FRAUD CONTROL PLAN
May 2024
CONTENTS
1. EXECUTIVE SUMMARY
1.1 INTRODUCTION
1.2 OVERALL ASSESSMENT OF FRAUD ENVIRONMENT
2. OVERVIEW
2.1 ROLE OF THE OFFICE
2.2 STRUCTURE OF THE OFFICE
2.3 DEFINITION OF FRAUD FOR THE OFFICE
2.4 ORGANISATION CULTURE
3. FRAUD CONTROL PRINCIPLES
3.1 RESPONSIBILITIES FOR FRAUD CONTROL
3.2 FUNCTIONAL RESPONSIBILITIES, STRATEGIES AND ACTIONS
3.3 PROSECUTION POLICY
3.4 PUBLIC INTEREST DISCLOSURE (WHISTLE-BLOWER) POLICY & PROCEDURES
3.5 CONFIDENTIALITY
4. FRAUD INVESTIGATION
4.1 HOW TO REPORT A SUSPECTED FRAUD
4.2 WHAT HAPPENS TO A REPORT ONCE IT IS MADE?
4.3 OUTCOME OF INVESTIGATION
4.4 WHAT ARE MY RIGHTS?
4.5 DISTINCTION BETWEEN CODE OF CONDUCT AND MANAGEMENT ISSUE
4.6 THRESHOLD REPORTING REQUIREMENTS
4.7 ANNUAL REPORTING OBLIGATIONS
4.8 INVESTIGATION PROCESS – FLOWCHART
5. FRAUD RISK ASSESSMENT
5.1 FRAUD RISK ASSESSMENT METHODOLOGY
5.2 RISK ASSESSMENT
5.3 STRATEGIES TO ADDRESS FRAUD RISKS
ATTACHMENT A – DEFINITION OF FRAUD
ATTACHMENT B – RISK REGISTER
1. EXECUTIVE SUMMARY
1.1 Introduction
Accountable Authorities are required under section 10 of the Public Governance,
Performance and Accountability Rule 2014 (PGPA) and the Commonwealth Fraud Control
Framework to assess the risk of fraud, develop and implement fraud control strategies
and review the effectiveness of these strategies for their agency.
Specifically, section 10 of the PGPA Rule states that “The accountable authority of a
Commonwealth entity must take all reasonable measures to prevent, detect and deal with
fraud relating to the entity including by… developing and implementing a fraud control
plan that deals with identified risks as soon as practicable after conducting a risk
assessment”. This Fraud Control Plan has been designed to meet a number of aims,
including:
to comply with statutory obligations
to provide user friendly policy and guidance on fraud prevention, detection and
investigation, and
to contribute to the governance structures within the Office, in particular maintaining
the Office’s ongoing commitment to continually improve control structures and
governance.
This document analyses the exposure of the Office to fraud and the resultant fraud risk
after considering existing controls. It should be read in the context of the Corporate Plan,
Annual Report, Risk Management Framework and the Commonwealth Fraud Control
Framework issued by the Attorney General’s Department to assist accountable authorities
in meeting their obligations under the PGPA Act and PGPA Rule.
1.2 Overall assessment of fraud environment
A detailed assessment of all fraud risks in the context of the operating environment of
the Office found that there is low fraud risk exposure. This assessment identified 8
separate fraud risks. It was considered that these risks were being adequately treated
by existing controls.
Despite an overall low fraud risk, in analysing the fraud environment the following trends
and factors should be considered in fraud management going forward:
1. Ongoing work pressures in a fast-paced, complex operating environment with
constrained resources;
2. The management and maintenance of the properties and administration of the
honours system with administered funds;
3. A reduced capacity for or priority on delegate review and separation of duties
controls; and
4. Increase in confidential information being stored digitally and the associated
security of cloud-based solutions.
Given the potential for these factors to increase the inherent risk of fraud occurring, it
would be prudent to continue the Office’s emphasis on fraud awareness and control,
ensuring staff and managers are aware of the changing risk environment.
Management remain responsible for ensuring controls are in place and are operating
effectively to control the identified risks.
All staff of the Office are required to be aware of and understand the Fraud Control Plan
and contribute to its effective implementation, thereby actively assisting to prevent,
detect and deal with fraud in the Office.
2. OVERVIEW
2.1 Role of the Office
The Office facilitates the performance of the Governor-General’s role through the
organisation and management of official duties (which are constitutional, statutory,
ceremonial and community in nature), the management and maintenance of the official
properties (Government House in Canberra and Admiralty House in Sydney), and
administration of the Australian honours and awards system.
2.2 Structure of the Office
The Office has six branches: Strategic Engagement, Property and Projects, Honours and
Awards, Finance, Communications and Creativity, and People and Culture which all report
through the Deputy Official Secretary to the Official Secretary in their capacity as
Accountable Authority.
The Strategic Engagement branch provides direct support to the Governor-General by
planning, organising and managing a forward program of national and international
engagements; advising on contextual matters, and other issues. Representational
activities at Government House and Admiralty House fall within the responsibilities of this
branch, and other responsibilities include handling visits by guests to Government House
and Admiralty House, and the day-to-day running of both households.
The Property and Projects branch manages and co-ordinates projects across all aspects of
the Office’s work with the main programs dedicated to the Property Works Program (capital
projects related to the official properties) and the Digital Transformation Program. The
branch also manages the upkeep of both properties (buildings and grounds) and physical
security.
The Honours and Awards branch receives and researches nominations and
recommendations for honours and awards for Australians who provide distinguished
service to the community and the nation. The branch supports two Councils and one
Committee which make recommendations to the Governor-General on honours matters.
It also undertakes Office reception and anniversary correspondence roles.
The Finance branch, headed by a Chief Financial Officer (CFO), is responsible for ensuring
the Office’s compliance with finance legislation, financial and management accounting and
budgeting, and also provides advice on procurement, tax, and governance related matters.
The Communications and Creativity branch manages external communications with the
public, including speeches, messages, photography, and social media. The branch
produces information about the work of the Office, including engaging with community
groups and the public about the Honours and Awards systems.
The People and Culture branch provides human resources services for the Office, including
ensuring the Office is compliant with Work Health and Safety regulations.
2.3 Definition of fraud for the Office
The Office recognises that a proactive fraud control plan is an integral part of its
Governance Framework. The Office has adopted the definition of fraud as contained in
the Commonwealth Fraud Control Framework. This definition is based on the dishonesty
offences under chapter 7 of the Criminal Code.
Fraud is:
“Dishonestly obtaining a benefit, or causing a loss by deception or other
means.”
Fraud is not restricted to obtaining monetary or material benefit. The benefits of
fraudulent acts can either be tangible or intangible. They may include such things as
unauthorised monetary gain, unauthorised release of information, provision of false or
incomplete information as well as other benefits or advantages, including use of property
for inappropriate use, avoidance of disciplinary action and personal favours. The source
of fraud may be internal (staff) or external (persons outside the organisation).
Fraud against the Commonwealth is an offence under various provisions of the Crimes Act
1914. It can also constitute an offence, or be an ingredient of an offence, under other
legislation administered by the Office (e.g. a loss of superannuation entitlements under
the Crimes (Superannuation Benefits) Act 1989).
Internal fraud also constitutes a breach of the Office’s Code of Conduct, which can result
in reprimand, demotion or dismissal.
Attachment A expands on the definition of fraud for the Office.
2.4 Organisation culture
The opportunity for fraud within an organisation is influenced by the culture and context
in which a business operates. The Office has a sound financial control framework within
which it operates and has tested policies and procedures. This environment reduces the
opportunity for fraud to occur and remain undetected.
As an organisation the Office has high standards of professionalism, integrity and ethical
behaviour. These are promoted, instilled and fostered in all staff including through the
example set by senior management and through regular Fraud and Ethics Awareness
training which is mandatory for all staff. This Plan will contribute to this strong control
environment.
3. FRAUD CONTROL PRINCIPLES
3.1 Responsibilities for Fraud Control
3.1.1 The Official Secretary to the Governor-General
The Official Secretary is responsible for the corporate governance of the Office and has
overall responsibility for fraud control and for ensuring compliance with the
Commonwealth Fraud Control Framework.
3.1.2 The Deputy Official Secretary
The Deputy Official Secretary (DOS) with the Chief Financial Officer (CFO) is responsible
for investigating instances of fraud. It may be appropriate that some instances are referred
to the Australian Federal Police for further investigation. Any investigation reports will be
considered by DOS and may be forwarded to the relevant agency for action as appropriate.
3.1.3 The Chief Financial Officer
The Chief Financial Officer is responsible for coordinating fraud control strategies to
prevent and detect fraud in the Office. Furthermore, any staff member who becomes aware
of or suspects fraudulent activity within the Office has the responsibility of reporting it
through the appropriate channels (often their manager or supervisor) to the CFO. Should
the CFO be suspected, the report should go to the DOS.
3.1.4 Management and Team Leaders
Managers are responsible for assisting with fraud prevention by exhibiting to staff a
genuine and strong commitment to fraud control, and maintaining good policies and
practices.
Management (at all levels) must adopt a firm approach to dealing with fraudulent activity
and penalising unacceptable behaviour. This is to deter and discourage attempts to commit
fraud. It is management and team leaders’ responsibility to ensure that it is widely
understood that the potential sanction outweighs any perceived benefit from fraudulent
activity.
3.1.5 All Staff
All staff must uphold the Office’s Code of Conduct and preserve the integrity and good
reputation of the Office. All staff are to ensure that Office procedures and policies are
followed to minimise the possibility of fraud, report any suspected instances and assist in
the identification and notification of fraud risks.
3.1.6 Management Committee
The Office’s Management Committee is responsible for overseeing the process of
developing and implementing the Fraud Control Plan, providing assurance to the Audit
Committee that the entity has appropriate processes and systems in place to prevent,
detect and effectively respond to fraud; and providing regular reports to the Audit
Committee on investigation activity (if applicable).
3.1.7 Audit Committee
The objective of the Committee is to provide independent advice to the Official
Secretary, in the context of and with due consideration of the Office’s primary objectives
and risk culture, on the appropriateness of the Office’s:
(a) financial reporting
(b) performance reporting
(c) system of risk oversight and management, and
(d) system of internal control.
3.2 Functional Responsibilities, Strategies and Actions
The key strategies and actions for each fraud control function within the Office are as
follows:
Areas and Strategies / Action / Responsibility
Awareness:
1. Maintenance of on-going fraud awareness program
   Action: Provide appropriate fraud awareness training for all staff. Include practical
   fraud awareness information within this plan.
   Responsibility: CFO / Director People and Culture
2. Communication to all staff of their responsibilities with regard to preventing,
   detection and reporting.
   Action: Ensure fraud awareness information including this Fraud Control Plan is
   available on the intranet.
   Responsibility: CFO
3. Foster an environment which promotes the highest standards of ethical behaviour
   Action: Advise staff on the procedures for resolving ethical dilemmas through the
   Office’s Code of Conduct.
   Responsibility: Director People and Culture
Prevention & Detection:
4. Implementation of a fraud risk assessment program
   Action: Formal update every two years, or earlier when significant changes in
   operations or occurrence of fraud takes place.
   Responsibility: CFO, provided to the Audit Committee
5. Implement strategies to reduce fraud risk
   Action: As required.
   Responsibility: CFO
6. Test the operating effectiveness of controls
   Action: As required.
   Responsibility: CFO
Monitoring:
7. Maintenance of the Office’s management reporting regimes to assist in identification
   Action: Ensure fraud risk management is considered when management systems and
   reports are reviewed and updated – particularly in relation to availability of
   exception reporting and incorporation of audit findings related to fraud into the
   Fraud Control Plan.
   Responsibility: CFO with monitoring by Audit Committee
Investigation:
8. Conduct of investigations
   Action: The Office will refer instances of suspected fraud to the Australian Federal
   Police or a third party accredited organisation for investigation, where appropriate.
   Investigations will be conducted in accordance with the requirements of the
   Commonwealth Fraud Control Framework.
   Responsibility: CFO / DOS
Prosecution:
9. A zero tolerance approach
   Action: Investigators will prepare a report that makes recommendations to the Deputy
   Official Secretary on whether to refer a matter to the Director of Public
   Prosecutions (DPP), who makes the final determination on legal action.
   Responsibility: DOS
Resolution:
10. Review of Systems and Procedures (post fraud incident)
   Action: If a fraud is detected the control system involved will be independently
   reviewed to identify improvements. Formal reporting to the Audit Committee.
   Responsibility: CFO / DOS
11. Recovery of money/property lost through fraud
   Action: If deemed cost effective the Office will actively pursue the recovery of lost
   money or property.
   Responsibility: CFO / DOS
3.3 Prosecution Policy
Where relevant the Office will refer to the Prosecution Policy of the Commonwealth.
Decisions to initiate action for the prosecution of any person who commits fraudulent acts
or misuses information will be made on the basis of all available information and the
reasonable prospect of a conviction being secured. Staff may also face sanctions for
breach of the Code of Conduct as set out in the Office’s Enterprise Agreement. All due
processes will be followed where such action is contemplated.
3.4 Public Interest Disclosure (Whistle-blower) policy & procedures
The Office undertakes to protect all persons who report fraud. Staff who report evidence
or suspicions of fraud can be confident that their identity and information will be treated
in the strictest confidence, and that such action will in no way be permitted to adversely
affect their position or prospects within the organisation. To this end the Office undertakes
that no member of staff or contractor who reports a suspected fraud in good faith shall
suffer harassment, retaliation or adverse employment consequence. An employee who
retaliates against someone who has reported a violation in good faith will be subject to
discipline up to and including termination of employment.
The Public Interest Disclosure Policy & Procedure is intended to encourage and enable
employees and others to raise serious concerns within the Office prior to seeking resolution
outside the Office.
Anyone filing a complaint concerning a violation of the Code of Conduct or suspected
fraudulent activity must be acting in good faith and have reasonable grounds for believing
the information disclosed indicates misconduct or fraud. Any allegations that prove not to
be substantiated and which prove to have been made maliciously or knowingly to be false
will be viewed as a serious disciplinary offence and will not be protected by the Public
Interest Disclosure Policy & Procedures.
3.5 Confidentiality
All investigations regarding suspected fraudulent actions will remain confidential in
accordance with the Privacy Act 1988. Persons making allegations should also take care
to avoid unfounded and incorrect accusations, and should therefore discuss the
allegations only with those who need to know. Overt discussion of an allegation(s) may
unnecessarily and prematurely alert the individual(s) against whom allegations have been
made, who may in turn destroy evidence of fraud, and by making statements the Office
could be exposed to legal liabilities for damages arising from a wrongful accusation.
4. FRAUD INVESTIGATION
4.1 How to report a suspected fraud
A staff member who suspects that a fraudulent activity is occurring should:
1. Note observations:
Do not jump to conclusions
Observe the suspected conduct and make notes of anything seen or heard
Note their own actions
Securely store any documents as possible evidence
Do not write on, mark or alter the documents which are believed to be associated
with the suspected fraudulent activity in any way.
2. Report concerns:
Seek appropriate advice from a Manager, Director or CFO/DOS;
Report concerns to CFO/DOS. If possible, reports of fraud should be made in writing,
and should identify:
- the nature of the fraud
- the amount involved or scope of fraud
- the names of person/s perpetrating the fraud
- how the fraud was discovered
- details of any evidence obtained in respect to the fraud
- the name of the person reporting the fraud.
Confidentiality and protection of persons reporting fraud is paramount. Anonymous reports
of fraud are not encouraged, as matters reported in this manner may be difficult to
pursue; for example, where further information or clarification is required during the
course of an investigation, anonymity may hamper investigators.
However, well substantiated anonymous reports will receive due and proper consideration.
3. Inform only those who need to know:
To prevent possible destruction of evidence by those involved in the fraud who are
“tipped off”; and
As protection against any pressure from those at the centre of the allegations.
4. Maintain confidentiality:
To protect the rights of a person suspected of fraudulent activity who may in fact
be innocent.
4.2 What happens to a report once it is made?
Initial investigation into reported fraud will be made by CFO/DOS who will determine
whether there is any basis for further action.
All incidents of fraud by definition constitute a breach of the Office’s Code of Conduct [1].
All investigations will therefore follow the procedural guidelines for investigation of a
breach of Code of Conduct (Human Resources Policy and Operational Guidelines – Policy
Number 10).
The DOS may appoint an Authorised Officer within the organisation to undertake enquiries
or may acquire the services of external experts. If during the course of the investigation
it is determined that criminal sanctions may be appropriate the matter may be referred to
the Australian Federal Police.
4.3 Outcome of investigation
Staff aggrieved by the conduct of any investigations may raise their concerns in an
appropriate manner with management, or if necessary through an appropriate,
independent body such as the Commonwealth Ombudsman, or the Auditor-General.
4.4 Rights of the accused
Anyone suspected of committing fraud is considered to be innocent until proven guilty. If
you are to be interviewed by a Fraud Investigator or feel you are suspected of committing
improper behaviour or an offence, you have the right to:
expect that your affairs will not be disclosed to and discussed by people not concerned
with the matter
expect any interviews or investigations will adhere to the principles of natural justice
expect that interviews or investigations are not seen as imputing guilt
say nothing and not participate in an interview
not answer a question if you feel the answer may implicate you in the fraud
seek whatever advice you think is necessary, before the interview
have a solicitor, representative or other person present, whilst being interviewed
have an interpreter present if necessary
request access to documents relating to the investigation.
[1] Misconduct includes any act that may cause a conflict of interest and any illegal action as determined by Australian Law.
Fraud is a crime according to Sections 134-137 of the Commonwealth Criminal Code.
4.5 Distinction between Code of Conduct and Management Issue for Fraud-Related Matters
It may at times be difficult to make a clear distinction between a management issue and
a serious breach of the Code of Conduct as the difference may sometimes appear minimal.
In some instances, what is reported as suspected fraud, may be appropriately dealt with
through normal management processes. Managers should seek immediate advice to
ensure that accusations of fraud are treated seriously from the outset. Further an incident
which may appear, at the outset, to be only a minor issue, could turn into a major matter
and require a full investigation by either the Australian Federal Police or the Director of
Public Prosecutions.
In general terms, the two major categories of incidents can be described as follows:
Breach of the Code of Conduct: an incident that may result in criminal proceedings,
termination of employment, reduction in classification, a reduction in or deductions from
salary by way of a fine.
Management issue: an incident that may result in a reprimand, closer supervision and
monitoring of performance, revision of the current Performance Agreement and/or
counselling.
When a Supervisor or Manager is confronted with an issue and is not certain whether or
not the situation should be dealt with only by management or may require further
investigation, they should seek advice from the DOS or CFO.
4.6 Threshold reporting requirements
Subject to the conditions mentioned above, instances of fraud should be reported to the
AFP where:
the monetary value of the fraud case exceeds $500
any non-financial benefit or advantage gained results in a significant loss to the Office, or
the DOS determines that the fraud undermines confidence in a program, system or
government.
Fraudulent activity falling below the reporting threshold will be reported where there is
reasonable cause to believe that the activity:
is part of a conspiracy or involves collusion
is part of a pattern of activity or is linked with previous patterns of activity (either of
an individual or an organisation)
is linked to multiple offences
involves bribery or other forms of corruption
involves the use of a corporate credit card or
involves disclosure of sensitive or classified information.
The Office will pursue all means open to it to recover losses caused by illegal activity,
irrespective of whether a prosecution is undertaken, including the use of proceeds of crime
legislation and civil recovery action - where cost effective - or administrative remedies.
The requirement for the Office to report information on fraud does not detract from the
Official Secretary’s authority to determine the appropriate remedy to be applied, i.e.
prosecution, administrative action, civil remedy, recovery action, use of internal
disciplinary procedures, or whether further action will be taken in the matter.
4.7 Annual reporting obligations
At the end of each financial year the Official Secretary will certify that he is satisfied that
the agency has prepared a fraud risk assessment and fraud control plan, and has in place
appropriate fraud prevention, detection, investigation, reporting and data collection
procedures and processes that meet the specific needs of the Office and comply with the
Commonwealth Fraud Control Framework.
4.8 Investigation Process – Flowchart
The flowchart sets out the following sequence:
1. Initial Assessment (usually by recipient of complaint – e.g. Manager/Director/CFO/DOS):
   Is there cause for concern?
   - NO: Document complaint, assessment undertaken & reason for decision not to pursue.
   - YES: If not already reported, report to CFO/DOS. CFO/DOS either undertakes further
     investigation via Preliminary Assessment – OR recommends formal Inquiry by an
     Authorised Officer.
2. Preliminary Assessment (normally by CFO): Is there cause for concern?
   - NO: Document assessment & reason for decision not to pursue.
   - YES: Document assessment – recommend Inquiry by Authorised Officer.
3. Inquiry by Authorised Officer – Officer has discretion to determine the exact procedure
   for the investigation. Authorised Officer produces report & recommended action.
4. CFO* reviews actions recommended by Authorised Officer and either:
   - recommends action (eg: sanction under Code of Conduct or no further action) to DOS; OR
   - recommends DOS appoints external investigator; OR
   - recommends DOS refers matter to Australian Federal Police.
* Should the CFO be the subject of the investigation, DOS will undertake the review of actions
recommended by the Authorised Officer and make a recommendation to the Official Secretary
on an appropriate course of action. If either the DOS, or both the DOS and CFO are
suspected, the matter should then be brought to the Official Secretary’s attention through
appropriate channels for further action.
5. FRAUD RISK ASSESSMENT
5.1 Fraud risk assessment methodology
The fraud risk assessment was undertaken in accordance with the Commonwealth Fraud
Control Framework and followed the Leading Practice Guide developed by the
Commonwealth Fraud Prevention Centre. The process included the review and updating
of the previous fraud risk assessment and this Fraud Control Plan.
The fraud risk associated with each function / activity has been assessed by key members
of staff from the Office. The assessment of the fraud environment is that overall there is
a low fraud risk exposure for the Office. This conclusion is reached by considering all
the risks in context, and the fact that the majority of the risks identified are being
adequately mitigated by existing controls.
5.2 Risk assessment
As part of its commitment to minimising the incidence of fraud, and thereby loss to the
Commonwealth, management assesses the Office’s fraud environment. Based on the
latest assessment in December 2023 management consider the overall fraud risk exposure
for the Office remains low. This conclusion was reached after undertaking a detailed
assessment of all the fraud risks in the context of the operating environment of the Office.
The criteria applied to assess risks are outlined in the Office’s Risk Management
Framework.
This assessment identified 8 separate fraud risks which were considered as being
adequately treated by existing controls. Three risks are assessed as having a residual risk
rating of medium and five risks have a rating of low. The risks are detailed at Attachment
B.
Management remains responsible for ensuring controls are in place and are operating
effectively to control the identified risks.
5.3 Strategies to address fraud risks
The CFO is responsible for monitoring and reporting on fraud control strategies for the
Office which could include:
Periodic review of the fraud risk register and consideration of control effectiveness
Provision of regular fraud awareness, risk and security training to all staff
Periodic assessment of the effectiveness of fraud awareness programs in place
Review of related fraud risks at the completion of each internal audit assignment
Officials engaged in the management of fraud control receive appropriate training.
The audit committee receives reports from the CFO which it uses in considering its
advice to the Official Secretary.
ATTACHMENT A – DEFINITION OF FRAUD
Fraud is:
“Dishonestly obtaining a benefit, or causing a loss by deception or other
means.”
This definition includes:
theft
obtaining property, a financial advantage or any other benefit by deception
causing a loss, or avoiding or creating a liability by deception
providing false or misleading information to the Commonwealth, or failing to provide
information where there is an obligation to do so
making, using or possessing forged or falsified documents
bribery, corruption or abuse of office
unlawful use of Commonwealth computers, vehicles, telephones and other property
or services
relevant bankruptcy offences, and
any offences of a like nature to those listed above.
Examples of fraud include:
hacking into, or interfering with a Commonwealth computer system
charging the Commonwealth for goods or services that are incomplete or not
delivered
using a false identity to obtain income support payments
using Commonwealth systems to gain access to other systems without authority
hiding or disposing of assets by bankrupts to avoid paying creditors, and
making false statements under the Commonwealth Electoral Act 1918.
Common methods of fraud and misconduct include:
accepting or offering bribes
collusive bidding
selling waste and scraps for personal gain
using facsimile signatures
running private business with official assets
substituting old goods for new
leaving transactions unrecorded
recording transactions (expenditure/receipts/ deposits) for incorrect amounts
theft of official purchasing authorities such as order books
stealing or borrowing (without authority) supplies/equipment
damaging or destroying documentation
illegally using copies of records or receipts
forged endorsements
altering amounts or details on documents
over-claiming expenses
using imaging and desktop publishing technology to produce apparent original
documents
writing off recoverable assets or debts
unauthorised transactions
selling information
issuing cheques to false persons and companies, and
entering false persons on the payroll.
ATTACHMENT B – RISK REGISTER
Fraud Risk 1
Fraud risk description: Misuse of confidential or highly sensitive information by staff or contractors for personal gain.
Fraud risk factors:
Sensitive information released to unauthorised third party by staff member with access.
Increase in use of digital storage and cloud computing increases the likelihood of unauthorised access to confidential information via IT systems.
Poor culture of protection of password privacy and integrity.
Remote working during pandemic changing the way data is accessed and stored.
Inherent likelihood: Possible
Inherent consequence: Moderate
Inherent risk: Medium
Key controls identified:
Ethical culture among staff reinforced with regular fraud awareness training.
All staff must read and sign Code of Conduct and workplace behaviours agreements on commencement.
Staff security cleared to appropriate level for tasks they are performing.
Locked secure containers for sensitive documents.
Requirements for username and password for access to network and workstations.
Password syntax control and Multi-Factor Authentication.
Clear desk policy including spot checks.
Part of Fedlink network, which includes automatic classification of emails.
Process to identify security breaches.
Separate IT threat risk assessment prepared and continuous improvements to IT controls being addressed, including for cloud based solutions.
Residual likelihood: Rare
Residual consequence: Moderate
Residual risk: Low
Fraud risk owner:
DOS – confidential information regarding the Governor-General and personnel
MIT is responsible for ensuring IT controls are adequate
Director Honours – confidential information regarding the issuing of Honours
Action required:
DPC / CFO – Delivery of Fraud Awareness Training (ongoing)
MIT – Assessing IT threat risk (ongoing)
Maintain existing controls.
Fraud Risk 2
Fraud risk description: Perceived or actual misuse of position in procurement by conflicts of interest, inappropriate dealings and/or undue influence on decisions and actions.
Fraud risk factors:
Issuing contracts / choosing suppliers and undertaking purchasing for personal benefit.
Volume and value of procurements associated with projects and system changes.
Inherent likelihood: Possible
Inherent consequence: Moderate
Inherent risk: High
Key controls identified:
Ethical culture among employees and Code of Conduct.
Procurements are undertaken in line with Commonwealth Procurement Rules and Accountable Authority Instructions on Procurement.
Reviews and spot checks by internal audit and finance team over compliance.
Compliance survey process.
Sub-Committee and Management Committee oversight over capital projects and other areas of significant expenditure.
Conflict of interest outlined in Code of Conduct, behavioural agreements, tendering documents and probity requirements. Register maintained by Director of People and Culture.
Residual likelihood: Rare
Residual consequence: Moderate
Residual risk: Low
Fraud risk owner: CFO
Action required:
Deliver internal audit program including compliance audits.
Report on adherence to processes including implementation of system based non-compliance reporting.
Compliance checks conducted by Finance Team.
Systematise Compliance Survey process to support reporting of results to the Management and Audit Committees (quarterly).
Maintain existing controls.
Fraud Risk 3
Fraud risk description: Perceived or actual misuse of position in the issuing of honours and awards through conflicts of interest, inappropriate dealings and/or undue influence on decisions and actions.
Fraud risk factors:
Falsifying research and adding inappropriate nominees to be considered for awards.
Inherent likelihood: Possible
Inherent consequence: Major
Inherent risk rating: High
Key controls identified:
Ethical culture among employees reinforced with regular fraud awareness training.
Code of conduct and performance agreements in place. All staff must read and sign Code of conduct and Office values on engagement.
Strong ethic amongst Honours staff toward the protection and integrity of awards.
Council makes final recommendations – separate to the Office.
Strong physical control on information about honours candidates including clear desk policy.
Residual likelihood: Unlikely
Residual consequence: Major
Residual risk rating: Medium
Fraud risk owner: Director of Honours
Action required:
Ensure internal audit ‘health checks’ report on adherence to processes (biennial or as per internal audit program).
Maintain existing controls.
Fraud Risk 4
Fraud risk description: Misuse of Public Monies and Credit cards by misappropriation or theft
Fraud risk factors:
Unauthorised use of credit cards.
Fraudulent Petty Cash claims.
Unauthorised purchases made via accounts payable.
Inherent likelihood: Possible
Inherent consequence: Moderate
Inherent risk rating: Medium
Key controls identified:
Cash & Credit Cards
Daily and Monthly credit card limits.
Categories of purchases limited to business merchants.
Delegate approval required for credit card statements.
Finance team conduct a monthly reconciliation of the use of credit cards.
Minor Petty Cash holdings controlled through monthly reconciliation process.
Accounts Payable (purchasing)
Separation of duties between purchasing on accounts and approval of payment of account including creation of vendors.
System controls in Purchasing Workflow.
Separation of duties in drawdown from OPA process and bank payment process.
All areas subject to external ANAO audit and internal audit spot checks.
Residual likelihood: Rare
Residual consequence: Minor
Residual risk rating: Low
Fraud risk owner: CFO
Action required:
Annual refresher training and ensure internal audit ‘health checks’ report on adherence to processes.
Maintain existing controls.
Fraud Risk 5
Fraud risk description: Misuse of physical assets by misappropriation or theft
Fraud risk factors:
Misappropriation of inventory.
Misuse/theft of physical assets (including excessive personal use of resources).
Inherent likelihood: Possible
Inherent consequence: Moderate
Inherent risk rating: Medium
Key controls identified:
Inventory
Inventory receipting, movements and usage recording processes in place.
Monthly inventory stocktakes (liquor) and bi-annual stocktakes (medals).
Medals stock held in lockable storage with limited access.
Assets
Barcoded and recorded on Asset Register (including portable and attractive), included in rolling asset stocktake program.
IT loan register used to assign IT assets.
Logbook for vehicle to monitor usage.
All areas subject to external ANAO audit and internal audit spot checks.
Residual likelihood: Rare
Residual consequence: Moderate
Residual risk rating: Low
Fraud risk owner: CFO
Action required:
Annual refresher training and ensure internal audit ‘health checks’ report on adherence to processes (as per internal audit program).
Maintain existing controls.
Fraud Risk 6
Fraud risk description: Fraudulent claims for payroll / entitlements
Fraud risk factors:
Failing to submit leave forms, overstating entitlement benefits.
Falsifying overtime / flex records.
‘Ghost’ employees created for personal gain.
Terminations not processed allowing payments to continue.
Inherent likelihood: Unlikely
Inherent consequence: Moderate
Inherent risk rating: Medium
Key controls identified:
Managers are required to review and monitor timesheets.
Leave applications are lodged electronically through the HRMIS and require supervisors’ approval.
Salary variation report created and reviewed each pay period – reconciled with budget and costing files.
Termination process must be instigated before entitlements are paid; this includes removal of records from payroll system. Exit procedures checklist followed.
Payroll function outsourced – changes must be documented by delegated staff member and are documented (segregation of duties).
Internal audit spot check reviews.
Residual likelihood: Rare
Residual consequence: Moderate
Residual risk rating: Low
Fraud risk owner:
Director People and Culture
CFO
Action required:
Risk is adequately managed with routine procedures.
Ensure internal audit ‘health checks’ report on adherence to processes (biennial or as per Internal Audit program).
Maintain existing controls.
Fraud Risk 7
Fraud risk description: Personal travel claimed as business travel
Fraud risk factors:
Personal travel booked through travel providers.
Cab charge may be used for personal trips.
Staff claim travel allowances for which they are not entitled.
Inherent likelihood: Possible
Inherent consequence: Moderate
Inherent risk rating: Medium
Key controls identified:
Delegate approval required to generate a movement requisition.
Travel booking procedures and booking policy.
Travel allowance is treated as a reimbursement rather than being paid in advance.
Cab charge vouchers are maintained securely and reconciled monthly.
Residual likelihood: Rare
Residual consequence: Minor
Residual risk rating: Low
Fraud risk owner: CFO
Action required:
Risk is effectively managed by current routine procedures.
Periodic internal audit ‘health checks’ report on adherence to processes (as per Internal Audit program).
Maintain existing controls.
Fraud Risk 8
Fraud risk description: Misappropriation of Official Gifts
Fraud risk factors:
Gifts may be received and not recorded on the register.
Gifts may be stolen / removed from current location.
Gifts relocated to outside the Office may be misappropriated.
Inherent likelihood: Possible
Inherent consequence: Moderate
Inherent risk rating: Medium
Key controls identified:
Gifts received are recorded and added to the asset register.
Gifts are stored with limited access.
Official Gifts Policy and the relevant Accountable Authority Instructions.
Residual likelihood: Rare
Residual consequence: Moderate
Residual risk rating: Low
Fraud risk owner: Manager Household
Action required:
Risk is effectively managed by current routine procedures.
Maintain existing controls.