Commonwealth Fraud and Corruption Control Framework 2024: Effective Detection Mechanisms

The new Commonwealth Fraud and Corruption Control Framework

The Commonwealth Fraud and Corruption Control Framework 2024 is a comprehensive set of regulations and guidelines designed to help Australian Government entities effectively manage fraud and corruption risks. It consists of three main components:

• Fraud and corruption rule: A legislative instrument that sets out the minimum standards for managing the risk of fraud and corruption for all PGPA Act entities from 1 July 2024.
• Fraud and corruption policy: This policy is binding for all Non-Corporate Commonwealth Entities (NCEs) from 1 July 2024, outlining procedural requirements entities must implement to establish and maintain effective fraud control measures.
• Fraud and corruption guidance: Provides additional guidance on the Australian Government's expectations for fraud and corruption control arrangements, supporting the Fraud Rule and Fraud Policy.

The 2024 Framework has been updated to include a specific focus on corruption, expanding its application beyond fraud to detect and deal with corrupt conduct. It requires entities to have governance structures, responsible officials for managing risks, and periodic reviews of fraud and corruption controls. The amendments aim to align the Framework with Australian Government policies, and industry standards, and strengthen counter-fraud and corruption efforts.

The framework will come into effect on 1 July 2024.

Who is affected by the new framework?

All entities under the Public Governance, Performance and Accountability (PGPA) Act, including all PGPA Act entities, must adhere to the Commonwealth Fraud and Corruption Control Framework 2024. Additionally, the Fraud and Corruption Policy within the framework is binding for all Non-Corporate Commonwealth Entities (NCEs) from July 1, 2024, further expanding the scope of entities mandated to comply with the framework.

Why is a fraud and corruption control framework necessary?

A fraud and corruption control framework is essential to safeguard public resources, maintain transparency, and uphold the integrity of government operations. By implementing stringent regulations and guidelines, the framework aims to prevent the diversion of resources, ensure fair governance, and protect the public interest from fraudulent and corrupt activities

Amendments and updates

• Inclusion of corruption: The most significant change in the new framework is the broadening of its application to include corruption, aligning it with the National Anti-Corruption Commission.
• Enhanced oversight and governance: The amendments introduce new clauses requiring entities to establish governance structures, appoint officials responsible for managing fraud and corruption risks, and regularly review the effectiveness of their control measures.
• Support and resources: To assist entities in meeting their obligations under the amended framework, the Commonwealth Fraud Prevention Centre will release additional resources, including guidance, information sheets, webinars, and training sessions in early 2024.

Effective detection mechanisms to counter fraud and corruption

The Commonwealth Fraud and Corruption Control Framework emphasises the importance of detection mechanisms to identify fraud and corruption within Australian Government entities. Effective reporting mechanisms play a crucial role by enabling timely detection and appropriate responses to fraudulent activities. The framework outlines several key reporting mechanisms that are considered effective:

1. Mechanisms for detecting incidents: These mechanisms involve establishing processes and systems that can identify potential instances of fraud or corruption. This includes regular monitoring, data analysis, audits, and internal controls to flag any suspicious activities.
2. Investigation procedures: Reporting mechanisms should include clear procedures for investigating suspected incidents of fraud or corruption. This involves conducting thorough inquiries, gathering evidence, and following established protocols to ensure a comprehensive investigation.
3. Recording and reporting incidents: Entities are required to have systems in place to record and report incidents of fraud or corruption. This includes maintaining accurate records of investigations, outcomes, and any actions taken in response to detected incidents.
4. External reporting obligations: Effective reporting mechanisms extend to external reporting requirements. Entities must have processes in place to report incidents to relevant external entities such as law enforcement agencies, the National Anti-Corruption Commission, or the Commonwealth Director of Public Prosecutions as necessary.

By implementing robust detection and reporting mechanisms as outlined in the Commonwealth Fraud and Corruption Control Framework, Australian Government entities can enhance their ability to detect, investigate, and respond to instances of fraud and corruption effectively.

Fraud and Corruption Rule

The Fraud and Corruption Rule is a legislative instrument that sets out the minimum standards for accountable authorities of Commonwealth entities to manage the risk of fraud and corruption. It is binding for all entities subject to the Public Governance, Performance and Accountability Act 2013 (PGPA Act).

The Rule requires accountable authorities to take all reasonable measures to prevent, detect, and respond to fraud and corruption relating to their entity. This includes conducting regular risk assessments, developing and implementing control plans, reviewing the effectiveness of controls, ensuring appropriate governance structures and processes are in place, and having mechanisms for preventing, detecting, investigating, and reporting fraud and corruption incidents.

Fraud and Corruption Policy

The Fraud and Corruption Policy is an Australian Government policy that supports accountable authorities in effectively discharging their responsibilities under the Fraud and Corruption Rule. It is binding for all Non-Corporate Commonwealth Entities (NCEs) and is considered better practice for Corporate Commonwealth Entities (CCEs) and Commonwealth companies.

The Policy outlines the specific actions that the Australian Government considers necessary for accountable authorities to establish and maintain an appropriate system of fraud and corruption control. It covers eight key elements:

1. Conducting fraud and corruption risk assessments
2. Developing and implementing fraud and corruption control plans
3. Reviewing the effectiveness of controls
4. Establishing governance and oversight arrangements
5. Implementing prevention strategies
6. Establishing detection mechanisms
7. Investigating and responding to incidents
8. Recording and reporting fraud and corruption

The Policy provides detailed requirements for each element, which can be applied in a way that is proportionate to the level of fraud and corruption risk involved in an entity's activities and operating context. The Policy aims to protect public resources, maintain the integrity and reputation of entities and the Commonwealth, and ensure accountability in the implementation of fraud and corruption control arrangements.

Fraud and Corruption Guidance

The following sections break down the key elements of the framework's guidance, offering easy-to-understand explanations and recommendations. Entities can use this guidance as a reference tool to ensure compliance with the framework and strengthen their overall fraud and corruption control measures.

1. Risk assessments

Regular risk assessments enable organisations to develop an informed understanding of their exposure to fraud and corruption threats, implement tailored control plans, and ensure proper management of public resources as required by the PGPA Act.

Actionable steps:

• Conduct enterprise-level fraud and corruption risk assessments at least every 2 years or when substantial changes occur to get a holistic view across the entire entity
• Identify high-risk activities, functions, and programs and determine if targeted, in-depth risk assessments are needed
• Perform initial impact assessments during the design of new policies, programs, and initiatives to assess inherent risks and build in preventive controls
• Consider shared risks that may impact other entities and emerging risks by consulting stakeholders and enabling information-sharing
• Integrate fraud and corruption risk management with broader enterprise risk management processes
• Regularly monitor the fraud and corruption threat environment through various methods beyond scheduled assessments

2. Control plans

Control plans document existing and planned preventative, detective, and corrective controls, designated owners responsible for implementation and monitoring, and help ensure risks are mitigated proportionately.

Actionable steps:

• Develop a control plan after conducting enterprise or targeted fraud and corruption risk assessments
• Update control plans promptly when risk assessments are reviewed or new risks emerge
• Tailor control plans to the organisation's specific circumstances, risks and complexity
• Include existing controls that mitigate risks, new treatments to implement with timeframes, and assigned control owners
• Consider integrating control plans into broader business, risk or management plans
• Implement access controls and protective markings for control plans as they contain sensitive information
• Periodically review and monitor control plan relevance and effectiveness following risk assessment reviews

3. Effectiveness of controls

Regular control reviews allow organisations to proactively identify control gaps or weaknesses, challenge assumptions about control design and operating effectiveness, and provide assurance that prevention, detection and response efforts are adequate.

Actionable steps:

• Determine which critical controls to review based on the nature, velocity and severity of related risks
• Focus review efforts on controls for the highest-risk activities, functions and programs
• Tailor the depth and comprehensiveness of control reviews to the organisation's circumstances and risk exposure
• Understand fraud/corruption enablers and each control's design/purpose to develop appropriate review metrics
• Update risk assessments after control reviews to reflect updated residual risk levels
• Update control plans with any new/changed risk treatments required based on review findings

4. Governance and oversight

Effective fraud and corruption management requires an appropriate governance structure that is proportionate to the organisation's operating environment and integrated with its overall risk management framework. Strong governance helps ensure risks are overseen and managed effectively.

Actionable steps:

• Formalise governance arrangements proportionate to the organisation's risk profile and integrate them with the broader risk management framework
• Clearly define and document the roles and responsibilities of officials and bodies involved in prevention, detection, response and reporting
• Maintain appropriate fraud/corruption control capabilities focused on prevention, based on assessed risks and risk tolerance
• Ensure officials primarily engaged in fraud/corruption control have relevant qualifications/training and provide ongoing professional development
• Document the overall commitment, risk appetites, key roles, and arrangements for managing fraud/corruption risks (e.g. in a plan/handbook)
• Make governance information accessible to raise awareness among all staff, contractors and third parties

5. Prevention measures

Preventing fraud and corruption is the most efficient and cost-effective way to minimise risks and harmful consequences to entities. A strong prevention approach promotes a culture of integrity through training and awareness, designing robust controls into policies/programs from the outset, and exercising due diligence over third-party contractors/providers. Investing in prevention helps maintain public trust, avoid financial/reputational damage, and ensure program outcomes are achieved.

Actionable steps:

• Provide comprehensive fraud/corruption awareness and integrity training for all staff on an ongoing basis
• Embed fraud/corruption risk assessments into policy/program design and transformation initiatives
• Ensure staff involved in planning activities can identify/mitigate fraud and corruption risks
• Conduct thorough due diligence on third-party contractors/providers before engaging them
• Make prevention responsibilities clear to contractors and consider extending training to them
• Implement reporting mechanisms for staff, contractors and the public to raise concerns confidentially
• Promote an open organisational culture that encourages active fraud/corruption risk management

6. Detecting fraud and corruption

Effective fraud and corruption detection mechanisms are vital. Early detection enables intervention to minimise impacts. While reports from staff and the public are important, entities must also establish proactive detection activities focused on high-risk areas. These include monitoring, reviews, audits, data analytics and fraud/corruption loss measurement. Confidential reporting channels that protect disclosers must be established and actively promoted.

Actionable steps:

• Implement mechanisms for staff, contractors and the public to confidentially report suspected fraud/corruption.
• Promote and raise awareness of the reporting channels across the entity and externally
• Establish procedures to handle public interest disclosures in line with legislative requirements
• Conduct proactive detection activities like transaction monitoring, data analytics and fraud reviews
• Focus detection efforts and resources on the highest risk activities identified through risk assessments
• Consider data matching across internal/external data sources to identify potential issues
• Measure fraud and corruption losses to gauge the scale and nature of the problem

7. Investigation

Establishing appropriate mechanisms to investigate and respond to suspected fraud and corruption incidents is critical. Responses can range from administrative actions to criminal prosecutions and should be outlined in an incident response plan. Effective investigations followed by proportionate responses help minimise financial and reputational damage while demonstrating that fraud/corruption is treated seriously. Meeting reporting obligations to law enforcement and oversight bodies is also important.

Actionable steps:

• Develop an incident response plan covering decision criteria, communication protocols, agency referrals etc.
• Have mechanisms to investigate matters not accepted by AFP or NACC, potentially outsourcing investigations
• Report serious/complex fraud to AFP and suspected corruption by staff to NACC as required
• Ensure investigators meet minimum qualification standards set by the Australian Government Investigation Standard
• Take reasonable measures to recover financial losses through civil, administrative or criminal avenues
• Analyse incidents to identify control vulnerabilities and implement treatments in control plans
• Share relevant information on incidents with other affected entities while complying with disclosure regulations

8. Recording and reporting fraud and corruption

Effective recording and reporting mechanisms are critical for entities to capture data on fraud and corruption allegations, investigations, outcomes and estimated losses. This data provides insights into the threat environment and enables oversight of prevention, detection and response efforts. Comprehensive reporting increases transparency and assures the accountable authority that fraud/corruption is being appropriately managed in line with legislative requirements, including annual reporting to the Australian Institute of Criminology (AIC).

Actionable steps:

• Implement systems to accurately record all fraud/corruption allegations, investigations, responses and outcomes
• Prepare regular internal reports analysing fraud/corruption data for governance committees and executives
• Share information and intelligence on fraud/corruption risks and incidents with other entities where appropriate
• Report required annual fraud/corruption data and statistics to the AIC by the due date
• Notify the responsible Minister of significant fraud/corruption issues, risks, incidents and initiatives
• Consider reporting significant non-compliance matters to the Minister for Finance as required
• Leverage fraud/corruption data to identify trends, update risk assessments and optimise controls

How Elker helps in the detection and prevention of fraud and corruption

Elker is an anonymous reporting and case management tool designed to help Australian Commonwealth entities detect fraud and corruption effectively.

Elker can assist Commonwealth entities in meeting their obligations by providing a secure and confidential channel for employees, contractors, and the public to report suspected instances of fraud and corruption. Elker empowers individuals to report suspicious activities anonymously, without fear of retaliation, leading to the timely detection of fraud and corruption.

Elker's advanced case management system streamlines the investigation process, a critical component of the framework's requirements. When a report is submitted through Elker, the system allows the whistleblower to select the appropriate stakeholders to notify and provides avenues for secure two-way communication. This feature ensures that the details provided are comprehensive and actionable, even when the source remains anonymous. By facilitating efficient communication and collaboration during investigations, Elker supports Commonwealth entities in their efforts to thoroughly investigate and respond to incidents of fraud or corruption under the framework's guidelines.

If you would like to find out more, book a tour of the platform.