FRAUD CONTROL PLAN 2014 – 2016

Foreword

The Department of the Prime Minister and Cabinet (PM&C) has unique responsibilities and a privileged role within the Commonwealth. PM&C has a strategic policy development and coordination role, providing guidance to the whole of government, in addition to a substantial programme delivery responsibility.

As a PM&C staff member you have an essential role to play in reducing the Department’s exposure to fraud. This Fraud Control Plan 2014 to 2016 (the Plan) outlines our approach to effectively prevent, detect and respond to fraud or misuse of Commonwealth resources. Fraud has the potential to undermine our ability to achieve our objectives, our reputation and our ethical organisational culture.

Recent fraud response activities have identified that elements of organised crime are viewing government programmes as potential targets. Organised crime has evolved well beyond a simple law and order problem within the remit of an individual agency, jurisdiction or country. Estimates of what fraud costs Australians vary, but even conservative estimates put the cost at over $8.5 billion a year. According to the Australian National Audit Office, in 2010 – 11, external and internal fraud losses against the Commonwealth were estimated at $119 million. Of the estimated amount, $116 million related to external fraud, while $3 million related to internal fraud.

In all our dealings, we must ensure public monies are spent for their intended purposes, information is secured, and assets and resources are used appropriately to protect the interests and reputation of the Department. In our day to day activities, we must ensure our business operations are not compromised and that we have adequate internal controls to minimise risks to achieving our purpose. To manage the risk of opportunistic fraud, we must ensure our business processes are streamlined and that complexity is minimised.
This Plan is intended to support PM&C staff to assess risk as well as prevent, detect and report fraud so that Commonwealth funding and assets are used for their intended purpose.

Elizabeth Kelly
Deputy Secretary, Governance

FRAUD CONTROL PLAN VERSION 2014 – 2016 I

Document History

A history of released document versions:

Version | Date | Description | Approved
2012 – 2014 | Oct 2012 | Fraud Control Plan (FCP) | Secretary
2014 – 2016 | Sep 2014 | Draft FRA and FCP | Fraud Manager, FCIS
2014 – 2016 | Oct 2014 | Draft FRA and FCP | Assistant Secretary, GARB
2014 – 2016 | Nov 2014 | Draft FRA and FCP | First Assistant Secretary, MSD
2014 – 2016 | Feb 2015 | Final FRA and FCP | Deputy Secretary, Governance

Change Control

The PM&C Fraud Control Officer is responsible for the maintenance and implementation of changes to this document.

Approval

Name | Position | Date
Elizabeth Kelly | Deputy Secretary, Governance | 4 February 2015
Pip Spence | First Assistant Secretary, MSD | 27 January 2015
Sam Skelton | Assistant Secretary, GARB | 27 January 2015

Contents

Foreword ..... I
Document History ..... II
Approval ..... II
Contents ..... III
Glossary ..... V
Abbreviations ..... VII
1. Introduction ..... 1
   1.1 Legislative and Policy Requirements ..... 1
   1.2 Objectives of the Plan ..... 1
2. Department of the Prime Minister and Cabinet ..... 2
3. Governance ..... 2
   3.1 Officers who have key responsibilities for fraud control in PM&C ..... 2
   3.2 Executive Committees ..... 3
       3.2.1 Executive Leadership Group ..... 3
       3.2.2 Audit Committee ..... 3
       3.2.3 Security Committee ..... 3
       3.2.4 Senior Management Group ..... 4
       3.2.5 People and Leadership Committee ..... 4
4. Fraud Control Environment ..... 5
   4.1 Key fraud control strategies ..... 5
   4.2 Definition of Fraud ..... 5
   4.3 Fraud Policy Statement ..... 6
5. Fraud Management ..... 7
   5.1 Fraud prevention ..... 7
   5.2 Fraud risk management ..... 7
   5.3 Relative exposure to external and internal fraud ..... 8
       5.4.1 Screening service providers ..... 9
   5.5 Fraud Risk Assessment ..... 9
       5.5.1 Methodology ..... 9
       5.5.2 Sources of Risk ..... 10
       5.5.3 Overview of the fraud risks ..... 11
       5.5.4 Risk assessment analysis ..... 12
6. Detection (Reporting), Investigations and Response ..... 12
   6.1 Reporting Fraud ..... 12
   6.2 Public Information and Disclosure Act ..... 13
   6.3 External Performance Reporting ..... 13
       6.3.1 Annual and Statistical Reporting ..... 13
       6.3.2 Australian National Audit Office ..... 13
   6.4 Investigation ..... 13
       6.4.1 Compliance ..... 14
       6.4.2 Internal audit ..... 15
   6.5 Referral ..... 15
       6.5.1 Referrals to law enforcement agencies ..... 15
       6.5.2 Commonwealth Director of Public Prosecution Referrals ..... 15
       6.5.3 Proceeds of Crime Referrals ..... 16
Appendix A - Fraud Control Responsibilities for All Staff ..... 16
References ..... 23
   External ..... 23
   Internal ..... 23

Glossary

Term – Description
Accountable Authority – Is the Secretary of the Department of the Prime Minister and Cabinet (PM&C).
Compliance – The outcome of the Department meeting its legal and ethical obligations.
Commonwealth Entity – A department of state, a parliamentary department, a listed entity or a body corporate established by a law of the Commonwealth.
Control – A measure that modifies a risk.
Department – The Department of the Prime Minister and Cabinet.
Entity – A department of state, a parliamentary department, a listed entity or a body corporate established by a law of the Commonwealth.
External fraud – Fraud committed against PM&C by a person other than an employee or contractor of PM&C.
Fraud response – Covers the systems and processes that assist an entity to respond appropriately to an alleged fraud where it is detected.
Fraud risk assessment – The application of risk management principles and techniques to assess the risk of fraud in PM&C.
Fraud risk register – Contains a collection of individual detailed fraud risk assessments.
Internal fraud – Fraud committed against PM&C by an employee or contractor.
Investigation – A process of seeking information relevant to an alleged, apparent or potential breach of the law, involving possible judicial proceedings. The primary purpose of an investigation is to gather admissible evidence for any subsequent action, whether under criminal, civil penalty, civil, disciplinary or administrative sanctions.
Prevention – Strategies that are designed to proactively reduce or eliminate fraud committed against PM&C.
Residual risk – A risk remaining after risk treatment.
Risk owner – A person or entity with the accountability and authority to manage a risk.
Risk profile – A description of any set of risks.
Risk treatment – A process to modify risk.
Stakeholders – Those people and organisations who may affect, be affected by or perceive themselves to be affected by a decision or activity.
Abbreviations

Abbreviation – Description
AAO – Administrative Arrangements Order
AFP – Australian Federal Police
AGIS – Australian Government Investigation Standards
AIC – Australian Institute for Criminology
APS – Australian Public Service
AS – Assistant Secretary
CDPP – Commonwealth Director of Public Prosecutions
FAS – First Assistant Secretary
FCIS – Fraud Control and Investigations Section
GARB – Governance, Audit and Reporting Branch
MoG – Machinery of Government
MSD – Ministerial Support Division
PID – Public Interest Disclosure Act 2013
PGPA Act – Public Governance, Performance and Accountability Act 2013
PGPA Rule – Public Governance, Performance and Accountability Rule
PM&C – Department of the Prime Minister and Cabinet

1. Introduction

Fraud against the Commonwealth is a serious matter for all Commonwealth entities and for the wider community. PM&C has a zero tolerance for fraud. Not only is fraud a criminal offence, it also reduces the funds available for delivering public goods and services and has the propensity to undermine the public’s confidence in government.

Corruption is commonly associated with fraud; however, it can also be a risk in itself (where fraud is not directly involved). Recent corruption inquiries in the Australian Public Service (APS) indicate that while levels of corruption and serious misconduct in the APS remain low, the risks remain real. This Fraud Control Plan and associated Fraud Risk Assessment take into account the risks of corruption, and aim to mitigate them through the promotion of a culture of ethical behaviour.

The leadership role PM&C plays in the Commonwealth demands that our senior executives and managers are familiar with the key elements of a robust fraud control framework, including policy, legal and governance requirements.
Effective fraud control strategies need an integrated response led by the executive and embedded in governance, programme design and management. This Plan outlines the obligations, systems, policies and strategies PM&C has in place to prevent, detect and respond to fraud.

1.1 Legislative and Policy Requirements

Fraud is a criminal offence under Chapter 7 of the Criminal Code Act 1995. The foundations for this Plan and fraud risk assessment are stipulated in sections 15 to 19 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act), and section 10 of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule). These sections set out fraud control requirements to assist the Department to meet its obligations under the PGPA Act. Breaches of the fraud rule may attract a range of criminal, civil, administrative and disciplinary remedies.

Other relevant legislation includes the Public Interest Disclosure Act 2013 (the PID Act), which provides the legislative basis for whistleblowing including corruption or wastage of public funds, the Public Service Act 1999 (PS Act) and the Australian Public Service (APS) Values and Code of Conduct.

In conducting the Department’s fraud risk assessments, which underpin this Plan, the AS/NZS/ISO 31000:2009 Risk Management - Principles and Guidelines, the Australian Standard 8001 – 2008: Fraud and Corruption Control and the PM&C Risk Management Framework were followed.

1.2 Objectives of the Plan

The primary objectives of the Plan are to protect public money, information and property and safeguard the integrity and reputation of PM&C. The Plan is underpinned by fraud risk assessments which are detailed in the Fraud Risk Register. The fraud risk assessments are dynamic and will be reviewed six monthly, or on a needs basis, through ongoing and targeted analysis.
The Fraud Risk Register is not made public or generally available (to internal or external stakeholders) as it contains sensitive information.

2. Department of the Prime Minister and Cabinet

Under the Public Service Act 1999 and the PGPA Act 2013, the Secretary is accountable for the Department's performance and compliance with legal requirements. Key responsibilities include:

• managing the affairs of the Department efficiently, effectively, economically and ethically;
• providing leadership, strategic direction and a focus on results for the Department; and
• engaging with stakeholders, particularly in relation to the core activities of the Department.

The Secretary is supported by an Executive team and operational managers who assist in providing leadership, establishing the organisational culture, promoting integrity and developing the strategies necessary to ensure ‘best practice’ fraud control is embedded in organisational governance and processes.

3. Governance

The realisation of fraud risks in a number of high-profile government programmes has highlighted the need for strong leadership which supports effective fraud control. Poor leadership can lead to a culture of complacency within organisations with respect to fraud control and management. Appropriate governance structures are therefore critical to the effective operation of fraud control and support the role of the Secretary.

3.1 Officers who have key responsibilities for fraud control in PM&C

Secretary

Under the PGPA Act, the Secretary is accountable for governing the organisation in a way that promotes the proper use of public resources. This includes the mandatory requirement to conduct fraud risk assessments and to develop a fraud control plan. The Secretary has delegated some authority to other accountable officers and committees.
Deputy Secretary (Governance)

The Deputy Secretary, Governance has the corporate responsibility for overseeing the implementation of fraud prevention and control for the Department.

First Assistant Secretary, Ministerial Support Division

The First Assistant Secretary (FAS), Ministerial Support Division (MSD), has responsibility for policy and management of fraud prevention and fraud control.

Assistant Secretary, Governance, Audit and Reporting Branch, Ministerial Support Division

The Assistant Secretary (AS), Governance Audit and Reporting Branch (GARB) has operational responsibility for governance issues including fraud prevention and control, and ensuring that business processes and internal and external controls are planned and undertaken following the due consideration of fraud risk exposures.

Fraud Manager, Fraud Control and Investigations Section, GARB

The Fraud Manager, Fraud Control and Investigations Section (FCIS), GARB, has responsibility for developing, implementing, and maintaining the fraud control plan and reporting framework.

3.2 Executive Committees

The Secretary has established several committees to support oversighting the proper use and management of public resources and the financial sustainability of PM&C.

3.2.1 Executive Leadership Group

The Executive Leadership Group makes key management and issue management decisions in PM&C. It considers strategic issues impacting on the Department, including any ongoing or emerging risks, and monitors performance in delivering outcomes.

3.2.2 Audit Committee

The Audit Committee provides independent assurance and assistance to the Secretary and the Executive on PM&C’s risk, control and compliance frameworks. Key review responsibilities of the Audit Committee include:

• risk management;
• the internal control framework;
• external accountability (including the PM&C’s financial statements);
• legislative compliance;
• internal audit; and
• external audit.
The audit committee’s responsibilities in relation to fraud control generally include:

• reviewing the risk management framework and associated procedures for the effective identification and management of PM&C’s financial and business risks, including fraud risks; and
• reviewing the process of developing and implementing the fraud control plan, to provide assurance that PM&C has appropriate processes and systems in place to prevent, detect and effectively respond to fraud-related information.

3.2.3 Security Committee

The objective of the Committee is to monitor the Department’s preparedness to counter security threats and to report and make recommendations to the Executive Group on any significant security risk management issues requiring its attention. The Committee is also responsible for establishing well-designed security risk management policies, for ensuring an appropriate level of senior management involvement and clarification of roles and responsibilities, and appropriate training for staff with security responsibilities. The Committee also seeks to put into place systematic and coordinated security risk management processes, in order to identify, assess, treat and control protective security risks.

The Committee has a key responsibility of oversighting adherence to the Australian Government’s Protective Security Policy Framework. Fraud control is central to this Framework.

3.2.4 Senior Management Group

The Senior Management Group comprises the Executive Leadership Group and all Senior Executive Service Band 2 Officers. It meets each week to discuss key business issues for the Department, including business priorities, key commitments and any ongoing or emerging risks.

3.2.5 People and Leadership Committee

The role of the Committee is to empower the whole Department to participate in strategic human resource issues, noting all employees are responsible for contributing to a positive work environment.
The Committee provides strategic advice to the Secretary and the Executive Leadership Group on integrating the Department's people planning, including leadership priorities and development within the Department's strategic direction and business priorities.

Senior executives must ensure the work practices of the Department are consistent with the principles of the APS Values and Code of Conduct. Creating a culture in which employees are prepared to report a suspected fraud and supported when they do so is critical in the ongoing operation of the Department’s fraud control strategy. In terms of fraud detection, the KPMG Fraud and Misconduct Survey 2010 identified that 20 per cent of reported major frauds were identified by employees. The Australian Institute of Criminology (AIC) has also reported that the detection of external fraud through discovery by staff members or colleagues was an important method of detection. [1]

[1] Fraud Control and Australian Government Entities – Better Practice Guide – March 2011, Page 10

4. Fraud Control Environment

As part of the Department’s commitment to good governance, PM&C promotes a culture that encourages and supports all staff to be accountable for their actions and act with integrity, trust, honesty and respect. PM&C requires all staff to comply with the PS Act and uphold the APS Values and Code of Conduct.

4.1 Key fraud control strategies

Fraud control requires the implementation of a number of key control strategies which contribute to an effective fraud control framework. These strategies are interdependent and subject to a cyclic process of review and enhancement, alongside active management and ownership within the Department.
The strategies are grouped into four key themes:

• fraud prevention involves those strategies designed to prevent fraud from occurring in the first instance;
• fraud detection includes strategies to discover fraud as soon as possible after it has occurred;
• fraud response covers the systems and processes that assist an entity to respond appropriately to an alleged fraud when it is detected; and
• fraud monitoring, reporting and evaluation are strategies to provide assurance that legislative responsibilities are being met, as well as promoting accountability by providing information that demonstrates compliance with specific fraud control strategies. [2]

Executive oversight through sound governance arrangements will ensure that each strategy does not operate in isolation, and that interdependencies are effectively identified and managed appropriately. [3]

[2] Fraud Control and Australian Government Entities – Better Practice Guide – March 2011
[3] Fraud Control and Australian Government Entities – Better Practice Guide – March 2011

4.2 Definition of Fraud

The Department has adopted the definition of fraud provided in the PGPA Fraud Rule, which is defined as “Dishonestly obtaining a benefit, or causing a loss, by deception or other means.”

Fraud against the Commonwealth may include but is not limited to:

• theft;
• Commonwealth programme funding and grants (e.g. Remote Jobs and Community Programme, School Attendance, Social and Emotional Wellbeing);
• entitlements (e.g. expenses, leave, travel allowances or attendance records);
• facilities (e.g. unauthorised use of corporate credit cards or information technology and telecommunication systems);
• accounting fraud (e.g. false invoices, misappropriation);
• unlawful use of, or unlawful obtaining of, property, equipment, material or services;
• causing a loss, or avoiding and/or creating a liability;
• providing false or misleading information to the Commonwealth, or failing to provide information when there is an obligation to do so;
• misuse of Commonwealth assets, equipment or facilities;
• making, or using, false, forged or falsified documents; and
• wrongfully using Commonwealth information or intellectual property.

It is important to note a benefit is not restricted to a monetary or material benefit, and may be tangible or intangible, including the unauthorised provision of access to, or disclosure of, information. A benefit may also be obtained by a third party rather than, or in addition to, the perpetrator of the fraud.

4.3 Fraud Policy Statement

The Department of the Prime Minister and Cabinet (PM&C) does not tolerate dishonest or fraudulent behaviour and is committed to deterring and preventing such behaviour in the performance of its business operations. Fraud undermines the ability of PM&C to achieve its objectives.

The Department has adopted the definition of fraud provided in the Commonwealth Fraud Rule, which is defined as “Dishonestly obtaining a benefit, or causing a loss, by deception or other means.” For a more comprehensive definition of fraud see Section 4.2, page 5, of the PM&C Fraud Control Plan.

Fraud prevention is the responsibility of all PM&C staff. PM&C staff play an essential part in reducing the Department’s exposure to fraudulent activity by behaving in an ethical way consistent with the APS Code of Conduct and APS Values, and by reporting any incidents of suspected fraud.
PM&C’s Fraud Policy Statement is in line with the PGPA Fraud Rule and is available to all staff and external service providers on the internet, intranet and extranet sites. The aim of the Fraud Policy Statement is to reflect better practice in fraud risk management and to protect public money, property and information.

The Department’s commitment to preventing fraud and deterring fraudulent behaviour will be met by:

• maintaining an effective system of internal controls to protect public money, information and property;
• ensuring all PM&C officials are aware of their obligations in relation to fraud through the Department’s fraud awareness training;
• conducting periodic fraud risk assessment reviews to identify emerging opportunities for fraud and implementing prevention and minimisation procedures in day to day operations;
• establishing formal procedures for reporting and investigating allegations of dishonest and/or fraudulent behaviour;
• assuring confidentiality with regard to receiving and handling investigations;
• referring allegations of serious wrongdoing or misconduct under the Public Interest Disclosure Act to HR;
• maintaining efficient and effective arrangements to investigate fraud;
• reacting appropriately to situations by referring offenders to the Australian Federal Police (AFP) and other state and territory law enforcement agencies where necessary;
• investigating fraud in accordance with the Australian Government Investigations Standards (AGIS);
• seeking civil, administrative or disciplinary remedies such as those available under the Public Service Act 1999; and
• pursuing all means open to the Department to recover losses caused by illegal activity, irrespective of whether a prosecution is undertaken, including the use of proceeds of crime legislation and civil recovery action.
The Fraud Policy should be read in conjunction with other relevant documents, including the Department’s Fraud Control Plan, Commonwealth Grant Rules and Guidelines 2014, the Commonwealth Procurement Rules 2014, the Department’s Protective Security Policy and the Department’s Risk Management Framework.

5. Fraud Management

5.1 Fraud prevention

Fraud prevention strategies are the first line of defence and provide the most cost-effective method of controlling fraud within PM&C. To be effective, fraud prevention requires a number of contributory elements, including an ethical organisational culture, a strong awareness of fraud among employees, suppliers, service providers and clients, and an effective internal control framework. [4]

Key elements of PM&C’s fraud prevention strategies include:

• a robust Fraud Policy Statement;
• promotion of and adherence to the APS Code of Conduct;
• sound fraud risk management processes;
• a comprehensive fraud control plan;
• practical employee, and third party, due diligence;
• regular fraud awareness training;
• fraud-related controls for activities with a high fraud risk exposure;
• system controls to ensure accurate and up-to-date data; and
• communication about investigation outcomes to demonstrate that allegations and incidences of fraud are treated seriously and appropriately dealt with. [5]

[4] Fraud Control and Australian Government Entities – Better Practice Guide – March 2011
[5] Fraud Control and Australian Government Entities – Better Practice Guide – March 2011, Page 78 paragraph 8.2.3.

5.2 Fraud risk management

Risk management is crucial to fraud control because it provides a framework to identify, analyse, evaluate, and treat fraud risks. Structured and systematic risk management methodologies can therefore assist the Department to assess the level and nature of its exposure to fraud threats. These methodologies also establish fraud risk profiles so that resources proportionate to the nature and scale of the risk can be allocated to mitigate or minimise significant risks. The effectiveness of control measures can then also be evaluated.

As there is often considerable overlap between organisational risks (that is, enterprise risk, business risk, audit risk, security risk and fraud risk), fraud risk assessments must be considered in the broader context of organisation-wide strategic planning and risk assessment. This overlapping of risks means, in turn, that controls addressing these risks may intersect. For example, security controls to manage risks to the integrity of PM&C’s information systems, or special projects such as the G20 Summit, can be similar to the fraud controls required. In addition, a robust fraud control plan can itself be an effective control in the treatment of an organisation’s reputation and/or business continuity risks.

5.3 Relative exposure to external and internal fraud

The risk of fraud may be internal (committed by an employee or contractor of PM&C) or external (committed by an external service provider or third party). In complex fraudulent activity there may be collaboration between employees, contractors and/or external service providers.

Common types of internal fraud include:

• theft or misuse of tangible assets (cash, inventory, plant and equipment) by employees;
• entitlements (e.g. expenses, leave, travel allowances or attendance records);
• theft or misuse of intellectual property or other confidential information (including funding proposals, procurement information, personal records);
• release or use of misleading information for the purposes of deceiving, misleading or to hide wrongdoing;
• false invoicing;
• credit card and other payments fraud;
• receiving bribes or improper payments; and
• misuse of position by employees in order to gain some form of financial or non-financial benefit (corruption).
Typically, the principle opportunities for internal fraud to occur arise from poor internal controls. Examples of external fraud include: • • false reporting on the expenditure of funding and falsifying funding applications to receive payments from government programmes that they are knowingly not eligible for; and external service providers making claims for services that were not provided, converting funded assets to personal use or misappropriating cash payments for personal use. Internal audit can specifically assist the Department to manage fraud control by providing advice on the risk of fraud, advising on the design or adequacy of internal controls to minimise the risk of fraud occurring, and by assisting management to develop fraud prevention and monitoring strategies. FRAUD CONTROL PLAN, VERSION 2014 – 2016 8 5.4 Outsourcing arrangements PM&C relies heavily on third-party service providers, including non-government organisations, the private sector or other levels of government to undertake significant work on its behalf. Under the PGPA Act and the PGPA Fraud Rule, PM&C has an obligation to make thirdparty providers aware of PM&C’s position on fraud control and put measures in place to ensure that third-party service providers meet the high standard of accountability required as part of the Australian Government’s financial management framework. PM&C retains responsibility for the services delivered by third parties to clients, including requirements in relation to fraud control.6 If allegations are made in relation to third-party providers, PM&C needs to determine whether, if proven, the fraud constitutes fraud against the Commonwealth. If a third-party provider experiences internal fraud, this does not necessarily constitute fraud against the Commonwealth. The victim of the fraud is more likely to be the contractor and action is most likely to be considered under state or territory law. 
However, third parties may be subject to Criminal Code offences, including the abuse of public office offence under section 142.2, as highlighted in the PM&C Head Agreement for Indigenous Grants.

5.4.1 Screening service providers

Confirming the identity and reputation of service providers is important in managing fraud control within PM&C. In accordance with the Commonwealth Grants Rules and Guidelines 2014, the vetting of service providers should be tailored to the materiality and relative risk the individual or organisation represents.7 The standard AS 8001-2008 Fraud and Corruption Control requires organisations to ‘take steps to ensure the bona fides of new suppliers and customers and periodically confirm the bona fides of continuing suppliers and customers’.

5.5 Fraud Risk Assessment

Section 10, paragraph (a) of the PGPA Fraud Rule states: ‘A fraud risk assessment must be conducted regularly and when there is substantial change in the structure, functions or activities of an entity.’ Risk assessments should consider internal and external fraud risks and should be refined on an ongoing basis. Fraud risk should not be looked at in isolation from the general business of the Department, but should be considered as an aspect of the Department’s broader risk assessment processes, including the Department’s security risk assessment.
6 Resource Management Guide No. 201, page 8, paragraph 4.7.
7 Commonwealth Grants Rules and Guidelines 2014.

5.5.1 Methodology

To identify the Department’s sources of fraud risk, the following methodology was used:
• the Fraud Control Officer, through the FAS MSD, contacted all PM&C First Assistant Secretaries to seek their input into the review of the Department’s fraud control plan;
• contact officers were nominated by the respective Divisions / Branches;
• the review took the form of face-to-face meetings and interviews with managers, subject matter experts and operational staff;
• Fraud Control and Investigation staff met with each identified fraud risk owner and together identified, reviewed and/or developed the fraud risk assessment for their respective business area;
• during the review / development, each of the identified risks, their contributing factors, consequences and likelihood/consequence ratings were assessed for relevance and updated as required;
• during the review, new and emerging risks and agreed controls were added to the assessment where appropriate;
• key controls were reviewed / developed and assessed for each individual risk. The controls were analysed for their adequacy and effectiveness and, where the risks were assessed as unacceptable, treatment strategies were identified to reduce their levels;
• the actual risk and residual risk levels were reviewed and adjusted where needed to reflect the nature of the risk and the controls already in place. The risk ratings are in accordance with the PM&C Risk Assessment Matrix; and
• after consulting with all the risk owners, the FCIS updated the risk assessment and circulated draft copies to the risk owners for their analysis and comment. Comments from the risk owners were further assessed and, where appropriate, included in the fraud risk assessment.

5.5.2 Sources of Risk

The fraud risks identified in the consultation process have been categorised in the table below.
Sources of fraud risk

Administrative fraud: Occurs when PM&C staff use resources for purposes other than those for which they were provided. This can involve stealing property for personal use, manipulating salaries or fraudulent overtime claims.

Information Management (IM): Risks relating to employees / contractors inappropriately using IT system access to dishonestly create, delete and modify PM&C data and records. The benefit obtained may be tangible or intangible. An example of a tangible benefit would be the selling or provision of personal information to third parties (e.g. private investigators). An intangible benefit may be obtaining personal information about a colleague, or others, which the person was not entitled to.

Grants / Programme Funding: Risks relating to inappropriate provision, use and acquittal of Programme funding. This includes providing false or misleading information to claim payment, or providing false or misleading advice of changed circumstances under the conditions of the relevant grant.

Credit Cards: Risks relating to staff using credit cards dishonestly to receive cash or purchase personal goods and services.

Property / Fit Outs / Asset Management: Internal and external fraud. Asset risk exposures relate to the tangible property assets of PM&C, including buildings, vehicles, plant and equipment, records, data and intellectual property, and to theft or copying of intangible assets.

Physical security: Risks relating to protection of people, information and property from potential threats and dangers, including the protection of information from misuse or unauthorised disclosure.

Procurement and Contracting: Risks relating to liability issues, contractual obligations, probity, legislative and regulatory obligations, breach of duty of care, service standards and service level agreements. Purchasing functions not performed in accordance with the Public Governance, Performance and Accountability Act 2013 (PGPA Act). Purchase orders fraudulently raised for goods and services.

Accounts payable / Treasury: Risks relating to staff members and external parties deceitfully obtaining benefits to which they are not entitled.

Staff Selection Processes: Risks relating to an applicant making a false claim, providing false documentation or submitting false referee reports. Other risks may include conflict of interest or favouritism in the recruitment process by a delegate.

Salaries: Salary payments may be incorrect, unauthorised or invalid, and/or payroll ghosting.

Leave: Leave entitlements, flex and medical information/documents may be falsified or dishonestly recorded.

Travel / CabCharge: Risks include inappropriate/unauthorised travel or misuse of CabCharge. Travel plans may be changed without corresponding changes to travel allowance being made. Travel allowance or remote locality leave fares may be overstated or fraudulent.

Motor vehicles and fuel: Risks relating to staff members using departmental vehicles and fuel for private purposes.

Special Accounts: Risks relating to inappropriate expenditure, financial management and financial system failures, taxation rates, interest rates, exchange rates, loss of revenue and increases in costs.

5.5.3 Overview of the fraud risks

Overall, 69 potential fraud risks were assessed across the Department. Of the 69, 17 had low materiality and did not require formal documented fraud risk assessments. For the remaining 52, individual fraud risk assessments were conducted and their residual risk ratings are summarised in table 5.5.4. Of the 52 assessed risks, 49 (94.2%) were assessed as having an acceptable Low to Moderate residual risk level. The remaining three risks (5.8%) were rated High. On this basis the overall potential for fraud in PM&C is considered Low to Moderate.
At the time of the assessment, no independent control testing was conducted for the individual existing controls. Risk owners’ assessments of the residual risk ratings were relied upon to determine the overall PM&C risk profile. Hence there is an opportunity for PM&C Internal Audit to test the control framework to ensure its adequacy. Notwithstanding the above, there is a need for ongoing monitoring of the internal control environment to ensure the risks do not escalate. New or emerging risks need to be identified early and managed appropriately to prevent fraud.

5.5.4 Risk assessment analysis

A summary of the functional areas’ activity risks, the total number of risks in each of the functional activities and the residual risk ratings is provided in the table below.

Functional activities   Number of identified risks   Very High   High   Moderate   Minor   Low
ICT                       3                          0           2      0          1       0
Corporate                16                          0           1     10          3       2
Programme                33                          0           0     15         12       6
Total                    52                          0           3     25         16       8
Percentage              100%                         0.0%        5.8%  48.1%      30.8%   15.4%

In accordance with the PM&C Risk Management Framework, treatment strategies must be identified and implemented for risks rated High or Very High. A risk rated Moderate is acceptable if the potential benefit outweighs the consequences of the associated risk. Low or Minor risk is acceptable and requires no treatment. All risks must be monitored to ensure they do not escalate.

6. Detection (Reporting), Investigations and Response

Fraud detection, investigation and response are key elements of the overall fraud control framework. Paragraphs (d) and (e) of section 10 of the PGPA Fraud Rule require PM&C to have appropriate mechanisms for detecting (reporting) and investigating fraud. These mechanisms have been developed by PM&C in accordance with the requirements of the AGIS. Despite prevention activities, fraud may still occur.
A summary of actions to improve the overall fraud control environment through systems, internal controls and processes is provided in the Fraud Risk Action items at Appendix B.

6.1 Reporting Fraud

Under Secretary’s Instruction 1.2, staff must report all incidents of suspected or potential fraud immediately to the GARB. PM&C can also receive reports of alleged fraud from internal and external audits and reviews, members of the public, external contractors, service providers and other Government agencies, including law enforcement bodies. Internal and external guidelines for reporting fraud to PM&C have been published on PM&C’s internet, intranet and extranet sites. The reporting channels are:
• the Fraud Hotline: (02) 6152 3598;
• the Fraud Helpdesk email: fraud@pmc.gov.au; and
• the Fraud Reporting Form, available on the intranet.

6.2 Public Interest Disclosure Act

On 15 January 2014 the PID Act commenced. On the same day the whistleblowing provisions under the PS Act were repealed. The PID Act builds on practices established to protect APS employees who ‘blow the whistle’ on suspected breaches of the APS Code of Conduct. Other entities connected with the Australian Government are also covered by the PID Act, and new avenues for reporting suspected wrongdoing are available. The emphasis of the scheme is on disclosures being made and investigated within government.

A public interest disclosure is the reporting of wrongdoing in the Commonwealth public sector where investigation and correction is in the public interest. This may include conduct which employees reasonably believe:
• contravenes a law;
• is corrupt;
• perverts the course of justice;
• results in wastage of public funds or property;
• is an abuse of public trust;
• unreasonably endangers health and safety or endangers the environment; or
• is maladministration, including conduct that is unjust, oppressive or negligent.
A disclosure does not include disagreements with government policy or expenditure. More detailed information about the PID Act and how to make a disclosure can be found on PM&C’s internet and intranet sites under Public Interest Disclosure Act Procedures.

6.3 External Performance Reporting

6.3.1 Annual and Statistical Reporting

PM&C is required to provide an annual return to the AIC prior to 30 September each year. The information provided includes statistical data on suspected fraud, matters under investigation, completed matters, whether the fraud was proven or not, and whether the matter was dealt with by way of criminal, civil or administrative remedy.

6.3.2 Australian National Audit Office

The Australian National Audit Office (ANAO) is responsible for assessing key aspects of an entity’s fraud control arrangements to effectively prevent, detect and respond to fraud, as outlined in the PGPA Fraud Rule.

6.4 Investigation

Prior to the AAO in September 2013, PM&C outsourced its fraud investigation function. PM&C now has an in-house capability to conduct internal and external fraud investigations in accordance with the AGIS.

The purpose of a fraud investigation is to gather evidence relating to a specific fraud allegation or allegations, to determine the facts of the matter and to assist in deciding what, if any, action should be taken. Under the PGPA Rule, PM&C is required to investigate instances of alleged fraud and to document the reasons for its decisions, irrespective of whether the initial assessment results in the matter being referred for a criminal investigation. PM&C’s FCIS observes the PGPA Rule requirements and the AGIS, which provide guidance on investigation competency standards for Commonwealth employees and investigation service providers.
The FCIS is responsible for:
• receiving and investigating allegations of internal and external fraud;
• managing the Fraud Control Plan, including monitoring of its implementation;
• developing and delivering fraud awareness training; and
• mandatory reporting on fraud-related matters for PM&C.

PM&C’s Investigators (APS 4–6) are required to hold, as a minimum, the Certificate IV in Government Investigation; Senior Investigators (EL1) the Diploma of Government Investigation; and Managers (EL2) the Advanced Diploma of Government Investigation.

The FCIS uses a secure, restricted-access, entity-based case management system that records cases, case notes, incident and information reports, tasks and task results to manage all aspects of an investigation. This system also provides for data and intelligence management, which in turn supports timely and accurate reporting.

6.4.1 Compliance

Non-compliance with the terms and conditions of funding agreements is a particular issue for PM&C. However, non-compliance may not constitute fraud. For fraud to be established there must have been intent to commit the fraud. Non-compliance may occur because of a lack of understanding or awareness of obligations, because compliance is difficult, or it may be deliberate.

The Programme Integrity Branch, Indigenous Affairs Group, is responsible for the Department’s programme risk and compliance frameworks. The Branch takes a proactive, risk-based approach to compliance activities. This includes the development of an intelligence-led assurance programme that identifies and addresses areas of risk through compliance activities such as desktop reviews, spot audits and site visits that incorporate known fraud indicators and enablers of serious non-compliance. The Branch reports on systemic issues and trends, feeding back lessons learned to improve programme outcomes, with the aim of ensuring Departmental staff and funded organisations understand their compliance obligations.
The Compliance Operations Section, Programme Integrity Branch, works closely with the FCIS, Governance, Audit and Reporting Branch, in making decisions at a number of critical stages in the management of serious non-compliance or a suspected fraud. When referrals to either Branch are received, the information goes through an assessment process to determine whether the issues relate to fraud or to serious non-compliance in connection with PM&C funding. If the information falls outside the jurisdiction of either Branch to take action, it may be referred to another area in PM&C or an external agency, or simply retained for intelligence purposes.

6.4.2 Internal audit

Internal audit provides an independent and objective review and advisory mechanism to:
• provide assurance to the Secretary that the financial and operational controls designed to manage the Department’s risks and achieve its objectives are operating in an efficient, effective and ethical manner;8 and
• assist management in improving PM&C’s business performance.

Internal audit can provide advice on the risk of fraud, advise on the design or adequacy of internal controls to minimise the risk of fraud occurring, and assist management to develop fraud prevention and monitoring strategies.9

6.5 Referral

6.5.1 Referrals to law enforcement agencies

PM&C will refer matters to the AFP in accordance with the requirements of the AFP Case Categorisation and Review Model. This includes matters that are considered serious or complex, involve cross-agency issues, or are of a politically sensitive nature. In certain circumstances matters should also be brought to the attention of the Prime Minister and the Minister for Justice at the time of referral. If the AFP declines to investigate a matter, it will advise PM&C of the reasons in writing at the earliest opportunity and, in any case, within 28 days (unless another period is agreed).
The AFP may also suggest alternative methods of handling the matter and may assist PM&C by executing search warrants and providing other forms of assistance. If additional information becomes available that shows the matter is more serious than first indicated, PM&C may again refer the matter to the AFP for consideration.10 When a matter involves offences under state or territory law, PM&C will consider referring it to the responsible state or territory police service or other relevant authority for investigation.

8 ANAO Better Practice Guide, Public Sector Internal Audit: An investment in assurance and business improvement, 2007, p. 4.
9 Resource Management Guide No. 201, July 2014.
10 Resource Management Guide No. 201, 2014.

6.5.2 Commonwealth Director of Public Prosecutions Referrals

Prosecutions are important in deterring fraud and in educating officers and the public generally about the seriousness of fraud. The Australian Government’s policy on prosecution of criminal offences is set out in the Prosecution Policy of the Commonwealth, which is available on the Commonwealth Director of Public Prosecutions (CDPP) website.

If the AFP or another law enforcement agency declines to investigate a potential offence, PM&C may, if it has investigated the matter and obtained sufficient evidence, subsequently refer the matter to the CDPP for consideration of prosecution action. Briefs should be prepared in accordance with the Guidelines for dealings between Commonwealth investigators and the CDPP. If PM&C sends a brief of evidence to the CDPP to consider prosecution action and the CDPP advises that a prosecution will not proceed, PM&C remains responsible for resolving the matter and for considering other available remedies, in accordance with the relevant criteria under the PGPA Act and PGPA Rule.
PM&C should also consider civil, administrative or disciplinary proceedings, for which a lower standard of proof is required.

6.5.3 Proceeds of Crime Referrals

PM&C will take all reasonable measures to recover financial losses caused by illegal activity through proceeds of crime and civil recovery processes or administrative remedies. In this context, ‘benefit’ is not simply financial, but should include consideration of deterrent value and other non-financial benefits such as the public interest and the integrity of the Government’s or PM&C’s reputation.

Appendix A – Fraud Control Responsibilities for all staff

The table below summarises additional fraud control responsibilities for staff, managers and committees.

All staff
• Familiarise themselves with the Plan and consider fraud control in the performance of their duties.
• Behave ethically and in accordance with guidance on employee behaviour in the performance of their duties.
• Immediately report suspected incidents of fraud and misconduct.
• Comply with and apply the ICT Policy, Social Media Policy, Official Travel Policy and APS Values and Code of Conduct.

All Managers and Executive
• Advise staff on procedures for resolving ethical dilemmas through the APS Code of Conduct and the FCP.
• Foster an environment which promotes the highest standards of ethical behaviour.

Governance, Audit & Reporting Branch
• Conduct internal audits of risk, governance and control processes within PM&C.
• Maintain communication with the FCIS to notify it of suspected fraud activities within PM&C.
• Ensure appropriate processes are in place to manage PM&C’s fraud risks in accordance with the Guidelines.
• Review and maintain PM&C’s fraud control policies and instructions and ensure they are communicated to all staff.
• Communicate to all staff their responsibilities in preventing, detecting and reporting fraud.
• Provide Fraud Awareness Training to staff.
• Support programme areas and the Network on compliance issues, fraud, risk, due diligence and matters of internal serious misconduct.
• Formally update the Plan as required.
• Regularly review fraud risks and develop cost-effective strategies, processes and procedures to reduce risk to acceptable levels.
• Implement monitoring, review and reporting processes to report the incidence of fraud within PM&C and advise management on actions to address weaknesses in fraud risk controls.
• Manage the conduct of investigations into suspected fraudulent activity and, where necessary, engage the services of the AFP or other agencies.
• Refer matters to the CDPP in accordance with the Prosecution Policy of the Commonwealth.
• Independently review processes, systems and controls where fraud is detected, to ensure lessons learned are recorded and communicated to relevant stakeholders and governance committees.
• Actively and appropriately pursue the recovery of money or property lost through fraud.
• Conduct operational compliance activities to address serious non-compliance with funding agreements by service providers.
• Proactively collect and analyse intelligence, and disseminate it to stakeholders where appropriate.

Credit Card Holders
• Comply with and apply PM&C’s Credit Card Business Rules.

Fuel Card Holders
• Comply with and apply PM&C’s Fuel Card Business Rules.

Division and Branch Managers
• Identify and manage individual fraud risks originating in or relevant to their Group/Branch and implement risk treatments identified in this Plan.

People, Capability & Performance
• Educate, investigate and manage issues relating to behavioural and ethical standards, such as the APS Code of Conduct and Values (below a criminal threshold).

Appendix B – Summary of Action Items

Fraud risk improvement action items. Each item lists the activity, strategy, action, responsibility and timing.

1. Awareness – Development of resources to support managers and staff
• Ensure staff induction includes fraud awareness training. This should be revised on an annual basis to reflect the changing fraud risk environment. (FCIS; Ongoing)
• Ensure the mandatory fraud eLearning module is completed by all new staff. (FCIS; Dec 2014)
• Dissemination to staff of the fraud policy (SI 1.2). (FCIS; Ongoing)

2. Awareness – Communication to all staff of their responsibilities with regard to prevention, detection and reporting
• Ensure updates and changes to fraud control are advised to staff. (FCIS; Ongoing)
• Provide regular updates on fraud risk management to staff on the intranet, extranet and internet sites. (FCIS; Ongoing)

3. Awareness – Publicly available information on the Department’s attitude and approach to fraud control
• Advise staff of the Department’s attitude to fraud control when the revised Fraud Control Plan is published on the intranet. (FCIS; Sep–Oct 2014)
• Advise the public of the Department’s attitude to fraud control on the internet site, including advising how to report cases of possible fraud. (FCIS; Sep–Oct 2014)

4. Awareness
• Advise staff on the procedures for resolving ethical dilemmas such as conflict of interest. (All staff; Ongoing)
• Foster an environment which promotes the highest standards of ethical behaviour.

5. Fraud Control Plan – Maintain Fraud Control Plan
• Formal update of the FCP every two years and when there are significant functional changes. (FCIS; Sep 2014)

6. Fraud Policy Statement – Maintain Fraud Policy Statement
• Formal update of the FPS every two years and when there are significant functional changes. (FCIS; Sep 2014)

7. Fraud Risk Assessment – Conduct Fraud Risk Assessments
• Liaise with business areas to support them to review / develop their FRAs. (All Branches / Programme Areas; Ongoing, 6 monthly)

8. Report – Update fraud reports for governance committees
• GARB to provide the Audit Committee with fraud trend information to assist in monitoring the levels of internal and external fraud committed across the Department. (Audit Committee; Ongoing, quarterly)

9. Committee – Audit Committee
• Establish an Investigation / Serious Non-compliance Committee to review investigation matters. (GARB; Ongoing)

10. Fraud cases – Cases transferred from other entities during the AAO of 18 Sep 2013
• GARB to ensure that the integrity of any historical cases transferred from other agencies to PM&C is adequately maintained during their migration to the new case management system, the JADE Intelligence System. (FCIS; As necessary)

11. Fraud cases – Case referral to the AFP
• GARB to refer instances of suspected fraud to the appropriate law enforcement agency, such as the AFP or state police, for investigation. (FCIS; As necessary)

12. Investigations – AGIS standards
• GARB to ensure investigations are conducted by appropriately qualified investigators in accordance with the requirements of the AGIS. (FCIS; As necessary)

13. Investigations – Quality Assurance Standards
• Fraud investigations undertaken by the Department may be subject to Quality Assurance Reviews by the AFP. (FCIS; As necessary)

14. Investigations – Staff responsibility
• All departmental staff and contractors have a responsibility to fully assist with any fraud investigation. (FCIS; As necessary)

15. Investigations – Case referral to the Minister for Justice through the Prime Minister
• Politically sensitive investigations deemed by PM&C as appropriate for referral to the AFP should be brought to the attention of the Minister for Justice through the Prime Minister. This will enable the Government to be informed at the earliest opportunity. (MSD; As necessary)

16. Investigations – Investigations software
• Investment in a case management system to collect fraud data to meet the requirements of the PGPA Rule. (FCIS; Oct 2014)

17. Compliance – Protocol with Compliance Integrity Branch
• Establish a protocol to support communications between the Compliance Integrity Branch and GARB (to minimise duplication of assessments / incident reports). (FCIS; As necessary)

18. System review – Review case management systems
• Review case management systems and templates. (FCIS; As necessary)

19. Prosecution – A zero tolerance approach
• Where an investigation has been undertaken other than by a law enforcement agency, investigators will prepare a report that makes recommendations to the FAS, MSD on whether to refer a matter to another law enforcement agency. (FCIS; As necessary)

20. Resolution – Review of systems and procedures (post fraud)
• If a fraud is detected, the control system involved will be independently reviewed to identify improvements. (FCIS; As necessary)
• Formal reporting to the Audit Committee. (FCIS & Governance, Risk Management & Assurance Section; As necessary)

21. Recovery of money/property lost through fraud
• If deemed cost effective, actively pursue the recovery of lost money or property. (FCIS; As necessary)

References

External
• Commonwealth Procurement Rules 2012 – Summarises the rules for all procurements.
• Criminal Code Act 1995 – Defines possible offences and penalties relating to fraud.
• Crimes Act 1914 – Authorises and prescribes activities relevant to the conduct of investigations.
• Evidence Act 1995 – The primary source of statutory evidence law applying to proceedings in federal courts and Australian Capital Territory courts.
• Privacy Act 1988 – Prescribes the manner in which personal information can be obtained, used and shared.
• Prosecution Policy of the Commonwealth – Underpins all of the decisions made by the CDPP throughout the prosecution process and promotes consistency in decision making.
• Public Governance, Performance and Accountability Act 2013 – Consolidates into a single piece of legislation the governance, performance and accountability requirements of the Commonwealth and relevant entities.
• Public Governance, Performance and Accountability Rule 2014 – Sets a minimum standard for accountable authorities of Commonwealth entities for managing the risk and incidents of fraud.
• Public Service Act 1999 – Provides the legal framework for APS employees. The Act also establishes the APS Values and Code of Conduct.

Internal
• Secretary’s Instructions – Provide guidelines on the Department’s financial management framework, including responsibilities relating to fraud control and reporting and the identification and management of risk.
• Fraud Control and Fraud Reporting – Contains fraud prevention and detection information and details of how to report fraud.