Fraud Control Plan 2011
Chapter Four
Monitoring the Process: Awareness and Training
Monitoring Fraud Risk
The risk environment is constantly changing and managers and employees need to be aware of any potential risks that may emerge in their area of responsibility when new processes, systems and technologies are introduced and when fraud incidents occur. To deal with these changes, risk identification and assessment (including treatment plans, strategies and control mechanisms) need to be part of a continual process of review. It is the responsibility of managers to ensure their processes and control systems are updated in accordance with changes to their financial or administrative operations. It is also the responsibility of managers to make sure any weaknesses or failures in controls are identified and strengthened.
The Central Fraud Index
Currently there is a comprehensive fraud control review process in place in the department. The CEU reports to the Audit and Risk Committee and the Ethics Committee three times a year to provide a summary of identified fraud incidents across the department. This provides the committees with a basis for monitoring and assessing whether performance indicators are being met. The CEU also manages a fraud caseload that provides insight into trends in fraudulent activity. As an additional reporting measure, CEU completes a Control Plan summary report at the conclusion of each fraud-related case.
An effective fraud control policy ensures there is an appropriate level of awareness and communication among managers. One way in which new risks are identified is through the actual occurrence and detection of fraud. The department has a rigorous system in place for investigating such fraud allegations. However, due to the critical need for confidentiality during the investigation process, which may take several months, and due to other privacy considerations, there was previously limited scope for the CEU to provide timely information to line managers on any new risks and their need for treatment.
To address this gap, the department established a change management strategy for handling new fraud risks as they occur. At the core of this strategy is the "Central Fraud Index". The Index, maintained by FSB/FMB, works on the same principle as other DFAT-wide registers, such as the Risk Register. This new index builds upon the pre-existing reporting and monitoring procedures.
The index aims to provide generic information at the earliest opportunity on a broad range of fraud-related incidents, which will include smaller scale incidents that arise from deficient administration, weak procedures or accidental errors. This holistic approach provides a better picture of the department's performance and success in minimising and preventing fraud as well as an opportunity to identify emerging trends and system failures.
As illustrated in this flow chart, when any fraud-related incident is committed, whether in Canberra, at post, in a State and Territory Office or within an attached agency, the affected business unit is required to report the incident to the CEU. At this stage of the process, the CEU conducts a preliminary investigation/assessment of the allegation.
Note: The cause and effects of any fraudulent act(s) identified are to be reported to the Director, Evaluation & Audit Section, for information.
In addition to this reporting requirement, the affected business unit must document any incident with financial management procedures or control implications by completing a Report of Suspected Financial Breakdown (See Attachment D). After the CEU establishes there is a case to investigate, summary details of the incident will be passed to the Assistant Secretary FSB.
This reporting will be in accordance with the Commonwealth's and the department's privacy and confidentiality guidelines. Affected business units are required to provide information on the fraud risk in a generic fashion that does not identify the staff member under investigation. The information will, however, provide enough relevant detail about the incident to ensure it is appropriately understood, allowing other managers within the department to make initial assessments within their business unit to gauge the level of risk they may be exposed to.
The Assistant Secretary FSB will then ensure information about the identified new fraud risk is circulated to the relevant area by recording the fraud act on the DFAT Fraud Central Index. This will enable FSB/FMB to conduct a review of the risk rating (as identified in this fraud control plan) and advise the CEU of any upgrade in the risk rating that may be required and subsequent control measures introduced. These steps establish a formalised feedback process, which informs line managers of procedures that need to be put in place to avert the recurrence of future fraud incidents.
Fraud Awareness and Training
The Secretary has responsibility for ensuring that there is a high level of communication and information regarding fraud control and that departmental staff and contractors maintain a high level of awareness regarding fraud issues and responsibilities. However, all employees are responsible for ensuring they have fulfilled the necessary training requirements in ethics, conduct and fraud in order to gain a sound understanding of the department's approach to managing fraud risks.
To ensure departmental employees are well equipped to carry out their duties, the department has implemented a key awareness strategy. The strategy requires that all departmental training in relation to induction (A-based officers and Locally Engaged Staff), short-term and long-term deployments and mandatory refresher courses must include a Fraud Control Plan module. This module will cover:
- purpose of 'The Plan'
- individual staff responsibilities set out in 'The Plan'
- relevant responsibilities according to position/role within the department, as set out in 'The Plan'
- how to report suspected fraud
The success of a Fraud Control Plan as a whole depends on the extent to which everyone contributes to the assessment of fraud risk and embraces the philosophy of actively managing it. The CEU can now tailor specific training to areas that face unique fraud risks to address the learning and development needs of particular staff.
Attachment A - Frequently Asked Questions
How do I identify fraud?
The range of fraudulent activities is as broad as human ingenuity will allow within the confines of the particular resources at risk. The threat of fraudulent activity increases where:
- ongoing system controls such as reconciliations are not uniformly observed
- IT passwords are not appropriately protected
- delegations and authorisations are not enforced (or understood)
- particular staff members have influence over other staff in the workplace
- there is a lack of effective supervision by managers.
Such practices in the workplace can be potential indicators of fraud.
Fraud often comes to light through irregularities and anomalies. Staff should be attentive to exploring the reasons and background behind such instances.
What should I do if I suspect fraud?
Staff are aware of the close public scrutiny of the work of the department both in Australia and overseas and the obligation this places on all staff to maintain the highest standards of ethical conduct and administrative probity. To uphold these high standards the department has a workplace culture that does not tolerate unethical behaviour and recognises the duty of all staff to report fraud promptly, should it occur. If staff believe that fraud may be occurring, they are encouraged to:
- report the matter in confidence to their supervisor, who should in turn contact the CEU. Staff may also contact CEU directly
- avoid jumping to conclusions, but rather observe developments carefully
- make notes on what they have seen or heard
- note any action they have taken
- refrain from writing on any documents retained, minimise handling and ensure appropriate security in the event the material concerned is forensically examined and/or used in future criminal or administrative proceedings
- inform only those who need to know
- not alert the person or persons suspected of fraud or remove any items from their possession as this could (a) compromise the success of possible future criminal prosecution or civil proceedings or (b) prevent the person(s) from receiving appropriate protection from public disclosure of an allegation
How do I report Fraud?
When staff suspect fraud they should report it at the first available opportunity in a confidential manner.
The steps for reporting suspected fraud:
- maintain the confidentiality of your report
- record what you have seen and heard, and the actions you take
- retain all related documents, ensure minimal handling and do not mark documents in any way
- report the matter to at least one of the following: your section supervisor, Conduct and Ethics Unit (CEU) email "Conduct@dfat.gov.au", First Assistant Secretary, Corporate Management Division (FAS CMD), Head of Mission (HOM) or Senior Administrative Officer (SAO) as soon as possible.
What happens in a fraud investigation?
When a matter is reported, CEU examines the initial information to determine whether a formal investigation is warranted. If a formal investigative process is necessary, a CEU investigator will either visit the overseas mission, state office or other work area directly or provide step-by-step guidance to management on how an investigation is to be conducted.
How does the department make decisions about police involvement?
The department generally investigates suspected fraud cases in-house. The department has trained and experienced investigators in CEU, APO and PSO. In some cases the department may need to seek the assistance of the Australian Federal Police. The ANAO has produced a decision-making matrix to guide Commonwealth agencies in what should be referred to the Australian Federal Police, which is used by CEU in its decision-making process.
What protection is there for whistleblowers?
The legitimate role of the 'whistleblower' is recognised in the Public Service Act 1999. Section 15 of the Act requires that each agency establish procedures to investigate reported breaches of the Code of Conduct. Section 16 of the Act provides protection to whistleblowers, stating that people working in, or for, an APS agency "…must not victimise or discriminate against, an APS employee because the APS employee has reported breaches (or alleged breaches) of the Code of Conduct…" DFAT policy and procedures relating to whistleblowers are set out in the DFAT Conduct and Ethics Manual.
Attachment B - Risk Assessment Matrix
| LIKELIHOOD / CONSEQUENCE | Insignificant: Minimal impact on non-core business operations. | Minor: Some impact on the business areas in terms of delays, system quality, reduction in client service etc, but it should be possible to handle the risk at the operational level. | Moderate: A significant impact on the business area through a reduction in business performance to the extent that targets cannot be met. It could involve a significant increase in costs and/or limited client dissatisfaction. | Major: An extensive impact on the business area, leading to reduction in business performance. It could involve considerable client dissatisfaction, loss of revenue, excessive costs, delays in achieving key objectives, and/or breaching legislative obligations. | Catastrophic: An extreme impact meaning core activities could not be performed. It would involve a critical business failure, and could expose the organisation to severe criticism, major financial or non-financial damage and/or extensive disruption to community services, natural resources, etc. |
|---|---|---|---|---|---|
| Almost certain: Has occurred at least annually in DFAT in the past, or circumstances are in train that will cause it to happen. | Moderate | Significant | High | Extreme | Extreme |
| Likely: Has occurred in the last few years in this or other similar agencies, or circumstances are expected to cause it to happen. | Moderate | Moderate | Significant | High | Extreme |
| Possible: Has occurred at least once in the history of DFAT, or is considered to have a 1 in 20 chance of occurring in the short term. | Low | Moderate | Moderate | Significant | High |
| Unlikely: Has rarely occurred in DFAT and/or similar agencies, and is considered to have a 1 in 100 chance of occurring in the short term. | Low | Low | Moderate | Moderate | Significant |
| Rare: Possible but has not occurred to date in this or any similar agency; very much less than a 1 in 100 chance of occurring in the short term. | Low | Low | Low | Moderate | Moderate |
The options for treating risks should be considered carefully, particularly for those risks which have received an overall rating of extreme, high, significant or moderate.
In general, the higher the overall level of risk, the greater the required level of management attention, as follows:
Extreme
Requires:
- handling by Departmental Executive
- consultation with the Minister
- immediate plan to introduce new controls to reduce the residual risk
- expectation of financial expenditure
High
Requires:
- the Departmental Executive to note the residual level of risk
- advice to the Minister
- a plan to introduce new control measures that reduce the residual risk
- expectation of additional financial expenditure
- acceptance of the residual risk by the work unit if no new control measures are possible
Significant
Requires:
- clearly allocated responsibility for managing the risk at senior levels
- additional controls to reduce or avoid the risk, possibly involving additional cost
- acceptance of the residual risk by the work unit if no new control measures are possible
Moderate
Requires:
- clearly allocated responsibility for managing the risk in the work unit
- an examination of possible cost-effective options to reduce or avoid the risk
- advice to senior management where the consequences are major or catastrophic
Low
Requires:
- clearly allocated responsibility for managing the risk in the work unit
- management through existing processes and procedures
- unlikely to require extra resources or senior managerial attention

| Treatment option | Note |
|---|---|
| Avoid the risk | |
| Treat the level of risk | The consequences of occurrence might be reduced by contingency planning, disaster recovery plans, effective contractual arrangements or better stakeholder consultation. |
| Share or transfer the risk | The possibility that sharing the risk might also create new risks or modify the old risks should also be considered. |
| Accept the risk | In accepting risk, managers should be aware of possible consequences. |
Recording Your Risk Assessment Rating
The following risks were identified for (risks identified within your functional area, refer to Attachment B for Risks identified in 2011 FCP):
Using the attached Risk Assessment Matrix taken from the Department's Risk Management Toolkit (See Risk Management Handbook) please enter your assessment for each of these risks in the table below, along with a brief description of the reason for the likelihood and consequence ratings chosen.
| Risk | Probability rating | Reason for probability rating | Consequence rating | Reason for consequence rating | Overall risk rating |
|---|---|---|---|---|---|
| 1 | | | | | |
| 2 | | | | | |
| 3 | | | | | |
| 4 | | | | | |
Options for Risk Treatment
Risks defined as low should not require any additional treatment beyond the normal controls or procedures mandated by legislative or departmental requirements. In general, these risks can be handled appropriately through normal day-to-day management attention.
It is important, however, that the options for treating risks which received an overall rating of extreme, high or moderate are identified and assessed rigorously.
As part of this process you have already completed questionnaires which asked you to examine past controls in place for this activity, identify recently introduced controls and/or recommend additional control measures.
We ask you now to consider whether any of the following risk treatment options should be considered for risks which you rated as 'extreme', 'high' or 'moderate':
- avoid the risk by not proceeding with the policy, program, project or activity which would incur the risk;
- treat or share the level of risk by reducing the probability of occurrence or the consequences of occurrence. For example, the probability of occurrence might be reduced by such things as more research, stronger controls, revised organisational arrangements, improved project management, increased monitoring, improved training or better planning. The consequences of occurrence might be reduced by contingency planning, disaster recovery plans, effective contractual arrangements or better stakeholder consultation;
- transfer the risk by shifting responsibility for the risk to another party. This might be done by contract, insurance, legislation or administrative processes. It is essential where risk is transferred that principles of fairness and equity are observed so clients or others in a poor position to accept the risk are not unfairly disadvantaged; or
- accept the risk where the risk cannot be avoided, transferred or reduced, or where the cost of doing so cannot be justified. Where risk is accepted there should be awareness of possible consequences.
The selection of the appropriate action requires balancing the cost of particular risk management options against the benefits to be derived from taking the risk.
The risk treatment actions proposed for the work unit should be documented as per the table below. To ensure that these actions are realistic and do not lead to the 'over-control' of risk, the resource implications of the treatment should also be listed.
| Risks | Overall Rating | Proposed Risk Treatment Actions | Resource Implications |
|---|---|---|---|
| 1 | | | |
| 2 | | | |
| 3 | | | |
| 4 | | | |
Attachment C - Questionnaire and Risk Assessments
Set out below is the format and content of the standard questionnaire, risk assessment matrix and risk treatment matrix completed by functional areas of the department responsible for managing identified fraud risks:
Questionnaire
1. Fraud risks
- Please list the number of frauds that have taken place since the last (2011) plan.
- What potential fraud risks have been identified since the last plan? Please list.
- What has driven these new fraud risks?
- What risks, if any, no longer exist (please list) and why?
2. Control measures
- What new control measures, if any, have been implemented since the last plan? Please list.
- What has driven the implementation of these new control measures?
- What control measures, if any, are no longer applicable (please list) and why?
3. What significant changes in technology, hardware or terminology have occurred since the last plan that would impact on this issue?
4. Changes in process
- Please list any elements of the process that are now managed differently or have been outsourced.
- Further to your previous response (4.a), why has the management of these processes changed?
5. Review, Implementation and Monitoring
- Having completed the questionnaire (Q1-4), what further control measures are recommended (please list) and why, indicating the timeframe within which these measures will be implemented?
- Please provide appropriate performance indicators and targets indicating how you intend to monitor the implementation of all control measures, both new and existing, in relation to this issue.
Attachment D - Report of Suspected Financial Breakdown
Central Fraud Index No:
CEU Case No.
DATE:
CANBERRA:
STATE OFFICE:
POST:
ATTACHED AGENCY:
DESCRIPTION OF INCIDENT:
FINANCIAL PROCEDURE OR CONTROL MEASURE IMPLICATED:
FCP REVIEWED