FOI/2024/387 - Document 2
Table of Contents
Secretary’s statement
Policy Statement
Definitions
Governance
Awareness and culture
Fraud and corruption risks
Control strategies
Reporting
Monitoring and review
Further Information
Secretary’s statement
The Department of the Prime Minister and Cabinet (PM&C) provides high-quality
advice and support to the Prime Minister, the Cabinet, and portfolio Ministers. PM&C
is a key adviser to the Australian Government on domestic policy, national security and
international matters, and leads a number of large-scale taskforce projects. The
Department has a varied and broad role including a grants program that could expose
the Commonwealth to fraud and corruption risk.
Fraud and corruption are threats that affect every Commonwealth entity in all areas of
business. Fraud against the Commonwealth is a criminal offence that impacts all
Australians. It reduces funds available for delivering public goods and services and
undermines public confidence in government.
PM&C’s Fraud and Corruption Control Plan (the Plan) documents the Department’s approach to controlling fraud and
corruption. The Plan outlines at a high level how PM&C prevents, detects and responds to fraud and corruption and ensures
compliance with the requirements of section 10 of the Public Governance, Performance and Accountability Rule 2014 (Cth)
(PGPA Rule) and Commonwealth Fraud Control Framework 2017. The Plan is aligned and integrated with the PM&C Risk
Management Policy and Framework (RMPF) which supports the identification and management of fraud and corruption risks
at the strategic and operational levels.
All PM&C employees (SES and non-SES), individuals engaged as contractors via labour-hire firms (i.e. not PM&C employees),
secondees into PM&C and third parties engaged by the Department, play a crucial role in reducing the Department’s
exposure to fraud and corruption. The Plan is intended as guidance to support staff in the prevention, detection and
response to fraud and corruption.
Mr Philip Gaetjens
Secretary
Department of the Prime Minister and Cabinet
Policy Statement
PM&C has zero tolerance for dishonest, fraudulent or corrupt behaviour. This means PM&C will take all steps necessary to
prevent, detect and respond to fraud and corruption relating to the Department and will:
• Promote awareness of fraud, corruption and ethics to employees.
• Assess and, where appropriate, investigate all allegations of fraud and corruption.
• Seek to recover losses caused by illegal activity through proceeds of crime and civil recovery processes.
• Criminally prosecute where appropriate.
• Apply appropriate civil, administrative or disciplinary penalties, including termination of employment.
Definitions
Fraud
Fraud is defined in the Commonwealth Fraud Control Framework, as “dishonestly obtaining a benefit or causing a loss by
deception or other means”.
Fraud can be committed by staff (internal fraud) or by persons external to the Department (external fraud). It may also be
committed jointly between an employee and outside party. Offences of fraud against the Commonwealth may be prosecuted
under a number of different Commonwealth laws.
Examples of the type of conduct by employees, contractors or third party providers that would fall within the Department’s
definition of fraud include (but are not limited to):
• theft or misuse of Commonwealth information, intellectual property or confidential information (including funding
proposals, procurement information, personal records)
• misuse of Commonwealth program funding and grants
• misuse of Commonwealth resources, including unlawful use of, or unlawful obtaining of, property, equipment,
material or services
• abuse of official position in order to obtain a benefit for oneself or another
• misuse of entitlements (e.g. expenses, leave, travel allowances or attendance records, including abuse of time off in
lieu)
• misuse of facilities (e.g. unauthorised use of PM&C venues, information technology, mobile devices, and
telecommunication systems)
• accounting fraud (e.g. unauthorised use of credit cards, false invoices, misappropriation)
• causing a loss, or avoiding and/or creating a liability
• providing false or misleading information and/or documents to the Commonwealth, or failing to provide information
(when an obligation exists)
• making, or using forged or falsified documents; and
• release or use of misleading information for the purposes of deceiving, misleading or to hide wrongdoing.
Corruption
Corruption is a form of misconduct closely related to fraud, and is defined in the Australian Standard 8001-2008 – Fraud and
Corruption Control, as “Dishonest activity in which a director, executive, manager, employee or contractor of an entity acts
contrary to the interest of the entity and abuses their position of trust in order to achieve some personal gain or advantage for
themselves for another person or entity”.
Examples of corrupt conduct may include (but are not limited to):
• abuse of office - for example a PM&C employee, contractor and/or third party provider requesting, soliciting,
receiving or accepting bribes (including non-monetary bribes), in order to secure a contract or influence decisions
• engaging in serious conflicts of interest in circumstances that the employee knows to be improper or against a policy
or regulation
• nepotism - for example favouritism towards friends or family members in recruitment; and
• collusion - for example failing to follow procurement processes to give preferential treatment to a third party
provider, contractor or consultant to achieve an outcome or financial gain
Non-compliance
Non-compliance is a broad term for any failure to comply with legal requirements. These requirements may be in the form of
legislation, regulation, funding agreements, administrative rules, licensing conditions, etc. One example of this is the
requirement for all APS employees to act in accordance with the APS Code of Conduct, which is set out in section 13 of the
Public Service Act 1999 (PS Act).
This includes where parties try to comply but make mistakes (accidental non-compliance), or where parties exploit
ambiguities or opportunities that are non-compliant (opportunistic non-compliance).
Unethical Behaviour
The APS Values and Code of Conduct describe a work ethic expected of the public service that includes honesty, diligence,
avoidance of conflict of interest, and proper use of information. Breaches of this code of conduct may involve unethical
behaviour, and PM&C’s professional standards team has formal procedures for examining any potential breach.
Governance
Key responsibilities
All PM&C employees should understand what constitutes fraud and what to do if they suspect fraudulent activity. All PM&C
employees are expected to comply with legislative requirements and internal policies, behave in accordance with the APS
Values and Code of Conduct, and identify and report fraud and corruption risks. SES employees also have an additional
responsibility to demonstrate strong leadership by fostering and supporting a culture of integrity, awareness and reporting.
Fraud awareness and prevention training is included as part of the induction package for all new employees, with annual
refresher training available for existing staff.
Certain positions and committees have additional responsibilities, including:
• The Secretary: is the accountable authority responsible, under the Public Governance, Performance and
Accountability Act 2013 (PGPA), for governing the organisation in a way that promotes the proper use of public
resources. This includes taking all reasonable measures to prevent, detect and respond to fraud and corruption
relating to PM&C employees, services or third parties who interact with the Department. The Secretary may
delegate some authority to other accountable officers and committees.
• The Chief Operating Officer (COO): has the corporate responsibility for overseeing the implementation of fraud
prevention and control for PM&C, in line with section 10 of the PGPA Rule.
• The Chief Risk Officer (CRO): the COO as the CRO champions and facilitates objectivity in risk identification and
management and drives best practice and innovation to improve the risk culture.
• The Chief Financial Officer (CFO): has accountability for setting PM&C’s financial framework and ensuring that risks
associated with the Department’s appropriations and expenditure are addressed.
• The Chief People Officer (CPO): facilitates training to assist employees comply with their risk management and
fraud awareness obligations, and assists with HR-related fraud and corruption investigations.
• The Chief Information Officer (CIO) / Chief Security Officer: facilitates the protection of PM&C information security
and access control.
• The Fraud Control Officer (FCO): Assistant Secretary Governance and Strategy Branch as the FCO has operational
responsibility for the delivery and implementation of a fit for purpose fraud and corruption control plan including
maintaining reporting procedures and driving awareness.
• The Audit and Risk Committee (ARC): oversights PM&C’s systems of risk management, including fraud and
corruption risk, and provides independent advice to the Secretary on the appropriateness of these.
• The Executive Board: considers current and emerging risks, which may include fraud and corruption, in the context
of the Department’s strategic objectives.
• The Fraud Control Team: is responsible for designing, implementing and evaluating fraud strategies and
countermeasures.
• Division Heads: are responsible for ensuring their teams understand and comply with relevant legislation,
regulations, procedures and policies.
Reporting
Regular reporting is an important part of effective governance and provides assurance over the appropriateness of PM&C’s
control arrangements to prevent, detect and respond to fraud and corruption.
PM&C conducts the following internal and external reporting:
• Quarterly reporting to the Executive Board within the context of the Department’s current and emerging strategic
risks.
• Quarterly to the Audit and Risk Committee who provides oversight and advice to the Accountable Authority in
accordance with section 45 of the PGPA Act.
• Annually to the Australian Institute of Criminology (AIC). All non-corporate Commonwealth entities are required to
collect information on fraud and complete an annual fraud questionnaire to the AIC in accordance with the
Commonwealth Fraud Control Policy.
• Annually to the Commonwealth Ombudsman in relation to public interest disclosures.
• Annually, in accordance with section 17AG PGPA Rule, PM&C must certify in the Annual Report that the Department
has prepared fraud risk assessments and a Fraud and Corruption Control Plan, and has in place appropriate fraud
prevention, detection, investigation, reporting and data collection processes.
Awareness and culture
All new PM&C officials, including contractors, consultants and secondees must complete a fraud awareness training as part
of the employee induction program and annually thereafter. PM&C also maintains regular communications targeted at
promoting fraud awareness and an aware and ethical organisational culture that supports reporting.
Fraud and corruption risks
Risk identification
The Department’s Risk Management Framework guides the management of fraud and corruption related risk. PM&C
regularly conducts risk assessments at the Department, Division and project level to ensure that appropriate systems of
control are maintained. This includes the consideration and assessment of fraud and corruption risks. Targeted fraud and
corruption risk assessments are also conducted as required. Fraud risk assessments are reviewed on an annual basis or more
frequently as triggered by changes to the Department’s functions.
A summary of the key fraud and corruption risks for the Department is listed below. A comprehensive Fraud Control Risk
Assessment is reviewed and updated annually.
Internal and external risks
The Department assesses internal and external factors when identifying exposure to fraud risk. PM&C’s fraud risk
assessments evaluate fraud at the operational level focusing on areas such as:
• Administrative fraud: Occurs when PM&C staff use resources for purposes other than for which they
were provided. This can involve stealing property for personal use, manipulating
salaries, fraudulent overtime claims or failing to record leave taken.
• Information Management: Risks relating to staff inappropriately using IT system access to dishonestly create,
delete and modify PM&C data and records; and theft or unauthorised copying of
intangible assets.
• Credit Cards: Risks relating to staff using Credit Cards dishonestly to receive cash or purchase
personal goods and services.
• Procurement and Contracting: Risks relating to liability issues, contractual obligations, probity, legislative and
regulatory obligations, conflict of interest, and service level agreements. Also any
time staff or external parties deceitfully obtain benefits to which they are not
entitled, such as where purchase orders are fraudulently raised for goods and services.
This also includes failing to appropriately declare potential conflicts of interest.
• Recruitment: Risks relating to an applicant making a false claim or providing false
documentation or submitting false referee reports. Other risks may include
conflict of interest or favouritism in the recruitment process by a delegate.
• Grants: Risks relating to inappropriate provision, administration, use and acquittal of
Program funding.
• Internal controls: Risks associated with lack of an adequate internal control framework including
delegations, accountability and segregation of duties.
Conflicts of interest
A conflict of interest is a circumstance which places an employee in a position where their personal interests could conflict
with their public duties. Apparent (or perceived) conflicts of interest are as important to manage and mitigate as actual
conflicts. The APS Code of Conduct requires APS employees to disclose and take reasonable steps to avoid any conflict of
interest in connection with APS employment. Conflicts of interest, real or apparent, cannot always be avoided. Where this is
the case, the Code of Conduct requires employees to disclose details of any material personal interest of the employee in
connection with their employment. PM&C’s Conflict of Interest policy provides a framework for reporting and managing
potential conflicts of interests. Undisclosed real or apparent conflicts of interest may constitute a breach of the APS Code of
Conduct.
Insider threat
Trusted insiders can intentionally or unknowingly assist external parties in conducting activities against the organisation or
can commit malicious acts for self-interest. They are employees or contractors who are either self-motivated or may be
targeted by external parties (e.g. organised crime) to take advantage of legitimate access to information, methodologies,
technology assets and premises. This conduct can enable fraudulent behaviour. Section 13(10) of the PS Act provides that an
APS employee must not improperly use inside information or the employee's duties, status, power or authority to gain, or
seek to gain, a benefit or an advantage for the employee or any other person; or to cause, or seek to cause, detriment to the
employee's agency, the Commonwealth or any other person. Our control measures include pre-employment screening,
requirements to declare conflicts of interest (real and apparent), security clearances, and segregation of duties, system
controls and the sharing of intelligence information.
Control strategies
PM&C’s approach to fraud control is consistent with Commonwealth legislative requirements and uses three main strategies
to combat fraud and corruption: prevention, detection and response.
Prevention
Fraud prevention strategies include proactive measures designed to reduce the risk of fraud and corruption occurring by
increasing fraud prevention awareness, encouraging reporting of suspected incidents and ensuring the right mitigation controls
are in place. To be effective, fraud prevention requires a number of interdependent control strategies including an effective
fraud risk management approach, a robust ethical organisational culture that does not tolerate fraud, a strong awareness
of fraud among staff and suppliers, and an effective internal control framework.
Key components of PM&C’s fraud and corruption prevention strategy are:
• Compliance with relevant policies and procedures including:
  o Development and implementation of the Fraud Control Plan.
  o Promotion and adherence to APS Code of Conduct.
  o Conflict of interest and probity requirements for all relevant personnel.
• Risk management including:
  o Maintaining a current Departmental Fraud Risk Assessment.
  o A robust system of controls including:
    ▪ recruitment and vetting processes to ensure the eligibility and suitability of personnel who have access
      to Australian Government resources
    ▪ contract and service level provisions with service providers that administer grants on behalf of the
      Department to ensure that fraud risk is managed appropriately throughout the process
    ▪ ICT security and physical security
    ▪ procurement and contract management processes; and
    ▪ sound financial processes, appropriate segregation of duties and financial system controls.
• Communications and training:
  o Staff are required to undertake mandatory fraud awareness induction training. Staff assigned with key
    responsibilities under the Fraud and Corruption Control Plan (e.g. the Fraud Control Officer) are required to
    undertake additional Fraud Awareness and prevention training.
  o An annual communication plan to promote awareness of fraud prevention measures via internal channels and
    encourage reporting of instances of suspected fraudulent or corrupt behaviour.
• Testing:
  o Regular testing of fraud prevention and detection policies, procedures and controls to ensure they remain
    robust and fit for purpose including internal audit, management initiated reviews, health checks and pressure
    checks.
  o External audit review of internal controls as part of the annual financial statements auditing process.
Detection
PM&C supplements the preventative strategies with fraud and corruption detection measures with the objective of early
discovery and limiting exposure if an event does occur.
The Department has implemented a number of detection strategies including:
• Fraud reporting mechanisms that allow for both internal and external reports in a confidential manner. This includes the
promotion of the Department’s fraud reporting online form and the Public Information Disclosure reporting procedure.
Staff are also required to report conflicts of interest and any gifts and benefits they receive.
• Assurance processes including the Department’s Internal Audit program, management assurance surveys, external audit
and management initiated reviews to test the effectiveness of controls, policies and procedures. Claims processes for
Commonwealth-funded programs administered by PM&C will seek to detect fraudulent claims.
• Monitoring changes in circumstance: PM&C staff are required to disclose changes in circumstances and external
interests to Australian Government Security Vetting Agency (AGSVA).
• Monthly checks to ensure segregation of duties, and internal financial system controls are operating as they should and
no issues have arisen.
• Credit card compliance through monthly checks as well as in-built system controls to flag inappropriate or personal
transactions within a day or two of the transaction.
Response
Any alleged fraudulent or corrupt behaviour that is reported to or detected by PM&C will be handled appropriately.
PM&C’s fraud and corruption response strategy includes:
• review and assessment of all reports and allegations to determine an appropriate response
• undertaking investigations in accordance with Australian Government Investigations Standards
• application of agreed standards for compliance and consequences for detected fraud, in programs administered by
PM&C
• referral to the Australian Federal Police (AFP) or other law enforcement agency as appropriate
• pursuing disciplinary, administrative, civil or criminal actions as appropriate
• pursuing the recovery of fraudulently or criminally obtained benefits where appropriate.
Investigations
An investigation may be pursued when appropriate, as a response to the detection of potential fraud. The FCO is responsible
for conducting investigations of suspected internal and external fraud¹ in accordance with the Commonwealth Fraud Control
Framework and the Australian Government Investigation Standards (AGIS). During an investigation, the FCO may collaborate
with other government departments (both state and federal), and with regulatory and enforcement agencies.
¹ Through an outsourced third party if necessary.
Where the initial investigation discloses a complex situation beyond the Department’s investigative capability, external
expertise will be sought to carry out the investigation. All investigators used by the department are required to attain
minimum competency qualifications prescribed in the Framework. The decision to obtain such external expertise will be at
the discretion of the FCO. The Department has a panel of investigation providers that can be utilised as appropriate.
If required, the FCO will refer any allegations of suspected breaches of the APS Code of Conduct to People Branch.
Serious and complex fraud cases may be referred to the AFP. The AFP evaluates all referred fraud matters in accordance with
the Case Categorisation and Prioritisation Model (CCPM). PM&C will seek guidance from the AFP about both the CCPM and
possible referrals (where there is any doubt). More information about reporting a crime to the AFP is available through the
AFP website.
Reporting
PM&C takes all allegations seriously, and encourages reports of suspected fraud from internal and external parties. All staff
are expected to assist in identifying and reporting instances or events of suspected fraud. Reports can be made directly to the
Department, or submitted as a Public Interest Disclosure.
Reporting process
Suspected fraud related to PM&C employees, contractors and consultants contracted by the Department can be reported in
one of the following ways:
Online: Anonymous fraud reporting form on the PM&C website
Mail to: Fraud Control Officer - PO Box 6500 Canberra ACT 2600
When making a report of suspected fraud, you are encouraged to include the following information:
• Information about the PM&C employee, contractor and/or contractor or relevant area that you suspect is involved
in fraud. Include as much detail as you can.
• Details of the alleged fraud including how, when and where it occurred.
• Your contact details (this is optional).
Public Interest Disclosure (PID)
Suspected wrongdoing, such as fraud or corruption, can also be reported to the Department as a Public Interest Disclosure.
The Public Interest Disclosure Act 2013 (PID Act) seeks to promote integrity and accountability of the Commonwealth public
sector by encouraging the disclosure of information about suspected wrongdoing, ensuring public officials who make a
disclosure are protected from adverse consequences, and ensuring that disclosures are properly investigated.
PIDs can be made orally or in writing:
• by an employee to their supervisor
• to an Authorised Officer; and
• to xxxxxxxxxxxxxxxxxxxxxxxx@xxx.xxx.xx.
For further information, please refer to PM&C’s Public Interest Disclosure Procedures.
Management of reports
The FCO maintains appropriate systems to securely store, record, report and analyse allegations of fraud to ensure
appropriate response and satisfactory resolution. All reported allegations are recorded and documented in accordance with
Commonwealth requirements.
Privacy
The Department ensures the confidentiality of the information received from any party wishing to report a suspected case of
fraud. All reports are managed in accordance with PM&C’s Privacy Policy and the Privacy Act 1988 (Cth). Any personal (and
other) information provided to the Department when reporting suspected fraud is collected and used only for the purpose of
investigating, and responding to, reported fraud allegations.
Where the report may be more appropriately considered by another agency or organisation, in Australia or overseas, we may
disclose this information (including your personal information) to that agency or organisation. This includes but is not limited
to a Federal, state/territory agency, Department or authority, and Federal or state/territory Minister as relevant.
The Department’s Privacy Policy provides more information about how we protect your personal information, and who to
contact if you have a privacy enquiry or complaint.
Monitoring and review
The Fraud and Corruption Control Plan is a strategic document which is reviewed and updated every two years. The Fraud
Control Risk Assessment is reviewed and updated annually, or more frequently in response to operational requirements.
The effectiveness of the controls described in this Plan is monitored through the Department’s assurance programs including
internal audit and reporting to senior executive (including the Executive Board) and advisory committees (including the
PM&C Audit and Risk Committee).
Further Information
Commonwealth Fraud Control Framework 2017
The Fraud Rule
Australian Government Investigations Standards
APS Values and Code of Conduct
Legislation
Public Governance, Performance and Accountability Act 2013 (PGPA Act)
Public Interest Disclosure Act 2013
Proceeds of Crime Act 2002
Public Service Act 1999
Criminal Code Act 1995 (Commonwealth)