Fraud and Corruption Policy

This Policy binds all non-corporate Commonwealth entities (NCEs) from 1 July 2024
and is considered better practice for corporate Commonwealth entities (CCEs) and
Commonwealth companies.

Application of the policy

The Commonwealth Fraud and Corruption Policy (the Policy) has been developed to support the accountable authorities of Australian Government entities to effectively discharge their responsibilities under section 10 of the Public Governance, Performance and Accountability Rule 2014 (the Fraud and Corruption Rule), as required by section 21 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) or if required under an order made pursuant to subsection 22(1) of the PGPA Act.

Consistent with the Fraud and Corruption Rule, the objectives of the Policy are to:

  • protect public resources, including money, information and property
  • protect the integrity and good reputation of entities and the Commonwealth, and
  • provide for accountability in entities as to implementation of their fraud and corruption control arrangements.

Reflecting the requirements set out in the Fraud and Corruption Rule, the Policy outlines the actions that the Australian Government considers necessary for accountable authorities to establish and maintain an appropriate system of fraud and corruption control for their entity.

The words ‘must’, ‘required’, ‘requires’ and ‘requiring’ indicate mandatory actions which accountable authorities or officials of NCEs must take. While these actions are mandatory, they may be applied in a way that is proportionate to the level of fraud and corruption risk involved in the entity’s activities and operating context. These actions are in addition to the actions required by the Fraud and Corruption Rule. NCEs must also ensure that their fraud and corruption control arrangements are developed in the context of the entity’s overarching risk management framework as described in the Commonwealth Risk Management Policy.

The use of the words ‘may’, ‘encouraged’ or ‘consider’ conveys discretionary actions which represent better practice. Accountable authorities and officials are encouraged to implement these actions.

Policy Element 1 – Fraud and corruption risk assessments

Fraud and corruption risk assessments help entities identify, understand and document their exposure to fraud and corruption, the associated risks and their existing control arrangements.

The Fraud and Corruption Rule requires accountable authorities to take all reasonable measures to prevent, detect and respond to fraud and corruption relating to the entity, including by:

  1. conducting assessments of fraud and corruption risks regularly and when there is a substantial change in the structure, functions or activities of the entity.

1.1. Entities must assess fraud and corruption risks at the enterprise level, including shared and emerging risks, at least every 2 years or when there are substantial or emerging changes in the structure, activities or functions of the entity. Entities may reassess these risks more frequently if needed having regard to other factors such as:

  1. the potential exposure, nature, velocity and severity of the fraud or corruption risks identified 
  2. the entity’s risk appetite and tolerance relating to fraud and corruption
  3. any other factors relevant to the entity.

1.2. Entities must identify the activities, functions or programs that are at the highest risk from fraud or corruption and decide whether it is appropriate and how frequently to undertake targeted fraud and corruption risk assessments of these areas having regard to the factors outlined at 1.1.

1.3. Entities must decide whether it is appropriate to undertake targeted fraud and corruption risk assessments when designing, implementing or reviewing policies, programs or initiatives.

1.4. Entities must take measures to consult with other entities where fraud and corruption risks impact on the responsibilities of the other entity, in accordance with any legislative obligations or powers dealing with information sharing.

For further guidance go to Fraud and Corruption Guidance - Element 1.

Policy Element 2 – Fraud and corruption control plans

Fraud and corruption control plans help entities document, communicate, manage and monitor the current or planned activities to manage the entity’s identified fraud and corruption risks.

The Fraud and Corruption Rule requires accountable authorities to take all reasonable measures to prevent, detect and respond to fraud and corruption relating to the entity, including by:

  1. developing and implementing control plans to deal with fraud and corruption risks, and updating the plans as soon as practicable after conducting an assessment mentioned in paragraph (a).

2.1. Entities must document and implement a fraud and corruption control plan or plans that address the risks identified through fraud and corruption risk assessments.

2.2. Entities must periodically review and monitor fraud and corruption control plans to ensure they remain relevant and proportionate to risks identified in risk assessments.

For further guidance go to Fraud and Corruption Guidance - Element 2.

Policy Element 3 – Effectiveness of controls

Periodically reviewing the effectiveness of controls helps entities ensure their most important controls are operating effectively in mitigating the entity’s identified fraud and corruption risks.

The Fraud and Corruption Rule requires accountable authorities to take all reasonable measures to prevent, detect and respond to fraud and corruption relating to the entity, including by:

  1. conducting periodic reviews of the effectiveness of the entity’s fraud and corruption controls.

3.1. Entities must periodically review the effectiveness of fraud and corruption controls.

  1. Entities may prioritise reviewing controls related to their highest risk activities, functions and programs.
  2. Entities may be guided by the nature, velocity and severity of the risks and how critical the controls are in mitigating the risk in determining the frequency with which specific controls are reviewed.

3.2. Where, as a result of a review, an entity determines that a risk treatment is required, entities must include this in their relevant fraud and corruption control plan or plans.

For further guidance go to Fraud and Corruption Guidance - Element 3.

Policy Element 4 – Governance and Oversight

Appropriate governance and oversight structures that are proportionate to the operating environment of an entity and integrated with an entity’s risk management framework are essential for effective fraud and corruption management.

The Fraud and Corruption Rule requires accountable authorities to take all reasonable measures to prevent, detect and respond to fraud and corruption relating to the entity, including by:

  1. ensuring that the entity:
    1. has governance structures and processes to effectively oversee and manage risks of fraud and corruption relating to the entity; and
    2. has officials who are responsible for managing risks of fraud and corruption relating to the entity; and
    3. keeps records identifying those structures, processes and officials.

4.1. Entities must establish and document governance arrangements and processes that support the effective oversight and management of fraud and corruption risks to the entity in accordance with section 10 of the Public Governance, Performance and Accountability Rule 2014 and this Policy in a manner that is proportionate to those risks.

4.2. Entities must identify and document the roles and responsibilities of specific officials, positions or internal governance bodies, including but not limited to the accountable authority, chief risk officer (if applicable) and senior executives, in relation to preventing, detecting, responding to and reporting on fraud and corruption.

4.3. Entities must maintain an appropriate level of capability to effectively manage fraud and corruption risks, with a focus on prevention.

4.4. Entities must ensure officials who are primarily engaged in fraud and corruption control activities have relevant education in fraud and corruption control and maintain an appropriate level of capability to carry out their duties.

4.5. Entities must document the entity’s:

  1. overall commitment to managing and responding to fraud and corruption risks
  2. appetite and tolerance relating to fraud and corruption risks
  3. arrangements for preventing, detecting, responding to and reporting on fraud and corruption, and
  4. decisions made in relation to the management of fraud and corruption risk.

For further guidance go to Fraud and Corruption Guidance - Element 4.

Policy Element 5 – Prevention

Prevention is the most efficient and cost-effective means of minimising the risk of fraud and corruption and can eliminate or reduce the harmful consequences to Commonwealth entities and third parties, including significant financial and reputational harm.

The Fraud and Corruption Rule requires accountable authorities to take all reasonable measures to prevent, detect and respond to fraud and corruption relating to the entity, including by:

  1. ensuring that the entity has appropriate mechanisms for preventing fraud and corruption, including by ensuring that:
    1. all officials of the entity are made aware of what constitutes fraud and corruption; and
    2. risks of fraud and corruption are taken into account in planning and conducting the activities of the entity.

5.1. Entities must ensure officials at all levels are aware of their responsibilities for fraud and corruption risk management.

5.2. Entities must promote a culture of integrity, including requiring officials to undertake training in integrity, fraud and corruption awareness on induction and more regularly as appropriate.

5.3. Entities must consider measures to prevent and mitigate fraud and corruption risks when designing, implementing, delivering and undertaking government initiatives.

5.4. Entities must have arrangements in place to prevent fraud or corruption that could arise in relation to activities undertaken for or on behalf of the entity by contractors, consultants and third-party service providers.

For further guidance go to Fraud and Corruption Guidance - Element 5.

Policy Element 6 – Detection

Detection of fraud and corruption can involve a range of mechanisms including: reporting channels for officials, third-party service providers and members of the public, automated transaction monitoring, account reconciliation, management reviews and audits, and data matching and analytics.

The Fraud and Corruption Rule requires accountable authorities to take all reasonable measures to prevent, detect and respond to fraud and corruption relating to the entity, including by:

  1. ensuring that the entity has appropriate mechanisms for:
    1. detecting fraud and corruption, including processes for officials of the entity and other persons to report suspected fraud or corruption confidentially.

6.1. Entities must have arrangements in place that actively seek to detect instances of fraud or corruption.

6.2. Entities must ensure that members of the public, officials, contractors, consultants and third-party service providers have access to, and are made aware of, mechanisms to confidentially, and where appropriate anonymously, report suspected fraud and corruption, and that they are protected from reprisals, including in accordance with the National Anti-Corruption Commission Act 2022 (NACC Act) and the Public Interest Disclosure Act 2013.

For further guidance go to Fraud and Corruption Guidance - Element 6.

Policy Element 7 – Investigation and other responses

Effective responses to fraud or corruption incidents can involve a range of administrative, civil and criminal interventions, including containment, disruption, investigation, referrals to the Australian Federal Police or National Anti-Corruption Commission (or the Inspector General of Intelligence and Security for intelligence agencies), disciplinary action, recovery, remediation and where appropriate, prosecution.

The Fraud and Corruption Rule requires accountable authorities to take all reasonable measures to prevent, detect and respond to fraud and corruption relating to the entity, including by:

  1. ensuring that the entity has appropriate mechanisms for:
    1. investigating or otherwise responding to fraud or corruption or suspected fraud or corruption

7.1. Entities must have appropriate arrangements in place, including response plans, and investigate or otherwise respond to suspected incidents of fraud and/or corruption relating to the entity.

7.2. Entities must establish and document criteria for making decisions at critical stages in the management of a suspected fraud or corruption incident including decisions to investigate, refer the matter to another entity, apply civil or administrative remedies, or to take no further action in response to a suspected fraud or corruption incident.

7.3. Entities must report all instances of potential serious or complex fraud offences to the Australian Federal Police (AFP) except in the following circumstances:

  1. where entities have the appropriate skills and resources needed to investigate potential criminal matters, including to prepare a brief of evidence for referral to the Commonwealth Director of Public Prosecutions (CDPP); and/or
  2. where legislation sets out specific alternative arrangements.

7.4. Entities must ensure that their officials comply with obligations under the NACC Act, including obligations to refer instances of suspected serious or systemic corrupt conduct to the National Anti-Corruption Commission.

7.5. Entities must have regard to the Australian Government Investigations Standard (AGIS) in developing an approach to conducting administrative, civil, or criminal investigations.

7.6. Entities must ensure that fraud and corruption investigations are carried out by appropriately qualified personnel as set out in the AGIS.

7.7. If an entity engages external investigators, the entity must ensure that, as a minimum, they meet the required investigations competency requirements set out in the AGIS.

7.8. Where an investigation gathers enough evidence to substantiate a criminal charge, an entity must consider referring the matter to the CDPP.

7.9. Entities must take measures to consult with other entities where a potential fraud or corruption incident impacts on the responsibilities of the other entity, in accordance with any legislative obligations or powers dealing with information sharing.

7.10. Entities must take all reasonable measures to recover financial losses. This may require working with the AFP and/or CDPP in cases of criminal activity.

7.11. Where, as a result of an investigation, an entity determines that a risk treatment is required, the entity must include this in their relevant fraud and corruption control plan or plans.

For further guidance go to Fraud and Corruption Guidance - Element 7.

Policy Element 8 – Recording and reporting

Recording and reporting incidents of fraud or corruption or suspected fraud or corruption requires effective information management systems to capture allegations and instances of fraud and corruption, or attempted fraud and corruption, and the subsequent response and outcomes. Reporting should provide data about the nature, extent and location of fraud and corruption against the entity. A feedback loop of internal reporting can support an entity to maintain appropriate oversight over mechanisms for preventing, detecting and responding to fraud and corruption, and remain compliant with the Fraud and Corruption Rule and Policy.

The Fraud and Corruption Rule requires accountable authorities to take all reasonable measures to prevent, detect and respond to fraud and corruption relating to the entity, including by:

  1. ensuring that the entity has appropriate mechanisms for:
    1. recording and reporting incidents of fraud or corruption or suspected fraud or corruption.

8.1. Entities must record and manage information about incidents of fraud or corruption or suspected fraud and corruption against the entity.

8.2. Entities must report information about fraud and corruption risks and incidents through the governance arrangements and processes that support effective fraud and corruption risk oversight and management.

8.3. Entities are encouraged to collaborate and share information and intelligence to prevent, detect and respond to fraud and corruption in accordance with any legislative obligations or powers dealing with information sharing.

8.4. The Australian Institute of Criminology (AIC) must publish an annual report on fraud and corruption relating to Commonwealth entities by 31 July each year.

8.5. To facilitate the AIC annual report:

  1. all entities must provide information for the previous financial year in the form requested by the AIC;
  2. the AFP must provide information on all fraud and corruption incidents referred to, accepted or declined by the AFP during the previous financial year, in a form requested by the AIC;
  3. the NACC must provide information for the previous financial year, on the number of:
    1. voluntary referrals of corruption issues;
    2. mandatory referrals of corruption issues;
    3. corruption issues dealt with by the Commissioner under Division 1 of Part 6 of the Act;
    4. corruption issues that the Commissioner investigated
    5. corruption issues that the Commissioner investigated jointly with a Commonwealth agency or a State or Territory government entity
    6. corruption issues that the Commissioner referred to a Commonwealth agency for investigation
    7. corruption issues that the Commissioner referred to a Commonwealth agency or a State or Territory government entity for consideration
    8. corruption issues in relation to which the Commissioner decided to take no action.
  4. the CDPP must provide information on all fraud and corruption incidents handled by the CDPP during the previous financial year, in a form requested by the AIC; and
  5. all information covered by this paragraph must be provided to the AIC by the date requested by the AIC each year.

For further guidance go to Fraud and Corruption Guidance - Element 8.
