Commonwealth Fraud Control Framework 2014

Table of contents

Introduction

Agency status

Fraud rule

Fraud policy

Fraud guidance

Introduction

Fraud is a threat that affects every Commonwealth entity in all areas of business, including benefits, taxation, procurement, grants and internal procedures. Estimates of what fraud costs Australians vary, but even conservative estimates put the cost at over $1 billion a year.

Fraud against the Commonwealth is a criminal offence that impacts directly on Australians. It reduces the funds available for delivering public goods and services and undermines public confidence in the Government. It also creates risks for public health and safety through faulty construction, untested pharmaceuticals, unnecessary medical procedures and dumping of toxic waste.

Fraud threats are becoming increasingly complex. Not only are entities at risk of fraud from external parties and internal officials, but increased provision of online services and exposure to overseas markets have created new threats from overseas criminals. Further, organised criminals are actively seeking to infiltrate Commonwealth entities to access government information and are committing fraud to fund other illegal activities.

In order to manage these risks, the Government has developed the Commonwealth Fraud Framework (Framework) under the Public Governance, Performance and Accountability Act 2013 (PGPA Act). The Framework consists of three tiered documents:

  • section 10 of the Public Governance, Performance and Accountability Rule 2014 – a legislative instrument binding all Commonwealth entities setting out the key requirements of fraud control
  • the Commonwealth Fraud Control Policy – a Government Policy binding non-corporate Commonwealth entities setting out procedural requirements for specific areas of fraud control such as investigations and reporting, and
  • Resource Management Guide No. 201, Preventing, detecting and dealing with fraud – a best practice document setting out the Government’s expectations in detail for fraud control arrangements within all Commonwealth entities.

The Framework was developed in line with the cultural change in Commonwealth resource management under the PGPA Act, which reflects a move from a compliance approach to a principles-based framework. The Framework maintains the core elements of fraud control: rigorous risk assessments, fraud control plans, and appropriate prevention, detection and investigation measures. However, while all entities face fraud risks, each entity faces different fraud risks. What may be an effective fraud control in one entity may be unnecessary or insufficient in another. The Framework allows Commonwealth entities to manage their fraud risks in a way which best suits the individual circumstances of the entity.

The Government takes fraud extremely seriously and is determined to ensure entities take all measures to control fraud and properly manage public resources in a way that maximises benefits for the Australian people.

Agency status

The Commonwealth Fraud Framework consists of three tiered documents, each with a different binding effect as set out in the table below.

Non-corporate Commonwealth entities must comply with the fraud rule and fraud policy. While they are not bound by the fraud guidance, the Government considers it as best practice and expects that agencies will follow the fraud guidance where appropriate in meeting the requirements of the fraud rule and policy.

Corporate Commonwealth entities must comply with the fraud rule. While they are not bound by the fraud policy or fraud guidance, the Government considers both documents as best practice for corporate Commonwealth entities and expects that these entities will follow the fraud guidance and fraud policy where appropriate in meeting the requirements of the fraud rule.

| Entity type | Fraud Rule | Fraud Policy | Fraud Guidance |
| --- | --- | --- | --- |
| Non-corporate | Binding | Binding | Best practice |
| Corporate | Binding | Best practice | Best practice |

Fraud rule

Section 10 of the Public Governance, Performance and Accountability Rule 2014

This rule binds all Commonwealth entities.

Part 2-2—Accountable authorities and officials

Division 1—Requirements applying to accountable authorities

10 Preventing, detecting and dealing with fraud

Guide to this section

The purpose of this section is to ensure that there is a minimum standard for accountable authorities of Commonwealth entities for managing the risk and incidents of fraud. It is made for paragraphs 102(a), (b) and (d) of the Act.

The accountable authority of a Commonwealth entity must take all reasonable measures to prevent, detect and deal with fraud relating to the entity, including by:

(a) conducting fraud risk assessments regularly and when there is a substantial change in the structure, functions or activities of the entity; and

(b) developing and implementing a fraud control plan that deals with identified risks as soon as practicable after conducting a risk assessment; and

(c) having an appropriate mechanism for preventing fraud, including by ensuring that:

(i) officials in the entity are made aware of what constitutes fraud; and

(ii) the risk of fraud is taken into account in planning and conducting the activities of the entity; and

(d) having an appropriate mechanism for detecting incidents of fraud or suspected fraud, including a process for officials of the entity and other persons to report suspected fraud confidentially; and

(e) having an appropriate mechanism for investigating or otherwise dealing with incidents of fraud or suspected fraud; and

(f) having an appropriate mechanism for recording and reporting incidents of fraud or suspected fraud.

Fraud policy

Commonwealth Fraud Control Policy

This policy binds all non-corporate Commonwealth entities and is considered best practice for corporate Commonwealth entities.

Purpose

  1. The Commonwealth Fraud Control Policy (the Policy) has been developed to support the accountable authorities of non-corporate Commonwealth entities (entities) to effectively discharge their responsibilities under the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and section 10 of the Public Governance, Performance and Accountability Rule 2014 (the fraud rule). Under section 21 of the PGPA Act, the accountable authority of a non-corporate Commonwealth entity must govern the entity in a way that is not inconsistent with the policies of the Australian Government.
  2. The Policy sets out the key procedural requirements which the Government views as necessary for accountable authorities to establish and maintain an appropriate system of fraud control for their entity. Consistent with the fraud rule, the objectives of the requirements are to:
  • protect public resources, including money, information and property, and
  • protect the integrity and good reputation of entities and the Commonwealth.

Scope

  1. Consistent with the Commonwealth Risk Management Policy, corporate Commonwealth entities are not required to comply with this Policy, but should review and align their fraud control frameworks and systems with this Policy as a matter of good practice.
  2. Non-corporate Commonwealth entities must comply with this Policy by virtue of section 21 of the PGPA Act.
  3. Non-corporate Commonwealth entities must ensure that their fraud control arrangements are developed in the context of the entity’s overarching risk management framework as described in the Commonwealth Risk Management Policy.
  4. This Policy commences immediately after the commencement of section 10 of the PGPA Act rule or 1 July 2014, whichever is the later.

Introduction

  1. The fraud rule sets out the key principles of fraud control with which all accountable authorities must comply, but allows entities flexibility to develop measures which are adapted to the risks of that entity’s own arrangements.
  2. The procedural requirements in this Policy supplement the fraud rule and aim to ensure key elements of fraud control are maintained by entities. The procedures relate to fraud control activities in particularly sensitive areas, where there is a high risk of significant impact to the entity if they are not appropriately maintained. The procedures are also intended to ensure the necessary level of accountability.
  3. As with the fraud rule, additional information on implementing the requirements in this Policy is set out in guidance issued by the Minister for Justice – Resource Management Guide No. 201, Preventing, detecting and dealing with fraud (fraud guidance).

Commonwealth fraud control procedures

  1. For the purposes of the Policy, the fraud rule and fraud guidance, fraud is defined as ‘dishonestly obtaining a benefit or causing a loss by deception or other means’. This definition is based on the fraudulent conduct offences under part 7.3 of the Criminal Code Act 1995, in addition to other relevant offences under chapter 7 of the Criminal Code.
  2. In addition to the requirements set out in the fraud rule, the accountable authority must ensure that the entity meets the following procedural requirements:

Prevention and training

  1. Entities must document their instructions and supporting procedures that assist officials to deal with fraud.
  2. All officials and contractors must take into account the need to prevent and detect fraud as part of their normal responsibilities.
  3. Entities must ensure that officials who are primarily engaged in investigating fraud as a minimum meet the required fraud control competency requirements set out in the Australian Government Investigations Standards (AGIS) within 12 months of being engaged in investigating fraud.
  4. Entities must ensure officials primarily engaged in fraud control activities possess or attain relevant qualifications or training to effectively carry out their duties within 12 months of being engaged in fraud control activities. Relevant qualifications include a Certificate IV in Government (Fraud Control) or equivalent for officials primarily engaged in fraud risk assessment, and a Diploma of Government (Fraud Control) or equivalent for officials primarily engaged in the coordination and management of fraud control activities.

Outsourcing

  5. Outsourcing does not remove the responsibility of the accountable authority to manage fraud risk. However, when an entity provides third-party services for another entity, the entity delivering the service retains responsibility for meeting the first entity’s obligations under this Policy and the fraud rule.

Investigations

  6. Entities must take into consideration the requirements of the AGIS when developing systems and processes for the detection and investigation of fraud.
  7. Entities must maintain appropriately documented procedures setting out criteria for making decisions at critical stages in the management of a suspected fraud incident. The procedures must be consistent with the Policy and in accordance with any relevant requirements under the AGIS.
  8. Entities must appropriately document decisions to use civil, administrative or disciplinary procedures or to take no further action in relation to a suspected fraud incident.
  9. An entity is responsible for investigating instances of fraud or suspected fraud against it, including investigating disciplinary matters, unless the matter is referred to and accepted by the Australian Federal Police (AFP) or another law enforcement agency.
  10. Where a law enforcement agency declines a referral, entities must resolve the matter in accordance with internal and external requirements such as the AGIS and relevant entity specific criteria.
  11. The AFP has the primary law enforcement responsibility for investigating serious or complex fraud against the Commonwealth. Entities must refer all instances of potential serious or complex fraud offences to the AFP in accordance with the AGIS and AFP referral process, except in the following circumstances:

a) entities that have the capacity and the appropriate skills and resources needed to investigate potential criminal matters and meet the requirements of the Commonwealth Director of Public Prosecutions (CDPP) in preparing briefs of evidence and the AGIS for gathering evidence, or

b) where legislation sets out specific alternative arrangements.

  12. Investigations must be carried out by appropriately qualified personnel as set out in paragraph 3. If external investigators are engaged, they must as a minimum have the required investigations competency requirements set out in the AGIS.
  13. Entities must have in place investigation processes and procedures that are consistent with the AGIS. Entities must also comply with the Prosecution Policy of the Commonwealth.
  14. Entities must take all reasonable measures to recover financial losses caused by illegal activity through proceeds of crime and civil recovery processes or administrative remedies.
  15. Where an investigation discloses potential criminal activity involving another entity’s activities or programs, the investigating entity must report the matter to that entity in accordance with the Privacy Act 1988 and the Australian Privacy Principles.

Reporting

  16. Entities must have procedures in place to manage information gathered about fraud against the entity.

Australian Institute of Criminology report on fraud against the Commonwealth

  17. All entities must collect information on fraud and provide it to the Australian Institute of Criminology (AIC), by 30 September each year to facilitate production of an AIC annual report on fraud against the Commonwealth and fraud control arrangements. The AIC must provide this annual report to the Attorney-General’s Department (AGD) within six months of receiving the information collected under paragraphs 17, 18 and 19.
  18. In addition to providing data under paragraph 17 to the AIC, the AFP is to provide annual information to the AIC on all fraud incidents against the Commonwealth referred to, accepted or declined by, the AFP during the previous financial year. The precise data items will be agreed between the AFP and the AIC.
  19. In addition to providing data under paragraph 17 to the AIC, the CDPP is to provide annual information to the AIC on all fraud incidents handled by the CDPP during the previous financial year. The precise data items will be agreed between the CDPP and the AIC.

Attorney-General’s Department report on compliance

  20. The AIC must provide the relevant information it collects under paragraphs 17, 18 and 19 within six months of receiving it to the AGD to facilitate production of an AGD annual report on whole-of-government compliance with the requirements of the fraud rule and this Policy.

Reporting to Ministers or Presiding Officers

  21. Accountable authorities must provide a report annually to their Minister or Presiding Officers, which includes:
  • fraud initiatives undertaken by the entity in the reporting period, including an evaluation of their impact on fraud prevention, detection and response
  • planned fraud initiatives yet to be implemented
  • information regarding significant fraud risks for the entity, and
  • significant fraud incidents which occurred during the reporting period.

Glossary of terms

Accountable authority – The person or group of persons who has responsibility for, and control over, a Commonwealth entity’s operations as set out under section 12 of the PGPA Act.

Commonwealth entity – A department of state, a parliamentary department, a listed entity or a body corporate established by a law of the Commonwealth.

Commonwealth official (official) – An individual who is in, or forms part of, the entity as set out under section 13 of the PGPA Act.

Corporate Commonwealth entity – A Commonwealth entity that is a body corporate and legally separate from the Commonwealth.

Non-corporate Commonwealth entity – A Commonwealth entity that is not a body corporate and legally part of the Commonwealth.

Serious and complex fraud – Fraud which due to its size or nature is too complex for most entities to investigate (further information on serious and complex fraud can be found in the fraud guidance).

Fraud guidance

Resource Management Guide No. 201 - Preventing, detecting and dealing with fraud

This guidance supports the fraud rule and fraud policy and is considered best practice for all Commonwealth entities.

Contents

Resource Management Guide No. 201

Audience

Key Points

Abbreviations and Acronyms

Glossary

Part 1 – Introduction

Part 2 – The Legislative Framework

Part 3 – Objectives and Scope

Part 4 – Definition of Fraud

Part 5 – Role of Accountable Authorities

Part 6 – Risk Assessment

Part 7 – Fraud Control Plans

Part 8 – Fraud Prevention, Awareness and Training

Part 9 – Outsourcing Arrangements

Part 10 – Detection, Investigation and Response

Part 11 – Quality Assurance and Reviews

Part 12 – Reporting

Resource Management Guide No. 201 – Preventing, detecting and dealing with fraud

Audience

This guide is intended for accountable authorities and Commonwealth officials.

Key points

This guide:

  • is issued by the Minister for Justice to assist accountable authorities to meet their obligations under the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and section 10 of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) and the Commonwealth Fraud Control Policy.
  • provides best practice guidance for fraud control arrangements within entities
  • commences on 1 July 2014, when the PGPA Act and PGPA Rule take effect, and
  • is available on the Attorney-General’s Department website at <

Abbreviations and acronyms

ACCC – Australian Competition and Consumer Commission

ACLEI – Australian Commission for Law Enforcement Integrity

AFP – Australian Federal Police

AGD – Attorney-General’s Department

AGIS – Australian Government Investigations Standards

AIC – Australian Institute of Criminology

ANAO – Australian National Audit Office

APSC – Australian Public Service Commission

ASIC – Australian Securities and Investments Commission

CCPM – Case Categorisation and Prioritisation Model

CDPP – Commonwealth Director of Public Prosecutions

Corporate entity – Corporate Commonwealth entity

Non-corporate entity – Non-corporate Commonwealth entity

Official – Commonwealth Official

PGPA Act – Public Governance, Performance and Accountability Act 2013

PGPA Rule – Public Governance, Performance and Accountability Rule 2014

Glossary

accountable authority: the person or group of persons who has responsibility for, and control over, a Commonwealth entity’s operations as set out under section 12 of the PGPA Act.

Commonwealth official: an individual who is in, or forms part of, the entity as set out under section 13 of the PGPA Act.

Commonwealth entity: a department of state, a parliamentary department, a listed entity or a body corporate established by a law of the Commonwealth.