COMMONWEALTH FRAUD CONTROL FRAMEWORK 2014

Transcription

1 COMMONWEALTH FRAUD CONTROL FRAMEWORK 2014

2 ISBN: Commonwealth of Australia 2014 This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Commonwealth. Requests and inquiries concerning reproduction and rights should be addressed to the Commonwealth Copyright Administration, Attorney-General s Department, 3 5 National Circuit, Barton ACT 2600 or posted at

3 COMMONWEALTH FRAUD CONTROL FRAMEWORK 2014 Commonwealth Fraud Control Framework 2014 I

4 TABLE OF CONTENTS INTRODUCTION III AGENCY STATUS IV FRAUD RULE A1 FRAUD POLICY B1 FRAUD GUIDANCE C1 ii Commonwealth Fraud Control Framework 2014

5 INTRODUCTION Fraud is a threat that affects every Commonwealth entity in all areas of business, including benefits, taxation, procurement, grants and internal procedures. Estimates of what fraud costs Australians vary, but even conservative estimates put the cost at over $1 billion a year. Fraud against the Commonwealth is a criminal offence that impacts directly on Australians. It reduces the funds available for delivering public goods and services and undermines public confidence in the Government. It also creates risks for public health and safety though faulty construction, untested pharmaceuticals, unnecessary medical procedures and dumping of toxic waste. Fraud threats are becoming increasingly complex. Not only are entities at risk of fraud from external parties and internal officials, but increased provision of online services and exposure to overseas markets has created new threats from overseas criminals. Further, organised criminals are actively seeking to infiltrate Commonwealth entities to access government information and are committing fraud to fund other illegal activities. In order to manage these risks, the Government has developed the Commonwealth Fraud Framework (Framework) under the Public Governance, Performance and Accountability Act 2013 (PGPA Act). The Framework consists of three tiered documents: section 10 of the Public Governance, Performance and Accountability Rule 2014 a legislative instrument binding all Commonwealth entities setting out the key requirements of fraud control the Commonwealth Fraud Control Policy a Government Policy binding non-corporate Commonwealth entities setting out procedural requirements for specific areas of fraud control such as investigations and reporting, and Resource Management Guide No. 201, Preventing, detecting and dealing with fraud a best practice document setting out the Government s expectations in detail for fraud control arrangements within all Commonwealth entities. The Framework was developed in line with the cultural change in Commonwealth resource management under the PGPA Act, which reflects a move from a compliance approach to a principles-based framework. The Framework maintains the core elements of fraud control: rigorous risk assessments; fraud control plans, and appropriate prevention, detection and investigations measures. However, while all entities face fraud risks, each entity faces different fraud risks. What may be an effective fraud control in one entity may be unnecessary or insufficient in another. The Framework allows Commonwealth entities to manage their fraud risks in a way which best suits the individual circumstances of the entity. The Government takes fraud extremely seriously and is determined to ensure entities take all measures to control fraud and properly manage public resources in a way that maximises benefits for the Australian people. Commonwealth Fraud Control Framework 2014 III

6 AGENCY STATUS The Commonwealth Fraud Framework consists of three tiered documents, each with a different binding effect as set out in the table below. Non-corporate Commonwealth entities must comply with the fraud rule and fraud policy. While they are not bound by the fraud guidance, the Government considers it as best practice and expects that agencies will follow the fraud guidance where appropriate in meeting the requirements of the fraud rule and policy. Corporate Commonwealth entities must comply with the fraud rule. While they are not bound by the fraud policy or fraud guidance, the Government considers both documents as best practice for corporate Commonwealth entities and expects that these entities will follow the fraud guidance and fraud policy where appropriate in meeting the requirements of the fraud rule. Fraud Rule Fraud Policy Fraud Guidance Non-corporate Binding Binding Best practice Corporate Binding Best practice Best practice IV Commonwealth Fraud Control Framework 2014

7 FRAUD RULE Section 10 of the Public Governance, Performance and Accountability Rule 2014 This rule binds all Commonwealth entities. PART 2-2 ACCOUNTABLE AUTHORITIES AND OFFICIALS DIVISION 1 REQUIREMENTS APPLYING TO ACCOUNTABLE AUTHORITIES 10 Preventing, detecting and dealing with fraud Guide to this section The purpose of this section is to ensure that there is a minimum standard for accountable authorities of Commonwealth entities for managing the risk and incidents of fraud. It is made for paragraphs 102(a), (b) and (d) of the Act. The accountable authority of a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by: (a) conducting fraud risk assessments regularly and when there is a substantial change in the structure, functions or activities of the entity; and (b) developing and implementing a fraud control plan that deals with identified risks as soon as practicable after conducting a risk assessment; and (d) having an appropriate mechanism for detecting incidents of fraud or suspected fraud, including a process for officials of the entity and other persons to report suspected fraud confidentially; and (e) having an appropriate mechanism for investigating or otherwise dealing with incidents of fraud or suspected fraud; and (f) having an appropriate mechanism for recording and reporting incidents of fraud or suspected fraud. (c) having an appropriate mechanism for preventing fraud, including by ensuring that: (i) officials in the entity are made aware of what constitutes fraud; and (ii) the risk of fraud is taken into account in planning and conducting the activities of the entity; and Fraud Rule A1

8 FRAUD POLICY Commonwealth Fraud Control Policy This policy binds all non-corporate Commonwealth entities and is considered best practice for corporate Commonwealth entities. PURPOSE i. The Commonwealth Fraud Control Policy (the Policy) has been developed to support the accountable authorities of non-corporate Commonwealth entities (entities) to effectively discharge their responsibilities under the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and section 10 of the Public Governance, Performance and Accountability Rule 2014 (the fraud rule). Under section 21 of the PGPA Act, the accountable authority of a non corporate Commonwealth entity must govern the entity in a way that is not inconsistent with the policies of the Australian Government. ii. The Policy sets out the key procedural requirements which the Government views as necessary for accountable authorities to establish and maintain an appropriate system of fraud control for their entity. Consistent with the fraud rule, the objectives of the requirements are to: protect public resources, including money, information and property, and protect the integrity and good reputation of entities and the Commonwealth. SCOPE iii. Consistent with the Commonwealth Risk Management Policy corporate Commonwealth entities are not required to comply with this Policy, but should review and align their fraud control frameworks and systems with this Policy as a matter of good practice. iv. Non-corporate Commonwealth entities must comply with this Policy by virtue of section 21 of the PGPA Act. v. Non-corporate Commonwealth entities must ensure that their fraud control arrangements are developed in the context of the entity s overarching risk management framework as described in the Commonwealth Risk Management Policy. vi. This Policy commences immediately after the commencement of section 10 of the PGPA Act rule or 1 July 2014, whichever is the later. INTRODUCTION vii. The fraud rule sets out the key principles of fraud control which all accountable authorities must comply, but allow entities flexibility to develop measures which are adapted to the risks of that entity s own arrangements. viii. The procedural requirements in this Policy supplement the fraud rule and aim to ensure key elements of fraud control are maintained by entities. The procedures relate to fraud control activities in particularly sensitive areas, where there is a high risk of significant impact to the entity if they are not appropriately maintained. The procedures are also intended to ensure the necessary level of accountability. ix. As with the fraud rule, additional information on implementing the requirements in this Policy are set out in guidance issued by the Minister for Justice Resource Management Guide No 201 Preventing, detecting and dealing with fraud (fraud guidance). B1 Commonwealth Fraud Control Framework 2014

9 FRAUD POLICY COMMONWEALTH FRAUD CONTROL PROCEDURES x. For the purposes of the Policy, the fraud rule and fraud guidance, fraud is defined as dishonestly obtaining a benefit or causing a loss by deception or other means. This definition is based on the fraudulent conduct offences under part 7.3 of the Criminal Code Act 1995, in addition to other relevant offences under chapter 7 of the Criminal Code. xi. In addition to the requirements set out in the fraud rule, the accountable authority must ensure that the entity meets the following procedural requirements: PREVENTION AND TRAINING 1. Entities must document their instructions and supporting procedures that assist officials to deal with fraud. 2. All officials and contractors must take into account the need to prevent and detect fraud as part of their normal responsibilities. 3. Entities must ensure that officials who are primarily engaged in investigating fraud as a minimum meet the required fraud control competency requirements set out in the Australian Government Investigations Standards (AGIS) within 12 months of being engaged in investigating fraud. 4. Entities must ensure officials primarily engaged in fraud control activities possess or attain relevant qualifications or training to effectively carry out their duties within 12 months of being engaged in fraud control activities. Relevant qualifications include a Certificate IV in Government (Fraud Control) or equivalent for officials primarily engaged in fraud risk assessment, and a Diploma of Government (Fraud Control) or equivalent for officials primarily engaged in the coordination and management of fraud control activities. OUTSOURCING 5. Outsourcing does not remove the responsibility of the accountable authority to manage fraud risk. However, when an entity provides third-party services for another entity, the entity delivering the service retains responsibility for meeting the first entity s obligations under this Policy and the fraud rule. INVESTIGATIONS 6. Entities must take into consideration the requirements of the AGIS when developing systems and processes for the detection and investigation of fraud. 7. Entities must maintain appropriately documented procedures setting out criteria for making decisions at critical stages in the management of a suspected fraud incident. The procedures must be consistent with the Policy and in accordance with any relevant requirements under the AGIS. 8. Entities must appropriately document decisions to use civil, administrative or disciplinary procedures or to take no further action in relation to a suspected fraud incident. 9. An entity is responsible for investigating instances of fraud or suspected fraud against it, including investigating disciplinary matters, unless the matter is referred to and accepted by the Australian Federal Police (AFP) or another law enforcement agency. 10. Where a law enforcement agency declines a referral, entities must resolve the matter in accordance with internal and external requirements such as the AGIS and relevant entity specific criteria. 11. The AFP has the primary law enforcement responsibility for investigating serious or complex fraud against the Commonwealth. Entities must refer all instances of potential serious or complex fraud offences to the AFP in accordance with the AGIS and AFP referral process, except in the following circumstances: Fraud Policy B2

10 a) entities that have the capacity and the appropriate skills and resources needed to investigate potential criminal matters and meet the requirements of the Commonwealth Director of Public Prosecutions (CDPP) in preparing briefs of evidence and the AGIS for gathering evidence, or b) where legislation sets out specific alternative arrangements. 12. Investigations must be carried out by appropriately qualified personnel as set out in paragraph 3. If external investigators are engaged, they must as a minimum have the required investigations competency requirements set out in the AGIS. 13. Entities must have in place investigation processes and procedures that are consistent with the AGIS. Entities must also comply with the Prosecution Policy of the Commonwealth. 14. Entities must take all reasonable measures to recover financial losses caused by illegal activity through proceeds of crime and civil recovery processes or administrative remedies. 15. Where an investigation discloses potential criminal activity involving another entity s activities or programs, the investigating entity must report the matter to that entity in accordance with the Privacy Act 1988 and the Australian Privacy Principles. REPORTING 16. Entities must have procedures in place to manage information gathered about fraud against the entity. Australian Institute of Criminology report on fraud against the Commonwealth 17. All entities must collect information on fraud and provide it to the Australian Institute of Criminology (AIC), by 30 September each year to facilitate production of an AIC annual report on fraud against the Commonwealth and fraud control arrangements. The AIC must provide this annual report to the Attorney-General s Department (AGD) within six months of receiving the information collected under paragraphs 17, 18 and In addition to providing data under paragraph 17 to the AIC, the AFP is to provide annual information to the AIC on all fraud incidents against the Commonwealth referred to, accepted or declined by, the AFP during the previous financial year. The precise data items will be agreed between the AFP and the AIC. 19. In addition to providing data under paragraph 17 to the AIC, the CDPP is to provide annual information to the AIC on all fraud incidents handled by the CDPP during the previous financial year. The precise data items will be agreed between the CDPP and the AIC. Attorney-General s Department report on compliance 20. The AIC must provide the relevant information it collects under paragraphs 17, 18 and 19 within six months of receiving it to the AGD to facilitate production of an AGD annual report on whole of government compliance with the requirements of the fraud rule and this Policy. Reporting to Ministers or Presiding Officers 21. Accountable authorities must provide a report annually to their Minister or Presiding Officers, which includes: fraud initiatives undertaken by the entity in the reporting period, including an evaluation of their impact on fraud prevention, detection and response B3 Commonwealth Fraud Control Framework 2014

11 planned fraud initiatives yet to be implemented information regarding significant fraud risks for the entity, and significant fraud incidents which occurred during the reporting period. GLOSSARY OF TERMS Accountable authority The person or group of persons who has responsibility for, and control over, a Commonwealth entity s operations as set out under section 12 of the PGPA Act. Commonwealth entity A department of state, a parliamentary department, a listed entity or a body corporate established by a law of the Commonwealth. Commonwealth official (official) An individual who is in, or forms part of, the entity as set out under section 13 of the PGPA Act. Corporate Commonwealth entity A Commonwealth entity that is a body corporate and legally separate from the Commonwealth. Non-corporate Commonwealth entity A Commonwealth entity that is not a body corporate and legally part of the Commonwealth. Serious and complex fraud Fraud which due to its size or nature is too complex for most entities to investigate (further information serious and complex fraud can be found in the fraud guidance). Fraud Policy B4

12 FRAUD GUIDANCE Resource Management Guide No Preventing, detecting and dealing with fraud This guidance supports the fraud rule and fraud policy and is considered best practice for all Commonwealth entities. CONTENTS RESOURCE MANAGEMENT GUIDE NO. 201 Audience Key points Abbreviations and acronyms Glossary Part 1 Introduction Part 2 The legislative framework Part 3 Objectives and scope Part 4 Definition of fraud Part 5 Role of accountable authorities Part 6 Risk assessment Part 7 Fraud control plans Part 8 Fraud prevention, awareness and training Part 9 Outsourcing arrangements Part 10 Detection, investigation and response Part 11 Quality assurance and reviews Part 12 Reporting C1 C2 C2 C2 C3 C4 C4 C6 C7 C9 C9 C11 C12 C14 C14 C19 C20 C1 Commonwealth Fraud Control Framework 2014

13 FRAUD GUIDANCE Resource Management Guide No Preventing, detecting and dealing with fraud AUDIENCE This guide is intended for accountable authorities and Commonwealth officials. KEY POINTS This guide: is issued by the Minister for Justice to assist accountable authorities to meet their obligations under the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and section 10 of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) and the Commonwealth Fraud Control Policy. provides best practice guidance for fraud control arrangements within entities commences on 1 July 2014, when the PGPA Act and PGPA Rule take effect, and is available on the Attorney-General s Department website at < ABBREVIATIONS AND ACRONYMS ACCC ACLEI AFP AGD AGIS AIC ANAO APSC ASIC CCPM CDPP Corporate entity Non-corporate entity Official Australian Competition and Consumer Commission Australian Commission for Law Enforcement Integrity Australian Federal Police Attorney-General s Department Australian Government Investigations Standards Australian Institute of Criminology Australian National Audit Office Australian Public Service Commission Australian Securities and Investments Commission Case Categorisation and Prioritisation Model Commonwealth Director of Public Prosecutions Corporate Commonwealth entity Non-corporate Commonwealth entity Commonwealth Official PGPA Act Public Governance, Performance and Accountability Act 2013 PGPA Rule Public Governance, Performance and Accountability Rule 2014 Fraud Guidance C2

14 GLOSSARY accountable authority: the person or group of persons who has responsibility for, and control over, a Commonwealth entity s operations as set out under section 12 of the PGPA Act. Commonwealth official: an individual who is in, or forms part of, the entity as set out under section 13 of the PGPA Act. Commonwealth entity: a department of state, a parliamentary department, a listed entity or a body corporate established by a law of the Commonwealth. corporate Commonwealth entity: a Commonwealth entity that is a body corporate and legally separate from the Commonwealth. Criminal Code: Criminal Code Act fraud rule: Section 10 of the PGPA Rule. non-corporate Commonwealth entity: a Commonwealth entity that is not a body corporate and legally part of the Commonwealth. FRAUD RULE 10 Preventing, detecting and dealing with fraud GUIDE TO THIS SECTION The purpose of this section is to ensure that there is a minimum standard for accountable authorities of Commonwealth entities for managing the risk and incidents of fraud. It is made for paragraphs 102(a), (b) and (d) of the Act The accountable authority of a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by: (a) conducting fraud risk assessments regularly and when there is a substantial change in the structure, functions or activities of the entity; and (b) developing and implementing a fraud control plan that deals with identified risks as soon as practicable after conducting a risk assessment; and (c) having an appropriate mechanism for preventing fraud, including by ensuring that: (i) officials in the entity are made aware of what constitutes fraud; and (ii) the risk of fraud is taken into account in planning and conducting the activities of the entity; and (d having an appropriate mechanism for detecting incidents of fraud or suspected fraud, including a process for officials of the entity and other persons to report suspected fraud confidentially; and (e) having an appropriate mechanism for investigating or otherwise dealing with incidents of fraud or suspected fraud; and (f) having an appropriate mechanism for recording and reporting incidents of fraud or suspected fraud. C3 Commonwealth Fraud Control Framework 2014

15 PART 1 INTRODUCTION 1.1 Fraud against the Commonwealth is a serious matter for all Commonwealth entities and for the community. Not only is it a criminal offence, but fraud reduces funds available for delivering public goods and services, undermines the integrity of and public confidence in the government and can place public safety at risk. The Australian community rightly expects that entities and officials acknowledge and fulfil their responsibilities as stewards of public funds and make every effort to protect public resources. 1.2 This guide is issued by the Minister for Justice to assist accountable authorities to meet their obligations under the PGPA Act and section 10 of the PGPA Rule and the Commonwealth Fraud Control Policy. The purpose of the guide is to promote high standards of governance, performance and accountability by establishing non-binding principles and processes for effective fraud control for all Commonwealth entities and their officials and contractors. 1.3 The fraud rule ensures that there is a minimum standard for accountable authorities of Commonwealth entities for managing the risk and incidence of fraud. It articulates the key requirements for establishing and maintaining fraud control systems, including prevention, detection and responses to fraud. This guide expands on these requirements to articulate a flexible framework for fraud control that can be tailored to the circumstances and needs of different entities while providing coherent, consistent, transparent and accountable requirements. 1.4 The guide should be read in conjunction with other relevant documents, including the Commonwealth Grant Guidelines, the Commonwealth Procurement Rules, the Covert Surveillance in Commonwealth Administration Guidelines, the Commonwealth Protective Security Policy Framework, Commonwealth Risk Management Policy and the AGIS. Where the guide states that an accountable authority, official or entity must do something, this reflects a pre existing obligation. If a conflict arises between this guide and legislation (including legislative instruments) or Australian Government policies, the legislation or policy takes precedence. 1.5 The AGIS provides minimum case handling standards for investigations. Copies are available from AGD or the AFP, which administers the AGIS on behalf of the Heads of Commonwealth Operational Law Enforcement Agencies. 1.6 Fraud risks and controls are often linked in with other corporate and integrity related risks, including protective security and corruption. Fraud risk assessments and controls should often be integrated within an overall general business risk approach. PART 2 THE LEGISLATIVE FRAMEWORK 2.1 Fraud is a criminal offence under chapter 7 of the Criminal Code. 2.2 Section 10 of the PGPA Rule provides a legislative basis for the Commonwealth s fraud control arrangements. It sets out fraud control requirements to assist accountable authorities to meet their obligations under the PGPA Act. 2.3 Breaches of the fraud rule may attract a range of criminal, civil, administrative and disciplinary remedies (including under the PGPA Act, the Public Service Act 1999, the Criminal Code and the Crimes Act 1914). 2.4 Under section 21 of the PGPA Act, non-corporate entities are also required to be governed in a way that is not inconsistent with polices of the Australia Government, which would include any policies issued by the Government on fraud. 2.5 Guidance material, including this guide is non-binding, but provides best practice to assist accountable authorities to meet their obligations under the fraud rule. Fraud Guidance C4

16 Roles and responsibilities of key entities The AFP investigates most serious or complex crime against Commonwealth laws, its revenue, expenditure and property, which can include both internal and external fraud committed in relation to Commonwealth programs. The AFP conducts quality assurance reviews of entities fraud investigations and can provide advice and other forms of assistance to entities conducting fraud investigations, including recovery action under the Proceeds of Crime Act The Commonwealth Director of Public Prosecutions (CDPP) is responsible for prosecuting offences against Commonwealth law. All prosecutions and related decisions are made in accordance with the guidelines set out in the Prosecution Policy of the Commonwealth. The Attorney-General s Department (AGD) is responsible for providing high-level advice to the Government about fraud control arrangements within the Commonwealth. This includes developing and reviewing general policies of the Government with respect to fraud control, currently embodied in this guide, advising entities about the content of those policies, and reporting to Government on compliance with the fraud rule. The Australian National Audit Office (ANAO) has the authority to conduct performance audits of Commonwealth entities that may include an assessment of how entities meet their fraud responsibilities. The Australian Institute of Criminology (AIC) is responsible for conducting an annual fraud survey of entities and producing a report on fraud against the Commonwealth, and fraud control arrangements within entities. The report is known as the Annual report to government: fraud against the Commonwealth, and is provided to the Minister for Justice. Australian Commission for Law Enforcement Integrity (ACLEI) assists the Integrity Commissioner in carrying out his or her responsibilities to detect and prevent corrupt conduct and to investigate corruption issues in prescribed Australian Government entities with law enforcement functions. Fraud incidents in these prescribed entities may also include corrupt conduct which may be referred to ACLEI. The Australian Competition and Consumer Commission (ACCC) is responsible for enforcing compliance with Australia s competition laws, which contain criminal and civil prohibitions on fraud in the form of cartel conduct. Cartel conduct occurs when competitors conspire to fix or control prices, rig bids, restrict supply or allocate markets. The ACCC is committed to providing procurement officers within entities with the knowledge and the tools needed to detect and report possible collusion by suppliers. The Australian Securities and Investments Commission (ASIC) regulates Australian companies, financial markets, and financial services organisations and professionals who deal with and advise on investments, superannuation, insurance, deposit taking and credit under a number of Commonwealth laws. ASIC uses enforcement powers to detect and deal with unlawful conduct and responds to breaches of law ranging from minor regulatory offences through to serious misconduct. ASIC uses compulsory information-gathering powers to collect documents and information for formal investigations. Entities should contact ASIC where fraud matters involve any of the above conduct. C5 Commonwealth Fraud Control Framework 2014

17 PART 3 OBJECTIVES AND SCOPE 3.1 The Australian Government is committed to taking a targeted and risk based approach to the prevention and detection of fraud perpetrated against the Commonwealth. The management of fraud risk is a collective responsibility of all Commonwealth officials or persons otherwise engaged by the Commonwealth. Everyone in an entity is responsible for the proper management of public resources, whether working in policy design, program delivery, or other functions. 3.2 The objectives of the fraud rule, fraud policy issued by the Australian Government and this guide, consistent with good governance by the Commonwealth, are to: protect public resources, including information and property, and protect the integrity and good reputation of entities and the Commonwealth. This includes reducing the risk of fraud occurring, discovering and investigating fraud when it occurs, and taking appropriate corrective actions to remedy the harm. 3.3 The fraud rule and this guide establish the fraud control framework within which all entities determine their own specific practices, plans and procedures to manage the prevention and detection of fraudulent activities, the related investigation and, where appropriate, prosecutions of offenders. The fraud control framework also includes fraud policy issued by the Minister for Justice, which non-corporate entities must, and corporate entities should, comply with. Fraud control strategies should become an integral part of an entity s culture, processes and practices. The most effective way to prevent or deter fraud is through the thorough and rigorous design of entity-level policy and programs, which should include detailed planning for implementation. 3.4 Fraud control in the Commonwealth is based on: thorough regular assessment of risks particular to the operating environments of entities and the programs they administer development and implementation of processes and systems to effectively prevent, detect and investigate fraud application of appropriate criminal, civil, administrative or disciplinary action to remedy the harm from fraud recovery of proceeds of fraudulent activity training officials and relevant contractors in fraud awareness and specialised training of officials involved in fraud control activities, and external scrutiny of fraud control activities by the ANAO to provide accountability to Parliament. 3.5 While the fraud rule binds all Commonwealth entities, this guide sets out the Commonwealth s expectations for best practice in fraud control arrangements, which entities should adhere to taking into account their individual circumstances. The guide is not intended to cover all types of entity risk. For instance, where corruption or other internal or external entity risks are concerned, the guide should be considered a useful starting point to be used in conjunction with other appropriate guidance materials. 3.6 If not already required, entities should ensure that their fraud control arrangements are developed in the context of the entity s overarching risk management framework as described in the Commonwealth Risk Management Policy. Fraud Guidance C6

18 PART 4 DEFINITION OF FRAUD 4.1 For the purposes of this guide, fraud against the Commonwealth is defined as dishonestly obtaining a benefit, or causing a loss, by deception or other means. This definition is based on the fraudulent conduct offences under part 7.3 of the Criminal Code, in addition to other relevant offences under chapter 7 of the Criminal Code. 4.2 There is a mental or fault element to fraud requiring intent; it requires more than carelessness, accident or error. 4.3 Offences of fraud against the Commonwealth may be prosecuted under a number of different Commonwealth laws. The dishonesty offences under part 7.3 in chapter 7 of the Criminal Code are often used and offer a good example of the fault elements necessary to establish fraudulent behaviour. 4.4 Fraud against the Commonwealth may include (but is not limited to): theft accounting fraud (e.g. false invoices, misappropriation) misuse of Commonwealth credit cards unlawful use of, or unlawful obtaining of, property, equipment, material or services causing a loss, or avoiding and/or creating a liability providing false or misleading information to the Commonwealth, or failing to provide information when there is an obligation to do so misuse of Commonwealth assets, equipment or facilities cartel conduct making, or using, false, forged or falsified documents, and/or wrongfully using Commonwealth information or intellectual property. 4.5 A benefit is not restricted to a monetary or material benefit, and may be tangible or intangible, including the unauthorised provision of access to or disclosure of information. A benefit may also be obtained by a third party rather than, or in addition to, the perpetrator of the fraud. 4.6 Fraud against the Commonwealth takes many forms, and may target one or more of the following: revenue (e.g. income tax, GST or customs duty) benefits and transfer payments (e.g. social security, healthcare, childcare, child support, education or training, visa or grant of citizenship) property (e.g. cash, computers, other portable and attractive items, or stationery) information and intelligence (e.g. personal information or classified material) Commonwealth program funding and grants (e.g. education, childcare, employment) entitlements (e.g. expenses, leave, travel allowances or attendance records) government procurement through cartel conduct misuse of fraudulent identities (e.g. to access services, information, locations or other benefits) facilities (e.g. unauthorised use of vehicles or information technology and telecommunication systems), and/or money or property held in trust or confiscated. C7 Commonwealth Fraud Control Framework 2014

19 4.7 The risk of fraud can come from inside an entity, that is, from its officials or contractors. This is known as internal fraud. External fraud, on the other hand, is where the risk of fraud comes from outside the entity, that is, from external parties, such as clients, service providers or other members of the public. Fraud can also enable future criminal activity, including further frauds and other serious and organised crime (e.g. through obtaining false identities or licences, or by providing funds for other criminal activities). 4.8 Entities also need to be alert to the risk of complex fraud involving collusion between their officials and external parties. Complex fraud, which may also constitute corrupt conduct, can include instances when an official or group of officials: are targeted and succumb to exploitation by external parties (bribery, extortion, grooming for favours or promises), or initiate the misconduct (including through infiltration of an entity by an external party). 4.9 Note that some forms of corrupt conduct, such as soliciting for bribes or secret commissions, may not cause a direct loss to the Commonwealth, but may distort the market for fair provision of services or inflate prices, and may damage the public s trust in the Government and Australia s international reputation Fraud can be a criminal offence, breach of the APS Code of Conduct or duties of officials under the PGPA Act, and/or a breach of contract or other wrong amounting to a civil action. Dishonesty in the Criminal Code Part 7.3 in chapter 7 of the Criminal Code deals with fraudulent conduct against the Commonwealth, and contains a range of offences, including: - dishonestly obtaining a financial advantage from a Commonwealth entity by deception (section 134.2) - doing anything with the intention of dishonestly: obtaining a gain from a Commonwealth entity, or causing a loss to a Commonwealth entity (sections 135.1(1) and (3)) - conspiring with another person with the intention of dishonestly: obtaining a gain from a Commonwealth entity, or causing a loss to a Commonwealth entity (sections 135.4(1) and (3)) - dishonestly influencing a Commonwealth public official in the exercise of their duties (section 135.1(7)), or - obtaining a financial advantage which the recipient knows or believes they are not eligible to receive (section 135.2(1)). The meaning of dishonesty is set out in section as follows: (a) dishonest according to the standards of ordinary people, and (b) known by the defendant to be dishonest according to the standards of ordinary people. Fraud Guidance C8

20 PART 5 ROLE OF ACCOUNTABLE AUTHORITIES 5.1 Effective fraud control requires the commitment of all officials, contractors and third party providers. However, the primary responsibility for fraud control rests with accountable authorities. Accountable authorities play a key role in ensuring their entities have appropriate fraud control arrangements, and in setting the ethical tone within their entities. 5.2 Section 15 of the PGPA Act provides that the accountable authority of an entity must govern the entity in a way that promotes: the proper use and management of public resources for which the authority is responsible; the achievement of the purposes of the entity and the financial sustainability of the entity. 5.3 Section 16 of the PGPA Act provides that the accountable authority of an entity must establish and maintain an appropriate system of risk oversight and management for the entity and an appropriate system of internal controls for the entity, including implementing measures directed at ensuring officials of the entity comply with the finance law. 5.4 The general duties provisions in the PGPA Act (sections 25 to 29) impose a range of obligations on officials, including acting in good faith and for proper purpose, and not improperly using their position or information. 5.5 Accountable authorities must be satisfied that their entities comply with the mandatory requirements in section 10 of the PGPA Rule. The requirements are: (a) conducting fraud risk assessments regularly and when there is a substantial change in the structure, functions or activities of the entity (b) developing and implementing a fraud control plan that deals with identified risks as soon as practicable after conducting a risk assessment (c) having an appropriate mechanism for preventing fraud, including by ensuring that: (i) officials in the entity are made aware of what constitutes fraud; and (ii the risk of fraud is taken into account in planning and conducting the activities of the entity (d) having an appropriate mechanism for detecting incidents of fraud or suspected fraud, including a process for officials of the entity and other persons to report suspected fraud confidentially (e) having an appropriate mechanism for investigating or otherwise dealing with incidents of fraud or suspected fraud, and (f) having an appropriate mechanism for recording and reporting incidents of fraud or suspected fraud. PART 6 RISK ASSESSMENT 6.1 Under paragraph (a) of section 10 of the PGPA Rule, a fraud risk assessment must be conducted regularly and when there is a substantial change in the structure, functions or activities of the entity. 1 Subject to an entity s individual risks and environment, risk assessments should be conducted at least once every two years. Risk assessments consider internal and external fraud risks. Entities whose functions or operations are associated with a high fraud risk, or that operate in environments with a high fraud or corruption risk, should assess risk more frequently. 1 See paragraph 6.9 of this guide. C9 Commonwealth Fraud Control Framework 2014

21 6.2 Risk assessment strategies should be reviewed and refined on an ongoing basis in light of experience with continuing or emerging fraud vulnerabilities. The outcomes of fraud risk assessments should be provided to entities internal audit units for consideration in the annual audit work program. Entities should develop dynamic risk assessment procedures and integrate the fraud risk assessment process within an overall general business risk approach. 6.3 Fraud risk should not be looked at in isolation from the general business of the entity but should be considered as an aspect of the entity s broader risk assessment processes, including the entity s security risk assessment. 6.4 Entities will generally face different fraud control issues depending on their size and the nature of their business, both of which influence an entity s potential exposure to fraud. Risk management is an integral part of good management practice and should be integrated into an entity s strategic and business planning processes. It is not cost effective to institute measures to address every possible business risk, including potential fraud. Therefore, the likely occurrence of fraud and its impact on an entity s key organisational objectives and core business should be carefully assessed. A risk based approach enables an entity to target its resources, both in prevention and detection, at problem areas. 6.5 Entities are responsible for determining the risk assessment approach that is most appropriate for their circumstances. Risk assessment processes should take into account all significant factors likely to affect an entity s exposure to risk. The level and depth of the assessment will be determined by the level of vulnerability or exposure to fraud relevant to the entity. 6.6 Generally, management of fraud risks should be embedded in an entity s risk control and governance procedures rather than being seen or practiced as a separate program. However, some large entities or programs will have an inherent risk of fraud due to the nature of their business (e.g. revenue collection, payment of benefits or contract procurement activities). Those entities should consider developing a fraud risk assessment process that is specific to a particular policy or program area. 6.7 In developing their fraud risk assessment and fraud control plan, entities should adopt a methodology consistent with the relevant up to date recognised standards: currently the Australian/New Zealand Standard AS/NZ ISO Risk Management Principles and Guidelines and Australian Standard AS Fraud and Corruption Control. 6.8 Risk assessment is a continuous process. Where appropriate, entities should consider introducing a rolling program of updating their risk assessment procedures and risk mitigation measures. 6.9 Under paragraph (a) of section 10 of the PGPA Rule, when an entity undergoes a substantial change in structure, function or programmes, or when there is a significant transfer in function (for example, as a result of a machinery of government change), the entity must conduct a fraud risk assessment in relation to the changed structure, function or programs. A substantial change can include changes to service delivery models, such as expansion of, or into, online provision of information and services. In such cases, the revised fraud risk assessment will need to consider new or varied fraud risks arising from a transfer to, or increased use of, the online environment Under paragraph (c)(ii) of section 10 of the PGPA Rule, the risk of fraud is to be considered when planning and conducting the activities of entities. This includes when major new policies are being developed or when there is a significant change in a policy or in the way a policy will be implemented. Again, this should be considered in the context of other business risks. The assessment of fraud risks is an integral part of program design, and program design should include measures to prevent fraud from occurring in addition to fraud minimisation. Fraud Guidance C10

22 6.11 Risk assessment and fraud control planning require specific expertise, particularly in the increasingly complex context in which entities are operating. Risk assessments can be undertaken using in-house resources, but it is important to ensure that the risk assessment team has access to the range of skills, knowledge and experience necessary to provide coverage of the categories of risk to be considered If resources are not available in-house, entities may choose to outsource all or part of the risk assessment and fraud control planning process. However, even if the tasks are outsourced, the process should be overseen by a senior official in the entity. Outsourcing does not remove the responsibility of accountable authorities or of senior management to deal with fraud risk. Entities should ensure that the organisation to which it is outsourcing has the competencies set out in this guide. Entities should ensure that relevant corporate knowledge is appropriately captured and taken into account during the risk assessment and fraud control planning process. PART 7 FRAUD CONTROL PLANS 7.1 Under paragraph (b) of section 10 of the PGPA Rule, fraud risk assessments must be followed by the development (or updating) and implementation of a fraud control plan to manage the identified risks. Effective oversight mechanisms should be in place to oversee the process of developing and implementing the fraud control plan. The fraud control plan should, whenever appropriate, emphasise prevention measures, including effective policy and program design to minimise the opportunity for fraud. 7.2 Fraud control plans and processes do not have to be developed as standalone documents. The fraud control plan should, where appropriate, be integrated into the entity s strategic plan, business plan or risk management plan. When a fraud risk is assessed to be high due to the nature of an entity s business, specific fraud control plans at the entity, enterprise or program level may be appropriate. 7.3 The fraud control plan should document the entity s approach to controlling fraud at a strategic, operational and tactical level, and should encompass prevention, detection, reporting and investigation measures. The plan should include: a summary of the identified internal and external fraud risks or vulnerabilities associated with the entity s activities or functions the treatment strategies or controls (including policies, governance and other structures, and procedures) put in place to mitigate the identified risks or vulnerabilities information about implementation, such as identifying positions responsible for implementation, timeframes, monitoring arrangements, and channels and processes for officials, contractors or members of the public to report fraud or suspected fraud strategies to ensure the entity meets its training needs mechanisms for collecting, analysing and reporting the number and nature of incidents of fraud or alleged fraud within or against the entity, and protocols setting out how the entity will handle allegations or suspicions of fraud, including assessment of allegations, establishment of investigations and options for resolution of incidents (such as referral to police and when and how to initiate a recovery action). 7.4 Controls and strategies outlined in fraud control plans should be commensurate with assessed fraud risks. Testing controls may indicate that not all controls and strategies are necessary or that different approaches may have more effective outcomes. Controls should be reviewed on a regular basis to make sure they remain useful. C11 Commonwealth Fraud Control Framework 2014

23 7.5 Fraud control arrangements should reflect the fraud risk profile of an entity or particular program. The ANAO report Fraud control in Australian Government agencies (2010) found that small entities (those with fewer than 249 employees) comprised the largest percentage of entities that indicated they were not meeting the mandatory fraud external reporting requirements and generally were less likely to have fraud prevention oversight arrangements in place. While the nature and extent of internal and external fraud risks faced by smaller entities may differ from the fraud risks facing larger, service delivery entities, these risks will still require targeted mitigation strategies. Small entities should adopt fit-for-purpose mechanisms to address specific fraud risks. 7.6 In addition to the requirement under paragraph (b) of section 10 of the PGPA Rule for fraud control plans to follow as soon as practical after an entity s risk assessment, fraud control plans should include review mechanisms to enable an entity to evaluate the effectiveness of its fraud control strategies regularly, particularly following changes in business processes or systems or after instances of fraud have been discovered. This will help ensure that control systems remain appropriate, cost-effective and proportionate to the actual risks they are addressing. 7.7 Fraud control plans should be user-friendly and available to all relevant officials. Entities should provide a copy of their fraud control plans to AGD or the AFP on request to assist in the analysis of fraud trends and in development of guidance material. 7.8 Fraud control plans should also include strategies to mitigate the risk of fraudulent issuance of identity documents or other credentials or qualifications that may have downstream consequences to other government agencies or the broader community, such as approaches to address the risk of fraud facilitated by trusted insiders. Further guidance on dealing with identity fraud can be found in the National Identity Security Strategy and National e-authentication Framework. Online services such as the Document Verification Service can assist in this regard by improving agencies ability to detect potentially fraudulent identity documents. PART 8 FRAUD PREVENTION, AWARENESS AND TRAINING 8.1 Fraud prevention involves not only putting into place effective accounting and operational controls, but also fostering an ethical culture that encourages officials and contractors at all levels to play their part in protecting public resources. Establishing an ethical culture is a key element of sound governance and is an important factor in preventing fraud and helping to detect it once it occurs. 8.2 As part of the accountable authority s responsibility for developing an overall fraud control strategy, the entity must ensure that officials in the entity are made aware of what constitutes fraud, consistent with paragraph (c)(i) of section 10 of the PGPA Rule. At a minimum, this should include preparing and widely distributing a fraud strategy statement. 8.3 Typically, a fraud strategy statement will form part of other corporate documentation and include: the definition of fraud and an outline of the entity s position on fraud a statement of the entity s commitment to investigating and prosecuting fraud or pursuing other effective remedies a statement of officials and contractors responsibilities relating to preventing and reporting fraud, and the protocol for how fraud is to be reported a summary of the consequences of acting fraudulently an assurance that allegations and investigations will be handled confidentially directions on how allegations and incidents of fraud are to be managed, and advice on where further information can be found. Fraud Guidance C11