15 March 2018

Public Sector Fraud

The 'Fraud against the Commonwealth: Report to Government 2014-15' by Penny Jorna and Russell G Smith comments on
the level of fraud risk affecting Commonwealth entities and the government’s approach to preventing and responding to acts of dishonesty perpetrated within and against the Commonwealth. For the three years 2012-13 to 2014-15, 417,480 incidents of suspected fraud were detected worth over $1.208b with more than one third of Commonwealth entities experiencing fraud. During the three years, 3,699 defendants were prosecuted for fraud by the Office of the Commonwealth Director of Public Prosecutions. In 2014-15, almost one third of sentences imposed involved actual imprisonment.
The report deserves to be read in detail, noting that not all fraud involves welfare recipients and that there aren't detailed findings about the cost of enforcement (of interest given past claims by Canberra than large-scale fraud justifies the erosion of privacy and incidents such as the #CentrelinkFail). The report states
Key findings 
During the three years examined, 2012–13 to 2014–15, more than one-third of Commonwealth entities reported experiencing fraud. The proportion of entities experiencing fraud increased from 40 percent of responding entities in 2012–13 to 42 percent of entities in the 2014–15 financial year. As with previous reports, the majority of incidents were alleged to have involved people external to the entities.
Over the three years, 417,480 incidents of suspected or proved fraud were reported by Commonwealth entities.
During the same period, entities reported monetary losses totalling approximately $1.208b, comprising $207m in 2012–13, $673m in 2013–14 and decreasing to $329m in 2014–15. Entities recovered $50.4m during the reference period, although this may have included monies recovered from fraud losses sustained in earlier years.
Experience of fraud
Between 2012–13 and 2014–15, the percentage of entities experiencing internal fraud increased, (from 28% to 31%). The percentage of entities experiencing external fraud also increased, but to a lesser extent, from 30 percent to 32 percent. Each year, entities with more than 1,000 staff experienced more fraud than smaller entities with 500 or fewer staff.
Extent of fraud 
In each year, the number of internal fraud incidents reported declined, with a 12 percent total reduction from 1,685 incidents of internal fraud in 2012–13 to 1,485 incidents in 2014–15. This decline was generalised across all entities that experienced internal fraud, rather than a few entities experiencing reductions in large numbers.
As with earlier reports, substantially larger numbers of external fraud incidents were reported than internal fraud incidents. In 2014–15 there were 154,221 incidents of suspected external fraud detected, compared with 1,485 incidents of suspected internal fraud. There were some ffluctuations in the numbers of external fraud incidents detected over the three years. In 2012–13 there were 133,969 incidents detected, and in 2013–14 the number of incidents reported reduced to 123,876; however, in 2014–15 the number of reported external fraud incidents increased substantially, to 154,221, representing a 24 percent increase between 2013–14 and 2014–15.
In addition to questions asked about suspected incidents of internal or external fraud, respondents answered questions about their experience of fraud involving collusion between staff and individuals outside the public sector. The number of incidents involving collusion fluctuated over the three years, ranging from 17 in 2012–13, down to four in 2013–14 and increasing substantially in 2014–15 to 107. The percentage of entities experiencing collusion over the three-year period remained steady at 2–3 percent.
The number of incidents of fraud that could not be classified (as either internal, external or collusion) also varied over the three-year period, from one incident in 2012–13, to 428 in 2013–14 and decreasing to 30 in 2014–15.
In addition to incidents of fraud experienced, the census also asked about the number of individuals suspected of committing fraud. Over the three-year period the number of suspects identified was lower than the number of incidents reported. In 2014–15 there was a reduction of 26 percent in the number of suspects identified for internal fraud incidents and a 91 percent reduction in the number of suspects identified with external fraud incidents. The reasons for this decline may include entities not always being able to identify suspected individuals, particularly when investigations have just commenced, or changes in fraud reporting processes within some large entities that resulted in fraud allegations being handled differently. 
How fraud was committed
Respondents were asked to indicate two main aspects of how the fraud incidents they detected had been committed: their focus (that is, the target of the alleged fraudulent activity, or the benefit to be derived from the illegal conduct) and the method of carrying out the alleged fraud (such as misuse of technology, information, identity etc). 
Internal fraud 
The largest number of entities reported suspected internal fraud incidents involving financial benefits, such as obtaining cash without permission, or misuse of government credit cards, with around 20 percent of entities reporting this type of internal fraud each year. Although more entities experienced an incident of fraud targeting financial benefits, in terms of the numbers of incidents experienced, the most prevalent type involved misuse of information. 
Over the three years there was a steady increase in the number of incidents categorised as misuse of information, from 721 incidents in 2012–13 to 811 incidents in 2014–15. In relation to the methods by which internal fraud incidents had allegedly been committed, the method affecting the highest percentage of entities was misuse of documents and/or information. However, between 2013–14 and 2014–15 there was a slight increase in the number of entities experiencing fraud committed through the misuse of information and communications technologies (ICT) and corruption (increasing from 11% of entities in 2013–14 to 12% of entities in 2014–15 inclusive). The number of internal fraud incidents overwhelmingly involved the misuse of ICT. In 2014–15 there was an increase in the number of incidents of internal fraud committed via misuse of identity and misuse of documents/ information. 
External fraud 
Fraud involving financial benefits was the most frequently reported type of external fraud over the three years, with the proportion of entities experiencing such fraud increasing from 21 percent in 2012–13 and 2013–14 to 25 percent in 2014–15.
The greatest number of external fraud incidents related to government entitlements. This category of external fraud continued to increase, from 90,773 incidents in 2012–13, to 110,698 incidents in 2013–14 and to 125,047 in 2014–15. Fraud of this nature most often involved three subtypes: revenue fraud, visa/citizenship fraud and social security fraud.
Misuse of documents was the most commonly reported method of committing external fraud. The number of entities experiencing external fraud involving corruption declined from 17 percent of entities in 2012–13 to 10 percent of entities in 2014–15. While the largest percentage of entities experienced external fraud involving misuse of documents, the number of incidents experienced within that category declined from 62,382 incidents in 2012–13 to just 2,908 incidents in 2014–15, while at the same time the number of incidents involving misuse of identity rose from 16,967 incidents in 2012–13 to 98,573 incidents in 2014–15. These changes were largely due to one large entity changing the way in which it classified misuse of documents and misuse of identity, and to an increased government focus on identity crime and misuse (AGD 2012). 
Cost of fraud 
The total reported cost of fraud each year is likely to be an underestimate of actual losses incurred. There are a number of reasons for this difference:
• The research findings are limited to entities that participated in the census and were able to detect (and then quantify losses from) fraud incidents. 
• Fraud investigations are becoming longer, which may mean details will not be known for several years to come. 
• Some types of fraud cannot be quantified in dollar terms, such as loss of information or accessing ICT systems. While these may cause substantial reputational damage to entities, there is generally a low dollar value (in terms of entity losses) associated with such frauds, although other non-financial impacts can be substantial. 
• In addition, there are many associated costs involved with fraud incidents and investigations which are not quantified in the present research, such as time and cost of investigation, monetary value associated with replacing employees, and other indirect costs that may arise with a fraud investigation. 
Therefore, the present report was only able to provide an estimate of the cost of fraud to the Commonwealth based on data provided by entities from the questionnaires.
Over the three-year period, between 20 and 34 percent of entities were unable to quantify the value of the losses experienced.
The present study asked respondents to indicate the total amount thought to have been lost from fraud incidents, prior to the recovery of any funds and excluding the costs of detection, investigation or prosecution. The responses indicated estimated losses at the time of reporting, as opposed to final losses determined once investigations or criminal action was concluded. Separate questions asked about amounts recovered by entities.
For the three years included in the report, entities reported fraud losses totalling approximately $1.208b, increasing from $207m in 2012–13 to $673m in 2013–14 and reducing to $329m in 2014–15. The large amount in 2013–14 was due to one entity attempting to quantify the cost of fraud incidents for the first time in 2013–14, while the reduction in 2014–15 was due to the same entity changing the way its losses were quantified.
External fraud caused the vast majority of fraud losses, with external fraud totalling $1.2b over the three years (99% of all losses incurred). The total reported amount lost due to internal fraud incidents totalled $11.3m.
Over the three years, internal fraud losses increased by 23 percent between 2012–13 and 2014–15. Losses due to external fraud incidents fluctuated over the three years. Entities were also asked to indicate how much had been recovered using various means. Their responses related to amounts recovered during the financial year in question and did not necessarily reflect amounts lost due to fraud incidents in the same financial year that recoveries were made. Over the three years, $1.8m of internal fraud losses and $48.6m of external fraud losses were recovered, totalling $50.4m. This equates to approximately four percent of the total losses reported over the three financial years. However, because the recovery process may in some cases take years to finalise, monies recovered within any given financial year may not necessarily align with monies lost in that financial year. As such, it is difficult to determine how much money is ultimately recovered by entities that relate to frauds included in any specific year.
The majority of funds were recovered through the use of criminal proceedings, although administrative remedies and other means were also common ways of recovering lost monies. 
How fraud was detected 
Between 2012–13 and 2014–15 fraud was most often detected through internal controls, such as auditing or internal investigation of both internal and external fraud incidents. The next most common method used for detecting fraud incidents was by staff. Detection of external fraud incidents differed from internal fraud, with ‘other’ methods being the second most commonly reported method of detection; however, a large number of those related to community notifications, which might be considered external whistleblowers. Only three incidents of internal fraud were detected via the media over the three years. In contrast, the number of external fraud incidents detected via the media increased, from five incidents in 2012–13 to 31 incidents in 2014–15.
Entities with a dedicated fraud control section were more likely to detect fraud incidents than entities without a dedicated fraud control section. This may be because entities with a dedicated fraud control section are likely to be larger entities with more fraud risks, and because an entity with a dedicated fraud section may actively look for incidents involving fraud and potential misconduct. 
Investigations within entities 
The Commonwealth Fraud Control Framework (AGD 2014) requires entities themselves to investigate routine or minor instances of fraud, and to discipline responsible parties. The findings presented in this report indicate that entities do indeed conduct the vast majority of initial investigations or reviews of fraud allegations. For example, over the three-year period, between 83 and 93 percent of internal fraud incidents were investigated internally by the entity, using an investigation, review or administrative review. As noted above, only a small number of entities without a dedicated fraud control section reported detecting fraud incidents; in 2014–15 over half of those entities still conducted a review/assessment or investigation of the alleged fraud incident.
As with internal fraud investigations, the vast majority of external fraud incidents were primarily investigated by entities themselves, accounting for between 65 and 97 percent of alleged external fraud over the three-year period.
Between 2012–13 and 2014–15, the number of fraud control staff engaged in fraud prevention and investigation duties steadily decreased, from 843 people employed in a fraud prevention capacity in 2012–13 to 804 people in 2014–15. 
Police investigations 
Over the three years, just over five percent (5.4%) of detected internal fraud incidents were referred to police, prosecution or other organisations for investigation or prosecution (259 incidents referred in total), with just under four percent (3.8%) of external fraud incidents referred to other organisations for investigation or prosecution (15,626 incidents). Information about the number of referrals received and accepted by the Australian Federal Police (AFP) was also gathered. The AFP accepted 203 of the 239 fraud referrals made to it over the three years. In 2014–15 there was a decrease in the number of matters referred to the AFP and the subsequent matters accepted by the AFP. As of 30 June 2015 the AFP was investigating 160 fraud-related matters with an estimated loss value of $1.8b. 
Prosecution of fraud 
Over the three years, 4,214 defendants in fraud-type cases were referred to the Office of the Commonwealth Director of Public Prosecutions (CDPP). Of these, the CDPP prosecuted 3,699 defendants, the majority involving direct referrals from entities rather than referrals via law enforcement agencies.
Between 2013–14 and 2014–15, there was an increase of 17 percent in the number of defendants referred to the CDPP for prosecution. In total, however, the number of defendants prosecuted declined, from 1,271 in 2013–14 to 1,033 in 2014–15.
The total amount initially charged in fraud-type prosecutions decreased from $41m in 2013–14 to $25m in 2014–15. The number of convictions declined during the census period, by 22 percent between 2012–13 (1,062 defendants convicted) and 2014–15 (833 convictions). In 2014–15 there was a change in the most frequently imposed sentence for proved fraud offences. In previous years (2012–13 and 2013–14) the most frequently imposed sentence was a recognisance order; however, a fully suspended term of imprisonment was the most frequently imposed sanction in the current year, followed by recognisance orders. The use of custodial sentences again increased over the three-year period, from 12.5 percent of cases in 2012–13 to 17.3 percent of cases in 2014–15. The sentence imposed depended greatly upon the nature and seriousness of the offence(s) and the various factors relating to each individual defendant, although the increase in harsher sentencing may indicate a change in courts’ views regarding fraud offences. 
Fraud compliance and prevention 
Most non-corporate entities (over 92% each year) met the Commonwealth Fraud Control Framework (AGD 2014) requirement to provide the Australian Institute of Criminology (AIC) with data on fraud incidents and compliance with the terms of the framework.
Over the three years, there was a slight increase in the percentage of entities with a dedicated fraud control section to deal with the prevention, investigation and control of fraud risk—from 74 percent of entities in 2012–13 to 77 percent in 2014–15. The number of staff employed in fraud control activities increased overall, from 3,160 staff in 2012–13 to 3,588 staff in 2014–15. However, the number of fraud control staff with a specific fraud qualification reduced, from 45 percent of all staff in a fraud control section in 2012–13 to 33 percent in 2014–15. The Commonwealth Fraud Control Framework (AGD 2014) requires a fraud risk assessment to be conducted by entities regularly or when there has been a substantial change to the activities or functions of the entity. Over the three years examined, the percentage of entities complying with this requirement remained high. In 2012–13, 94 percent of entities had completed a fraud risk assessment within the previous two years; in 2013–14, 95 percent of entities had done so; in 2014–15, the percentage reduced slightly to 92 percent.
A high proportion of respondent entities in 2014–15 had completed a fraud control plan within the previous two financial years (91%, N=140). This was similar to the 92 percent (N=152) which had done so in 2013–14, although it was a decline from the 94 percent (N=153) which had done so in 2012–13.
Fraud awareness training (43% of respondents), compliance with the Commonwealth Fraud Control Framework (39% of respondents) and strong internal controls (21% of respondents) were some of the most frequently cited suggestions for what had made a difference to an entity’s fraud prevention in 2014–15. 
Fraud risks for the Commonwealth 
In the Commonwealth, fraud may be perpetrated by employees or contractors of an entity (internal fraud) as well as by members of the public who have dealings with the government (external fraud), such as when they are obtaining benefits or paying taxes. Fraud risk factors are diverse when dealing with the Commonwealth, as fraud may arise through third-party contractors, procurement processes, provision of government-funded grants, or even overseas cyber attacks.
The principal risks of internal fraud arise from inadequate or outdated internal controls, poor recruitment practices, and insider threats (where staff are compromised or groomed by external parties). External fraud risks arise in connection with the provision of new benefits, failing to build appropriate prevention measures into program and policy design, inadequate procurement practices, new government-funded programs where fraud risks have not been adequately assessed, and Machinery of Government (MoG) changes resulting in new and changing functions for entities.
Between 2012–13 and 2014–15, the number of incidents of external fraud involving the misuse of identity rose by over 450 percent. Identity crime and misuse of documents and information are ongoing areas of risk for Commonwealth entities. Potentially, with more government services moving online, establishing one’s identity and the use of identity documents will remain a concern for entities, with effort required to reduce fraud involving these activities. 
Belcher review and changes to the questionnaire 
The Belcher Red Tape Review was undertaken in 2015, and the report recommended several changes in relation to fraud reporting and the AIC’s annual census (Belcher 2015). These included suggestions for reducing the burden associated with completion of the online questionnaire, and combining the Attorney-General Department’s (AGD’s) annual fraud control compliance report to government with the AIC fraud report to government. Consultations were undertaken with entities to determine how best to improve and streamline the questionnaire. As a result, the key changes to the 2016 questionnaire will include:
• changing the unit of measurement in the new questionnaire to fraud ‘investigations’ undertaken each year rather than fraud ‘incidents’; 
• moving the questions about fraud control, in the previously identifiable section collected for the AGD, to the start of the 2016 questionnaire; 
• including additional conditional response questions in the online questionnaire, to enable those for whom a section is not applicable to proceed quickly to other sections without having to provide responses; 
• adding a new section that examines the most costly external fraud investigations in addition to the previous questions about the most costly internal fraud investigations; 
• enabling respondents to respond to both internal and external fraud questions in the one set of questions, to reduce the overall burden of the questions; and 
• changing the categories of fraud ‘focus’ and ‘methods of committing fraud’ to ensure the categories are mutually exclusive and as exhaustive as possible.
The purpose of these changes is to increase the internal consistency of how entities report fraud to allow for greater comparisons between census years. 
How the information was gathered 
Each year Commonwealth entities were invited to participate in an annual census about their experience of fraud incidents, how they managed fraud risks and the entities’ compliance with the former Commonwealth Fraud Control Guidelines (AGD 2011) and the new Commonwealth Fraud Control Framework (AGD 2014) that came into effect on 1 July 2014. The period examined in this report covers the earlier guidelines and the new framework and the differences they may involve. The framework (AGD 2014) consists of:
• section 10 of the Public Governance, Performance and Accountability Rule 2014 (Fraud Rule); 
• Commonwealth Fraud Control Policy (Fraud Policy); and 
• Resource Management Guide No. 201: Preventing, detecting and dealing with fraud (Fraud Guidance).
Although the three-year period examined is covered by both the guidelines and the framework, for the purposes of this report reference will be made to the 2014 framework now applicable throughout the Commonwealth.
Under the 2014 framework (AGD 2014), fraud against the Commonwealth was defined as ‘dishonestly obtaining a benefit, or causing a loss, by deception or other means’ (AGD 2014: 4.1). Entities were asked to provide information about all suspected and proved incidents of internal and external fraud against the Commonwealth. Further details relating to the data collection procedures are provided in the Methodology section ... 
Information was provided by 163 entities in 2012–13 (with 162 responses included for analysis), 166 entities in 2013–14 and 154 entities in 2014–15 (for 2013–14 and 2014–15, all responses were included for analysis). Each year, this represents over 80 percent of those invited to participate. The data collection periods for all three years covered a period of considerable change for the Australian Public Service, as the government implemented a number of MoG changes. A MoG change consists of a variety of organisational or functional changes affecting the Commonwealth (Department of Finance 2015). These changes were relevant to the collection of fraud information because of the alteration in the number of responding entities as well as changes in their functions during the financial years in question. In some instances MoG changes may have led to investigations being terminated by one entity and taken over by another, which may occasionally have led to inaccuracies in reporting.
Respondents were asked to provide information by completing a secure, online questionnaire that recorded results anonymously (without naming individual entities or individual suspects). The aim was to canvass the experience of fraud across the Australian government as a whole, rather than by identifying what each individual entity had experienced.
Further information on the investigation and prosecution of fraud incidents within the Commonwealth was also provided by the AFP and the CDPP for matters handled within each year (regardless of when they were committed).