federal Police or the Department of Human Services).26

2.7 The workshops covered general information on fraud, the NDIA’s 17 fraud risk types (see paragraph 2.25 for example risk types) and the agency’s fraud-specific responsibilities. In January 2018 a workshop was held with senior staff to determine the risk ratings for the 17 risk types using the Agency’s Risk Assessment Criteria to assess likelihood and Scheme consequences. In March 2018, the NDIA finalised the NDIA Fraud and Corruption Risk Register (the Risk Register). The Risk Register was updated in November 2018 to reflect fraud control changes in response to an alleged fraud.

2.8 The Fraud Rule requires the NDIA to conduct a new fraud risk assessment when a substantial change in the structure, function or activities of the Agency has occurred. The NDIS Quality and Safeguards Commission (QSC) was established in July 2018 to improve the registration and regulation of NDIS providers. From 1 July 2018, the QSC became responsible for registering providers in New South Wales and South Australia and will progressively assume this responsibility in all states and territories by 1 July 2020. The NDIA continues to be responsible for registering providers in states and territories where the QSC is not yet operating.

2.9 Both entities have established referral pathways between each other in relation to Fraud (see Chapter 4, paragraph 4.9).

2.10 During March and April 2019, the NDIS ran 23 fraud risk assessment group workshops and 12 individual consultations to underpin updating of the Risk Register. The NDIA advised that the Department of Human Services and the QSC were consulted during the process, with the Australian Federal Police providing input via the Risk Register held by the NDIS Taskforce.

The comprehensiveness of the NDIA’s 2018 fraud risk assessment

2.11 The Commonwealth Fraud Control Framework, Fraud Guidance (Fraud Guidance)27 lists 18 areas where fraud vulnerabilities can arise. Seventeen of the areas are applicable to the NDIA’s operating environment (Table 2.2).

Table 2.2: NDIA fraud vulnerabilities relevance and assessment

Is this vulnerability relevant to the NDIA?

Has the NDIA comprehensively assessed the vulnerability?

Common areas where fraud vulnerabilities can arise

A) Policy/program design

B) Procurement (including tendering and managing supplier interfaces)

C) Revenue collection and administering payments to the public

D) Service delivery to the public, including program and contract management

E) Provision of grant and funding arrangements

F) Exercising regulatory authority

G) Provision of identification documentsa

N/A

H) Internal governance arrangements

I) Changes in the activities or functions of an entity

Factors that may lead to fraud vulnerabilities

J) Systems managed across different government portfolios, service providers and/or jurisdictions

K) Opportunities for exploitation by professional facilitators

L) Programs creating new opportunities for unregulated industries

M) Programs significantly expanding a regulated industry to new organisations

N) Programs requiring verification/authentication of identity, particularly online

O) Programs involving electronic claims, submissions, assessments, verification and/or payments

P) Programs providing assistance to vulnerable people

Q) Programs with low verification thresholds

R) Programs needing to be delivered quickly

Note a: The NDIA does not provide identification documents, so this vulnerability is not relevant to the NDIA.

Source: ANAO analysis using two tables from the Commonwealth Fraud Control Framework, Risk Management Guide 201, pages C9 and C12.

2.12 The NDIA comprehensively assessed the fraud vulnerabilities involved in 10 out of the 17 relevant areas. The key fraud vulnerabilities that were not adequately considered and reflected in the risk register are:

  • self-managed participants, for example, use of unregistered providers and low verification thresholds for payments to self-managed participants (see rows C and Q in Table 2.2);
  • risks associated with having an IT system provided by a third party (the Department of Human Services), for example, limitations on NDIA’s ability to manage the provision of services given the lack of an enforceable contract (see row J in Table 2.2);
  • possible risks given the forthcoming split of responsibilities between the NDIA and the QSC for provider registration (see rows F, I and J in Table 2.2); and
  • risks that could arise due to the rapidly expanding Scheme, for example, Fraud and Compliance Branch resourcing may not align with the expansion of the Scheme and the expanded risk of exploitation by professional facilitators (see rows K and M in Table 2.2).

2.13 The NDIA identified nine points in the NDIS process where assurance activities should be conducted. The Risk Register records risks at these points except for reviewable decision reviews.

NDIA’s Fraud Control Plan

2.14 Sub-section 10 (b) of the Fraud Rule requires the NDIA to develop and implement ‘a fraud control plan that deals with identified risks as soon as practicable after conducting a risk assessment’.

2.15 The NDIA’s 2018 Fraud Control Plan (FCP) was considered by the Board in May 2018 and finalised in August 2018. The FCP was uploaded to the NDIA intranet in October 2018 alongside a publicly available NDIA Fraud Strategy Statement (see paragraph 2.50).

2.16 The Commonwealth’s Fraud Guidance outlines the content that may be included in fraud control plans, such as: a summary of fraud risks and vulnerabilities; treatment strategies and controls; training approaches; and internal management mechanisms, protocols, roles and responsibilities. The NDIA’s 2018 FCP contains all of the elements listed in these better practice guidelines. This is an improvement on the Agency’s 2016 FCP, which did not include most of the recommended content, and did not list any of the identified risks.

Has the NDIA identified and implemented controls to reduce the risk of fraud?

The NDIA’s policy is that fraud is ‘unacceptable’ and high risk ratings are ‘typically undesirable’. The NDIA has identified fraud controls, except many of the ‘controls’ are not active controls. The control effectiveness rating for many fraud risk types is ‘poor’ and the Risk Register rates two risk types as having a high residual risk. The Risk Register should be updated so it is comprehensive and records control weaknesses and prioritised future actions.

The NDIA’s Fraud Risk Register

2.17 NDIA has advised the ANAO that its Fraud and Corruption Risk Register (the Risk Register) should be the single source of truth on fraud risks and controls.28 Acting on the findings from the fraud risk workshops in 2017–18, in March 201829 the NDIA created a new Risk Register. In the Risk Register, each of the 17 risk types has a range of ‘key risk causes’ which outline how the risk could materialise and associated controls (an example is at Figure 2.2).

Figure 2.2: Items in the Fraud Risk Register — example

A summary extract of the Fraud Risk Register which shows the provider fraud risk type, three key risk causes and that controls are linked to this

Source: ANAO reproduction of the NDIA Fraud and Corruption Risk Register.

2.18 The ‘Key Risk Causes’ column in the Risk Register demonstrates that the NDIA has given consideration to how fraud risks could occur. The key risk causes are accompanied by a large list of controls in place to mitigate the overall risk. The controls cannot be directly linked to the key risk causes, but the controls do relate to the broad risk type. The Risk Register lists 338 current controls in place to help mitigate the consequence and likelihood of each fraud risk type.

2.19 The Australian Standard AS 8001-2008 Fraud and Corruption Control30 defines a control as ‘an existing process, policy, device, practice or other action that acts to minimise negative risks or enhance positive opportunities.’ A more recent New South Wales Audit Office publication has a stricter definition that a control is a process that should be actioned, rather than a reference to policy or legislation.31 Controls can be preventive, detective or corrective.

2.20 Of the 338 controls listed in the Risk Register, 185 (55 per cent) are not active ‘controls’, as they are:

  • acts/legislation;
  • internal audits;
  • NDIA guidance/policy documents; or
  • not yet operational.

2.21 Some controls are listed against more than one risk type if they are generic and relevant to different fraud risks, for example, fraud training and the fraud reporting hotline.

2.22 In order to assess the implementation of the NDIA’s fraud risk controls, the ANAO randomly selected and tested 10 controls from the Risk Register.32 Seven of the 10 selected controls have been implemented.33

The NDIA’s assessment of fraud controls

2.23 The NDIA policy is that any amount of fraud is ‘unacceptable’ within the context of an entity level ‘conservative’ risk appetite. In addition, the NDIA’s Risk Assessment Guide states that controls rated as ‘poor’ should have improvements scheduled within three months, and for those rated as ‘adequate’ within six months. It also notes that high risk ratings are ‘typically undesirable’.

2.24 The Risk Register identifies the NDIA’s 17 fraud and corruption risk types and lists the untreated and residual impact of each of the fraud risk types (see Table 2.3).

Table 2.3: NDIA’s assessment of identified fraud and corruption risks, November 2018

Risk type    Impact (Untreated)    Impact (Residual)
1.           Medium                Medium
2.           Medium                Medium
3.           High                  High
4.           Medium                Low
5.           Medium                Medium
6.           High                  High
7.           Medium                Medium
8.1.         Medium                Medium
8.2.         High                  Medium
9.           High                  Medium
10.          Medium                Low
11.          Medium                Medium
12.          Medium                Low
13.          Medium                Low
14.          Medium                Medium
15.          Medium                Medium
16.          Medium                Low
17.          High                  Medium

Notes: For the November 2018 version of the Risk Register, when considering the impact of the controls, the NDIA first considered the consequence and likelihood of a risk occurring — the ‘untreated’ risk rating. Then, once consideration of the controls effectiveness was complete, the NDIA re-assessed the consequence and likelihood of each risk occurring — the ‘residual’ risk rating. The June 2019 version of the Risk Register, which is not reflected in this Table, includes updated risk types.

Source: ANAO reproduction of the NDIA Fraud and Corruption Risk Register.

2.25 Table 2.3 does not show the specific risk types but these include participant fraud, provider fraud, cyber/IT fraud, identity fraud, procurement and grant funding fraud, and payroll and leave entitlement fraud. The NDIA identified two fraud risk types that have a high residual risk impact and 11 risk types with a medium residual impact.

2.26 The NDIA assessed that 10 out of 17 of its fraud risk types have ‘poor’ controls. Four of the controls rated as ‘poor’ and three of those rated as ‘adequate’ do not have any associated improvements scheduled. In addition, for three fraud risk types, the residual risk rating was lower than the untreated risk rating, despite the control effectiveness being rated as poor.
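As an added illustration (not NDIA or ANAO code), the checks below apply the register rules discussed in paragraphs 2.19 to 2.26 to a constructed sample register: the non-control categories of paragraph 2.20, the three- and six-month improvement windows of paragraph 2.23, and the pattern of a residual rating falling below the untreated rating while controls are rated ‘poor’. The risk identifiers, control names and dates in the sample are assumptions.

```python
"""Consistency checks over a fraud and corruption risk register.

Added example, not NDIA or ANAO code. The sample register below is
constructed; its risk identifiers, control names and dates are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

RATING = {"Low": 1, "Medium": 2, "High": 3}

# Entry kinds the audit counts as non-controls (paragraph 2.20): references,
# reviews or plans rather than a process that is actually actioned.
NON_CONTROL_KINDS = {"legislation", "internal_audit", "policy_document", "not_operational"}

# Improvement windows from the Risk Assessment Guide (paragraph 2.23).
IMPROVEMENT_WINDOW_DAYS = {"poor": 90, "adequate": 180}


@dataclass
class Control:
    name: str
    kind: str  # "process" for an active control, else one of NON_CONTROL_KINDS


@dataclass
class RiskType:
    ident: str
    untreated: str               # "Low" / "Medium" / "High"
    residual: str
    control_effectiveness: str   # "poor" / "adequate" / "good"
    controls: List[Control] = field(default_factory=list)
    improvement_due: Optional[date] = None


def active_controls(risk: RiskType) -> List[Control]:
    """Controls that are processes actually actioned (the stricter definition)."""
    return [c for c in risk.controls if c.kind not in NON_CONTROL_KINDS]


def non_control_share(register: List[RiskType]) -> float:
    """Fraction of listed 'controls' that are not active controls."""
    listed = [c for r in register for c in r.controls]
    return sum(c.kind in NON_CONTROL_KINDS for c in listed) / len(listed)


def findings(register: List[RiskType], assessed_on: date):
    """Return (risk id, finding, detail) triples for every register inconsistency."""
    out = []
    for r in register:
        non = [c.name for c in r.controls if c.kind in NON_CONTROL_KINDS]
        if non:
            out.append((r.ident, "non-controls listed", non))
        window = IMPROVEMENT_WINDOW_DAYS.get(r.control_effectiveness)
        if window is not None:
            if r.improvement_due is None:
                out.append((r.ident, "no improvement scheduled", r.control_effectiveness))
            elif r.improvement_due > assessed_on + timedelta(days=window):
                out.append((r.ident, "improvement scheduled too late",
                            r.improvement_due.isoformat()))
        # A reduction from untreated to residual should be explained by effective
        # controls; with 'poor' controls the reduction needs a justification.
        if RATING[r.residual] < RATING[r.untreated] and r.control_effectiveness == "poor":
            out.append((r.ident, "residual lower than untreated despite poor controls",
                        f"{r.untreated} -> {r.residual}"))
        if r.residual == "High":
            out.append((r.ident, "high residual risk", "typically undesirable"))
    return out


# Constructed sample register (assumption: identifiers, names and dates are illustrative).
ASSESSED_ON = date(2018, 11, 1)
SAMPLE_REGISTER = [
    RiskType("3", "High", "High", "poor",
             [Control("Enabling legislation (placeholder)", "legislation"),
              Control("Pre-payment claim validation", "process")], None),
    RiskType("4", "Medium", "Low", "poor",
             [Control("Provider registration checks", "process")],
             ASSESSED_ON + timedelta(days=60)),
    RiskType("10", "Medium", "Low", "adequate",
             [Control("Segregation of duties in payroll", "process")],
             ASSESSED_ON + timedelta(days=300)),
    RiskType("11", "Medium", "Medium", "good",
             [Control("Fraud reporting hotline", "process")], None),
]

if __name__ == "__main__":
    print(f"non-control share: {non_control_share(SAMPLE_REGISTER):.0%}")
    for ident, finding, detail in findings(SAMPLE_REGISTER, ASSESSED_ON):
        print(f"risk {ident}: {finding} ({detail})")
```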

2.27 In 2018 the NDIA developed a Fraud and Compliance Roadmap to strengthen its management of fraud and compliance risks. The Roadmap is supported by a two year program of work with over 280 deliverables. There was no clear link between the Risk Register and the deliverables in the Fraud and Compliance Strategic Roadmap.

2.28 In April 2019, the NDIA mapped the 280 deliverables in the Fraud and Compliance Roadmap to the 17 risk types in the Fraud Risk Assessment. This showed that at least 70 of the deliverables could be linked directly to the fraud risk types and would strengthen the controls for these risks.

2.29 The NDIA should improve its management of fraud risk by using the Risk Register to record and prioritise work to improve fraud controls, linked to the Fraud and Compliance Roadmap.

2.30 In April 2019, the NDIA provided the ANAO with an incomplete draft of an updated Risk Register. A new Risk Register was approved by the Board Risk Committee in early June 2019. The NDIA has provided details of the fraud risk implications of this new Risk Register in its response to this audit (paragraph 30 and paragraphs 2.32–2.36). The ANAO has not assessed the June 2019 version of the Risk Register.

Recommendation no.1

2.31 That, to gain a better understanding of the overall fraud control strategies and to prioritise and track future control enhancements, the NDIA:

  1. remove any non-controls from the Risk Register;
  2. assess if key individual controls are implemented and effective; and
  3. regularly update the Risk Register with planned controls, the delivery date and the project or activity under which the control will be developed and implemented.

National Disability Insurance Agency response: Agreed.

2.32 The NDIA undertook a comprehensive review of the Fraud and Corruption Risk Register in March 2019. This review included more than 20 group workshops and 12 individual sessions, with representatives from 60 different stakeholder groups involving almost 200 individuals. The finalised version of the Fraud and Corruption Risk Register was endorsed by the NDIA Board in June 2019.

2.33 Through the update process the risk types listed in the Fraud and Corruption Risk Register were rationalised and re-categorised, to better consider the range and scope of fraud risks faced by the NDIA, changes in structure and the increased role of the NDIS Quality and Safeguards Commission. The Fraud and Corruption Risk Register has been updated for risks regarding self-managed participants, shared services agreements and arrangements with the NDIS Quality and Safeguards Commission. NDIA has not included the impacts of planned controls when assessing residual risk for each risk type, as until implemented the residual risk remains based on the controls actually implemented.

2.34 The updated Fraud and Corruption Risk Register identifies key controls, no longer includes non-controls, and assesses the implementation and effectiveness of individual controls and preventative measures. For proposed controls where timeframes have not been set at the time of writing, the Fraud & Compliance Branch, in partnership with Line 1 Risk Resources, will support business to set timeframes and deliver the controls.

2.35 In order to ensure the ongoing and contemporary assessment of NDIA’s fraud risk, a program of ongoing review of fraud risks faced by the NDIA was endorsed by the Board.

2.36 As noted in the audit report, the NDIA is undertaking several programs of work to improve our fraud controls. Activities within the Fraud and Compliance Roadmap which will develop, review and support the implementation of controls for fraud risk, to strengthen NDIA’s management of fraud and compliance risks, have been reflected in the updated Fraud and Corruption Risk Register. This will be supported by the work our Project Management Office is undertaking in response to ANAO’s Recommendation 4.

Has the NDIA implemented appropriate fraud training for all officials in the entity, including those with fraud-specific responsibilities?

The NDIA has developed appropriate training and activities to raise awareness of fraud amongst all agency and partner staff, except the completion rates of the training should be improved. It is mandatory for NDIA staff to complete the fraud training annually. Forty-seven per cent of NDIA staff are up-to-date with the training, 35 per cent need to recomplete the training and 18 per cent have not completed the training. Fraud control officials and investigation staff are sufficiently qualified and experienced for their roles and the NDIA has received assurance that seconded staff and contractors on the Fraud Taskforce have the required qualifications.

2.37 The Fraud Rule states that:

The accountable authority of a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by:

  1. Having an appropriate mechanism for preventing fraud, including by ensuring that:
    1. Officials in the entity are made aware of what constitutes fraud.

Awareness-raising and training

2.38 The NDIA updated its mandatory ‘Fraud Awareness’ eLearning in January 2019, with a policy that the training be completed by all NDIA and Partners in the Community staff within three months of commencing employment, and recompleted once a year. The content of the module includes a definition of fraud, the difference between fraud and error, and examples of fraud. Chapter 3 outlines further details on reporting suspected fraud.

2.39 As of 31 January 2019, 47 per cent of all NDIA staff have completed the mandatory eLearning module within the last year (see Figure 2.3). A further 35 per cent of NDIA staff have completed the training more than one year ago and need to recomplete the training. The NDIA advised that, where applicable, email reminders are given to staff twice before the due date for the mandatory training and one week after, and that a monthly report records outstanding mandatory training. The NDIA also advised that from May 2019 all Branch Managers will be given a report on outstanding mandatory training for their staff and from 1 July 2019 the SES performance framework will include training compliance.

Figure 2.3: ‘Fraud Awareness at NDIA’ completion rates, as at 31 January 2019

Source: ANAO analysis of NDIA eLearning completion data.

2.40 In addition to the eLearning, the NDIA also runs ‘Payment Integrity’ face-to-face training.34 The training includes information on: the impact of poor payment integrity; specific examples of how staff should respond to suspected fraud; and some of the warning signs of fraud and misuse. NDIA has advised that the payment integrity training is one of 18 modules in the New Starter Program and is mandatory for planners and local area coordinators. It further advised that 223 Australian Public Service planners commenced within NDIA between January and March 2019, with 91 per cent of them having completed the New Starter Program. NDIA records completion rates for local area coordinators but these may not be accurate as this is based on data from manual attendance records provided by Partners in the Community.

2.41 The NDIA also raises internal awareness of fraud on its intranet. During 2018, six notices relating to fraud were posted on the Intranet. The fraud reporting page on the intranet provides information on: how to report suspected fraud; what information to include in a report; and the actions that will be taken by the Fraud and Compliance Branch when the report is received.

Training and qualifications for fraud and compliance staff

2.42 The 2017 Commonwealth Fraud Control Framework Fraud Policy (Fraud Policy)35 states:

Entities must ensure officials primarily engaged in fraud control activities possess or attain relevant qualifications or training to effectively carry out their duties; and

Fraud investigations must be carried out by appropriately qualified personnel as set out in AGIS.

2.43 The Fraud Guidance recommends:

  • Qualifications for investigators in line with the Australian Government Investigation Standards 2011 (AGIS),36 which recommends:
    • Certificate IV in Government (Investigation) or its equivalent for staff primarily engaged as an investigator; or
    • Diploma of Government (Investigation), or equivalent for staff primarily engaged in the coordination and supervision of investigations;
  • The following qualifications for fraud control officials:
    • Certificate IV in Government (Fraud Control) or equivalent qualification for officials implementing fraud control; or
    • Diploma in Government (Fraud Control) or equivalent qualification for officials managing fraud control.
  • Training within 12 months for officials entering these roles without the relevant experience.

2.44 The Fraud and Compliance Branch has an Attainment of Fraud Qualifications Policy which was approved on 4 January 2019. The policy references and is closely aligned with the 2017 Commonwealth Fraud Control Framework and AGIS requirements. The NDIA’s position descriptions for investigators list the required qualifications.

2.45 The Fraud and Compliance Branch maintains a qualifications register, verifies the qualifications of staff, and holds certified copies on file. The register identifies 28 staff and contractors, consisting of eight fraud control officials and 20 fraud investigators.37 Of the staff identified as investigators or fraud control officials, most hold the recommended qualification. The NDIA has outlined equivalent experience and qualifications for those who do not hold the recommended qualifications (for example, significant police experience), except one investigator is to obtain a qualification by December 2019. As at June 2019, the NDIA was in the process of verifying the qualifications of five investigators who have police backgrounds.

2.46 The NDIA has 15 Department of Human Services and Australian Federal Police officers supporting the NDIS Fraud Taskforce. These staff are involved in NDIA fraud investigations but are not listed on the qualifications register. The NDIA has advised that it has received assurance from the relevant entity that these staff hold the required qualifications.

2.47 The NDIA Fraud and Compliance Branch has taken proactive steps to upskill staff in investigation and fraud control positions. In 2018, five qualifications were obtained by four individuals who entered their roles at the NDIA without the recommended qualifications. Two of these staff attained their qualifications through the recognition of prior learning process.

2.48 Staff in the Fraud and Compliance Branch have undertaken additional investigation training. The Fraud and Anti-Corruption Centre runs a Commonwealth Agency Investigations Workshop. Four staff from the NDIA investigations team participated in the workshops in 2017 and 2018. In March 2018, the investigations team also engaged an external facilitator to run training sessions. The sessions focused on interview training, including interviewing vulnerable people and taking witness statements.

Has the NDIA appropriately raised fraud awareness among external stakeholders?

The NDIA has published appropriate resources to raise awareness of fraud amongst external stakeholders. The NDIA records attendance and collects feedback for face-to-face provider training but does not monitor providers’ usage of online materials.

2.49 There are no mandatory requirements for the NDIA to help raise awareness amongst external stakeholders. However, the Fraud Guidance states the following:

Paragraph 49. Having effective outreach programs can help entities prevent fraud. Outreach activities include entities clearly explaining their integrity policies and programs, and position on fraud to clients and service providers, and where appropriate, to members of the public.

Paragraph 50. It is beneficial for awareness-raising programs for third-party providers to take into account the work they do directly for entities and the services they deliver on behalf of the entity. These programs can be extended to provide clients and providers information about their rights and obligations, including information on their fraud control responsibilities.

The Fraud Strategy Statement

2.50 The Fraud Guidance states that ‘a widely distributed fraud strategy statement can assist in raising awareness’. The NDIA Fraud Strategy Statement was posted to the intranet on 12 October 2018 and made publicly available on the NDIS website.38 It includes all of the recommended content in the Fraud Guidance, including the definition of fraud, a summary of the consequences of fraud, an assurance that allegations of fraud will be handled confidentially and advice on where to obtain further information.

Awareness raising for the public

2.51 The NDIS website contains publicly available resources to raise awareness of fraud:

  • the ‘Reporting suspected fraud’ page (provides examples of fraudulent behaviour and explains how to report suspected fraud);39 and
  • the NDIS 2017–18 Annual Report has information on how NDIA is managing fraud risk.40

2.52 The topic of fraud within the NDIS attracts a large amount of media attention. Widespread media coverage can assist in raising awareness and the Commonwealth Director of Public Prosecutions acknowledges that increased publicity of prosecution can have a deterrent effect.41 The NDIA Engagement and Communications Strategy (October 2018) recognises awareness raising as a priority in external communications.

2.53 On 24 July 2018, the NDIA posted a media release on the NDIS website for the announcement of the Fraud Taskforce.42 Further media releases were posted in September 2018 regarding on-going investigations43 and in October 2018 regarding the Taskforce’s first arrest.44

Awareness raising for providers

2.54 The NDIA publishes monthly e-Newsletters to which all registered providers are automatically subscribed. Any party can also subscribe via the NDIS website. The July 2018 e-Newsletter mentioned the establishment of the NDIS Fraud Taskforce.

2.55 The NDIA has an online Provider Toolkit45 with resources for NDIS providers. These include eLearning activities including ‘payment integrity responsibilities for providers’ and ‘warning signs and how to report fraud’. The training explains the provider’s responsibility in upholding Scheme integrity and details how to detect and report suspected fraud.

2.56 There is also training material advising providers how to comply with the NDIS Terms of Business. The Terms of Business outline mandatory requirements and the proper conduct for payments and pricing. If a provider is found not to comply with the Terms of Business, registration can be revoked and legal action can be taken on fraudulent claims.

2.57 Over 2018 the NDIA ran face-to-face payment integrity sessions for providers. For instance, in early 2018, the NDIA ran payment integrity provider sessions as a part of the National Provider Forum in each state and territory. Sessions were also held at regional sites where there was demand due to difficulties in travelling to capital cities.

2.58 The NDIA records attendance and collects feedback forms from the payment integrity sessions. Across both the National Provider Forum and the individual sessions, an estimated 1187 provider staff attended payment integrity sessions in 2018. The NDIA has advised that it does not track which providers have completed the online activities, which limits oversight of the impact and utility of these resources.

3. Detecting and responding to fraud

Areas examined

This chapter examines whether the National Disability Insurance Agency (NDIA) effectively detects and responds to fraud. Methods for receiving reports of suspected fraud, fraud detection capability and responses to instances of suspected fraud were reviewed.

Conclusion

The NDIA has largely appropriate fraud detection and response mechanisms, except data analytics and data matching capabilities are being progressively implemented and it is developing a case management system that more effectively supports investigations.

Areas for improvement

The ANAO made two recommendations to:

  • implement planned data analytics and data matching activities; and
  • increase compliance with investigations policies by implementing: a compliant case management system; relevant performance indicators; and quality assurance for investigations.

Summary of Compliance with the Framework

3.1 Table 3.1 outlines the NDIA’s overall compliance with the mandatory requirements outlined in the Attorney-General’s Commonwealth Fraud Control Framework in relation to detecting and responding to fraud. The two relevant requirements are:

  • having an appropriate mechanism for detecting incidents of fraud or suspected fraud, including a process for officials of the entity and other persons to report suspected fraud confidentially; and
  • having an appropriate mechanism for investigating or otherwise dealing with incidents of fraud or suspected fraud.

3.2 For the purposes of this assessment, the first requirement has been separated into two sub-tests, with the first focusing on implementing confidential reporting channels and the second focusing on other mechanisms for detecting fraud. The detailed analysis supporting the conclusions in Table 3.1 is included in the following sections of this Chapter.

Table 3.1: NDIA’s compliance for fraud detection and response

Note: These are mandatory requirements under the Commonwealth Fraud Control Framework Fraud Rule parts (d) and (e).

Source: ANAO.

Has the NDIA put in place appropriate processes for suspected fraud to be confidentially reported?

The NDIA has implemented appropriate processes for NDIA staff, providers, participants and members of the public to report fraud. The NDIA has established procedures to manage the confidentiality of the reports, however adherence to these procedures should be improved. During the course of the audit the NDIA updated guidance documentation, trained staff and commenced the procurement of a new case management system that may enhance compliance with the procedures.

3.3 The 2017 Commonwealth Fraud Control Framework Fraud Rule (Fraud Rule)46 states:

The accountable authority of a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by:

a process for officials of the entity and other persons to report suspected fraud confidentially.

3.4 The 2017 Commonwealth Fraud Control Framework Fraud Guidance (Fraud Guidance), although non-mandatory for the NDIA, states that it is important for entities to appropriately publicise fraud reporting mechanisms. It also encourages entities to establish measures to protect those making reports from adverse consequences.47

Channels to report fraud

3.5 The NDIA has implemented a number of channels for suspected fraud to be reported. The channels are advertised on the NDIA’s intranet and internet pages and include:

  • the fraud reporting hotline, a telephone service for reporting fraud;
  • the fraud reporting email address; and
  • an online contact form.48

3.6 The NDIA’s intranet page contains relevant information on fraud tip-offs and reminders are posted to internal noticeboards. These tip-off channels are also listed in the NDIA’s Fraud Control Plan, in updates to staff groups, and in the NDIA’s mandatory fraud awareness training.

3.7 There has been an increase in tip-offs since July 2017, and a marked increase since the NDIS Fraud Taskforce was established in July 2018 (Figure 3.1).

Figure 3.1: Tip-offs about suspected fraud to the NDIA, July 2017 to February 2019

Source: ANAO analysis of NDIA tip-off data.

3.8 The majority of tip-offs to the NDIA in the 2017–18 financial year were received through the fraud reporting email address and hotline. A small number were received by letter or in person (Figure 3.2).

Figure 3.2: Source of tip-offs to the NDIA, 2017–18 financial year

Source: ANAO analysis of NDIA tip-off data.

3.9 Public Interest Disclosures are disclosures made by a public official to a government entity, persons not in government, or to a legal practitioner which may relate to fraud. The NDIA has developed policies for managing Public Interest Disclosures, appointed authorised officers to whom NDIA officials may make disclosures, published guidance on making a disclosure, and referenced disclosures in its fraud awareness training. The guidance also outlines the rights that officials have under the Public Interest Disclosures Act 2013.

Managing the confidentiality of reports

3.10 The NDIA’s website notes that people reporting fraud can request to have their details remain confidential, and that the NDIA has established procedures to assist with managing confidentiality. These procedures require the Intake and Assessment Team who receive the reports to ask whether the informant would like their details to remain confidential. If so, the Intake and Assessment Team must ensure there are no identifying details on the intake record such as names and phone numbers. As part of this process officers are prompted by the IT system to review the description of the case before saving the record to ensure it does not include identifying information.

3.11 The ANAO reviewed tip-offs received by the Intake and Assessment Team in December 2018 to check if the confidentiality procedures had been implemented. Figure 3.3 shows that in December 2018, 160 reports were recorded and confidentiality was requested by 32 informants. The request for confidentiality was not correctly handled in 15 per cent of sampled cases, as identifying information was recorded in five instances.

Figure 3.3: NDIA’s compliance with confidentiality procedures for tip-offs received in December 2018

Source: ANAO analysis of NDIA files.

3.12 Where the confidentiality procedure was not followed, the identifying information was removed before the case was referred outside the Intakes and Assessment Team.

3.13 Following the ANAO’s assessment of this process, Intake and Assessment staff undertook additional training, and relevant guidance documentation was updated with the aim of ensuring staff do not record identifying information when confidentiality is requested. In addition, the NDIA is in the process of procuring a new case management system (see paragraphs 3.41–3.45). Documentation outlining the case management system requirements specifies IT system controls and business rules to further enhance compliance with this procedure.
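The pre-save check and the sample audit described in paragraphs 3.10 and 3.11, written here as an added illustration (not the NDIA’s system or the ANAO’s own code): the field names, the contact-detail patterns and the sample tip-offs are all assumed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Contact-detail patterns that must never sit in a confidential tip-off record.
# Constructed for this example; the NDIA's own IT business rules are not public.
PHONE_RE = re.compile(r"(?<!\d)(?:\+61|0)[\d\s()-]{7,}\d")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

@dataclass
class Informant:
    """Details the officer hears on the call; held in memory, never persisted."""
    name: str
    phone: str

@dataclass
class IntakeRecord:
    """The record the Intake and Assessment officer is about to save."""
    case_id: str
    confidentiality_requested: bool
    informant_name: str
    informant_phone: str
    description: str

def identifying_details(rec: IntakeRecord, informant: Informant) -> List[str]:
    """List every way the record would identify an informant who asked for
    confidentiality. An empty list means the record may be saved."""
    if not rec.confidentiality_requested:
        return []
    issues = []
    if rec.informant_name.strip():
        issues.append("informant_name field populated")
    if rec.informant_phone.strip():
        issues.append("informant_phone field populated")
    if PHONE_RE.search(rec.description):
        issues.append("phone number in description")
    if EMAIL_RE.search(rec.description):
        issues.append("email address in description")
    # The free-text field is the usual leak: check whether any part of the
    # caller's name was typed into the case description.
    for token in informant.name.split():
        if len(token) > 2 and re.search(rf"\b{re.escape(token)}\b", rec.description, re.I):
            issues.append(f"informant name token '{token}' in description")
            break
    return issues

def save_record(rec: IntakeRecord, informant: Informant,
                store: Dict[str, IntakeRecord]) -> List[str]:
    """Pre-save control: a record with issues is not written and the issues are
    returned for the officer to fix; a clean record is stored and [] returned."""
    issues = identifying_details(rec, informant)
    if not issues:
        store[rec.case_id] = rec
    return issues

def audit_confidentiality(cases: List[Tuple[IntakeRecord, Informant]]) -> dict:
    """ANAO-style sample check: of the informants who asked for confidentiality,
    how many saved records still carried identifying details?"""
    requested = [(r, i) for r, i in cases if r.confidentiality_requested]
    breached = [r.case_id for r, i in requested if identifying_details(r, i)]
    rate = round(100 * len(breached) / len(requested), 1) if requested else 0.0
    return {"recorded": len(cases), "requested": len(requested),
            "breached": breached, "breach_rate_pct": rate}

# Constructed sample month of tip-offs (not NDIA data).
SAMPLE = [
    (IntakeRecord("T-001", True, "", "",
                  "Caller says a provider claims for sessions never delivered."),
     Informant("Dana Smith", "0412 345 678")),
    (IntakeRecord("T-002", True, "", "",
                  "Dana Smith reports duplicate invoices from a plan manager."),
     Informant("Dana Smith", "0412 345 678")),
    (IntakeRecord("T-003", False, "Lee Wong", "02 9876 5432",
                  "Participant's sibling suspects plan funds are misused."),
     Informant("Lee Wong", "02 9876 5432")),
    (IntakeRecord("T-004", True, "", "",
                  "Call back on 0412 345 678 about a support worker overclaiming."),
     Informant("Dana Smith", "0412 345 678")),
    (IntakeRecord("T-005", True, "", "",
                  "Anonymous caller alleges a transport provider inflates km claims."),
     Informant("Sam Patel", "0400 111 222")),
]

if __name__ == "__main__":
    for rec, inf in SAMPLE:
        print(rec.case_id, identifying_details(rec, inf) or "clean")
    print(audit_confidentiality(SAMPLE))
```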

Does the NDIA have appropriate methods to detect potential fraud other than via reports from staff and external parties?

The NDIA has implemented appropriate measures to detect potential fraud, except that the important detection methods of data analytics and data matching are still being progressively implemented. Other detection methods include budget variance analysis, participant plan sampling and review, internal audit, and referral pathways with the NDIS Quality and Safeguards Commission. The NDIA redesigned the fraud control data analytics profiles and applied three profiles in March 2019, with an additional nine profiles planned. The NDIA is working to improve its data capability through the recent development of standardised frameworks, draft methodologies, and enhanced data sharing arrangements with other entities.

3.14 The Fraud Rule49 states:

The accountable authority of a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by:

d) having an appropriate mechanism for detecting incidents of fraud or suspected fraud…

3.15 The 2017 Commonwealth Fraud Control Framework Fraud Policy (Fraud Policy)50 states that ‘Entities must maintain appropriately documented instructions and procedures to assist officials [to] … detect … fraud’.

3.16 The Australian Institute of Criminology’s Commonwealth Fraud Investigations 2015–16 report identifies ten ways fraud is usually detected in the Commonwealth, based on a census of Commonwealth entities. Each of these methods is listed and discussed in Table 3.2.

Table 3.2: The NDIA’s implementation of mechanisms to detect fraud

Detection method

NDIA implementation

ANAO comment

External tip-offs, internal tip-offs, self-reporting, accidental detection, reporting by law enforcementa (five methods).

These five detection methods occur through the tip-offs mechanism, outlined in paragraphs 3.5–3.9. Accidental detection is not separately recorded by the NDIA but it has occurred.

Management review and document examination (two methods).

The Risk Register has management review and document examination as controls. Management reviews include reconciliations and variance analysis of expenditure against budgets. Document examinations include selecting a sample of finalised participant plans to analyse potential fraud. Both of these processes have been implemented, with documentation examination having led to identification of suspected fraud.

Internal Audit

The NDIA has established a procedure for the internal audit area to report any suspected fraud it identifies but it has not yet reported any instances of suspected fraud. A 2018 internal audit had a fraud focus (see Chapter 4, paragraph 4.30).

Reporting by financial institution

NDIA currently uses information from financial institutions to assist with its intelligence function.

Data analytics

In progress

The NDIA is progressively implementing its data analytics and data matching capability. See paragraphs 3.18–3.25. This work is part of the Fraud and Compliance Roadmap work (see paragraphs 4.24–4.26). NDIA has advised that it sees data analytics as an iterative tool with adjustments to be made as a result of learnings from fraud cases.


KEY: ✔ Implemented ✘ Not implemented

Note a: Engagement with law enforcement is further explored in Chapter 4.

Source: ANAO analysis.

3.17 Some mechanisms to detect fraud are included in the NDIA’s Fraud and Corruption Risk Register. However, as outlined in Chapter 2, paragraph 2.27, the Risk Register does not record all current and planned fraud controls, which may include other detection methods.

Data analytics for fraud detection

3.18 The Association of Certified Fraud Examiners has observed ‘proactive data monitoring and analysis are among the most effective anti-fraud controls. Organisations which undertake proactive data analysis techniques experience frauds that are 54 per cent less costly’.51 As such, data analytics and data matching could be a critical tool for the NDIA.

3.19 The NDIA had developed actuarial profiles that used NDIA data to identify instances of suspicious activity such as patterns of fund utilisation, claims above pricing caps or claims above a participant’s budget.52 Reports against these profiles were provided to the Fraud and Compliance Branch (the Branch) on an ad-hoc basis until May 2018.

3.20 In May 2018, the Branch undertook a review of 15 of the 17 actuarial profiles.53 The review examined a sample of cases created from each profile to identify whether the reports were useful to the Branch. In summary, the assessment found that:

  • three profiles were acceptable in their current form;
  • three profiles were acceptable if better data was captured;
  • five profiles would need more significant changes before they could be accepted;
  • two profiles were likely useful to another business area; and
  • two profiles were no longer required.

3.21 Responsibility for fraud risk profiles was transitioned to the Branch in July 2018. In December 2018 the Branch obtained access to a data analytics platform and began drafting a Fraud Risk Profile Development Framework, and made changes to work practice documentation. After refining data analytics, including the profile outputs and business rules, the Branch began running its own reports in March 2019. Although no reports were run after May 2018, three profile reports were generated in March 2019 and the outputs were backdated to July 2017.54 The reports generated are improved versions of the three determined as acceptable in May 2018. NDIA has advised that a further three reports will be tested and implemented by 30 September 2019 and that an additional six profiles have been identified for implementation by the end of 2019.

3.22 The NDIA expects to finalise its Fraud Risk Profile Development Framework in June 2019. This framework is intended to be a standardised methodology for the design, development, testing and production of risk profiles.

Data matching for fraud detection

3.23 Data-matching involves bringing together data from different sources and analysing it to identify individuals or organisations for further investigation or action.

3.24 The NDIA began conducting the following data matching activities in 2018:

  • Payment Integrity: The NDIA’s actuarial team routinely undertakes a payment integrity activity where it matches participant data with state and territory data. This is to ensure that the correct government entity is paying supports.
  • Family Day Care provider matching: The NDIA receives information from the Department of Education Child Care Enforcement Action register regarding Family Day Care providers that have been sanctioned. The NDIA matches this data to its own providers and investigates as required. As at February 2019, the NDIA had engaged with 38 NDIA providers following this data matching activity, and is in the process of de-registering 25 providers. The NDIA has identified that providers with sanctions against them in the Department of Education Child Care Enforcement Action register have made $3.6 million in service bookings and have received payments totalling $2.3 million from the NDIA. The NDIA advised the ANAO that it is in the process of implementing this check as a pre-registration step, at which time the data-matching will become a ‘business as usual’ activity.

3.25 The NDIA continues to invest in building its data matching capability. In February 2019, the NDIA Risk Committee noted the NDIA’s new Identity Management Framework. This aims to strengthen identity controls for participants seeking access to the Scheme by accessing and using third party data sets. This includes matching data from government and non-government organisations. As an example, the NDIA received its first set of ‘fact of death’ data in March 2019 and compared it with participant information to identify discrepancies.55
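The provider data matching in paragraph 3.24, as an added illustration that is not NDIA code: a sanctioned-provider register is joined to the NDIA provider list on a normalised ABN (falling back to a normalised entity name), each matched provider’s service bookings and payments are totalled, and the same match doubles as the pre-registration check. Record shapes, names, ABNs and amounts are assumed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

STOPWORDS = {"pty", "ltd", "limited", "the"}

def normalise_abn(abn: str) -> str:
    """Keep digits only, so '11 111 111 111' and '11111111111' compare equal."""
    return "".join(ch for ch in abn if ch.isdigit())

def normalise_name(name: str) -> str:
    """Lower-case, drop punctuation and corporate suffixes for a name match."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in STOPWORDS)

@dataclass
class SanctionEntry:
    """One row of an enforcement register (constructed shape, not the real one)."""
    abn: str
    entity_name: str
    sanction: str

@dataclass
class NdiaProvider:
    provider_id: str
    abn: str
    name: str

@dataclass
class Transaction:
    provider_id: str
    kind: str      # "booking" (service booking) or "payment"
    amount: float

def match_sanctioned_providers(register, providers, transactions) -> List[dict]:
    """Return one result per NDIA provider found on the register, with the
    match basis and that provider's booking and payment totals."""
    by_abn = {normalise_abn(e.abn): e for e in register if normalise_abn(e.abn)}
    by_name = {normalise_name(e.entity_name): e for e in register}
    matches = []
    for p in providers:
        abn = normalise_abn(p.abn)
        if abn in by_abn:
            entry, basis = by_abn[abn], "abn"
        elif normalise_name(p.name) in by_name:
            # Name-only match: lower confidence, flagged for analyst review.
            entry, basis = by_name[normalise_name(p.name)], "name"
        else:
            continue
        own = [t for t in transactions if t.provider_id == p.provider_id]
        matches.append({
            "provider_id": p.provider_id,
            "register_entity": entry.entity_name,
            "sanction": entry.sanction,
            "basis": basis,
            "service_bookings": round(sum(t.amount for t in own if t.kind == "booking"), 2),
            "payments": round(sum(t.amount for t in own if t.kind == "payment"), 2),
        })
    return matches

def summarise(matches: List[dict]) -> dict:
    """Aggregate figures of the kind the NDIA reported (providers, bookings, payments)."""
    return {"providers_matched": len(matches),
            "service_bookings": round(sum(m["service_bookings"] for m in matches), 2),
            "payments": round(sum(m["payments"] for m in matches), 2)}

def pre_registration_check(abn: str, name: str, register) -> Optional[dict]:
    """The same match run for one applicant before registration."""
    hits = match_sanctioned_providers(register, [NdiaProvider("APPLICANT", abn, name)], [])
    return hits[0] if hits else None

# Constructed sample data; ABNs, names and amounts are fictitious.
REGISTER = [
    SanctionEntry("11 111 111 111", "Sunny Days FDC Pty Ltd", "cancelled"),
    SanctionEntry("", "Kids Corner Family Day Care", "suspended"),
]
PROVIDERS = [
    NdiaProvider("P-001", "11111111111", "Sunny Days FDC"),
    NdiaProvider("P-002", "", "KIDS CORNER FAMILY DAY CARE PTY LTD"),
    NdiaProvider("P-003", "22 222 222 222", "Clean Provider Pty Ltd"),
]
TRANSACTIONS = [
    Transaction("P-001", "booking", 12000.00),
    Transaction("P-001", "payment", 8000.00),
    Transaction("P-001", "payment", 1500.00),
    Transaction("P-002", "booking", 4000.00),
    Transaction("P-003", "booking", 50000.00),
    Transaction("P-003", "payment", 50000.00),
]

if __name__ == "__main__":
    found = match_sanctioned_providers(REGISTER, PROVIDERS, TRANSACTIONS)
    for m in found:
        print(m)
    print(summarise(found))
```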

Recommendation no.2

3.26 That the NDIA improve its active fraud detection methods by implementing the planned data analytics and data matching activity as a matter of priority, and on a continuing basis.

National Disability Insurance Agency response: Agreed.

3.27 As part of the Fraud and Compliance Roadmap, the NDIA has prioritised investment in data analytics and matching, infrastructure and data analysts. This has enabled the NDIA to stand up both data analytics and matching capabilities to proactively detect fraud and non-compliance. The NDIA continues to invest in and strengthen our data analytics and data matching capability.

3.28 The NDIA has implemented three fraud detection profiles. A further three fraud detection profiles have been developed and are undergoing refinement prior to operationalisation. These profiles have been prioritised as they act as key controls for identified fraud risks. An additional six profiles have been identified for future development.

3.29 As noted in the audit, the NDIA commenced data matching activities in 2018. As part of the Fraud and Compliance Roadmap, the NDIA has acquired the data storage and analytical tools necessary to progress its data matching strategy. The NDIA has already entered into formal arrangements with six government and non-government organisations to acquire data with further arrangements currently being negotiated or planned.

Are there appropriate processes in place for investigating suspected fraud and taking appropriate action?

Processes for investigating and taking action against suspected fraud are largely appropriate. In December 2018, NDIA developed policies and procedures for investigations which are compliant with the Australian Government Investigations Standards (AGIS) 2011. The NDIA is undertaking investigations in line with these policies and has established an appropriate triaging, escalation, and oversight model. The NDIA also established the NDIS Fraud Taskforce in July 2018, which is a key enhancement to the practical capacity to respond to fraud.

The NDIA’s fraud response management is not fully compliant with investigations policies or the AGIS. The electronic case management system does not centrally record investigation activities or assist with the preparation of briefs of evidence. The NDIA has not established key performance indicators for investigations or undertaken assurance activities to confirm that investigations are being conducted in line with these policies and procedures. The NDIA is taking action to improve compliance in these areas.

3.30 The Fraud Rule56 states:

The accountable authority of a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by:

  1. having an appropriate mechanism for investigating or otherwise dealing with incidents of fraud or suspected fraud; and
  2. Commonwealth entities must have an appropriate mechanism for recording and reporting incidents of fraud or suspected fraud.

3.31 The Fraud Policy57 provides further guidance on investigations and states that entities must have investigation processes and procedures that are consistent with the Australian Government Investigations Standards (AGIS) 2011. While the Fraud Policy is not binding for the NDIA, the NDIA’s Fraud Control Plan states that investigations undertaken within the Agency will comply with the AGIS.

The NDIS Fraud Taskforce

3.32 A key enhancement to the practical capacity to respond to fraud was the establishment of the NDIS Fraud Taskforce in July 2018, supported by the Australian Federal Police (AFP) and the Department of Human Services (Human Services).58

3.33 In July 2018 responsible Ministers advised the Prime Minister that the establishment of the NDIS Fraud Taskforce was ‘to mitigate potential serious fraud within the NDIS which is being reported both through intelligence sources and in the media’.

3.34 In 2018–19, the NDIA allocated $16 million for ‘business as usual’ fraud and compliance activities, including for approximately 75 staff. In addition, $7.7 million was allocated for the NDIS Fraud Taskforce in 2018–19.

3.35 At 30 March 2019 the Fraud and Compliance Branch had 103 staff either working on the NDIS Fraud Taskforce or business as usual activities. Twelve of these NDIA staff were dedicated to the NDIS Fraud Taskforce. In total, Human Services has committed 15 staff to the Fraud Taskforce (including access to AFP staff via the Human Services and AFP Memorandum of Understanding). Human Services also provides additional staff, through short-term arrangements, to support the operational requirements of the Fraud Taskforce. The NDIA has advised that recruitment action is continuing for Taskforce staff.

3.36 The Memorandum of Understanding (MOU) between NDIA and Human Services for the establishment of the NDIS Fraud Taskforce says that the Taskforce is a partnership between NDIA, Human Services and the AFP.59 The MOU also states that the Taskforce has been established with two objectives:

  • ‘immediately commence investigations where intelligence is readily available; and
  • strengthen the NDIA’s longer-term fraud prevention and detection activity and capability’.

3.37 The NDIS Fraud Taskforce is governed by an Inter-Departmental Committee (IDC) comprising NDIA, Human Services, the AFP, the Australian Taxation Office, the NDIS Quality and Safeguards Commission and the Department of Social Services.

3.38 Chapter 4 (paragraph 4.49) mentions the first Taskforce arrest in October 2018.60 On 22 May 2019, the AFP, NDIA and Human Services announced that an NDIS Fraud Taskforce investigation into an organised criminal syndicate suspected of defrauding the NDIS had resulted in the arrest of five people in western Sydney.61 It is alleged that three registered NDIS providers ‘controlled and exploited by those arrested’ fraudulently claimed more than $1.1 million in NDIS payments from more than 70 NDIS participants. Investigations into the true scale of this fraud are continuing, with the three entities believed to have received more than $2.6 million in NDIA payments since December 2017.

NDIA’s compliance with the AGIS

3.39 The AGIS establishes the minimum standards for Australian Government agencies conducting investigations. While not mandatory for corporate Commonwealth entities, the NDIA has agreed to reflect the AGIS standards for undertaking fraud investigations. There are 54 requirements and recommendations in the AGIS across four categories: operating standards, identification of breaches and case selection, investigation management, and investigation practices. The requirements include written policies, templates, systems, and specific activities.

3.40 The ANAO reviewed 36 of the 54 requirements, including the written policies, templates, systems, and nine specific activities.62 The NDIA was compliant with 34 of the 36 tested requirements, as outlined in Table 3.3.

Table 3.3: NDIA’s compliance with AGIS requirements

Source: ANAO analysis.

NDIA fraud management systems

3.41 In order to comply with the AGIS, entities must have systems to manage tip-offs, a case management system, and a system to manage evidence collected in the course of investigations. The NDIA has established three separate spreadsheets for these purposes.

3.42 The AGIS requires that entities have an electronic system for recording the receipt of referrals or conduct identified as allegedly, apparently or potentially breaching the law. It must have the ability to record investigation plans, investigation activity and management of tasks and facilitate the preparation of briefs of evidence.

3.43 The NDIA’s current system does not meet these requirements, as most information on individual cases is held separately in hard copy files. In addition, the NDIA has identified issues with its case management system including:

  • the system provides limited functionality;
  • data can become corrupt and reporting is unreliable; and
  • it does not support efficiency and effectiveness.

3.44 The NDIA has commenced procurement of a new electronic case management system, which will replace the existing referrals and case management systems. It has established a detailed list of requirements for the procurement, which includes the functionality needed to comply with the AGIS. The NDIA sought a quotation from the preferred provider in February 2019, and expects to fully implement the new system by July 2019.

3.45 The NDIA has established an Exhibit Register spreadsheet to manage evidence collection which is compliant with AGIS requirements. The list of requirements for the case management system being procured includes the capability to manage evidence, to replace this spreadsheet.

Quality assurance of investigations

3.46 The NDIA’s Investigations Manual (December 2018), states that:

NDIA management must be assured that investigations are conducted in an efficient and effective manner, and meet contemporary standards and expectations such as those prescribed in the AGIS … An effective means of measuring levels of compliance is to conduct Quality Assurance Reviews.

3.47 The NDIA advised that it has not undertaken any Quality Assurance Reviews, however it has identified the development of a quality framework for all branch activities in its future work plan.

3.48 The AGIS also notes that the AFP can undertake Quality Assurance Reviews of entities’ investigations processes to examine issues relevant to the Commonwealth Director of Public Prosecutions (CDPP) or external counsel. The AFP has not undertaken a formal Quality Assurance Review of any NDIA investigations. Following the NDIA’s first fraud investigation which led to an arrest, an AFP member of the NDIS Fraud Taskforce debriefed NDIA staff, although this was not a requirement. There were no recommendations regarding the application of the AGIS in this debrief.

Recommendation no.3

3.49 The NDIA improve compliance with investigations policies by:

  1. ensuring the new case management system has the functionality identified in pre-procurement planning documents;
  2. establishing performance measures for its investigative functions that align with organisational goals for fraud investigation; and
  3. undertaking quality assurance reviews of recent investigations to gain assurance that the NDIA Investigations Manual is being consistently applied.

3.50 National Disability Insurance Agency response: Agreed.

3.51 Since the audit the NDIA has entered into a contract with the provider for the case management system. The detailed design specifications were set out in the original request for quote, and NDIA has ensured that the design of the system is flexible to not only ensure the initial scope of work, but also to accommodate future improvements based on lessons learnt.

3.52 The NDIA has established a Case Management Committee to review the individual performance of each Fraud Investigation; this includes monitoring the timeliness of each investigation on a case by case basis, as well as a quality check on the critical decisions, evidence and brief.

Action in response to fraud

3.53 The AGIS states that entities may form a committee to inform and oversee the decisions and recommendations following the initial evaluation process, and that decision makers should be at the Senior Executive Service (SES) level. The NDIA has a triaging and escalation process for managing its response to fraud, as outlined in Figure 3.4 and records critical decisions relating to investigations outcomes in line with the AGIS.

Figure 3.4: Fraud escalation at the NDIA

This graphic is described in paragraphs 3.54–3.59.

Source: ANAO analysis.

3.54 Following the initial intake and assessments procedure outlined in paragraphs 3.5–3.9, the NDIA refers instances of suspected fraud to the Fraud Intelligence Team for further investigation. The Fraud Intelligence Team reviews available information such as participant information, provider records or other investigations that may be related. Initial findings are documented in the established template for intelligence reports.

3.55 Where it is considered appropriate by the delegate, these intelligence reports are referred to the Case Management Committee (CMC), which is led by an SES officer. The CMC’s assessment of the intelligence report and the outcome are recorded in the critical decision template.

3.56 The CMC may finalise the investigation, approve an investigation by NDIA staff, or refer the matter to the NDIS Fraud Taskforce or the AFP for further investigation.

3.57 Under the AGIS, cases must be referred to the AFP where the matter relates to serious crime or complex criminal investigation.63 These referrals are usually managed through the AFP’s Fraud and Anti-Corruption Centre. The NDIA instead makes referrals directly to the AFP through the NDIS Fraud Taskforce.64

3.58 Internal NDIA policy also states that other investigative milestones such as referral to the CDPP for briefs of evidence are to be recorded in the critical decision template and approved by the CMC. Briefs of evidence include information such as witness statements and evidence. These are referred to the CDPP for a decision on whether or not to prosecute. The NDIA advised that it has referred one brief of evidence to the CDPP and that this case is ongoing.

3.59 The Fraud and Compliance Branch reports on the progress and outcome of investigations to the NDIA Risk Committee and previously reported to the NDIA Audit Committee. Further details on fraud reporting to the NDIA’s governance committees are included in Chapter 4. In February 2019, the Fraud and Compliance Branch also reported to the NDIA Board on ongoing investigations, noting that 21 investigations were ongoing. The NDIA advised that at 31 May 2019, 20 investigations were ongoing, with an estimated value of $9.3 million.

3.60 As discussed in paragraphs 3.41–3.45, the NDIA has identified issues with data integrity in its current case management system. It has also identified the development of a contemporary fraud and compliance reporting framework in its future work plans.

Recovery of funds

3.61 Funds from identified fraud against the Commonwealth are recovered by the CDPP and AFP in line with the Proceeds of Crime Act 2002. The NDIA advised that the CDPP and AFP are seeking to recover funds from the one investigation the NDIA has referred recently, but this has not yet been finalised. Additionally, the NDIA reported to the NDIA Board and NDIA Risk Committee that it has prevented $2 million in potentially fraudulent claims in relation to its ongoing investigations.

3.62 The NDIA has also taken action to recover funds in relation to fraud or non-compliance by providers other than through the CDPP or AFP. For example, between August and December 2018 breaches totalling $4.6 million were identified, and $2.4 million was reinstated to participant plans. The NDIA has advised that processes are in place to reinstate funds to current participant plans so that no participant loss will occur as a result of identified fraud or non-compliance. The NDIA advised that non-compliant payments were cancelled, and became a negative balance on the provider’s account to facilitate recovery.

4. Oversight, monitoring, and reporting

Areas examined

This chapter examines whether the NDIA has implemented effective arrangements to oversee, monitor and report on its fraud control arrangements. The chapter also examines the NDIA’s liaison with other government entities, its management of projects which have a fraud control dimension and external reporting on fraud.

Conclusion

The NDIA has implemented largely effective oversight, monitoring and reporting of its fraud control arrangements, with improvements made over 2018 and planned for 2019. The NDIA engages effectively with other government entities on fraud control, although fraud related governance should be improved via enhanced project management and reporting.

Areas for improvement

The ANAO made three recommendations to:

  • review the project management of fraud control, including to identify gaps between fraud risks and fraud controls, which would assist in updating the Fraud and Corruption Risk Register;
  • enhance Board and Executive visibility of the status of fraud controls compared to fraud risks; and
  • enhance the comprehensiveness of the non-mandatory reporting to the Australian Institute of Criminology.

Summary of compliance with the Framework

4.1 Table 4.1 outlines the NDIA’s overall compliance with requirements and a better practice principle outlined in the Attorney-General’s Commonwealth Fraud Control Framework in relation to oversight, monitoring and reporting of fraud. The detailed analysis supporting these conclusions is included in the following sections of this Chapter.

Table 4.1: NDIA’s compliance in overseeing, monitoring and reporting fraud

Note a: A mandatory requirement under the Commonwealth Fraud Control Framework, Fraud Rule part (c) (ii).

Note b: A mandatory requirement under the Commonwealth Fraud Control Framework, Fraud Rule part (f).

Note c: A better practice principle requirement under the Commonwealth Fraud Control Framework, Fraud Policy parts 13 and 14.

Source: ANAO.

Does the NDIA work effectively with other entities to mitigate fraud?

The NDIA works effectively with other entities to mitigate fraud. Of note are:

  • the NDIA’s membership of the Fraud and Anti-Corruption Centre;
  • the July 2018 establishment of the NDIS Fraud Taskforce which draws in the expertise of the Australian Federal Police and Department of Human Services;
  • the NDIA’s review of Department of Education and Training data on providers who have defrauded family day care; and
  • active engagement with the NDIS Quality and Safeguards Commission.

4.2 The Australian Federal Police (AFP)-hosted Fraud and Anti-Corruption Centre (FAC) is one way in which Commonwealth entities work together to combat fraud. The NDIA is a member of the FAC (see Table 4.2 below). The AFP notes that through the FAC:

The AFP works closely with partner agencies using a multi-agency approach to strengthening the Commonwealth’s capability to respond to fraud and corruption. This multi-agency approach contributes to the reduction, disruption or cessation of activities beyond those targeted by a particular investigation, which results in increased compliance with Commonwealth legislation and provides enhanced revenue and expenditure outcomes for the Commonwealth.65

4.3 The Attorney-General’s Department’s Resource Management Guide on fraud66 lists eight entities with cross-government responsibilities in fraud control. As detailed in Table 4.2 below, the NDIA has contact with these entities. This is principally to share intelligence on the nature of fraud against the Commonwealth and strategies to combat fraud.

4.4 The 2019–20 Budget included $16.4 million over two years for a targeted approach to tackling fraud and includes funding for the AFP and the Attorney-General’s Department.67 This funding is to improve the way the Commonwealth uses intelligence and data to combat fraud and design fraud resilient programs. This measure is likely to have implications for how Commonwealth entities work together to combat fraud.

4.5 The outcome of NDIA’s interactions with other entities is principally demonstrated through:

  • the work of the Fraud Taskforce (see Chapter 3, paragraphs 3.32–3.38);
  • the use of the Child Care Enforcement Action Register and the planned roll-out of other data matching activities (see Chapter 3, paragraphs 3.23–3.25); and
  • liaison with the NDIS Quality and Safeguards Commission which is detailed below.

Table 4.2: NDIA’s contact with other agencies on fraud matters

Entity / role in relation to fraud

Nature of the NDIA’s liaison with the entity


Australian Federal Police (AFP)a

The NDIA refers serious fraud cases or cases requiring specific powers to the AFP. Current liaison between the NDIA and the AFP is via the Fraud Taskforce.

Commonwealth Director of Public Prosecutions (CDPP): prosecutes crimes against Commonwealth law.a

The NDIA engaged with the CDPP through liaison meetings, and the NDIA has referred fraud incidents to the CDPP for prosecution.

Attorney-General’s Department (AGD): the department owns the Commonwealth Fraud Control Framework.a

The NDIA liaises with the AGD, for example, attending its annual Commonwealth Fraud Liaison Forum.

Australian Institute of Criminology (AIC): compiles trend data and is a knowledge centre on crime and justice.a

The NDIA reports information on fraud to an AIC census every year. Refer to Table 4.6 on the nature and quality of this reporting.

Australian Competition and Consumer Commission (ACCC): has a Scams Awareness Network which runs an annual Scams Awareness Week.a

The NDIA is a member of the ACCC’s Australasian Consumer Fraud Taskforce and participates in Scams Awareness Week.

Australian Securities and Investment Commission (ASIC): Australia’s corporate regulator.a

The NDIA is planning to establish data sharing arrangements with ASIC.

Fraud and Anti-Corruption Centre (FAC): see paragraph 4.2.

The NDIA joined the FAC on 6 July 2018 to access intelligence and investigation support from FAC members.

Australia and New Zealand Inter-agency Fraud Association (ANZIFA): attended by government agencies to enable improved information sharing on fraud.

The NDIA is a member of the Interagency Fraud Forum and attends the quarterly ANZIFA forums.

Australian Transaction Reports and Analysis Centre (AUSTRAC): detects and addresses financial crime.b

Data acquisition and sharing arrangements are in place between AUSTRAC and NDIA.

NDIS Quality and Safeguards Commission (QSC): regulates the quality of the NDIS market.c

Refer to the paragraphs 4.6–4.9.

Commonwealth Department of Education and Training.

Refer to Chapter 3, paragraph 3.24.


Note a: These cover six of the eight entities listed as having cross-government fraud control responsibilities in the AGD’s Resource Management Guide No. 201: Preventing, detecting and dealing with fraud [Internet], AGD, August 2017, available at: <https://www.ag.gov.au> [accessed 27 February 2019]. One entity is the ANAO, which has statutory responsibilities and is not listed in the Table. The other entity, the Australian Commission for Law Enforcement Integrity, supports the AIC and has no direct engagement with the NDIA (not included in the table).

Note b: Austrac, About Us [Internet], Austrac, available at: <http://www.austrac.gov.au/about-us> [accessed 27 February 2019].

Note c: QSC, [Internet], available at: <https://www.ndiscommission.gov.au/about> [accessed 27 February 2019].

Source: ANAO.

Engagement with the NDIS Quality and Safeguards Commission

4.6 The Quality and Safeguards Commission (QSC) is currently responsible for NDIS provider registration in New South Wales and South Australia, and will take over this role for other States and Territories by July 2020.68 It is responsible for the implementation of the National Disability Insurance Scheme (Provider Registration and Practice Standards) Rules 2018. These include a requirement for the QSC to have regard to whether an applicant or a member of the key personnel of an applicant has been the subject of any findings or judgment in relation to fraud.

4.7 The QSC has advised that it has adopted a staged process to re-register all existing providers in New South Wales and South Australia, as providers are required to meet new requirements including third party audits against NDIS practice standards.

4.8 The draft NDIS and QSC Fraud and Compliance Operational Protocol details working arrangements, roles and responsibilities, agreed principles and governance arrangements for fraud and compliance practices across the two entities. The QSC is responsible for investigating allegations of misconduct, underperformance and sharp practices by NDIS registered providers, and for enforcement action, but not for fraud, which is solely the responsibility of the NDIA.

4.9 There is a QSC template to refer matters to the NDIS Fraud Taskforce. The QSC has reported 17 instances of potential fraud to the NDIA. The NDIA has made 17 referrals to the QSC regarding non-compliance by New South Wales and South Australian providers.

Does the NDIA undertake projects to improve fraud controls and consider fraud risks for other projects?

The NDIA is undertaking several projects to improve its fraud controls including delivery of a Fraud and Compliance Roadmap. The NDIA has completed risk assessments for its major fraud related projects. However, it has not provided evidence that risk assessments, which consider fraud risk, have been conducted for all NDIA projects. The NDIA should review its projects to identify how these will close the gaps between fraud risks and controls. This would assist in updating the Risk Register.

Project management for fraud control

4.10 The 2017 Commonwealth Fraud Control Framework Fraud Rule says the agency must ensure ‘the risk of fraud is taken into account in planning and conducting the activities of the entity.’69 The NDIA’s Fraud Control Plan reflects this, stating that the ‘Agency must consider the risk of fraud when planning and conducting business activities, including major new policies and projects’. The Plan also states that fraud risk assessments must be completed for all projects.70 This section examines how NDIA projects take fraud into account. Chapter 2 deals with how risk of fraud is managed more generally through fraud risk assessments and the Risk Register.

4.11 NDIA programs, strategies and projects are run either by its Project Management Office (PMO) or by the relevant line area. Fraud is relevant to an NDIA project where:

  • the project objective includes enhanced fraud control; or
  • changes resulting from the project could affect fraud risks.

4.12 The NDIA’s PMO commenced in early 2018 and is managing seven strategic programs, and was also allocated 10 smaller-scale projects. The strategic programs and projects managed by the PMO are required to have a Risks, Assumptions, Issues and Dependencies (RAID) log completed which includes assessment of fraud risk.71 The NDIA has advised that by the end of May 2019 a ‘risk-in-change tool’ will also be used for the strategic programs. This tool identifies where a program may impact fraud risks, requiring action to manage this before it moves into a ‘business as usual’ state.

4.13 RAID logs were completed for the PMO smaller-scale projects, with two exceptions: two projects were reclassified as ‘business as usual’ with no RAID log required, and one RAID log is still to be completed for a project in the initial planning stage. NDIA has advised that ‘business as usual’ activity risks are managed at the group level and are reported to the Executive Leadership Team.

4.14 NDIA has also advised that for projects managed by line areas, best practice is advised but completion of a RAID log or a Risk Action Plan is not mandated.72 When a project business case is considered by the Executive Leadership Team, a template which lists project risks and proposed mitigations is completed. NDIA has further advised that all new projects will be required to apply a project management tool which uses a RAID log approach to identifying and managing risks.

4.15 The NDIA advised the ANAO that ‘the single source of truth’ on the gap between fraud risks and controls should be the Fraud and Corruption Risk Register. As noted in Chapter 2, the current version of the Risk Register does not contain all planned controls.

4.16 NDIA has advised that it is updating the Risk Register and building a new project and portfolio management system. However, currently there is no centralised source of truth on all projects which have a fraud control dimension, specifying key information such as project objective and priority, deliverables and their status, linkages between projects and resourcing.

4.17 To enhance the management of the NDIA’s fraud control activities, the NDIA should review its project management of fraud control. This would also assist in implementing Recommendation 1 (updating the Risk Register). NDIA has advised that the current refresh of the Risk Register ‘will link any projects to the fraud risk profile or fraud controls (either in place or planned)’.

Recommendation no.4

4.18 That the NDIA undertake a review of its project management of fraud control. This review should:

  1. map all projects and activities with fraud control dimensions, including their status, linkages, relative priority and resourcing;
  2. determine whether additional projects or activities are required to close any gaps between the fraud risks and the implemented and planned fraud controls within projects; and
  3. support updating the Fraud and Corruption Risk Register (Recommendation 1).

National Disability Insurance Agency response: Agreed.

4.19 The NDIA has already progressed this recommendation and has mapped all endorsed projects. These projects have been considered and included where appropriate in the recent update to the Fraud and Corruption Risk Register.

4.20 The NDIA has also taken action to ensure the Strategic Portfolio Committee will have visibility of proposed projects with fraud dimensions by updating the project business case template to specifically identify those projects with fraud dimensions.

Fraud-related projects

4.21 The NDIA has three programs/strategies designed to make critical contributions to enhancing fraud controls. These are the:

  • Robust NDIA Strategic Program (includes the Fraud and Compliance Roadmap stream);
  • Payments Strategy; and
  • Self-managed Strategy.

4.22 Table 4.3 provides a summary of the fraud control components of each of these. NDIA has suitable governance arrangements for the program and strategies examined and is compliant with its requirements for risk assessment documentation. Risk identification is still required for the Payments Strategy which is in the concept phase. The four risks identified for the Self-managed Strategy include the risks that the findings of a self-managed internal audit are not addressed and that the new fraud controls are not effective. These risks and the mitigation strategies may need to be updated once this strategy moves into the implementation stage in 2019–20.

Table 4.3: Assessment of key NDIA programs / strategies contributing to fraud control

Columns assessed for each program / strategy: contribution to fraud controls; has a Project Steering Committee; RAID log done; risk action plan done; risk-in-change tool applied.

Robust NDIA Strategic Program (PMO led)
  Contribution to fraud controls: the program has eight project streams (two closed). See paragraph 4.23.
  Risk action plan done: not required as covered by RAID log.

Fraud and Compliance Roadmap (stream of Robust NDIA)
  Contribution to fraud controls: detailed in paragraphs 4.24–4.26. There are over 280 actions under a two year program of work, including fraud controls such as data matching.
  RAID log done: ✔ final endorsed May 2019.
  Risk action plan done: not required as covered by RAID log.

Payments Strategy
  Contribution to fraud controls: one of the five objectives for this strategy relates to enhancing payment controls, assurance and reporting.
  RAID log done: not required.
  Risk action plan done: risk log was blank in the August 2018 Steering Committee papers.
  Risk-in-change tool applied: not required.

Self-managed Strategy
  Contribution to fraud controls: includes responding to the self-managed participant internal audit findings on fraud controls.
  RAID log done: not required.
  Risk action plan done: risks and proposed mitigation in project plan.
  Risk-in-change tool applied: not required.

Source: ANAO.

Robust NDIA

4.23 The Robust NDIA Strategic Program aims to build and embed mature enterprise functions for the NDIA, including robust risk, assurance, fraud program and change management functions. The program has had eight project streams: six are active and two are closed. Three streams are critical for fraud control:

  • the Fraud and Compliance Strategic Roadmap (discussed below);
  • the Protective Security stream, which covers improvements to meet the Attorney- General’s Department Protective Security Policy Framework (PSPF)73; and
  • the Remedial Activity stream, which was designed to address the backlog of open external audit findings and to minimise adverse findings in future. The stream was closed in December 2018 after resolution of the major external audit issues.

The Fraud and Compliance Roadmap

4.24 The central NDIA mechanism for delivery of fraud control enhancements is the Fraud and Compliance Roadmap (the Roadmap). It was initially developed in March 2018, and was approved by the NDIS Board and the Risk Committee in November 2018. A key completed area of focus under the Roadmap was the establishment of the NDIS Fraud Taskforce in July 2018.74 Chapter 3 outlines the governance for the Taskforce and its role in fraud investigations.

4.25 The Roadmap is intended to ‘build an autonomous and industry-leading fraud and compliance program across four critical dimensions’ and 12 capabilities (see Table 4.4).

Table 4.4: NDIA Fraud and Compliance Roadmap dimensions and capabilities

The four dimensions and the 12 capability streams under each:

Governance
  • Intra-agency collaboration
  • Demonstrated value (performance management system)
  • Fraud and compliance operations

Process / capabilities
  • Risk assessment processes
  • Prevention mechanisms
  • Compliance intervention mechanisms
  • Detection processes and enablers
  • Investigation processes and enablers

People / culture
  • Inter-agency collaboration
  • Extra-agency collaboration
  • Fraud and compliance culture

Systems
  • Data and systems

Source: NDIA documentation.

4.26 The NDIA has advised that the twelve core capabilities are required to deliver an integrated function that can effectively control fraud risk. In February 2019, the NDIA produced a two-year program of work for the Roadmap with over 280 deliverables. The NDIA is delivering the program of work in 100 day ‘sprints’75 and has developed a work plan for each sprint. A closure report was completed for the first sprint (October 2018 to January 2019). This notes the key achievements for the sprint, for example additional data inputs for data matching. The closure report lists all Roadmap work streams as on track, except for an amber rating for ‘demonstrated value’ (minor delays in the overall project plan for the Roadmap).

Payments Strategy

4.27 The Payments Strategy, although still in the concept phase, aims to develop a future-state payment strategy. One of the five objectives relates to enhancing payment controls, assurance and reporting. The high level strategy has the following three phases:

  • remedy the past (by April 2019), for example by resolving payment delay problems;
  • enhance the existing (by June 2019) using root-cause identification, payments value chain and payment scenario tools to develop options to improve the current state (for example, providing an alert to a participant when a provider makes a claim against their plan); and
  • build the future (by mid-2020), by developing a business case and implementing a real time claims platform, which could include removing payments going directly to self-managed participants.

4.28 The NDIA has advised that the risk action plan, which would consider fraud risks, is not yet available for the Payment Strategy as it is still in the concept phase.

Self-managed Strategy

4.29 NDIS participants can request to self-manage their NDIS funds.76 Following a risk assessment, the NDIA decides if a participant can self-manage and directly purchase the supports they need in line with their support plan.

4.30 In November 2018, an internal audit of self-managed participant processes was completed. The audit concluded that as the NDIS expands it is likely that the number of participants choosing self-management will continue to increase.77 The audit identified issues in a number of areas including:

  • recording expenses;
  • validating spends;
  • high risk spends;
  • spending above budget;
  • eligibility to self-manage; and
  • the Participant Portal.

4.31 As part of the 2015–16 financial statement audit, the ANAO noted that there were no documented compliance activities for payments made directly to self-managed participants. This was reported as part of the ANAO report to Parliament titled ‘Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2016’.78 The NDIA provided further explanation that funds are paid directly to the self-managed participants and no supporting documentation is required as part of the claiming process. Self-managed participants are required to keep copies of receipts for supports provided. The NDIA has stated that it plans to fully address this finding by June 2019. Risks associated with self-managed participants also formed a focus area for the 2018–19 ANAO financial statement audit.79

4.32 The Joint Committee of Public Accounts and Audit (JCPAA) Report on 2017–18 financial statements80 noted the NDIA’s progress in resolving the audit findings and stated that the Committee will continue to monitor the NDIA’s progress in addressing audit findings.

4.33 In response to the internal audit, the NDIA is developing a Self-managed Strategy with implementation planned for 2019–20.

4.34 A presentation on the internal audit findings and development of the strategy was made to some members of the Board and the Executive Leadership Team on 30 January 2019. Before June 2019, interim controls for self-managed participants are to be enhanced, for instance procedures for self-managed claims and improved risk assessment to determine if participants are suitable to self-manage. The January presentation notes that in 2017–18 there were 216 allegations of misuse of funds related to self-managed participants or their nominees, and this equated to less than one per cent of the total number of self-managed participants.

4.35 Quality assurance of payments to self-managed participants commenced at the start of 2017–18.81 A number of critical tests (with a potential impact on the payment value) are applied: (1) valid supporting documentation for the payment (receipt), (2) the receipt shows the amount paid, and (3) the funds have been spent in line with a plan goal.

4.36 In 2017–18 the average error rate for each of the three critical tests was 14.2 per cent, 7.3 per cent and 14.7 per cent respectively. For quarters one to three in 2018–19, the average rates were 4.0 per cent, 3.4 per cent and 4.4 per cent. For quarter three in 2018–19 the rates were 1.3 per cent, 1.3 per cent and 2.5 per cent for the 79 payments tested.
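The three critical tests in paragraph 4.35 and the error rates in paragraph 4.36 are straightforward to express as a control-testing routine. The following Python is an added example, not ANAO or NDIA code: it applies the three tests to a constructed sample of ten self-managed claims (three with defects), reports the per-test error rate as a percentage of claims tested, and also computes a value-weighted payment accuracy figure of the kind reported in paragraph 4.60. The record layout, the tolerance on receipt amounts, and the treatment of test 2 as not applicable when no receipt exists are assumptions.

```python
"""Added example (not ANAO or NDIA code): the three critical tests used in
quality assurance of self-managed payments, run over a constructed sample
of claims. Record layout, amount tolerance and the handling of test 2 when
no receipt exists are assumptions for illustration."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Claim:
    claim_id: str
    amount_paid: float                # paid directly to the self-managed participant
    plan_goals: FrozenSet[str]        # goals funded in the participant's plan
    receipt_amount: Optional[float]   # None when no supporting receipt was kept
    receipt_goal: Optional[str]       # plan goal the receipted support relates to


TESTS = ("documentation", "amount", "plan_goal")


def critical_tests(c: Claim) -> dict:
    """Return, for each critical test, True when the claim fails it."""
    has_receipt = c.receipt_amount is not None
    return {
        # (1) valid supporting documentation for the payment
        "documentation": not has_receipt,
        # (2) receipt shows the amount paid; assumed not applicable without a receipt
        "amount": has_receipt and abs(c.receipt_amount - c.amount_paid) > 0.005,
        # (3) funds spent in line with a plan goal
        "plan_goal": c.receipt_goal not in c.plan_goals,
    }


def failed_claims(claims: Iterable[Claim]) -> List[str]:
    """Claim ids that fail at least one critical test (candidates for follow-up)."""
    return [c.claim_id for c in claims if any(critical_tests(c).values())]


def error_rates(claims: Iterable[Claim]) -> dict:
    """Per-test error rate (% of claims tested) plus value-weighted payment accuracy (%)."""
    claims = list(claims)
    failures = {t: 0 for t in TESTS}
    total_value = improper_value = 0.0
    for c in claims:
        result = critical_tests(c)
        for t in TESTS:
            failures[t] += int(result[t])
        total_value += c.amount_paid
        if any(result.values()):
            improper_value += c.amount_paid
    rates = {t: round(100.0 * failures[t] / len(claims), 1) for t in TESTS}
    rates["payment_accuracy"] = round(100.0 * (total_value - improper_value) / total_value, 1)
    return rates


# Constructed sample: ten claims, three of which carry a defect.
GOALS = frozenset({"daily living", "community access", "therapy"})
SAMPLE_CLAIMS = [
    Claim("C01", 500.0, GOALS, 500.0, "therapy"),
    Claim("C02", 120.0, GOALS, None, None),              # no receipt kept
    Claim("C03", 300.0, GOALS, 250.0, "daily living"),   # receipt does not match amount paid
    Claim("C04", 80.0, GOALS, 80.0, "holiday"),          # not a plan goal
    Claim("C05", 200.0, GOALS, 200.0, "community access"),
    Claim("C06", 150.0, GOALS, 150.0, "daily living"),
    Claim("C07", 75.0, GOALS, 75.0, "therapy"),
    Claim("C08", 45.0, GOALS, 45.0, "daily living"),
    Claim("C09", 330.0, GOALS, 330.0, "community access"),
    Claim("C10", 200.0, GOALS, 200.0, "therapy"),
]

if __name__ == "__main__":
    print(error_rates(SAMPLE_CLAIMS))
    print(failed_claims(SAMPLE_CLAIMS))
```

Because the documentation test and the plan-goal test both fail when no receipt exists, a claim without a receipt counts against two tests at once, which is one reason per-test rates can differ from the share of claims that are improper in value terms.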

Does the NDIA have effective governance and internal reporting arrangements for fraud control?

The NDIA has enhanced its governance and internal reporting of fraud control activities over 2018. The Board, Audit Committee, Risk Committee and the Executive Leadership Team have considered different aspects of the NDIA’s fraud control program including fraud risks, ICT fraud security, the Fraud Control Plan and fraud investigations. Fraud control governance and reporting would be more effective if the Board and the Executive Leadership Team were regularly updated on the status of fraud controls in response to fraud risks.

4.37 The NDIA’s Fraud Control Plan outlines the NDIA governance committees and key responsibilities related to fraud control. These are summarised in Table 4.5.

Table 4.5: The NDIA’s key committees for fraud governance

Governance committees for fraud controla

NDIA Board: responsible under the National Disability Insurance Scheme Risk Management Rules 2013b to ensure the Agency’s operational structure facilitates effective risk management.

Audit Committee: provides risk oversight and management, and oversees internal audits.

Risk Committee: oversees the NDIA’s fraud prevention and response activities.

Executive Leadership Team: the management committee for the NDIA comprising senior executives and chaired by the CEO, which considers a range of fraud matters.c

Note a: Other NDIA Committees not relevant to fraud and not in the Fraud Control Plan are not included.

Note b: Commonwealth Legislation, National Disability Insurance Scheme — Risk Management Rules 2013 [Internet], available from: <https://www.legislation.gov.au/Details/F2013L01183> [accessed 10 April 2019].

Note c: Comprises eight senior executives, including the Deputy CEO, Strategy Development (Chief Risk Officer), the Scheme Actuary and the Chief Information Officer.

Source: NDIA Fraud Control Plan and Committee agendas.

Board and Committee oversight of fraud

4.38 In 2018 and 2019 the NDIA Board, Committees and the Executive Leadership Team considered the status of fraud control activities. Key items were:

  • advice on the risk rating for the 17 fraud risk types, noting where improved controls were required, was provided to the Risk and Audit Committees in February 2018 and to the Executive Leadership Team in March 2018;
  • the Risk Committee endorsed the Fraud Risk Assessment and Framework in May 2018;
  • the Fraud Control Plan was considered by the Board in May 2018 and finalised in August 2018, with the Board noting the publication of the Fraud Statement in October 2018;
  • quarterly reports to the Risk Committee on fraud tip-offs and fraud cases, including the number of tip-offs and open and closed fraud cases, the value of payments under fraud investigation, and details of investigations and system changes in response to fraud;
  • quarterly regulatory compliance reports to the Audit Committee noting incidents under the Fraud Rule / Criminal Code; and
  • various status updates on fraud control projects including the Roadmap.

4.39 Despite reporting on the fraud risk activities and fraud cases, there was not consistent reporting on key assessments in the Risk Register, including the controls effectiveness rating (poor, adequate or good).

4.40 In March 2019, the Executive Leadership Team was provided with information on the planned update of the agency’s fraud risk profile, which includes updating the Risk Register and the Fraud Control Plan, with supporting risk assessment workshops run in March and April 2019.

4.41 There are planned improvements to internal reporting on fraud control under the Fraud and Compliance Strategic Roadmap two year program of work. A March 2019 update for the Leadership Team on the Fraud Risk Profile stated ‘more regular reporting of the fraud risk profile and buy down of risk over time (including state of control environment) should occur to the appropriate committees or governance bodies.’

4.42 The improvements should include streamlined, regular and clear reporting to the Executive Leadership Team and the Board on the gaps between fraud risks and controls.

Recommendation no.5

4.43 That, to ensure visibility of the fraud control environment, NDIA provide regular reports to the Executive Leadership Team and the Board containing a summary of the status of the Fraud and Corruption Risk Register including:

  1. the untreated risk rating and the residual overall impact after controls are applied for each of the 17 fraud risk types;
  2. the controls effectiveness rating for each of the 17 fraud risk types; and
  3. the actions required on controls, with implementation dates.

National Disability Insurance Agency response: Agreed.

4.44 In updating the Fraud and Corruption Risk Register for 2019, the NDIA rationalised and re-categorised the risk types to better consider the range and scope of fraud risks faced by the NDIA. As such the 17 risk types referenced in the ANAO’s recommendation do not reflect a contemporary view of the risk types in the current risk register.

4.45 In endorsing the 2019 update to the Fraud and Corruption Risk Register the Board also endorsed the ongoing review and updating of fraud risks faced by the NDIA. The regular updating of the Fraud and Corruption Risk Register for changes in fraud risks and controls, will require updates to the structure and content of reporting to the Board and Executive Leadership Team. The updated Fraud and Corruption Risk Register identifies key controls, no longer includes non-controls, and assesses the implementation and effectiveness of individual controls and lists planned controls. For proposed controls where timeframes have not been set at the time of writing, the Fraud & Compliance Branch, in partnership with Line 1 Risk Resources, will support business to set timeframes and deliver the controls.

4.46 The NDIA Board has agreed that the Executive Leadership Team will be updated, through the Chief Risk Officer Report, monthly regarding the Agency’s fraud risk profile. The Fraud and Corruption Risk Register will be updated quarterly, and outcomes of fraud risk assessment activities will be shared with NDIA’s Internal Audit Team and the Controls and Assurance Branch for consideration in their forward work program.

ICT governance for fraud control

4.47 Human Services hosts the main NDIA IT systems under a 13 April 2017 Shared Services Agreement and Services Schedule which is reviewed annually. Human Services works with the NDIA to understand its business requirements and can provide professional advice to the NDIA on ICT matters. The NDIA is responsible for IT business cases and change specifications. Human Services then documents requirements and delivers the system.

4.48 Human Services’ Protective Security Directorate has issued a Directive on cyber security arrangements for agencies hosted on its networks. The NDIA and Human Services signed a copy of this Directive on 13 December 2018, signalling mutual compliance with these obligations.

4.49 NDIS ICT systems are modified in response to learnings and incidents of fraud. This included a response to the approach taken by a Victorian man who was charged with allegedly defrauding the NDIS of more than $400,000.82 This arrest was a result of the work of the Fraud Taskforce. A guilty plea was entered and sentencing is set down for 20 June 2019. ICT changes, including due to this case, were reported to the Risk Committee in November 2018:

  • enhanced controls for provider access to a participant’s budget;
  • workshops for NDIA staff registering providers on the required checks prior to registration;
  • tightening staff access to locks on payments to providers; and
  • blocking of high-risk providers from the NDIS portal.
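The four ICT changes above are described only at the level of outcomes. As an added illustration that is not NDIA code and does not describe the NDIS portal’s actual implementation, the following Python sketch shows a deny-by-default claim gateway applying controls of those kinds: a provider registration and high-risk block, a service booking that scopes a provider’s access to a single budget in a participant’s plan, a payment lock that only staff holding an assumed ‘payments_authoriser’ role can release, and the participant alert on each claim attempt that paragraph 4.27 foreshadows. All names, data structures, rule wording and the test fixtures are assumptions.

```python
"""Added example (not NDIA code): a deny-by-default claim gateway showing the
kinds of control listed in paragraph 4.49. Data model, role name, rule
wording and fixtures are assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Provider:
    provider_id: str
    registered: bool = True
    high_risk: bool = False          # high-risk providers are blocked from the portal


@dataclass
class Plan:
    participant_id: str
    # (budget category, provider_id) -> funds remaining under that service booking
    bookings: Dict[Tuple[str, str], float]
    payments_locked: bool = False    # set while a plan is under review


@dataclass
class Claim:
    provider_id: str
    participant_id: str
    category: str
    amount: float


AUTHORISER_ROLE = "payments_authoriser"   # assumed staff role able to release a lock


def release_payment_lock(plan: Plan, actor_roles: set) -> bool:
    """Only staff holding the authoriser role may remove a payment lock."""
    if AUTHORISER_ROLE not in actor_roles:
        return False
    plan.payments_locked = False
    return True


def authorise_claim(claim: Claim, providers: Dict[str, Provider],
                    plans: Dict[str, Plan], alerts: List[dict]) -> Tuple[bool, str]:
    """Deny-by-default check of a provider claim against a participant's plan.
    Every attempt, allowed or not, is recorded as an alert for the participant."""

    def decide(allowed: bool, reason: str) -> Tuple[bool, str]:
        alerts.append({"participant_id": claim.participant_id,
                       "provider_id": claim.provider_id,
                       "amount": claim.amount,
                       "allowed": allowed, "reason": reason})
        return allowed, reason

    provider = providers.get(claim.provider_id)
    if provider is None or not provider.registered:
        return decide(False, "provider not registered")
    if provider.high_risk:
        return decide(False, "high-risk provider blocked from portal")
    plan = plans.get(claim.participant_id)
    if plan is None:
        return decide(False, "no plan for participant")
    if plan.payments_locked:
        return decide(False, "payments locked pending review")
    if claim.amount <= 0:
        return decide(False, "invalid amount")
    key = (claim.category, claim.provider_id)
    remaining = plan.bookings.get(key)
    if remaining is None:
        # A provider can only claim against a budget it holds a booking for.
        return decide(False, "no service booking for this provider and budget")
    if claim.amount > remaining:
        return decide(False, "claim exceeds funds remaining under booking")
    plan.bookings[key] = remaining - claim.amount
    return decide(True, "claim approved")


if __name__ == "__main__":
    providers = {"P1": Provider("P1"), "P2": Provider("P2", high_risk=True)}
    plans = {"N1": Plan("N1", {("core", "P1"): 1000.0})}
    alerts: List[dict] = []
    print(authorise_claim(Claim("P1", "N1", "core", 400.0), providers, plans, alerts))
    print(authorise_claim(Claim("P2", "N1", "core", 10.0), providers, plans, alerts))
    print(alerts)
```

The ordering of checks matters for what an attacker learns: registration and risk status are evaluated before any plan data is consulted, so a blocked provider never sees whether a booking or budget exists.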

Essential Eight

4.50 As a hosted network, Human Services requires the NDIS system to comply with the cyber security controls outlined under the Australian Signals Directorate’s (ASD) Essential Eight and associated Information Security Manual (ISM) controls. The Essential Eight is a set of baseline mitigation strategies intended to prevent cyber security incidents. Following requests from the NDIA, Human Services commenced providing Essential Eight assurances to the NDIA in November 2018.

4.51 In February 2019, NDIA’s Audit Committee was provided with a summary of NDIA compliance with Essential Eight (assessed by Human Services from November 2018 to January 2019). At January 2019, Human Services’ assessment was that the NDIA system was non-compliant with three of the eight requirements. For one of these, which is not a Top Four requirement,83 Human Services provides a compensating control. For the other two (one of which is a Top Four requirement), further work is underway, and the NDIA has advised that it expects this to be sufficient.

4.52 NDIA has advised that it is developing a Protective Security Policy Framework (PSPF) capability, including aligning this with management of the Top Four aspects of the Essential Eight. This is a focus under the Robust NDIA Strategic Program. It has further advised that an ongoing internal audit advisory engagement is assisting with the development of the PSPF framework planned for 2018–19 and 2019–20.

4.53 The Essential Eight compliance reporting to the NDIA and the signing of the Directive occurred over 18 months after the signing of the Shared Services Agreement. The NDIA has advised that it will be important to have ongoing and productive engagement with Human Services under the shared services arrangements. This is so that assurances from Human Services regarding ICT and wider matters remain up-to-date.84

Is the NDIA meeting the external reporting requirements of the Commonwealth Fraud Control Framework?

The NDIA responds to the annual Australian Institute of Criminology (AIC) questionnaire on fraud. Under the Fraud Control Framework, given the NDIA is a corporate entity, this reporting is better practice rather than being mandatory. There is scope for NDIA to enhance future reports given improvements in its fraud control activities.

Reporting to the Australian Institute of Criminology

4.54 The 2017 Commonwealth Fraud Control Framework Fraud Policy85 states:

The Australian Institute of Criminology (AIC) must make an annual report to the Attorney-General’s Department (AGD) on fraud against the Commonwealth and fraud control arrangements. To facilitate this all entities must provide information to the AIC in the form requested by AIC.86

4.55 Even though this is not a mandatory requirement for the NDIA, in line with better practice, the NDIA made reports to the AIC in 2017 and 2018. The quality of the 2017 report reflects the immaturity of the NDIA fraud control processes at the time. The 2018 report has more detail as there were active investigations for that reporting period. However, there is scope for improvement in the 2019 report as the NDIA’s fraud control matures.

4.56 Table 4.6 summarises and assesses data for the 2017 and 2018 responses.

Table 4.6: Assessment of NDIA reporting to AIC in 2017 and 2018

Source: ANAO.

Recommendation no.6

4.57 That, in making improvements to its fraud control processes and systems, the NDIA ensures that it is able to record and report more detailed fraud control data, including for the Australian Institute of Criminology Annual Reporting Census.

National Disability Insurance Agency response: Agreed.

4.58 The NDIA will continue to support better practice under the 2017 Commonwealth Fraud Control Policy and respond annually to the Australian Institute of Criminology Annual Reporting Census.

Public reporting on fraud

4.59 Corporate entities, including the NDIA, are not required to report on their compliance with the Fraud Rule in Annual Reports, even though they must comply with the Rule itself. Nevertheless, the 2017–18 NDIA Annual Report makes a number of references to fraud control. For example, there is a paragraph on managing the fraud risk which says:87

The Fraud Control Plan was developed with a focus on sustainability of the Scheme.…Increasing the effectiveness in handling reports of suspected fraud received from the public or other stakeholders was a focus for the NDIA in 2017–18 … The Fraud Control Plan is supported by ongoing fraud risk assessment processes and the implementation and expansion of the control testing regime.

4.60 Although not a mandatory requirement, the NDIA’s Financial Statements within the 2017–18 Annual Report88 reported a payment accuracy rate of 95 per cent (a five per cent improper payment rate, including fraud). In November 2018 the Executive Leadership Team noted that the tolerance for non-compliant payments for 2018–19 should be under five per cent in line with benchmarks applied for several other government programs.

4.61 The UK Cabinet Office publishes a Cross-Government Fraud Landscape Annual Report, with the 2018 report listing the value of fraud detected for each of 17 departments in 2016–17.89 This could be an option to consider in the Australian context.

Appendices

Appendix 1 Entity response

NDIS response letter

Footnotes

1 NDIA, [Internet], available at: https://www.ndis.gov.au/understanding/what-ndis [accessed 8 April 2019].

2 NDIA, About us [Internet], available at: < https://www.ndis.gov.au/about-us>, [accessed 8 April 2019].

3 NDIA: Fraud strategy, [Internet], available at: < https://www.ndis.gov.au/about-us/fraud-strategy> [accessed 8 April 2019].

4 Commonwealth Fraud Control Framework 2017, page IV, [Internet], available at: <https://www.ag.gov.au/Integrity/FraudControl/Documents/CommonwealthFraudControlFramework2017.PDF> [accessed 26 April 2019].

5 Attorney General 2019–20 Budget Media Release 2 April 2019, [Internet], available at:

<https://www.attorneygeneral.gov.au/Media/Pages/Budget-increase-provides-funding-certainty-for-legal-assistance-services-2-4-2019.aspx> [accessed 8 April 2019].

6 Refer to ANAO performance audits: (1) Administration of the VET fee help scheme No. 31 of 2016–17 [Internet], available at: <https://www.anao.gov.au/work/performance-audit/administration-vet-fee-help-scheme> [accessed 26 April 2019]; (2) note there was a later, related audit: Design and Implementation of VET students loans program, No. 11 of 2018–19 [Internet], available at: <https://www.anao.gov.au/work/performance-audit/design-and-implementation-vet-student-loans-program>, [accessed 26 April 2019].

7 Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2018 (Report number 19 of 2018–19), page 231 and paragraphs 4.17.38–4.17.42 [Internet] available at: <https://www.anao.gov.au/sites/default/files/Auditor-General_Report_2018-2019_19.pdf>, [accessed 24 April 2019].

8 The Minister for Education said in a 17 December 2018 family day care fraud Media Release that: ‘We will continue to work to detect and disrupt non-compliant and fraudulent services. There will also be greater cooperation between government agencies to protect other government payments’. [Internet], available at: <https://ministers.education.gov.au/tehan/stamping-out-fraud-family-day-care> [accessed 1 May 2019].

9 Attorney-General’s Department, Commonwealth Fraud Control Framework 2017, page C7. Available from: <https://www.ag.gov.au/Integrity/FraudControl/Pages/FraudControlFramework.aspx> [accessed 7 February 2019].

10 Australian Institute of Criminology, Commonwealth Fraud Investigations 2015–16, June 2018, page viii, [Internet], available at: <https://aic.gov.au/publications/sr/sr7-0> [accessed 8 April 2019].

11 Australian Institute of Criminology, Commonwealth Fraud Investigations 2015–16, June 2018, page viii, [Internet], available at: <https://aic.gov.au/publications/sr/sr7-0> [accessed 8 April 2019].

12 UK Cabinet Office, Cross Government Fraud Landscape Annual Report 2017, page 10. Available from: <https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/642784/2017-09-06_Cross_Government_Fraud_Landscape_Annual_Report_final.pdf> [accessed 7 February 2019].

13 The fraud-related sections in the PGPA Rule are made for paragraphs 102(a), (b) and (d) of the PGPA Act including Part 2-2(1) section 10 (which sets a minimum standard for accountable authorities to manage the risk of fraud) and Part 2-3(3A) subsection 17AG(2) (which sets the annual reporting requirements).

14 The Commonwealth Fraud Control Framework was reissued in August 2017 and replaced the previous Framework issued in 2014.

15 Within the PGPA Act there are three types of entities:

  • Non-corporate Commonwealth entities: these are legally and financially part of the Commonwealth. Examples include the Department of Human Services and the Department of Finance.
  • Corporate Commonwealth entities: a body corporate that has a separate legal personality from the Commonwealth and can act in its own right exercising certain legal rights such as entering into contracts and owning property. Examples include the National Disability Insurance Agency and Comcare.
  • Commonwealth companies: are companies that are established by the Commonwealth under the Corporations Act 2001 and are wholly controlled by the Commonwealth. These include NBN Co Limited and Australian Rail Track Corporation Limited.

    See: <https://www.finance.gov.au/resource-management/governance/overview/> and <https://www.finance.gov.au/sites/default/files/Flipchart%201%20February%202019%20clean%20final.pdf> [accessed 20 February 2019].

16 National Disability Insurance Agency, About the NDIS, undated, p. 2, available at: <https://www.ndis.gov.au/about-us/what-ndis> [accessed 2 January 2018].

17 Department of Social Services, Portfolio Budget Statement 2019–20, pages 72 and 134, available at: <https://www.dss.gov.au/sites/default/files/documents/04_2019/social_services_portfolio_budget_statements_2019-20tr408uh.pdf> [accessed 5 April 2019].

18 Australian Government, Budget 2019–20 Overview, May 2019, available at: <https://www.budget.gov.au/2019-20/content/overview.html> [accessed 5 April 2019].

19 NDIA Corporate Plan 2018–22, page 44, [Internet], available at: <https://www.ndis.gov.au/about-us/publications/corporate-plan#corporate-p...> [accessed 26 April 2019].

20 NDIA press release, 24 July 2018, available at: https://www.ndis.gov.au/news/479-minister-announces-ndis-fraud-taskforce [accessed 20 February 2019].

21 Refer to ANAO performance audits: (1) Administration of the VET FEE-HELP Scheme, No. 31 of 2016–17 [Internet], available at: <https://www.anao.gov.au/work/performance-audit/administration-vet-fee-help-scheme> [accessed 26 April 2019]; (2) note there was a later, related audit: Design and Implementation of the VET Student Loans Program, Report 11 of 2018–19 [Internet], available at: <https://www.anao.gov.au/work/performance-audit/design-and-implementation-vet-student-loans-program> [accessed 26 April 2019].

22 Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2018 (Report number 19 of 2018–19), page 231 and paragraphs 4.17.38–4.17.42 [Internet], available at: <https://www.anao.gov.au/sites/default/files/Auditor-General_Report_2018-2019_19.pdf> [accessed 24 April 2019].

23 The Minister for Education said in a 17 December 2018 family day care fraud Media Release that: ‘We will continue to work to detect and disrupt non-compliant and fraudulent services. There will also be greater cooperation between government agencies to protect other government payments’. [Internet] available at: <https://ministers.education.gov.au/tehan/stamping-out-fraud-family-day-care> [accessed 1 May 2019].

24 Attorney-General’s Department, The Commonwealth Fraud Control Framework 2017, page A1. Available at: <https://www.ag.gov.au/Integrity/FraudControl/Pages/FraudControlFramework.aspx> [accessed 7 February 2019].

25 The NDIA has also followed Commonwealth guidance that suggests risk assessments should be completed at least every two years.

26 The NDIA’s external consultation with various departments and agencies is discussed further in Chapter 4 of this report.

27 As the NDIA is a corporate Commonwealth entity, the Fraud Guidance is non-binding but provides better practice guidance.

28 In April 2019, the NDIA advised the ANAO that it had identified a gap as the current Risk Assessment approach is focused on corporate and program-level risks. The NDIA intends to align this approach with the group and intra-agency fraud risks.

29 The NDIA’s Fraud and Corruption Risk Register was updated in November 2018. The NDIA also added a new control that was created after alleged fraudulent activity by a NDIS provider was identified in mid-2018.

30 The AS 8001-2008 Fraud and Corruption Control Standard, page 14. Available for purchase [Internet] at: <https://www.standards.org.au/standards-catalogue/sa-snz/publicsafety/qr-017/as--8001-2008> [accessed 5 June 2018].

31 Summary from: NSW Audit Office, Internal Controls Framework, July 2017 [Internet], available at: <https://www.audit.nsw.gov.au/sites/default/files/auditoffice/Governance-and-Policies---Current/Internal%20Control%20Framework%20current%20version%201.2.pdf> [accessed 28 February 2019].

32 ANAO did not test a statistically significant sample as the diverse nature of the controls (what they are and how they are implemented) means that the percentage of implemented controls in a sample cannot be extrapolated to the whole set of controls.

33 The ANAO did not review the effectiveness of the selected controls.

34 In the context of the NDIS, ‘Payment Integrity’ refers to multiple, interrelated issues that can affect the quality of payments. These include fraud, misuse, error, sharp practice, conflict of interest and corruption.

35 As the NDIA is a corporate Commonwealth entity, the 2017 Fraud Policy is non-binding but provides better practice guidance.

36 As the NDIA is a corporate entity, the AGIS is not mandatory for the agency.

37 As of February 2019 the Fraud and Compliance Branch has a total of 89 staff (including the Fraud Taskforce), with 71 (80 per cent) listed as contractors.

38 National Disability Insurance Scheme, Fraud Strategy [Internet], NDIS, available at: <https://www.ndis.gov.au/about-us/fraud-strategy> [accessed 18 February 2019].

39 National Disability Insurance Scheme, Reporting suspected fraud [Internet], NDIS, available at: <https://www.ndis.gov.au/about-us/fraud-strategy/reporting-suspected-fraud> [accessed 18 February 2019].

40 National Disability Insurance Scheme, Annual Report 2017–18, NDIS, available at: <https://www.ndis.gov.au/about-us/publications/annual-report#annual-repor...>

41 Commonwealth Director of Public Prosecutions, Prosecution Policy of the Commonwealth, CDPP available at: <https://www.cdpp.gov.au/prosecution-process/prosecution-policy> [accessed 6 June 2019].

42 National Disability Insurance Scheme, Minister announces NDIS Fraud Taskforce [Internet], NDIS, available at: <https://www.ndis.gov.au/news/479-minister-announces-ndis-fraud-taskforce> [accessed 18 February 2019].

43 National Disability Insurance Scheme, NDIS Fraud Taskforce update [Internet], NDIS, available at: <https://www.ndis.gov.au/news/427-ndis-fraud-taskforce-update> [accessed 18 February 2019].

44 National Disability Insurance Scheme, NDIS Taskforce makes first arrest [Internet], NDIS, available at: <https://www.ndis.gov.au/news/392-ndis-taskforce-makes-first-arrest> [accessed 18 February 2019].

45 The NDIS Provider Toolkit is an online training website that is designed for organisations and individuals who want to learn more about working with the NDIS. Available at: <https://providertoolkit.ndis.gov.au/> [accessed 18 February 2019].

46 As a corporate Commonwealth entity, the NDIA must comply with the Fraud Rule.

47 As the NDIA is a corporate Commonwealth entity, the Fraud Guidance is non-binding but provides better practice guidance.

48 This information is available on the NDIA’s website [Internet], available at: <https://www.ndis.gov.au/about-us/fraud-strategy/reporting-suspected-fraud> [accessed 8 February 2019].

49 As a corporate Commonwealth entity, the NDIA must comply with the Fraud Rule.

50 As the NDIA is a corporate Commonwealth entity, the Fraud Policy is non-binding but provides better practice guidance.

51 Association of Certified Fraud Examiners, Using Data Analytics to Detect Fraud (course introduction), [Internet], available at: <https://www.acfe.com/topic.aspx?id=4294970985> [accessed 4 April 2019].

52 The NDIA developed 21 actuarial profiles between 2014 and 2017 which used NDIA data to detect payment integrity issues and non-compliance. In late 2016, the NDIA held a Risk and Intelligence forum where they identified seven potential new actuarial profiles. Six of these were implemented in 2017. Four profiles were discontinued in 2016 and 2017.

53 The review did not consider two profiles where there was either no guidance on the use of the profile or no data against the profile.

54 Issues identified from this process are yet to be finalised.

55 There were 97 matches from this data. One instance was referred to the fraud intelligence area, two were referred to the data quality area, two had no action as date of death was correctly recorded by the NDIA, and the rest were referred to the serious non-compliance area.

56 As a corporate Commonwealth entity, the NDIA must comply with the Fraud Rule.

57 As the NDIA is a corporate Commonwealth entity, the Fraud Policy is non-binding but provides better practice guidance.

58 Australian Government, Media Release: NDIS Taskforce established to tackle crime [Internet], Former Ministers, 24 July 2018, available at: <https://formerministers.dss.gov.au/18064/ndis-fraud-taskforce-established-to-tackle-crime/> [accessed 27 February 2019].

59 AFP resources are engaged in the Taskforce via the existing agreement between Human Services and AFP.

60 NDIS Taskforce makes first arrest, October 2018, [Internet], available at: <https://www.ndis.gov.au/news/392-ndis-taskforce-makes-first-arrest> [accessed 23 May 2019].

61 Five arrested for million-dollar NDIS fraud, 22 May 2019, [Internet], available at: <https://www.afp.gov.au/news-media/media-releases/five-arrested-million-dollar-ndis-fraud> [accessed 23 May 2019].

62 The 18 requirements not tested were either not applicable to the NDIA, not the responsibility of the Fraud and Compliance Branch, or examining them had the potential to impact ongoing investigations.

63 For example, where the crime produces significant harm to the Commonwealth or the community, is of such a nature or magnitude prosecution is required to deter potential offenders, or involves criminal behaviour by corrupt Commonwealth officials.

64 Some historical fraud investigations continue to be managed by the Fraud and Anti-Corruption Centre.

65 AFP, Fraud and Anti-Corruption, available at: <https://www.afp.gov.au/what-we-do/crime-types/fraud/fraud-and-anti-corruption> [accessed 6 March 2019].

66 Attorney-General’s Department (AGD), Resource Management Guide 201, Preventing, Detecting and Dealing With Fraud, [Internet], AGD, August 2017, available at: <https://www.ag.gov.au/Integrity/FraudControl/Documents/FraudGuidance.pdf> [accessed 27 February 2019].

67 Attorney-General Media Release, 2 April 2019 [Internet], available at: <https://www.attorneygeneral.gov.au/Media/Pages/Budget-increase-provides-funding-certainty-for-legal-assistance-services-2-4-2019.aspx> [accessed 3 April 2019].

68 QSC, About QSC, available from: <https://www.ndiscommission.gov.au/about> [accessed 6 March 2019].

69 AGD, Fraud Control Framework, Fraud Rule, part (c)(ii), available at: <https://www.ag.gov.au/Integrity/FraudControl/Documents/CommonwealthFraudControlFramework2017.PDF> [accessed 6 March 2019].

70 NDIA’s Fraud Control Plan also states that all projects are to have a risk management plan; and that fraud risks must be reflected appropriately in higher level risk management plans (for example at Group level).

71 NDIA has advised that an updated version of the template is being developed, known as the RAIDD log, with the extra ‘D’ being for Decisions.

72 The template for the Risk Action Plan is an extract of the RAID log.

73 The Protective Security Policy Framework is administered by the Attorney-General’s Department to assist Australian Government entities to protect their people, information and assets, at home and overseas. Under the Public Governance, Performance and Accountability Act 2013, non-corporate Commonwealth entities are required to apply the Protective Security Policy Framework as it relates to their risk environment. Attorney-General’s Department, Protective Security Framework [Internet], available at: <https://www.protectivesecurity.gov.au/Pages/default.aspx> [accessed 27 February 2019].

74 Australian Government, Media Release: NDIS Taskforce established to tackle crime [Internet], Former Ministers, 24 July 2018, available at: <https://formerministers.dss.gov.au/18064/ndis-fraud-taskforce-established-to-tackle-crime/> [accessed 27 February 2019].

75 A sprint is a software development term which means a period of time during which specific work has to be completed as part of a larger project. It is now often used in project management terminology. [Internet], available at: <https://searchsoftwarequality.techtarget.com/definition/Scrum-sprint> [accessed 23 April 2019].

76 NDIS, Benefits of self-managing [Internet], available at: <https://www.ndis.gov.au/participants/using-your-plan/self-management#the...> [accessed 27 February 2019].

77 In 2016, there were 2515 participants self-managing. This increased to 24,983 in 2018 (900 per cent increase). The 2017–18 NDIA annual report (page 66) says that 24 per cent of participants were self-managed at 30 June 2018 (includes fully and partly self-managed participants), available at: <https://www.ndis.gov.au/about-us/publications/annual-report#annual-repor...> [accessed 1 March 2019].

79 Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2018 (Report number 19 of 2018–19), page 231 and paragraphs 4.17.38–4.17.42 [Internet], available at: <https://www.anao.gov.au/sites/default/files/Auditor-General_Report_2018-2019_19.pdf> [accessed 24 April 2019].

80 JCPAA 2017–18 Commonwealth Financial Report (Number 477), paragraphs 2.10–2.13 [Internet], published August 2018, available at: <https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Public_Accounts_and_Audit/FinancialStatements17-18/Report_477/section?id=committees%2freportjnt%2f024199%2f26323> [accessed 24 April 2019].

81 NDIA has advised that the random samples are derived to have a 95 per cent confidence level and an error rate of 10 per cent.

82 Ministerial Press Release, The Hon Paul Fletcher MP, NDIS Taskforce Makes First Arrest, 18 October 2018, [Internet], available at: <https://ministers.dss.gov.au/media-releases/3731> [accessed 15 March 2018].

83 Of the eight mitigation strategies, four are mandatory (the Top Four). Refer to ANAO Cyber Resilience Audit No. 35 of 2017–18, paragraph 3 [Internet], available at: <https://www.anao.gov.au/sites/default/files/ANAO_Report_2017-2018_53a.pdf> [accessed 24 April 2019].

84 For example, NDIA noted this in relation to its planned compliance with the Attorney-General’s Department (AGD)’s Protective Security Policy Framework (better practice for corporate Commonwealth entities). AGD, Protective Security Framework [Internet], AGD, 2019, available at: <https://www.protectivesecurity.gov.au/Pages/default.aspx> [accessed 27 February 2019].

85 Attorney-General’s Department, The Commonwealth Fraud Control Framework 2017, parts 13 and 14 of the Policy. Available at: <https://www.ag.gov.au/Integrity/FraudControl/Pages/FraudControlFramework.aspx> [accessed 7 February 2019].

86 As the NDIA is a corporate Commonwealth entity, the Fraud Policy in the 2017 Commonwealth Fraud Control Framework is better practice rather than binding.

87 NDIA, Annual Report 2017–18, page 53, available at: <https://ndis.gov.au/about-us/information-publications-and-reports/annual-reports> [accessed 27 February 2019].

88 NDIA, Annual Report 2017–18, page 92.

89 UK Government, Cross-Government Fraud Landscape Annual Report 2018 [Internet], page 21, available at: <https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/764832/Cross-GovernmentFraudLandscapeAnnualReport2018.pdf> [accessed 27 February 2019].