
Inquiry into Auditor-General's Reports on Internal Control Systems and Fraud Risk Management

Report No. 48

Finance and Administration Committee

August 2014



Finance and Administration Committee

Chair Mr Steve Davies MP, Member for Capalaba

Deputy Chair Mr Curtis Pitt MP, Member for Mulgrave

Members Mrs Liz Cunningham MP, Member for Gladstone

Dr Bruce Flegg MP, Member for Moggill

Mr Reg Gulley MP, Member for Murrumba

Mrs Freya Ostapovitch MP, Member for Stretton

Mr Mark Stewart MP, Member for Sunnybank

Staff Ms Deborah Jeffrey, Research Director

Dr Maggie Lilith, Principal Research Officer

Ms Lynette Whelan, Executive Assistant

Ms Debbie Mohi, Executive Assistant (from 8 October 2013 to 22 April 2014)

Ms Louise Johnson, Executive Assistant (from 30 April 2014 to 24 June 2014)

Ms Julie Fidler, Executive Assistant (from 8 August 2014)

Contact details Finance and Administration Committee

Parliament House George Street Brisbane Qld 4000

Telephone +61 7 3406 7576

Fax +61 7 3406 7500

Email [email protected]

Web www.parliament.qld.gov.au/fac

Acknowledgements

The Committee thanks those who briefed the Committee, gave evidence and participated in its inquiry. In particular the Committee acknowledges the assistance provided by the Department of the Premier and Cabinet, Queensland Treasury and Trade, Department of Science, Information Technology, Innovation and the Arts, Department of Housing and Public Works, Queensland Health, and the Public Trustee of Queensland. The Committee also wishes to acknowledge the assistance provided by the Auditor-General and staff from the Queensland Audit Office.


Contents

Abbreviations viii

Glossary ix

Chair’s Foreword xi

Recommendations xii

1 Introduction 1
1.1 Role of the Committee 1
1.2 Auditor-General reports reviewed 1
1.3 Inquiry Process 2
1.4 Report 2

2 Auditor-General Reports – Internal Control Systems 3
2.1 Report No. 5: 2012 Results of audits: Internal control systems 3
2.1.1 Audit objective and coverage 3
2.1.2 Summary of Audit results 4
2.1.3 Key recommendations in the Audit report 5
2.1.4 Departmental responses in the Audit report 6
2.2 Report No. 6: 2013-14 Results of audits: Internal control systems 7
2.2.1 Audit objective and coverage 7
2.2.2 Summary of Audit results 7
2.2.3 Key recommendations in the Audit report 8
2.2.4 Departmental responses in the Audit report 8
2.3 Report No. 1: 2014-15 Results of audit: Internal control systems 2013-14 10
2.3.1 Audit objective and coverage 10
2.3.2 Summary of Audit results 11
2.3.3 Key recommendations in the Audit report 12
2.3.4 Departmental responses in the Audit report 12

3 Auditor-General Reports – Fraud risk management 13
3.1 Audit objective and coverage 13
3.2 Summary of Audit results 13
3.3 Key recommendations in the Audit report 14
3.4 Departmental responses in the Audit report 14

4 Background – Internal Control Systems 15

5 Fraud Risk Management: Background 17

6 Guidance and role of central agencies 26

7 Financial controls 27
7.1 Effectiveness of financial controls 27
7.2 Control environment 28
7.3 Risk Management 28
7.4 Control activities 29
7.5 Information and communication 30
7.6 Monitoring and review 30
7.7 Committee comments 31

8 Fraud controls 32
8.1 Effectiveness of fraud controls 32
8.2 Effectiveness of prevention strategies 33
8.3 Committee comments 33
8.4 Policies and plans 33
8.5 Procurement and payment methods 34
8.6 Approval of expenditure 35
8.7 Monitoring and review 36
8.8 Recordkeeping controls for financial records 38
8.9 Trained and experienced staff 39
8.10 Continuous data analysis and monitoring 41
8.11 Committee comments 43

9 IT Governance 44
9.1 Identity Management and Email Services and Information and Communication Technology Consolidation 44
9.2 Committee Comments 47

10 Fraud control: setting the standard 48
10.1 Policy development 49
10.2 Management commitment 50
10.3 Awareness, education and training 51
10.4 Committee comments 53

11 Fraud control: tools and systems 54
11.1 Fraud risk assessments 55
11.2 Prevention: employment screening and due diligence 55
11.3 Detection: analysing data 56
11.5 Committee comments 58

12 Fraud control: Reporting and monitoring 59
12.1 Assessment 60
12.2 Investigations 60
12.3 Monitoring and statutory reporting 60
12.4 Committee comments 61

Appendices 62
Appendix A – Officers appearing on behalf of departments at the public hearing (Auditor-General Report No. 5: 2012 Internal Control Systems) – Wednesday 30 October 2013 63
Appendix B – Officers appearing on behalf of departments at the public hearing (Auditor-General Report No. 9: 2012-13 Fraud Risk Management) – Wednesday 2 April 2014 64
Appendix C – COSO internal control framework 65
Appendix D – Queensland Health Risk matrix 69


Abbreviations

ANAO Australian National Audit Office

CEO Chief Executive Officer

CFO Chief Financial Officer

CLT CEO Leadership team

CMC Crime and Misconduct Commission

COSO Committee of Sponsoring Organisations

DAFF Department of Agriculture, Fisheries and Forestry

DATSIMA Department of Aboriginal and Torres Strait Islander and Multicultural Affairs

DEHP Department of Environment and Heritage Protection

DETE Department of Education, Training and Employment

DEWS Department of Energy and Water Supply

DHPW Department of Housing and Public Works

DPC Department of Premier and Cabinet

DSITIA Department of Science, Information Technology, Innovation and the Arts

DTMESBCG Department of Tourism, Major Events, Small Business and the Commonwealth Games

EIC Education and Innovation Committee

FAA Financial Accountability Act 2009

FAC Finance and Administration Committee

FAR Financial Accountability Regulation 2009

FPMS Financial and Performance Management Standard 2009

GOCs Government owned corporations

HHS Hospital and Health Services

ICT Information and Communication Technology

ICTC Information and Communication Technology Consolidation

IDES Identity Management and Email Services

LSA Legislative Standards Act 1992

PSBA Public Safety Business Agency

PWC PricewaterhouseCoopers

QAO Queensland Audit Office

QGCIO Queensland Government Chief Information Office

QGEA Queensland Government Enterprise Architecture

QSS Queensland Shared Services

QTT Queensland Treasury and Trade

SAP Systems Applications and Products


Glossary

Acts All Acts referred to in this report refer to Queensland Acts unless otherwise specified

CITEC CITEC is the Queensland Government’s primary information and communication service provider

the Committee Finance and Administration Committee


Chair’s Foreword

This report presents a summary of the Committee’s inquiries into Auditor-General's Reports on Internal Control Systems and Fraud Risk Management. The Committee found during the course of its inquiries that the issues raised are interrelated and therefore agreed to present the findings of all four audit reports to encompass the issues examined.

The Committee wishes to stress the need for departments to be proactive in their management of fraud as this activity is a continually evolving process. The maintenance of internal controls is a substantial part of this process. The Committee also considered that testing of fraud and internal controls is essential in ensuring that systems are working as anticipated. It also considers that the sharing of information will assist both in promoting awareness and in ensuring that any lessons learned in one department are available to others.

The Committee has made thirteen recommendations aimed at assisting departments in combating fraud activity.

On behalf of the Committee, I wish to thank the Auditor-General and his staff and departmental officers for meeting with the Committee and for their cooperation in providing information to the Committee on a timely basis.

Finally, I would like to thank the other Members of the Committee and the committee secretariat for their hard work and support.

Steve Davies MP
Chair
August 2014


Recommendations

Recommendation 1 31

The Committee recommends that all significant information on internal controls is shared between departments, and that one department has the responsibility of disseminating this information.

Recommendation 2 31

The Committee recommends that the government continue to invest in the upgrading of IT systems to enable the use of automated delegations systems for financial transactions.

Recommendation 3 33

The Committee recommends that DPC and/or QTT continue to monitor the types of risk strategies being implemented in all departments.

Recommendation 4 40

The Committee recommends that DPC and QTT expand and continue to conduct fraud awareness training for all departments.

Recommendation 5 43

The Committee recommends that DPC coordinate with DSITIA to implement a standardised (whole-of-government) policy on IT controls, data analysis and monitoring.

Recommendation 6 43

The Committee recommends that DPC and DSITIA conduct a comprehensive review of all departments’ user access systems and procedures and to ensure that any weaknesses are identified and rectified.

Recommendation 7 47

The Committee recommends that DPC and/or QTT coordinate with DSITIA to regularly review data mining and data analytics capabilities in all departments.

Recommendation 8 53

The Committee recommends that departments conduct surveys to identify areas of concern or gaps, particularly where early warnings or ‘red flags’ have previously been ignored, and to ensure that policies or clear reporting avenues are available to employees, and that the learnings from these surveys be coordinated by DPC and/or QTT and shared with all departments.

Recommendation 9 53

Regular testing of fraud prevention protocols is also considered to be mandatory in each department. The Committee recommends that DPC and/or QTT liaise with all departments to conduct random testing of fraud prevention protocols.

Recommendation 10 53

The Committee recommends that DPC and/or QTT undertake an analysis of the level of fraud awareness in the departments and maintain statistical information on the reporting of suspected fraudulent activities as a record of vigilance in the workplace.


Recommendation 11 53

The Committee recommends that fraud awareness training be followed up with ongoing monitoring by DPC and/or QTT to ensure that employees’ awareness level remains consistently high in all departments.

Recommendation 12 58

The Committee recommends that DPC and/or DSITIA investigate the data analytics testing and to examine whether there is a whole-of-government sharing of information.

Recommendation 13 61

The Committee recommends that DPC and/or QTT investigate whether communications of outcomes of fraud investigations are being distributed to business units and all departments, and that a standard procedure for such communiques be implemented.


1 Introduction

1.1 Role of the Committee

The Finance and Administration Committee (the Committee) is a portfolio committee established by the Parliament of Queensland Act 2001 and the Standing Orders of the Legislative Assembly on 18 May 2012.[1] The Committee’s primary areas of responsibility are:

Premier and Cabinet; and

Treasury and Trade.

One of the functions of the Finance and Administration Committee (FAC), as prescribed in section 95 of the Parliament of Queensland Act 2001 is to consider the annual and other reports of the Auditor-General. In reviewing the reports the Committee invites the Auditor-General to provide briefings to highlight the key findings and issues.

These briefings enable the Committee to question the Auditor-General and provide the members with a better appreciation of the significance of issues raised. The Committee assesses issues together with agency responses and, if considered beneficial to the public interest, will examine the matter further. This examination may take the form of written responses, briefings/meetings or public hearings.

1.2 Auditor-General reports reviewed

The Auditor-General reports reviewed are Report No. 5: 2012 Results of audits: Internal control systems; Report No. 9: 2012-13 Fraud Risk Management; Report No. 6: 2013-14 Results of audits: Internal control systems; and Report No. 1: 2014-15 Results of audit: Internal control systems 2013-14.

The Auditor-General tabled Report No. 5: 2012 on 28 June 2012. The report summarises the results from the interim phase of the 2011-12 financial audits of departments, statutory bodies and government owned corporations. It also contains the results of audits where areas of control were emphasised during the audit process.

The Auditor-General tabled Report No. 9: 2012-13 on 19 March 2013. The report examined whether selected Queensland public sector agencies were effectively managing fraud risks. Recognised best practice criteria were used to assess the control measures in three agencies for preventing, detecting and responding to fraud.

The Auditor-General tabled Report No 6: 2013-14 on 19 November 2013. The report summarises the results of QAO’s initial control evaluations and of their selective testing of the financial reporting controls that operated within the 20 government departments during the 2012–13 financial year. These departments represent the bulk of the General Government Sector revenues and expenses.

The Auditor-General tabled Report No 1: 2014-15 on 11 July 2014. The report summarised the results of the QAO’s evaluations of the financial controls systems and selective testing of controls which operated within the 21 government departments during 2013-14 financial year. The effectiveness of delegation of financial responsibility in the 21 government departments was scrutinised and compared to five public sector agencies. The risk assessment process used by accountable officers in managing their respective entities’ financial risks was also examined in this audit.

These reports are available from the QAO web site https://www.qao.qld.gov.au/Reports-to-Parliament

[1] Parliament of Queensland Act 2001, s88 and Standing Order 194


1.3 Inquiry Process

The Committee of the Legislative Assembly considers the Auditor-General’s reports when they are tabled and then refers the report to the relevant parliamentary committee. Auditor-General’s Report No. 5: 2012, Report No. 9: 2012-13, Report No. 6: 2013-14 and Report No. 1: 2014-15 were referred to the Committee for consideration.

The Committee resolved to conduct an inquiry to consider the results of Auditor-General's Report No. 5 for 2012 Results of audits: Internal Control Systems on 28 June 2012. The Committee resolved to conduct an inquiry to consider the results of Auditor-General’s Report No 9: 2012-13 Fraud Risk Management on 5 June 2013. The Committee also agreed to incorporate the results of the audits included in Auditor-General’s Report Nos 6 for 2013-14 and 1 for 2014-15 as part of its inquiries.

The Committee agreed to invite the Education and Innovation Committee (EIC) to provide input into any or all of the topics examined in the report as that committee’s responsibility includes Information Technology. The Committee, jointly with the EIC, held a private briefing with officers from Queensland Auditor-General’s office on Wednesday 22 August 2012 to discuss the Auditor-General’s report.

Subsequent to this briefing, the Committee agreed to allow departments time to consider the Auditor-General’s report and to implement the Auditor-General’s recommendations. The Committee wrote to the Department of the Premier and Cabinet (DPC) in June 2013 to obtain an update on the Auditor-General’s recommendations outlined in the report.

The Committee held a public hearing with officers from DPC, Queensland Treasury and Trade (QTT), the Department of Science, Information Technology, Innovation and the Arts (DSITIA) and the Queensland Audit Office (QAO) on Wednesday 30 October 2013 regarding internal control systems.

The Committee held a public hearing with officers from QAO, Queensland Health, Department of Housing and Public Works (DHPW) and the Public Trustee of Queensland on Wednesday 2 April 2014 to discuss fraud risk management.

A list of officers who gave evidence at the public hearings is contained in Appendices A and B respectively. Transcripts from the hearings have been published on the Committee’s website and are available from the Committee secretariat.

1.4 Report

This report draws attention to the issues raised in the Committee’s examination of the Auditor-General’s Reports.

The Committee found during the course of its inquiries that the issues raised in the Auditor-General’s reports are interrelated. The Committee agreed to present the findings of all four audit reports to encompass the issues covered in the audits.

The recommendations in this report are addressed to the Premier, the Treasurer and Minister for Trade, the Minister for Science, Information Technology, Innovation and the Arts, the Minister for Health and the Minister for Housing and Public Works as the responsible ministers.


2 Auditor-General Reports – Internal Control Systems

2.1 Report No. 5: 2012 Results of audits: Internal control systems

2.1.1 Audit objective and coverage

The Auditor-General explained that internal controls operate at both financial transaction and account balance levels to produce reliable financial information and to ensure compliance with prescribed requirements. For these reasons, internal controls were examined as part of the audit of the selected entity’s financial statements.[2]

QAO used the Committee of Sponsoring Organisations of the Treadway Commission (COSO) model at the planning stage of the audit. This is because the planning stage is where it is determined ‘whether or not in design those controls exist and are likely to operate to reduce the risk of fraud or error’.[3] Refer to Appendix C for a full explanation of the COSO model.

The objective of the audit was to summarise the results from the interim phase of the 2011-12 financial audits of departments, statutory bodies and government owned corporations. The Auditor-General emphasised that the controls within the audited organisation or department are examined and, if they look effective, those controls are tested. He advised the Committee:

We only need to test controls that we intend to rely on as part of our financial audit. Hence the report we put into parliament is not a survey of all internal financial control. It is really only a report on those controls that we ended up looking at.[4]

The audit report contained the results of audits where areas of control were emphasised during the audit process, and the following areas were examined in greater detail because of their importance at that time:

Effectiveness of financial controls

Effectiveness of fraud controls

IT Governance

The elements of the COSO model may be tested where the controls are those relied on as part of a financial audit.

Hence the report we put into parliament is not a survey of all internal financial control. It is really only a report on those controls that we ended up looking at.[5]

The Auditor-General stated:

Our primary responsibility in fact in relation to this is to report back to the management of the entities. Under the auditing standards, if we find significant weaknesses in internal control we are bound to tell the management of the entity about those weaknesses whether we relied on them or not, and we give these risk ratings so that management can understand the significance of the weakness. We will either give it a high risk rating, which is something that is very serious and needs to be addressed very quickly, or we give it a moderate risk rating, which is something that says, ‘The control is not operating as intended or is not likely to have stopped the error occurring. It is something you should address as a matter of course but do it hopefully within the next few months.’ So that is the context of this report.[6]

[2] Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 7
[3] Mr Greaves, Transcript 30 October 2013: 2
[4] Mr Greaves, Transcript 30 October 2013: 2
[5] Mr Greaves, Transcript 30 October 2013: 2
[6] Mr Greaves, Transcript 30 October 2013: 2


2.1.2 Summary of Audit results

The report found that financial control weaknesses were identified in 25 (13 per cent) of the 196 departments, GOCs and statutory bodies audited, with 221 significant control issues reported to those charged with the governance of these entities, primarily entity boards and chief executives, or their equivalents. The report also noted that weaknesses in internal financial control would increase the risk of error, both intentional and unintentional.[7]

Figure 1 highlights the number of significant control weaknesses reported by type of entity.[8]

Figure 1: Significant control weaknesses reported
Source: Queensland Audit Office, Report No. 5: 2012 Internal Control Systems, June 2012: 10

The Auditor-General concluded that the number of control issues identified during the audits demonstrates that significant scope remains for improvement in this area of fundamental governance responsibility.

Audit Report No. 5 2012 assessed the following prevention criteria:

adequacy of fraud control policies and plans

whether procurement methods were linked to fraud risk

control over financial delegations

monitoring and review of vendor master files

control over payment documentation

provision of specific training on fraud prevention.[9]

In regards to the effectiveness of fraud controls, the assessment of entity fraud prevention strategies identified 11 departments as not having at least two of the six basic elements operating at a level to minimise the risk of fraud occurring.[10]

Nine of the 13 departments were reported to not have fraud control plans to identify key risks that needed to be monitored on an ongoing basis. In addition, seven of the 13 departments audited had not provided guidance to employees on procurement methods to be used to minimise fraud for the various types of expenses. Other findings included:

Around 17,000 departmental staff have a financial delegation, with between four per cent and 48 per cent of staff within individual departments having a financial delegation.

All departments had performed a recent review of their vendor master file to identify duplicate and redundant vendors.

[7] Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 1
[8] Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 10
[9] Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 17
[10] Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 1


No specific training was provided to employees in fraud control and prevention.

Nine of the 13 departments did not perform detailed analytical review or data mining procedures to highlight irregular or unusual transactions.[11]

Several internal control issues were identified during the audit. These included:

lack of criminal history checking

lack of controls over preventing duplicate payments

missing reports and documentation and

inadequate monitoring and checking that controls were operating effectively.

The Auditor-General considered that these issues may contribute to an environment where fraud can occur and remain undetected.
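The findings above name three controls only at the level of whether they existed: a review of the vendor master file for duplicate and redundant vendors, controls to prevent duplicate payments, and analytical review or data mining to highlight irregular transactions. The script below is an added illustration of what the first two of those checks look like when actually run; it is not code from the report, the QAO or any department. All vendor names, bank details and payment records are constructed for the example, and the matching rules (a shared bank account or normalised name for vendors; the same bank account, amount and invoice number within a 30-day window for payments) are assumptions chosen for the example rather than rules taken from the audit.

```python
"""Added example: duplicate-vendor and duplicate-payment checks of the kind a
department's internal audit or finance function might run as an analytical
review. All records below are constructed for illustration."""
import re
from collections import defaultdict
from datetime import date

# Constructed vendor master file. V001 and V002 are the same supplier entered
# twice with different spellings but the same bank account (an assumed scenario).
VENDORS = [
    {"id": "V001", "name": "Acme Supplies Pty Ltd", "bsb_account": "012345-11111111"},
    {"id": "V002", "name": "ACME Supplies", "bsb_account": "012345-11111111"},
    {"id": "V003", "name": "Brisbane Stationery", "bsb_account": "062000-22222222"},
    {"id": "V004", "name": "Outback Consulting", "bsb_account": "084000-33333333"},
]

# Constructed payment ledger. P1 and P2 settle the same invoice twice, once
# against each of the duplicate vendor records; P3 and P6 share an invoice
# number but are months apart and fall outside the default review window.
PAYMENTS = [
    {"ref": "P1", "vendor": "V001", "invoice": "INV-100", "amount": 4800.00, "paid": date(2012, 2, 1)},
    {"ref": "P2", "vendor": "V002", "invoice": "inv 100", "amount": 4800.00, "paid": date(2012, 2, 9)},
    {"ref": "P3", "vendor": "V003", "invoice": "INV-7", "amount": 120.50, "paid": date(2012, 2, 3)},
    {"ref": "P4", "vendor": "V004", "invoice": "INV-55", "amount": 2500.00, "paid": date(2012, 3, 2)},
    {"ref": "P5", "vendor": "V004", "invoice": "INV-56", "amount": 2500.00, "paid": date(2012, 3, 30)},
    {"ref": "P6", "vendor": "V003", "invoice": "INV-7", "amount": 120.50, "paid": date(2012, 6, 1)},
]


def normalise(text):
    """Lower-case, drop punctuation and common company suffixes, and collapse
    spaces, so that 'Acme Supplies Pty Ltd' and 'ACME Supplies' compare equal."""
    t = re.sub(r"[^a-z0-9 ]", " ", text.lower())
    t = re.sub(r"\b(pty|ltd|limited|inc|co)\b", " ", t)
    return " ".join(t.split())


def duplicate_vendors(vendors):
    """Vendor master file review: return groups of vendor ids that share a bank
    account or a normalised name, as a sorted list of sorted id tuples."""
    by_key = defaultdict(set)
    for v in vendors:
        by_key[("acct", v["bsb_account"])].add(v["id"])
        by_key[("name", normalise(v["name"]))].add(v["id"])
    groups = {tuple(sorted(ids)) for ids in by_key.values() if len(ids) > 1}
    return sorted(groups)


def duplicate_payments(payments, vendors, window_days=30):
    """Duplicate-payment check: flag consecutive payments of the same amount and
    invoice number to the same bank account within window_days. Keying on the
    bank account rather than the vendor id means a duplicate vendor record does
    not hide a duplicate payment. Returns sorted (earlier_ref, later_ref) pairs."""
    account_of = {v["id"]: v["bsb_account"] for v in vendors}
    by_key = defaultdict(list)
    for p in payments:
        key = (account_of[p["vendor"]], round(p["amount"], 2), normalise(p["invoice"]))
        by_key[key].append(p)
    flagged = []
    for group in by_key.values():
        group.sort(key=lambda p: p["paid"])
        for earlier, later in zip(group, group[1:]):
            if (later["paid"] - earlier["paid"]).days <= window_days:
                flagged.append((earlier["ref"], later["ref"]))
    return sorted(flagged)


def review(vendors, payments):
    """Run both checks and return a summary an auditor could act on."""
    return {
        "duplicate_vendor_groups": duplicate_vendors(vendors),
        "duplicate_payment_pairs": duplicate_payments(payments, vendors),
    }


if __name__ == "__main__":
    for check, hits in review(VENDORS, PAYMENTS).items():
        print(f"{check}: {hits}")
```

The two checks are deliberately linked: the payment check resolves each vendor id to its bank account first, so cleansing the vendor master file and reviewing payments are not independent controls, which is why the audit treated a vendor master file review as a fraud prevention element. The 30-day window is a tuning choice; widening it trades fewer missed re-payments for more legitimate recurring invoices to clear.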

Report No. 5 2012 noted that all departments had performed a review of their vendor master files during early 2012, in response to the fraud incident at Queensland Health.[12]

Two major IT programs – Identity Management and Email Services (IDES) and Information and Communication Technology Consolidation (ICTC) – were also examined as part of Report No. 5 2012. Audits of the governance of these two IT programs were conducted in 2010 and 2011, and there were recommendations for improvements to the management of these key IT infrastructure programs. The Auditor-General reported that benchmarks for benefits and pricing for both the IDES and ICTC programs were not put in place at the start of the programs, making it difficult to establish whether the current pricing is reasonable and whether the expected benefits will be realised.

2.1.3 Key recommendations in the Audit report

The Auditor-General made eight recommendations as follows:

1. All public sector entities should document their internal financial control framework and systemically assess its effectiveness.

2. Departments should establish fraud control plans targeted to their specific fraud risks.

3. Departments should establish guidance for staff as to what procurement methods should be employed for the different types of expenditure processed, following a risk assessment that includes consideration of fraud risk and the cost-effectiveness of control.

4. Departments should regularly review their financial delegations with a view to limiting them to only those employees who require it as part of their normal roles and responsibilities.

5. Departments should review their recordkeeping activities especially over electronic financial transactions, to maintain appropriate documentation trails.

6. Departments should provide specific fraud training to staff, customised to their particular fraud risks.

7. Departments should establish detailed analytical review or data mining procedures as a fraud detection countermeasure function of either internal audit or their finance function.

8. Accountability for the IDES and ICTC programs should be assigned to a system owner or sponsoring group able to make decisions on the future of these programs.[13]

[11] Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 15
[12] Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 17
[13] Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 2


2.1.4 Departmental responses in the Audit report

A copy of the report was provided to the DPC, QTT and the DSITIA with a request for comments to the Auditor-General. In their response, DPC stated that work was being undertaken at the whole-of-Government level. This work includes:

a review by all departments of their financial delegations

development of a training package for all departments in relation to the importance of internal controls, including early fraud warning signs and employee responses, to be facilitated by QTT and to be released by the end of June 2012

development of a better practice procurement and risk matrix by the Queensland Government Chief Procurement office to guide all departments by June 2012

vendor master data creation and cleansing controls have been reviewed by all departments (completed in February 2012) and remedial action taken, where appropriate

departments are undertaking an assurance audit of all fraud and corruption controls by 30 June 2012.[14]

QTT explained that they place ‘a high priority on the establishment and maintenance of robust, cost-effective internal controls and risk management practices within the public sector’.[15] Their response to the audit report also stated that:

…departments have been undertaking significant work to review and strengthen their internal controls. For example, financial delegations and vendor master data cleansing and creation controls have been reviewed and remedial action taken, where appropriate, detailed process mapping has been undertaken, and fraud and corruption controls audits based on guidelines issued by the Crime and Misconduct commission have been conducted.[16]

QTT provides support to departments and statutory bodies in a number of ways, in particular through the development of policy and guidance documents, such as the ‘Financial Accountability Handbook’, the ‘Financial Management Tools’, the ‘Statutory Body Guide’ and ‘A Guide to Risk Management’. QTT also facilitates monthly chief financial officer (CFO) meetings, which provide a network for CFOs to discuss topical issues of common interest. They reported that measures undertaken, and reinforced by the financial internal controls training, will mitigate some of the issues identified in the report.[17]

In response to the Auditor-General’s comments on training, QTT advised that the financial internal controls training package had been finalised and was being rolled out in the second half of 2012.[18] This training is further explained under the respective headings in the next section. In regards to detailed analytics or data mining, QTT advised that they undertake analysis over high-risk areas including corporate cards and Office of State Revenue transactions.[19]

DSITIA advised that they were undertaking an analysis of IDES, ICTC and CITEC’s financial and business model.20

14 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 31-32
15 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 34
16 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 34
17 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 34
18 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 35
19 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 35
20 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 36


2.2 Report No. 6: 2013-14 Results of audits: Internal control systems

2.2.1 Audit objective and coverage

Auditor-General’s Report No 6: 2013-14 summarises the results of initial control evaluations and of selective testing of the financial reporting controls that operated within 20 government departments during the 2012-13 financial year.

The Director-General of each department is responsible for establishing and effectively maintaining adequate financial control throughout the financial year. The CFO is required under the FAA to give a certificate each year to his or her Director-General that includes a statement about whether the department's financial internal controls are operating efficiently, effectively and economically.

The role of QAO is to examine beyond the certificate to establish whether it was underpinned by robust processes to provide adequate assurance to the Director-General. The QAO considers the internal controls capability of each entity when planning financial audits by first evaluating their design and implementation. Depending on the outcome of the initial evaluation, the operation of selected financial controls may be tested, but only if they are considered efficient and effective and can be relied on.21

The report recognises that the controls tested will vary between agencies and years; the controls over the use of corporate cards were considered in all departments.

The main theme in the report is the results of the QAO’s detailed assessment of the three primary mechanisms used by the Director-General of each department to monitor the health of their own internal control frameworks. These are:

CFO certifications

internal audit activities

audit committee oversight22

2.2.2 Summary of Audit results

Although the total number of control weaknesses identified has declined, the audit report noted that internal control structures are not yet as strong as they need to be for risk of fraud and material error to be reduced to acceptable levels.23

The control environment sets the context within which control activities are undertaken. While most aspects of the control environment in departments audited were sound, eight departments had policies and strategies that could be improved.24

The Auditor-General noted in particular:

…a high risk issue was raised with the Department of Community Safety about the department's corporate card policies and procedures, which are tailored to their routine operations rather than management of procurement of essential services in times of major emergency events like cyclones and floods. This is a high risk issue as management of these events is a prime function of the department.25

21 Queensland Audit Office, Report No. 6: 2013-14 Results of audits – Internal Control Systems, November 2013: 1
22 Queensland Audit Office, Report No. 6: 2013-14 Results of audits – Internal Control Systems, November 2013: 1
23 Queensland Audit Office, Report No. 6: 2013-14 Results of audits – Internal Control Systems, November 2013: 1
24 Queensland Audit Office, Report No. 6: 2013-14 Results of audits – Internal Control Systems, November 2013: 2
25 Queensland Audit Office, Report No. 6: 2013-14 Results of audits – Internal Control Systems, November 2013: 2


2.2.3 Key recommendations in the Audit report

The report notes that the control matters raised in the report have been represented separately to each department as required by auditing standards, with the intent that where weaknesses and areas for improvement have been identified, they take their own remedial action. Accordingly, no additional overall recommendations were included in the report.26

2.2.4 Departmental responses in the Audit report

A copy of Report No. 6: 2013-14 was provided to the following departments for comment:

Department of Aboriginal and Torres Strait Islander and Multicultural Affairs

Department of Agriculture, Fisheries and Forestry

Department of Communities, Child Safety and Disability Services

Department of Education, Training and Employment

Department of Energy and Water Supply

Department of Environment and Heritage Protection

Department of Health

Department of Housing and Public Works

Department of Justice and Attorney-General

Department of Local Government, Community Recovery and Resilience

Department of National Parks, Recreation, Sport and Racing

Department of Natural Resources and Mines

Department of Police and Community Safety

Department of the Premier and Cabinet

Department of Science, Information Technology, Innovation and the Arts

Department of State Development, Infrastructure and Planning

Department of Tourism, Major Events, Small Business and the Commonwealth Games

Department of Transport and Main Roads

Queensland Treasury and Trade27

Many organisations noted the Auditor-General’s report and recommendations and have either implemented relevant actions or were in the process of reviewing and applying actions where appropriate.

DPC and QTT have dual responsibilities as both independent departments and central agencies. The responses from these agencies were as follows:

26 Queensland Audit Office, Report No. 6: 2013-14 Results of audits – Internal Control Systems, November 2013: 5
27 Queensland Audit Office, Report No. 6: 2013-14 Results of audits – Internal Control Systems, November 2013: 59


Response provided by DPC dated 13 November 2013:

…The Department of the Premier and Cabinet (DPC) supports the direction of the report, noting that, while the number of control weaknesses has declined across government, there is still room for improvement in departmental control structures.

In relation to the key finding regarding the effective use of corporate purchasing cards, I advise the following:

DPC provides guidelines to officers on the preferred payment methods for the different types and quantum of expenditure. Currently all expenditure under $2000 is to be paid by corporate purchasing card, as opposed to direct invoice, with this process monitored by Financial Services on a daily basis. This ensures that the most cost effective payment method is chosen in every situation. However, DPC experiences some barriers to the use of corporate purchasing card, most commonly that suppliers do not accept the card as a form of payment. Over 95 per cent of low value (less than $2000) invoices paid by direct invoice are paid via that method because the supplier does not have facilities to accept the corporate purchasing card as payment. This limitation greatly restricts DPC's capacity to achieve the savings that you have outlined in your report.

In addition to this, DPC, together with Queensland Shared Services (QSS), has commenced the roll out of the SAP ECC eForm functionality. The eForm functionality will replace the paper based accounts payable process and automate the payment of supplier invoices. Indicative pricing provided by QSS is that the processing fee for direct invoices will drop to $9.40 per invoice, as opposed to the current pricing of $18.80. It is anticipated that this price may drop even further as the functionality is rolled out to more agencies. This automated process will result in significant savings for many departments…28

Response provided by QTT dated 15 November 2013:

…The report makes reference to Queensland Treasury in the context of the dual responsibilities currently assigned to the Chief Finance Officer (CFO).

The report emphasises that responsibilities of both the CFO and Head of Internal Audit (HIA), as prescribed in sections 77 and 78 of the Financial Accountability Act 2009 (the FA Act), need to be given an appropriate level of attention by the nominated officers. It also stresses that apart from their perceived and actual independence, it is not clear that one officer has the capacity to effectively discharge the delegated responsibility of both operations.

In 2012-13 the internal audit function of Treasury was outsourced to PriceWaterhouse Coopers (PWC). The CFO was nominated as the HIA. The appointment had due regard to the requirements for the appointee to be a public service employee, or other employee of the State, with professional membership of specific accountancy or internal audit bodies. The CFO was in the best position to ensure the operation of the function at an appropriate level within the department.

28 Queensland Audit Office, Report No. 6: 2013-14 Results of audits – Internal Control Systems, November 2013: 65


In giving effect to the appointment, Treasury was cognisant of concerns regarding the independence of the functions. In particular, the Financial Accountability Handbook prescribes that where the same officer does undertake both roles, to maintain an appropriate level of independence, the following should occur:

reports from the outsourced internal audit function should be submitted direct to the accountable officer and the internal audit provider should be given the opportunity to communicate directly with the accountable officer without the HIA in attendance; and

at least one meeting per year should be held between the internal audit function and the audit committee.

Both of these conditions have been met by Treasury and are documented in the Internal Audit Charter and the Audit and Risk Management Committee Charter. While I acknowledge your view that this may not be an appropriate model for Treasury, I am satisfied that in practical terms the independence has been provided for and the risks mitigated.

In this regard, the Government has a strong focus on ensuring value for money is obtained on all public sector expenditure. This has meant that a number of departments have moved to outsourced or co-sourced internal audit arrangements. Treasury has derived significant value from the expertise that PWC has been able to bring to the function.

Going forward, Treasury may suggest to Government that the FA Act be amended to allow an accountable officer to nominate a non-public service employee to the role of HIA, thus allowing the partner (or lead auditor) of the outsourced provider to assume the responsibilities outlined in the FA Act. The minimum qualifications would remain applicable to the person nominated to the HIA role. Your views on this would be appreciated…29

2.3 Report No. 1: 2014-15 Results of audit: Internal control systems 2013-14

2.3.1 Audit objective and coverage

The Auditor-General tabled Report No. 1: 2014-15 on 11 July 2014. This recent report summarised the results of the QAO’s evaluations of the financial control systems, and selective testing of controls, that operated within the 21 government departments during the 2013-14 financial year. The effectiveness of the delegation of financial responsibility in the 21 government departments was scrutinised and compared with five public sector agencies. The risk assessment process used by accountable officers in managing their respective entities’ financial risks was also examined in this audit.

Two agencies were excluded from this audit: the Public Safety Business Agency (PSBA) and Queensland Fire and Emergency Services, which were created in November 2013 as a result of the September 2013 Keelty review of emergency services.30

The Auditor-General considered the effectiveness of the financial information and compliance with prescribed requirements as part of the annual audit of each entity’s financial statements. The audit involved considering the design of the relevant controls under each of the five core elements of the integrated control structure. Each department’s key internal controls were reviewed and evaluated to assess their capacity to prevent and detect errors that may result in a material misstatement of the financial statements.31

29 Queensland Audit Office, Report No. 6: 2013-14 Results of audits – Internal Control Systems, November 2013: 66-67
30 Queensland Audit Office, Report No. 1: 2014-15 Results of audits: Internal Control Systems 2013-14, July 2014: 8
31 Queensland Audit Office, Report No. 1: 2014-15 Results of audits: Internal Control Systems 2013-14, July 2014: 6-7


Control deficiencies identified in the audit were assigned a risk rating as follows:

High risk – applied when a serious control weakness or breakdown in the operation of a key control or combination of key controls, indicating the risk of material error or fraud in the financial statements is unacceptably high has been identified. In these cases, management action and a detailed plan is required to be implemented within three months.

Moderate risk - applied when a significant control weakness or breakdown in the operation of a control that is not likely to prevent or detect the errors for which it was designed has been identified. A moderate risk rating requires management action with a detailed plan to be implemented within six months.

Low risk - applied when weaknesses or breakdowns of a procedural or housekeeping nature, and where controls relate to immaterial areas were identified in the audit. These require management action with a detailed plan to be implemented within twelve months.32

2.3.2 Summary of Audit results

The Auditor-General noted that there have been improvements to the control environment and that issues from prior years have been addressed.33 In respect of control activities, the audit reported a significant decrease in the number of departments with weaknesses. The improvement was attributed to the maturing of the financial control systems put in place since the machinery of government changes in 2012.34

Information systems security remains an area of audit concern. The key findings with regard to information systems security are:

Inadequate review of user roles and system access. Ineffectual segregation of duties across expenditure, payroll and revenue could increase the risk of errors or fraud being undetected as a single person may be able to process a transaction without independent checks.35

Users having inappropriate access to sensitive or restricted transactions which could result in fraud or information leaks.36

Vulnerability to external attack from the internet.37

Management of ‘privileged’ accounts, including restricting access to these accounts and monitoring of account activity.38
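The first and last of these findings describe a review that can be run mechanically against a user/role extract from the finance system: check each active user against a conflict matrix of functions that must not be combined, and check that every holder of a privileged role has a current access review. The following is an added example for this page, not code from the committee report, the QAO or any department. The role names, the conflict matrix, the user extract, the 180-day review interval and the review date are constructed assumptions; a real review would load the extract from the ERP or identity system and use the agency's own matrix.

```python
"""Segregation-of-duties (SoD) and privileged-account review over a user/role extract.

Added example for this page; not code from the committee report, the QAO or
any agency. The conflict matrix, role names, user extract and dates below are
constructed for illustration.
"""
from datetime import date

# Constructed conflict matrix: two functions one person must not hold together,
# spanning the expenditure, payroll and revenue cycles named in the audit finding.
SOD_CONFLICTS = {
    frozenset({"vendor_create", "invoice_approve"}),
    frozenset({"vendor_create", "payment_release"}),
    frozenset({"invoice_enter", "invoice_approve"}),
    frozenset({"payroll_master_edit", "payroll_run"}),
    frozenset({"receipt_cash", "receipt_post"}),
}

# Constructed names for privileged (system-wide) roles.
PRIVILEGED_ROLES = {"sap_all", "db_admin", "os_root"}

# Constructed user extract: (user_id, roles held, date of last access review, account active?)
USERS = [
    ("u.alpha",   {"vendor_create", "invoice_approve"},              date(2014, 3, 1),   True),
    ("u.bravo",   {"invoice_enter"},                                 date(2014, 3, 1),   True),
    ("u.charlie", {"payroll_master_edit", "payroll_run", "sap_all"}, date(2012, 11, 20), True),
    ("u.delta",   {"receipt_cash"},                                  date(2014, 3, 1),   True),
    ("u.echo",    {"db_admin"},                                      None,               False),
]

# Assumed review date: end of the 2013-14 financial year.
AS_OF = date(2014, 6, 30)


def sod_violations(users):
    """Map each active user to the sorted list of conflicting role pairs they hold."""
    found = {}
    for user, roles, _review, active in users:
        if not active:
            continue
        hits = sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= roles)
        if hits:
            found[user] = hits
    return found


def stale_privileged(users, as_of, max_age_days=180):
    """Active holders of a privileged role whose access review is missing or older than max_age_days."""
    stale = []
    for user, roles, reviewed, active in users:
        if not active or not (roles & PRIVILEGED_ROLES):
            continue
        if reviewed is None or (as_of - reviewed).days > max_age_days:
            stale.append(user)
    return stale


def orphaned_privileged(users):
    """Disabled accounts that still carry a privileged role; they should be de-provisioned, not merely disabled."""
    return [user for user, roles, _review, active in users
            if not active and roles & PRIVILEGED_ROLES]


if __name__ == "__main__":
    for user, pairs in sod_violations(USERS).items():
        print(f"SoD conflict: {user} holds {pairs}")
    print("privileged accounts without a current review:", stale_privileged(USERS, AS_OF))
    print("disabled accounts still holding privileged roles:", orphaned_privileged(USERS))
```

The conflict matrix is the part that needs agreement with the finance area: a pair is listed only when one person holding both halves could push a transaction through with no independent check, which is exactly the exposure the finding describes. Where a conflict cannot be removed in a small team, the output is the list of users for whom a compensating control (for example, independent review of the transactions they process) must be documented.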

The audit found that shared service arrangements are not documented to clarify respective responsibilities and performance expectations and that some entities are not monitoring their legal compliance obligations.39

32 Queensland Audit Office, Report No. 1: 2014-15 Results of audits: Internal Control Systems 2013-14, July 2014: 7
33 Queensland Audit Office, Report No. 1: 2014-15 Results of audits: Internal Control Systems 2013-14, July 2014: 10
34 Queensland Audit Office, Report No. 1: 2014-15 Results of audits: Internal Control Systems 2013-14, July 2014: 11
35 Queensland Audit Office, Report No. 1: 2014-15 Results of audits: Internal Control Systems 2013-14, July 2014: 9 & 11
36 Queensland Audit Office, Report No. 1: 2014-15 Results of audits: Internal Control Systems 2013-14, July 2014: 12
37 Queensland Audit Office, Report No. 1: 2014-15 Results of audits: Internal Control Systems 2013-14, July 2014: 2
38 Queensland Audit Office, Report No. 1: 2014-15 Results of audits: Internal Control Systems 2013-14, July 2014: 2
39 Queensland Audit Office, Report No. 1: 2014-15 Results of audits: Internal Control Systems 2013-14, July 2014: 9


The report identified areas of improvement since the previous audit of internal controls as follows:

Most departments have improved the design of the processes by better documenting how the process will work, consulting earlier with the Director-General and audit committees and clearly aligning and describing the significant financial reporting risks.40

The number of outstanding matters in regards to high-risk audit issues has significantly decreased. Some departments have instituted or are initiating internal or external peer review of their internal audit function as part of continuous improvement.41

Composition and number of audit committees have been addressed. Although one department has more than the maximum number of six members on its audit committee, this reflects the needs of the Director-General.42

The QAO noted that there has been an improvement since their 2007 survey of risk management but there were still 97 deficiencies identified across all elements of risk management control.43 Seventeen of the 24 entities reviewed have prepared strategic and operational plans and have updated operational and strategic risk registers for 2013-14. The risk management frameworks of the 24 entities satisfy minimum requirements but risks and treatments put in place to mitigate risks are not being reported nor actively monitored, reviewed or updated.44

The Auditor-General found that financial delegations across the entities are well aligned with their organisational structures and that the lines of authority to approve expenditure are clearly articulated. There is scope for improvement in the monitoring and review of financial delegations.45

2.3.3 Key recommendations in the Audit report

The control matters raised in the report have been represented separately to each department as required by auditing standards, with the intent that where weaknesses and areas for improvement were identified, each department takes its own remedial action.46 No separate recommendations were included in the report.

2.3.4 Departmental responses in the Audit report

Under section 64 of the Auditor-General Act, if the Auditor-General proposes to include a matter in a report to the Parliament, he must give written advice of the matter to the entity and include a fair summary of any response in the report.47

The written responses include commentary on recommendations addressed directly to the departments but not detailed in the report. The report includes responses from the following:

Minister for Environment and Heritage Protection;

Department of Communities, Child Safety and Disability Services (DCCSDS);

Department of National Parks, Recreation, Sport and Racing (DNPRSR);

Department of Science, Information Technology, Innovation and the Arts (DSITIA) and

The Public Trustee.

40 Queensland Audit Office, Report No. 1: 2014-15 Results of audits: Internal Control Systems 2013-14, July 2014: 13
41 Queensland Audit Office, Report No. 1: 2014-15 Results of audits: Internal Control Systems 2013-14, July 2014: 14
42 Queensland Audit Office, Report No. 1: 2014-15 Results of audits: Internal Control Systems 2013-14, July 2014: 14
43 Queensland Audit Office, Report No. 1: 2014-15 Results of audits: Internal Control Systems 2013-14, July 2014: 15
44 Queensland Audit Office, Report No. 1: 2014-15 Results of audits: Internal Control Systems 2013-14, July 2014: 15, 17
45 Queensland Audit Office, Report No. 1: 2014-15 Results of audits: Internal Control Systems 2013-14, July 2014: 27
46 Queensland Audit Office, Report No. 1: 2014-15 Results of audits: Internal Control Systems 2013-14, July 2014: 4
47 Auditor-General Act 2009, s64


Agencies were in agreement with the findings and confirmed where and what action was being taken to address the recommendations.

3 Auditor-General Reports – Fraud risk management

3.1 Audit objective and coverage

Auditor-General’s Report No. 9: 2012-13 is a performance audit on how fraud risk was being managed in three selected agencies following the audit Report No. 5 2012 titled Results of audits: Internal control systems.48

The Auditor-General reported that the Australian public sector had experienced more than 20 major frauds costing nearly $60 million. Report No. 9: 2012-13 highlighted that public sector staff cuts may compromise staff loyalty and commitment to corporate values. In addition, a lack of job security and major structural change can result in an increase in the opportunity and motivation to commit fraud. Effective fraud control strategies should be applied in those circumstances.49

The three agencies selected for audit were DHPW, Queensland Health and the Public Trustee. The audit which was conducted between May and November 2012 assessed:

how organisations prevent fraud from occurring in the first instance

how organisations discover fraud as soon as possible after it has occurred

how organisations respond appropriately to an alleged fraud when it is detected.50

These agencies were assessed against 15 best practice criteria which broadly covered prevention, detection and response.51 The Auditor-General outlined that the 15 attributes of best practice fraud control programs52 came from a range of sources including:

Australian Standard AS 8001-2008 Fraud and Corruption Control

the Australian National Audit Office’s Fraud Control in Australian Government Entities – Better Practice Guide 2011

the Crime and Misconduct Commission’s Fraud and corruption control: guidelines for best practice 2005.53

3.2 Summary of Audit results

The audit found that even though QTT provides broad guidelines on fraud prevention and detection in its Financial Accountability Handbook, there was no strategic whole-of-government approach to fraud control. The three agencies audited have different policies and processes for managing fraud risks, and there was also no clear documentation of who was responsible and/or accountable for fraud control. Position descriptions and performance management systems, even for officers in fraud control positions, did not include fraud and corruption control.54

48 Ms Campbell, Transcript 2 April 2014: 2
49 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 1
50 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 10
51 Ms Campbell, Transcript 2 April 2014: 2
52 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: Appendix B
53 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 7
54 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 2


The report outlined that one agency did not have a fraud control plan, and while all three agencies were in the process of developing fraud control documentation, some lacked communication strategies to raise staff awareness of fraud.55

Fraud risk assessments were not carried out routinely and a number of risks were identified in two of the agencies. Only one agency had dedicated data analytic capability. The audit undertook ‘fraud risk assessments at two of the agencies and identified a number of risks which could affect probity, transparency and value for money.’56

With regard to the response and monitoring processes of the fraud risk management framework, even though all three agencies have processes in place to manage and handle investigations, there was limited use of these capabilities to improve fraud prevention. In addition, there was little strategic use of the information in the three agencies’ records and statistical data kept on fraud.57

3.3 Key recommendations in the Audit report

The Audit report consisted of four recommendations as follows:

1. All public sector agencies should assess their fraud control program against the better practice principles in this report and, as required, implement a plan to address deficiencies identified by this self-assessment.

Where the following are not in place, agencies should:

2. conduct and regularly update their fraud risk assessments

3. implement routine data analytics over areas identified as inherently susceptible to fraud

4. use their fraud data to inform ongoing development of fraud control programs.58

3.4 Departmental responses in the Audit report

Queensland Health, DHPW, the Public Trustee of Queensland, Metro North, Metro South, Gold Coast, Cairns and Hinterland, Sunshine Coast and Townsville Hospital and Health Services were sent a copy of Report No. 9: 2012-13 for comment. Their full responses are shown in pages 30 – 40 of the audit report.

The Director-General Queensland Health acknowledged the key findings and advised that they recently completed a ‘Fraud Risk and Control Improvement Project’. Their department had also implemented the findings of the report. Queensland Health outlined that the outcomes of the project have led to significant improvements to the department’s approach to fraud risk management. The Director-General also noted that a Fraud and Corruption Working Group which focuses on sharing recent fraud related incidents, risk assessments, risk registers, data analytics and best practice to ensure all parts of the organisation have adequate fraud control coverage had been established.59 All recommendations from Report No. 9: 2012-13 had been implemented by the department.60

The Townsville Hospital and Health Services (HHS) agreed to develop a comprehensive plan to address the shortcomings in their governance framework and to review the remaining recommendations as an ongoing process.61

55 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 2
56 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 3
57 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 3
58 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 4
59 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 30
60 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 31
61 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 32-33


The Public Trustee of Queensland advised that work to implement the recommendations had advanced. For example, it had implemented various data analytical processes to review information for unusual or suspicious transactions.62

The Chief Executive Officer, Sunshine Coast HHS agreed with all the recommendations, with two of the four recommendations highlighted as ongoing processes.63

The Director-General, DHPW, supports the recommendations made but suggested two minor changes to the report. These were clarifications to comments on pages 21 and 25 of Report No. 9: 2012-13.64

The Chief Executive of Metro South HHS agreed with the recommendations and explained that a ‘Fraud Policy and Fraud Control Program’ was being developed with an anticipated completion date of 30 June 2013.65

4 Background – Internal Control Systems

Internal controls are the processes established, operated and monitored by an entity’s management. These processes may include elements such as policies, procedures and systems to assist with the preparation of accurate financial records, external and internal reports, preventing fraud or corruption and safeguarding assets. The CEO and the executive management team are responsible for establishing and maintaining internal controls.66

The Auditor-General considered that:

A strong control environment is one where written policies and procedures are enforced, internal controls are appropriately implemented and employees are educated about fraud and its consequences is one of the best deterrents and methods of curtailing fraud.67

Internal controls can also be effective in ensuring the entity is compliant with relevant laws and regulations and can assist in adapting to a changing business and operating environment.68

In 2005, the CMC published its best practice guidelines on fraud and corruption control. These guidelines were informed by a survey undertaken in 2004 titled ‘Profiling the Queensland public sector’. The best practice guidelines identify that the survey provided an insight into operational areas and functions perceived to have high fraud and corruption risk. These included financial functions such as the receipt of cash, revenue collection and payment systems, salaries and allowances, entertainment expenses along with procurement; and purchasing functions which included e-commerce activities, tendering, contract management and administration.69

The CMC’s guidelines also highlighted that internal controls are essential once an agency has established its risk profile and ‘an effective internal control system should safeguard agency assets, facilitate internal and external reporting and help the agency comply with relevant legislation’.70

62 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 34-36
63 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 37
64 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 38
65 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 40
66 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 5
67 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 5
68 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 5
69 Queensland Crime and Misconduct Commission, Fraud and Corruption control: guidelines for best practice, March 2005: 16
70 Queensland Crime and Misconduct Commission, Fraud and Corruption control: guidelines for best practice, March 2005: 24


Internal controls cannot guarantee that there will be no error or fraud in the entity but processes in place can help reduce the risk of error and fraud and provide guidelines for entities and stakeholders as well as instil public confidence. Internal controls also increase the likelihood of detecting issues in a timely manner. The Auditor-General stated:

….internal financial controls are a subset of all internal controls, and together internal financial controls operate to reduce the risk of fraud or error in financial statements, but they do not and cannot eliminate all risks altogether. The cost of attempting to do that would outweigh any benefits in terms of trying to improve the reliability of financial reporting.71

However, having a balanced approach to managing risk is the key to successfully achieving an entity’s objectives, as excess control may not add any value (Figure 2).72 For example, the Auditor-General noted:

Some entities now require three executives to certify and authorise expenditure above $1,000. The questions then asked are: how long is it now taking to process payments when you need three executives to sign off on a payment …. and what extra cost is this adding to the processing?73

Figure 2: Approach to risk. Source: KPMG Australia, The KPMG Review Internal Control: A Practical Guide, October 1999: 15

Entities are responsible for ensuring that effective internal control measures are put in place. In particular, accountable officers are required to establish and maintain appropriate systems of internal controls.

The following legislation applies:

Financial Accountability Act 2009 (FAA) (section 61) – Accountable Officers are to ensure the operations of the department are carried out efficiently, effectively and economically and are to establish and maintain appropriate systems of internal controls.

Financial and Performance Management Standard 2009 (FPMS) (section 8) – Departments are to establish cost-effective internal control structures.

71 Mr Greaves, Transcript 30 October 2013: 2
72 KPMG Australia, The KPMG Review Internal Control: A Practical Guide, October 1999: 15
73 Mr Greaves, Transcript 30 October 2013: 3


Section 77 of the FAA outlines the role of the chief finance officer (CFO) as follows:

(1) Each accountable officer must -

(a) nominate either of the following to be the person responsible for the financial administration of the department (the chief finance officer) -

(i) an appropriately qualified employee of the accountable officer’s department;

(ii) with the approval of the Treasurer – an appropriately qualified public service employee or other employee of the State; and

(b) delegate to the chief finance officer the following responsibilities for the department (the minimum responsibilities) -

(i) financial resource management including the establishment, maintenance and review of financial internal controls;

(ii) budget management;

(iii) preparation of financial information including annual financial statements to facilitate the discharge of the department’s statutory reporting obligations;

(iv) provision of advice on the effectiveness of accounting and financial management information systems and financial controls in meeting the department’s requirements;

(v) provision of advice concerning the financial implications of, and financial risks to, the department’s current and projected services;

(vi) development of strategic options for the department’s future financial management and capability.

5 Fraud Risk Management: Background

Fraud is broadly defined as ‘dishonestly obtaining a benefit by deliberate deception or other means’.74 The dishonest activity can include the deliberate falsification, or concealment, destruction or use of falsified documentation for normal business purpose or the improper use of information or position.75

Section 408C of the Criminal Code Act 1899 defines fraud as:

(1) A person who dishonestly –

(a) applies to his or her own use or to the use of any person –

(i) property belonging to another; or

(ii) property belonging to the person, or which is in the person’s possession, either solely or jointly with another person, subject to a trust, direction or condition or on account of any other person; or

(b) obtains property from any person; or

74 Commonwealth of Australia, Attorney-General’s Department, Commonwealth Fraud Control Guidelines, March 2011: 5
75 Standards Australia, Fraud and Corruption Control (AS 8001 – 2008), 2008


(c) induces any person to deliver property to any person; or

(d) gains a benefit or advantage, pecuniary or otherwise, for any person; or

(e) causes a detriment, pecuniary or otherwise, to any person; or

(f) induces any person to do any act which the person is lawfully entitled to abstain from doing; or

(g) induces any person to abstain from doing any act which that person is lawfully entitled to do; or

(h) makes off, knowing that payment on the spot is required or expected for any property lawfully supplied or returned or for any service lawfully provided, without having paid and with intent to avoid payment; commits the crime of fraud.

Since 1993 KPMG has undertaken a biennial Fraud Survey. The latest survey, undertaken in 2012, found that between 1997 and 2012 reported fraud had increased from $105 million to $373 million per annum. KPMG identified that fraud is fluid and it is critical for organisations to understand this and that their frameworks must evolve as creatively as the crime evolves.76

The Auditor-General advised that fraud in public sector agencies can cause not only financial loss but also reputational damage. In addition, fraudulent activity can affect employee morale and undermine the public’s confidence in the delivery of public services.77

Fraud and misconduct can occur in the following categories of risk:

Fraudulent financial reporting – improper revenue recognition, overstatement of assets or understatement of liabilities

Misappropriation of assets – embezzlement, payroll fraud, external theft, procurement fraud, royalty fraud, counterfeiting

Revenue or assets gained by fraudulent or illegal acts – over-billing customers, deceptive sales practices, accelerated revenue, bogus revenue

Expenses or liabilities avoided by fraudulent or illegal acts – tax fraud, wage and hour abuses, falsifying compliance data provided to regulators

Expenses or liabilities incurred for fraudulent or illegal acts – commercial or public bribery, kickbacks

Other misconduct – conflicts of interest, insider trading, discrimination, theft of competitor trade secrets, antitrust practices, environmental violations.78

76 KPMG Australia, Survey of fraud, bribery and corruption in Australia and New Zealand, 2013: 6
77 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 5
78 KPMG Australia, Fraud risk management: Developing a strategy for prevention, detection, and response, 2006: 4


KPMG identified evidence showing that the size of fraud is proportional to the size of an organisation, and that the more complex the structure of an organisation, the more vulnerable it is to fraudulent activity. It was reported that over 83 per cent of fraud committed between 1997 and 2012 occurred in organisations which had over 1,000 employees (Figure 3).79 This highlights that it is more difficult and more expensive to maintain adequate control systems in large, complex organisations.

Figure 3: Total fraud by organisation size. Source: KPMG Australia, Survey of fraud, bribery and corruption in Australia and New Zealand, 2013: 7

The KPMG survey of 281 (private and public sector) organisations revealed that even though the majority of fraud is committed by an internal person (usually an employee), a significant proportion of fraud is committed by external offenders (Figure 4).80 This is most likely influenced by industry type; for example, credit card fraud can be a major challenge for financial organisations as are false insurance claims for the insurance sector.81

Figure 4: Major fraud by perpetrator type (% of incidents). Source: KPMG Australia, Survey of fraud, bribery and corruption in Australia and New Zealand, 2013: 9

79 KPMG Australia, Survey of fraud, bribery and corruption in Australia and New Zealand, 2013: 7
80 KPMG Australia, Survey of fraud, bribery and corruption in Australia and New Zealand, 2013: 9
81 Ferguson, C., Fraud in Australia, Insights, Melbourne Business and Economics: Volume 12, November 2012: 1, http://insights.unimelb.edu.au/vol12/07_Ferguson.html [22 August 2014]


Males were responsible for 68 per cent of reported frauds and 88 per cent of major frauds by value (i.e. the larger sums) (Figure 5).82

Figure 5: Number and value of major frauds by gender, 2006 - 2012. Source: KPMG Australia, Survey of fraud, bribery and corruption in Australia and New Zealand, 2013: 10

KPMG’s data, collected over a 10-year period, show that there has been a shift in the motivation for committing fraud. Greed or lifestyle was the main motivation prior to 2010, but personal financial pressure has now become the main motivation, in particular since the global financial crisis.83

An earlier study, in 2010, found that the greatest threat to an organisation from potential fraudulent activity is through poor internal controls and/or overriding of internal controls that are in place. Figure 6 shows that 32 per cent of fraud committed in 2010 was from poor internal controls with 22 per cent from internal controls being overridden by the fraudster.84

Figure 6: Factors contributing to the largest fraud incident. Source: KPMG Australia, Fraud and Misconduct Survey 2010, Australia and New Zealand, 2010: 12

82 KPMG Australia, Survey of fraud, bribery and corruption in Australia and New Zealand, 2013: 10
83 KPMG Australia, Survey of fraud, bribery and corruption in Australia and New Zealand, 2013: 12
84 KPMG Australia, Fraud and Misconduct Survey 2010, Australia and New Zealand, 2010: 12


The above study reported that 42 per cent of fraud committed was detected through internal controls,85 which highlights the importance of an effective fraud risk management program.

The results from the 2013 KPMG survey also indicated that more needs to be done in terms of creating effective fraud risk management in many of the organisations examined. In particular, the data in the study showed that ‘red flags’ were being ignored and organisations needed to improve their fraud prevention strategies.86

QTT’s Guide to Risk Management, produced in 2011, provides an overview of the key concepts of risk management and guidelines for all agencies in managing risk. QTT outlines that effective risk management:

improves planning processes by enabling the key focus to remain on core business and helping to ensure continuity of service delivery

reduces the likelihood of potentially costly ‘surprises’ and assists with preparing for challenging and undesirable events and outcomes

contributes to improved resource allocation by targeting resources to the highest level risks

improves efficiency and general performance

contributes to the development of a positive organisational culture, in which people and agencies understand their purpose, roles and direction

improves accountability, responsibility, transparency and governance in relation to both decision-making and outcomes. This is particularly important for public sector agencies, which exist to deliver beneficial outcomes for the Queensland Government, industry and the community, and

adds value as a key component of decision-making, planning, policy, performance and resource allocation, when subject to continual improvement.87

Section 61 of the Financial Accountability Act 2009 (FAA) stipulates that all agencies are to establish and maintain appropriate risk management systems.

QTT’s guide outlines the relationship between risk management principles, framework and process (Figure 7).

85 KPMG Australia, Fraud and Misconduct Survey 2010, Australia and New Zealand, 2010: 12
86 KPMG Australia, Survey of fraud, bribery and corruption in Australia and New Zealand, 2013: 26
87 Queensland Treasury and Trade, A Guide to Risk Management, July 2011: 7


Figure 7: Relationship between risk management principles, framework and process. Source: Queensland Treasury and Trade, A Guide to Risk Management, July 2011: 7

The principles contained in the QTT guide were taken from AS/NZS ISO 31000, which is the Standard prepared by Joint Standards Australia/Standards New Zealand Committee OB-007, Risk Management.

A summary of these principles is as follows:

1. Creates and protects value

Good risk management contributes to the achievement of an agency’s objectives through the continuous review of its processes and systems.

2. Be an integral part of organisational processes

Risk management needs to be integrated with an agency’s governance framework and become a part of its planning processes, at both the operational and strategic level.

3. Be part of decision making

The process of risk management assists decision makers to make informed choices, identify priorities and select the most appropriate action.

4. Explicitly address uncertainty

By identifying potential risks, agencies can implement controls and treatments to maximise the chance of gain while minimising the chance of loss.

5. Be systematic, structured and timely

The process of risk management should be consistent across an agency to ensure efficiency, consistency and the reliability of results.


6. Based on the best available information

To effectively manage risk it is important to understand and consider all available information relevant to an activity and to be aware that there may be limitations on that information. It is then important to understand how all this information informs the risk management process.

7. Be tailored

An agency’s risk management framework needs to include its risk profile, as well as take into consideration its internal and external operating environment.

8. Take into account human and cultural factors

Risk management needs to recognise the contribution that people and culture have on achieving an agency’s objectives.

9. Be transparent and inclusive

Engaging stakeholders, both internal and external, throughout the risk management process recognises that communication and consultation is key to identifying, analysing and monitoring risk.

10. Be dynamic, iterative and responsive to change

The process of managing risk needs to be flexible. The challenging environment we operate in requires agencies to consider the context for managing risk as well as continuing to identify new risks that emerge, and make allowances for those risks that no longer exist.

11. Facilitate the continual improvement of organisations

Agencies with a mature risk management culture are those that have invested resources over time and are able to demonstrate the continual achievement of their objectives.88

In September 2013, the CMC published its report on its examination of a $16.69 million fraud committed on Queensland Health. The report provides comment on key learnings from the experience. The report notes that the situation at Queensland Health demonstrated that an agency having in place a full range of governance systems, management mechanisms and regulatory frameworks could still be subject to fraud by an employee intent on subverting the system.89

The key learnings include:90

Any agency can harbour a high-risk employee

Overseas criminal history check was not undertaken and a fabricated CV and academic credentials were not verified.

Detailed knowledge of the different financial systems and mechanisms involved in disbursing large amounts of funding in one of Queensland’s largest and most complex departments was used to personal advantage.

Camouflaging criminal activity by disarming suspicion, taking advantage of relationships with colleagues and avoiding awkward questions.

88 Commonwealth of Australia, Australian National Audit Office, Fraud Control in Australian Government Entities Better Practice Guide, Fraud Control Strategies – Overview, March 2011: 31
89 Crime and Misconduct Commission, Fraud, financial management and accountability in the Queensland public sector: An examination of how a $16.69 million fraud was committed on Queensland Health, September 2013: 27
90 Crime and Misconduct Commission, Fraud, financial management and accountability in the Queensland public sector: An examination of how a $16.69 million fraud was committed on Queensland Health, September 2013: 27-28


Supervisors, managers, colleagues and subordinates should be alert to patterns of inappropriate or difficult behaviours and manage them promptly and objectively.

Internal weaknesses will put agencies at risk

low levels of compliance with existing policy and procedures by other staff – the policies and procedures were broadly adequate to ensure a reasonable level of probity. However, staff failed either to follow policies and procedures in relation to approving expenditure or to understand the principles they represented. Staff did not see the importance of thorough cross-checking and the requirement for two signatures on forms as a fraud control mechanism. Staff who are responsible for signing or countersigning documents need to understand that each signature amounts to a statement by the signer that they have checked the details of the proposal and are satisfied that it is legitimate and in accordance with the proper business and procedures of the agency.

failure of financial management and accountability – normal financial reporting processes were side-stepped and supervisors failed to challenge the failure to submit reports. Control of a cost centre was retained after leaving the position responsible for it. Separation of accounting functions, a key financial control mechanism, was not adhered to: the same officer held budget accountability and was responsible for preparing the budget reports.

failures in supervision and management – a fundamental function of supervisors and managers is to ensure that the conduct and work performance of those employed at public expense are of a satisfactory quality and must be objectively assessed. Inappropriate workplace behaviour should not be dismissed as personal eccentricity.

inadequate change management processes that failed to identify risk and failed to provide an effective follow-up review process – any organisational restructure which leads to changes in roles and responsibilities should, as a matter of course, include a clarification of roles and responsibilities, an analysis of changes in procedure and workflow following from it and a detailed analysis of the risk exposures which the change entails. Deficiencies in this process led to the roles and responsibilities not being clearly understood and resulted in the retention of responsibility for a cost centre, which allowed the fraud to continue.

low awareness of the risk of fraud among staff at all levels – supervisors and subordinates failed to consider the possibility of misconduct or internal fraud by a staff member. Behaviours which are generally regarded as indicators of probable fraudulent activity were dismissed. These behaviours include: repeated submission of urgent payment requests without adequate documentation; continuing failure to produce appropriate documentation despite serious questions being raised by audit; jealous retention of functions or files related to a previously held position; and poor workplace conduct and performance generally, such as erratic attendance, missed deadlines and poor-quality work.


failure to properly investigate information provided in audits and complaints and evaluate it in a wider context – important indicators of fraudulent activities were received including formal complaints that questioned honesty and internal and external audits that identified financial irregularities or non-compliance with policies. There was a failure to: link all complaints about an officer; conduct thorough inquiries; identify potential patterns of questionable behaviour; consider a complaint in the context of all the information available in a workplace, rather than responding to issues in isolation; recognise that complaints are not just a matter for an ethical standards unit, but are of equally vital concern to supervisors, managers and senior managers; and be alert to the possibility that even a longstanding and familiar staff member might be committing fraud.
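Several of the weaknesses listed above (a second signature missing, a requester signing their own form, repeated urgent requests without documentation, a cost centre retained after leaving the position, and one officer both holding budget accountability and preparing the budget reports) can be checked mechanically against payment and cost-centre records. The following is an added example, not code from the CMC report or from the Committee; the record layout, officer names, cost-centre codes, positions and amounts are constructed for illustration.

```python
"""Segregation-of-duties and dual-authorisation checks over payment records.

Added example: the record layout, officer names, cost-centre codes and
amounts below are constructed for illustration and do not come from the
CMC report or from Queensland Health.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    ref: str
    cost_centre: str
    requester: str
    approvers: tuple          # officers who signed or countersigned the form
    amount: float
    urgent: bool = False
    documented: bool = True   # supporting documentation attached?


@dataclass(frozen=True)
class CostCentre:
    code: str
    owner: str                # officer with budget accountability
    report_preparer: str      # officer who prepares the budget reports


# Constructed sample data. j.doe has moved from "Team Leader, Grants" to a
# new position but still controls CC-17 and prepares its budget reports.
PAYMENTS = [
    Payment("PV-1001", "CC-17", "j.doe", ("a.lee", "m.ng"), 48000.0),
    Payment("PV-1002", "CC-17", "j.doe", ("j.doe", "a.lee"), 250000.0,
            urgent=True, documented=False),
    Payment("PV-1003", "CC-17", "j.doe", ("a.lee", "a.lee"), 120000.0,
            urgent=True, documented=False),
    Payment("PV-1004", "CC-22", "s.khan", ("m.ng", "a.lee"), 9000.0,
            urgent=True, documented=True),
]
COST_CENTRES = [
    CostCentre("CC-17", owner="j.doe", report_preparer="j.doe"),
    CostCentre("CC-22", owner="s.khan", report_preparer="r.ortiz"),
]
# Position register: the position each officer currently holds, and the
# position that is accountable for each cost centre.
CURRENT_POSITIONS = {"j.doe": "Principal Project Officer",
                     "s.khan": "Finance Manager",
                     "r.ortiz": "Finance Officer"}
COST_CENTRE_POSITIONS = {"CC-17": "Team Leader, Grants",
                         "CC-22": "Finance Manager"}


def check_payment(p, min_signatures=2):
    """Red flags on one payment: too few distinct signatures, self-approval,
    or an urgent request with no supporting documentation."""
    findings = []
    distinct = set(p.approvers)          # two signatures by one person count once
    if len(distinct) < min_signatures:
        findings.append(f"{p.ref}: {len(distinct)} distinct signature(s), "
                        f"{min_signatures} required")
    if p.requester in distinct:
        findings.append(f"{p.ref}: requester {p.requester} signed own request")
    if p.urgent and not p.documented:
        findings.append(f"{p.ref}: urgent payment without documentation")
    return findings


def repeated_undocumented_urgent(payments, threshold=2):
    """Officers who repeatedly submit urgent requests without documentation."""
    counts = Counter(p.requester for p in payments
                     if p.urgent and not p.documented)
    return {who: n for who, n in counts.items() if n >= threshold}


def check_cost_centre(cc, current_positions, cc_positions):
    """Separation of accounting functions and retained-control checks."""
    findings = []
    if cc.owner == cc.report_preparer:
        findings.append(f"{cc.code}: {cc.owner} both holds budget "
                        "accountability and prepares the budget reports")
    expected = cc_positions[cc.code]
    if current_positions.get(cc.owner) != expected:
        findings.append(f"{cc.code}: owner {cc.owner} no longer holds "
                        f"'{expected}' but retains control of the cost centre")
    return findings


def run_checks(payments, cost_centres, current_positions, cc_positions):
    """Every finding as a list of strings; an empty list means no red flags."""
    findings = []
    for p in payments:
        findings.extend(check_payment(p))
    for who, n in sorted(repeated_undocumented_urgent(payments).items()):
        findings.append(f"{who}: {n} urgent requests without documentation")
    for cc in cost_centres:
        findings.extend(check_cost_centre(cc, current_positions, cc_positions))
    return findings


if __name__ == "__main__":
    for line in run_checks(PAYMENTS, COST_CENTRES, CURRENT_POSITIONS,
                           COST_CENTRE_POSITIONS):
        print(line)
```

On the constructed data the checks raise seven findings, all of them against the officer and cost centre that mirror the weaknesses described above, and none against the compliant payments.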

The CMC identified five main areas in which agencies should be particularly vigilant and made recommendations in each of these areas as follows:91

Financial management

That agencies redesign their grants/outsourcing/expenditure arrangements, to include due diligence to establish that organisations receiving public monies are suitable for, and capable of, delivering the required services.

That agencies redesign their grants/outsourcing/expenditure payment processes, to ensure that payments of public monies cannot be made or continue to be made without clear demonstration that detailed delivery requirements have been met.

Managerial standards and accountability

That agencies implement policies and programs to ensure that:

1. Candidates for roles with management or supervisory responsibilities are positively vetted for a skill-set appropriate to the role.

2. Existing officers with supervisory or management roles have proper skills in and understanding of the functions and duties of effective supervision.

3. Agencies initiate programs to manage and remedy the performance of managers who fail to effectively perform their supervisory functions.

Acceptance of gifts and benefits

That agencies undertaking restructures or other organisational changes implement a strict productivity and risk based analysis of work flows, procedures and accountabilities to ensure that local and overall efficiency is not compromised.

Fraud awareness and prevention

In light of the QAO reports and Queensland Health investigation, that agencies as a matter of urgency:

1. Undertake a full review of their fraud control and awareness policies and procedures, ensuring that these are up to date and that there is effective alignment between governance controls and actual work processes.

2. Undertake a systematic implementation of fraud awareness training for all staff, appropriate to their function and level.

91 Crime and Misconduct Commission, Fraud, financial management and accountability in the Queensland public sector: An examination of how a $16.69 million fraud was committed on Queensland Health, September 2013: 31-35


6 Guidance and role of central agencies

Fraud and corruption is covered by a range of legislation, policies and public sector standards and guidelines.92 The issue has also been investigated, both generically and when specific instances arise, by QAO, central and other agencies. Of concern to the Committee was whether adequate action had been taken subsequent to the audits and other investigations.

Several different publications are available to assist departments or organisations to achieve effective and efficient internal control strategies. For example, QTT released the Financial Accountability Handbook in 2009 following the implementation of the FAA, the Financial and Performance Management Standard 2009 (FPMS) and the Financial Accountability Regulation 2009 (FAR). The handbook acts as a guide for departments and statutory bodies to meet their obligations under the financial legislative framework. These obligations include the development and application of effective and economical internal controls in the management of financial resources within a department or statutory body.93

Online guides are available; for example QTT and DPC collaborated on ‘A Guide to Risk Management’ which provides guidance in the identification and management of agency, cross-agency and whole-of-Government risks.94 Other resources include reports from the QAO (e.g. Report to Parliament No. 6 for 2007, Beyond Agency Risk) and CMC Guides (e.g. CMC’s Guide for Dealing with Suspected Official Misconduct in Queensland Public Sector Agencies and Guidelines for Best Practice).

In June 2013 the Committee wrote to DPC and QTT seeking further information and an update on departmental actions following the Auditor-General’s recommendations. The Committee sought clarification on a number of issues such as implementation or actions being undertaken to address the concerns in Report No. 5 2012.

DPC and QTT responded jointly in July 2013 outlining their role as central agencies. DPC advised that in addition to supporting and advising the Premier and Cabinet, they are responsible for providing leadership for the Queensland public sector.95 QTT is responsible for budget and finance matters and administers the Financial Accountability Act 2009 (FAA) and its subordinate legislation. The FAA outlines the functions of accountable officers, including the responsibility ‘to establish and maintain appropriate systems of internal control and risk management’. Under this legislation, responsibility and accountability for internal controls rests with the accountable officer of the department (i.e. the Director-General or Chief Executive Officer).96

DPC drew attention to the CMC’s Fraud and corruption control: guidelines for best practice which provided guidance to agencies.97

QTT advised the Committee that, despite its role in providing guidance tools, frameworks and documentation, each agency’s audit and risk management committee ought to examine that ‘material and work out which risks are applicable to them and make that judgement about how much it is sensible to invest in mitigating that risk’.98

DPC emphasised that internal controls are an integral part of the governance of a department, and the chief financial officer is delegated responsibility for the establishment, maintenance and review of financial internal controls.

92 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 8
93 Queensland Treasury and Trade, Financial Accountability Handbook: Information Sheet 3.1 – Risk, Identification and Management: 1
94 Queensland Treasury and Trade, Financial Accountability Handbook: Message from the Under Treasurer, November 2012
95 Correspondence from Mr J Grayson, Director-General, DPC to FAC dated 30 July 2013: 1
96 Correspondence from Mr J Grayson, Director-General, DPC to FAC dated 30 July 2013: 2
97 Correspondence from Mr J Grayson, Director-General, DPC to FAC dated 30 July 2013: 2
98 Mr Beavers, Transcript 30 October 2013: 3


DPC explained that since the audit there has been a particular focus on internal controls in departments and that the government had already undertaken to address some of the issues. DPC advised that a joint letter from DPC and QTT was sent to all accountable officers summarising their responsibilities under the legislation and policies in regard to internal controls. DPC also stated:

….. all departments were encouraged to undertake a reassessment of their governance framework and internal controls.99

The Committee was also informed that the CEO Leadership Team (CLT) was the appropriate body for overseeing the actions of departments with respect to internal controls. It is the responsibility of the accountable officers to provide quarterly updates directly to the CLT.100

The subsequent audit of internal controls by the QAO in 2014 noted the improvements that the audited departments had made to their control environment and that issues from prior years had been addressed.101 The Auditor-General advised the Committee that he was satisfied that the overall number of control issues had reduced since the 2012-13 audit. He added:

I was pleased because what that means is that the internal control systems are maturing in the government organisations that we audit. We take from that indicator that they are strengthening, which does not eliminate the risk of fraud but certainly reduces or goes towards reducing the risk of fraud.102

7 Financial controls

7.1 Effectiveness of financial controls

Internal controls include the systems, policies and activities established by public sector entities to ensure the effectiveness and efficiency of their operations, reliability of financial reporting, and compliance with applicable legislation.103

QTT’s Financial Accountability Handbook considers that internal controls comprise financial internal controls and non-financial internal controls.

Financial internal controls (for example, payment approvals and authorisations, financial delegations, processing of remittances, banking requirements, and accounting reconciliations) assist in ensuring that an agency’s financial transactions are appropriately authorised, processed and recorded.

Non-financial controls include controls and processes applicable to agency information systems and operational requirements that are used to achieve agency objectives and delivery of agency services, and include:

internal accounting controls, which are guidelines and procedures related to the keeping of books and records, and

administrative accounting controls, which are those controls that ensure agency transactions are processed in accordance with management’s general or specific authorisations.104

99 Correspondence from Mr J Grayson, Director-General, DPC to FAC dated 30 July 2013: 3
100 Correspondence from Mr J Grayson, Director-General, DPC to FAC dated 30 July 2013: 3
101 Queensland Audit Office, Report No. 1: 2014-15 Results of audits: Internal Control Systems 2013-14, July 2014: 10
102 Mr Greaves, Transcript 15 July 2014: 55
103 Queensland Audit Office, Report No. 5: 2012 Internal Control Systems, June 2012: 9
104 Queensland Treasury and Trade, Financial Accountability Handbook: Information Sheet 3.2, November 2012: 2


QTT also outlined that internal controls should include procedures or mechanisms that:

review risk profiles on a regular basis

ensure compliance with internal policies and procedures

ensure compliance with applicable laws, regulations and accounting standards

reduce the possibility of error, fraud or other irregularities through processes such as delegations of authorities and segregation and rotation of duties, and

ensure that activities underpinning agency objectives are complete, correctly recorded in the agency’s financial system and ultimately reflected in the agency’s financial and performance reports.105

As there is no ‘one-size-fits-all’ set of internal controls, each public sector entity is responsible for developing measures for managing the risks to which their operations are exposed.106

The Auditor-General noted that the financial audit assessment is made up of key internal controls over the reliability of financial reporting, and that any weaknesses identified are raised with management for corrective action.107

7.2 Control environment

One of the categories of internal controls is the control environment, which incorporates an organisation's attitude towards control and reflects its core beliefs and values. COSO considers the control environment to be the foundation for all other components of internal control, in that it provides discipline and structure.108

The Auditor-General emphasised the importance of planning and accountability documents in providing an organisation’s goals, strategies and policies in managing their finances and information system security.109

Areas of concern included incomplete ICT strategic plans, disaster recovery plans or strategic asset management plans and lack of documented and approved ICT policies and procedures.110

The Committee sought information from the departments regarding internal control procedures for security clearance levels and security of workplaces. In most departments, electronic security identification (ID) access passes are issued to staff and visitors are issued with passes after checking of ID. In addition, some departments undertake pre-employment criminal history checks.111

7.3 Risk Management

The COSO framework emphasises that risks from both internal and external sources must be assessed. The identification and analysis of relevant risks forms the basis for determining how those risks should be managed.112

The Auditor-General added that it is not only important to identify and manage risks but to formulate responses to deal with them if the risks eventuate. In addition, committing to risk management will result in sound management practice and increase community confidence.113

105 Queensland Treasury and Trade, Financial Accountability Handbook: Information Sheet 3.2, November 2012: 2
106 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 9
107 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 9
108 COSO, Internal Control – Integrated Framework Executive Summary, 1992: 2
109 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 10
110 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 10
111 Correspondence from Mr J Grayson, Director-General, DPC to FAC dated 30 May 2014
112 COSO, Internal Control – Integrated Framework Executive Summary, 1992: 2
113 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 11


The audit found that the areas of concern related to monitoring risks and their treatment, and managing the risks to IT systems.114

7.4 Control activities

Control activities are the policies and procedures that help ensure management directives are carried out. They occur at all levels and in all functions of an organisation and include activities such as approvals, authorisations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.115

The Auditor-General advised that effective controls can provide early warning of weaknesses or susceptibility to error, support for timely reporting and the early identification of irregularities.116

Major issues identified included inadequate segregation of key duties across expenditure and payables, employee expenses and benefits, and revenue and receivables. This increases the risk that a single user has access to two or more functions within a process, which can enable inappropriate activity such as fraudulent payments or misappropriation. The audit also noted inadequate expenditure approvals, with instances of duplicate vendors and duplicate payments identified; inadequate control over employment appointments and a lack of criminal history checks prior to employment; and a lack of control over the management of inventory discrepancies.117

In the most recent audit, the Auditor-General noted that departments continue to use manual authorisation of expenditure. A manual authorisation consists of a paper-based expenditure voucher which requires the delegate's signature, supported by the name and position title of the signing officer. The expenditure voucher usually requires a second signature from a recommending officer, which adds an extra layer of protection. Expenditure vouchers are then processed, based on these elements being present on the documentation.118

The audit report noted that:

A limitation of manual authorisation is the reliance on the user's knowledge of the correct and appropriate use of financial delegations. Signatures can also be forged so fraudulent transactions can be processed. 'One for one' checks of signature specimens are generally not conducted to confirm the identification of the authorising officer.

With a manual system of financial delegations, entities cannot analyse the approval of transactions easily. This can affect management's ability to review whether financial delegations are being used efficiently and effectively within the organisation.119

The Auditor-General stated that the analysis of authorisations through IT systems is not constrained by the inherent limitations of a manual, paper-based voucher system, and that access to approve expenditure transactions can be restricted to the appropriate individual financial delegates, limiting both financial delegation errors and opportunities for fraud.

114 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 11
115 COSO, Internal Control – Integrated Framework Executive Summary, 1992: 2
116 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 11
117 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 11
118 Queensland Audit Office, Report No. 1: 2014-15 Results of audits: Internal Control Systems 2013-14, July 2014: 33
119 Queensland Audit Office, Report No. 1: 2014-15 Results of audits: Internal Control Systems 2013-14, July 2014: 33


Other potential benefits of IT based systems over manual authorisation include:

system segregation of duties for recommending and approving transactions

automated, system-controlled approval workflows for financial transactions

a complete electronic audit trail from purchase to pay

the ability to analyse and report the efficiency and effectiveness of the use of financial delegations within the entity.120
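The controls the Auditor-General lists above (system-enforced delegation limits, segregation of the recommending and approving roles, an append-only audit trail and a usage report for delegations) are easier to reason about in code. The following is an added example written for this page; it is not code from the Committee's report or from any Queensland agency's SAP or workflow system. The officer names, delegation limits, vouchers and vendor are constructed for illustration.

```python
"""Added example, not code from the Committee's report or any agency system:
a minimal automated expenditure-approval workflow of the kind the
Auditor-General contrasts with paper vouchers. Delegation limits, officer
names and vouchers are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Delegation:
    officer: str
    position: str
    limit: float         # highest single transaction the delegate may approve
    active: bool = True  # withdrawn delegations stay in the register but cannot approve


@dataclass
class Voucher:
    voucher_id: str
    amount: float
    vendor: str
    recommended_by: Optional[str] = None
    approved_by: Optional[str] = None
    status: str = "draft"  # draft -> recommended -> approved


class ApprovalWorkflow:
    """Recommend/approve steps with system-enforced delegation limits,
    segregation of duties and an append-only audit trail."""

    def __init__(self, delegations: List[Delegation]) -> None:
        self.delegations: Dict[str, Delegation] = {d.officer: d for d in delegations}
        # (timestamp, voucher_id, actor, action, outcome); never edited after append
        self.audit_trail: List[Tuple[str, str, str, str, str]] = []

    def _log(self, voucher: Voucher, actor: str, action: str, outcome: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_trail.append((stamp, voucher.voucher_id, actor, action, outcome))

    def recommend(self, voucher: Voucher, officer: str) -> bool:
        if voucher.status != "draft":
            self._log(voucher, officer, "recommend", "rejected: voucher not in draft")
            return False
        voucher.recommended_by = officer
        voucher.status = "recommended"
        self._log(voucher, officer, "recommend", "ok")
        return True

    def approve(self, voucher: Voucher, officer: str) -> bool:
        """Approve only if the officer holds an active delegation that covers the
        amount and is not the officer who recommended the same voucher."""
        delegation = self.delegations.get(officer)
        if voucher.status != "recommended":
            outcome = "rejected: voucher not recommended"
        elif delegation is None or not delegation.active:
            outcome = "rejected: no active financial delegation"
        elif voucher.amount > delegation.limit:
            outcome = f"rejected: amount exceeds delegation limit {delegation.limit:.2f}"
        elif officer == voucher.recommended_by:
            outcome = "rejected: recommending officer cannot also approve"
        else:
            voucher.approved_by = officer
            voucher.status = "approved"
            self._log(voucher, officer, "approve", "ok")
            return True
        self._log(voucher, officer, "approve", outcome)
        return False

    def delegation_usage(self) -> Dict[str, int]:
        """Approvals per delegate; zeros reveal delegations that may not be needed."""
        counts = {officer: 0 for officer in self.delegations}
        for _, _, actor, action, outcome in self.audit_trail:
            if action == "approve" and outcome == "ok":
                counts[actor] += 1
        return counts


def run_demo() -> Tuple[ApprovalWorkflow, Dict[str, object]]:
    """Constructed scenario exercising each control; returns the outcomes."""
    wf = ApprovalWorkflow([
        Delegation("alice", "Director", 50000.0),
        Delegation("bob", "Manager", 10000.0),
        Delegation("carol", "Former Manager", 10000.0, active=False),  # delegation withdrawn
    ])
    v1 = Voucher("V-001", 8500.0, "Acme Stationery Pty Ltd")
    v2 = Voucher("V-002", 25000.0, "Acme Stationery Pty Ltd")
    v3 = Voucher("V-003", 4000.0, "Acme Stationery Pty Ltd")
    r: Dict[str, object] = {}
    wf.recommend(v1, "dave")
    r["v1_bob"] = wf.approve(v1, "bob")        # within limit, different officer
    wf.recommend(v2, "dave")
    r["v2_bob"] = wf.approve(v2, "bob")        # exceeds bob's limit
    r["v2_alice"] = wf.approve(v2, "alice")    # alice's limit covers it
    wf.recommend(v3, "bob")
    r["v3_bob"] = wf.approve(v3, "bob")        # recommender cannot approve
    r["v3_carol"] = wf.approve(v3, "carol")    # withdrawn delegation
    r["v3_alice"] = wf.approve(v3, "alice")
    r["usage"] = wf.delegation_usage()
    r["audit_entries"] = len(wf.audit_trail)
    return wf, r


if __name__ == "__main__":
    _, results = run_demo()
    for key, value in results.items():
        print(key, value)
```

Every rejected attempt is logged alongside the successful ones, which is what makes the analysis the Auditor-General describes possible: the same trail that proves a payment was properly authorised also shows who tried to exceed a limit or approve their own recommendation, and which delegations were never exercised.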

7.5 Information and communication

COSO highlighted the importance of identifying, capturing and communicating pertinent information in a form and timeframe that enables people to carry out their responsibilities in an organisation.121 COSO states that:

Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business. They deal not only with internally generated data, but also information about external events, activities and conditions necessary to informed business decision-making and external reporting.122

The Auditor-General outlined that prior audits in 2010 and 2011 had identified significant weaknesses in the management of IT risks within departments and weaknesses in network security. Half of the departments audited at that time had not adequately progressed recommendations to improve their controls over computer networks. The 2011 audit also reported that a whole of government IT business continuity management strategy to prioritise system recovery in the event of a disaster had not been implemented. Since then, the Queensland Government Chief Information Office produced a draft whole of government business continuity management and disaster recovery implementation framework, although this framework is incomplete.123

7.6 Monitoring and review

Monitoring of internal controls involves assessing the quality of the systems’ performance and their effectiveness over time. COSO suggests that:

Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures.124

Areas of concern identified in the audit related to ongoing monitoring activities which should occur in the course of an entity’s operations. These included inadequate monitoring and review of reports and processes across non-current assets, expenditure and payables, employee expenses and benefits, and information systems. The monitoring and review weaknesses meant that detecting unauthorised or inappropriate transactions was more difficult.125

120 Queensland Audit Office, Report No. 1: 2014-15 Results of audits: Internal Control Systems 2013-14, July 2014: 33
121 COSO, Internal Control – Integrated Framework Executive Summary, 1992: 2
122 COSO, Internal Control – Integrated Framework Executive Summary, 1992: 2
123 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 12-13
124 COSO, Internal Control – Integrated Framework Executive Summary, 1992: 3
125 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 13


The Committee sought information from departments on whether electronic financial transactions are recorded and retained, and what internal control protocols apply to them. The departmental response indicated that the majority of financial transactions are recorded in the relevant IT system, including SAP, which provides an audit trail and reporting capability. Minimum retention periods are set by Queensland State Archives.126

7.7 Committee comments

The Committee notes that all departments had been encouraged to undertake a reassessment of their governance and internal controls and that the CLT is being provided with respective departmental actions.

The Committee was pleased that Report No. 1: 2014-15 showed a significant decline in the number of control weaknesses and an improvement in financial controls in all departments. It is, however, unclear whether improvement strategies are currently shared between departments and whether significant information on internal controls is disseminated to DPC or QTT. The Committee considers that sharing information between all departments is useful in highlighting areas of internal control that require attention within respective departments.

Recommendation 1

The Committee recommends that all significant information on internal controls is shared between departments, and that one department has the responsibility of disseminating this information.

The Committee considers that the use of an automated delegations system for financial transactions rather than a manual based system would limit errors and reduce the capacity for fraudulent activity. The Committee also considers that an automated delegations system could be utilised when data analysis is undertaken. However, any automated delegations system needs to be supported by an adequate system of ensuring that delegations remain both accurate and current.

The Committee is aware that some departments are in the process of upgrading their information systems to incorporate automated workflow systems for the financial transactions which enables the use of automated delegations.

Recommendation 2

The Committee recommends that the government continue to invest in the upgrading of IT systems to enable the use of automated delegations systems for financial transactions.

126 Correspondence from Mr J Grayson, Director-General, DPC to FAC dated 30 May 2014


8 Fraud controls

8.1 Effectiveness of fraud controls

The importance of an effective system of internal controls as both a preventative and detective countermeasure to the incidence of fraud has been regularly highlighted in Auditor-General’s reports.127

An effective fraud control framework comprises the implementation of a number of key control strategies, which are interdependent. ANAO highlights that these strategies should be subjected to a process of review and enhancement to remain effective.128

Report No. 5 2012 highlighted that fraud is an ever-present and ongoing risk in the management of public sector assets so the strategies that departments have to prevent and detect fraud were also examined.129

The Auditor-General emphasised that internal controls are responsible for detecting around half of all frauds, but that the effectiveness of internal control structures within departments is being increasingly challenged because of:

regular transfers of functions and staff both within departments, and as part of machinery of government changes - there have been four significant restructures in the past six years increasing the risk that lines of responsibility, authority and accountability become blurred thereby weakening the control environment

the loss of experienced and key staff through voluntary separation programs - during the current financial year in excess of 4,200 non front-line departmental staff have accepted a voluntary separation package leading to a heightened risk of loss of corporate knowledge and experience in the ‘back office’ where most internal financial control activities operate

the need to do more with less as required by budget savings - increasing the risk that resources will be diverted from necessary internal control monitoring measures, such as internal audit.130

A 2010 survey of 214 organisations from the private and public sectors found that 42 per cent of frauds were detected through internal controls.131 Given that internal controls play such a significant role in detecting fraud, departments need to place more emphasis on them.

QTT responded to the audit agreeing that the MOG changes under way at the time had exposed staff to unfamiliar systems, and acknowledged that the loss of experienced staff could result in weaker internal controls.132 Since then, QTT has been actively providing fraud awareness training to staff through different avenues, including online options.133

127 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 16
128 Commonwealth of Australia, Australian National Audit Office, Fraud Control in Australian Government Entities Better Practice Guide, Fraud Control Strategies – Overview, March 2011: 25
129 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 15
130 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 16
131 KPMG Australia, Fraud and Misconduct Survey 2010 Australia and New Zealand, 2010: 12
132 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 34
133 Mr Beavers, Transcript 30 October 2013: 5


8.2 Effectiveness of prevention strategies

One of the key objectives in a fraud risk management approach is prevention. Controls are designed to reduce the risk of or prevent fraud from occurring in the first instance.134 Prevention of fraud should be an integral part of the organisation and is more than management establishing a set of policies, plans and procedures to be complied with by a department.135

QTT’s 2011 report ‘A Guide to Risk Management’ suggests that an agency’s risk strategies should work in conjunction with its risk profile. Once the profile has been established, a risk matrix can be developed. Risk matrices should be specific to the agency and also to the division, branch, work unit or project.

At its public hearing, the Committee was advised that Queensland Health had developed a comprehensive risk matrix which outlines the area of consequence in the event of a risk occurring.136 A copy of this matrix is contained in Appendix D.

8.3 Committee comments

The Committee is concerned by the challenges to internal control structures highlighted by the Auditor-General. As internal controls play a significant role in detecting fraud, the Committee believes that management in all departments should encourage ongoing vigilance. The Committee also encourages QTT and DPC to continue to provide fraud-awareness training as an ongoing exercise rather than relying on online presentations.

In departments (or divisions within departments) where there are significantly higher risks of fraud, the Committee considers that more detailed risk management strategies should be developed. The Committee sought an update from each of the departments on their fraud control plans. The Committee believes that all departments have taken some steps to address internal control and to put fraud control plans in place. The Committee also notes that the Auditor-General stated in Report No. 1: 2014-15 that, with improved internal control structures now in place, departments are able to focus on making their internal control systems more efficient.

Recommendation 3

The Committee recommends that DPC and/or QTT continue to monitor the types of risk strategies being implemented in all departments.

8.4 Policies and plans

A fraud control policy or plan is developed during the fraud risk management process, and should be reviewed at least every two years.

Effective monitoring of an entity’s fraud control strategies is invaluable in assessing the continued relevance and priority of the strategies in place. ANAO has identified two key questions that should be asked when monitoring and reviewing any fraud control plan:

Is it up to date?

Is it effective?137

134 KPMG Australia, Fraud Risk Management: Developing a Strategy for Prevention, Detection, and Response, 2010: 11-12 & 27
135 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 16
136 Correspondence from Ms S Middleditch, Deputy Director-General, Department of Health to FAC dated 16 April 2014: 1
137 Commonwealth of Australia, Australian National Audit Office, Fraud Control in Australian Government Entities Better Practice Guide, Fraud Control Strategies – Overview, March 2011: 75-76


Report No. 5 2012 emphasised that an effective fraud control plan sets out a department’s strategies for the prevention, detection and investigation of fraud and clearly identifies:

the consequence and likelihood of potential fraud risks occurring in the department

an assessment of fraud risks after considering the effectiveness of existing internal controls in preventing fraud

an action plan to reduce fraud risk to an acceptable level.138

The audit found that a majority of departments (nine of the 13 audited) did not adequately address one or more of these criteria in their fraud control plans. The Auditor-General recommended that fraud control plans be established in all departments.139

The Committee requested an update on the implementation of fraud control plans in all departments. DPC coordinated a response from all departments. The majority of departments outlined that they have implemented a fraud control plan or fraud control framework. Two departments reported that their fraud control plans had been completed but were undergoing approval or implementation.140

8.5 Procurement and payment methods

QTT’s Financial Accountability Handbook outlines the ways in which procurement can occur; for example through the use of purchase orders, direct invoices, corporate cards or petty cash. Each of these has different risks, benefits and administrative costs.141

It was reported that over the 18 months to December 2009 the most common incidents of fraud occurred in payroll, procurement and expenses. The fraud ranged from false invoicing, bribery and kickback schemes to inventory theft and the supply of substandard goods.142

Some of the common ‘red-flags’ to be alert for in procurement fraud include:

Poor or non-existent record keeping.

Higher price/lower quality goods.

Excessive entertaining of procurement staff by suppliers.

Deviations in communications between procurement staff and suppliers, such as calls or text messaging to mobile phones.

Procurement staff demanding extended periods of notice before they allow an audit to take place.143

The Auditor-General explained that the organisational structures of some of the largest departments in the Queensland public sector involve multiple lines of authority, complex financial delegations and remote transaction processing. The report found that the departments audited had not adequately assessed the fraud risk associated with different procurement and payment methods.144

138 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 17
139 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 17
140 Correspondence from Mr J Grayson, Director-General, DPC to FAC dated 30 May 2014
141 Queensland Treasury and Trade, Financial Accountability Handbook: Information Sheet 3.15 – Fraud Control, October 2013: 3
142 Deloitte Forensic, Preventing procurement fraud and corruption, 2009: 2
143 Deloitte Forensic, Preventing procurement fraud and corruption, 2009: 2
144 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 17


In addition, purchases of and payments for goods and services are most commonly made by corporate credit card, by direct invoice or by purchase-order-based payment. The report outlined:

The direct invoice method involves the purchase of an item and financial approval after the date of purchase, while for the purchase order method, financial approval of purchases is made before a purchase occurs. Corporate credit cards are usually limited to low value, low risk or infrequent transactions to limit the risk of misuse.145

The direct invoice method is the most commonly used, with five departments using direct invoices for over 50 per cent of all payments. The Auditor-General noted that this is the riskiest method in terms of fraud, as payment typically relies only on a signature from someone with an appropriate financial delegation.146

The audit also identified that seven departments had not provided adequate guidance to staff as to what type of procurement method should be employed to minimise fraud risk for various types of expenditure.147 It therefore recommended that departments should establish guidance for procurement methods to be used for different types of expenditure processed.

8.6 Approval of expenditure

The Financial Accountability Handbook considers that financial delegations should be reviewed at least annually, and more frequently where there have been significant changes within the department, so that financial delegations remain current. In the event of an agency restructure or staff changes, assigned financial delegations ought to be withdrawn as needed. QTT further notes that a process should be in place to make the necessary changes to financial delegations when staff change, and to confirm whether officers holding a delegation still need it for their normal responsibilities.148

Audit Report No. 5 2012 found that nearly 17,000 departmental staff held delegated responsibility to authorise departmental expenditure, representing between 4 per cent and 48 per cent of staff in the individual departments. The Auditor-General expressed concern that the more staff are able to authorise expenditure, the greater the risk of inappropriate payments being made, and the more difficult it becomes to maintain controls ensuring that payments are appropriately and correctly authorised.149

The Auditor-General explained that although in some instances, there were delegations in place:

… what was not necessarily happening was the people exercising that delegated authority actually understanding what was expected of them and what was required of them when they were exercising the delegated authority.150

The audit recommended that all departments review their financial delegations regularly and limit delegations to employees who require the responsibility as part of their normal roles.

In June 2013, the Committee wrote to DPC to seek an update on whether a review of financial delegations had been undertaken at the whole-of-government level. DPC advised that such reviews could only be undertaken at departmental level in line with the FAA.151

145 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 18
146 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 18
147 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 18
148 Queensland Treasury and Trade, Financial Accountability Handbook: Information Sheet 3.15 – Fraud Control, October 2013: 3-4
149 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 18
150 Mr Greaves, Transcript 30 October 2013: 5
151 Correspondence from Mr J Grayson, Director-General, DPC to FAC dated 30 July 2013: 4


QTT advised that their role (as with DPC’s and QAO’s) is to support departments by providing guidance tools such as ‘framework and documentation’, and then:

… it becomes a matter for each agency’s audit and risk management committee to have a very pragmatic look at that material and work out which risks are applicable to them and make that judgement about how much it is sensible to invest in mitigating that risk.152

The Committee was informed by DPC that their financial delegations are reviewed on an annual basis as outlined in the department’s Financial Management Practice Manual. DPC outlined that their last review was undertaken in January 2012 with another scheduled for December 2012.153

DPC also clarified that QTT had undertaken a significant review of its Instrument of Financial Delegations in January 2012 to ensure that financial delegations were granted only where required and that the risk was managed. QTT’s Instrument of Financial Delegations also undergoes a full review at least every six months.154

QTT explained at the departmental briefing:

In 2012, in the lead-up to the publication of the report, there was a big push within government to address some of those issues that arose out of the Barlow matter. I guess the three major streams of work were in relation to what we call vendor cleansing, financial delegations reviews and fraud training. Since then we have been able to confirm again this year with the agencies involved that that work is still continuing. So I think the heightened effort that arose out of the Barlow matter has been continued.155

In Report No. 1: 2014-15 the Auditor-General reported that a scrutiny of financial delegations found no evidence of misuse of delegated authority. However, the strength of controls and the information available about the exercise of delegations varied. Noncompliance was attributed to a lack of understanding of staff responsibilities and roles arising from confusion over relieving arrangements or restructuring events. The Auditor-General considered that there were further opportunities to improve the monitoring and review of financial delegations.156
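The review QTT's handbook and the Auditor-General describe is a reconciliation: the instrument of delegations is compared against HR position data (to catch officers who have separated or moved in a restructure), against the date each entry was last reviewed, and against the approval audit trail (to catch delegations that are never used or whose limits far exceed actual use). The following is an added example written for this page, not code from the report or from any department's system; the register entries, HR extract, approvals, review date and the 25 per cent limit-usage threshold are all constructed assumptions for illustration.

```python
"""Added example, not code from the report or any department: a periodic
reconciliation of an instrument of financial delegations against HR position
data and the approval audit trail, of the kind the Auditor-General asks to be
done at least annually. Register entries, HR records, approvals, dates and the
limit-usage threshold are constructed assumptions."""
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed delegation register: officer, position the delegation is tied to,
# approval limit, and when the entry was last reviewed.
REGISTER = [
    {"officer": "alice", "position": "POS-01", "limit": 50000, "last_reviewed": date(2014, 2, 1)},
    {"officer": "bob",   "position": "POS-07", "limit": 10000, "last_reviewed": date(2014, 2, 1)},
    {"officer": "carol", "position": "POS-12", "limit": 10000, "last_reviewed": date(2013, 1, 15)},
    {"officer": "dave",  "position": "POS-09", "limit": 20000, "last_reviewed": date(2014, 2, 1)},
]
# Constructed HR extract: current position per officer; None means separated.
HR_POSITIONS: Dict[str, Optional[str]] = {
    "alice": "POS-01",
    "bob": "POS-22",   # moved in a restructure; delegation still tied to POS-07
    "carol": None,     # accepted a voluntary separation package
    "dave": "POS-09",
}
# Constructed audit-trail extract: (officer, amount) for approvals in the review period.
APPROVALS = [("alice", 12000), ("alice", 30000), ("dave", 400), ("dave", 2600)]


def review_delegations(register, hr_positions, approvals, as_of: date,
                       max_age_days: int = 365,
                       limit_use_floor: float = 0.25) -> List[Tuple[str, str]]:
    """Return (officer, finding) pairs: delegations to withdraw, stale reviews,
    unused delegations, and limits far above the amounts actually approved."""
    used: Dict[str, List[int]] = {}
    for officer, amount in approvals:
        used.setdefault(officer, []).append(amount)

    findings: List[Tuple[str, str]] = []
    for entry in register:
        officer = entry["officer"]
        current = hr_positions.get(officer)
        if current is None:
            findings.append((officer, "withdraw: officer has separated"))
        elif current != entry["position"]:
            findings.append((officer, f"withdraw: position changed {entry['position']} -> {current}"))
        if (as_of - entry["last_reviewed"]).days > max_age_days:
            findings.append((officer, "stale: delegation not reviewed within the last 12 months"))
        amounts = used.get(officer, [])
        if not amounts:
            findings.append((officer, "unused: no approvals in period; confirm the delegation is still needed"))
        elif max(amounts) < entry["limit"] * limit_use_floor:
            findings.append((officer, f"limit: highest approval {max(amounts)} is well below limit {entry['limit']}"))
    return findings


def run_review(as_of: date = date(2014, 7, 31)) -> List[Tuple[str, str]]:
    """Run the reconciliation over the constructed data as at the given date."""
    return review_delegations(REGISTER, HR_POSITIONS, APPROVALS, as_of)


if __name__ == "__main__":
    for officer, finding in run_review():
        print(f"{officer}: {finding}")
```

The HR comparison is what catches the relieving-arrangement and restructuring cases the Auditor-General attributes noncompliance to: a delegation tied to a position the officer no longer holds is flagged for withdrawal even though the officer is still employed, while a separated officer's entry is flagged regardless of how recently it was reviewed.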

8.7 Monitoring and review

To be effective, all internal control systems or fraud control strategies must be monitored. The monitoring process assesses the quality of the system’s performance through ongoing monitoring activities and/or separate evaluations.157 The benefits of monitoring and evaluation/review include:

assessing the continued relevance and priority of fraud strategies in the light of current and emerging risks

testing whether fraud strategies are targeting the desired population

ascertaining whether there are more cost-effective ways of combating fraud.158

152 Mr Beavers, Transcript 30 October 2013: 3
153 Correspondence from Mr J Grayson, Director-General, DPC to FAC dated 30 July 2013: 4
154 Correspondence from Mr J Grayson, Director-General, DPC to FAC dated 30 July 2013: 5
155 Mr Beavers, Transcript 30 October 2013: 3
156 Queensland Audit Office, Report No. 1: 2014-15 Results of audits: Internal Control Systems 2013-14, July 2014: 27 & 28
157 COSO, Internal Control – Integrated Framework Executive Summary, 1992: 3
158 Commonwealth of Australia, Australian National Audit Office, Fraud Control in Australian Government Entities Better Practice Guide, Fraud Control Strategies – Overview, March 2011: 75


The review process should encompass possible causal links and develop an evaluation strategy to achieve a balance between fraud prevention and detection strategies. There also needs to be a stronger focus on incentives to reduce potential loss from fraud rather than discovering fraud after the fact.159

In the monitoring and review process, internal control deficiencies that have been identified can be reported through to management, with more serious matters reported to CEO or board level.160

QTT emphasised that strong controls must be implemented over vendor master data, which includes:

the initial creation of a new vendor record – approval from an authorised officer, based on original documentation provided by the vendor, ABN checked, address checked, and with independent checks and reviews of input by officers appropriately segregated from the vendor master file maintenance function

amendments to vendor master data - must be at the request of the vendor, based on original documentation, and with independent checks and reviews of input by officers appropriately segregated from the vendor master file maintenance function

conducting regular reviews of all vendor master data – master data should be subject to periodic review and the data cleansed, such as identifying and blocking invalid, inactive or duplicate vendors. Again, outputs from the review and cleanse process should be subject to independent review by an officer appropriately segregated from the vendor master file maintenance function

access restricted to vendor master data – in the absence of robust compensating controls, officers with access to vendor master data should not have access to the accounting system operations and processes relating to procurement or expenditure.161

The Auditor-General noted that duplicate and erroneous payments can arise from poor control over vendor information. In particular, significant losses and fraud have occurred in cases where vendor information was manipulated. At the time of the audit, none of the departments had implemented monitoring controls over vendor creation or changes. However, as a result of the Queensland Health fraud, all departments performed a review of their vendor master file in early 2012.162
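Three of the QTT controls listed above are mechanical enough to automate and run over the whole master file on every review: the ABN check, the duplicate and inactive-vendor cleanse, and the segregation check between officers who maintain vendor records and officers who process payments. The following is an added example written for this page, not code from the report or from QTT's handbook. The ABN check-digit algorithm is the one published by the Australian Business Register; the vendor records, bank details, user names and payments are constructed for illustration, and the valid ABN used is the Australian Taxation Office's own public ABN.

```python
"""Added example, not code from the report or QTT's handbook: automated
checks of the kind QTT describes for vendor master data. The ABN check-digit
algorithm is the public Australian Business Register one; the vendors, bank
details, user names and payments are constructed for illustration."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)


def abn_is_valid(abn: str) -> bool:
    """ABN check: subtract 1 from the first digit, weight all 11 digits,
    and the weighted sum must be divisible by 89."""
    digits = re.sub(r"\s", "", abn)
    if not re.fullmatch(r"\d{11}", digits):
        return False
    nums = [int(c) for c in digits]
    nums[0] -= 1
    return sum(n * w for n, w in zip(nums, ABN_WEIGHTS)) % 89 == 0


def normalise_name(name: str) -> str:
    """Fold case, punctuation and entity suffixes so 'ACME STATIONERY' and
    'Acme Stationery Pty Ltd' compare equal."""
    s = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    s = re.sub(r"\b(pty|ltd|limited|inc|co|the)\b", " ", s)
    return " ".join(s.split())


def find_duplicate_vendors(vendors: List[dict]) -> List[Tuple[str, ...]]:
    """Groups of vendor IDs sharing a normalised name or the same BSB+account;
    one bank account behind different names is the manipulated-vendor pattern."""
    by_name: Dict[str, List[str]] = defaultdict(list)
    by_bank: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for v in vendors:
        by_name[normalise_name(v["name"])].append(v["id"])
        by_bank[(v["bsb"], v["account"])].append(v["id"])
    groups = set()
    for index in (by_name, by_bank):
        for ids in index.values():
            if len(ids) > 1:
                groups.add(tuple(sorted(ids)))
    return sorted(groups)


def sod_conflicts(vendors: List[dict], payments: List[dict]) -> List[Tuple[str, str]]:
    """Officers who maintained a vendor record and also processed a payment to it."""
    maintainer = {v["id"]: v["maintained_by"] for v in vendors}
    return sorted({(p["processed_by"], p["vendor_id"]) for p in payments
                   if maintainer.get(p["vendor_id"]) == p["processed_by"]})


# Constructed sample master data and payments (not real suppliers or officers).
VENDORS = [
    {"id": "V100", "name": "Acme Stationery Pty Ltd", "abn": "51 824 753 556",
     "bsb": "064-000", "account": "12345678", "maintained_by": "jsmith"},
    {"id": "V101", "name": "ACME STATIONERY", "abn": "51824753556",
     "bsb": "064-000", "account": "12345678", "maintained_by": "jsmith"},
    {"id": "V102", "name": "Brisbane Cleaning Co", "abn": "51 824 753 557",  # bad check digit
     "bsb": "084-001", "account": "99887766", "maintained_by": "tlee"},
    {"id": "V103", "name": "Northside Plumbing", "abn": "12 345 678 901",    # bad check digit
     "bsb": "064-000", "account": "12345678", "maintained_by": "tlee"},      # Acme's bank account
]
PAYMENTS = [
    {"id": "P1", "vendor_id": "V101", "amount": 4200.0, "processed_by": "jsmith"},
    {"id": "P2", "vendor_id": "V102", "amount": 980.0, "processed_by": "jsmith"},
    {"id": "P3", "vendor_id": "V103", "amount": 1500.0, "processed_by": "tlee"},
]


def review_vendor_master(vendors=VENDORS, payments=PAYMENTS) -> Dict[str, list]:
    """One pass over the master file producing the exception lists a reviewer
    independent of the maintenance function would work through."""
    return {
        "invalid_abn": sorted(v["id"] for v in vendors if not abn_is_valid(v["abn"])),
        "duplicates": find_duplicate_vendors(vendors),
        "sod_conflicts": sod_conflicts(vendors, payments),
    }


if __name__ == "__main__":
    for key, items in review_vendor_master().items():
        print(key, items)
```

The bank-account index is deliberately separate from the name index: a duplicate caught only by name is usually a data-entry slip, whereas a third vendor under a different name paying into an existing vendor's account is the case the handbook's "amendments must be at the request of the vendor, based on original documentation" control exists to prevent. The ABN check only proves the number is well formed; confirming it belongs to the named entity still needs a lookup against the register, which this offline example does not do.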

DSITIA stated that the management and policy arrangements governing how IT systems are used are important because they provide some segregation of duties, with one person able to access only one part of the system. This is made more effective where control environments are built into the systems themselves.163

The Auditor-General recommended in Report No. 1: 2014-15 that the assignment of financial delegations should be reviewed at least annually and updated more regularly as positions and organisation structure change. The audit report outlined that all entities have undertaken a review of financial delegations within the past 12 months even though the review period was not specified in some of their policies.164 The Committee noted that departments test their financial delegations at varying frequencies; for example, DAFF reported that it undertakes quarterly compliance checks and testing, whilst DATSIMA explained that it conducts an analytic review once a year for the entire department.165,166

159 Commonwealth of Australia, Australian National Audit Office, Fraud Control in Australian Government Entities Better Practice Guide, Fraud Control Strategies – Overview, March 2011: 75
160 COSO, Internal Control – Integrated Framework Executive Summary, 1992: 3
161 Queensland Treasury and Trade, Financial Accountability Handbook: Information Sheet 3.15 – Fraud Control, October 2013: 4
162 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 18-19
163 Mr Burnheim, Transcript 30 October 2013: 9
164 Queensland Audit Office, Report No. 1: 2014-15 Results of audits: Internal Control Systems 2013-14, July 2014: 30
165 Correspondence from Mr J Grayson, Director-General, DPC to FAC dated 30 May 2014: 38
166 Correspondence from Mr J Grayson, Director-General, DPC to FAC dated 30 May 2014: 57


8.8 Recordkeeping controls for financial records

A key component of good corporate governance and business practice is sound record keeping. Good record keeping enables the management of corporate information, and is necessary to meet legal and accountability requirements. The Auditor-General explained that it also provides an ‘audit trail’ to support and substantiate the accuracy and validity of transactions.167

ANAO’s 2001 report highlighted significant developments in electronic transactions. The report outlined that the increasing reliance on automated recordkeeping systems and implementation of government business and information provision online presents new challenges for recordkeeping management.168

Report No. 5 2012 reiterated that payments for goods and services are increasingly made on the basis of electronic invoices from suppliers and customers. The Auditor-General cautioned that there is an increased risk of duplicate payments, alteration of documentation and other fraudulent practices through electronic means if the electronic documentation for payments made is not retained or stored.169 Simple data collection tools, such as the ability to ‘search for duplicate vendor invoices’ or ‘matching invoices to purchase order details’, can prevent fraudulent payments.170 The Auditor-General advised that departmental staff should be provided with further guidance on recordkeeping.171
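The two tools named above, a search for duplicate vendor invoices and the matching of invoices to purchase order details, can be illustrated in code. The following Python script is an added example for this report and is not code from the Auditor-General, QSS or any department's SAP system; the invoice and purchase order records, field names and amounts are constructed for illustration. It normalises invoice numbers so that the same invoice re-keyed with different punctuation or leading zeros is still caught, flags same-vendor, same-amount, same-day invoices posted under different numbers as possible duplicates, and checks each invoice against the purchase order it cites for a vendor mismatch, an amount above the order, or a non-existent order.

```python
"""Duplicate-invoice search and invoice-to-purchase-order matching.

Added example; not code from the Committee report, QSS or SAP. The invoices
and purchase orders below are constructed. Amounts are integer cents so that
equality checks are exact.
"""
import re
from collections import defaultdict
from datetime import date


def normalise_invoice_number(number: str) -> str:
    """'inv-0045', 'INV 45' and 'INV0045' all become 'INV45'."""
    s = re.sub(r"[^A-Z0-9]", "", number.upper())
    return re.sub(r"(?<!\d)0+(?=\d)", "", s)  # drop leading zeros of each digit run


def find_duplicate_invoices(invoices):
    """Exact: same vendor, normalised number and amount.
    Possible: same vendor, amount and date posted under different numbers."""
    exact = defaultdict(list)
    same_day = defaultdict(list)
    for inv in invoices:
        exact[(inv["vendor"], normalise_invoice_number(inv["number"]), inv["cents"])].append(inv["id"])
        same_day[(inv["vendor"], inv["cents"], inv["date"])].append(inv)
    possible = []
    for group in same_day.values():
        # More than one distinct number for the same vendor/amount/day: worth a look.
        if len({normalise_invoice_number(i["number"]) for i in group}) > 1:
            possible.append([i["id"] for i in group])
    return {
        "exact": sorted(ids for ids in exact.values() if len(ids) > 1),
        "possible": sorted(possible),
    }


def match_invoice(inv, purchase_orders):
    """Control failures for one invoice against the purchase order it cites."""
    po = purchase_orders.get(inv["po"])
    if po is None:
        return ["no_such_po"]
    issues = []
    if po["vendor"] != inv["vendor"]:
        issues.append("vendor_mismatch")
    if inv["cents"] > po["cents"]:
        issues.append("exceeds_po_amount")
    return issues


def check_all(invoices, purchase_orders):
    return {inv["id"]: match_invoice(inv, purchase_orders) for inv in invoices}


def over_invoiced_pos(invoices, purchase_orders):
    """POs whose invoices in total exceed the ordered amount; duplicate invoices surface here too."""
    totals = defaultdict(int)
    for inv in invoices:
        totals[inv["po"]] += inv["cents"]
    return sorted(po for po, total in totals.items()
                  if po in purchase_orders and total > purchase_orders[po]["cents"])


# Constructed purchase orders and invoices for illustration.
SAMPLE_POS = {
    "PO-1001": {"vendor": "V001", "cents": 500_000},
    "PO-1002": {"vendor": "V003", "cents": 120_000},
}

SAMPLE_INVOICES = [
    {"id": "INV-1", "vendor": "V001", "number": "INV-0045", "cents": 250_000,
     "date": date(2014, 3, 1), "po": "PO-1001"},
    {"id": "INV-2", "vendor": "V001", "number": "INV45", "cents": 250_000,
     "date": date(2014, 3, 1), "po": "PO-1001"},   # same invoice re-keyed
    {"id": "INV-3", "vendor": "V001", "number": "INV-0046", "cents": 250_000,
     "date": date(2014, 3, 1), "po": "PO-1001"},   # same amount, new number
    {"id": "INV-4", "vendor": "V005", "number": "A100", "cents": 120_000,
     "date": date(2014, 3, 4), "po": "PO-1002"},   # PO belongs to another vendor
    {"id": "INV-5", "vendor": "V003", "number": "A101", "cents": 150_000,
     "date": date(2014, 3, 5), "po": "PO-1002"},   # above the PO amount
    {"id": "INV-6", "vendor": "V003", "number": "A102", "cents": 30_000,
     "date": date(2014, 3, 6), "po": "PO-9999"},   # PO does not exist
]

if __name__ == "__main__":
    print(find_duplicate_invoices(SAMPLE_INVOICES))
    print(check_all(SAMPLE_INVOICES, SAMPLE_POS))
    print(over_invoiced_pos(SAMPLE_INVOICES, SAMPLE_POS))
```

Run stand-alone, the script prints the three result sets for the constructed data. In practice the invoice list would be the extract the shared service provider retains for the department, and the same grouping keys can be extended with the bank account and ABN fields held in the vendor master file.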

The audit included a review of the processing of financial records to determine whether there was an adequate audit trail between departments and QSS. It also examined whether both paper and electronic records were appropriately stored and in compliance with the Public Records Act 2002. The audit found:

limited review and analysis of the risks associated with processing transactions through a shared service provider, including departments’ responsibility for complying with relevant legislation relating to the retention and disposal of public records

limited training and awareness programs provided to staff about recordkeeping requirements, increasing the risk that these requirements are not understood or adhered to

inconsistent practices for processing and retaining paper or electronic documents between the entity and the service provider, increasing the risk of fraudulent or duplicate payments due to multiple paper and electronic copies of supporting documents

inconsistent practices for the capture and retention of emails, with some entities relying on users to manage and store emails relating to business transactions and some emails with scanned documents not retained once the transaction is processed.172

The Auditor-General recommended that all departments review their recordkeeping activities, in particular electronic financial transactions, to ensure that there are adequate documentation trails.173

167 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 19
168 Commonwealth of Australia, Australian National Audit Office, The Auditor-General Audit Report No. 45 2001-02, Assurance and Control Assessment Audit: Recordkeeping, May 2002: 27
169 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 19
170 Grant Thornton Australia, Newsletters Using audit tools to detect fraud, September 2009 http://www.grantthornton.com.au/Publications/Newsletters/fr_0909a.asp [31 March 2014]
171 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 19
172 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 19
173 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 19


The Committee requested from all departments an update of their electronic recordkeeping activities. All departments (except for DEHP and DATSIMA) explained that considerable steps are being undertaken to maintain their electronic transactions. DEHP outlined that there is no extensive use of automatic workflow within their financial management environment, whilst DATSIMA does not undertake any electronic financial transactions as these are handled by QSS.174,175

The PSBA advised that vendor data cleansing within the SAP finance system is performed annually with assistance from QSS to review and block duplicate vendors and payments to vendors with no activity for 15 months or more.176
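The vendor master controls QTT listed earlier in this section (ABN checked, invalid, inactive and duplicate vendors identified and blocked, outputs reviewed by an independent officer) and the annual cleansing the PSBA describes can be run as a repeatable script whose output is what the independent reviewer signs off. The following Python example is added here and is not the PSBA's, QSS's or QTT's code; the vendor records, field names and the 15-month inactivity threshold are constructed for illustration (the threshold mirrors the one the PSBA described), and the ABN check implements the ATO's published check-digit algorithm.

```python
"""Vendor master file review: duplicate, invalid-ABN and inactive vendors.

Added example; not code from the Committee report, QTT, the PSBA or QSS.
The vendor records and the 15-month inactivity threshold are constructed.
"""
import re
from collections import defaultdict
from datetime import date

# Weights from the ATO's published ABN check-digit algorithm.
ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)


def digits_only(value: str) -> str:
    """Strip spaces, hyphens and any other non-digit characters."""
    return re.sub(r"\D", "", value)


def is_valid_abn(abn: str) -> bool:
    """Subtract 1 from the first digit, apply the weights, require sum mod 89 == 0."""
    digits = [int(c) for c in digits_only(abn)]
    if len(digits) != 11:
        return False
    digits[0] -= 1
    return sum(d * w for d, w in zip(digits, ABN_WEIGHTS)) % 89 == 0


def normalise_name(name: str) -> str:
    """Lower-case, drop punctuation and legal suffixes so 'ACME PTY. LTD.' matches 'Acme Pty Ltd'."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in {"pty", "ltd", "limited"})


def months_since(then: date, as_of: date) -> int:
    """Whole months elapsed between two dates."""
    months = (as_of.year - then.year) * 12 + (as_of.month - then.month)
    return months - 1 if as_of.day < then.day else months


def find_duplicates(vendors):
    """Group vendor ids that share a normalised name, an ABN or a bank account."""
    keys = {
        "name": lambda v: normalise_name(v["name"]),
        "abn": lambda v: digits_only(v["abn"]),
        "bank": lambda v: digits_only(v["bank"]),
    }
    findings = {}
    for label, keyfn in keys.items():
        groups = defaultdict(list)
        for v in vendors:
            groups[keyfn(v)].append(v["id"])
        findings[label] = sorted(ids for ids in groups.values() if len(ids) > 1)
    return findings


def find_invalid_abns(vendors):
    return [v["id"] for v in vendors if not is_valid_abn(v["abn"])]


def find_inactive(vendors, as_of, months=15):
    """Vendors with no activity for `months` or more: candidates for blocking."""
    return [v["id"] for v in vendors if months_since(v["last_activity"], as_of) >= months]


# Constructed sample records; the ABNs were generated to pass or fail the checksum.
SAMPLE_VENDORS = [
    {"id": "V001", "name": "Acme Supplies Pty Ltd", "abn": "62 074 193 808",
     "bank": "064-000 12345678", "last_activity": date(2014, 5, 2)},
    {"id": "V002", "name": "ACME SUPPLIES PTY. LTD.", "abn": "62074193808",
     "bank": "064-000 12345678", "last_activity": date(2014, 1, 15)},   # duplicate of V001
    {"id": "V003", "name": "Brisbane Office Furniture", "abn": "30 581 627 480",
     "bank": "034-002 99887766", "last_activity": date(2012, 11, 30)},  # inactive
    {"id": "V004", "name": "Northside Cleaning", "abn": "62 074 193 809",
     "bank": "014-100 55443322", "last_activity": date(2014, 6, 1)},    # bad ABN
    {"id": "V005", "name": "J Smith Consulting", "abn": "30 581 627 480",
     "bank": "034-002 99887766", "last_activity": date(2014, 3, 10)},   # shares V003's ABN and bank
]


def review(vendors, as_of):
    """One pass producing the findings an independent reviewer signs off."""
    return {
        "duplicates": find_duplicates(vendors),
        "invalid_abn": find_invalid_abns(vendors),
        "inactive": find_inactive(vendors, as_of),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(review(SAMPLE_VENDORS, date(2014, 6, 30)), indent=2))
```

The bank-account and ABN groupings matter more than the name grouping: two differently named vendors paying into one account (V003 and V005 above) is the pattern the Auditor-General's comment on manipulated vendor information points to, and it is invisible to a name-only cleanse.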

8.9 Trained and experienced staff

The Auditor-General emphasised that all employees have a significant role in preventing and detecting fraud in the workplace. In particular, given the size and diversity of the Queensland public sector, inconsistencies in fraud awareness, experience and knowledge could be an additional risk in fraud management.177 ANAO suggested that fraud awareness training for employees is an effective way of preventing, detecting and responding to fraud. Training for all staff, and in particular managers, is beneficial in ensuring that common behavioural signs that fraud is occurring are recognised.178

However, the Auditor-General found that none of the departments had specific fraud training customised to the particular circumstances within their departments. In addition, seven departments conducted code of conduct training, which covers fraud and misconduct at a high level, and only one department incorporated its fraud management policy into its new employee induction.179

At the time of the audit, the movement or loss of staff through the Voluntary Separation Program (VSP) potentially resulted in the loss of corporate knowledge and experience, especially in regards to appropriate internal controls. The Auditor-General recommended that specific fraud training should be provided to staff in all departments.180

The CMC also found that the low awareness of the risk of fraud among staff at all levels in Queensland Health contributed to the ability of a fraud to be perpetrated on the department. The CMC recommended that fraud awareness training be conducted.181

DPC advised the Committee that ‘one of the actions undertaken was the development of a whole-of-Government financial internal controls training’. QTT facilitated the development of the training which was released in June 2012 and was made available to all Queensland Government staff from the Govnet website.182

In following up on the recommendations about training, the Committee sought clarification on how staff training could be an effective tool in the prevention of fraud. The Auditor-General explained that ‘training goes to a broader issue of awareness and understanding of the employees about the potential for fraud’ and that it is one of the elements the COSO model examines under the control environment.183

174 Correspondence from Mr J Grayson, Director-General, DPC to FAC dated 30 May 2014: 42
175 Correspondence from Mr J Grayson, Director-General, DPC to FAC dated 30 May 2014: 58
176 Correspondence from Mr J Grayson, Director-General, DPC to FAC dated 30 May 2014: 21
177 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 19
178 Commonwealth of Australia, Australian National Audit Office, The Auditor-General Audit Report No. 45 2001-02, Assurance and Control Assessment Audit: Recordkeeping, May 2002: 42
179 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 20
180 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 20
181 Crime and Misconduct Commission, Fraud, financial management and accountability in the Queensland public sector: An examination of how a $16.69 million fraud was committed on Queensland Health, September 2013: 34-35
182 Correspondence from Mr J Grayson, Director-General, DPC to FAC dated 30 July 2013: 5
183 Mr Greaves, Transcript 30 October 2013: 5


The Auditor-General stated that:

Part of that control environment is that you actually have employees who understand the importance of control, why it is there and what risks it is trying to prevent. The training is about getting them to understand that.184

Other reports also reveal that employees’ awareness along with their obligations in regards to fraudulent activities begins with communication and training. In addition, training should include initiatives that are based on respective job functions and risk areas.185

QTT advised the Committee that a whole-of-Government Fraud Awareness Day was held on 12 February 2013. The purpose of the day was to promote fraud awareness and considerations within the public service.186 QTT outlined that over 400 individuals registered to attend the day and representatives included those from public sector entities as well as local councils (e.g. Gold Coast and Redland City Councils), service providers including Metro South Hospital and Health Service and Queensland Urban Utilities.187

The Committee enquired how effective QTT’s training had been and what the level of uptake of the training provided was. In addition, the Committee asked QTT how the uptake of training was monitored. QTT also outlined that PowerPoint presentations about fraud training had been released to all departments. The Committee was advised that the online approach was adopted for QTT staff because:

(a) it is flexible for employees as they can do it at a time that suits them and (b) … have a system that tracks who has done it and who has not, so we can follow that through.188

The Committee sought further information on the types of fraud control plans, in addition to training, in all departments. Eight departments advised that staff training is or has been incorporated in their fraud control plans.189 Employee fraud awareness training is discussed further in section 10 of this report.

The Auditor-General outlined in Report No. 1: 2014-15 that staff awareness of risk management can be further improved in 17 of the 24 entities examined. He noted that training in risk management in one-third of the entities was ad hoc and informal or conducted by departmental officers as needed. However, communication and training strategies were in place in larger departments, statutory bodies and GOCs.190

Recommendation 4

The Committee recommends that DPC and QTT expand and continue to conduct fraud awareness training for all departments.

184 Mr Greaves, Transcript 30 October 2013: 5
185 KPMG Australia, Fraud Risk Management. Developing a Strategy for Prevention, Detection, and Response: 2006, 12-13
186 Responses to Questions taken on notice at Public departmental briefing 30 October 2013: 1
187 Responses to Questions taken on notice at Public departmental briefing 30 October 2013: 2
188 Mr Beavers, Transcript 30 October 2013: 5
189 Correspondence from Mr J Grayson, Director-General, DPC to FAC dated 30 May 2014
190 Queensland Audit Office, Report No. 1: 2014-15 Results of audits: Internal Control Systems 2013-14, July 2014: 21


8.10 Continuous data analysis and monitoring

Fraud detection strategies are those which highlight the fraudulent activity as soon as possible. The Auditor-General explained that monitoring and detection act as strong deterrents to potential fraudulent activity and strategies should be widely promoted in departments to foster a zero tolerance to fraud.191

Report No. 5 2012 found that the majority (nine out of 13) of the departments did not have detailed analytical review or data mining procedures in place.192

The use of data mining or data analysis to detect fraud, misconduct or error is beneficial in that it can be used to analyse suspicious transactions or to identify unusual relationships (for example in banking details). In addition, data analysis can be used to assess the effectiveness of internal controls (for example by detecting password sharing), to identify irregular trends and to examine large volumes of transactions.193

ANAO suggests that there are two types of data mining or data analysis; these are:

Retrospective review - extraction of historical data (usually data relating to more than one year) for analysis.

Continuous auditing or continuous monitoring - the collection and analysis of current data on a real or near real-time basis, e.g. daily, weekly or monthly, and used to provide the internal auditor with information regarding risk and controls.194

The Auditor-General found detailed data analytics or data mining, as a detection countermeasure to fraud, to be an area for improvement for all departments. The report outlined:

One department processes three million financial transactions per month, and such volumes emphasise the need to highlight unusual or irregular transactions to management on a regular and ongoing basis, such as transactions that have bypassed normal processing controls.

Continuous data analysis together with management review and questioning of budgetary outcomes, particularly at a cost centre level, would provide a powerful detective capability for departments as well as a strong deterrent.195

The Auditor-General recommended that all departments implement detailed analytical review or data mining procedures as either part of their internal audit or their finance function.196
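As an added illustration of the continuous monitoring the Auditor-General recommends above (this is not code from the Auditor-General's report, QSS or any department), the following Python rules run over one day's payment postings and report the exceptions management should question. The three rules, the $5,000 delegation threshold, the 7-day window and the payment records are constructed assumptions. They show how transactions that bypass normal processing controls, for example a payment approved by the officer who created it or a payment to a vendor whose bank details were changed days earlier, can be surfaced on a daily rather than an after-the-fact basis.

```python
"""Continuous monitoring rules run over a day's payment postings.

Added example; not code from the Committee report, QSS or any department.
The rules, the $5,000 delegation threshold, the 7-day window and the payment
records are all constructed for illustration.
"""
from collections import defaultdict
from datetime import date, datetime


def monitor(payments, bank_changes, delegation_cents=500_000, window_days=7):
    """Return {payment id: [rules triggered]} for one batch of postings.

    self_approved       - creator approved their own payment (segregation of duties bypassed)
    recent_bank_change  - vendor's bank details were amended within `window_days` before payment
    possible_split      - same officer, vendor and day: several payments each under the
                          delegation limit that together exceed it
    """
    findings = {p["id"]: [] for p in payments}
    by_officer_vendor_day = defaultdict(list)
    for p in payments:
        if p["created_by"] == p["approved_by"]:
            findings[p["id"]].append("self_approved")
        changed = bank_changes.get(p["vendor"])
        if changed is not None and 0 <= (p["posted"].date() - changed).days <= window_days:
            findings[p["id"]].append("recent_bank_change")
        by_officer_vendor_day[(p["created_by"], p["vendor"], p["posted"].date())].append(p)
    for group in by_officer_vendor_day.values():
        under_limit = [p for p in group if p["cents"] < delegation_cents]
        if len(under_limit) >= 2 and sum(p["cents"] for p in under_limit) >= delegation_cents:
            for p in under_limit:
                findings[p["id"]].append("possible_split")
    return findings


def exceptions_for_review(findings):
    """Only the payments that need a human look, in a stable order for the daily report."""
    return sorted((pid, rules) for pid, rules in findings.items() if rules)


# Constructed: date each vendor's bank account was last amended in the vendor master file.
SAMPLE_BANK_CHANGES = {"V001": date(2014, 5, 30), "V003": date(2013, 1, 10)}

# Constructed: one day's payment postings (amounts in cents).
SAMPLE_PAYMENTS = [
    {"id": "P1", "vendor": "V001", "cents": 300_000, "created_by": "alice", "approved_by": "bob",
     "posted": datetime(2014, 6, 2, 10, 5)},    # bank details changed 3 days earlier
    {"id": "P2", "vendor": "V003", "cents": 120_000, "created_by": "alice", "approved_by": "alice",
     "posted": datetime(2014, 6, 2, 10, 40)},   # self-approved
    {"id": "P3", "vendor": "V004", "cents": 480_000, "created_by": "carol", "approved_by": "dan",
     "posted": datetime(2014, 6, 2, 11, 0)},    # two payments just under $5,000 ...
    {"id": "P4", "vendor": "V004", "cents": 470_000, "created_by": "carol", "approved_by": "dan",
     "posted": datetime(2014, 6, 2, 16, 30)},   # ... to the same vendor on the same day
    {"id": "P5", "vendor": "V005", "cents": 20_000, "created_by": "erin", "approved_by": "frank",
     "posted": datetime(2014, 6, 2, 14, 15)},   # nothing unusual
]

if __name__ == "__main__":
    for pid, rules in exceptions_for_review(monitor(SAMPLE_PAYMENTS, SAMPLE_BANK_CHANGES)):
        print(pid, ", ".join(rules))
```

The rule set is deliberately small; what turns it into the detective capability the Auditor-General describes is running it every day against the full posting file and having a cost centre manager answer for each exception, rather than the sophistication of any single rule.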

The Committee queried the effectiveness of the IT policy being implemented. DSITIA explained that QSS relies on seven SAPs and carries out two different functions. Firstly, it operates an internal controls environment in which processing and a management assurance framework are undertaken; secondly, it provides an assurance report to its 18 client departments.197

191 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 20
192 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 20
193 Commonwealth of Australia, Australian National Audit Office, Fraud Control in Australian Government Entities Better Practice Guide, Fraud Control Strategies – Overview, March 2011: 57-58
194 Commonwealth of Australia, Australian National Audit Office, Fraud Control in Australian Government Entities Better Practice Guide, Fraud Control Strategies – Overview, March 2011: 58
195 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 20
196 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 20
197 Mr Burnheim, Transcript 30 October 2013: 9


The Committee noted that some departments reported that reviews are undertaken to address staff access to electronic information. For example, DTMESBCG and DAFF explained:

Quarterly user access reviews are undertaken by the Finance Unit of the department's SAP finance system user access profiles in order to identify and remove any high risk user access with conflicted system profile permissions.198

The DETE outlined that they have strong entity level controls, including segregation of duties and systems access, to prevent an employee from:

gaining access to electronic records without proper authority or approval

making an electronic payment to a non-existent vendor

improperly transferring money from an agency account to an associate or an account under their control

using agency funds to purchase goods or services electronically for private benefit.199

Some departments such as DEWS stated that their system controls such as access and security and system change control processes are managed by QSS.200 Similarly, DATSIMA advised that QSS make payments, receipt cash etc. on behalf of the department.201

The Committee sought information from departments regarding the preventative strategies that have been put in place to identify ‘hot spots’. The Committee was advised that data analytics was used by internal audit. Some departments indicated that they have recently purchased appropriate software to facilitate better data analytics and continuous controls monitoring.202

QTT has incorporated data analytics as an annual review within the three year Internal Audit Plan, as endorsed by the QTT Audit and Risk Management Committee. Internal Audit utilised data analytics as a mechanism to target key risk transactions associated with the use of corporate credit cards and for accounts payable. The outcomes of this work helped inform continuous improvement activities and compliance with policies. They consider that data analytics will help to address potential risk areas in a timely manner, refine existing mitigating controls and inform development of continuous monitoring over potentially problematic transactions.203

Report No. 1: 2014-15 included an assessment of the 49 internal control objectives in the QSS control environment. Although 14 moderate and two high risk control issues were identified in the audit, these were either resolved during the audit or within reasonable time frames.204 However, the Auditor-General emphasised that information security remains a primary area of concern. Security weaknesses included:

Inadequate review of system user roles and their activities

Users having inappropriate access to sensitive or restricted activities

Vulnerability to external attack from the internet

Management of ‘privilege’ accounts, including restricting access to these accounts and monitoring of account activity.205
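The quarterly user access reviews DTMESBCG and DAFF describe, the segregation of duties DETE relies on, QTT's rule that officers with vendor master access should not hold procurement or expenditure access, and the user-role and privileged-account weaknesses the Auditor-General lists above all reduce to checks over a user access listing. The following Python example is added here and is not code from any of those entities or from SAP; the role names (other than SAP's SAP_ALL profile), the conflict rules, the approved privileged-user list and the user records are constructed for illustration.

```python
"""User access review: segregation-of-duties conflicts, unapproved privileged
access and dormant accounts.

Added example; not code from the Committee report, QSS or SAP. The role names
(other than SAP's SAP_ALL profile), the conflict rules and the user records are
constructed for illustration.
"""
from datetime import date

# Constructed conflict rules: holding both roles lets one officer complete a
# transaction end to end without an independent check.
SOD_RULES = [
    ("VENDOR_MASTER_MAINTAIN", "AP_INVOICE_ENTRY"),
    ("VENDOR_MASTER_MAINTAIN", "AP_PAYMENT_RELEASE"),
    ("AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"),
    ("PURCHASE_ORDER_CREATE", "GOODS_RECEIPT"),
]

PRIVILEGED_ROLES = {"SAP_ALL", "SECURITY_ADMIN"}
APPROVED_PRIVILEGED = {"secadmin01"}   # constructed: users signed off to hold privileged roles

# Constructed user access listing: roles held and last logon, as a quarterly extract would show.
SAMPLE_USERS = {
    "alice": {"roles": {"VENDOR_MASTER_MAINTAIN", "AP_INVOICE_ENTRY"}, "last_logon": date(2014, 6, 27)},
    "bob": {"roles": {"AP_INVOICE_ENTRY"}, "last_logon": date(2014, 6, 30)},
    "carol": {"roles": {"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}, "last_logon": date(2014, 6, 26)},
    "dan": {"roles": {"SAP_ALL"}, "last_logon": date(2014, 6, 29)},
    "erin": {"roles": {"PURCHASE_ORDER_CREATE", "GOODS_RECEIPT"}, "last_logon": date(2014, 6, 20)},
    "fred": {"roles": {"AP_INVOICE_ENTRY"}, "last_logon": date(2014, 1, 2)},
    "secadmin01": {"roles": {"SECURITY_ADMIN"}, "last_logon": date(2014, 6, 30)},
}


def sod_conflicts(users, rules=SOD_RULES):
    """(user, (role_a, role_b)) for every conflicting pair a user holds."""
    hits = []
    for user, info in users.items():
        for rule in rules:
            if set(rule) <= info["roles"]:
                hits.append((user, rule))
    return sorted(hits)


def unapproved_privileged(users, privileged=PRIVILEGED_ROLES, approved=APPROVED_PRIVILEGED):
    """Users holding a privileged role without being on the approved list."""
    return sorted(u for u, info in users.items()
                  if info["roles"] & privileged and u not in approved)


def dormant_accounts(users, as_of, days=90):
    """Accounts not used for `days` or more: remove the access rather than leave it live."""
    return sorted(u for u, info in users.items() if (as_of - info["last_logon"]).days >= days)


def access_review(users, as_of):
    """The three lists a quarterly review would table for the finance unit to act on."""
    return {
        "sod_conflicts": sod_conflicts(users),
        "unapproved_privileged": unapproved_privileged(users),
        "dormant": dormant_accounts(users, as_of),
    }


if __name__ == "__main__":
    for section, items in access_review(SAMPLE_USERS, date(2014, 6, 30)).items():
        print(section, items)
```

Where a conflict cannot be removed in a small team, the compensating control QTT refers to is a documented, independent review of that officer's transactions; the script's output is the list of officers that review has to cover.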

198 Correspondence from Mr J Grayson, Director-General, DPC to FAC dated 30 May 2014: 38 & 65
199 Correspondence from Mr J Grayson, Director-General, DPC to FAC dated 30 May 2014: 19
200 Correspondence from Mr J Grayson, Director-General, DPC to FAC dated 30 May 2014: 45
201 Correspondence from Mr J Grayson, Director-General, DPC to FAC dated 30 May 2014: 58
202 Correspondence from Mr J Grayson, Director-General, DPC to FAC dated 30 May 2014
203 Correspondence from Mr J Grayson, Director-General, DPC to FAC dated 30 May 2014: 9
204 Queensland Audit Office, Report No. 1: 2014-15 Results of audits: Internal Control Systems 2013-14, July 2014: 3
205 Queensland Audit Office, Report No. 1: 2014-15 Results of audits: Internal Control Systems 2013-14, July 2014: 2


8.11 Committee comments

The Committee recognises that attempts have been made to address the issues identified in the audit reports. However, the Committee is concerned that there are still gaps in internal controls in the IT area, as highlighted in Report No. 1: 2014-15. As there is an increasing reliance on IT systems, particularly in the monitoring of data, the Committee considers that this issue should be examined through a whole-of-government approach by the relevant department.

The Committee has concerns that user access weaknesses are not fully addressed despite the fraud case at Queensland Health. The Committee believes that considerable attention ought to be given to user access weaknesses and that departments should regularly review this area to avoid users having inappropriate access.

Recommendation 5

The Committee recommends that DPC coordinate with DSITIA to implement a standardised (whole-of-government) policy on IT controls, data analysis and monitoring.

Recommendation 6

The Committee recommends that DPC and DSITIA conduct a comprehensive review of all departments’ user access systems and procedures to ensure that any weaknesses are identified and rectified.


9 IT Governance

The updated COSO internal framework (2013) incorporates the challenges arising from different factors including the greater use and dependence on technology in all organisations.206 As most organisations are now highly dependent on information technology systems, IT controls should be given more attention. It is therefore essential that IT controls be incorporated as an integral component of governance controls.207

The Auditor-General outlined that IT systems need to operate reliably at both a whole of government and departmental level. In addition, the information contained in those systems must be protected from theft, misuse, disruption and unauthorised access so processes must be put in place to identify any risks and threats.208

9.1 Identity Management and Email Services and Information and Communication Technology Consolidation

Previous audits (Report No. 4 for 2011 and Report No. 7 for 2010) had recommended improvements to the management of two key IT infrastructure programs - Identity Management and Email Services (IDES) and Information and Communication Technology Consolidation (ICTC). The 2012 audit found that there was no effective whole of government sponsoring group in place during the development of these programs.209

Other key findings were:

the take-up by departments of both IDES and ICTC is currently far lower than was originally planned, and

Benchmarks for benefits and pricing were not put in place at the start of the programs, making it difficult to establish whether the current pricing is reasonable and that the expected benefits will be realised.210

The Auditor-General recommended that accountability for the IDES and ICTC programs should be assigned to a system owner or sponsoring group able to make decisions on the future of these programs.211

The DSITIA responded to the audit report and advised that an analysis was being undertaken on IDES, ICTC and CITEC’s financial and business model.212

206 COSO, Internal Control – Integrated Framework Executive Summary, May 2013: 1
207 Deloitte, Why information technology controls can’t be ignored, CEO/CFO Certification News, May 2005 http://www.deloitte.com/view/en_CA/ca/services/ceocfocertification/2b21cb79791fb110VgnVCM100000ba42f00aRCRD.htm [26 March 2014]
208 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 24
209 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 24
210 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 23
211 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 27
212 Queensland Audit Office, Report No 5: 2012 Internal Control Systems, June 2012: 36


DSITIA advised that the analysis of the programs has now been completed. They clarified that:

The IDES program was in fact terminated or halted midstream. It did not achieve its objectives and a series of activities have occurred since then. Government has undertaken an ICT audit which looks at a number of issues including the most appropriate means for government to procure ICT services in the future, as well as portfolio, program and project governance to ensure we do have the appropriate management framework in place for the future. There has also been the development of an ICT strategy and action plan. The findings within the Commission of Audit also provide some direction in terms of management of ICT programs into the future.213

DSITIA added that an IT management framework has been put in place to manage ICT governance.214

The Queensland Government Chief Information Office (QGCIO) provides agencies with guidance and support on improving the delivery of Government services and developing best practice approaches to ICT management.215 The QGCIO is responsible for providing advice to all agencies and executive government on issues such as:

setting ICT strategy, policies and standards

adopting better practice for ICT investment management

identifying and managing risks, including ‘over the horizon’ risks

developing proposals for major whole-of-government investments

identifying and managing strategic workforce capability issues

improving contract outcomes

facilitating strategic relationships with industry partners.216

The QGCIO developed the ‘Queensland Government Enterprise Architecture’ (QGEA) which comprises ICT policies ‘to provide guidance in ICT initiatives to improve compatibility and cost-effectiveness across all government’.217 This QGEA framework:

defines a classification framework covering business processes and services, the information they use, and the applications, technology and information security elements that support them

formalises the types and structure of ICT policy documents, their usage and relationships to other types of QGEA 2.0 documents

describes the current state of the government's investment in information and ICT

provides processes for development, management, approval and compliance of strategy, policy and related documents.218

213 Mr Spina, Transcript 30 October 2013: 4
214 Mr Spina, Transcript 30 October 2013: 4
215 Queensland Treasury and Trade, Financial Accountability Handbook: Information Sheet 3.3 – Information and Communication Technology (ICT), October 2013: 2
216 Queensland Government Chief Information Office, About us http://www.qgcio.qld.gov.au/about-us [1 April 2014]
217 Queensland Treasury and Trade, Financial Accountability Handbook: Information Sheet 3.3 – Information and Communication Technology (ICT), October 2013: 2
218 Queensland Government Chief Information Office, Queensland Government enterprise architecture 2.0 http://www.qgcio.qld.gov.au/products/about-the-qgea [1 April 2014]


DSITIA advised the Committee that the establishment of an IT management framework has commenced with a Director-General (DG) council having responsibility to manage ICT governance. The DG council will examine any ‘high-risk, high-cost’ ICT projects and provide advice to DSITIA.219

QTT explained that the scope of an agency’s ICT internal control activities is related to the size, nature and complexity of its systems and processes. In general, control activities should be developed and implemented in each of the following areas:

Application – test the operation of ICT applications to ensure that the applications correctly accept, manipulate, store and provide data and information to users

Security and access – regulate the operation of the ICT system by agency users, management and others, and ensure external parties cannot breach network security

Accounting – monitor processing controls applicable to the recording of financial and other transactions, complying with general accounting principles, specific regulatory requirements and agency management needs

Management and administration – monitor activities in overseeing the operations of ICT-related activities

New system implementation – governance structures established with accountability for delivering project outputs and beneficial outcomes, capable and appropriately skilled project managers, project and program management methodologies which include requirements for comprehensive reporting structures, sufficient parallel testing of systems prior to implementation, change management focused on seamless business integration and contingency planning, and

Business continuity – processes and plans need to be in place (and regularly tested) to ensure continuity of business following natural disasters or other external events.220

DSITIA further explained that all programs now follow the PPP methodology with more complex or riskier ICT programs obligated to undergo ‘an independent program assurance process to provide independent advice to the program boards’.221

The Committee queried whether there is software in place across all agencies and whether it was optional or a standard for all departments. DSITIA explained that their department was responsible for the shared services model, and that the organisation QSS, which sits within their department, is responsible for the financial processing of 18 departments (with the exception of Health and Education). DSITIA outlined that they have a ‘critical mass that can look across 18 departments to see what is going on.’222

However, one of the challenges faced by DSITIA is that much of the software technology in many departments is considered out-dated. The Committee also queried whether there were sufficient analytical skills currently in the agencies to manage data analytics as these can also be appropriately used as preventative fraud controls. DSITIA conceded that there may not be enough ‘people who are skilled in data analytical work’.223 But the Committee was advised that better delivery options such as software being used as a service (e.g. outsourcing) rather than owned in-house was being examined.224

219 Mr Spina, Transcript 30 October 2013: 4
220 Queensland Treasury and Trade, Financial Accountability Handbook: Information Sheet 3.3 – Information and Communication Technology (ICT), October 2013: 2-3
221 Mr Spina, Transcript 30 October 2013: 4
222 Mr Burnheim, Transcript 30 October 2013: 8
223 Mr Spina, Transcript 30 October 2013: 7
224 Mr Burnheim, Transcript 30 October 2013: 8


QTT added that they engaged PWC to be an internal auditor following results from a previous report which suggested that more could be done with their data analytics. QTT explained that PWC were able to assist immediately because as internal auditors, they would have expertise and knowledge and software capabilities. The outcome was a two-year data analytics plan in their department.225

DSITIA reiterated that the QSS system has now been in place for a decade and they consider that they now have a fairly strong centralised model where the assurance models and internal controls are considered to be fairly robust.226 The Auditor-General noted this but emphasised that part of the problem identified in the audit was the ‘lack of clarity as to who was responsible for what’.227 However, it is acknowledged that since then there has been a much clearer understanding of responsibilities and ‘there is clear documentation of where the control resides’.228

The Committee sought an update from all departments on their strategies for data mining and analytical review. All departments reported various ways in which they conduct data testing. For example, regular reviews of key expenditure or high vulnerability areas such as payroll or ‘accounts payable and receivable’ are undertaken on a monthly basis.229 In addition, those departments which have a Fraud and Corruption Committee in place receive biannual data analytics and regular controls monitoring summary reports.230 Some departments (e.g. DAFF) indicated that they are working with QSS to address the risk of fraudulent and unauthorised approvals of financial transactions by ensuring that data contained within the department's SAP Finance System is authorised, current and valid.231

9.2 Committee Comments

The Committee is pleased to note that some improvements have been made in regards to IT governance. The Committee understands that the IT area is one that needs regular monitoring and updating to prevent vulnerabilities being exposed to fraudulent activity. The Committee also considers that further work could be done to clarify or define areas of responsibilities for data mining or analytical monitoring within each department.

Recommendation 7

The Committee recommends that DPC and/or QTT coordinate with DSITIA to regularly review data mining and data analytics capabilities in all departments.

225 Mr Beavers, Transcript 30 October 2013: 8
226 Mr Burnheim, Transcript 30 October 2013: 10
227 Mr Greaves, Transcript 30 October 2013: 10
228 Mr Brahman, Transcript 30 October 2013: 10
229 Correspondence from Mr J Grayson, Director-General, DPC to FAC dated 30 May 2014, 3 & 18
230 Correspondence from Mr J Grayson, Director-General, DPC to FAC dated 30 May 2014, 18
231 Correspondence from Mr J Grayson, Director-General, DPC to FAC dated 30 May 2014, 38


10 Fraud control: setting the standard

An effective fraud prevention strategy incorporates an ‘ethical organisational culture, a strong awareness of fraud among employees and other stakeholders and an effective internal control framework’.232

ANAO issued a ‘Better Practice Guide’ on fraud control in 2011 which outlines that an effective fraud control plan should consist of the following features (Table 1).

Table 1: Key features of an effective fraud control plan

Key feature: An outline of the structure of the organisation.
Comment: Include reference to specific fraud control structures in this section of the plan.

Key feature: A statement of the entity’s attitude, definition and approach to fraud.
Comment: This statement should match that included in the entity’s Fraud Policy and be endorsed by the Chief Executive.

Key feature: Demonstrated links to an up-to-date risk assessment.
Comment: This promotes the link between fraud risk and fraud control. Examples should be provided to demonstrate this.

Key feature: Summary of the fraud risks identified.
Comment: This promotes awareness among staff of the fraud risks faced by an organisation.

Key feature: Outline the key controls in place to address all identified high-rated fraud risks.
Comment: Information should be provided on the types and nature of fraud controls to inform employees within the organisation. Where possible, links should be made to the organisation’s business planning process.

Key feature: Address both internal and external fraud risks.
Comment: Employees need to be aware of the existence of internal and external fraud.

Key feature: Include a timeline for taking action on all strategies.
Comment: This timeline should include realistic deadlines and include monitoring of the implementation of these strategies and controls.

Key feature: Assign ownership for the design, implementation and evaluation of identified fraud controls.
Comment: The assignment of ownership is critical in establishing accountability and promoting compliance with the fraud control plan. These responsibilities should also be highlighted in individual performance agreements.

Key feature: Reinforce the responsibilities that all employees have for fraud control.
Comment: This provides another avenue to remind employees of their responsibilities in relation to fraud control.

Key feature: Detail how employees can report and respond to suspected fraud.
Comment: This will provide employees with enough information on how, and to whom, they should report suspected instances of fraud.

Key feature: Outline how fraud is investigated within the organisation.
Comment: Information relating to the investigation process enables employees to understand how fraud is investigated and treated within their organisation.

Key feature: Establish performance indicators and related targets.
Comment: Appropriate performance indicators enable the adequate monitoring of the outcomes of proposed fraud control strategies.

Key feature: Include a summary of relevant awareness-raising and training strategies.
Comment: This provides information on the fraud awareness-raising activities that are undertaken.

Source: Australian National Audit Office, Fraud Control in Australian Government Entities, Better Practice Guide, Fraud Control Strategies – Overview, March 2011, 38

232 Commonwealth of Australia, 01 Fact Sheet AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines, August 2010: 1-2, http://www.finance.gov.au/sites/default/files/COV_216905_Risk_Management_Fact_Sheet_FA3_23082010_0.pdf [25 August 2014]


Fraud control forms part of an organisation’s internal control process which incorporates policies, procedures and systems. Internal control systems were addressed in the Auditor-General’s Report No. 5 2012 and in sections 3 – 6 of this report. This part of the report will focus predominantly on fraud control aspects as highlighted in the Auditor-General’s Report No. 9: 2012-13. These are:

Fraud control – policy development, management commitment, awareness and training

Techniques for preventing and detecting fraud

Assessing, reporting, investigating and monitoring fraud

10.1 Policy development

The CMC fraud and corruption control guidelines recommend that all agencies implement a fraud and corruption program which provides the necessary guidelines and is readily available to management and staff.233 Fraud control encompasses four key strategies: preventing, detecting and responding to fraud, and the ongoing monitoring, reporting and evaluation of those strategies.234

Other preventative measures that could be included in a fraud control plan are guidelines for managing conflicts of interest, employment screening, fraud awareness training, screening of service providers, analysis of higher-risk processes or activities, and effective anti-corruption programs.235

The Auditor-General emphasised that there was a need for an overarching fraud control plan in every agency. The strategy should include an implementation plan which addresses ways to prevent, detect and respond to fraud, and the plan should be subject to regular review.236 In addition, a fraud control officer should have responsibility for the plan and oversee its implementation in the agency.237

The Auditor-General found that one agency lacked a fraud control plan or a nominated fraud control officer. It was also reported that even though 80 per cent of staff surveyed in Report No. 9: 2012-13 knew about their organisation’s fraud and corruption control policies, the staff did not know who was responsible for the policy.238

The Committee was advised that there had been considerable improvement in the development of fraud policies by all departments. DPHW explained that there is now an updated fraud and corruption prevention policy, which incorporates new information on red flags to help employees identify potentially fraudulent behaviours.239 Similarly, Queensland Health acknowledged that the audit findings led to their department starting, and successfully completing, a fraud risk and control improvement project.240

233 Queensland Crime and Misconduct Commission, Fraud and Corruption Control: guidelines for best practice, March 2005: 2
234 Commonwealth of Australia, Australian National Audit Office, Fraud Control in Australian Government Entities, Better Practice Guide, Fraud Control Strategies – Overview, March 2011: 27
235 Commonwealth of Australia, Australian National Audit Office, Fraud Control in Australian Government Entities, Better Practice Guide, Fraud Control Strategies – Overview, March 2011: 41-47
236 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 12
237 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 13
238 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 13
239 Ms Turbit, Transcript 2 April 2014: 3
240 Ms Middleditch, Transcript 2 April 2014: 5


10.2 Management commitment

The ANAO suggests that the management of an entity should demonstrate a high level of commitment to fraud control. A lack of leadership, or poor leadership, in fraud prevention can result in a culture of complacency, diminishing the chances of fraud being reported.241 As management effectively ‘sets the tone at the top’, it is best placed to consider key elements including allocating resources to fraud control and coordinating an approach to addressing fraud risk. Management also has a role in ensuring that risk assessment is conducted across the organisation and in identifying gaps or weaknesses.242

Standards of expected behaviour should be set by management at senior levels, who should also be providing clear and consistent messages about fraud control.243

One common method of communicating fraud control and raising awareness is through an organisation’s code of conduct. A comprehensive code of conduct will include guidance on major policies and practical guidance on risks as well as decision-making tools to assist in dealing with reporting of fraud.244

Report No. 9: 2012-13 noted that each agency had a fraud control policy which was approved by the chief executive and supported by senior management. However, it was unclear who had the responsibility for implementing the fraud control policy in one of the agencies, which led to some confusion on the delivery of messages and activities.245

The Auditor-General also reported that one agency lacked formal accountability for fraud control. In addition, none of the agencies included fraud and corruption management in position descriptions or performance management systems or criteria for employees.246

The Committee heard from the three departments that, since the audit, they have adopted zero tolerance of fraud and corruption. For example, DPHW stated:

Fraud and corruption resistance is an important component of our integrity framework within the organisation that underpins our performance, professional standards and public confidence in the department.247

The Public Trustee also advised the Committee that, as it is the state’s fiduciary and has an operational focus on managing assets and money for other people, a zero tolerance attitude towards fraud in its activities is adopted.248

Queensland Health advised that the timing of the audit was particularly welcomed as it was conducted six months after their significant fraudulent event. The findings from the audit led to the establishment of a fraud and corruption working group, chaired by their chief governance officer. The department stated:

The idea of this group is to focus very much on sharing recent fraud related incidences—including fraud trends across the department, risk assessments in our branches and divisions, risk registers, data analytics and best practice—to ensure that every part of our organisation, which of course is quite large, has adequate fraud control coverage.249

241 Commonwealth of Australia, Australian National Audit Office, Fraud Control in Australian Government Entities, Better Practice Guide, Fraud Control Strategies – Overview, March 2011: 9
242 KPMG Australia, Fraud Risk Management: developing a Strategy for Prevention, Detection, and Response, 2006: 9-10
243 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 6
244 KPMG Australia, Fraud Risk Management: developing a Strategy for Prevention, Detection, and Response, 2006: 11
245 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 14
246 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 15
247 Ms Turbit, Transcript 2 April 2014: 2
248 Mr Crofton, Transcript 2 April 2014: 4
249 Ms Middleditch, Transcript 2 April 2014: 5


The Auditor-General added that it is primarily management’s responsibility to identify fraud or to prevent fraud from occurring in the first place whilst his role involves ensuring financial statements are free from material error and fraud.250

10.3 Awareness, education and training

Fraud awareness training is an effective way of ensuring that all employees have a general awareness of their responsibilities in dealing with fraud control. The ANAO suggests that fraud awareness training should cover matters such as recognising fraudulent behaviour or ‘red flags’ and the steps to take if there are concerns about potential fraud.251 For example, the red flags or early warning signs of fraudulent activity that can help identify possible fraudsters may include:

Table 2: Early warning signs for staff and/or workplaces at risk of fraud

Early warning signs: people

Unwillingness to share duties; refusal to take leave.

Refusal to implement internal controls.

The replacement of existing suppliers upon appointment to a position, or unusually close association with a vendor or customer.

A lifestyle above apparent financial means; the provision of gifts to other staff members.

Failure to keep records and provide receipts.

Chronic shortage of cash or seeking salary advances.

Past legal problems (including minor previous thefts).

Addiction problems (substance or gambling).

Early warning signs: areas or activities

Financial information reported is inconsistent with key performance indicators.

Abnormally high and increasing costs in a specific cost centre function.

Dubious record keeping.

High overheads.

Bank reconciliations not up to date.

Inadequate segregation of duties.

Reconciliations not performed on a regular basis.

Small cash discrepancies over a period of time.

Source: Commonwealth of Australia, Australian National Audit Office, Fraud Control in Australian Government Entities, Better Practice Guide, Fraud Control Strategies – Overview, March 2011: 56

A survey of 281 (private and public sector) organisations in 2013 showed that nearly half of the respondents either thought that warnings or indicators of fraud (‘red flags’) had been ignored, or were uncertain whether they had been acted upon. Although 51 per cent of the respondents were confident in their assertion that the ‘red flags’ were noted and acted upon, these results highlighted the need for ongoing training.252 It is therefore crucial that, as part of any training, staff are encouraged not to ignore the ‘red flags’ and to report them to the relevant authorities as outlined in their respective department’s fraud policies.253

Training and communications plans in an organisation should incorporate the development of fraud and misconduct awareness initiatives that are:

Comprehensive and based on job functions and risk areas

Integrated with other training efforts, whenever possible

Effective in a variety of settings, using multiple methods and techniques.254

250 Mr Greaves, Transcript 15 July 2014: 54-55
251 Commonwealth of Australia, Australian National Audit Office, Fraud Control in Australian Government Entities, Better Practice Guide, Fraud Control Strategies – Overview, March 2011: 44
252 KPMG Australia, Survey of fraud, bribery and corruption in Australia and New Zealand, 2013: 29-30
253 Commonwealth of Australia, Australian National Audit Office, The Auditor-General Audit Report No. 45 2001-02, Assurance and Control Assessment Audit: Recordkeeping, May 2002: 42
254 KPMG Australia, Fraud Risk Management: developing a Strategy for Prevention, Detection, and Response, 2006: 13


The Auditor-General emphasised that formal documentation such as fraud control policy or plans are only effective if all staff are aware of them.255

The Auditor-General’s office advised the Committee that employees were less likely to be alert to fraud risk if fraud specific education and awareness training is not provided.256

Although each agency provided induction training and raised awareness on ethics and integrity, specific fraud control messages had previously been excluded. Similarly, there was limited specific fraud awareness training, although training was provided on official misconduct issues. Report No. 9: 2012-13 noted that there had been some improvements in these areas, with one agency implementing specific awareness training to support its fraud and corruption prevention policy. One agency had provided staff with training on official misconduct, whilst in another agency fraud awareness training had been inconsistent and uncoordinated.257

The Committee was advised that QTT had conducted a whole-of-Government Fraud Awareness Day in February 2013, which was attended by over 400 individuals.258 Following that day, online PowerPoint presentations on fraud training had been released to all departments. The Committee sought clarification on the outcomes from the training and was informed that a system is in place to ‘track who has done it and who has not’, and this can be followed up by the respective departmental management.259

DPHW stated:

Considerable work has actually happened within the organisation in respect of the fraud awareness campaign… We have an annual misconduct prevention briefing, which focuses on fraud and corruption that was rolled out across the department from November last year. Every area of the department has identified that that briefing has been communicated to each of the areas. Further, we have proactively communicated fraud related information on a periodic basis to raise awareness and reinforce the prevention message.260

The Public Trustee is also in the process of developing a comprehensive online training course for all employees, who are expected to complete it and achieve 100 per cent in the assessment attached to the course.261

The departments also advised that regular training or briefings for staff have been conducted since the audit. For example, Queensland Health successfully conducted its fraud awareness month in February, which incorporates a fraud awareness challenge for attendees.262 These challenges include targeted discussions around case studies, which are sent to divisions and assist supervisors and staff in gaining a further understanding of ‘what fraud is’, ‘how to detect it’ and ‘what might occur if found guilty of fraudulent misconduct’.263

Queensland Health informed the Committee that they had observed an increase in vigilance and in the reporting of suspected fraudulent activities by their staff since fraud awareness education was provided.264 Similarly, DPHW noted that there was increased awareness about fraud and more ‘conversation about it’, and this creates a more comfortable environment for staff to report any suspicions.265

255 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 6
256 Ms Campbell, Transcript 2 April 2014: 2
257 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 15
258 Responses to Questions taken on notice at Public departmental briefing 30 October 2013: 2
259 Mr Beavers, Transcript 30 October 2013: 5
260 Ms Turbit, Transcript 2 April 2014: 2
261 Mr Crofton, Transcript 2 April 2014: 4
262 Ms Middleditch, Transcript 2 April 2014: 5
263 Ms Middleditch, Transcript 2 April 2014: 8
264 Ms Middleditch, Transcript 2 April 2014: 9
265 Ms Turbit, Transcript 2 April 2014: 9-10


10.4 Committee comments

The Committee understands that basic fraud awareness training is being provided to employees in the public sector and that there has been an increase in awareness in those departments audited in Report No. 9: 2012-13. The Committee had earlier recommended that fraud awareness training be expanded to all departments.

The Committee believes that fraud awareness training should also be evaluated regularly to determine if objectives of the training were achieved and that awareness of responsibilities within the workplace has increased. The Committee is concerned that there has been no evaluation conducted to verify the success or levels of awareness of fraud across other agencies following the training provided.

The Committee is also concerned that there is potential to become complacent about fraud awareness over time. As such, the Committee considers that there is some value in regular testing of the robustness of fraud prevention protocols within departments. By way of example, one tool regularly used by businesses or retailers to measure customer service excellence is the ‘mystery shopper’.

It is also unclear if all agencies (with exception of Queensland Health) have recorded an increase in vigilance or reporting of suspected fraudulent activities. The Committee considers that a monitoring or assessment of the level of fraud awareness should be conducted in all departments.

Recommendation 8

The Committee recommends that departments conduct surveys to identify areas of concern or gaps, particularly where early warnings or ‘red flags’ have previously been ignored, and to ensure that policies or clear reporting avenues are available to employees; and that the learnings from these surveys be coordinated by DPC and/or QTT and shared with all departments.

Recommendation 9

Regular testing of fraud prevention protocols is also considered to be mandatory in each department. The Committee recommends that DPC and/or QTT liaise with all departments to conduct random testing of fraud prevention protocols.

Recommendation 10

The Committee recommends that DPC and/or QTT undertake an analysis of the level of fraud awareness in the departments and maintain statistical information on the reporting of suspected fraudulent activities as a record of vigilance in the workplace.

Recommendation 11

The Committee recommends that fraud awareness training be followed up with ongoing monitoring by DPC and/or QTT to ensure that employees’ awareness level remains consistently high in all departments.


11 Fraud control: tools and systems

The ANAO considers that a fraud risk assessment process should take into account the context of the risk in the organisation: the organisation’s objectives, the issues relating to the risk itself, its causes and impacts, and the measures required. An organisation must also identify its internal and external fraud risks. The ANAO advised that potential risks that could arise, for example as a result of changes in an IT system, must be taken into account in the fraud risk assessment process.266 The Fraud Control Guidelines produced in 2011 also emphasise the importance of monitoring and reviewing a fraud risk assessment at least every two years.267

The ANAO identified a range of fraud preventative strategies that should be considered by any entity to manage its risks (Figure 8).

Figure 8: Fraud prevention measures

Source: Taken from Australian National Audit Office, Fraud Control in Australian Government Entities, Better Practice Guide, Fraud Control Strategies – Overview, March 2011: 32

The ANAO explains that preventative measures at the base of the triangle need to be implemented by any entity to have an effective fraud control framework. Strategies at the apex of the triangle are more appropriate for entities with significant fraud exposure and/or significant resources to introduce those controls.268

The types of potential fraud risk vary with the way in which a department conducts its business. For example, an entity whose function is to provide service delivery to the public through outsourcing or contracting with third-party providers may be exposed to fraudulent charges for services or goods that are not delivered.269

266 Commonwealth of Australia, Australian National Audit Office, Fraud Control in Australian Government Entities, Better Practice Guide, Fraud Control Strategies – Overview, March 2011: 37
267 Commonwealth of Australia, Attorney-General’s Department, Commonwealth Fraud Control Guidelines, 2011: 9
268 Commonwealth of Australia, Australian National Audit Office, Fraud Control in Australian Government Entities, Better Practice Guide, Fraud Control Strategies – Overview, March 2011: 31
269 Commonwealth of Australia, Australian National Audit Office, Fraud Control in Australian Government Entities, Better Practice Guide, Fraud Control Strategies – Overview, March 2011: 35


11.1 Fraud risk assessments

Fraud prevention strategies are considered to be the first line of defence and the most cost-effective method of controlling fraud in an organisation.270 The Auditor-General highlighted that prevention involves:

developing appropriate documentation and standard setting by management to minimise the agency’s exposure to fraud

raising employees’ awareness about the agency’s expectations and standards, as well as the employees’ obligations to report suspected fraud

risk identification for prioritising and addressing fraud risks, and putting appropriate controls in place.271

Report No. 9: 2012-13 outlined that none of the three agencies used specific fraud risk assessments to prioritise and direct fraud detection efforts and to identify fraud risks. The QAO stated:

While senior management was committed to fraud control, this was not being supported by visible processes to actively prevent, detect and respond to fraud.272

The Auditor-General suggested that without fraud risk assessments, the agencies are unable to correctly identify and address risks or determine whether their controls are effective.273 One of the three agencies last conducted an assessment of its fraud risk in 2009. The Auditor-General stated that the disparity between an agency’s fraud risk profile and its fraud control activities increases with the time between assessments.274 It was found that fraud control in all the agencies was based on past experience rather than on a comprehensive assessment of their respective vulnerability to fraud.275

Since the audit, all departments have taken action to update their fraud strategies. DPHW noted that they specifically incorporated in their fraud and corruption framework the 15 better practice fraud control attributes identified in the QAO audit.276

11.2 Prevention: employment screening and due diligence

Australian Standard 4811-2006 specifies the guidelines for the employment screening process, which allows for the verification of the identity, integrity and credentials of an individual (with their consent).277

The ANAO’s guide ‘Fraud Control in Australian Government Entities’ outlines some practical steps in screening of a new staff member. These should include:

verification of identity, including presentation of two different forms of identity documents

police criminal history search in all states and any countries where the individual has resided

reference checks with the two most recent employers and any public sector employer

270 Commonwealth of Australia, Australian National Audit Office, Fraud Control in Australian Government Entities, Better Practice Guide, Fraud Control Strategies – Overview, March 2011: 31
271 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 6
272 Ms Campbell, Transcript 2 April 2014: 2
273 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 18
274 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 18
275 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 19
276 Ms Turbit, Transcript 2 April 2014: 3
277 AS 4811-2006 Employment Screening: 39


checking with any relevant professional licensing or registration board to determine whether an inquiry by a professional licensing or registration body is pending. Examples include such organisations as the Institute of Chartered Accountants in Australia, CPA Australia or the relevant State or Territory Bar Association

consideration through interview and any necessary follow-up of any employment history gaps and reasons for those gaps and

verification of qualifications through an independent source, for example, by calling the relevant institutions rather than relying on information or documentation provided by the individual.278

The audit found that all three agencies conducted employment screening of prospective staff, including criminal history checks, but this was not applied to staff on temporary contracts because of the costs and time involved. Report No. 9: 2012-13 also noted that due diligence was carried out for suppliers and contractors, with one agency requiring its staff in procurement roles to sign annual declarations of compliance with internal policies.279

11.3 Detection: analysing data

The ANAO considers fraud detection to be an important component of government programs, and suggests that there are two main categories of fraud detection: passive and active measures. Passive measures include controls or activities that do not require the ongoing involvement of management, for example a reporting ‘hotline’.280

Notification by an external party or employee accounts for 47 per cent of fraud detections for the largest frauds committed in Australia.281 A telephone ‘hotline’ and other reporting channels such as email or mail are options that are readily available to anyone, and the reporting person can choose to remain anonymous.282 Although these options should be used only when alternative reporting mechanisms are ineffective or impractical, employees should be encouraged to report any suspicious behaviour or action.283

Active measures are those that require the assertive involvement of management. These measures are specifically designed to detect, or assist in detecting, fraud within an organisation. Active measures fall into two main categories: monitoring and review activities, focused on employees and customers at risk; and data mining activities, which include targeted audits through hot spot analysis, internal audit, quality assurance and the analysis of management accounting reports.284

278 Commonwealth of Australia, Australian National Audit Office, Fraud Control in Australian Government Entities, Better Practice Guide, Fraud Control Strategies – Overview, March 2011: 42

279 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 19

280 Commonwealth of Australia, Australian National Audit Office, Fraud Control in Australian Government Entities, Better Practice Guide, Fraud Control Strategies – Overview, March 2011: 53

281 KPMG Australia, Fraud and Misconduct Survey 2010 Australia and New Zealand, 2010: 12

282 KPMG Australia, Fraud risk management. Developing a strategy for prevention, detection, and response, 2006: 14

283 Commonwealth of Australia, Australian National Audit Office, Fraud Control in Australian Government Entities, Better Practice Guide, Fraud Control Strategies – Overview, March 2011: 54

284 Commonwealth of Australia, Australian National Audit Office, Fraud Control in Australian Government Entities, Better Practice Guide, Fraud Control Strategies – Overview, March 2011: 53 & 56


The Auditor-General emphasised that detection systems put in place can have a deterrent effect on potential fraudsters.285 Proactive data analysis such as auditing and monitoring systems is an important component of fraud detection. Auditing and monitoring activities should be performed in areas where:

there are specific concerns about a key procedure, account or position

there is a history of fraud or misconduct within the department/agency

there is high employee turnover or organisational change

laws or regulations have changed significantly

there is a legal requirement to conduct an audit or where agencies are targeting enforcement actions.286

Proactive data analysis, unlike retrospective analysis, has the benefit of identifying potentially fraudulent activity on a regular basis, allowing the organisation to focus on the specific areas that pose particularly strong risks.287 The Auditor-General explained that there is considerable value in having data analytics as a complementary tool to fraud risk assessment in any fraud control program. For example, data analytics can be used to obtain a retrospective view to inform management decisions on ongoing monitoring; data analytics therefore also has a preventative role, as it can be used to identify gaps in fraud control.288

Data analytics can be further used to:

test for suspicious activities or anomalous transactions (e.g. potential fraud)

identify areas where there are opportunities for efficiency improvements (e.g. rostering)

detect overpayments and cost recovery opportunities for the agency (e.g. duplicate invoicing)

facilitate the risk ranking of particular transactions or to target potential operational hot spots (e.g. particular business units or personnel).289

Report No. 9: 2012-13 found that only one agency had a dedicated data analytics capability, but this was not widely known within the agency. The other two agencies audited had electronic data analysis, but it was limited to procurement or other areas rather than being used for fraud detection.290

The audit also reported that existing controls in one agency were adequate to manage any potential risks identified. The QAO will re-examine the results of data analytics and the respective agencies’ detailed investigations in the next financial audit cycle.291

However, the Auditor-General noted that the in-house data analytics of two agencies were being improved, that the results of the data analytics had been examined in further detail, and that no transactions were found to be illegitimate.292

285 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 6

286 KPMG Australia, Fraud risk management. Developing a strategy for prevention, detection, and response, 2006: 15

287 KPMG Australia, Fraud risk management. Developing a strategy for prevention, detection, and response, 2006: 16

288 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 20

289 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 20

290 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 20

291 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 21

292 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 21


The DPHW confirmed that significant improvement had been made to their data analytics. The department explained:

On a monthly basis we have a range of tests that run across the department to identify anomalies which are indicators of fraud—for example, in relation to the vendor master data, if there is an invalid vendor in there, if there is a cancelled vendor or if there are blank ABNs—so there are a number of tests we run across the vendor master file. With corporate card data, we look at things like weekend transactions, consecutive invoices numbering or multiple payments to vendors by one employee, so there is a raft of tests that we have started. We have a whole program going to 30 June 2015 that is a rollout of the data analytics framework within the organisation.293
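As an added example (not code from the report, DPHW or the Public Trustee), the following implements the kinds of monthly tests described above, together with the duplicate-invoice detection and risk ranking uses listed under 11.3, over a constructed vendor master file and payment ledger. Field names, the repeat-payment threshold and all sample records are assumptions; the ABN check is the ATO's published modulus-89 checksum.

```python
"""Fraud-indicator tests over a vendor master file and a payment ledger.

Added example, not DPHW's or the report's code. Field names, thresholds and
all sample records are constructed; the ABN check is the ATO's published
modulus-89 algorithm.
"""
import re
from collections import Counter, defaultdict
from datetime import date

# Constructed vendor master file (sample data, not real vendors).
VENDORS = [
    {"id": "V001", "name": "Acme Supplies", "abn": "51824753556", "status": "active"},
    {"id": "V002", "name": "Bolt Traders", "abn": "", "status": "active"},  # blank ABN
    {"id": "V003", "name": "Old Vendor", "abn": "53004085616", "status": "cancelled"},
    {"id": "V004", "name": "Quick Fix", "abn": "12345678901", "status": "active"},  # bad checksum
]

# Constructed corporate card / payment ledger. 2014-03-15 is a Saturday.
PAYMENTS = [
    {"id": "P1", "employee": "E10", "vendor": "V001", "invoice": "INV-1001", "amount": 480.0, "date": date(2014, 3, 3)},
    {"id": "P2", "employee": "E10", "vendor": "V001", "invoice": "INV-1002", "amount": 495.0, "date": date(2014, 3, 10)},
    {"id": "P3", "employee": "E10", "vendor": "V001", "invoice": "INV-1003", "amount": 490.0, "date": date(2014, 3, 15)},
    {"id": "P4", "employee": "E11", "vendor": "V003", "invoice": "INV-77", "amount": 1200.0, "date": date(2014, 3, 5)},
    {"id": "P5", "employee": "E12", "vendor": "V999", "invoice": "A-1", "amount": 250.0, "date": date(2014, 3, 6)},
    {"id": "P6", "employee": "E12", "vendor": "V002", "invoice": "B-9", "amount": 300.0, "date": date(2014, 3, 7)},
    {"id": "P7", "employee": "E12", "vendor": "V002", "invoice": "B-9", "amount": 300.0, "date": date(2014, 3, 10)},
]

ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)


def valid_abn(abn: str) -> bool:
    """ATO checksum: subtract 1 from the first digit, weight the digits, sum mod 89 == 0."""
    if not (abn.isdigit() and len(abn) == 11):
        return False
    digits = [int(c) for c in abn]
    digits[0] -= 1
    return sum(d * w for d, w in zip(digits, ABN_WEIGHTS)) % 89 == 0


def vendor_master_tests(vendors):
    """Vendor master tests: blank ABN, ABN failing its checksum, cancelled vendor still on file."""
    findings = []
    for v in vendors:
        if not v["abn"]:
            findings.append(("blank_abn", v["id"]))
        elif not valid_abn(v["abn"]):
            findings.append(("invalid_abn", v["id"]))
        if v["status"] == "cancelled":
            findings.append(("cancelled_vendor", v["id"]))
    return findings


def _invoice_number(invoice: str):
    """Trailing digits of an invoice reference, or None if it has none."""
    m = re.search(r"(\d+)$", invoice)
    return int(m.group(1)) if m else None


def payment_tests(payments, vendors, repeat_threshold=3):
    """Ledger tests; returns {payment id: [indicator names]} for flagged payments only."""
    on_file = {v["id"]: v for v in vendors}
    flags = defaultdict(list)
    for p in payments:
        vendor = on_file.get(p["vendor"])
        if vendor is None:
            flags[p["id"]].append("unknown_vendor")  # paid to an id not in the master file
        elif vendor["status"] == "cancelled":
            flags[p["id"]].append("cancelled_vendor")
        if p["date"].weekday() >= 5:  # 5 = Saturday, 6 = Sunday
            flags[p["id"]].append("weekend_transaction")
    # Duplicate invoicing: the same vendor/invoice reference paid more than once.
    seen = Counter((p["vendor"], p["invoice"]) for p in payments)
    for p in payments:
        if seen[(p["vendor"], p["invoice"])] > 1:
            flags[p["id"]].append("duplicate_invoice")
    # Per employee/vendor pair: many payments by one employee, and invoice numbers that
    # run consecutively (a vendor whose only customer appears to be this employee).
    pairs = defaultdict(list)
    for p in payments:
        pairs[(p["employee"], p["vendor"])].append(p)
    for group in pairs.values():
        if len(group) >= repeat_threshold:
            for p in group:
                flags[p["id"]].append("repeat_payments_one_employee")
        nums = sorted(n for n in map(_invoice_number, (p["invoice"] for p in group)) if n is not None)
        if len(nums) >= 3 and all(b - a == 1 for a, b in zip(nums, nums[1:])):
            for p in group:
                flags[p["id"]].append("consecutive_invoice_numbers")
    return dict(flags)


def risk_ranking(payments, flags):
    """Rank payments by indicator count and roll counts up to employee hot spots."""
    count = lambda p: len(flags.get(p["id"], []))
    ranked = [(p["id"], count(p)) for p in sorted(payments, key=lambda p: (-count(p), p["id"]))]
    hot_spots = Counter()
    for p in payments:
        hot_spots[p["employee"]] += count(p)
    return ranked, hot_spots.most_common()


if __name__ == "__main__":
    flagged = payment_tests(PAYMENTS, VENDORS)
    print(vendor_master_tests(VENDORS), flagged, risk_ranking(PAYMENTS, flagged), sep="\n")
```

Each indicator is a prompt for a discrete investigation, not a finding of fraud; as the text notes, investigation results should feed back into the tests so thresholds and rules can be adjusted.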

Similarly, the Public Trustee outlined that the audit had ‘prompted their office to reconsider the data analytics of routine almost automated computer reports information that can be garnered in an effort to identify potential fraud’.294 Information from discrete investigation is fed back into the data analytics program so that changes, where required, can be made. In addition, the department also reviews their ‘analogs and sister organisations (where possible) in other jurisdictions’.295

11.5 Committee comments

The Committee is pleased that significant improvements have been made by the audited departments in their data analytics and in their respective fraud and corruption programs. The Committee is still uncertain about the testing of the data analytics, i.e. what systems are in place to regularly test for gaps in the data analytics programs. Further, the Committee also believes that methods of testing and findings are shared between all government departments and agencies.

Recommendation 12

The Committee recommends that DPC and/or DSITIA investigate the data analytics testing and examine whether there is whole-of-government sharing of information.

293 Ms Turbit, Transcript 2 April 2014: 3

294 Mr Crofton, Transcript 2 April 2014: 5

295 Mr Crofton, Transcript 2 April 2014: 5


12 Fraud control: Reporting and monitoring

The ANAO considers fraud response to be a key element of the overall fraud control framework, which usually begins with a fraud investigation process.296 The Auditor-General outlined that agencies need to have mechanisms in place, and the capacity, to address and respond appropriately to suspected fraud. Investigations can be conducted internally, by an external organisation, or by an oversight or law enforcement agency. An investigation and appropriate action or prosecution for fraudulent activities plays an important deterrent role for other potential fraudsters. The process usually also involves the recovery of any losses of public money.297 Subsequent corrective actions may also include examining the cause of the control breakdown, mitigating the risks and ensuring controls are strengthened.298

The ANAO suggests that regular monitoring and revision of all fraud control plans ensures that the intended outcomes for an organisation are met.299

The process of testing the effectiveness of a fraud control plan could include:

ensuring risk assessments have been undertaken appropriately

awareness-raising and training are evaluated and are shown to work well in practice

allegations are recorded, analysed and followed-up in a timely fashion

cases of fraud are dealt with according to applicable external and internal standards

remedies are applied appropriately

information on cases of fraud is used to update the fraud risk assessment and strengthen controls

accurate information is provided to the Audit Committee on a timely basis.300

Reporting the outcomes of fraud control activities undertaken can also act as a deterrent to potential fraudsters. In addition, reviewing fraud controls will assist agencies in better administering their future programs; for example, gaps or weaknesses can be identified and reviewed.301

The Auditor-General emphasised the need for an effective fraud control policy throughout Report No. 9: 2012-13, and that fraud control strategies should be subjected to regular monitoring, evaluation and review.302

296 Commonwealth of Australia, Australian National Audit Office, Fraud Control in Australian Government Entities, Better Practice Guide, Fraud Control Strategies – Overview, March 2011: 63

297 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 6-7

298 KPMG Australia, Fraud risk management. Developing a strategy for prevention, detection, and response, 2006: 18

299 Commonwealth of Australia, Australian National Audit Office, Fraud Control in Australian Government Entities, Better Practice Guide, Fraud Control Strategies – Overview, March 2011: 73

300 Commonwealth of Australia, Australian National Audit Office, Fraud Control in Australian Government Entities, Better Practice Guide, Fraud Control Strategies – Overview, March 2011: 76

301 KPMG Australia, Fraud risk management. Developing a strategy for prevention, detection, and response, 2006: 21-22

302 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 7


12.1 Assessment

The Auditor-General notes that the assessment process is the responsibility of an organisation or agency’s integrity unit. Investigation of a fraudulent activity, and the type of response required to address it, depends on the extent and seriousness of the fraud.303 The ANAO suggests that this should then be followed by an investigation into the situation that allowed the fraudulent activity to occur. The investigation should examine whether the fraud was committed as a result of a one-off action by one person or through inadequate internal controls, and whether there was collusion in which internal controls were overridden by two or more people.304

12.2 Investigations

The Auditor-General emphasised the importance of an organisation’s investigation policy and processes. He considered that these must reflect the legislative, policy and practical requirements that are crucial for a successful prosecution of a fraud activity.

Report No. 9: 2012-13 outlined that, where an investigation uncovers fraud, the agency should:

maximise the recovery of stolen funds or property

report the matter to the appropriate external agency

identify and address the control weaknesses which permitted the fraud to occur.305

The audit found that two (of three) agencies have dedicated integrity units which were responsible for managing all suspected fraud complaints, and the third agency has a fraud control officer. One of the integrity units had developed a consistent approach to responding to suspicions of fraud and plays an important role in updating the code of conduct training and annual fraud risk awareness briefing documents.306

DPHW advised the Committee that their integrity services unit undertakes a yearly review of fraud and corruption matters and identifies any systematic matters to be incorporated in their misconduct prevention plan the following year.307

The Committee was advised that fraud reporting guidelines were in place in all departments and some departments have either appointed a fraud control officer or a fraud control group/committee, or an integrity unit.308

12.3 Monitoring and statutory reporting

All agencies audited are aware of the legislative requirements for referring suspected or actual fraud to the relevant agencies, and fraud matters are reported to the audit and risk committee. However, the audit found that, instead of this reporting being a standing agenda item, most of it was done on an ad hoc basis.309 The Auditor-General commented that there was scope for all agencies to improve the communication of investigation outcomes and lessons learnt to their business units.310

303 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 24

304 Commonwealth of Australia, Australian National Audit Office, Fraud Control in Australian Government Entities, Better Practice Guide, Fraud Control Strategies – Overview, March 2011: 76

305 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 24

306 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 25

307 Ms Turbit, Transcript 2 April 2014: 4

308 Correspondence from Mr J Grayson, Director-General, DPC to FAC dated 30 May 2014

309 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 26

310 Queensland Audit Office, Report No. 9: 2012-13 Fraud risk management, March 2013: 25


The Committee was advised that improvements had been made in all audited departments following Report No. 9: 2012-13. In regard to HHSs, Queensland Health provided assistance in explaining to them their legislative responsibilities and their responsibilities as statutory bodies within government. Queensland Health considered that they have now established their own capabilities and understanding of their responsibilities around corruption, misconduct and fraud related activities.311

12.4 Committee comments

The Committee is satisfied that issues identified in the audit report have been substantially addressed by the departments, and that monitoring action is being undertaken by respective management. The Committee supports the Auditor-General’s views that there was further scope for improved communication of outcomes of fraud investigations to business units as well as to other departments. The Committee considers that an open and transparent communication on fraud investigations will act as a deterrent to potential fraudsters.

The Committee considers that fraud is a continually evolving process and departments need to be proactive in combating fraudulent activity.

Many of the responses to the Committee’s questions indicated the involvement of departmental internal audit and audit committees. The Committee considers that audit committees should take an active role in the prevention and deterrence of fraud. Audit committees should also set the agenda for ensuring that an effective ethics and compliance program is adopted by management, and should take an active interest in ensuring that appropriate action is taken when fraud is discovered. Audit committees are also the ally of both external and internal audit in ensuring that timely action is taken, and they follow up on any proposed actions.

The Committee also believes that the sharing of outcomes of investigations with business units within each department can assist with identifying gaps in knowledge, policies or processes.

Recommendation 13

The Committee recommends that DPC and/or QTT investigate whether communications of outcomes of fraud investigations are being distributed to business units and all departments, and that a standard procedure for such communiques be implemented.

311 Ms Middleditch, Transcript 2 April 2014: 7


Appendices


Appendix A – Officers appearing on behalf of departments at the public hearing (Auditor-General Report No. 5: 2012 Internal Control Systems) – Wednesday 30 October 2013

Mr Alex Beavers, Deputy Under Treasurer, Queensland Treasury and Trade

Mr Andrew Greaves, Auditor-General, Queensland Audit Office

Mr Andrew Spina, Deputy Director-General, Government ICT, Department of Science, Information Technology, Innovation and the Arts

Mr Brahman, Assistant Auditor-General, Queensland Audit Office

Ms Lee Clayton, Principal Accountant, Fiscal and Financial Management Branch, Queensland Treasury and Trade

Mr Michael Burnheim, Assistant Director-General, Shared Services, Department of Science, Information Technology, Innovation and the Arts

Mr Phil Richardson, Director, Economic Policy, Department of the Premier and Cabinet


Appendix B – Officers appearing on behalf of departments at the public hearing (Auditor-General Report No. 9: 2012-13 Fraud Risk Management) – Wednesday 2 April 2014

Mr Michael Booth, Assistant Auditor-General, Queensland Audit Office

Ms Terry Campbell, Assistant Auditor-General, Queensland Audit Office

Mr Mark Crofton, Acting Public Trustee, Public Trustee of Queensland

Ms Caroline Hannigan, Director Governance and Executive Directorate, Public Trustee of Queensland

Mr Lee Hutchison, A/Chief Governance Officer, Queensland Health

Ms Susan Middleditch, Deputy Director-General, System Support Services, Queensland Health

Ms Donalee Moriarty, Acting Executive Director, Executive Services, Communications and Performance, Department of Housing and Public Works

Ms Susan Murphy, Manager, Integrity Services, Department of Housing and Public Works

Mr Tim Murphy, Executive Director, Investment Services and Chief Finance Officer, Public Trustee of Queensland

Ms Robyn Turbit, Assistant Director-General, Corporate and Executive Services, Department of Housing and Public Works

Mr Malcom Wilson, Chief Finance Officer, System Support Services, Queensland Health


Appendix C – COSO internal control framework

The Committee of Sponsoring Organisations of the Treadway Commission (COSO) is a joint initiative of the five United States (US) based private-sector organisations below:

American Accounting Association

American Institute of Certified Public Accountants

Financial Executives International

Institute of Management Accountants

The Institute of Internal Auditors312

COSO was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private-sector initiative that examined causal factors leading to fraudulent financial reporting. The aim of COSO is to provide leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.313

COSO published Internal Control – Integrated Framework in 1992. The report established a common definition of internal control that serves the needs of different parties in assessing and improving their control systems.314

Since then, the framework has gained broad acceptance and is now widely used around the world. The COSO framework is well known for its design, implementation and evaluation of the effectiveness of internal control. COSO sponsors and disseminates frameworks and guidance based on in-depth research, analysis and best practices.315

COSO outlines the components of an internal control framework (Figure 9) as:316

The control environment – provides discipline, process and structure. Senior management demonstrates the tone from the top regarding the importance of internal control and expected standards of conduct. Other control environment factors include the integrity, ethical values and competence of the people within an entity.317

Risk assessment – involves a process to identify and analyse internal and external risks to achieving objectives. It also takes into consideration how risks should be managed. Risk assessment is required to be consistent to be effective.318

Control activities – include policies and procedures to help ensure management’s directives to mitigate risks to the achievement of objectives are carried out. Control activities occur at all levels within an organisation and include processes such as approvals, authorisations, reviews of operating performance and segregation of duties.319

Information and communication – involves the communication of control responsibilities throughout the entity and providing information in a form and timeframe that allows officers to discharge their responsibilities. To be effective, communication flow has to be clear from management enabling all employees to understand their role in internal controls.320

312 Committee of Sponsoring Organizations of the Treadway Commission http://www.coso.org/aboutus.htm [4 March 2014]

313 Committee of Sponsoring Organizations of the Treadway Commission http://www.coso.org/aboutus.htm [4 March 2014]

314 Committee of Sponsoring Organizations of the Treadway Commission http://www.coso.org/guidance.htm [4 March 2014]

315 Queensland Audit Office, Report No 5: 2012-13 Internal Control Systems: June 2012: 6

316 Queensland Audit Office, Report No 5: 2012-13 Internal Control Systems: June 2012: 7

317 COSO, Internal Control – Integrated Framework Executive Summary, 1992: 2

318 COSO, Internal Control – Integrated Framework Executive Summary, 1992: 2

319 COSO, Internal Control – Integrated Framework Executive Summary, 1992: 2

320 COSO, Internal Control – Integrated Framework Executive Summary, 1992: 2


Monitoring of controls – includes observing internal controls in practice and the assessment of the effectiveness of the internal controls. There is a direct relationship between an entity’s objectives and the components of what is needed to achieve the objectives.321

Figure 9: Components of an internal control framework Source: Victorian Auditor-General’s office from Queensland Audit Office, Report No. 5: 2012 Internal Control Systems, June 2012: 6

It should be noted that having internal controls cannot ensure an entity’s success. The COSO report noted:

An internal control system, no matter how well conceived and operated, can provide only reasonable - not absolute - assurance to management and the board regarding achievement of an entity's objectives.322

The COSO report also outlined the roles and responsibilities for an internal controls system:

Management: The CEO is ultimately responsible and assumes ownership of the system. The CEO is responsible for setting the tone that affects integrity, ethics and other factors of a positive control environment. Senior managers, in turn, assign responsibility for establishment of more specific internal control policies and procedures to personnel responsible for the unit's functions.

Board of Directors: Provides governance, guidance and oversight to management.

Internal Auditors: Play a significant monitoring role in evaluating the effectiveness of control systems and contribute to ongoing effectiveness.

Other Personnel: All employees produce information used in the internal control system or take other actions needed to effect control. All personnel should be responsible for communicating upward problems in operations, noncompliance with the code of conduct, or other policy violations or illegal actions.323

321 COSO, Internal Control – Integrated Framework Executive Summary, 1992: 3

322 COSO, Internal Control – Integrated Framework Executive Summary, 1992: 4

323 COSO, Internal Control – Integrated Framework Executive Summary, 1992: 4


COSO suggested that, with significant changes in businesses and operating environments, which are becoming increasingly complex and technology driven, an update to the 1992 framework was required.

Updated guidance on internal control was released in 2013. The five components in Figure 9 are unchanged, in that there is still a requirement to consider all five components when assessing the effectiveness of internal control systems. The updated framework includes enhancements and clarifications intended to ease use and application. For example, the financial reporting category of objectives now includes other forms of reporting, such as non-financial and internal reporting. Other changes include expectations for governance oversight; expectations for competencies and accountability; and the use of, and reliance on, evolving technologies.324

COSO’s updated framework is expected to further assist organisations in designing and implementing internal controls.

There are seventeen principles representing the fundamental concepts associated with each of the five components of the framework. These principles supporting the components are:

Control Environment

1. The organisation demonstrates a commitment to integrity and ethical values.

2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

4. The organisation demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

5. The organisation holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk Assessment

6. The organisation specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

7. The organisation identifies risks to the achievement of its objectives across the entity and analyses risks as a basis for determining how the risks should be managed.

8. The organisation considers the potential for fraud in assessing risks to the achievement of objectives.

9. The organisation identifies and assesses changes that could significantly impact the system of internal control.

Control Activities

10. The organisation selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

11. The organisation selects and develops general control activities over technology to support the achievement of objectives.

12. The organisation deploys control activities through policies that establish what is expected and procedures that put policies into action.

324 COSO, Internal Control – Integrated Framework Executive Summary, May 2013: i


Information and Communication

13. The organisation obtains or generates and uses relevant, quality information to support the functioning of internal control.

14. The organisation internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

15. The organisation communicates with external parties regarding matters affecting the functioning of internal control.

Monitoring Activities

16. The organisation selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

17. The organisation evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.325

Although internal control provides reasonable assurance of achieving objectives, there are limitations, and an effective system can still fail. Internal controls can be affected by ‘faulty’ or biased judgement in decision making. Human failures, such as simple errors, or the collusion of two or more people in overriding internal controls, can result in internal control failure. Other limitations include the suitability of the objectives established as a precondition to internal control, and external events which are beyond the organisation’s control. Management should take these limitations into consideration when selecting, developing or deploying controls in their respective organisations.326

325 COSO, Internal Control – Integrated Framework Executive Summary, May 2013: 6-7

326 COSO, Internal Control – Integrated Framework Executive Summary, May 2013: 9


Appendix D – Queensland Health Risk matrix327

327 Responses to Questions taken on notice at Public departmental briefing 2 April 2014: 3-4


Risk Analysis Matrix Part 1 Department of Health Consequence Table (for Department of Health use only)

The Consequence table shall be used as applicable to determine the area of consequence most affected if a risk should occur.

Consequence levels: Negligible, Minor, Moderate, Major, Extreme

Strategic Planning
  Negligible: Adverse occurrence or more significant consequences nearly realised.
  Minor: The consequences affect efficiency or effectiveness of some aspects of the objectives of the branch plan, possibly including its projects, programs, services or people/stakeholders.
  Moderate: The consequences affect efficiency or effectiveness of some aspects of the objectives of the divisional plan, possibly including its projects, programs, services or people/stakeholders.
  Major: The consequences affect efficiency or effectiveness of some aspects of the objectives of the strategic plan which are critical to the Department.
  Extreme: The consequences affect the Department's ability to deliver on its strategic objectives and extend to whole-of-health system critical impacts.

Work Health and Safety
  Negligible: No injury.
  Minor: First aid treatment only. No time lost.
  Moderate: Medical treatment injury. A full shift/workday has not been lost.
  Major: Lost time injury or serious injury or illness without permanent impairment (as defined by S36 Work Health & Safety Act (QLD) 2011).
  Extreme: Serious injury or illness with permanent impairment (as defined by S36 Work Health & Safety Act (QLD) 2011). Reportable fatality (as defined by S35 Work Health & Safety Act (QLD) 2011).

Delivery of Safe Services (Clinical)
  Negligible: No harm. (Could express as a SAC3)
  Minor: Minimal harm. First aid treatment only. (Could express as a SAC3)
  Moderate: Temporary harm. (Could express as a SAC2)
  Major: Permanent harm/loss of function/disability. (Could express as a SAC1)
  Extreme: Loss of life. (Could express as a SAC1)

Health Service Delivery
  Negligible: Possible disruption to single service delivery.
  Minor: Disruption to service delivery with workarounds available.
  Moderate: Disruption of a service resulting in the inability to meet agreed service KPIs.
  Major: Disruption of a single service across multiple locations or multiple services in a single location.
  Extreme: Inability to deliver a service across multiple locations or multiple services within a single location.

Business Operations
  Negligible: Potential or actual disruption causing manageable delays to non-critical business functions/outputs.
  Minor: Disruption to business functions/outputs but still within maximum acceptable outage (MAO) times. Workarounds possible through management and coordination.
  Moderate: Disruption to business functions/outputs in one area, exceeding MAO timeframes. Some effective workarounds. Rapid recovery expected.
  Major: Widespread disruption to business functions/outputs exceeding MAO timeframes. Very limited effective workarounds. Possible prolonged recovery and backlog processing.
  Extreme: Widespread and cascading failures of disruption to business functions/outputs significantly exceeding MAO. No workarounds available. Prolonged recovery. Significant backlog processing.

Financial (DoH)
  Negligible: Negligible impact on budget/finances, for example 0 - 0.5% variation of allocated operating budget.
  Minor: Minor impact on budget/finances, for example 0.5 - 2% variation of allocated operating budget. May need adjustment of Department budget.
  Moderate: Moderate impact on budget/finances, for example 2 - 5% variation of allocated operating budget. May need CBRC submission for funds.
  Major: Major impact on budget/finances, for example 5 - 10% variation of allocated operating budget. May need emergency funding by Treasury.
  Extreme: Extreme long-term impact on budget/finances, for example >10% variation of allocated operating budget.
  Other examples:
  Negligible: Net cash flow impact of < $200,000. Accounting write-down of assets of < $200,000.
  Minor: Net cash flow impact between $200,000 - $2M. Accounting write-down of assets between $200,000 - $2M.
  Moderate: Net cash flow impact between $2M - $10M. Accounting write-down of assets or increase in Life Cycle costs between $2M - $10M.
  Major: Net cash flow impact between $10M - $40M. Accounting write-down of assets or increase in Life Cycle costs between $10M - $40M. Deficit of 0 - 0.5% ($7.5M in 2013-14) of Annual Departmental Operating budget.
  Extreme: Net cash flow impact > $40M. Accounting write-down of assets of > $40M or increase in Life Cycle costs of > $40M. Deficit of > 0.5% (> $7.5M in 2013-14) of Annual Departmental Operating budget.

Legal and Regulatory
  Negligible: No long term consequences. Not likely to result in claim, litigation or prosecution.
  Minor: No long term consequences anticipated. Potential for claim or litigation.
  Moderate: Minimal long term consequences. Potential for investigation initiated by regulatory authority. May result in claim or litigation.
  Major: May result in long term consequences and ongoing investigation by regulatory authority. Potential for serious claim, litigation or prosecution. May result in criminal conviction.
  Extreme: May result in long term consequences. Potential for significant claim, litigation or prosecution. May result in criminal conviction that carries a penalty of imprisonment.

Project/Program Performance
  Negligible: Time or schedule delays are avoided. Negligible impact on achieving objectives.
  Minor: <2% time or schedule slippage. Minimal/short-term impact on achieving objectives.
  Moderate: <5% time or schedule slippage. Moderate impact on achieving objectives requiring changed ways.
  Major: <10% time or schedule slippage. Major impact on objectives requiring review or changes in activities and resource allocation.
  Extreme: >10% time or schedule slippage. Objectives can not be reached.

Reputation
  Negligible: Isolated complaints from individuals that can be managed locally.
  Minor: Complaints and/or negative local media attention.
  Moderate: Negative regional media coverage. May be noted in statewide media.
  Major: Sustained negative statewide media coverage. May be noted in national media.
  Extreme: Sustained negative national media coverage. May be noted in international media.

FINAL 09.07.13


The Department of Health Procedure for Risk Assessment and Treatment shall be used when determining the level of risk.

Part 2 Likelihood Table

The Likelihood table shall be used to rate how likely / how often a risk is expected to occur. When assessing likelihood, use either the description or the probability.

Likelihood        Description                                                     Probability
Almost Certain    The risk/event will likely occur in most circumstances.         >90%
Likely            The risk/event will probably occur at least once.               60-90%
Possible          The risk/event could be expected to occur at some time.         30-60%
Unlikely          The risk/event could occur at some time but is not expected.    5-30%
Rare              The risk/event may occur only in exceptional circumstances.     <5%

Part 3 Risk Matrix

The matrix shall be used following consequence and likelihood assessment. The results are used to determine the risk rating contained in the risk matrix. The level of risk rating shall consist of a word and numeric value. The numeric value assists with prioritising risks which are rated in the same word category.

Likelihood        Negligible    Minor         Moderate      Major          Extreme
Almost Certain    Medium (7)    Medium (11)   High (17)     (not legible)  (not legible)
Likely            Medium (6)    Medium (10)   High (16)     (not legible)  (not legible)
Possible          Low (3)       Medium (9)    High (15)     High (18)      High (22)
Unlikely          Low (2)       Medium (8)    Medium (12)   Medium (14)    High (21)
Rare              Low (1)       Low (4)       Low (5)       Medium (13)    High (19)

Part 4 Response to Risk

(Highest rating; label not legible in scan)
  As soon as possible (and within 1 month) commence treatment planning for moderation.
  Monthly - review by risk owner until effectively moderated. This includes risk treatment status updates.
  Monthly - provide risk update as relevant to governing body or management team (e.g. Project Board, Divisional Leadership Team, Executive Committee or Executive Management) and risk stakeholders.

High
  Within 1 month - commence treatment planning for moderation.
  Monthly - review by risk owner until risk is effectively moderated. This includes risk treatment status updates.
  Monthly - provide risk update as relevant to governing body or management team and risk stakeholders.

Medium
  Within 3 months - evaluate for treatment planning requirements based on cost/benefit and resource prioritisation.
  Quarterly - review by risk owner. This includes risk treatment update (if applicable).
  As required, provide risk update as relevant to governing body or management team and risk stakeholders.

Low
  Maintain effectiveness of current controls and manage by routine procedures.
  Monitoring and review schedule should be considered based on potential rapid escalation/volatility of the risk.
  As required, provide risk update as relevant to governing body or management team and risk stakeholders.

Note: See Risk Profile Process Map for further guidance on Executive Risk Profile Requirements.
