The 'Fraud against the Commonwealth: Report to Government 2014-15' by Penny Jorna and Russell G Smith comments on the level of fraud risk affecting Commonwealth entities and the government’s approach to preventing and responding to acts of dishonesty perpetrated within and against the Commonwealth. For the three years 2012-13 to 2014-15, 417,480 incidents of suspected fraud were detected worth over $1.208b with more than one third of Commonwealth entities experiencing fraud. During the three years, 3,699 defendants were prosecuted for fraud by the Office of the Commonwealth Director of Public Prosecutions. In 2014-15, almost one third of sentences imposed involved actual imprisonment.
The report deserves to be read in detail, noting that not all fraud involves welfare recipients and that there aren't detailed findings about the cost of enforcement (of interest given past claims by Canberra that large-scale fraud justifies the erosion of privacy and incidents such as the #CentrelinkFail). The report states
Key findings
During the three years examined, 2012–13 to 2014–15, more than one-third of Commonwealth
entities reported experiencing fraud. The proportion of entities experiencing fraud increased
from 40 percent of responding entities in 2012–13 to 42 percent of entities in the 2014–15
financial year. As with previous reports, the majority of incidents were alleged to have involved
people external to the entities.
Over the three years, 417,480 incidents of suspected or proved fraud were reported by
Commonwealth entities.
During the same period, entities reported monetary losses totalling approximately $1.208b,
comprising $207m in 2012–13, $673m in 2013–14 and decreasing to $329m in 2014–15.
Entities recovered $50.4m during the reference period, although this may have included
monies recovered from fraud losses sustained in earlier years.
Experience of fraud
Between 2012–13 and 2014–15, the percentage of entities experiencing internal fraud
increased (from 28% to 31%). The percentage of entities experiencing external fraud also
increased, but to a lesser extent, from 30 percent to 32 percent.
Each year, entities with more than 1,000 staff experienced more fraud than smaller entities
with 500 or fewer staff.
Extent of fraud
In each year, the number of internal fraud incidents reported declined, with a 12 percent total
reduction from 1,685 incidents of internal fraud in 2012–13 to 1,485 incidents in 2014–15. This
decline was generalised across all entities that experienced internal fraud, rather than a few
entities experiencing reductions in large numbers.
As with earlier reports, substantially larger numbers of external fraud incidents were reported
than internal fraud incidents. In 2014–15 there were 154,221 incidents of suspected external
fraud detected, compared with 1,485 incidents of suspected internal fraud. There were some fluctuations in the numbers of external fraud incidents detected over the three years. In 2012–13 there were 133,969 incidents detected, and in 2013–14 the number of incidents
reported reduced to 123,876; however, in 2014–15 the number of reported external fraud
incidents increased substantially, to 154,221, representing a 24 percent increase between
2013–14 and 2014–15.
In addition to questions asked about suspected incidents of internal or external fraud,
respondents answered questions about their experience of fraud involving collusion between
staff and individuals outside the public sector. The number of incidents involving collusion
fluctuated over the three years, ranging from 17 in 2012–13, down to four in 2013–14 and
increasing substantially in 2014–15 to 107. The percentage of entities experiencing collusion
over the three-year period remained steady at 2–3 percent.
The number of incidents of fraud that could not be classified (as either internal, external or
collusion) also varied over the three-year period, from one incident in 2012–13, to 428 in
2013–14 and decreasing to 30 in 2014–15.
In addition to incidents of fraud experienced, the census also asked about the number of
individuals suspected of committing fraud. Over the three-year period the number of suspects
identified was lower than the number of incidents reported. In 2014–15 there was a reduction
of 26 percent in the number of suspects identified for internal fraud incidents and a 91 percent
reduction in the number of suspects identified with external fraud incidents. The reasons for
this decline may include entities not always being able to identify suspected individuals,
particularly when investigations have just commenced, or changes in fraud reporting processes
within some large entities that resulted in fraud allegations being handled differently.
How fraud was committed
Respondents were asked to indicate two main aspects of how the fraud incidents they detected
had been committed: their focus (that is, the target of the alleged fraudulent activity, or the
benefit to be derived from the illegal conduct) and the method of carrying out the alleged
fraud (such as misuse of technology, information, identity etc).
Internal fraud
The largest number of entities reported suspected internal fraud incidents involving financial
benefits, such as obtaining cash without permission, or misuse of government credit cards,
with around 20 percent of entities reporting this type of internal fraud each year. Although
more entities experienced an incident of fraud targeting financial benefits, in terms of the
numbers of incidents experienced, the most prevalent type involved misuse of information.
Over the three years there was a steady increase in the number of incidents categorised as
misuse of information, from 721 incidents in 2012–13 to 811 incidents in 2014–15.
In relation to the methods by which internal fraud incidents had allegedly been committed, the method affecting the highest percentage of entities was misuse of documents and/or information. However, between 2013–14 and 2014–15 there was a slight increase in the
number of entities experiencing fraud committed through the misuse of information and
communications technologies (ICT) and corruption (increasing from 11% of entities in 2013–14
to 12% of entities in 2014–15 inclusive). The number of internal fraud incidents
overwhelmingly involved the misuse of ICT. In 2014–15 there was an increase in the number of
incidents of internal fraud committed via misuse of identity and misuse of documents/
information.
External fraud
Fraud involving financial benefits was the most frequently reported type of external fraud over
the three years, with the proportion of entities experiencing such fraud increasing from 21
percent in 2012–13 and 2013–14 to 25 percent in 2014–15.
The greatest number of external fraud incidents related to government entitlements. This
category of external fraud continued to increase, from 90,773 incidents in 2012–13, to 110,698
incidents in 2013–14 and to 125,047 in 2014–15. Fraud of this nature most often involved
three subtypes: revenue fraud, visa/citizenship fraud and social security fraud.
Misuse of documents was the most commonly reported method of committing external fraud.
The number of entities experiencing external fraud involving corruption declined from 17
percent of entities in 2012–13 to 10 percent of entities in 2014–15. While the largest
percentage of entities experienced external fraud involving misuse of documents, the number
of incidents experienced within that category declined from 62,382 incidents in 2012–13 to just
2,908 incidents in 2014–15, while at the same time the number of incidents involving misuse of
identity rose from 16,967 incidents in 2012–13 to 98,573 incidents in 2014–15. These changes
were largely due to one large entity changing the way in which it classified misuse of
documents and misuse of identity, and to an increased government focus on identity crime and
misuse (AGD 2012).
Cost of fraud
The total reported cost of fraud each year is likely to be an underestimate of actual losses
incurred. There are a number of reasons for this difference:
• The research findings are limited to entities that participated in the census and were able to
detect (and then quantify losses from) fraud incidents.
• Fraud investigations are becoming longer, which may mean details will not be known for
several years to come.
• Some types of fraud cannot be quantified in dollar terms, such as loss of information or
accessing ICT systems. While these may cause substantial reputational damage to entities, there is generally a low dollar value (in terms of entity losses) associated with such frauds,
although other non-financial impacts can be substantial.
• In addition, there are many associated costs involved with fraud incidents and investigations
which are not quantified in the present research, such as time and cost of investigation,
monetary value associated with replacing employees, and other indirect costs that may
arise with a fraud investigation.
Therefore, the present report was only able to provide an
estimate of the cost of fraud to the Commonwealth based on data provided by entities from
the questionnaires.
Over the three-year period, between 20 and 34 percent of entities were unable to quantify the
value of the losses experienced.
The present study asked respondents to indicate the total amount thought to have been lost
from fraud incidents, prior to the recovery of any funds and excluding the costs of detection,
investigation or prosecution. The responses indicated estimated losses at the time of reporting,
as opposed to final losses determined once investigations or criminal action was concluded.
Separate questions asked about amounts recovered by entities.
For the three years included in the report, entities reported fraud losses totalling approximately
$1.208b, increasing from $207m in 2012–13 to $673m in 2013–14 and reducing to $329m in
2014–15. The large amount in 2013–14 was due to one entity attempting to quantify the cost
of fraud incidents for the first time in 2013–14, while the reduction in 2014–15 was due to the
same entity changing the way its losses were quantified.
External fraud caused the vast majority of fraud losses, with external fraud totalling $1.2b over
the three years (99% of all losses incurred). The total reported amount lost due to internal
fraud incidents totalled $11.3m.
Over the three years, internal fraud losses increased by 23 percent between 2012–13 and
2014–15. Losses due to external fraud incidents fluctuated over the three years.
Entities were also asked to indicate how much had been recovered using various means. Their
responses related to amounts recovered during the financial year in question and did not
necessarily reflect amounts lost due to fraud incidents in the same financial year that
recoveries were made. Over the three years, $1.8m of internal fraud losses and $48.6m of
external fraud losses were recovered, totalling $50.4m. This equates to approximately four
percent of the total losses reported over the three financial years. However, because the
recovery process may in some cases take years to finalise, monies recovered within any given
financial year may not necessarily align with monies lost in that financial year. As such, it is
difficult to determine how much money is ultimately recovered by entities that relate to frauds
included in any specific year.
The majority of funds were recovered through the use of criminal proceedings, although
administrative remedies and other means were also common ways of recovering lost monies.
How fraud was detected
Between 2012–13 and 2014–15 fraud was most often detected through internal controls, such as auditing or internal investigation of both internal and external fraud incidents. The next most common method used for detecting fraud incidents was by staff. Detection of external fraud incidents differed from internal fraud, with ‘other’ methods being the second most commonly reported method of detection; however, a large number of those related to community notifications, which might be considered external whistleblowers.
Only three incidents of internal fraud were detected via the media over the three years. In
contrast, the number of external fraud incidents detected via the media increased, from five
incidents in 2012–13 to 31 incidents in 2014–15.
Entities with a dedicated fraud control section were more likely to detect fraud incidents than
entities without a dedicated fraud control section. This may be because entities with a
dedicated fraud control section are likely to be larger entities with more fraud risks, and
because an entity with a dedicated fraud section may actively look for incidents involving fraud
and potential misconduct.
Investigations within entities
The Commonwealth Fraud Control Framework (AGD 2014) requires entities themselves to
investigate routine or minor instances of fraud, and to discipline responsible parties. The
findings presented in this report indicate that entities do indeed conduct the vast majority of
initial investigations or reviews of fraud allegations. For example, over the three-year period,
between 83 and 93 percent of internal fraud incidents were investigated internally by the
entity, using an investigation, review or administrative review. As noted above, only a small
number of entities without a dedicated fraud control section reported detecting fraud
incidents; in 2014–15 over half of those entities still conducted a review/assessment or
investigation of the alleged fraud incident.
As with internal fraud investigations, the vast majority of external fraud incidents were
primarily investigated by entities themselves, accounting for between 65 and 97 percent of
alleged external fraud over the three-year period.
Between 2012–13 and 2014–15, the number of fraud control staff engaged in fraud prevention
and investigation duties steadily decreased, from 843 people employed in a fraud prevention
capacity in 2012–13 to 804 people in 2014–15.
Police investigations
Over the three years, just over five percent (5.4%) of detected internal fraud incidents were
referred to police, prosecution or other organisations for investigation or prosecution (259
incidents referred in total), with just under four percent (3.8%) of external fraud incidents
referred to other organisations for investigation or prosecution (15,626 incidents).
Information about the number of referrals received and accepted by the Australian Federal
Police (AFP) was also gathered. The AFP accepted 203 of the 239 fraud referrals made to it over
the three years. In 2014–15 there was a decrease in the number of matters referred to the AFP
and the subsequent matters accepted by the AFP. As of 30 June 2015 the AFP was investigating
160 fraud-related matters with an estimated loss value of $1.8b.
Prosecution of fraud
Over the three years, 4,214 defendants in fraud-type cases were referred to the Office of the
Commonwealth Director of Public Prosecutions (CDPP). Of these, the CDPP prosecuted 3,699
defendants, the majority involving direct referrals from entities rather than referrals via law
enforcement agencies.
Between 2013–14 and 2014–15, there was an increase of 17 percent in the number of
defendants referred to the CDPP for prosecution. In total, however, the number of defendants
prosecuted declined, from 1,271 in 2013–14 to 1,033 in 2014–15.
The total amount initially charged in fraud-type prosecutions decreased from $41m in 2013–14
to $25m in 2014–15. The number of convictions declined during the census period, by 22
percent between 2012–13 (1,062 defendants convicted) and 2014–15 (833 convictions).
In 2014–15 there was a change in the most frequently imposed sentence for proved fraud
offences. In previous years (2012–13 and 2013–14) the most frequently imposed sentence was
a recognisance order; however, a fully suspended term of imprisonment was the most
frequently imposed sanction in the current year, followed by recognisance orders. The use of
custodial sentences again increased over the three-year period, from 12.5 percent of cases in
2012–13 to 17.3 percent of cases in 2014–15. The sentence imposed depended greatly upon
the nature and seriousness of the offence(s) and the various factors relating to each individual
defendant, although the increase in harsher sentencing may indicate a change in courts’ views
regarding fraud offences.
Fraud compliance and prevention
Most non-corporate entities (over 92% each year) met the Commonwealth Fraud Control
Framework (AGD 2014) requirement to provide the Australian Institute of Criminology (AIC)
with data on fraud incidents and compliance with the terms of the framework.
Over the three years, there was a slight increase in the percentage of entities with a dedicated
fraud control section to deal with the prevention, investigation and control of fraud risk—from
74 percent of entities in 2012–13 to 77 percent in 2014–15. The number of staff employed in
fraud control activities increased overall, from 3,160 staff in 2012–13 to 3,588 staff in 2014–15.
However, the number of fraud control staff with a specific fraud qualification reduced, from 45
percent of all staff in a fraud control section in 2012–13 to 33 percent in 2014–15.
The Commonwealth Fraud Control Framework (AGD 2014) requires a fraud risk assessment to
be conducted by entities regularly or when there has been a substantial change to the activities
or functions of the entity. Over the three years examined, the percentage of entities complying with this requirement remained high. In 2012–13, 94 percent of entities had completed a fraud
risk assessment within the previous two years; in 2013–14, 95 percent of entities had done so;
in 2014–15, the percentage reduced slightly to 92 percent.
A high proportion of respondent entities in 2014–15 had completed a fraud control plan within
the previous two financial years (91%, N=140). This was similar to the 92 percent (N=152)
which had done so in 2013–14, although it was a decline from the 94 percent (N=153) which
had done so in 2012–13.
Fraud awareness training (43% of respondents), compliance with the Commonwealth Fraud
Control Framework (39% of respondents) and strong internal controls (21% of respondents)
were some of the most frequently cited suggestions for what had made a difference to an
entity’s fraud prevention in 2014–15.
Fraud risks for the Commonwealth
In the Commonwealth, fraud may be perpetrated by employees or contractors of an entity
(internal fraud) as well as by members of the public who have dealings with the government
(external fraud), such as when they are obtaining benefits or paying taxes. Fraud risk factors are
diverse when dealing with the Commonwealth, as fraud may arise through third-party
contractors, procurement processes, provision of government-funded grants, or even overseas
cyber attacks.
The principal risks of internal fraud arise from inadequate or outdated internal controls, poor
recruitment practices, and insider threats (where staff are compromised or groomed by
external parties). External fraud risks arise in connection with the provision of new benefits,
failing to build appropriate prevention measures into program and policy design, inadequate
procurement practices, new government-funded programs where fraud risks have not been
adequately assessed, and Machinery of Government (MoG) changes resulting in new and
changing functions for entities.
Between 2012–13 and 2014–15, the number of incidents of external fraud involving the misuse
of identity rose by over 450 percent. Identity crime and misuse of documents and information
are ongoing areas of risk for Commonwealth entities. Potentially, with more government
services moving online, establishing one’s identity and the use of identity documents will
remain a concern for entities, with effort required to reduce fraud involving these activities.
Belcher review and changes to the questionnaire
The Belcher Red Tape Review was undertaken in 2015, and the report recommended several
changes in relation to fraud reporting and the AIC’s annual census (Belcher 2015). These
included suggestions for reducing the burden associated with completion of the online
questionnaire, and combining the Attorney-General Department’s (AGD’s) annual fraud control
compliance report to government with the AIC fraud report to government.
Consultations were undertaken with entities to determine how best to improve and streamline
the questionnaire. As a result, the key changes to the 2016 questionnaire will include:
• changing the unit of measurement in the new questionnaire to fraud ‘investigations’
undertaken each year rather than fraud ‘incidents’;
• moving the questions about fraud control, in the previously identifiable section collected for
the AGD, to the start of the 2016 questionnaire;
• including additional conditional response questions in the online questionnaire, to enable
those for whom a section is not applicable to proceed quickly to other sections without
having to provide responses;
• adding a new section that examines the most costly external fraud investigations in addition
to the previous questions about the most costly internal fraud investigations;
• enabling respondents to respond to both internal and external fraud questions in the one
set of questions, to reduce the overall burden of the questions; and
• changing the categories of fraud ‘focus’ and ‘methods of committing fraud’ to ensure the
categories are mutually exclusive and as exhaustive as possible.
The purpose of these changes is to increase the internal consistency of how entities report
fraud to allow for greater comparisons between census years.
How the information was gathered
Each year Commonwealth entities were invited to participate in an annual census about their
experience of fraud incidents, how they managed fraud risks and the entities’ compliance with
the former Commonwealth Fraud Control Guidelines (AGD 2011) and the new Commonwealth
Fraud Control Framework (AGD 2014) that came into effect on 1 July 2014. The period
examined in this report covers the earlier guidelines and the new framework and the
differences they may involve. The framework (AGD 2014) consists of:
• section 10 of the Public Governance, Performance and Accountability Rule 2014 (Fraud
Rule);
• Commonwealth Fraud Control Policy (Fraud Policy); and
• Resource Management Guide No. 201: Preventing, detecting and dealing with fraud (Fraud
Guidance).
Although the three-year period examined is covered by both the guidelines and the framework,
for the purposes of this report reference will be made to the 2014 framework now applicable
throughout the Commonwealth.
Under the 2014 framework (AGD 2014), fraud against the Commonwealth was defined as
‘dishonestly obtaining a benefit, or causing a loss, by deception or other means’ (AGD 2014:
4.1). Entities were asked to provide information about all suspected and proved incidents of
internal and external fraud against the Commonwealth. Further details relating to the data
collection procedures are provided in the Methodology section ...
Information was provided by 163 entities in 2012–13 (with 162 responses included for
analysis), 166 entities in 2013–14 and 154 entities in 2014–15 (for 2013–14 and 2014–15, all
responses were included for analysis). Each year, this represents over 80 percent of those
invited to participate.
The data collection periods for all three years covered a period of considerable change for the
Australian Public Service, as the government implemented a number of MoG changes. A MoG
change consists of a variety of organisational or functional changes affecting the Commonwealth (Department of Finance 2015). These changes were relevant to the collection
of fraud information because of the alteration in the number of responding entities as well as
changes in their functions during the financial years in question. In some instances MoG
changes may have led to investigations being terminated by one entity and taken over by
another, which may occasionally have led to inaccuracies in reporting.
Respondents were asked to provide information by completing a secure, online questionnaire
that recorded results anonymously (without naming individual entities or individual suspects).
The aim was to canvass the experience of fraud across the Australian government as a whole,
rather than by identifying what each individual entity had experienced.
Further information on the investigation and prosecution of fraud incidents within the
Commonwealth was also provided by the AFP and the CDPP for matters handled within each
year (regardless of when they were committed).
Last year's Parliamentary Joint Committee on Corporations and Financial Services 'Whistleblower Protections' report comments
Effective whistleblowing provides an essential service in fostering integrity and accountability while deterring and exposing misconduct, fraud and corruption. A recent analysis of whistleblower protections across G20 countries found Australia's laws to be comprehensive for the public sector, but lacking in the private sector. However, the Moss Review of the Public Interest Disclosure Act 2013 (PID Act) identified many flaws and areas for reform of the PID Act. Evidence to the inquiry, as well as consideration of existing laws, indicates that whistleblower protections remain largely theoretical with little practical effect in either the public or private sectors. This is due, in large part, to the near impossibility under current laws of:
• protecting whistleblowers from reprisals (i.e. from retaliatory action);
• holding those responsible for reprisals to account;
• effectively investigating alleged reprisals; and
• whistleblowers being able to seek redress for reprisals.
Another significant issue identified by the committee is the fragmented nature of whistleblower legislation. In particular, significant inconsistencies exist not only between various pieces of Commonwealth public and private sector whistleblower legislation, but also across the various pieces of legislation that apply to different parts of the private sector. The committee has made a number of recommendations to address these issues based on a detailed comparison of three separate Acts.
The committee has recommended separate public and private whistleblower protection legislation. However, the committee recognises that it would be the preference of Labor and Green committee members that a single Act be proceeded with in the first instance.
The committee's work on this inquiry was greatly assisted by a substantial body of academic work over the past two decades on whistleblower protections. The committee has used the best practice guidelines set out in the Breaking the Silence report as a systematic basis for conducting its inquiry and structuring this report. The table overleaf summarises the best practice criteria for whistleblowing legislation and the areas where the committee is recommending reforms.
One of the committee's main recommendations is the establishment of a Whistleblower Protection Authority (to be housed within a single body or an existing body) that can support whistleblowers, assess and prioritise the treatment of whistleblowing allegations, conduct investigations of reprisals, and oversight the implementation of the whistleblower regime for both the public and private sectors.
The committee notes the Moss review recommendation to ensure that the whistleblower regime is focussed on serious misconduct such as fraud and corruption. The committee considers that, for whistleblowing associated with serious misconduct, it is likely that reprisals would be a form of corrupt conduct (that is, dishonest or unethical or criminal conduct to obtain personal benefit by a person entrusted with a position of authority). It is therefore the committee's view (assuming that the Moss Review recommendations are implemented) that the most appropriate body to house the Whistleblower Protection Authority is a body that has a demonstrated track record in identifying and investigating corruption and bringing those responsible to account.
Best practice criteria for legislation and recommendations for reform
Best Practice Criteria for Whistleblowing Legislation
1 Broad coverage of organisations
Broaden to cover the private sector, and ensure consistency by bringing all private sector legislation into a single Act.
2 Broad definition of reportable wrongdoing
Broaden the private sector definition of disclosable conduct to a breach of any Commonwealth, state or territory law.
3 Broad definition of whistleblowers
Provide protections for both former and current staff that could make a disclosure, or are suspected of making a disclosure.
Provide appropriate protection for recipients of disclosures and those required to take action in relation to disclosures.
4 Range of internal / regulatory reporting channels
Adopt a tiered approach comprising:
(i) internal disclosure;
(ii) regulatory disclosure; and
(iii) external disclosure (in appropriate circumstances).
Protect internal disclosures in the private sector, including in registered organisations.
5 External reporting channels (third party / public)
6 Thresholds for protection
Align thresholds for protection across the public and private sectors.
7 Provision and protections for anonymous reporting
Allow for anonymous disclosures across the public and private sectors.
8 Confidentiality protected
Protect the confidentiality of the disclosures and the whistleblower's identity.
9 Internal disclosure procedures required
An appropriate body to set and promote standards for internal disclosure procedures in the private sector.
10 Broad protections against retaliation
Align the public and private sector with the protections, remedies and sanctions for reprisals in the Fair Work Registered Organisations Act 2009.
11 Comprehensive remedies for retaliation
12 Sanctions for retaliators
13 Oversight authority
Establish a Whistleblower's Protection Authority (to be housed within a single body or an existing body) that has as its priority to support whistleblowers, that has the power to investigate reprisals, and that will oversight the implementation of the whistleblower regime.
14 Transparent use of legislation
Annual reports to Parliament for both the public and private sectors in consistent format to facilitate comparison.