Date post: 09-Jun-2018
FRAUD & CORRUPTION CONTROL PLAN 2016 – 2018

Foreword

The Department of the Prime Minister and Cabinet (PM&C) has unique responsibilities and a privileged role within the Commonwealth. PM&C has a strategic policy development and coordination role, providing guidance to the whole of government, in addition to a substantial programme delivery responsibility.

PM&C staff members, contractors and organisations engaged to provide or deliver services on behalf of the Department all have crucial roles to play in reducing the Department’s exposure to fraud. This Fraud Control Plan 2016 to 2018 (the Plan) outlines our approach to effectively prevent, detect and respond to fraud or misuse of Commonwealth resources.

Fraud has the potential to undermine our ability to achieve our objectives, our reputation and our ethical organisational culture. Recent fraud response activities have identified that elements of organised crime are viewing government programmes as potential targets. Organised crime has evolved well beyond a simple law and order problem within the remit of an individual agency, jurisdiction or country. The latest Australian Institute of Criminology (AIC) estimate is that fraud costs Australians $8.5 billion a year. The AIC estimated that external and internal fraud losses against the Commonwealth were $206,696,910 million. Of the estimated amount, $203,270,364 million related to external fraud, while $3,426,546 million related to internal fraud.

In all our dealings, we must ensure public monies are spent for their intended purposes, information is secured, and assets and resources are used appropriately to protect the interests and reputation of the Department. To succeed, we must apply risk-based principles in decision-making to ensure day-to-day functional activities are not compromised. To manage the risk of opportunistic fraud, we must continually review the effectiveness of our internal controls and ensure our business processes are streamlined and that complexity is minimised.

This Plan is intended to support PM&C staff, contractors and service providers engaged by the Department to assess risk as well as prevent, detect and report fraud so that Commonwealth funding and assets are used for their intended purpose.

Elizabeth Kelly

Deputy Secretary, Governance

FRAUD & CORRUPTION CONTROL PLAN VERSION 2016 – 2018 1


Document History

A history of released document versions

| Version | Date | Description | Approved |
|---|---|---|---|
| 2012 – 2014 | Oct 2012 | Fraud Control Plan (FCP) | Secretary |
| 2014 – 2016 | Sep 2014 | Draft FRA and FCP | Fraud Manager, FCIS |
| 2014 – 2016 | Oct 2014 | Draft FRA and FCP | Assistant Secretary, GARB |
| 2014 – 2016 | Nov 2014 | Draft FRA and FCP | First Assistant Secretary, MSD |
| 2014 – 2016 | Feb 2015 | Final FRA and FCP | Deputy Secretary, Governance 4 February 2015 |
| 2016 – 2018 | Mar 2016 | Biennial update | |

Change Control

PM&C Fraud Control Officer is responsible for the maintenance and implementation of changes to this document.

Approval

| Name | Position | Date |
|---|---|---|
| Elizabeth Kelly | Deputy Secretary, Governance | |
| Paula Ganly | A/g First Assistant Secretary, MSD | |
| Sam Skelton | Assistant Secretary, GARB | 26/10/2016 |


Contents

FOREWORD
DOCUMENT HISTORY
APPROVAL
CONTENTS
GLOSSARY
ABBREVIATIONS
1. INTRODUCTION
1.1 LEGISLATIVE AND POLICY REQUIREMENTS
1.2 OBJECTIVES OF THE PLAN
2. DEPARTMENT OF THE PRIME MINISTER AND CABINET
3. GOVERNANCE
3.1 OFFICERS WHO HAVE KEY RESPONSIBILITIES FOR FRAUD CONTROL IN PM&C
3.2 EXECUTIVE COMMITTEES
3.2.1 Executive Leadership Group
3.2.2 Audit Committee
3.2.3 Financial Statements Sub – Committee
3.2.4 Operations Committee
3.2.5 National Health and Safety Sub-Committee
3.2.6 External Budgets Sub-Committee
3.2.7 Compliance Sub-Committee
3.2.8 Senior Management Group
4. FRAUD CONTROL ENVIRONMENT
4.1 KEY FRAUD CONTROL STRATEGIES
4.2 DEFINITION OF FRAUD
4.3 FRAUD POLICY STATEMENT
5. FRAUD MANAGEMENT
5.1 FRAUD PREVENTION
5.2 FRAUD RISK MANAGEMENT
5.3 RELATIVE EXPOSURE TO INTERNAL AND EXTERNAL FRAUD
5.4.1 Screening service providers
5.5 FRAUD RISK ASSESSMENT
5.5.1 Methodology
5.5.2 Sources of Risk
5.5.3 Overview of the fraud risks
5.5.4 Risk assessment analysis
6. DETECTION (REPORTING), INVESTIGATIONS AND RESPONSE
6.1 REPORTING FRAUD
6.2 PUBLIC INFORMATION AND DISCLOSURE ACT
6.3 EXTERNAL PERFORMANCE REPORTING
6.3.1 Annual and Statistical Reporting
6.3.2 Australian National Audit Office
6.4 INVESTIGATION
6.4.1 Non – Compliance
6.4.2 Internal audit
6.5 REFERRAL
6.5.1 Referrals to law enforcement agencies
6.5.2 Commonwealth Director of Public Prosecution Referrals
6.5.3 Proceeds of Crime Referrals
6.5.4 Debt Management and Recoveries
APPENDIX A - FRAUD CONTROL RESPONSIBILITIES FOR ALL STAFF
APPENDIX B – SUMMARY OF ACTION ITEMS
REFERENCES
EXTERNAL
INTERNAL


Glossary

| Term | Description |
|---|---|
| Accountable Authority | The Secretary or group of persons who has responsibility for, and control over, a Commonwealth entity’s operations as set out under section 12 of the PGPA Act. |
| Compliance | The outcome of the Department meeting its legal and ethical obligations. |
| Commonwealth Entity | A department of state, a parliamentary department, a listed entity or a body corporate established by a law of the Commonwealth. |
| Control | A measure that modifies a risk. |
| Department | The Department of the Prime Minister and Cabinet |
| Entity | A department of state, a parliamentary department, a listed entity or a body corporate established by a law of the Commonwealth. |
| External fraud | Fraud committed against PM&C by a person other than an employee or contractor of PM&C. |
| Fraud response | Covers the systems and processes that assist an entity to respond appropriately to an alleged fraud where it is detected. |
| Fraud risk assessment | The application of risk management principles and techniques to assess the risk of fraud in PM&C. |
| Fraud risk register | Contains a collection of functional activities, programmes / projects detailed fraud risk assessments. |
| Internal fraud | Fraud committed against PM&C by an employee or contractor. |
| Investigation | A process of seeking information relevant to an alleged, apparent or potential breach of the law, involving possible judicial proceedings. The primary purpose of an investigation is to gather admissible evidence for any subsequent action, whether under criminal, civil penalty, civil, disciplinary or administrative sanctions. |
| Prevention | Strategies that are designed to proactively reduce or eliminate fraud committed against PM&C. |
| Residual risk | A risk remaining after risk treatment. |
| Risk owner | A person or entity with the accountability and authority to manage a risk. |
| Risk profile | A description of any set of risks. |
| Risk treatment | A process to modify risk. |
| Serious and complex fraud | Fraud which due to its size or nature is too complex for most entities to investigate |
| Stakeholders | Those people and organisations who may affect, be affected by or perceive themselves to be affected by a decision or activity. |


Abbreviations

| Abbreviation | Description |
|---|---|
| AAO | Administrative Arrangements Order |
| AFP | Australian Federal Police |
| AGIS | Australian Government Investigation Standards |
| AIC | Australian Institute for Criminology |
| APS | Australian Public Service |
| AS | Assistant Secretary |
| CDPP | Commonwealth Director of Public Prosecutions |
| FAS | First Assistant Secretary |
| FCIS | Fraud Control and Investigations Section |
| FCP | Fraud Control Plan (the Plan) |
| FRA | Fraud Risk Assessment |
| FRR | Fraud Risk Register |
| GARB | Governance, Audit and Reporting Branch |
| MoG | Machinery of Government |
| MSD | Ministerial Support Division |
| PID | Public Interest Disclosure Act 2013 |
| PGPA Act | Public Governance, Performance and Accountability Act 2013 |
| PGPA Rule | Public Governance, Performance and Accountability Rule |
| PM&C | Department of the Prime Minister and Cabinet |


1. Introduction

Fraud against the Commonwealth is a serious matter for all Commonwealth entities and for the wider community. PM&C has zero tolerance for fraud. Not only is it a criminal offence, but fraud reduces funds available for delivering public goods and services and has the propensity to undermine the integrity of the public’s confidence in government.

Corruption is commonly associated with fraud; however, it can also be a risk in itself (where fraud is not directly involved). Recent corruption inquiries in the Australian Public Service (APS) indicate that while levels of corruption and serious misconduct in the APS remain low, the risks remain real. This Fraud Control Plan (the Plan) and associated Fraud Risk Assessment (FRA) take into account the risks of corruption, and aim to mitigate them through the promotion of a culture of ethical behaviour.

The leadership role PM&C plays in the Commonwealth demands that our senior executives and managers engage positively with risk. This includes championing a culture where all staff are encouraged to become familiar with the key elements of a robust fraud control framework, including policy, legal and governance requirements.

Effective fraud control strategies need an integrated response led by the executive and embedded in governance, programme design and management. This Plan outlines the obligations, systems, policies and strategies PM&C has in place to prevent, detect and respond to fraud.

1.1 Legislative and Policy Requirements

Fraud is a criminal offence under Chapter 7 of the Criminal Code Act 1995. The foundations for this Plan and fraud risk assessment are stipulated in sections 15 to 19 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act), and section 10 of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule). These sections set out fraud control requirements to assist the Department to meet its obligations under the PGPA Act. Breaches of the fraud rule may attract a range of criminal, civil, administrative and disciplinary remedies.

Other relevant legislation includes the Public Interest Disclosure Act 2013 (the PID Act) which provides the legislative basis for whistleblowing including corruption or wastage of public funds, the Public Service Act 1999 (PS Act) and the Australian Public Service (APS) Values and Code of Conduct.

In conducting the Department’s fraud risk assessments, which underpin this Plan, the AS/NZS/ISO 31000:2009 Risk Management - Principles and guidelines, the Australian Standard 8001 – 2008: Fraud and Corruption Control and the PM&C Risk Management Framework were followed.

1.2 Objectives of the Plan

The primary objectives of the Plan are to protect public money, information and property and safeguard the integrity and reputation of PM&C. The Plan is underpinned by fraud risk assessments which are detailed in the Fraud Risk Register (FRR). The fraud risk assessments are dynamic, reviewed six monthly and on a needs basis, through ongoing and targeted analysis. The Fraud Risk Register is not made public or generally available (to internal or external stakeholders) as it contains sensitive information.

2. Department of the Prime Minister and Cabinet

Under the Public Service Act 1999 and the PGPA Act, the Secretary is accountable for the Department's performance and compliance with legal requirements. Key responsibilities include:

• managing the affairs of the Department efficiently, effectively, economically and ethically, in a way that is not inconsistent with the policies of the Commonwealth;

• providing leadership, strategic direction and a focus on results for the Department;

• driving best practice risk management and behavioural change; and

• engaging with stakeholders, particularly in relation to the core activities of the Department.

The Secretary is supported by an Executive team and operational managers who assist in providing leadership, establishing the organisational culture, promoting integrity and developing the strategies necessary to ensure ‘best practice’ fraud control and ethical standards are embedded in organisational governance and processes.

3. Governance

The realisation of fraud risks in a number of high-profile government programmes has highlighted the need for strong leadership which supports effective risk management practice and culture. Poor leadership can lead to a culture of complacency or give rise to situations where fraud incidents are only addressed after they emerge. Likewise, risk assessments are only conducted as an add-on to meet a compliance requirement rather than being fully integrated as part of day-to-day business operations. Appropriate governance structures are therefore critical to the effective operation of fraud control and support the role of the Secretary.

3.1 Officers who have key responsibilities for fraud control in PM&C

Secretary

Under the PGPA Act, the Secretary is accountable for governing the organisation in a way that promotes the proper use of public resources. This includes adopting best practice approaches to conduct fraud risk assessments and to develop a fraud control plan. The Secretary has delegated some authority to other accountable officers and committees.

Deputy Secretary (Governance)

The Deputy Secretary, Governance has the corporate responsibility for overseeing the implementation of fraud prevention and control for the Department.

First Assistant Secretary, Ministerial Support Division

The First Assistant Secretary (FAS), Ministerial Support Division (MSD), has responsibility for policy and management of fraud prevention and fraud control.

Assistant Secretary, Governance, Audit and Reporting Branch, Ministerial Support Division

The Assistant Secretary (AS), Governance Audit and Reporting Branch (GARB) has operational responsibility for governance issues including fraud prevention and control, and ensuring that business processes and internal and external controls are planned and undertaken following the due consideration of fraud risk exposures.

Fraud Manager, Fraud Control and Investigations Section, GARB

The Fraud Manager, Fraud Control and Investigations Section (FCIS), GARB, has responsibility for developing, implementing, and maintaining the fraud control plan and reporting framework.

3.2 Executive Committees

The Secretary has established several committees to support oversight of the proper use and management of public resources and the financial sustainability of PM&C.

3.2.1 Executive Leadership Group

The Executive Leadership Group deals with management decisions and issues across PM&C. It considers strategic issues impacting on the Department, including any ongoing or emerging risks, and monitors performance in delivering outcomes.

3.2.2 Audit Committee

The Audit Committee provides independent assurance and assistance to the Secretary and the Executive on PM&C’s risk, control and compliance frameworks. Key review responsibilities of the Audit Committee include:

• risk management;

• internal control frameworks;

• external accountability (including the PM&C’s financial statements);

• legislative compliance; and

• internal audit and external audit.

The Audit Committee’s responsibilities in relation to fraud control generally include:

• reviewing the risk management framework and associated procedures for the effective identification and management of PM&C’s financial and business risks, including fraud risks; and

• reviewing the process of developing and implementing the fraud control plan, to provide assurance that PM&C has appropriate processes and systems in place to prevent, detect and effectively respond to fraud-related information.

3.2.3 Financial Statements Sub – Committee

The Financial Statements Committee is a Sub-Committee of the Audit Committee. Its role is to oversee, review, report and advise the Audit Committee on the planning, management and finalisation of the Department’s annual financial statements process and certificate of compliance process.

3.2.4 Operations Committee

The Operations Committee considers, oversees and provides advice to the Secretary and ELG on matters relating to all aspects of PM&C’s operations including, but not limited to, Financial Management, Human Resources, Security, Corporate Improvement and Programme Management.

3.2.5 National Health and Safety Sub-Committee

The National Health and Safety Sub-Committee is a sub-committee of the Operations Committee. The Committee facilitates discussion and cooperation regarding work health and safety (WH&S) issues and assists in developing Health and Safety Management Arrangements through consultation with all staff.

3.2.6 External Budgets Sub-Committee

A sub-committee of the Operations Committee that advises the Operations Committee on the planning, management and clearance of key PM&C Commonwealth Budget related deliverables.

3.2.7 Compliance Sub-Committee

A sub-committee of the Operations Committee that supports the Operations Committee in providing assurance to the Secretary and ELG regarding PM&C’s performance, and its compliance with internal and external requirements.

3.2.8 Senior Management Group

The Senior Management Group comprises the Executive Leadership Group and all Senior Executive Service Band 2 Officers. It meets each week to discuss key business issues for the Department, including business priorities, key commitments and any ongoing or emerging risks.

4. Fraud Control Environment

As part of the Department’s commitment to good governance, PM&C promotes a culture that encourages and supports all staff to be accountable for their actions and act with integrity, trust, honesty and respect. PM&C requires all staff to comply with the PS Act, uphold the APS Values and Code of Conduct, and manage the risk of fraud in their day to day business operations.

4.1 Key fraud control strategies

Fraud control requires the implementation of a number of key control strategies which contribute to an effective fraud control framework. These strategies are interdependent and subject to a cyclic process of review and enhancement, alongside active management and ownership within the Department. The strategies are grouped into four key themes:

• fraud prevention involves those strategies designed to prevent fraud from occurring in the first instance;

• fraud detection includes strategies to discover fraud as soon as possible after it has occurred;

• fraud response covers the systems and processes that assist an entity to respond appropriately to an alleged fraud when it is detected; and

• fraud monitoring and review, reporting and evaluation are strategies to provide assurance that legislative responsibilities are being met, as well as promoting accountability by providing information that demonstrates compliance with specific fraud control strategies.[1]

Executive oversight through sound governance arrangements will ensure that each strategy does not operate in isolation and those interdependencies are effectively identified and managed appropriately.[2]

4.2 Definition of Fraud

The Department has adopted the definition of fraud provided in the PGPA Fraud Rule, which defines fraud as “Dishonestly obtaining a benefit, or causing a loss, by deception or other means.” Fraud against the Commonwealth may include but is not limited to:

• theft;

• Commonwealth programme funding and grants (e.g. Community Development Programme, Vocational Training and Education Centre (VTEC), School Attendance, Social and Emotional Wellbeing);

• entitlements (e.g. expenses, leave, travel allowances or attendance records);

• facilities (e.g. unauthorised use of corporate credit cards or information technology, mobile devices (e.g., iPhones, Samsung, blackberries, tablets etc.) and telecommunication systems);

• accounting fraud (e.g. false invoices, misappropriation);

• unlawful use of, or unlawful obtaining of, property, equipment, material or services;

• causing a loss, or avoiding and/or creating a liability;

• providing false or misleading information to the Commonwealth, or failing to provide information when there is an obligation to do so (falsifying participant rates and attendance);

• misuse of Commonwealth assets, equipment, facilities or telecommunication systems;

• making, or using, false, forged or falsified documents; and

• wrongfully using Commonwealth information or intellectual property.

[1] Fraud Control and Australian Government Entities – Better Practice Guide – March 2011

[2] Fraud Control and Australian Government Entities – Better Practice Guide – March 2011

It is important to note a benefit is not restricted to a monetary or material benefit, and may be tangible or intangible, including the unauthorised provision of access to, or disclosure of, information. A benefit may also be obtained by a third party rather than, or in addition to, the perpetrator of the fraud.

4.3 Fraud Policy Statement

PM&C does not tolerate dishonest or fraudulent behaviour and is committed to deterring and preventing such behaviour in the performance of its business operations. Fraud undermines the ability of PM&C to achieve its objectives. The Department has adopted the definition of fraud provided in the Commonwealth Fraud Rule, which defines fraud as “Dishonestly obtaining a benefit, or causing a loss, by deception or other means.” For a more comprehensive definition of fraud see Section 4.2, page 12 of the Plan.

Fraud prevention is the responsibility of all PM&C staff, contractors and organisations engaged to provide or deliver services on behalf of the Department. All have an essential part in reducing the Department’s exposure to fraudulent activity by behaving in an ethical way consistent with the APS Code of Conduct, APS Values and reporting any incidents of suspected fraud through their managers / supervisors or to the FCIS who have the capability to conduct complex investigations.

PM&C’s Fraud Policy Statement is in line with the PGPA Fraud Rule and is available to all staff, contractors and external service providers on the intranet and internet sites. The aim of the Fraud Policy Statement is to reflect better practice in fraud risk management and to protect public money, property and information.

The Department’s commitment to preventing fraud and deterring fraudulent behaviour will be met by:

• maintaining an effective system of internal controls to protect public money, information and property;

• ensuring all PM&C officials and contractors complete the mandatory fraud awareness training modules on induction and undertake revision training every two years. Targeted face-to-face training will be provided on request or as required;

• conducting periodic fraud risk assessment reviews to identify emerging opportunities for fraud and supporting business managers to embed prevention and minimisation procedures in day to day operations;

• establishing formal procedures for reporting and investigating allegations of dishonest and/or fraudulent behaviour;

• assuring confidentiality with regard to receiving and handling investigations;

• referring allegations of serious wrongdoing or misconduct under the Public Interest Disclosure Act to HR;

• maintaining efficient and effective arrangements to investigate fraud;

• investigating fraud in accordance with the Australian Government Investigations Standards (AGIS);

• referring offenders to the Australian Federal Police (AFP) and other state and territory law enforcement agencies where necessary;

• seeking civil, administrative or disciplinary remedies such as those available under the Public Service Act 1999; and

• pursuing all means open to the Department to recover losses caused by illegal activity, irrespective of whether a prosecution is undertaken, including the use of proceeds of crime legislation and civil recovery action.

The Fraud Policy should be read in conjunction with other relevant documents, including the Department’s Fraud Control Plan, Commonwealth Grant Rules and Guidelines 2014, the Commonwealth Procurement Rules 2014, the Department’s Protective Security Policy and the Department’s Risk Management Framework.

5. Fraud Management

5.1 Fraud prevention

Fraud prevention strategies are the first line of defence and provide the most cost-effective method of controlling fraud within PM&C. To be effective, fraud prevention requires a number of contributory elements, including an ethical organisational culture, a strong awareness of fraud among employees, suppliers, service providers and clients, and an effective internal control framework.³

Key elements of PM&C’s fraud prevention strategies include:

• having a robust Fraud Policy Statement;
• promotion of and adherence to the APS Code of Conduct;
• risk-based decision making processes;
• sound fraud risk management processes, including assurance testing of controls that have been put in place;
• a comprehensive fraud control plan;
• practical employee, and third party, due diligence;
• mandatory online and targeted face-to-face fraud awareness training;
• ICT cyber security controls to prevent external penetration into IT systems and to ensure reliable, accurate and up-to-date data; and
• communication about investigation outcomes to demonstrate that allegations and incidences of fraud are treated seriously and appropriately dealt with.⁴

5.2 Fraud risk management

Risk management is crucial to fraud control because it provides a framework to identify, analyse, evaluate, and treat fraud risks. Structured and systematic risk management methodologies can therefore assist the Department to assess the level and nature of its exposure to fraud threats. These methodologies also establish fraud risk profiles so that resources proportionate to the nature and scale of the risk can be allocated to mitigate or minimise significant risks. The effectiveness of control measures can then also be evaluated.

3 Fraud Control and Australian Government Entities – Better Practice Guide – March 2011
4 Fraud Control and Australian Government Entities – Better Practice Guide – March 2011, Page 78 paragraph 8.2.3.


As there is often considerable overlap between organisational risks (that is, enterprise risk, business risk, audit risk, security risk and fraud risk), fraud risk assessments must be considered in the broader context of organisation-wide strategic planning and risk assessment.

This overlapping of risks means, in turn, that controls addressing these risks may intersect. For example, security controls to manage risks to the integrity of PM&C’s information systems, or grant programmes / projects, can be similar to the fraud controls required. In addition, a robust fraud control plan can itself be an effective control in the treatment of an organisation’s reputation and/or business continuity risks.

5.3 Relative exposure to internal and external fraud

The risk of fraud may be internal (committed by an employee or contractor of PM&C) or external (committed by an external service provider or third party). In complex fraudulent activity there may be collaboration between employees, contractors and/or external service providers.

Common types of internal fraud include:

• theft or misuse of tangible assets (cash, stationery, smart phones, tablets, computer and computer-related software) by employees;
• entitlements (e.g. expenses, leave, travel allowances or attendance records);
• theft or misuse of intellectual property or other confidential information (including funding proposals, procurement information, personal records);
• release or use of misleading information for the purposes of deceiving, misleading or to hide wrongdoing;
• false invoicing;
• credit card and other payments fraud;
• receiving bribes or improper payments; and
• misuse of position by employees in order to gain some form of financial or non-financial benefit (corruption).

Typically, the principal opportunities for internal fraud to occur arise from poor internal controls.

Examples of external fraud include:

• theft or misuse of tangible assets such as plant / equipment;
• false reporting on the expenditure of funding and falsifying funding applications to receive payments from government programmes that they are knowingly not eligible for;
• falsifying data in relation to participants engaged in funded activities; and
• external service providers making claims for services that were not provided, converting funded assets to personal use or misappropriating cash payments for personal use.

Internal audit can specifically assist the Department to manage fraud control by providing advice on the risk of fraud, advising on the design or adequacy of internal controls to minimise the risk of fraud occurring, and by assisting management to develop fraud prevention and monitoring strategies.

5.4 Outsourcing arrangements

PM&C relies heavily on third-party service providers, including non-government organisations, the private sector or other levels of government to undertake significant work on its behalf.

Under the PGPA Act and the PGPA Fraud Rule, PM&C has an obligation to make third-party providers aware of PM&C’s position on fraud control and put measures in place to ensure that third-party service providers meet the high standard of accountability required as part of the Australian Government’s financial management framework. PM&C retains responsibility for the services delivered by third parties to clients, including requirements in relation to fraud control.⁵

If allegations are made in relation to third-party providers, PM&C needs to determine whether, if proven, the fraud constitutes fraud against the Commonwealth. If a third-party provider experiences internal fraud, this does not necessarily constitute fraud against the Commonwealth. The victim of the fraud is more likely to be the contractor and action is most likely to be considered under state or territory law. However, third parties may be subject to Criminal Code offences, including abuse of public office offences under section 142.2 as highlighted in the PM&C Head Agreement for Indigenous Grants.

5.4.1 Screening service providers

Confirming the identity and reputation of service providers is important in managing fraud control within PM&C. In accordance with the Commonwealth Grant Rules and Guidelines July 2014, the vetting of service providers should be tailored to the materiality and relative risk the individual or organisation represents.⁶

The standard, AS 8001-2008 Fraud and Corruption Control, requires organisations to ‘take steps to ensure the bona fides of new suppliers and customers and periodically confirm the bona fides of continuing suppliers and customers’.

5 Resource Management Guide No 201 Page 8 paragraph 4.7
6 Commonwealth Grant Guidelines and Rule 2014


5.5 Fraud Risk Assessment

Section 10 Paragraph (a) of the PGPA Fraud Rule states, ‘A fraud risk assessment must be conducted regularly and when there is substantial change in the structure, functions or activities of an entity.’ Risk assessments should consider internal and external fraud risks and should be refined on an ongoing basis.

Fraud risk should not be looked at in isolation from the general business of the Department, but should be embedded in day-to-day business processes as an aspect of the Department’s broader risk assessment processes, including the Department’s security risk assessment.

5.5.1 Methodology

To identify the Department’s sources of fraud risk, the following methodology was used:

• the Fraud Control Officer, through the FAS MSD, contacted all of PM&C’s FASs to seek their input into the review of the Department’s fraud control plan;
• contact officers were nominated by the respective Divisions / Branches;
• the review took the form of face-to-face meetings and interviews with managers, subject matter experts and operational staff;
• Fraud Control and Investigation staff met with each identified fraud risk owner and together identified / reviewed and/or developed the fraud risk assessment for their respective business area;
• during the review / development, each of the identified risks, their contributing factors, consequences and likelihood/consequence ratings were assessed for relevance and updated as required;
• during the review, new and emerging risks and agreed controls were added to the assessment where appropriate;
• key controls were reviewed / developed and assessed for each individual risk. The controls were analysed for their adequacy and effectiveness and, where the risks were assessed as unacceptable, treatment strategies were identified to reduce their levels;
• the actual risk and residual risk levels were reviewed and adjusted where needed to reflect the nature of the risk and the controls already in place. The risk ratings are in accordance with the PM&C Risk Assessment Matrix; and
• after consulting with all the risk owners, the FCIS updated the risk assessment and circulated draft copies to the risk owners for their analysis and comment. Comments from the risk owners were further assessed and, where appropriate, included in the fraud risk assessment.


5.5.2 Sources of Risk

The fraud risks identified in the consultation process have been categorised in the table below.

| Sources | Fraud Risk |
|---|---|
| Administrative fraud | Occurs when PM&C staff use resources for purposes other than for which they were provided. This can involve stealing property for personal use, manipulating salaries or fraudulent overtime claims. |
| Information Management (IM) | Risks relating to employees / contractors inappropriately using IT system access to dishonestly create, delete and modify PM&C data and records. The benefit obtained may be tangible or intangible. An example of a tangible benefit would be the selling or provision of personal information to third parties (e.g. private investigators). An intangible benefit may be obtaining personal information about a colleague, or others, which you were not entitled to. |
| Grants / Programme Funding | Risks relating to inappropriate provision, use and acquittal of Programme funding. It includes providing false or misleading information to claim payment or providing false or misleading advice of changed circumstances according to the conditions of the relevant grant. |
| Credit Cards | Risks relating to staff using Credit Cards dishonestly to receive cash or purchase personal goods and services. |
| Property / Fit Outs / Asset Management | Internal and external fraud. Asset risk exposures relate to the tangible property assets of PM&C, including buildings, vehicles, plant and equipment, records, data and intellectual property. Also theft or copying of intangible assets. |
| Physical security | Risks relating to protection of people, information and property from potential threats and dangers, including the protection of information from misuse or unauthorised disclosure. |
| Procurement and Contracting | Risks relating to liability issues, contractual obligations, probity, legislative and regulatory obligations, breach of duty of care, service standards and service level agreements. Purchasing functions not performed in accordance with the Public Governance, Performance and Accountability Act 2013 (PGPA Act). Purchase orders fraudulently raised for goods and services. |
| Accounts payable / Treasury | Risks relating to staff members and external parties deceitfully obtaining benefits to which they are not entitled. |
| Staff Selection Processes | Risks relating to an applicant making a false claim or providing false documentation or submitting false referee reports. Other risks may include conflict of interest or favouritism in the recruitment process by a delegate. |
| Salaries | Salary payments may be incorrect, unauthorised or invalid and/or payroll ghosting. |
| Leave | Leave entitlement, flex and medical information/documents may be falsified or dishonestly recorded. |
| Travel / CabCharge | Risks include inappropriate/unauthorised travel or misuse of CabCharge. Travel plans may be changed without corresponding changes to travel allowance being made. Travel allowance or remote locality leave fares may be overstated or fraudulent. |
| Motor vehicles and fuel | Risk relating to staff members using departmental vehicles and fuel for private purposes. |
| Special Accounts | Risks relating to inappropriate expenditure, financial management, and financial system failures, taxation rates, interest rates, exchange rates, loss of revenue and increase in costs. |


5.5.3 Overview of the fraud risks

As at June 2016, there were 51 potential fraud risks that were assessed across the Department. Of the 51, 45 (88.2%) were assessed as having an acceptable Low to Moderate residual risk level. The remaining six risks (11.8%) were rated High. On this basis the overall potential for fraud in PM&C is considered Low to Moderate.

At the time of the assessment, no independent control testing was conducted for the individual existing controls. Risk owner assessments of the residual risk ratings were relied upon to determine the overall PM&C risk profile. Plans are in place to test the internal control environment to ensure the adequacy of those controls.

Notwithstanding the above, there is a need for ongoing monitoring of the internal control environment to ensure the risks do not escalate. New or emerging risks need to be identified early and managed appropriately to prevent fraud.

5.5.4 Risk assessment analysis

A summary of the functional areas’ activity risks, the total number of risks in each of the functional activities and the residual risk ratings is provided in the table below.

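| Functional activities | Number of identified risks | Very High | High | Moderate | Minor | Low |
|---|---|---|---|---|---|---|
| ICT | 2 | 0 | 2 | 0 | 0 | 0 |
| Corporate | 18 | 0 | 1 | 12 | 4 | 1 |
| Programme | 31 | 0 | 3 | 17 | 7 | 4 |
| Total | 51 | 0 | 6 | 29 | 11 | 5 |
| Percentage | 100% | 0.0% | 11.8% | 56.9% | 21.6% | 9.8% |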

In accordance with the PM&C Risk Management Framework, treatment strategies must be identified and implemented for risks rated High or Very High. Risk identified as Moderate is acceptable if the potential benefit outweighs the consequences of the associated risk. Low or Minor risk is acceptable and requires no treatment. All risks must be monitored to ensure they do not escalate.

6. Detection (Reporting), Investigations and Response

Fraud detection, investigation and response are key elements of the overall fraud control framework. Paragraphs (d) and (e) of section 10 of the PGPA Fraud Rule require PM&C to have appropriate mechanisms for detecting (reporting) and investigating fraud. These mechanisms have been developed by PM&C in accordance with the requirements of the AGIS.


Despite prevention activities, fraud is still most likely to occur. A summary of actions to improve the overall fraud control environment through systems, internal controls and processes is detailed in the Fraud Risk Action items at Appendix B.

6.1 Reporting Fraud

Under the Secretary’s Instructions 1.2, staff must report all incidents of suspected or potential fraud immediately to the GARB. PM&C can also receive reports of alleged fraud from internal and external audits and reviews, members of the public, external contractors, service providers and other Government agencies, including law enforcement bodies.

Internal and external guidelines for reporting fraud to PM&C have been published on PM&C’s internet, intranet and extranet sites. These include:

• the Fraud Hotline: (02) 6152 3598;
• Fraud Helpdesk email: [email protected];
• Fraud Reporting Form: Fraud reporting form | Intranet; and
• The Fraud Manager
  Fraud Control and Investigations Section
  PO Box 6500
  Canberra ACT 2600

6.2 Public Interest Disclosure Act

On 15 January 2014, the PID Act commenced. On the same day the Whistleblowing provisions under the PS Act were repealed.

The PID Act builds on practices established to protect APS employees who ‘blow the whistle’ on suspected breaches of the APS Code of Conduct. Other entities connected with the Australian Government are covered by the PID Act, and new avenues of reporting suspected wrongdoing are available. The emphasis of the scheme is on disclosures being made and investigated within government.

PID is the reporting of wrongdoing in the Commonwealth public sector where investigation and correction is in the public interest. This may include conduct which employees reasonably believe:

• contravenes a law;
• is corrupt;
• perverts the course of justice;
• results in wastage of public funds or property;
• is an abuse of public trust;
• unreasonably endangers health and safety or endangers the environment; and
• is maladministration, including conduct that is unjust, oppressive or negligent.

Disclosure does not include disagreements with government policy or expenditure.

More detailed information about the PID Act and how to make a disclosure can be found on PM&C’s internet and intranet sites at Public Interest Disclosure Act Procedures.


6.3 External Performance Reporting

6.3.1 Annual and Statistical Reporting

PM&C is required to provide an annual return to the AIC prior to 30 September each year. The information provided includes fraud prevention and control measures in place; statistical data on suspected fraud; matters under investigation; completed matters whether the fraud was proven or not; and whether the matter was dealt with by way of criminal, civil or administrative remedy.

6.3.2 Australian National Audit Office

The Australian National Audit Office (ANAO) is responsible for assessing key aspects of an entity’s fraud control arrangements to effectively prevent, detect and respond to fraud, as outlined in the PGPA Fraud Rule.

6.4 Investigation

PM&C has an in-house capability to conduct internal and external fraud investigations in accordance with the AGIS.

The purpose of a fraud investigation is to gather evidence relating to a specific fraud allegation(s) to determine the facts relating to the matter and to assist in deciding what, if any, action should be taken in relation to the matter(s). Under the PGPA Rule, PM&C is required to investigate instances of alleged fraud and to document the reasons for decisions, irrespective of whether the initial assessment results in the matter being referred for a criminal investigation.

PM&C’s FCIS observes the PGPA Fraud Rule and the AGIS, which provide guidance on investigation competency standards for Commonwealth employees and investigation service providers.

The FCIS is responsible for:

• receiving and investigating allegations of internal and external fraud;
• managing the Fraud Control Plan, including monitoring of its implementation;
• developing and delivering fraud awareness training; and
• mandatory reporting on fraud-related matters for PM&C.

PM&C’s Investigators (APS 4-6) are required to have a minimum of the Cert IV, Government Investigation; Senior Investigators (EL1), the Diploma, Government Investigation; and Managers (EL2), the Advanced Diploma Government Investigation.

The FCIS utilises a secure, restricted-access, entity-based case management system, using cases, case notes, incident and information reports, tasks and task results to fully manage all aspects of an investigation. This system also provides for data and intelligence management, which in turn supports timely and accurate reporting.


6.4.1 Non-Compliance

Non-compliance with terms and conditions of funding agreements is a particular issue for PM&C. However, non-compliance may not constitute fraud. For fraud to be established there must have been intent to commit the fraud. Non-compliance can be deliberate, or may occur because of a lack of understanding or awareness of obligations, or because compliance is difficult to achieve due to limited resources and capabilities.

The IAG Compliance, Risk and Integrity Branch, Programme Integrity and Engagement Division, is responsible for the Department’s programme risk and compliance frameworks. The Branch undertakes a proactive, risk-based approach to ensure programmes or projects achieve their intended outcomes. It does this through desktop reviews, spot audits and site visits to support organisations in modifying their behaviours in order to achieve desired programme outcomes.

The Branch works closely with the Governance, Audit and Reporting Branch in making decisions at a number of critical stages in the management of serious non-compliance or a suspected fraud. When referrals to either Branch are received, the information goes through an assessment process to determine whether the issues relate to fraud or serious non-compliance in connection to PM&C funding. If the information falls outside the jurisdiction of either Branch to take action, it may be referred to another area in PM&C, an external agency, or simply retained for intelligence purposes.

6.4.2 Internal audit

Internal audit provides an independent and objective review and advisory mechanism to:

• provide assurance to the Secretary that the financial and operational controls designed to manage the Department’s risks and achieve objectives are operating in an efficient, effective and ethical manner;⁷ and

• assist management in improving PM&C’s business performance. Internal audit can provide advice on the risk of fraud, advice on the design or adequacy of internal controls to minimise the risk of fraud occurring, and assist management to develop fraud prevention and monitoring strategies.⁸

6.5 Referral

6.5.1 Referrals to law enforcement agencies

PM&C will refer matters to the AFP in accordance with the requirements of the AFP Case Categorisation and Review Model. This includes matters that are considered serious or complex, involve cross-agency issues, or are of a politically sensitive nature. In certain circumstances matters may be brought to the attention of relevant Ministers at the time of referral.

If the AFP declines to investigate a matter, it will advise PM&C of the reasons in writing at the earliest opportunity and, in any case, within 28 days (unless another period is agreed).

7 ANAO Better Practice Guide – Public Sector Internal Audit – An investment in assurance and business improvement, 2007, p.4.

8 Resource Management Guide No 201 July 2014


The AFP may also suggest alternative methods of handling the matter and may assist PM&C by executing search warrants and providing other forms of assistance. If additional information becomes available that shows that the matter is more serious than first indicated, PM&C may again refer the matter to the AFP for consideration.⁹

When a matter involves offences under state or territory law, PM&C will consider referring it to the responsible state or territory law enforcement agency or other relevant authority for investigation.

6.5.2 Commonwealth Director of Public Prosecution Referrals

Prosecutions are important in deterring fraud and in educating officers and the public generally about the seriousness of fraud. The Australian Government’s policy on prosecution of criminal offences is set out in the Prosecution Policy of the Commonwealth, which is available on the Commonwealth Director of Public Prosecutions (CDPP) website.

If the AFP or another law enforcement agency declines to investigate a potential offence, PM&C may, if it has investigated the matter and obtained sufficient evidence, subsequently refer the matter to the CDPP for consideration of prosecution action. Briefs should be prepared in accordance with the Guidelines for dealings between Commonwealth investigators and the CDPP.

If PM&C sends a brief of evidence to the CDPP to consider prosecution action, and the CDPP advises that a prosecution will not proceed, PM&C remains responsible for resolving the matter and for considering other available remedies, in accordance with the relevant criteria under the PGPA Act and section 10 of the PGPA Rule. PM&C should also consider civil, administrative or disciplinary proceedings for which a lower standard of proof is required.

6.5.3 Proceeds of Crime Referrals

PM&C will take all reasonable measures to recover financial losses caused by illegal activity through proceeds of crime and civil recovery processes or administrative remedies.

In this context, ‘benefit’ is not simply financial, but should include consideration of deterrent value and other non-financial benefits such as public interest and integrity of the government’s or PM&C’s reputation.

6.5.4 Debt Management and Recoveries

For an organisation that has not complied with the terms and conditions of the Funding Agreement entered into with the Department, and where fraud has not been detected, the inappropriate use of Commonwealth funds can be the subject of debt recovery action.

Where PM&C funds have not been used in accordance with the Terms and Conditions of the Funding Agreement, the Department may by notice:

(a) Terminate or reduce a Grant payment up to the relevant amount; or
(b) Require the repayment of the relevant amount, by a specified date.

9 Resource Management Guide No 201. 2014

Where the misuse of PM&C funds involves criminality, action may be taken under Proceeds of Crime or Unexplained Wealth legislation.

Appendix A - Fraud Control Responsibilities for all staff

The table below summarises additional fraud control responsibilities for staff, managers and committees.

| WHO | RESPONSIBILITIES / ACTION |
|---|---|
| All staff | Familiarise themselves with the Fraud Policy Statement, the Fraud Control Plan and the Secretary’s Instruction on Fraud Control to enable them to make risk-based decisions about fraud control compliance in their day-to-day operations. |
| | Immediately report suspected incidents of fraud and misconduct. |
| | Behave ethically and in accordance with the APS Code of Conduct in the performance of their duties. |
| | Comply with general duties of officials under section 25 of PGPA Act. |
| | Comply with ICT Security Policy, Domestic and International Travel Policies. |
| All Managers and Executive | Advise staff on procedures for resolving ethical dilemmas through the APS Code of Conduct and the FCP. |
| | Foster an environment which promotes the highest standards of ethical behaviour. |
| Governance, Audit & Reporting Branch | Conduct internal audits of risk, governance and control processes within PM&C. |
| | Maintain communication with the FCIS to notify of suspected fraud activities within PM&C. |
| | Ensure appropriate processes are in place to manage PM&C’s fraud risks in accordance with the PGPA Fraud Rule. |
| | Review and maintain PM&C’s fraud control policies and instructions and ensure they are communicated to all staff. |
| | Communicate to all staff their responsibilities in preventing, detecting and reporting fraud. |
| | Provide Fraud Awareness Training to Staff. |
| | Support programme areas and the Network on compliance issues, fraud, risk, due diligence, and matters of internal serious misconduct. |
| | Formally update the Plan as required. |
| | Conduct bi-annual fraud risk reviews and develop cost-effective strategies to reduce risk to an acceptable level. |
| | Implement monitoring, review and reporting processes to report the incidence of fraud within PM&C and advise management actions to address weaknesses in fraud risk controls. |
| | Manage the conduct of investigations into suspected fraudulent activity, and where necessary, engage services of the AFP or other agencies. |
| | Refer matters to the CDPP in accordance with the Prosecution Policy of the Commonwealth. |
| | Independently review processes, systems and controls where fraud is detected, to ensure lessons learned are recorded and communicated to relevant stakeholders and governance committees. |
| | Actively and appropriately pursue the recovery of money or property lost through fraud. |
| | Engage in operational compliance activities to address serious non-compliance with funding agreements by service providers. |
| | Proactive collection and analysis of intelligence, and dissemination to stakeholders where appropriate. |
| Credit Card Holders | Comply with and apply PM&C’s Credit Card Business Rules. |
| Fuel Card Holders | Comply with and apply PM&C’s Fuel Card Business Rules. |
| Division and Branch Managers | Identify and manage individual fraud risks originating in or relevant to their Group/Branch and implement risk treatments identified in this Plan. |
| People, Capability & Performance | Educate, investigate and manage issues relating to behavioural and ethical standards, such as the APS Code of Conduct and Values (below a criminal threshold). |


Appendix B – Summary of Action Items

Fraud risk improvement action items

Ref Activity Strategy Action Responsibility Timing

1. Awareness Development of resources to support managers and staff

Update fraud awareness induction programme on LearnHub as appropriate. FCIS Ongoing

Ensure the mandatory fraud awareness training is completed by all new starters and ongoing staff in a two-year cycle

FCIS Ongoing

3. Awareness Communication to all staff of their responsibilities with regard to prevention, detection and reporting

Ensure fraud control and prevention updates are promoted on Corporate Update via intranet and Net Comm and changes to fraud control advised to staff

FCIS Ongoing

4. Awareness Publicly available information on the Department’s attitude and approach to fraud control

Ensure the Fraud Policy Statement and the Fraud Control Plan 2016 – 2018 remain current

FCIS Ongoing

5. Fraud Control Plan Maintain Fraud Control Plan

Formal update of the FCP every two years and when there are significant functional changes

FCIS Ongoing

6. Fraud Policy Statement

Maintain Fraud Policy Statement

Formal update of the FPS every two years and when there are significant functional changes

FCIS Ongoing

7. Fraud Risk Assessment

Conduct Fraud Risk Assessments

Conduct fraud risk assessment reviews bi-annually

All Branches / Programme Areas

Ongoing (6 monthly)

8. Report Update fraud reports for governance committees

GARB to provide Audit Committee with fraud trend information to assist in monitoring the levels of internal and external fraud committed across the Department

Audit Committee

Ongoing (quarterly)

9. Fraud cases Case referral to AFP GARB to refer instances of suspected fraud to the appropriate law enforcement agency such as the AFP or state police for investigation

FCIS As necessary

10. Investigations AGIS standards GARB to ensure investigations are conducted by appropriately qualified investigators in accordance with the requirements of the AGIS

FCIS As necessary

11. Investigations Quality Assurance Standards

Fraud investigations undertaken by the Department may be subject to Quality Assurance Reviews by the AFP

FCIS As necessary

12. Investigations Staff Responsibility All departmental staff and contractors have a responsibility to fully assist with any fraud investigation

FCIS As necessary

13. Investigations Case referral to the Minister for Justice through the Prime Minister

Politically sensitive investigations deemed by PM&C as appropriate for referral to the AFP should be brought to the attention of the Minister for Justice through the Prime Minister. This will enable the Government to be informed at the earliest opportunity.

MSD As necessary

14. Prosecution A zero tolerance approach

Where an investigation has been undertaken other than by a law enforcement agency, investigators will prepare a report that makes recommendations to the FAS, MSD on whether to refer a matter to another law enforcement agency

FCIS As necessary

15. Resolution Review of systems and procedures (post fraud)

If a fraud is detected, the control system involved will be independently reviewed to identify improvements

FCIS As necessary

Formal reporting to the Audit Committee FCIS & Governance, Risk Management & Assurance Section

As necessary

17. Recovery of money/property lost through fraud

If deemed cost effective, will actively pursue the recovery of lost money or property

FCIS As necessary


References

External

Commonwealth Procurement Rules 2012: Summarises the rules for all procurements.

Criminal Code Act 1995: Defines possible offences and penalties relating to fraud.

Crimes Act 1914: Authorises and prescribes activities relevant to the conduct of investigations.

Evidence Act 1995: The primary source of statutory evidence law applying in relation to proceedings in federal courts and Australian Capital Territory courts.

Privacy Act 1988: Prescribes the manner in which private information can be obtained, utilised and shared.

Prosecution Policy of the Commonwealth: Underpins all of the decisions made by the CDPP throughout the prosecution process and promotes consistency in decision making.

Public Governance, Performance and Accountability Act 2013: Consolidates into a single piece of legislation the governance, performance and accountability requirements of the Commonwealth and relevant entities.

Public Governance, Performance and Accountability Rule 2014: Sets a minimum standard for accountable authorities of Commonwealth entities for managing the risk and incidents of fraud.

Public Service Act 1999: Provides the legal framework for APS employees. The Act also establishes the APS Values and Code of Conduct.

Internal

Secretary’s Instructions: Provide guidelines on the Department’s Financial Management framework, including responsibilities relating to fraud control and reporting and the identification and management of risk.

Fraud Control and Fraud Reporting: Contains fraud prevention and detection information and details of how to report fraud.
