Fraud and Corruption Guidance
Resource Management Guide 201 – Preventing, detecting and dealing with fraud and corruption
This Guide supports the Fraud and Corruption Rule and Policy and provides further guidance for fraud and corruption control arrangements for all Commonwealth entities. This guide applies from 1 July 2024.
Fraud against the Commonwealth and corrupt conduct by officials are serious matters for Commonwealth entities and the community. Not only can they constitute a criminal offence, but fraud and corruption reduce funds available for delivering public goods and services, undermine the integrity of and public trust in government and can place public safety at risk. The Australian community rightly expects that entities and officials uphold their positions with integrity, acknowledge and fulfil their responsibilities as stewards of public funds, and make every effort to protect public resources. Strong frameworks help to limit opportunities to undermine the integrity of public institutions and support systems and practices to ensure misconduct can be identified and addressed promptly.
The Fraud and Corruption Control Framework
The Commonwealth Fraud and Corruption Control Framework (Framework), under the Public Governance, Performance and Accountability Act 2013 (PGPA Act), is designed to support Australian Government entities to effectively manage the risks of fraud and corruption. The Framework consists of three parts:
- Section 10 of the Public Governance, Performance and Accountability Rule 2014 – The Fraud and Corruption Rule is a legislative instrument binding for all PGPA Act entities. It sets out the minimum standards for accountable authorities of PGPA Act entities in relation to managing the risk and incidents of fraud and corruption relating to their entity.
- The Commonwealth Fraud and Corruption Policy – The Fraud and Corruption Policy is an Australian Government Policy which is binding for all Non-Corporate Commonwealth Entities (NCEs). Corporate Commonwealth Entities (CCEs) and Commonwealth Companies are encouraged to adopt the Fraud and Corruption Policy as better practice. The Fraud and Corruption Policy sets out the procedural requirements entities must implement in relation to specific areas of fraud and corruption control such as investigations and reporting.
- Resource Management Guide 201: Preventing, detecting and dealing with fraud and corruption – This provides further practical guidance on the fraud and corruption control arrangements for all Commonwealth entities.
Taking a proportionate approach to managing fraud and corruption risks
The purpose of the Framework is to provide a coherent system of governance and accountability across entities for protecting public resources from fraud and corruption. The Framework is also designed to operate in a way that recognises the different operating contexts of Commonwealth entities, and the different scale and nature of fraud and corruption risks that can result.
The Fraud and Corruption Rule sets the minimum standard for managing the risk and incidents of fraud and corruption. All Commonwealth entities must comply with these requirements.
While NCEs must also implement the Policy (and CCEs and Commonwealth companies are strongly encouraged to do so), the key procedural requirements outlined in the Policy can be implemented in a way that takes account of each entity’s unique operating context. This allows the officials responsible for managing risks of fraud and corruption relating to an entity to determine what are reasonable and appropriate mechanisms for that entity. What is reasonable and appropriate will vary based on the size and operations of an entity as well as the nature and complexity of an entity’s fraud and corruption risks.
Each accountable authority must establish a system of internal control for fraud and corruption that is fit for purpose to protect the entity from these risks. These decisions should be informed by an understanding of the fraud and corruption risks faced by an entity, and its appetite and tolerance for those risks, and be made and documented through the governance arrangements established to manage fraud and corruption risk within an entity. This is discussed in more detail under Element 4: Governance and oversight.
Interactions with the operation of the NACC Act
The National Anti-Corruption Commission (NACC) operates independently to deter, detect and prevent corrupt conduct involving Commonwealth public officials. The National Anti-Corruption Commission Act 2022 (NACC Act) establishes the jurisdiction and powers of the NACC, along with creating obligations for agency heads and certain other officials to refer corrupt conduct to the NACC. The Framework complements the work of the NACC by setting out the responsibility of all PGPA Act entities to proactively assess and manage fraud and corruption risks.
The definition of corruption under the Framework is consistent with the definition of corrupt conduct in the NACC Act, and the Policy requires agencies to meet their obligations under the NACC Act. Referral obligations are discussed in more detail in Element 7: Investigation and other responses.
Ensuring compliance with the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule)
Section 17AG of the PGPA Rule requires the accountable authorities of NCEs to include the following in their annual reports:
- information on compliance with the Fraud and Corruption Rule; and
- a certification by the accountable authority that:
  - fraud and corruption risk assessments and control plans have been prepared; and
  - appropriate mechanisms for preventing, detecting incidents of, investigating or otherwise dealing with, and recording or reporting fraud and corruption that meet the specific needs of the entity are in place for the entity; and
  - all reasonable measures have been taken to deal appropriately with fraud and corruption relating to the entity.
An effective system of reporting, governance and oversight of fraud and corruption risk provides assurance to an accountable authority that the entity is compliant with the obligations under the Rule. Compliance with the Fraud and Corruption Rule (and the Policy for NCEs) may be the subject of an audit by the Australian National Audit Office (ANAO).
Breaches of the PGPA Rule may attract criminal, civil, administrative or disciplinary penalties (including under the PGPA Act and the Public Service Act 1999).
Guidance for Element 1 – Fraud and corruption risk assessments
This chapter relates to paragraph 10 (a) of the Fraud and Corruption Rule and Element 1 of the Fraud and Corruption Policy.
Fraud and corruption risk assessments help entities identify, understand and document their exposure to fraud and corruption, the associated risks and their existing control arrangements.
Fraud and corruption risk assessments enable entities to develop an informed view of where fraud and corruption risks lie and implement fit-for-purpose control plans to mitigate the harmful impacts of fraud and corruption for victims, government and public outcomes, national security, industry, the environment and other areas. Fraud and corruption risk assessments play an important role in promoting the ‘proper’ use and management of public resources and establishing and maintaining systems relating to risk and control, in accordance with sections 15 and 16 of the PGPA Act. The active management of identified fraud and corruption risks, including appropriate governance, oversight and reviews of control effectiveness, provides assurance that these risks are being appropriately managed by the entity. Fraud and corruption control plans are discussed in more detail in Element 2: Fraud and corruption control plans.
A fraud and corruption risk assessment is a systematic process undertaken to identify and analyse risks to the entity, and, if required, determine what risk treatments are needed to keep the potential likelihood and consequences of risks to within the entity’s pre-defined levels of risk appetite or tolerance. An assessment of fraud risk and corruption risk can be conducted and documented together or separately.
Proactively addressing fraud and corruption requires an entity to establish and maintain an ongoing awareness of their fraud and corruption threat environment. The fraud and corruption risk assessment process should consider all significant factors likely to affect an entity’s exposure to fraud and corruption risks, including what assets (including information) need protection and what internal and external pressures affect risks. Collecting and managing information about fraud and corruption is discussed in more detail under Element 8: Recording and reporting fraud and corruption.
The Fraud and Corruption Rule requires Commonwealth entities to conduct fraud and corruption risk assessments regularly and when there is a substantial change in the structure, functions or activities of an entity. Examples of substantial changes may include machinery of government changes, changes to service delivery models, significant new programs or responsibilities or significant changes in programs, including expenditure and resourcing. Officials responsible for managing fraud and corruption risk within an entity should determine if changes warrant a reassessment of the entity’s fraud and corruption risk. The responsibilities of particular officials are discussed in more detail under Element 4: Governance and oversight.
The Policy refers to enterprise-level and targeted fraud and corruption risk assessments:
- Enterprise-level fraud and corruption risk assessments consider, and are used to monitor and manage, risks from the perspective of the entire entity.
- Targeted fraud and corruption risk assessments consider, and are used to monitor and manage, risks that may impact an entity’s specific activities, functions or programs – they are usually carried out where a high risk of fraud or corruption is identified.
It is important that entities determine the right balance between enterprise-level risk management and operational or targeted risk management, and ensure they ultimately function in alignment with one another.
Enterprise-level fraud and corruption risk assessments
NCEs must assess their enterprise-level fraud and corruption risks. This involves a high-level risk assessment of an entire entity’s exposure to fraud and corruption, which provides a landscape view of all activities, functions and expenditure areas across an entity and its operating environment. These assessments must include consideration of shared and emerging risks (see information on shared and emerging risks below).
For many entities, it may be appropriate to integrate enterprise-level fraud and corruption risk assessments into broader enterprise-level risk assessments. Entities with higher exposure to fraud and corruption risks should consider developing a standalone enterprise-level fraud and corruption risk assessment.
NCEs must assess their enterprise-level fraud and corruption risks at least every 2 years or where there are substantial or emerging changes in structure, activities or functions. Entities may also decide to reassess more frequently, having regard to factors outlined in paragraph 1.1 of the Policy. Entities are encouraged to regularly monitor and maintain ongoing awareness of their fraud and corruption threat environment through the use of various methods (see information on emerging risks below).
Targeted fraud and corruption risk assessments
NCEs must identify the activities, functions and programs that are at highest risk from fraud or corruption and decide whether it is appropriate to undertake targeted fraud and corruption risk assessments and how often these assessments need to be reviewed. NCEs must also decide whether it is appropriate to undertake targeted fraud and corruption risk assessments when designing, implementing or reviewing policies, programs or initiatives. These decisions should be made and documented through the governance arrangements established to manage fraud and corruption risk within an entity, having regard to factors outlined in paragraph 1.1 of the Policy. This approach allows entities to prioritise their efforts and maximise the impact of their fraud and corruption control capability and resources. Governance arrangements are discussed in more detail in Element 4: Governance and oversight.
Entities may undertake various types of targeted fraud and corruption risk assessments for specific activities, functions and programs depending on the purpose or circumstances in which the assessment is being undertaken. Targeted fraud and corruption risk assessments include:
- Thematic risk assessments – these focus on a group of functions or activities that are more susceptible to fraud and corruption, e.g. grants or procurement spending.
- Detailed risk assessments – these focus on activities, functions and programs that are at the highest risk from fraud or corruption. This type of risk assessment is more detailed and comprehensive compared to other types of fraud and corruption risk assessments.
- Initial impact assessments – these focus on new policies, programs and initiatives to make an early assessment of the inherent fraud and corruption risks and potential impacts.
Entities are encouraged to undertake initial impact assessments during the design of new policies, programs or initiatives. These assessments may inform factors such as eligibility criteria or data collection and can be used to mitigate the risks of fraud or corruption and promote integrity through good design. These assessments may also inform whether further targeted risk activity, such as a detailed assessment, is required. Designing integrity into policies, programs and initiatives is discussed in more detail in Element 5: Preventing fraud and corruption.
The Policy requires NCEs to consider shared and emerging risks when assessing fraud and corruption risks. The Policy also requires NCEs to take measures to consult with other entities where fraud and corruption risks impact the responsibilities of the other entity, in accordance with any legislative obligations or powers dealing with information sharing. CCEs are strongly encouraged to follow this requirement. Resource Management Guide 211, Implementing the Commonwealth Risk Management Policy (Elements 6 and 7) provides better practice advice on managing shared and emerging risks.
Section 15 of the PGPA Act requires accountable authorities to consider the effect of decisions on public resources generally, not only those for which the accountable authority is responsible. Where possible, entities should share and use information and intelligence about fraud and corruption for the purposes of managing shared risks. If the information contains personal information or is protected by non-disclosure duties and other secrecy offences, entities must consider legislative obligations as well as powers to facilitate information sharing. These may include provisions contained in their own legislation, and other legislation that enables information sharing between entities for specified purposes, for example, subsection 16A(1) of the Privacy Act 1988, Part VIID of the Crimes Act 1914, and the Data Availability and Transparency Act 2022.
Entities are also encouraged to consult with stakeholders within their entity responsible for managing related risks, such as the Agency Security Advisor, the Chief Information Officer or the Chief Risk Officer. This will avoid duplication of effort and enable opportunities to leverage complementary control measures to help combat fraud and corruption.
Guidance for Element 2 – Fraud and corruption control plans
This chapter relates to paragraph 10 (b) of the Fraud and Corruption Rule and Element 2 of the Fraud and Corruption Policy.
Fraud and corruption control plans help entities document, communicate, manage and monitor the current or planned activities to manage the entity’s identified fraud and corruption risks.
Control plans help entities ensure that fraud and corruption risks are appropriately and proportionately managed within pre-defined levels of risk appetite or tolerance. The absence of an effective control plan can negatively impact an entity’s efforts to manage fraud and corruption risks and increase an entity’s risk exposure.
The Fraud and Corruption Rule requires entities to develop and implement control plans to deal with fraud and corruption risks identified through risk assessments. Entities should update the plans as soon as practicable after conducting a fraud and corruption risk assessment or a re-assessment. This requirement applies to enterprise and targeted risk assessments. Fraud and corruption risk assessments are discussed in more detail in Element 1: Fraud and corruption risk assessments.
At a minimum, control plans should include:
- existing preventative, detective and corrective controls the entity has in place to address identified fraud and corruption risks, including how these controls mitigate the identified risks
- new treatments the entity will implement to further mitigate the identified fraud and corruption risks, including implementation timeframes, where the entity has determined that new or changed treatments are required
- designated control owners who are required to monitor and report on the implementation, testing (where relevant), and effectiveness of controls.
Control plans must focus on the specific controls, control owners, implementation and testing timeframes commensurate with assessed fraud and corruption risks. The design and content of control plans must be unique and proportionate to an entity in terms of its circumstances and fraud and corruption risks. For example, some entities may choose to integrate their control plans into existing or new business, risk or other relevant management plans. Entities may incorporate control plans into the documentation associated with specific fraud and corruption risk assessments. Other entities may choose to develop a standalone fraud and corruption control plan, or develop multiple control plans. This is a recommended approach for entities with large or complex operating environments, or entities that have higher exposure to fraud and corruption risk.
Entities should be aware that control plans include information that is valuable to those who might try to subvert the entity’s controls. To mitigate the risk of misuse, entities must consider who can access control plans and only provide them on a need to know basis, and ensure that appropriate classification and storage is informed by the Protective Security Policy Framework.
Documenting a control plan after assessing fraud and corruption risks at the enterprise level can support entities to also meet the requirement under the Rule for entities to keep records identifying structures, processes and officials responsible for managing risks of fraud and corruption relating to the entity. Documenting arrangements for the management of fraud and corruption risks is discussed in more detail under Element 4: Governance and oversight.
Entities must periodically review and monitor control plans to ensure they remain relevant and proportionate to risks identified in risk assessments. These reviews should follow from reviews of risk assessments.
Guidance for Element 3 – Reviewing control effectiveness
This chapter relates to paragraph 10 (c) of the Fraud and Corruption Rule and Element 3 of the Fraud and Corruption Policy.
Reviewing control effectiveness involves gathering information and data to determine whether a control is functioning as intended.
This chapter should be read in conjunction with Resource Management Guide 211, Implementing the Commonwealth Risk Management Policy (Element 5), noting that examining the effectiveness of fraud and corruption controls requires additional considerations, such as examining controls or a system of controls from the perspective of a fraudulent or corrupt actor.
Periodically reviewing controls helps entities ensure their most important controls are operating effectively in mitigating the entity’s identified fraud and corruption risks and provides assurance to accountable authorities that the entity’s efforts to prevent, detect and respond to fraud and corruption are adequate and effective. Reviewing control effectiveness allows entities to proactively identify and eliminate ‘blind spots’ and challenge assumptions about how effectively controls are operating to mitigate fraud and corruption risk. Review mechanisms also enable accountable authorities to make more informed decisions about their appetite or tolerance for fraud and corruption risks.
Ineffective controls can lead to process inefficiencies and a sub-optimal use of public resources, without mitigating risk. Reviewing control effectiveness can lead to improved operational efficiency, effectiveness and compliance to mitigate the risk of fraud and corruption.
It is impractical and inefficient for entities to review the effectiveness of every fraud or corruption control. Therefore, to ensure these reviews are appropriate, cost-effective and proportionate to the entity’s risks, entities are encouraged to focus their effort and resources on the controls related to their highest risk activities, functions and programs.
When determining which controls should be reviewed, entities should be guided by the nature, velocity and severity of specific risks and how critical the controls are in mitigating the risk.
Resource Management Guide 211, Implementing the Commonwealth Risk Management Policy (Element 5) provides advice on the regularity of control testing, which could depend on the following factors:
- the critical nature of the control
- the risk appetite and tolerance of an entity
- recent changes to the internal or external operating environment of an entity.
Understanding the enablers of fraud and corruption, as well as the design and purpose of a control is fundamental to determining control effectiveness. This supports entities to identify and develop the right metrics and the most appropriate means for determining if a control is achieving its intended purpose.
The approach an entity takes to reviewing controls should be proportionate to its circumstances and fraud and corruption risks. For example, some entities may choose to review critical controls in a limited and targeted way, while entities with large or complex operating environments, or those that have higher exposure to fraud and corruption risk, may implement more comprehensive processes to review multiple controls across integrated control environments.
The effectiveness of controls has a direct influence on residual risk – that is, the likelihood, frequency, duration and impact of fraud and corruption occurring. Therefore, following a review of control effectiveness, entities should review and, if required, update any relevant fraud and corruption risk assessments.
If, as a result of a review, an entity determines that a new or changed risk treatment is required, entities must include this in their relevant fraud and corruption control plan or plans. Fraud and corruption control plans are discussed in more detail in Element 2: Fraud and corruption control plans.
Guidance for Element 4 – Governance and oversight
This chapter relates to paragraph 10 (d) of the Fraud and Corruption Rule and Element 4 of the Fraud and Corruption Policy.
Effective fraud and corruption management requires an appropriate governance structure that is proportionate to the operating environment of an entity and integrated with an entity’s risk management framework.
The Fraud and Corruption Rule requires entities to have governance structures and processes in place to effectively oversee and manage risks of fraud and corruption relating to an entity. While the nature and extent of fraud and corruption risks faced by entities will differ, the risks still require effective management and oversight. An effective organisational control system, which includes fraud and corruption control, will assist an entity to operate with integrity, improve accountability, and contribute to quality outcomes. It will also assist the accountable authority to comply with their obligations under the finance law.
The Commonwealth Risk Management Policy requires all NCEs to formalise their approach to the management of risk in a risk management framework. The Fraud and Corruption Policy also requires NCEs to establish and document governance arrangements and processes that support the effective oversight and management of fraud and corruption risks to the entity. These arrangements and processes should be proportionate to the risk profile of the entity or the particular policy, program or initiative. For some entities, it may be appropriate to establish specific fraud and corruption risk governance arrangements. However, all entities should ensure that their fraud and corruption risk governance arrangements are integrated with the entity’s broader risk management framework.
Resource Management Guide 211, Implementing the Commonwealth Risk Management Policy (Element 1) provides advice on embedding risk management into the decision-making activities of an entity. This enables risk to be managed in a repeatable and consistent way when designing, implementing, delivering and undertaking government initiatives.
The Fraud and Corruption Rule requires entities to identify officials responsible for fraud and corruption control. The Policy requires NCEs to clearly define and document the roles and responsibilities of specific officials, positions or internal governance bodies in relation to preventing, detecting, responding and reporting on fraud and corruption. CCEs are strongly encouraged to follow this requirement. Resource Management Guide 211, Implementing the Commonwealth Risk Management Policy (Element 4) provides advice on the risk management responsibilities of officials.
The Policy also requires NCEs to maintain an appropriate level of capability to effectively manage fraud and corruption risks, with a focus on prevention.
To meet this requirement, an entity must determine what is reasonable and appropriate for their circumstances. This determination should be based on an informed understanding of the fraud and corruption risks faced by an entity and its appetite and tolerance for fraud and corruption risk. These decisions should also be made and documented through the governance arrangements established to manage fraud and corruption risk within an entity. Resource Management Guide 211, Implementing the Commonwealth Risk Management Policy (Element 8) provides advice on maintaining an appropriate level of risk management capability.
The Policy requires NCEs to focus their investment on prevention capability to reduce costs and minimise harms caused by fraud and corruption. CCEs are strongly encouraged to follow this requirement. Prevention strategies are discussed in more detail under Element 5: Preventing Fraud and Corruption.
The Policy requires NCEs to ensure officials engaged primarily in fraud and corruption control activities possess relevant education to effectively carry out their duties. This is to ensure those officials are appropriately skilled. For this reason, CCEs are strongly encouraged to follow this requirement.
If officials entering these roles do not have relevant experience, it is important for them to receive relevant training as soon as possible. Until an official has attained the relevant qualifications, entities are encouraged to ensure that appropriate supervision is provided.
Relevant training and qualifications vary for entities depending on their exposure to fraud and corruption risks. It is important that officials engaged in these functions are able to:
- understand the fraud and corruption landscape across their entity and the wider context, including relevant legislation
- understand different types of fraud and corruption, as well as causes and motivators
- recognise opportunities to develop controls, policies or processes to mitigate the probability, frequency, duration and impacts of fraud and corruption
- collaborate with others to design, implement and review controls.
Entities with a greater exposure to fraud and corruption may consider developing or accessing specialised training programs for relevant officials to ensure the potential risks to their business are minimised.
It is important for entities to ensure officials engaged in fraud and corruption control have ongoing professional development. Timeframes for refreshing the knowledge and skills of these officials can be determined by entities, ideally occurring at least every three years.
Officials who perform some fraud and corruption control functions, but are not primarily engaged in fraud and corruption control or investigation, do not need to attain the same level of education as officials engaged primarily in fraud and corruption control. However, entities should ensure these officials possess the relevant knowledge and skills to effectively perform those specific functions and have access to appropriate support and advice.
The Fraud and Corruption Rule requires entities to keep records of the structures, processes and officials responsible for fraud and corruption risk management. The Policy also requires NCEs to document the entity’s:
- overall commitment to managing and responding to fraud and corruption risks
- risk appetite and tolerance statements relating to fraud and corruption
- key roles and responsibilities of relevant officials and committees (where relevant)
- arrangements for preventing, detecting, responding and reporting on fraud and corruption.
This information can be documented in a way that best suits the operating environment of an entity, noting the desirability of integrating fraud and corruption risk management within the broader risk management framework of entities. For example, this information could be included within an entity’s corporate plan or broader risk management framework. Some entities may choose to create a standalone document, for example a Fraud and Corruption Control Strategy, Policy or Handbook.
It is important that this information is accessible to all officials, contractors and third parties working on behalf of an entity. Furthermore, promoting this information can assist in raising awareness, which supports entities to also meet the requirement under the Fraud and Corruption Rule to ensure that officials in an entity are made aware of what constitutes fraud and corruption and how to report it. Fraud and corruption awareness is discussed in more detail in Element 5: Preventing Fraud and Corruption.
Guidance for Element 5 – Preventing fraud and corruption
This chapter relates to paragraph 10 (e) of the Fraud and Corruption Rule and Element 5 of the Fraud and Corruption Policy.
Prevention is the most efficient and cost-effective means of minimising the risk of fraud and corruption and can eliminate or reduce the harmful consequences to Commonwealth entities and third parties, including significant financial and reputational harm. Prevention minimises the risks of adverse impacts from diminished program outcomes and a reduction in the quality of essential services for the people these services are intended to support. Investing in prevention strategies also helps to maintain the Australian community’s trust and confidence in the integrity of the public sector. For these reasons, prevention should always be the primary focus of an entity’s fraud and corruption control plan or plans. See Element 2: Fraud and corruption control plans.
The Fraud and Corruption Rule requires accountable authorities to ensure that officials in an entity are made aware of what constitutes fraud and corruption. Fraud and corruption awareness and integrity training are important both as a deterrent and to assist officials to identify risks and red flags. Training should be included in all induction programs and entities are encouraged to have a rolling program of regular fraud and corruption awareness and prevention training for all officials. This training should include information on:
- how managing fraud and corruption aligns with the entity’s strategic goals and values (why it is important)
- the responsibilities for all officials to control fraud and corruption risks in their day-to-day work
- what fraud and corruption looks like, including common red flags
- how to respond to the red flags, including how to report suspected fraud or corruption confidentially.
Establishing and communicating reporting mechanisms is discussed in more detail in Element 6: Detecting fraud and corruption.
The Policy requires NCEs to promote a culture of integrity. This recognises that risk management frameworks, while important, cannot work on their own. It is essential that an entity’s culture promotes an open and proactive approach to managing fraud and corruption risk. Resource Management Guide 211, Implementing the Commonwealth Risk Management Policy (Element 3) provides advice on supporting a culture where risk is managed and communicated across all levels of an entity and individuals are encouraged to adopt positive risk behaviours.
The Fraud and Corruption Rule requires entities to have appropriate mechanisms for preventing fraud and corruption, including by ensuring that risks of fraud and corruption are considered in planning and conducting the activities of an entity. This includes when major new policies are being designed and developed or when there is a significant change in a policy or how it will be implemented.
The assessment of risks is an integral part of good policy or program design. Identifying the potential for fraud or corruption early on creates a unique opportunity to plan and implement policies, programs and activities (including transformation initiatives) in a way that reduces the risks of fraud and corruption before they cause harm. Assessing fraud and corruption risk is discussed in more detail in Element 1: Fraud and corruption risk assessments.
Entities must ensure officials involved in planning the activities of the entity are capable of understanding and managing risk. This involves understanding how to identify and mitigate the risks and impacts of fraud and corruption when designing policies, programs and transformation initiatives.
The extent to which fraud and corruption risk assessment and control is embedded into the planning and activities of an entity will depend on the nature and severity of the risks faced by an entity and the maturity of an entity’s capability for managing fraud and corruption risk more generally.
Under section 26 of the PGPA Act, the accountable authority of an entity must govern the entity in a way that promotes the proper use and management of public resources for which the authority is responsible. ‘Proper’ is defined under section 8 of the PGPA Act as efficient, effective, economical and ethical. Moreover, the duty of accountable authorities to establish and maintain systems relating to risk and control under section 16 of the PGPA Act includes managing consultants and independent contractors who work for the entity, even if they are not officials of the entity. The Australian Government Contract Management Guide provides guidance to support effective contract management at a practitioner level for Commonwealth entities.
Under the Fraud and Corruption Rule, accountable authorities are required to take reasonable measures to prevent, detect and respond to fraud and corruption relating to their entity. The Policy further specifies that the obligations of accountable authorities for managing fraud and corruption extend to the conduct of third parties related to the entity. These third parties include individuals (such as contractors and subcontractors), businesses and other third party organisations (such as a service provider) who deliver a program, support, goods or services for, or on behalf of, an entity.
Entities should also take measures to ensure contractors, vendors and other third parties meet Commonwealth standards for integrity and accountability. The Protective Security Policy Framework (PSPF) mandates that pre-employment screening is the primary activity used to mitigate an NCE’s personnel security risks. Entities may use security clearances where they need additional assurance of the suitability and integrity of contractors. PSPF Policy 6: Security governance for contracted goods and service providers also guides how entities are to assess and manage security risks when procuring goods and services.
Entities must also comply with the Commonwealth Procurement Framework to reduce risks and promote transparency, integrity, assurance and accountability throughout procurement planning, evaluation, contract execution and in the delivery of contracted goods and services.
Due diligence checks are vital in helping entities make informed decisions about whether vendors, supplier companies (e.g. recruitment agencies or labour hire companies) or service providers are suitable to deliver goods or services for or on behalf of the Commonwealth. The process involves assessing a third party against a set of criteria to inform a decision. It often includes ‘fit and proper person’ tests, which relate to honesty, good character and integrity. Common disqualifying criteria include:
- criminal convictions
- links to organised crime
- previous insolvency or bankruptcy problems
- poor history of compliance with requirements
- conflicts of interest
- previous professional censures for false information
- previous disqualifications or cancellations of registrations
- professional misconduct.
Entities are encouraged to make third party providers aware of the Commonwealth’s position on fraud and corruption, including their own fraud and corruption control responsibilities when delivering goods or services for or on behalf of the Commonwealth. In some situations, it may be appropriate for entities to extend training or awareness raising programs to provider staff and service recipients to also help them understand their rights and obligations, which can help deter and detect fraudulent, corrupt and other misconduct. Establishing and communicating reporting mechanisms is discussed in Element 6: Detecting fraud and corruption.
Contractors and the staff of contracted service providers (including subcontractors) are also regarded as staff of an entity under the NACC Act. This means that the NACC’s jurisdiction extends to investigating potential serious or systemic corrupt conduct of service providers, and agency heads are under an obligation to refer such conduct to the NACC. More information can be found on the NACC’s website.
Guidance for Element 6 – Detecting fraud and corruption
This chapter relates to subparagraph 10 (f) (i) of the Fraud and Corruption Rule and Element 6 of the Fraud and Corruption Policy.
Detecting fraud and corruption can involve a range of mechanisms including: reporting channels for officials, third-party service providers and members of the public, automated transaction monitoring, account reconciliation, management reviews and audits, and data matching and analytics.
An effective fraud and corruption control system includes appropriate detection mechanisms. Fraud and corruption are crimes of deception and are deliberately concealed by those who perpetrate them. Finding fraud or corruption is a positive outcome as it enables entities to effectively deal with incidents, minimise the consequences through early intervention and address underlying causes and vulnerabilities. Detection also demonstrates and provides an assurance to officials in the entity and the public that entities have the ability to actively respond to fraud and corruption, and that fraud and corruption are taken seriously. This may deter potential perpetrators by increasing the perceived level of risk associated with committing such wrongful acts. For these reasons, detection should always be a key focus of an entity’s fraud and corruption control plan or plans. See Element 2: Fraud and corruption control plans.
Early detection of fraud and corruption is essential to enable early intervention, which can eliminate or reduce the impact. Receiving reports of fraud or corruption is a common means of detection for entities. However, it relies on a potential reporter observing what is most often a ‘hidden crime’. On this basis, the Policy requires NCEs to also establish mechanisms that actively detect instances of fraud and corruption. These can include active monitoring of high-risk activities, internal reviews and audits, intrusion detection systems, conducting reviews focused on risk, data matching and analytics and fraud and corruption loss measurement.
The type and frequency of activities an entity implements to actively detect or measure instances of fraud and corruption are likely to be influenced by risk assessments. To ensure these activities are appropriate, cost-effective and proportionate to the entity’s risks, entities should focus their effort and resources on their highest risk activities, functions and programs. Risk assessments are discussed in more detail in Element 1: Fraud and corruption risk assessments.
The Policy requires NCEs to establish mechanisms for officials, third party service providers and members of the public to confidentially and, where appropriate, anonymously report suspected fraud and corruption. This includes channels for reporting under the Public Interest Disclosure Act 2013 (PID Act). Confidential reporting mechanisms and procedures enable officials and members of the public to report incidents, suspected incidents or concerning behaviours without fear of retribution or negative consequences. This can increase the likelihood of someone making a report. NCEs must also ensure they promote and publicise these mechanisms for reporting. Awareness raising is discussed in more detail in Element 5: Preventing fraud and corruption.
Protections for disclosers and processes under the PID Act
Fraud and corruption incidents regarding public officials are kinds of disclosable conduct that are covered by the Public Interest Disclosure Act 2013 (the PID Act). Public interest disclosures can also trigger referral obligations under the NACC Act for accountable authorities and authorised officers under the PID Act.
If the report constitutes a public interest disclosure, it is important to ensure it is handled in accordance with obligations under the PID Act. This includes allocation, notification, investigation and reporting requirements, as well as positive duties to protect officials from reprisals. The Commonwealth Ombudsman publishes information and guidance about the public interest disclosure scheme, which includes tools and resources to support both individuals and entities.
Similar protections apply to any person who discloses information about corruption to the NACC. More information can be found on the NACC’s website.
Entities should ensure their staff are aware of these requirements and obligations.
Guidance for Element 7 – Investigation and other responses
This chapter relates to subparagraph 10 (f) (ii) of the Fraud and Corruption Rule and Element 7 of the Fraud and Corruption Policy.
Responding to fraud and corruption can involve a range of administrative, civil and criminal interventions, including containment; disruption; investigation; referral to the AFP, NACC, IGIS or other integrity agencies; disciplinary action; recovery; remediation; and, where appropriate, prosecution.
An effective fraud and corruption control system includes appropriate response mechanisms. Effective responses provide assurance to officials within an entity, the accountable authority and the general public that suspected incidents of fraud and corruption are being appropriately managed. A strategic and planned approach to responding to fraud and corruption can also reduce the financial and reputational damage caused by fraud and corruption. For these reasons, response mechanisms should always be a key focus of an entity’s fraud and corruption control plan or plans. See Element 2: Fraud and corruption control plans.
The Policy also requires NCEs to establish response plans. This should outline how the entity will respond to a fraud and corruption incident, including protocols for:
- decision-making in response to incidents, including containment
- communicating clearly and responsively with staff and the public
- engaging effectively with Ministers and stakeholders (including the media)
- providing timely referral or notifications to relevant agencies, e.g. the AFP, the NACC or the Australian Cyber Security Centre.
The Fraud and Corruption Rule requires entities to have appropriate mechanisms for investigating or otherwise responding to fraud or corruption or suspected fraud or corruption. This includes mechanisms for responding to suspected fraud or corruption by third parties who deliver a program, support, good or service for or on behalf of the entity. Managing fraud and corruption in these circumstances is discussed in more detail under Element 5: Preventing fraud and corruption.
With the exception of matters that are accepted for investigation by the AFP or the NACC, an entity is responsible for investigating or responding to suspected instances of fraud and corruption relating to the entity. Where the AFP or NACC declines a referral, entities must resolve the matter through their own investigation and response mechanisms. Entities may outsource these investigations. While the Rule requires entities to conduct investigations, it does not confer specific investigative powers. Coercive powers will only be available when they are conferred on entities through specific legislation, such as legislation that triggers relevant provisions of the Regulatory Powers Act 2014.
The Policy also requires NCEs to establish and document criteria for making decisions at critical stages in the management of a suspected fraud or corruption incident. This includes decisions to:
- investigate or to refer the matter to the AFP or the NACC (in line with obligations under the NACC Act), or
- take no further action.
It also includes subsequent decisions on the actions resulting from an investigation, such as applying civil or administrative penalties, or referral of a brief of evidence to the CDPP.
Criteria for responding to a fraud or corruption incident will ideally reflect an entity’s particular circumstances. It is important that the criteria for determining the response go beyond assessing the immediate financial impact and also include factors such as deterrence, security and integrity implications.
It is important for entities to ensure they have the appropriate authorisations in place to investigate a matter and maintain an appropriate level of managerial oversight (whether the entity conducts its own investigation or outsources it).
Investigations may also put staff or others at risk. It is important that entities have appropriate protocols and training in place to ensure the safety of investigators and the privacy and safety of others involved in the investigation.
The Policy requires NCEs to report all instances of potential serious or complex fraud to the AFP. Entities are encouraged to seek guidance from the AFP about whether a matter is serious or complex and warrants a criminal investigation. Entities may discuss possible reports with the AFP if there is any doubt about whether it is appropriate to report a particular matter. The entity may also need to deal with other allegations and associated issues, such as breaches of the APS Code of Conduct, unless directed to stop action by the AFP.
Where potential serious or complex fraud involves conduct by a staff member of an agency that could involve corruption, entities must comply with their mandatory referral obligations to refer that conduct to the NACC (and/or the IGIS in the case of an intelligence agency).
If the AFP declines to further investigate a report of crime, it will advise the entity of the reasons in writing at the earliest opportunity. Entities must then resolve the matter through their own investigation and/or other appropriate response mechanisms.
If, after the AFP has advised an entity that it will not further investigate a report, additional information becomes available that shows that the matter is more serious or complex than first indicated, the entity may again report the matter to the AFP for evaluation.
If an agency head, as defined in the NACC Act, or an authorised officer under the PID Act becomes aware of a corruption issue within their agency, they must refer the issue to the NACC (or alternatively the IGIS in the case of an intelligence agency) if:
- the corruption issue concerns the conduct of a person who is, or was, a staff member of the agency while that person is, or was, a staff member of the agency, and
- the agency head or authorised officer suspects the issue could involve serious or systemic corrupt conduct.
A corruption issue refers to whether a person:
- has engaged in corrupt conduct in the past
- is currently engaging in corrupt conduct, or
- will engage in corrupt conduct in the future.
The agency head or authorised officer must refer the corruption issue as soon as practicable after they become aware of it. The referral must explain why the agency head or authorised officer suspects the corruption issue could involve conduct that is serious or systemic and provide the NACC with all of the information and documents in their possession or control that relate to the corruption issue.
If the NACC determines the corruption issue could involve serious or systemic corrupt conduct, the NACC may investigate the issue alone or with the relevant entity. Alternatively, the NACC may decide to refer the corruption issue back to the entity to investigate (with or without oversight from the NACC), or to take no further action.
Unless the entity is directed to stop taking action by the NACC Commissioner, the entity must continue to investigate the matter or to deal with other allegations and associated issues, such as breaches of the APS Code of Conduct.
The Policy requires NCEs to refer to the Australian Government Investigations Standard (AGIS) in developing an approach to conducting administrative, civil, or criminal investigations. The AGIS establishes standards for personnel, information and evidence management, investigation practices and quality assurance. CCEs and Commonwealth companies are strongly encouraged to adopt the standard.
The Policy requires NCEs to ensure that officials engaged in investigating fraud and corruption against the Commonwealth meet the required fraud control competency requirements set out in the AGIS. This is to ensure the integrity and efficacy of investigations. CCEs and Commonwealth companies are strongly encouraged to follow these requirements.
If officials entering these roles do not have relevant experience, it is important they receive relevant training as soon as possible. Until an official has attained the relevant qualifications, entities are encouraged to ensure that appropriate supervision is provided.
Alternatively, if it is more appropriate to the entity’s context, entities may outsource investigations to appropriately qualified third parties.
Where an investigation gathers enough evidence to substantiate a criminal charge, an entity must consider referring the matter to the Commonwealth Director of Public Prosecutions (CDPP). The Prosecution Policy of the Commonwealth underpins all of the decisions made by the CDPP and applies to all Commonwealth prosecutions. Prosecutions are important in deterring fraud and corruption: a conviction carries criminal penalties and demonstrates to officials and the public generally the seriousness of fraud and corruption. When referring matters to the CDPP for consideration of prosecution action, entities are encouraged to prepare briefs in accordance with the Guidelines for dealings between Commonwealth investigators and the Commonwealth Director of Public Prosecutions.
If an entity sends a brief of evidence to the CDPP to consider prosecution action, and the CDPP advises that a prosecution will not proceed, an entity remains responsible for resolving the matter appropriately using other available remedies. Entities are encouraged to consider civil, administrative or disciplinary proceedings for which a lower standard of proof is required. Entities can develop an enforcement and disruption strategy to ensure appropriate use of other remedies.
If an investigation identifies potential misconduct involving another entity’s activities or programs, it is important that the investigating entity shares this information with the other entity, subject to any legislative provisions regulating the disclosure or use of information. For example, entities should consult with the Department of Foreign Affairs and Trade about any incidents that may involve a foreign official, or overseas conduct by a foreign citizen or a person who is not a permanent resident of Australia.
Entities should consider options to facilitate the sharing of relevant information with other affected entities. While legislation can sometimes place limitations on sharing of information, there are often exceptions or exemptions which in certain circumstances allow information to be collected and shared relating to fraud or corruption investigations, including through a general authorisation (such as item 2 of section 16A(1) of the Privacy Act 1988) or a specific authorisation (such as section 86E of the Crimes Act 1914).
It is important for entities to take all reasonable measures to recover financial losses through proceeds of crime and civil recovery processes or administrative remedies. Entities are encouraged to have arrangements in place for recovery action. In determining action, it is important that entities consider, in addition to the financial cost of the recovery, the deterrent value and other non-financial benefits, such as public interest and integrity of the government or an entity’s reputation.
Prevention through strengthened controls should be a priority response to detected indicators or incidents of fraud and corruption. Where a fraud or corruption incident is detected, the Policy requires NCEs to consider treatments to address identified vulnerabilities and include these in an entity’s fraud and corruption control plan or plans.
To assist with identifying appropriate treatments, entities should consider a post-incident process that considers:
- detailed analysis of the fraud or corruption incident, including methodology and impacts
- identification of vulnerabilities that were exploited and relevant treatments
- a feedback mechanism to facilitate continuous improvement to counter future incidents of fraud or corruption.
Guidance for Element 8 – Recording and reporting fraud and corruption
This chapter relates to subparagraph 10 (f) (iii) of the Fraud and Corruption Rule and Element 8 of the Fraud and Corruption Policy.
Recording incidents of fraud or corruption or suspected fraud or corruption involves using information management systems to capture data about allegations and instances of fraud and corruption, or attempted fraud and corruption, and the subsequent response and outcomes.
Reporting should provide data about the nature, extent and location of fraud and corruption against the entity. For NCEs, this information should be reported to responsible officials and relevant governance committees within an NCE. NCEs must also report data to the AIC each year. Due to the value of this reporting, CCEs are strongly encouraged to follow these requirements.
Entities must have appropriate mechanisms for recording, reporting, analysing and escalating allegations and instances of fraud and corruption, or suspected fraud and corruption. Recording and reporting on allegations or instances of fraud and corruption, and the outcomes of any subsequent responses, provides responsible officials with the evidence, insights and perspective needed to support effective fraud and corruption risk oversight and management. These are also critical for providing assurance to an accountable authority that all reasonable measures are being taken to manage fraud and corruption. This enables accountable authorities to fulfil additional obligations under the finance law, such as annual reporting requirements under section 17AG of the PGPA Rule.
Reporting also increases transparency and trust that entities are appropriately identifying and dealing with fraud and corruption.
Accurate and complete records ensure the entity has the necessary information and insights to effectively prevent, detect, disrupt and respond to fraud and corruption incidents and risks.
As the fraud and corruption threat environment is constantly changing, entities should prepare regular reports to update responsible governance committees, senior executives and relevant business areas. Reporting on suspected and actual instances of fraud and corruption provides important insights into the changing threat environment faced by the entity. This feedback loop of internal reporting can support an entity to maintain appropriate oversight of mechanisms for preventing, detecting and responding to fraud and corruption, and remain compliant with the Fraud and Corruption Rule and Policy. Governance and oversight are discussed in more detail in Element 4: Governance and oversight.
The Policy encourages entities to collaborate and share information and intelligence to prevent, detect and respond to fraud and corruption. Sharing information and intelligence can help other entities identify previously undetected fraud and corruption, enhance awareness of fraud and corruption risks (including shared and emerging risks), help entities make more informed decisions and improve the efficiency and effectiveness of fraud and corruption control across government. Sharing and using information and intelligence about fraud and corruption, including enabling legislation, is discussed in more detail in Element 1: Fraud and corruption risk assessments and Element 7: Investigation and other responses.
The AIC is required to collect information and publish an annual report on fraud and corruption relating to Commonwealth entities by 31 July each year. As well as ensuring the government and entities are well informed about the risks, this information helps the AIC and AGD develop a better understanding of fraud and corruption experienced by Commonwealth entities. It also facilitates public transparency about the level of fraud and corruption experienced by Commonwealth entities and promotes public trust by demonstrating how entities are managing fraud and corruption.
To facilitate this, the Policy requires NCEs to collect information on fraud and corruption and provide it to the AIC each year. While not mandatory for CCEs or Commonwealth companies, providing this information to the AIC is strongly encouraged and will contribute to providing a more informed picture of fraud and corruption across the Commonwealth.
Entities must ensure that they have the appropriate recording and reporting mechanisms in place to capture the information required by the AIC. The information required relates to allegations or detections of suspected fraud or corruption, investigations commenced and finalised, targets and methods of fraudulent or corrupt conduct, investigative outcomes, and estimated fraud and corruption losses and recoveries.
Section 19 of the PGPA Act requires an accountable authority to keep their Minister informed about the activities of an entity and significant issues that may affect an entity. Subject to any non-disclosure obligations, this may include information about:
- fraud or corruption initiatives undertaken or planned by the entity, including an evaluation of their effectiveness
- significant fraud or corruption risks facing the entity, especially new or emerging risks
- significant fraud or corruption incidents and responses, and
- referrals of matters to other entities, including the AFP, NACC or CDPP where appropriate, for further action.
Significant fraud or corruption matters may also need to be reported to the Minister for Finance when they involve significant non-compliance with finance law. Further guidance on reporting significant non-compliance can be found in Resource Management Guide 214, Notification of significant non-compliance with the finance law (section 19 of the PGPA Act).