DISER - Released under the FOI Act - LEX 67675
s 47F
From: s 47F
Sent: Friday, 21 August 2020 5:01 PM
To: Greenwood, Emma
Cc: Fraud Control Officer
Subject: For information - Wrap up of 2018-20 Divisional Fraud Risk Assessment process – Support for Business [SEC=OFFICIAL]
Attachments: Attachment A Outcome of the independent review - Support for Business.docx
Good afternoon
For information, no action required
The Fraud Control Team (FCT) is currently preparing the 2019-20 Annual Certification of Fraud Control Measures for
the Secretary’s approval.
To ensure the team finalises all outstanding activities in respect of 2019-20, I’m writing to advise you of the
outcomes of the Fraud Control Team’s (FCT) review of the 2018-20 Divisional Fraud Risk Assessments, and provide
you with an update on the status of the 2020-22 Divisional Fraud Risk Assessment Process.
Wrap up for 2018-20 Divisional Fraud Risk Assessment Process
Following the completion of Divisional Fraud Risk Assessments in April-May 2019, and collation of the Enterprise
Fraud Risk Profile, the FCT presented the outcomes to Executive Board on 24 September 2019.
At the Executive Board meeting, the Secretary requested the 2018-20 Divisional Fraud Risk Assessments, which were
self-assessed by divisions, be independently reviewed by the FCT to take into account known risks and to verify risk
ratings.
The Fraud team reviewed all divisional fraud risk assessments and minor changes were made to some risk ratings.
Changes made to your DFRA are attached for information.
Risk treatments: As part of the review, the FCT also collated common risk treatments proposed by divisions and
identified some projects and activities that can be driven at a corporate level to address the risk treatments
proposed by divisions. The FCT will liaise with divisions and corporate teams to reduce these common risk areas, and
will continue to monitor the status of other risk treatments identified by divisions. Going forward, we are
considering a divisional report back on risks rated as high, but this will be rolled into the 2020-22 approach (see
below).
For information, the Secretary also requested the FCT consult other agencies on their fraud risk procedures to
ensure the department’s fraud risk methodology was aligned. The analysis of other agencies’ risk assessment
processes indicates that the department’s approach is consistent.
2020-22 Divisional and Enterprise Fraud Risk Assessment Process
In line with the department’s Fraud and Corruption Control Plan, the department updates divisional fraud risk
assessments at least every two years, or following significant organisational changes, and collates the divisional
fraud risk assessments to produce an Enterprise Fraud Risk Profile.
The FCT will soon commence the 2020-22 fraud risk assessment process. We intend to put a paper to EB in
September to outline the process and will be in touch with divisions after that. We are revamping the process for
2020-22 to include tailored fraud risk training so staff are more engaged in the issues and can draw linkages to their
work, and will provide new guidance and tools to support the completion of the fraud risk assessment. We will be
leveraging some new resources developed by law enforcement agencies during the COVID-19 response.
In the meantime, please feel free to reach out any time you require fraud control advice or assistance, including to
help inform the design of new initiatives.
Thanks, s 47F
s 47F
Manager
Audit and Fraud
Legal, Audit and Assurance Branch
Corporate and Digital Division
s 47E(d)
Department of Industry, Science, Energy and Resources | www.industry.gov.au
Supporting economic growth and job creation for all Australians
Attachment A: Outcome of the independent review of 2018-20 Divisional Fraud Risk Assessments
AusIndustry - Support for Business
Table columns: Division | Risk | Self-assessed: Likelihood | Consequence | Rating | Fraud Control Team Review: Likelihood | Consequence | Rating | FCT Reasons
s 47E(a), s 47E(d)
AusIndustry - Support for Business
Fraud Risk Assessment and treatment plan 2018–20
Risk Assessment
Program/Project/Activity: 2018-20 Fraud Risk Assessment
Branch/Division: AusIndustry - Support for Business
Objective/Purpose: To assure the Assurance and Audit Committee that the identified fraud risks faced by the Department of Industry, Innovation and Science have a regular assessment and review of proposed risk treatment strategies. (Guidance: State the objective to which the risk plan relates. Describe intent, purpose and outcomes.)
Context (Guidance: List internal and external factors that influence this risk in relation to achieving objectives):
• AusIndustry has undergone a structural realignment based on the ‘Mandate for Change’, Mark Evans report and other portfolio strategic reviews
• The government needs to meet the expectations of a modern public sector (with customers at the centre of everything we do)
• Reform implementation and continuous improvement are complex and impact on workforce requirements
• The department is managing service delivery across a distributed network
Date last reviewed: 31 May 2019
Assessment conducted by (Guidance: List all contributors): AusIndustry – Support for Business Executive Officer; AusIndustry – Support for Business Assurance Manager
Clearance by (as per the risk action table): AusIndustry – Support for Business Executive Committee
Risk table columns (Risk identification | Controls | Analysis | Owner | Evaluation):
Risk identification
• Category
• Description: Describe the risk or event (what can happen). List the cause (what will cause the event to occur?). Are any of the risks a shared risk? Are there any constitutional risks? Tip—Undertake a PESTLE or SWOT analysis to help define risks.
• Consequence: What are the impacts of this occurring?
Controls
• Current control(s): Such as existing policies; procedures; practice; governance committees; systems; technology; quality improvement plans. Include controls for shared risks. Tip—is there a corresponding control for each cause of risk?
Analysis
• Risk reference card: Likelihood, Consequence, Risk rating
Owner
• Risk owner: Person/s responsible for managing the risk. Include shared risk owners.
Evaluation
• Is risk within tolerance? (Risk tolerance)
• Accept risk? No – Complete Risk Treatment plan; Yes – Optional Treatment plan
• Risk action reference (Risk action table)
s 47E(a), s 47E(d) (table content, pages 4 to 11 of 22)
Risk Treatment Plan
Program/Project/Activity: 2018-20 Fraud Risk Assessment
Branch/Division: AusIndustry - Support for Business
Date last reviewed:
Treatment plan columns (Risk | Risk treatment | Responsibility | Implementation | Monitor & Review):
Risk
• Risk description: Copy from risk plan
• Risk rating: Copy from risk plan
• Risk owner: Copy from risk plan
Risk treatment
• Treatment action/s (Risk action table): Selecting the most appropriate treatment options involves balancing the costs and efforts of implementation against the expected benefits.
Responsibility
• Treatment owner: Person responsible for implementing treatment
• Escalation: Person for escalation/reporting progress
Implementation
• Agreed timeframes for implementation of risk treatment
Monitor & Review
• Frequency: The frequency progress is reported
• Method: How progress is reported
• Status (Risk action table)
s 47E(a), s 47E(d) (treatment plan content, pages 12 to 14 of 22)
DRAFT
Introduction
The fraud risk assessment process ensures that potential exposure to fraud is identified and appropriately managed. This process informs
the development of the Department's Fraud Control Plan for 2016-18, including the development of an Enterprise Fraud Risk Register.
This will also assist in providing assurance to the Secretary (who has overall responsibility for fraud control) that the appropriate
mechanisms for preventing, detecting and dealing with fraud are in place.
Divisional Fraud Risk Assessment (DFRA) Workbook
To assist you in conducting a DFRA, this workbook provides:
• DFRA Worksheet - includes the draft outcomes based on discussions at your Division's fraud risk assessment workshop, together
with additional draft content and ratings * (in blue text) for your review and updating as necessary.
• Definition of Fraud worksheet - extract of the Definition of fraud (including examples as defined in the Framework), Corruption and
Foreign Bribery
• Risk Reference Card worksheet - extract of the department's risk reference card/matrix for completing your fraud risk ratings.
Some guidance to identifying and assessing the fraud risks
It is necessary to consider both internal and external fraud risks, including corruption-type fraud risks, as well as any new, emerging or unique
fraud risks. In particular, please ensure that your DFRA:
• Identifies the fraud risks (for the functions, programmes, activities and systems etc.) your Division and branches are responsible for.
• Assesses the likelihood, consequences, controls and proposed treatments to minimise fraud risks.
• Rates fraud risks in line with the department’s risk matrix.
• Appropriately identifies ownership of the fraud risks and proposed treatments.
• Avoids the use of acronyms, or spells out the first reference to each acronym.
• As this is a 'Sensitive' document, is distributed only to those staff in your area you identify as needing to be involved in the fraud
risk assessment process.
• Is returned in draft to the Fraud.Prevention.Unit positional mailbox with your Head of Division approval/clearance by the
requested due date.
* Note: whilst indicative fraud risk ratings may have been included in your draft DFRA, please consider whether they are appropriate in
your review and update them as necessary.
Ongoing monitoring and reporting
With fraud risk assessment being a continuous process, please ensure ongoing monitoring of your DFRA, such as:
• Monitoring fraud risks for changes (e.g. reviewing for changes in the fraud risk ratings).
• Taking action to implement the proposed treatments, including providing progress reports requested by the Fraud Prevention Unit.
• Organisational structure changes - reviewing for changes impacting on ownership of fraud risks and treatments.
• Future workshops - after your initial completed DFRA, you may wish to indicate any fraud risks which would benefit from a more
comprehensive fraud risk assessment e.g. areas identified as high risks.
If you have any questions or would like to discuss the process further, please contact the Fraud Prevention Unit (s 47F,
Assistant Manager, Fraud Prevention Unit on s 47F, or s 47F, Senior Fraud Prevention Officer on s 47F).
Draft Divisional Fraud Risk Assessment 2016-18 - Business Services Division
Limited Distribution
Division: Business Services Division (including BizLab)
HOD Approval/Clearance: Chris Butler
Date Approved: 25 October 2016
Worksheet columns (Risk Identification | Risk Analysis | Risk Treatment | Monitoring and Review):
Risk Identification
• Risk No.
• Division/Branch
• Fraud Risk Source/area: Identify possible sources of fraud risk - internal and external
• Fraud risk type (Use drop down list): Internal (I) or External (E)
• Fraud Risk Categories (Use drop down list)
• Fraud Risk Statement
• Causes: Why and how might this occur?
• Consequences: What are the impacts of this occurring?
Risk Analysis
• Existing Controls: What is currently done to manage this fraud risk?
• Current fraud risk rating (Use drop down list): Likelihood; Consequence; Current risk rating
• Fraud Risk Owner: Who is accountable (Role e.g. HOD, Name of Division)? [May need updating]
Risk Treatment
• Proposed Strategies/Treatments: What additional strategies/treatments can be implemented to manage this fraud risk?
• Treatment Owner: Who is responsible for implementing the proposed treatment (Role e.g. HOD, Name of Division)?
• Due Date: Target date to implement
• Residual fraud risk rating (Use drop down list): Likelihood; Consequence; Residual fraud risk rating
Monitoring and Review
• General Comments: Please include any general comments, e.g. provide a brief reason for accepting any risks rated high or above without further mitigation strategies
s 47E(a), s 47E(d)
SENSITIVE
s 47E(a), s 47E(d) (worksheet content continues, pages 3 to 5 of 8)
[Draft]
Definition of Fraud
The Commonwealth Fraud Control Framework 2014 (Fraud Guidance) defines fraud against the
Commonwealth as
‘dishonestly obtaining a benefit, or causing a loss, by deception or other means’.
This definition is based on the fraudulent conduct offences under part 7.3 of the Criminal Code, in
addition to other relevant offences under chapter 7 of the Criminal Code.
Examples of fraud against the Commonwealth may include (but are not limited to):
• theft
• accounting fraud (e.g. false invoices, misappropriation)
• misuse of Commonwealth credit cards
• unlawful use of, or unlawful obtaining of, property, equipment, material or services
• causing a loss, or avoiding and/or creating a liability
• providing false or misleading information to the Commonwealth, or failing to provide
information when there is an obligation to do so
• misuse of Commonwealth assets, equipment or facilities
• cartel conduct
• making, or using false, forged or falsified documents, and/or
• wrongfully using Commonwealth information or intellectual property.
A benefit is not restricted to monetary or material benefit, and can be tangible or intangible,
including the unauthorised provision of access to or disclosure of information. A benefit may also
be obtained by a third party rather than, or in addition to, the perpetrator of the fraud.
Fraud against the Commonwealth can take many forms and may target:
• revenue (e.g. income tax, GST fraud, customs duties)
• property (e.g. cash, computers, other portable and attractive items, stationery)
• information and intelligence (e.g. personal information or classified material)
• program funding and grants
• entitlements (e.g. expenses, leave travel, travel allowances, attendance records)
• facilities (e.g. unauthorised use of vehicles, information technology and telecommunication
systems), and
• money or property held in trust or confiscated.
Fraud can be committed by staff or contractors (internal fraud) or by persons external to the
Department (external fraud) such as clients, service providers or other members of the public. It
may also be committed jointly between an employee and an outside party.
Definition of Corruption
AS/NZ 8001:2008 – Fraud and Corruption Control, defines corruption as:
“Dishonest activity in which a director, executive, manager, employee or contractor of an entity acts contrary to the interest of the entity
and abuses his/her position of trust in order to achieve some personal gain or advantage for him or herself
or for another person or entity”.
Complex fraud, which may also constitute corrupt conduct, can include instances where an employee or
group of employees are targeted and succumb to exploitation by external parties, or initiate the misconduct.
The Department must be alert to the risk of complex fraud involving collusion between agency employees
and external parties.
Foreign Bribery
The Australian Government Policy on foreign bribery states:
Australia has a zero tolerance approach to foreign bribery and corruption. Australia works actively with
foreign governments to stamp out bribery, and strongly discourages companies from making facilitation
payments.
The Australian Government supports ethical business practices, and the prosecution of those who engage in
illegal practices. This helps to improve Australia's investment opportunities overseas and is an important
aspect of Australia's global reputation.
Foreign bribery undermines the reputation of all Australian businesses and impacts negatively on business
and government relations.
[Draft]
Risk Reference Card (excerpt from the department's Risk Management Framework 2015-16)