Fraud and Corruption Control Framework 2014-16F Director-General’s Foreword This framework sets out the standards for accountability that I expect of all staff. It aims to minimise opportunities for fraudulent and/or corrupt activities in line with our zero tolerance policy. A proactive approach enables the department to manage fraud and corruption risk at an acceptable level in an environment that is becoming increasingly complex. The complexities inherent in our work increase opportunities for fraud and corruption: the ever changing environment in which we operate the growing convergence of the public and private sectors, and the increase in cooperative and or strategic partnerships. All departmental staff must demonstrate a commitment to preventing and detecting fraud and corruption. Effective governance arrangements, ethical leadership and decision making, accountability and performance improvement underpin our controls. This framework will help us to prevent, detect and respond to fraudulent and/or corrupt behaviour. This will ensure our stakeholders continue to be confident of the quality of our services to the community. Dr Jim Watterston Director-General Contents Introduction ··························································································································· 1 Purpose ··············································································································································· 1 Risk-management approach ·············································································································· 1 Structure ············································································································································· 1 Goals and objectives ·························································································································· 2 What are fraud and corruption ························································································ 2 Common examples of fraud and corruption ····················································································· 3 Fraud and corruption control policy statement ·························································· 3 Fraud and corruption control plan ························································································· 4 ANAO conditions ································································································································ 4 CMC 10-element model ····················································································································· 4 DETE fraud and corruption control model ························································································ 4 ANAO conditions in practice ·············································································································· 4 Ethical leadership and culture ······································································································· 5 Legislation and governance ··········································································································· 5 ANAO control strategies ··································································································································6 Roles and responsibilities ·················································································································· 7 DETE control strategies ···················································································································· 10 CMC elements in practice ················································································································ 11 Element 1: Agency-wide integrated policy ·················································································· 11 Element 2: Risk assessment ········································································································· 11 Element 3: Internal controls ········································································································ 13 Element 4: Internal reporting ······································································································ 15 Element 5: External reporting ····································································································· 16 Element 6: Public interest disclosures ························································································· 18 Element 7: Investigations ············································································································ 19 Element 8: Code of Conduct ········································································································ 21 Element 9: Staff education and awareness ················································································· 22 Element 10: Client and community awareness ·······················································································23 Monitoring, review and continuous improvement ········································································ 24 Appendix 1: Legislation and other instruments ············································································ 25 Appendix 2: Definitions ··············································································································· 26 Attachment 1: Risk Assessment Worksheet ················································································· 27 Attachment 2: Risk Matrix··········································································································· 28 Introduction Purpose The purpose of the Fraud and Corruption Control Framework (Framework) is to: minimise opportunities for fraud and corruption (whether committed by internal or external parties) protect public monies, property, and information and organisational and individual rights and maintain the effectiveness of departmental operations. Its implementation will ensure that our workforce acts legally, ethically and in the public interest. The Framework is based upon five best-practice fraud and corruption control resources: Queensland Crime and Misconduct Commission - Fraud and corruption control guidelines for best practice (CMC Guidelines) Queensland Audit Office – Fraud risk management – Report to Parliament 9: 2012-13(QAO Report) The Australian Minister for Home Affairs and Minister for Justice – Commonwealth Fraud Control Guidelines (Commonwealth Guidelines) Australian National Audit Office – Fraud Control in Australian Government Entities – Better Practice Guide (ANAO Better Practice Guide) and Standards Australia – AS 8001-2008 Fraud and Corruption Control (the Standard) Risk-management approach As an integral part of the department’s Enterprise Risk Management Framework, this Framework includes proactive measures designed to enhance system integrity (prevention measures) and reactive responses (reporting, detecting and investigative activities). Structure The Framework consists of a suite of tools and resources including: the department’s Fraud and Corruption Control Policy Statement its Fraud and Corruption Control Plan its Fraud and Corruption Control Risk Assessment its Fraud and Corruption Control Procedure Code of Conduct, Ethical Decision Making and Internal Controls training modules. In addition, the department is currently developing a Fraud and Corruption Control website, which will complement the Framework with factsheets, case studies, checklists and a downloadable library of best practice fraud and corruption control resources. The framework should be read in conjunction with: Legislative Framework Corporate Governance Framework Enterprise Risk Management Framework Developing Performance Framework Page |1 Goals and objectives Through the Department’s Fraud and Corruption Control Policy and Plan, the Framework aims to clearly articulate: the department’s commitment to a zero-tolerance attitude towards fraud and corruption its approach to controlling fraud and corruption the embedding of a strong and proactive fraud and corruption control ethos within the department’s organisational structure departmental roles and responsibilities for fraud and corruption control strategies implemented within the department to prevent, detect and respond to fraud and corruption a summary of: o the fraud risks (internal and external) associated with the department’s functions o the controls in place to minimise the opportunity for fraud and corruption o their implementation details and protocols for the reporting of suspected fraud or corruption against the department What are fraud and corruption? Fraud and corruption can take many forms. Fraudulent and corrupt conduct by public officials may fall within the category of ‘official misconduct’ under the Crime and Misconduct Act 2001. In addition, many forms of fraud and corruption are offences under the Criminal Code Act 1899. These include false claims, stealing, and misappropriation of property, false pretence, forgery and receipt or solicitation of secret commissions. The following definitions of “fraud”, “corruption” and “misconduct” and “official misconduct” are used throughout this document. Fraud Any deliberate deceitful conduct or omission designed to gain an advantage to which a person or entity is not entitled. It is the intentional use of false representations or deception to avoid an obligation, gain unjust advantage or in the context of public administration, commonly referred to as ‘rorting the system’. Corruption Behaviour that may involve fraud, theft, the misuse of position or authority or other acts which are unacceptable to an organisation, its clients or the general community. It may also include other elements such as breaches of trust and confidentiality. Misconduct Inappropriate or improper conduct in an official capacity or inappropriate or improper conduct in a private capacity that reflects seriously and adversely on the public service”. Official misconduct: Serious misconduct relating to the performance of an officer’s duties, that is dishonest or lacks impartiality, or involves a breach of trust, or a misuse of officially obtained information. The conduct must be a criminal offence or a breach of discipline serious enough to warrant dismissal. The act may be official misconduct even if the person: is no longer a public official, or was not at the time but is now a public official Page |2 committed the misconduct outside Queensland did not receive money or a personal benefit. Attempting to influence a public official to act improperly is also classed as official misconduct. Common examples of fraud and corruption Internal External corporate card misuse, such as payment for personal expenses including fictitious names on the payroll system delayed terminations abuse of position and power, including accepting or offering bribes or gifts nepotism submitting false travel claims consistently recording incorrect hours of work on timesheets unauthorised use of government vehicles theft or unauthorised use of public funds or physical resources, such as office supplies and stationery clients deliberately claiming benefits for which they are ineligible external providers making claims for services that were not provided the provision of false or misleading information failure to provide information when obliged to do so inappropriate influence over grants and subsidies applications manipulation of a procurement process Collusion • inappropriate involvement with suppliers, including ‘kickbacks’ such as entertainment and hospitality unlawful or unauthorised release of information knowingly making or using forged or falsified documentation failing to declare and appropriately manage conflicts of interest Fraud and corruption control policy statement We are committed to excellence in service performance and in meeting our statutory obligations. This includes maintaining a fraud and corruption prevention culture. We have zero tolerance for fraud and corruption. We provide all staff and relevant stakeholders with education and training in ethics and fraud awareness to ensure that we all understand our responsibilities and obligations. Our organisational values and culture, governance and risk management frameworks, and controls work together to prevent, detect and respond to potential or actual fraudulent or corrupt conduct. We will deal appropriately with all allegations of fraud and corruption. All staff are obliged to report suspected fraudulent and/or corrupt activities to their supervisor or manager, Internal Audit Branch (IAB) or the Ethical Standards Unit (ESU), who will investigate and deal with the allegation. We will refer any instances of official misconduct to the Crime and Misconduct Commission (CMC) and/ or the Queensland Police Service for investigation and possible prosecution. We will pursue the recovery of any losses incurred from fraud and corruption activities, after considering all relevant issues. Page |3 Our policy aligns with the CMCs Fraud and Corruption Control – Guidelines for Best Practice 2005and the Australian Standard AS8001-2008 Fraud and Corruption Control. Fraud and corruption control plan Our Fraud and Corruption Control plan is based on the ANAO’s conditions that are essential for a sound fraud control environment, and the CMC’s recommended 10-element model.1,2 ANAO conditions The ANAO’s three conditions for a sound control environment are: Ethical leadership and culture –strong ethical values and high standards of ethical behaviour Legislation and governance –legislation and policies that promote accountability, are transparent, and incorporate robust governance structures Control strategies –actions to prevent, detect and respond to fraud and corruption, which are reviewed and improved continuously. CMC 10-element model The CMC’s recommended integrated control model comprises 10 key elements and is consistent with Australian and overseas best practices. The elements are interrelated, with each one playing an important role. The elements are set out in the table below: Element 1 Department-wide Policy Element 2 Risk Assessment Element 3 Internal Controls Element 4 Internal Reporting Element 5 External Reporting Element 6 Public Interest Disclosures Element 7 Investigations Element 8 Code of Conduct Element 9 Staff Training and Awareness Element 10 Client and Community Awareness Our approach to fraud and corruption control also aligns with Australian Standard 8001 – 2008: Fraud and Corruption Control. Fraud and corruption control model DETE’s Fraud and Corruption Control model (Figure 1) demonstrates the way in which the department integrates the ANAO’s conditions and the CMC’s 10 key elements with its fraud and corruption control prevention, detection and response strategies. 1 2 Australian National Audit Office, Fraud Control in Australian Government Entities – Better Practice Guide March 2011 Crime and Misconduct Commission, Fraud and Corruption Control – Guidelines for Best Practice 2005 Page |4 Figure 1: DETE’s Fraud and Corruption Control Model ANAO conditions in practice Ethical leadership and culture Senior managers must lead by example and behave in a way consistent with the Code of Conduct for the Queensland Public Service and DETE’s Standard of Practice. The Code of Conduct and the Standard of Practice provide all employees with ethics principles, values and standards of conduct to guide behaviour in the workplace. They are important corruption resistance tools to promote ethical behaviour and, in conjunction with the Framework and the best practice principles outlined in the department’s Enterprise Risk Management Framework, to support the effective and efficient management of fraud and corruption risks across the agency. Legislation and governance The Framework is underpinned by legislation, Australian standards and best practice guidelines, including: Page |5 Financial Accountability Act 2009– commits the department to protecting its revenue, expenditure and property from fraudulent activity Public Sector Ethics Act 1994 – sets out the ethics principles and values for public service agencies and public officials, and provides standards of conduct consistent with the ethics principles and values Crime and Misconduct Commission Fraud and Corruption Control – Guidelines for Best Practice 2005 – provide the model for developing and implementing the fraud and corruption control policy and plan. ANAO control strategies The ANAO’s control strategies are referenced in conjunction with the CMC elements for fraud and corruption control in the “Control Strategies” section of this paper, which commences on page 11. Appendix 1 includes a full list of the applicable legislation and other instruments, while the Department’s Policy and Procedure Register sets out all departmental procedure-specific legislation and governance instruments. The department’s rigorous governance structure ensures legislative requirements are addressed effectively, transparently and with accountability. As illustrated in Figure 2, consistent with the Enterprise Risk Management Framework, the department’s governance structures support fraud and corruption control at the strategic, corporate and operational levels. Figure 2: Governance Structures STRATEGIC CORPORATE AND OPERATIONAL DIRECTOR-GENERAL (DG) AUDIT & RISK MANAGEMENT COMMITTEE (ARMC) EXECUTIVE MANAGEMENT BOARD (EMB) FRAUD & CORRUPTION CONTROL COMMITTEE (FCCC) EMB sets and reviews departmental strategic direction, priorities and performance objectives. ARMC provides the Director General with independent audit and risk management advice FCCC reports to ARMC and EMB at least annually, advises ARMC on fraud and corruption matters and through its Chair may escalate matters to the DG, ARMC or EMB as appropriate EMB BUSINESS AS USUAL PROGRAMS OF CHANGE DIVISIONS BOARDS BRANCHES PROGRAMS BUSINESS UNITS PROJECTS Corporate and operational management structures provide for clear lines of reporting, accountability and responsibility to support appropriate, open and transparent decision making. Page |6 Roles and responsibilities While fraud and corruption control is the responsibility of every employee, the table below details specific roles and responsibilities. ROLE Director-General RESPONSIBILITY • overall accountability for prevention and detection of fraud and corruption within DETE • legislated responsibility to exercise authority, on behalf of the department • manage the department’s operations ensuring service delivery is effective and economical, and in the process avoids waste and extravagance • manage public resources of the department efficiently, responsibly and in a fully accountable manner • define goals and objectives in accordance with its mandate and governance framework • implement policies and priorities responsibly • ensure impartiality and integrity in the performance of the department’s functions • ensure accountability and transparency in the department’s operational performance • maintain accurate records and accounts, and report on these as required • promote continual evaluation and improvement of department’s management practices Deputy Director-General, Corporate Services • delegated authority as the Fraud and Corruption Control Coordinator and acts as ‘champion’ to drive the fraud and corruption control regime • Chair of the Fraud and Corruption Control Committee • oversee the implementation and management of the fraud and corruption control framework • take steps to ensure that all areas assume appropriate responsibility for fraud and corruption control and perform their functions according to the framework and relevant legislation • ensure all areas of operation take the appropriate steps to implement effective risk management practices, including risk assessment of fraud and corruption in accordance with the enterprise risk management framework • ensure the scope and nature of the education, training and awareness programs are comprehensive and designed to assist employees, contractors and clients to recognise, detect and prevent fraud and corruption • provide advice to the Director-General and the EMG as necessary on fraud and corruption matters • provide accurate and timely advice to the Audit and Risk Management Committee through the Internal Audit Branch on any fraud and corruption matters • display ethical leadership and high personal standards of behaviour consistent with the Code of Conduct for the Queensland Public Service and the department’s Standard of Practice • visibly adhere to the department’s ethical framework and promote adherence by all employees • contribute to effective risk management strategies in accordance with the department’s enterprise risk management framework and Deputy Directors-General, Assistant Directors-General, Regional Directors, Executive Directors, Directors and Managers Page |7 ROLE Deputy Directors-General, Assistant Directors-General, Regional Directors, Executive Directors, Directors and Managers (Cont) Audit and Risk Management Committee (ARMC) Fraud and Corruption Control Committee (FCCC) Director Ethical Standards Unit RESPONSIBILITY ensure risk management practices are adhered to throughout their area of control • develop strong internal controls to assist with fraud and corruption prevention in their area of responsibility • ensure all employees are made aware of and attend appropriate education, training and awareness sessions to allow for a skilled and knowledgeable workforce, including public sector ethics education, training and awareness internal controls and financial or procurement training • ensure effective employee communication about the process for identifying and reporting on potential fraudulent and corrupt activities • ensure where a public interest disclosure is made, the procedure for making and managing a public interest disclosure is adhered to • follow the mandatory internal or external reporting requirements for reporting suspected official misconduct, including fraud or corruption • advise the Director-General, outlining audit matters and certain risks to the department, including potential fraud and corruption matters and put forward pertinent recommendations regarding these. • review governance processes to ensure all matters relating to alleged fraud and corruption or unethical conduct are dealt with appropriately • review currency, comprehensiveness and relevance of the enterprise risk management framework, policy and procedure for identifying, monitoring and managing significant business risks, including the identification and management of risks related to fraud • review the internal audit plan annually to ensure it covers key fraud and corruption risks and that there is appropriate coordination with the external auditor, Queensland Audit Office • submit recommendations to the Director-General to approve the internal audit plan, reviewing its scope and progress and any significant changes to it, including any potential difficulties or restrictions on the scope of activities • advise the ARMC and make recommendations in relation to fraud and corruption matters • implement and monitor the fraud and corruption program • review and evaluate the effectiveness of compliance with relevant legislation and best practice requirements for fraud and corruption control • ensure the ESU fulfils the legislative function on behalf of the Director-General to investigate all allegations of suspected official misconduct • ensure a proactive approach to public sector ethics by promoting an ethical culture, practice and decision making through education and training programs • implement, maintain and review the fraud and corruption control framework • ensure the fraud and corruption control framework undergoes a biennial review or more frequently as required • oversee the secretariat function for the FCCC • develop strategies in consultation with other key areas to achieve an effective fraud and corruption regime • identify appropriate training and awareness options and develop strategies in consultation with Internal Audit Branch to achieve an Page |8 ROLE Director Ethical Standards Unit (Cont) Ethical Standards Unit Internal Audit Branch All employees RESPONSIBILITY effective Fraud and Corruption Control regime • as CMC liaison officer report suspected official misconduct, criminal and other matters to the appropriate external agency: o Crime and Misconduct Commission o Queensland Police Service o Queensland Ombudsman o Queensland Audit Office • conduct investigations into reports of suspected official misconduct, including fraudulent or corrupt practices • manage the department’s fraud and corruption hotline – 1800 727 031 • manage and coordinate all public interest disclosures made to the department and ensure adequate support and certain protections are afforded the discloser in accordance with Public Interest Disclosure Act 2010 • review Standard of Practice at least once every two years • develop and maintain ethics related policies and procedures for building and sustaining integrity and accountability; for example, Standard of Practice, public interest disclosure procedure and guidelines, conflicts of interest, notification of other employment, lobbying and the fraud and corruption framework • provide secretariat function for FCCC • develop public sector ethics related education and training material to promote an ethical culture and performance; such as the ethical decision making awareness, internal controls and fraud awareness • provide advice and direction to employees on the correct protocol for reporting matters to external agencies • provide independent appraisals, examination and evaluation of the department’s activities and assist management with the detection of suspected fraud and corrupt activities • undertake scheduled audits, which include examining established controls to determine if these are robust enough to reduce the risks of fraud and corruption, including the identification of work practices that may lead to fraudulent and corrupt activities • undertake targeted audit activities to specifically identify any indication that fraud may have occurred, be alert to opportunities that could allow fraudulent activities • report in writing any suspected activities of fraudulent or corrupt practices identified during an internal audit function to the Director, ESU for assessment and possible investigation or referral to the appropriate external agency • contribute to the development of improved systems, policies and procedures to enhance the department’s resistance to fraud and corruption including: o safeguarding assets and other resources under their control o having a clear understanding of their obligations regarding any losses, deficiencies and shortages that may be identified while at work o ensuring all personal claims are accurate with no deliberate omissions (recording accurate hours of work on timesheets) • fulfil their obligation to report wrongdoing in accordance with section 1.1 (d) of the Code of Conduct for the Queensland Public Service and section 4.1 of the department’s Standard of Practice • actively seek education and training to learn and maintain knowledge and skills required to undertake their duties Page |9 ROLE All employees (Cont) RESPONSIBILITY • gain an understanding of the policies, procedures and guidelines that pertain to their role and work within the requirements of these • follow the requirements for internal reporting of suspected fraud and corruption DETE Control Strategies The following strategies constitute the department’s action regarding reporting, processing, resolving and responding to suspected fraud and corruption within the department and its funded services, when: a person suspects fraud or corruption is occurring within the department the suspected fraud and corruption constitutes misconduct or official misconduct on the part of an employee: and/or it is appropriate that suspicions be addressed directly by the ESU or referred externally The CMC’s 10-element model of fraud and corruption control, which the department has adopted as the basis of its Fraud and Corruption Control strategy, falls into three key categories of control: Prevent–as the first line of defence, to reduce the risk of fraud and corruption occurring Detect –discover and investigate fraud and corruption when it occurs Respond–take corrective action and remedy the harm caused by fraudulent and corrupt behaviour. The elements are categorised below, followed by a discussion of each element, and its alignment with the ANAO conditions for better practice fraud and corruption control. Table 1: Key Fraud and Corruption Control Strategies KEY CONTROL ELEMENT CATEGORIES Agency-wide integrated policy Demonstrate the department’s resolve to combat fraud and corruption Code of Conduct Set out expectations and standards of ethical behaviour within the department Staff education and awareness Client and community awareness Risk assessment Internal controls P D PURPOSE R Ensure a well-informed workforce with the capacity to recognise and respond to the risks of fraud and corruption Maintain public trust and forestall potentially unacceptable practices from external parties Provide a comprehensive understanding of the department’s internal and external vulnerabilities Mechanisms to eliminate or minimise risks Internal reporting Mechanism for employees to report potential fraudulent or corrupt activities and other alleged wrongdoing Public Interest Disclosures Investigations External reporting COMMUNICATE INTENT LIMIT OPPORTUNITIES REINFORCE ZERO TOLERANCE Responsibility for receiving and managing all allegations of wrongdoing received under Public Interest Disclosure Act 2010 Ensure allegations of fraud and corruption are actioned appropriately and investigated competently Mechanism for the Director-General to report any suspected fraudulent or corrupt activity to the appropriate external agency P a g e | 10 CMC elements in practice CMC Element 1: Agency-wide integrated policy ANAO conditions: legislation, ethical leadership and culture The department is committed to excellence in fulfilling public expectations of service performance and in meeting its statutory obligations. Its Fraud and Corruption Control Framework, is one of a suite of policies and procedures designed to achieve this. It works with other government and departmental legislation, frameworks, policy and other instruments to provide guidance to staff and forms the keystone of fraud and corruption prevention. A list of related instruments is at Appendix 1. CMC Element 2: Risk assessment ANAO conditions: Legislation and governance, control strategies Fraud and corruption risk assessment is an integral part of the department’s overall risk management framework and provides the department with an understanding of its fraud and corruption vulnerabilities and possible strategies to eliminate or minimise those risks. Fraud and Corruption Control Committee DETE’s risk-based approach to fraud and corruption control was strengthened in June 2012, by the establishment of its Fraud and Corruption Control Committee, which is responsible for monitoring and coordinating department-wide fraud and corruption mitigating mechanisms. Chaired by the Deputy Director General, Corporate Services, who champions fraud and corruption control across the department, the Committee’s membership consists of the Assistant DirectorGeneral Finance and Chief Financial officer, the Assistant Director-General Human Resources and the Assistant Deputy-General, Strategy and Performance. The Head of Internal Audit is an observer/advisor to the committee and the Ethical Standards Unit undertakes its Secretariat role. The clearly designated responsibility with which the Committee is tasked aligns with recommendations in the Guidelines and the Standard. It also demonstrates DETE’s corporate understanding of and commitment to fraud and corruption control and ensures a consistent, integrated and high profile approach to the management of fraud and corruption risk. Risk assessment responsibility The Director-General is the accountable officer under the Financial Accountability Act 2009 and has ultimate legislative responsibility and accountability for ‘establishing and maintaining suitable systems of internal control and risk management’. The Executive Management Board provides oversight of strategic risks. Deputy Directors-General and Assistant Directors-General support the Director-General with oversight of corporate risks. Executive Directors, Regional Directors, Directors, principals and TAFE managers provide oversight of operational risks. All employees are required to comply with the department’s Risk Management policy and apply risk management processes within their work unit. Fraud and corruption risk assessment Fraud and corruption risk assessments are carried out in accordance with the department’s Enterprise Risk Management Framework. P a g e | 11 The department’s enterprise risk management procedure and process, risk assessment criteria, fact sheets and tools to support the completion of fraud and corruption risk assessments are located in the department’s Policy and Procedure Register. Fraud and corruption risk assessments are to be conducted by each division on their specific functions/processes every two years. Potential fraud and corruption risks are identified as risks to the department’s functions/processes and as such are classified under the Enterprise Risk Management Framework as operational risks and recorded accordingly in the department’s online risk register, the Enterprise Risk Assessor (ERA). Key risks and associated control activities were identified through a department-wide fraud and corruption risk assessment in August 2013. Fraud and corruption risk identification and the development and assessment of their control activities form part of DETE’s continual process of risk review, which also takes into account changing circumstances and operating environments, both internal and external to the organisation. Risk areas for fraud and corruption The department has identified a number of functions/processes considered to be areas of high vulnerability to fraudulent and corrupt activity. As a minimum, fraud and corruption risks are to be identified and assessed for the following areas: Accounts payable and receivable Procurement Contract management Recruitment Payroll Regulation Corporate card Purchasing Asset management Timesheets Funds and grants management Information management Also as a minimum, the following specific matters should be examined: enforcement of existing financial management standards, policies and practices governing contracts and the supply of goods and services proper recording of assets and provisions for known or expected losses the collection, storage, management, handling and dissemination of information segregation of functions, especially in regulatory, financial and cash handling areas work activities which have little supervision or are open to collusion or manipulation work practices associated with compliance and enforcement activities work practices and ethical standards for accredited agents, certifiers etc. formal or structured reviews of accounting and administrative controls effectiveness of measures for reporting suspected fraud, corruption and other forms of official misconduct compliance of staff training with requirements of the Code of Conduct for the Queensland Public Service and the department’s Standard of Practice workplace grievance practices and their relationship with other OH&S issues measures to ensure quick and decisive action on all suspected fraud and corruption situations. In addition to the assessment of risk, suitable operational practices to detect fraudulent or corrupt activity are to be implemented including: establishing effective accounting and management controls routine and random auditing of decisions and operational records P a g e | 12 identifying variations from normal accounting procedures or work practices recognising deviations or exceptions in outcomes from expectations monitoring key indicators (red flags) of potential fraud and/or corruption. Responsible officers will develop fraud and corruption resistant work practices and subsidiary control plans as necessary. The worksheets and rating methodology for risk assessment (Attachments 1 and 2) should be used to ensure consistency across the risk evaluation process. Recommended processes for risk assessment and management are discussed in detail in DETE’s Enterprise Risk Management Process document. CMC Element 3: Internal controls ANAO conditions: Legislation and governance, control strategies Controls are used to manage risks identified through the risk assessment process. Our internal control system consists of structures, policies, procedures, processes, tasks, information systems and other tangible and intangible activities that record and manage risks. Our internal control structure complies with the FPMS requirement that accountable officers establish and implement a cost-effective internal control structure, including: a strong emphasis on accountability, best practice management of departmental resources an organisational structure and delegations which support the objectives and operations of the department employment of qualified and competent officers training and performance assessment of officers efficient, effective and economic operations of the internal audit function compliance with all financial legislative requirements appropriate separation of duties between officers of the accountable officer’s department or the statutory body preserving the integrity, accuracy and reliability of the agency’s ICT systems It also aligns with best practice requirements that internal control procedures should include: transparent operations, such as well-defined and publicised service standards, performance indicators and targets easily accessible information client opportunity to provide feedback transparent decision-making to highlight potential nepotism, favouritism or conflict of interest agency appropriate procedures through identification of fraud and corruption risks and matching control measures separation of functions through physical access controls, division of duties, different security access levels for information The department’s internal control procedures include basic checks and balances which are carried out to ensure: completeness, relevance and accuracy timeliness of the department’s accounting and other transactions and records safeguarding of assets compliance with any prescribed requirements P a g e | 13 In line with the QAO report, DETE’s internal controls specifically address identified fraud risk and are regularly reviewed, with internal policies and procedures documented and promoted to relevant staff. They also include all the elements of internal control identified in AS 8001:2008. All employees must be continually alert to early warning signs of fraud, corruption or official misconduct. Common red flags for possible fraud or corruption include: over-familiar relationships between employees, suppliers and contractors disregard of internal controls employees demonstrating a reluctance to take leave, particularly where they have cash control or debt collection responsibilities employees remaining later at work than other employees, or accessing work premises unnecessarily after other staff have left, unreconciled accounting records, including corporate card transactions and/or poor followup of outstanding accounts The integration of internal controls into management practices requires the inclusion of accountability in annual and long term planning, job descriptions and performance reviews of executive management, line managers and supervisors, reflecting their responsibility for identifying system deficiencies that facilitate fraud and corruption. Our controls include (but are not limited to): governance committees, organisational structures, delegation of authority, strategic and operational plans, the annual report, and the Service Delivery Statement resource management, budget management and the Establishment Management Framework position descriptions, merit based recruitment and selection processes, pre-employment screening, training, and the Developing Performance Framework ICT systems including SAP, One School (transactions, records, operating programs and systems producing ICT information), TRIM (Data collection and exchange), OnePortal intranet and DETE internet (internal and external communications), MyHR (human resources recording and reporting), information systems standards, assets registers (physical resources) and reporting mechanisms, including adequate audit trails Financial Management Practice Manual, School Accounting Manual and other procedures published in our Policy and Procedure Register Investigations into cases of fraud and corruption show strong links between the incidence of fraud and corruption and poor internal control systems. As a result the assessment of internal control effectiveness is a crucial step in the fraud and corruption risk assessment process. The Internal Audit Branch supports the department’s efforts to establish and maintain systems integrity through an established audit program. The audit program includes periodic risk based assessments of the department’s business units using best practice methodologies to assess levels of compliance with existing internal controls. The Branch also contributes to the efficient and effective management of departmental operations, by safeguarding agency assets, facilitating internal and external reporting and helping the department comply with relevant legislation. P a g e | 14 CMC Element 4: Internal reporting ANAO condition: Legislation and governance, control strategies Reporting suspected wrongdoing is vital to our agency’s integrity and that of the Queensland public sector, with research studies and surveys consistently showing that staff provide the most compelling source in detecting fraud and corruption3. The Code of Conduct requires all staff to report suspicious actions or potential wrongdoing. Students, customers, parents, caregivers, or members of the public can also make a complaint about fraud and corruption, anonymously if they wish. Matters relating to official misconduct will be referred for investigation as a priority. Complaints may also be lodged by agencies including the CMC, QCOT, QPS, QSA and UPA. They can be lodged by telephone, email, hard copy correspondence, via the department’s iRefer electronic complaints lodgement system or through the Fraud and Corruption Hotline; 1800 727 0314. The following departmental procedures, located in the Policy and Procedure Register, explain how to report suspected wrongdoing, including fraud and corruption: Managing Employee Complaints Complaints Management – state schools Information privacy complaints, and Making and Managing a Public Interest Disclosure under the Public Interest Disclosure Act 2010. Characteristics of internal reporting Our internal reporting system addresses the CMC requirements for an internal reporting system; that it: receive information about identified risks and suggestions for system improvements receive information about suspected acts of fraud and/or corruption maintain, as far as possible, the confidentiality of the parties involved convey information to the relevant officer (supervisor or manager) ensure appropriate assessment and investigation ensure compliance with additional external reporting requirements provide feedback to the discloser, demonstrating that the information was taken seriously and acted upon Internal reporting arrangements As per the Guidelines, DETE’s internal reporting system takes into account the agency’s size, structure, function and geographic reach. Reporting to immediate supervisors or managers is encouraged, with supervisory staff responsible for reporting to more senior management. As one of Queensland’s largest public sector agencies, DETE has a dedicated Ethical Standards Unit (ESU) to which reports can be submitted, if the employee concerned prefers not to report to their immediate supervisor. The Director ESU has an unrestricted line of access to the Director-General, enabling the Director-General to fulfil their legislative reporting responsibility to external bodies. 3CMC Fraud and Corruption Control Guidelines for Best Practice, 2005 P a g e | 15 Fraud and corruption reporting guidelines Employees should report suspected wrongdoing to their immediate supervisor or manager, in the first instance. Should staff be reluctant to report any concerns immediately or feel appropriate action has not been taken by the supervisor or manager who received the complaint, alternative reporting options include: o a more senior manager o Director, Ethical Standards Unit o Head of Internal Audit o Fraud and Corruption Hotline 1800 727 031 o directly to the CMC Supervisors and managers are required to report information regarding suspected fraud and/or corruption incidents immediately to the Ethical Standards Unit A climate of trust and accountability should be developed so employees are aware that all efforts will be made to maintain confidentiality and appropriate action will be taken Objectivity and a perception of it will be increased by the identification of a senior, qualified neutral officer to receive reports such as the Director, ESU Under section 38 of the Crime and Misconduct Act 2001, the Director, ESU has an unrestricted line of access to the Director-General for timely and effective advice so that the Director-General can fulfil their legislative responsibilities for reporting to external bodies when appropriate Fraud and corruption reporting management system DETE’s complaints management system, Resolve, managed by the ESU is used to capture, report, analyse and escalate all detected fraud and corruption incidents. It also takes the role of a fraud and corruption register, with monthly Case Status Reports – Fraud and Corruption (Case Status Reports) being extracted from Resolve and provided to the Fraud and Corruption Control Committee for ongoing monitoring and analysis. Data can also be used to provide the department with information for other reporting purposes, and facilitate continuous improvement of its fraud and corruption resistance capacity. As set out in AS 8001:2008, the Case Status Reports include the following information with regard to each incident reported: Date and time of report Date and time that incident was detected How the incident came to the attention of management The nature of the incident Value of loss Action taken following discovery of the incident. CMC Element 5: External reporting ANAO conditions: Governance, legislation, control strategies Queensland’s public sector integrity framework includes several independent statutory bodies which promote accountability, integrity and good governance: Crime and Misconduct Commission (CMC) P a g e | 16 Queensland Audit office (QAO) Queensland Ombudsman Queensland Integrity Commissioner Office of the Information Commissioner Their integrity-building activities are supplemented by the law enforcement role of the Queensland Police Service (QPS). The integrity agencies offer a range of external reporting channels and advice, depending on the nature and scope of the alleged misconduct. In addition, the department has an external reporting responsibility to the QPS for certain types of misconduct. In some instances there are legal obligations for external reporting. The role of each of the bodies and our reporting obligations to them is: Government Body/Role Reporting Obligations Crime and Misconduct Commission (CMC) receives complaints about possible misconduct and determines the most appropriate action to deal with them Queensland Ombudsman Provides oversight for all public interest disclosures made to the Queensland Government. Oversight agency for all public interest disclosures made to the Queensland government. Queensland Audit Office (QAO) Provides independent audit services to the Queensland Parliament, all state public sector entities and local governments. Monitors and reports on compliance and other operational practices and its recommendations can identify risks and assist agencies in forestalling fraud and corruption. Director-General or delegate notifies the CMC under the Crime and Misconduct Act 2001 if the department suspects a report of wrongdoing involves official misconduct. Under the Public Interest Disclosure Act 2010and the Public Interest Disclosure Standard No. 1, agencies are required to provide regular reports the Ombudsman about their PIDs Queensland Integrity Commissioner (QIC) Established by Parliament to maintain and enhance the integrity of the Queensland public sector, the Commissioner is also responsible for maintaining the Register of Lobbyists and monitoring compliance with the Integrity Act 2009 and the Lobbyists Code of Conduct. Office of the Information Commissioner (OIC) Initially established under the repealed Freedom of Information Act 1992 (Qld), the OIC continues under the Right to Information Act 2009 and the Information Privacy Act 2009 to promote access to government-held informant and to protect people’s personal information. Queensland Police Service (QPS) Upholds and enforces the law Under s21 of the Financial and Performance Management Standard 2009, the Director-General must report any suspected material loss to the Auditor General within six months of becoming aware of the loss. A material loss is defined in the standard as a loss of money of more than $500, or the loss of other property valued at over $5,000. Agencies are also responsible to inform the QAO of any loss they suspect to be the result of an offence under the Criminal Code or other Act. Professional lobbyists breaching the Lobbyists’ Code of Conduct should be reported to the Commissioner. The OIC deals with privacy complaints and makes decisions where privacy conflicts with the public interest. Director-General, or delegate reports: suspected fraud and/ or corruption arising out of P a g e | 17 Government Body/Role Reporting Obligations criminal conduct under the Criminal Code Act 1899, or other Act any suspected material loss which may have occurred as a result of official misconduct or the commission of a criminal offence in accordance with the Criminal Code Act 1899, Crime and Misconduct Act 2001, Financial and Performance Management Standard 2009, or other Act. We also report to the Public Service Commission through the Director, ESU in relation to our integrity and accountability. Where a matter falls within the jurisdiction of more than one external integrity body, the agency must ensure that it is reported to each one that is relevant. As recommended by the CMC Guidelines, DETE has developed sound reporting policies and procedure to cater for these potentially overlapping requirements. In accordance with the Crime and Misconduct Act 2001, complaints about fraud and the outcome of preliminary investigations will be reported to the appropriate agencies above. The Director ESU should be contacted prior to matters being reported to an external agency, for advice on correct reporting protocols. CMC Element 6: Public Interest Disclosures ANAO conditions: Legislation and governance, control strategies A public interest disclosure (PID) is a disclosure of information of public interest, involving wrongdoing within the public sector, made to a proper authority. Under the Public Interest Disclosure Act 2010 (PID Act), a proper authority is defined as a public sector entity or a member of the Legislative Assembly. The department strongly supports the principles embodied in the PID Act, which provide for certain protection from reprisal for persons making a PID, with the intent of the PID legislation being to ensure that persons making a complaint of wrongdoing can do so without fear of retribution. From the perspective of fraud and corruption control, a public service officer may make a PID if they report information about another employee that may relate to: unlawful, corrupt, negligent or improper conduct that could amount to official misconduct maladministration that adversely affects anyone’s interests in a substantial and specific way negligent or improper management by a public officer public sector entity or a government contractor resulting or likely to result in a substantial waste of public funds. We are committed to promoting the public interest by facilitating disclosures of wrongdoing and ensuring that PIDs are managed thoroughly, impartially, in a timely manner and in accordance with the Act. The management of a PID includes initial evaluation, including a risk assessment and the determination of appropriate action, which may include investigation. If an investigation is conducted the discloser will be kept informed of its progress and outcome, and will be provided with protection from reprisal action. P a g e | 18 As recommended in the CMC Guidelines, DETE has a stand-alone PID procedure, Making and managing a public interest disclosure under the Public Interest Disclosure Act 2010 (Qld) (WRF-PR013), which is consistent with the Code of Conduct for the Queensland Public Service and DETE’s Fraud and Corruption Control policy. DETE’s PID procedure covers: the context in which a PID is appropriate how, when and where to make a disclosure who can make a disclosure to whom a disclosure may be made assessment and investigation of disclosure allegations available support and protection mechanisms the investigation process PID-related roles and responsibilities and confidentiality DETE also has a program to actively encourage an ethical work climate and an atmosphere of transparency and responsible reporting, which includes compulsory Code of Conduct, Standard of Practice and internal controls training, and a team of officers trained to receive and manage PIDs, and to offer support and protection for disclosers. As with all internal reporting of suspected wrongdoing, we: exercise due process and natural justice in managing PIDs make all attempts to preserve confidentiality provide appropriate protection to the person who made the PID maintain all necessary records securely, and report appropriately. CMC Element 7: Investigations ANAO conditions: Legislation and governance, control strategies All reports, information, complaints and notifications concerning alleged employee misconduct are referred to the ESU. If there is a possibility that an incident constitutes official misconduct, the CEO is required under the Crime and Misconduct Act, 2001 to report the matter to the CMC. As both fraud and corruption generally fall within the definition of official misconduct, the majority of fraud and corruption matters automatically need to be reported. The CMC may choose to investigate the matter itself, refer it back to the department, or work with the department to investigate the matter. Any allegation involving criminal offences against the department, by employees or external parties, needs to be referred to the QPS. In the event the QPS does not lay criminal charges, but the information requires further enquiry because the allegation raises a reasonable suspicion of employee misconduct which, if proven, would be likely to result in formal disciplinary action, an ESU investigation will be commenced. Investigations may involve matters of suspected fraud, corruption, misappropriation, maladministration, theft and other matters where the conduct of an employee, if substantiated, could amount to official misconduct and may result in disciplinary action, including dismissal. P a g e | 19 DETE’s fraud and corruption investigation practices The department’s own fraud and corruption investigative practices comply with the CMC’s Guidelines, its investigative toolkit Facing the facts - A CMC guide for dealing with suspected official misconduct in Queensland public sector agencies and the Standard. Specialist training is provided to departmental investigators, to ensure the integrity and professionalism of their investigative work. Fraud and corruption investigations are conducted by experienced, senior personnel who are independent of the business unit in which the alleged fraudulent or corrupt conduct occurred. Investigations and any resultant disciplinary proceedings are always legislatively compliant and conducted in an atmosphere of transparency, with the overall guiding principles being independence and objectivity. Information arising from, or relevant to, investigations is not disseminated to any person not required by their position description to receive the information and in light of the seriousness of fraud and corruption allegations, investigations are overseen by the Fraud and Corruption Control Committee. In planning and undertaking fraud and corruption investigations, the department follows the steps outlined by the CMC: Determining the scope and nature of investigations Confirming the responsibilities and powers of the investigator Conducting investigations in accordance with the rules of procedural fairness Gathering the evidence Concluding the investigation Education and awareness Employee responsibilities in relation to investigations are clearly set out in section 4.1 of the department’s Standard of Practice which states “Employees must co-operate with an investigation being conducted in connection with the administration, management and operation of the department to ensure the best possible outcomes”. Policies and procedures In addition to its Fraud and Corruption Control Policy Statement, the department has a Fraud and Corruption Control Procedure and an Investigations fact sheet, which discusses departmental investigations, employees’ legislative obligations, misconduct and official misconduct, the investigation process, the balance of probabilities, procedural fairness and natural justice, interviews and what each party can expect from the other during an investigation. When the department deems an investigation into alleged official misconduct, including fraud or corruption, necessary: all employees are obliged to respect the rights of all involved and maintain confidentiality pending a full investigation into an alleged wrongdoing managers and supervisors must ensure due process and encourage confidentiality any person disclosing alleged wrongdoing must be advised of the outcome of the investigation as soon as practicable, and the outcome may be subject of review by the CMC. P a g e | 20 Outcomes of investigations where complaints of alleged fraud and/ or corruption have been substantiated may be published, when appropriate to do so and where confidential records can be maintained. CMC Element 8: Code of Conduct ANAO conditions: Legislation and governance, ethical leadership and culture The Code of Conduct for the Queensland Public Service and the DETE-specific Standard of Practice provide guidance on the standards of conduct expected of all employees and others associated in any significant way with the department. They include ethics principles and values; and The Standard of Practice also provides advice and guidance for employees in making ethical decisions, especially in circumstances where the ‘correct’ or ‘best’ course of action may not be clear. Implementation of the FCCP will be based on the standards of conduct outlined in the Code of Conduct and Standard of Practice, with breaches subject to disciplinary provisions when appropriate. The code and Standard of Practice are based upon four ethics principles: 1. 2. 3. 4. Integrity and impartiality Promoting the public good Commitment to the system of government Accountability and transparency As tools which outline the department’s ethical framework, it is outside the scope of the code and Standard of Practice to cover all ethical situations which may arise. To assist in the resolution of complex issues, including those relating to fraud or corruption, employees should seek the advice of their supervisors, managers or senior management when appropriate. The value of the code and Standard of Practice as deterrents to misconduct depends substantially on the perception that their provisions are enforced swiftly and equitably. Accordingly, prompt and impartial action is taken by the department in the event that a reasonable suspicion exists of fraud, corruption or official misconduct. The code and Standard of Practice reflect the corporate and business ethos of the department. As such, their agency-wide implementation will promote integrity, encourage ethical behaviour, and strengthen departmental resistance to fraud and corruption. In compliance with their responsibilities under the Public Sector Ethics Act 1994, the department’s CEO ensures that departmental employees are given access to appropriate education and training about public sector ethics through mandatory training at orientation and regular refreshers thereafter. The ESU will review of the Standard of Practice biennially or more frequently if required. On an ongoing basis, the Director, ESU will also review the need to develop any other related policies and procedures, ethical awareness training or employee development materials. P a g e | 21 CMC Element 9: Staff education and awareness ANAO conditions: Governance, ethical leadership and culture Legislative background The Public Sector Ethics Act 1994 requires agencies to provide appropriate education and training for their employees. Mandatory training Mandatory public sector ethics education and training completed by all new employees through the DETE induction program. Ongoing ethics related education and training is undertaken by all employees at regular intervals during their employment with the department. The public sector ethics education and training module includes: Ethical Decision-Making training and awareness, including Code of Conduct Internal Controls training fraud and corruption (including Public Interest Disclosure) training and awareness. It is available to employees through a variety of delivery modes: face-to-face training on-line ethical decision making training available via the Learning Place train-the-trainer package TAFE institutes, on-line, through the institutes’ learning management system (LMS) ethics- related resources published on One Portal, developed by ESU and available to all employees DETE induction website (mandatory induction). Formal information-sharing and the inclusion of fraud and corruption control components in induction training is the responsibility of both central and regional management. Employees whose knowledge of, and skills in, financial management are lacking are particularly vulnerable and specific training should be provided for these officers. Employees in smaller, rural and remote locations as well as those who perform a high level of resource and financial management should also receive specific fraud and corruption control training. Departmental education and awareness strategies With the oversight of its Fraud and Corruption Control Committee, the department uses a variety of education and awareness strategies to foster an ethical organisational culture and strengthen the department’s resistance to fraud and corruption: displaying notices about the Code of Conduct and Standard of Practice, and the expectation of ethical behaviour, throughout the workplace making a copy of the Code of Conduct and Standard of Practice available to all new employees demonstrating executive management commitment to fraud and corruption control, with senior executives leading by example and participating in training sessions the appointment of the Deputy Director-General Corporate Services as Chair of the Fraud and Corruption Control Committee and champion of fraud and corruption control across the organisation P a g e | 22 dissemination of advice about fraud and awareness strategies and internal controls emanating from meetings of the Fraud and Corruption Control Committee development of a fraud and corruption control newsletter establishment of communities of practice Fraud and Corruption Policy and Fraud and Corruption Control Plan made accessible to all employees dissemination of Public Interest Disclosure Policy and advice about the department’s PID support program Fraud and Corruption Control website on intranet function-specific training about fraud and corruption control to employees working in high-risk areas online Internal Controls training ethics awareness announcements on divisional home pages and division-specific publications online resources including brochures, factsheets and PowerPoint presentations ethics-related announcements in the department’s Education Views publication, for dissemination to the general public as well as employees the inclusion of fraud and corruption control KPIs in departmental financial sustainability benchmarks embedding fraud and corruption control in the department’s enterprise risk management program reinforcement of agency’s zero tolerance attitude to fraud and corruption demonstrated by prompt response taken to incidents Future training programs will include the provision of guidelines on the identification of misconduct risk and the ‘red flag’ indicators of potential fraud. Training will also include information about public sector accountability and ethical standards, as well as offering case studies and scenarios for ethical decision making. CMC Element 10: Client and Community Awareness ANAO conditions: legislation and governance, ethical leadership and culture The Fraud Corruption and Control Framework and other relevant policies and procedures are published on our internet site to make them accessible for all community members. The department’s external communication will emphasise the integrity of the department and its commitment to the highest standard of probity in all its dealings. It will give the community confidence in its dealings with us, and ensure that external providers, such as contractors, suppliers, third party providers, and funding recipients are aware of our zero tolerance policy. This message will be augmented by the ethical actions of employees at all times. We promote our fraud corruption and control policy by: publishing the Fraud and Corruption Control Framework and procedure on the department’s internet and employee portal gaining P&C commitment and ensuring a documented process for reporting potential fraudulent and/or corrupt activities incorporating probity compliance declarations and provisions into our standard contract arrangements providing a fraud reporting hotline - 1800 727 031 publishing pertinent complaint data as Open Data. P a g e | 23 The department’s zero tolerance of fraud should be highlighted, and measures be taken to ensure the department’s fraud and corruption prevention goals are reported, in its Annual Report. Monitoring, review and continuous improvement The processes that support continuous improvement of the Framework include: reviewing the Framework every two years (or following a significant change within the department) including: o control strategies, to ensure appropriate balance between prevention and detection o control appropriateness and effectiveness of design and operation updating fraud and corruption risk assessment to ensure fraud and corruption risks are captured and managed review of individual fraud and corruption cases to identify the cause, areas of control weakness, where possible measure the loss or cost of fraud, and identify lessons learned. Contact Director, Ethical Standards Unit Ph: (07) 3237 0255 Fax: (07) 3235 9996 ethicalstandards@dete.qld.gov.au PO Box 15033 City East Qld 4002 P a g e | 24 Appendix 1: Legislation and other Instruments Fraud and Corruption Control Legislation Public Sector Ethics Act 1994 (Qld) Public Service Act 2008 (Qld) Public Service Regulation 2008 (Qld) Education (General Provisions) Act 2006 (Qld) Education (General Provisions) Regulation 2006 (Qld) Public Interest Disclosure Act 2010 (Qld) Crime and Misconduct Act 2001 (Qld) Financial Accountability Act 2009 (Qld) Financial Accountability Regulation 2009 (Qld) Financial and Performance Management Standard 2009 (Qld) Criminal Code Act 1899 (Qld) Substantive policy Code of Conduct for the Queensland Public Service DETE Standard of Practice Related procedures Criminal History Checks Complaints Management – State Schools Contact with Lobbyists and Former Senior Government Representatives Conflict of Interest Intellectual Property and Copyright Use Maintaining the Security of Department Information and Systems Making and managing a public interest disclosure under the Public Interest Disclosure Act 2010 (Qld) Managing employee complaints Receipt of Gifts and Benefits by Employees of the Department Risk Management Acceptable Use of the Department's Information, Communication and Technology (ICT) Network and Systems Standards, guidance and best practice Crime and Misconduct Commission: Fraud and Corruption Control - Guidelines for Best Practice Facing the facts - A CMC guide for dealing with suspected official misconduct in Queensland public sector agencies Standards Australia: AS 8001-2003 - Fraud and Corruption Control Australian National Audit Office:Fraud Control in Australian Government Entities – Better Practice Guide 2011 Australian Minister for Home Affairs and Minister for Justice: Commonwealth Fraud Control Guidelines Queensland Department of Treasury and Trade: Financial Accountability Handbook 2012 A Guide to Risk Management 2011 Financial Management Tools 2012 P a g e | 25 Appendix 2: Definitions Code of Conduct - The Code of Conduct for the Queensland Public Service is a whole of government code of ethics that provides a framework of ethical principles, values and standards of conduct that guide employees in their work performance, professional standards, and how they should conduct their relationships with others. The Public Sector Ethics Act 1994 defines the ethical principles and values arising from these principles. The Public Interest Disclosure Act 2010 complements the Public Sector Ethics Act 1994 by providing legal protection for the reporting of certain wrongdoing that adversely affects the public interest. The department’s Standard of Practice is a supplementary document which assists all employees to apply the Code of Conduct of the Queensland Public Service and provides agency-relevant examples that directly relate to how the Code is to be applied within the department. Employee – For the purposes of this document and in accordance with the Code of Conduct for the Queensland Public Service an employee is defined as: “any Queensland public service agency employee whether permanent, temporary, full-time, part-time or casual; any volunteer, student, contractor, consultant or anyone who works in any other capacity for a Queensland public service agency” Fraud and corruption risk assessment - The application of risk management principles and techniques to the assessment the risk of fraud and corruption. Investigation - An inquiry or examination to ascertain facts; the act or process of investigating. Risk - The chance of something occurring that will have a negative impact upon objectives. It is measured in terms of likelihood and consequences .Residual risk is the remaining level of risk after risk treatment measures have been taken. Risk management - The term applied to a logical and systematic method of identifying, analysing, assessing, treating, monitoring and communicating risks associated with any activity, function or process in a way that will enable organisations to minimize losses and maximize positive outcomes. The department has introduced an Enterprise Risk Management Framework which builds on the existing risk management practices across the department and reflects current best practice and international standard. All departmental employees are strongly encouraged to become familiar with the Enterprise Risk Management Framework 2010-2014to ensure a consistent approach to managing risk within the department. Senior management - Personnel associated with the department at the executive and senior management, director or principal level and those senior officers who have authority over the direction or management of the department. P a g e | 26 ATTACHMENT ONE RISK ASSESSMENT WORKSHEET Each agency work unit should develop label descriptions to suit its own business processes and operating environment IDENTIFICATION Area being assessed Specific Risks Likelihood A = Almost certain B = Likely C = Unlikely D = Rare Consequences I = Insignificant II = Minor III = Moderate IV = Major V = Extreme Likelihood ANALYSIS EVALUATION RISK TREATMENTS Risk Degree Current Controls or Mitigating Factors Control Improvements Consequences Risk exposure Risk exposure VH = Very high risk – immediate action required H = High risk - senior management attention required M = Medium risk - management responsibility must be specified L = Low risk – manage by routine procedures P a g e | 27 ATTACHMENT TWO RISK MATRIX Consequence Insignificant Minor Moderate Major Critical Medium Medium High Extreme Extreme Likely Low Medium High High Extreme Possible Low Medium Medium High High Unlikely Low Low Medium Medium High Rare Low Low Low Low Medium Likelihood Almost Certain = Risk tolerance Likelihood of occurrence Almost certain Is almost certain to occur within the foreseeable future or within the project lifecycle Likely Is likely to occur within the foreseeable future or within the project lifecycle Possible May occur within the foreseeable future or within the project lifecycle Unlikely Is not likely to occur within the foreseeable future or within the project lifecycle Rare Will only occur in exceptional circumstances. P a g e | 28