subject: amendment of fraud and corruption prevention policy · the last significant amendment to...

Item G01 Governance Committee 12/09/16

N O R T H S Y D N E Y C O U N C I L R E P O R T S

Report to General Manager Attachments:

1. Draft Fraud and Corruption Prevention Policy (D5-21)

2. Current Fraud and Corruption Prevention Policy (D5-21) 3. Audit Office Fraud Control Improvement Kit

SUBJECT: Amendment of Fraud and Corruption Prevention Policy AUTHOR: Jon Paul Agnew, Risk Manager ENDORSED BY: Adrian Panuccio, Chief Operating Officer EXECUTIVE SUMMARY: Amendment to Council’s Fraud and Corruption Prevention Policy D5-21, with streamlined and consistent wording. FINANCIAL IMPLICATIONS: Additional training costs are yet to be estimated, but funding will be provided from surplus revenue if needed. Comment by Responsible Accounting Officer: Funding for the project is appropriate. RECOMMENDATION: 1. THAT the amended Fraud and Corruption Prevention Policy be adopted.

Report of Jon Paul Agnew, Risk Manager Re: Amendment of Fraud and Corruption Prevention Policy

(2)

LINK TO DELIVERY PROGRAM The relationship with the Delivery Program is as follows: Direction: 5. Our Civic Leadership Outcome: 5.3 Council is ethical, open, accountable and transparent in its decision

making 5.7 Risks are minimised and continuity of Council's critical business

functions is ensured BACKGROUND The last significant amendment to the Fraud and Corruption Prevention Policy was in February 2013. Control of the Policy was transferred to the Chief Operating Officer in September 2014. These proposed amendments have been drafted in consultation with MANEX, the Audit and Risk Committee, and Internal Audit. CONSULTATION REQUIREMENTS Community engagement is not required. SUSTAINABILITY STATEMENT The following table provides a summary of the key sustainability implications: QBL Pillar Implications Economic Fraud and corruption prevention promotes transparent and accountable

expenditure of Council’s resources, particularly in procurement.

Governance The proposed amendments promote sound and transparent governance.

DETAIL Council’s Fraud and Corruption Prevention Policy D5-21 has been revised and the proposed amendments are summarised as follows: 1. Simplified Statement of Intent;

2. Better adaptation in the definitions of the wording of the Independent Commission Against

Corruption Act 1988, which is not well-suited to simple transposition;

3. Definition of “prompt” added to clarify the expectation that action be taken immediately and without delay;

4. Superfluous and outdated wording replaced in clauses 4.1, 4.2 and 4.5;

Report of Jon Paul Agnew, Risk Manager Re: Amendment of Fraud and Corruption Prevention Policy

(3)

5. Clause 5.1 updated with text from former definition clause 3.4;

6. Clause 5.2 (formerly in 5.1) separates the role of the Internal Auditor from the Audit and

Risk Committee;

7. Clauses 5.4 and 5.5 (formerly 5.3) separated to emphasise differing requirements of managers and supervisors. Superfluous wording replaced in clause 5.5(b) (formerly 5.3(b));

8. Clauses 5.6 to 5.8 (formerly 5.4 to 5.6) reworded to better reflect the Code of Conduct -

Councillors and Staff. The requirement “to stop fraudulent behaviour and to discourage others who may be inclined to commit similar conduct” is impracticable and has been removed;

9. References updated in clause 6; and

10. Appendix A guidelines rationalised and completely re-written to align with the latest

Audit Office best practice guidance. The main departure is that Council does not publish a “fraud database” on its website or elsewhere, although there is disclosure in audit reports and access can be applied for under GIPA.

Council will complement the policy amendment with fraud and corruption prevention training for staff in high risk roles. It may be necessary to source additional funding for the training budget when the staff numbers are finalised.

D5-21 FRAUD AND CORRUPTION PREVENTION POLICY

Page 1 of 9

Adopted by Council #

Policy Owner:

Chief Operating Officer

Category:

5. Our Civic Leadership

1. STATEMENT OF INTENT

1.1. North Sydney Council is committed to high ethical standards and aims to have a framework of policies, systems and culture that effectively minimise the risk of fraud and corruption by:

a) demonstrably influencing culture and behaviour within a testable fraud control environment;

b) maintaining employee morale and public confidence in Council;

c) protecting Council’s assets;

d) encouraging staff and others to report suspected or detected fraud or corruption;

e) providing standards to report and deal fairly with matters pertaining to fraud;

f) ensuring that fraud and corruption prevention is a living element of Council’s culture; and

g) ensuring that a tangible fraud prevention environment is apparent at all levels and in all work areas of Council.

1.2. This policy complements Council’s Enterprise Risk Management Policy.

2. ELIGIBILITY

2.1. This policy applies to all Councillors, employees of Council, any external entity providing goods or services to Council, and to any user of Council services or facilities.

3. DEFINITIONS

3.1. Corruption (See also Section 8 of the Independent Commission Against Corruption Act 1988):

a) Any conduct of a public official that constitutes or involves the dishonest

FRAUD AND CORRUPTION PREVENTION POLICY Page 2 of 9


or partial exercise of any of his or her official functions, or

b) Any conduct of a public official or former public official that:

i) constitutes or involves a breach of public trust, or

ii) involves the misuse of information or material that he or she has acquired in the course of his or her official functions, whether or not for his or her benefit or for the benefit of any other person.

c) Any conduct of any person (whether or not a public official) that adversely affects, or that could adversely affect, either directly or indirectly:

i) the honest or impartial exercise of official functions by any public official, any group or body of public officials or any public authority, or

ii) the exercise of official functions by any public official, any group or body of public officials or any public authority and which could involve any of the following matters:

official misconduct (including breach of trust, fraud in office, nonfeasance, misfeasance, malfeasance, oppression, extortion or imposition),

bribery, blackmail, obtaining or offering secret commissions, fraud, theft, perverting the course of justice, embezzlement, election bribery, election funding offences, election fraud, treating, tax evasion, revenue evasion, currency violations, illegal drug dealings, illegal gambling, obtaining financial benefit by vice engaged in by others, bankruptcy and company violations, harbouring criminals, forgery, treason or other offences against the Sovereign, homicide or violence,



matters of the same or a similar nature to any listed above,

any conspiracy or attempt in relation to any of the above.

3.2. Limitation on nature of corrupt conduct (See also Section 9 of the Independent Commission Against Corruption Act 1988):

a) Despite clause 3.1 conduct does not amount to corrupt conduct unless it could constitute or involve:

i) a criminal offence, or

ii) a disciplinary offence, or

iii) reasonable grounds for dismissing, dispensing with the services of or otherwise terminating the services of a public official.

3.3. Fraud - The deliberate and premeditated use of deception to gain advantage from a position of trust and authority. It includes acts of omission, theft, the making of false statements, evasion, manipulation of information and numerous other actions of deception.

3.4. Prompt – Done immediately and without delay.

4. PROVISIONS

4.1. Expectations:

a) Councillors and council staff are expected to maintain a high standard of ethical conduct in all activities, particularly with respect to resources, information, decision-making and authority.

b) All staff are expected to develop, encourage, insist upon and implement sound financial, legal and ethical decision-making within their responsibility levels.

c) All staff and Councillors are expected to be familiar with and act in accordance with Council’s Code of Conduct - Councillors and Staff. Council expects similar standards from the people and organisations that do business with Council.

d) All staff and Councillors must declare any interests in relation to matters they are currently considering, investigating or making a decision on.

e) Fraudulent acts against Council are unacceptable and may constitute a criminal offence.



4.2. Council’s Enterprise Risk Management Framework facilitates a holistic approach to the risk of fraud and corruption.

4.3. Council will rely on fraud-specific best practice authorities to identify and assess fraud risk in keeping with its Enterprise Risk Management Framework.

4.4. The three elements for prevention of fraud covered by this Policy come from the Australian Standard AS8001-2008, Fraud and Corruption Control are:

a) Structural elements - sound ethical culture, senior management commitment, periodic assessments of fraud and corruption risks, management and staff awareness, and fraud and corruption control planning;

b) Operational elements - internal controls, fraud detection programmes, mechanisms for reporting suspicions of fraud or corruption, dealing with detected or suspected fraud or corruption, line management accountability for the control of fraud and corruption risk, internal audit strategy, policy for the protection of whistleblowers (protected disclosures), allocation of resources to control fraud and corruption risks, insurance and pre-employment screening; and

c) Maintenance elements - review of the effectiveness of the fraud and corruption control strategies, ongoing monitoring of the ethical culture and review and adjustment of the fraud and corruption control plan.

4.5. Council’s internal Counselling and Disciplinary Policy provides an equitable, fair and consistent approach to managing staff misconduct. It allows for the imposition of penalties including, but not limited to, formal warning, demotion, suspension without pay, and termination.

5. RESPONSIBILITY / ACCOUNTABILITY

5.1. Council’s Audit and Risk Committee and/or Senior Management Team (MANEX) are responsible for Fraud Control Health Checks from time to time, and for the instigation of improved control initiatives. The Audit and Risk Committee, in consultation with the General Manager, establishes regular and systematic audit reviews of Council’s key and at risk systems, procedures and operations, fraud and corruption prevention framework, with a particular focus on risks identified in the Enterprise Risk Register.

5.2. The Internal Auditor may be directed or requested to conduct investigations.

5.3. Council’s Chief Operating Officer is responsible for ensuring that this Policy is maintained and regularly reviewed.



5.4. Managers and Supervisors are expected to lead by example and to demonstrate integrity and fairness in decision making and be open and honest in their dealings with others.

5.5. Managers must ensure that the following fraud prevention elements are evident in the workplace (see also clause 4.4):

a) Positive attitude towards internal control, as expressed through interest, involvement, policies and procedures;

b) Enhanced performance and control through the selection, leadership and development of staff; and

c) Monitoring of systems, whether informal information gathering, active supervision or formal information systems.

5.6. Any Councillor or staff member who suspects or detects fraud or corruption must report it in accordance with Council’s Code of Conduct - Councillors and Staff. Staff must also promptly report it to the Department Manager(s), Director(s), General Manager, and/or Public Officer.

5.7. Department Manager(s), Director(s), General Manager, and/or Public Officer must act promptly to investigate and mitigate risk when fraud or corruption is suspected or detected.

5.8. Council must report annually on fraud and corruption related code of conduct complaints in accordance with Council’s Code of Conduct - Councillors and Staff.



6. RELATED POLICIES / DOCUMENTS / LEGISLATION

The Policy should be read in conjunction with the following Council policies and documents:

Audit and Risk Committee Charter

Code of Conduct - Councillors and Staff

Code of Conduct - Contractors, their Staff and Business Associates

Code of Conduct - Precinct Office Bearers and Members

Code of Conduct - Volunteers and Community Representatives

Counselling and Disciplinary Policy (staff policy)

Delegations of Authority Manual

Enterprise Risk Management Policy

Fraud Prevention Policy Guidelines (Appendix A)

Gifts and Benefits Policy

Internal Audit Charter

Internal Reporting - Public Interest Disclosures Policy

Procurement Policy

Procurement Manual (internal)

Social Media Policy (staff policy)

Web Access and Email Policy (staff policy)

The Policy should be read in conjunction with the following documents/legislation:

Australian Auditing Standard ASA 240

Australian Standard AS8001-2008 Fraud and Corruption Control

Australian Standard AS/NZS ISO 31000:2009, Risk management - Principles and guidelines

“Governance Health Check” issued jointly by the LGMA and the ICAC

ICAC “Practical Guide to Corruption Prevention” ISBN 0 7310 7206 5

Independent Commission Against Corruption Act 1988

Local Government Act 1993

Local Government (General) Regulation 2005

Local Government Tendering Guidelines for Local Government January 2006

Model Code of Conduct and Procedures (March 2013), Office of Local Government

NSW Audit Office Fraud Control Improvement Kit



Privacy and Personal Information Protection Act 1998

Public Interest Disclosures Act 1994

Version Date Approved Approved by Resolution No. Review Date 1 4 June 2007 Council 348 2008/09 2 16 February 2009 Council 61 2012/13 4 18 February 2013 Council 61 2016/17 5 15 September

2014 Council 394 2016/17

6 TBA TBA TBA 2020/21



APPENDIX A: FRAUD AND CORRUPTION PREVENTION POLICY GUIDELINES

1. Purpose of these guidelines These guidelines explain how Council ensures:

successful implementation of the Fraud and Corruption Prevention Policy; and

continuous improvement of the associated fraud and corruption prevention framework.

2. Fraud and corruption prevention framework Council’s framework is modelled on the attributes set out in the Fraud Control Improvement Kit published by the Audit Office of New South Wales:

a) Leadership - The General Manager and Directors are committed to fraud and corruption prevention, and work with the Audit and Risk Committee, Internal Audit and staff to ensure successful implementation of the Policy and framework.

b) Ethical framework – Council’s Fraud and Corruption Prevention Policy and related policies set out acceptable standards of ethical behaviour. They make clear that fraud and corruption are not tolerated by Council, and that unethical behaviour may meet with disciplinary action. These policies are readily available to staff and are included in the induction process.

c) Responsibility structures - Senior management, the Audit and Risk Committee, the Internal Auditor and staff have clearly defined responsibilities for fraud and corruption prevention. Fraud and corruption prevention is accounted for in Council’s business plans and is supported with adequate resources and training.

d) Fraud and Corruption Prevention Policy - The Policy takes a holistic, enterprise-wide approach to fraud and corruption risk management. It has strong links to Council’s other policies on ethical behaviour and is reviewed regularly for continuous improvement.

e) Prevention systems - Fraud and corruption risk assessment is part of Council’s enterprise risk management process, and is regularly reviewed and reported to the Audit and Risk Committee. Detected fraud and corruption is recorded in Council’s Risk Event register for remedial action and insurance purposes. Council undertakes pre-employment screening. Council’s Information Technology strategy is aligned with organisational objectives and IT risks are included in the Enterprise Risk Register.

f) Fraud awareness - Staff are provided with a comprehensive awareness programme to ensure appreciation and understanding of responsibilities for preventing, detecting and reporting fraud and corruption. This begins with the induction process and is reinforced with periodic refresher training and circulars. Customers and the community are encouraged to report suspicions of fraud and corruption and are provided with easy to use channels to make reports. Council’s



codes of conduct set out ethical standards and mutual obligations for customers and the community.

g) Third party management systems - Staff are given targetted training and education for dealing with contractors and suppliers. Council’s contract management system includes structured risk-based due diligence and standardised contract wordings that make clear Council’s commitment to fraud and corruption prevention. Council’s codes of conduct set out ethical standards and mutual obligations for contractors and suppliers. Contractors and suppliers are encouraged to report suspicions of fraud and corruption and are provided with easy to use channels to make reports. Staff are regularly required to disclosure conflicts of interest and secondary employment.

h) Notification systems - Council supports staff who report fraud and corruption, and supports managers acting on those reports. There are well-publicised, clear and consistent options for staff to report fraud and corruption internally and externally. Staff can feel confident of protection from reprisal and demonstrated action will be taken in response to reports. Council’s policies, systems and procedures support reporting and ensure appropriate reporting to senior management and the Audit and Risk Committee.

i) Detection systems - Council has well documented risk-based internal controls to prevent, detect and correct fraud and corruption. Routine checks and audits are undertaken of activities, processes controls and transactions. Data is monitored and reviewed for early detection and intervention. Council has a well developed risk-based internal audit programme for fraud and corruption prevention, with audit recommendations assigned to responsible officers with timeframes for response.

j) Investigation systems - Reports of fraud and corruption must be investigated promptly and to the highest standards. Investigations will be allocated sufficient resources and will be conducted by appropriately qualified and experienced personnel, and referred to an independent investigator where warranted. The investigation and decision-making process must be properly documented and proportionate to the scale of the fraud or corruption. The Counselling and Disciplinary Policy provides an equitable, fair and consistent approach to managing staff misconduct, including the imposition of penalties. Council will hold fidelity guarantee or equivalent insurance to protect against the financial consequences of fraud.

3. Enterprise Risk Management The Policy relies on Council’s Enterprise Risk Management process to systematically identify, assess and control fraud and corruption risks. Information is compiled from many sources, including event reports and internal audits. Assessments, controls and treatment plans are recorded in the Enterprise Risk Register and reported regularly to the Audit and Risk Committee.

D5-21


Re-adopted by Council 15 September 2014

Policy Owner:

Chief Operating Officer

Category:

5. Our Civic Leadership

1. STATEMENT OF INTENT

1.1 North Sydney Council is committed to high ethical standards and aims to have effective policies, systems and a culture that minimises the risk of fraud in our operations. The purpose of this Policy is for Council to provide a statement on its commitment and process in preventing fraud and corruption. This policy complements Council’s Enterprise Risk Management Policy.

1.2 This Policy establishes the framework for Council’s fraud control strategies. It

aims to:

a) demonstrably influence culture and behaviour by generating a testable fraud control environment;

b) maintain employee morale and public confidence in Council; c) protect Council's assets; d) encourage staff and others to report suspected fraud or potential fraud; e) provide standards to report and deal fairly with matters pertaining to

fraud; f) ensure that fraud prevention is a living element of Council’s culture; and g) ensure that a tangible fraud prevention environment is apparent at all

levels and in all work areas of Council. 2. ELIGIBILITY

2.1 This policy applies to all Councillors, employees of Council, any external entity providing goods or services to Council, and to any user of Council services or facilities.

3. DEFINITIONS

3.1 Corruption - Defined in Sections 8(1) and (2) of the Independent Commission Against Corruption Act 1988 as:

8(1)a. any conduct of any person (whether or not a public official) that adversely

affects, or that could adversely affect, either directly or indirectly, the honest or impartial exercise of official functions by any public official, any group or body of public officials or any public authority, or



8(1)b. any conduct of a public official that constitutes or involves the dishonest or partial exercise of any of his or her official functions, or

8(1)c. any conduct of a public official or former public official that constitutes or

involves a breach of public trust, or 8(1)d. any conduct of a public official or former public official that involves the misuse

of information or material that he or she has acquired in the course of his or her official functions, whether or not for his or her benefit or for the benefit of any other person.

8(2) Corrupt conduct is also any conduct of any person (whether or not a public

official) that adversely affects, or that could adversely affect, either directly or indirectly, the exercise of official functions by any public official, any group or body of public officials or any public authority and which could involve any of the following matters:

a) official misconduct (including breach of trust, fraud in office,

nonfeasance, misfeasance, malfeasance, oppression, extortion or imposition)

b) bribery c) blackmail d) obtaining or offering secret commissions e) fraud f) theft g) perverting the course of justice h) embezzlement, i) election bribery j) election funding offences k) election fraud l) treating m) tax evasion, n) revenue evasion o) currency violations p) illegal drug dealings q) illegal gambling r) obtaining financial benefit by vice engaged in by others s) bankruptcy and company violations t) harbouring criminals u) forgery v) treason or other offences against the Sovereign w) homicide or violence x) matters of the same or a similar nature to any listed above y) any conspiracy or attempt in relation to any of the above.

3.2 Limitation on nature of corrupt conduct - Defined in Sections 9 of the

Independent Commission Against Corruption Act 1988 as: 9(1) Despite section 8 conduct does not amount to corrupt conduct unless it could constitute or involve:

(a) a criminal offence, or (b) a disciplinary offence, or



(c) reasonable grounds for dismissing, dispensing with the services of or otherwise terminating the services of a public official

3.3 Fraud - is a deliberate and premeditated use of deception to gain advantage from

a position of trust and authority. It includes acts of omission, theft, the making of false statements, evasion, manipulation of information and numerous other actions of deception1.

3.4 The Audit and Risk Committee, in consultation with the General Manager, establishes regular and systematic audit reviews of Council’s key and at risk systems, procedures and operations, with a particular focus on risks as identified in the Enterprise Risk Register.

4. PROVISIONS

4.1 Expectations:

a) Councillors and council staff are expected to maintain a high standard of ethical conduct in all activities, in particular with respect to resources, information, decision-making and authority.

b) All staff are expected to develop, encourage, insist upon and implement sound financial, legal and ethical decision-making within their responsibility levels.

c) All staff and Councillors are expected to be familiar with and act in accordance with the Council’s Code of Conduct - Councillors and Staff. The Council expects similar standards from the people, agencies or organisations that do business with the Council.

d) All staff and Councillors must declare any interests in relation to matters they are currently considering, investigating or making a decision on.

e) Fraudulent acts against the Council are unacceptable and may constitute a criminal offence.

4.2 Council has adopted an Enterprise Risk Management Framework, generally

conforming to Australian Standard AS/NZS ISO 31000:2009, Risk Management - Principles and Guidelines. This facilitates a holistic approach to Risk Management, including the risk of fraud.

4.3 Council will rely on fraud-specific best practice authorities to identify and assess

fraud risk in keeping with its Enterprise Risk Management Framework.

4.4 The three elements for prevention of fraud covered by this Policy come from the Australian Standard AS8001-2008 “Fraud and Corruption Control” are:

1 Source: Audit Office NSW



a) Structural elements - sound ethical culture, senior management commitment, periodic assessments of fraud and corruption risks, management and staff awareness, and fraud and corruption control planning;

b) Operational elements - internal controls, fraud detection programs, mechanisms for reporting suspicions of fraud or corruption, dealing with detected or suspected fraud or corruption, line management accountability for the control of fraud and corruption risk, internal audit strategy, policy for the protection of whistleblowers (Protected Disclosures), allocation of resources to control fraud and corruption risks, insurance and pre-employment screening; and

c) Maintenance elements - review of the effectiveness of the fraud and corruption control strategies, ongoing monitoring of the ethical culture and review and adjustment of the fraud and corruption control plan.

4.5 Council has in place an internal, staff only, Counselling and Disciplining Policy

(last reviewed by MANEX in May 2004). There is no specific disciplinary action defined for a breach of code of conduct. The policy briefly defines the investigation process, the counselling and discipline process and the termination process.

Section 4.8.3 indicates that disciplinary action will be determined by

management and may include but not be limited to those penalties referred to in the Local Government State Award.

5. RESPONSIBILITY/ACCOUNTABILITY

5.1 Council’s Audit and Risk Committee and/or Senior Management Team (MANEX) is responsible for Fraud Control Health Checks from time to time and for the instigation of improved control initiatives, as may be necessary. Special investigations may be directed to the Internal Audit function (i.e. Internal Auditor).

5.2 Council’s Chief Operating Officer is responsible for ensuring that this Policy is maintained and regularly reviewed.

5.3 Managers/Supervisors are expected to lead by example and to demonstrate

integrity and fairness in decision making and be open and honest in their dealings with others. Managers must ensure that the following fraud prevention elements are evident in the workplace (relates to section 4.4):

a) Positive attitude of management towards internal control. Expressed

through interest, involvement, policies and procedures; b) The selection and development of quality staff whose practices

demonstrate high ethical standards. The appropriate application of leadership and training to all staff will enhance the quality of performance and therefore control; and



c) The monitoring of systems, whether informal information gathering, active supervision or formal information systems.

5.4 Managers/Supervisors are required to promptly advise the General Manager,

Director, Department Manager and/or Public Officer of instances of suspect or actual fraud. When fraud is detected, managers must take prompt action both to stop fraudulent behaviour and to discourage others who may be inclined to commit similar conduct.

5.5 Any Councillor or staff member who suspects fraudulent or corrupt behaviour must report it in accordance with Council’s Code of Conduct - Councillors and Staff.

5.6 In accordance with Council’s Code of Conduct - Councillors and Staff (clause

13.33) the General Manager must report annually to the Council on code of conduct complaints (number, nature and outcomes).

6. RELATED POLICIES/DOCUMENTS/LEGISLATION

The Policy should be read in conjunction with the following Council policies and documents:

Audit and Risk Committee Charter Code of Conduct - Councillors and Staff Code of Conduct - Contractors, their Staff and Business Associates Code of Conduct - Precinct System Code of Conduct - Volunteers and Community Representatives Counselling and Disciplinary Policy (staff policy) Delegations of Authority Manual Enterprise Risk Management Policy Fraud Prevention Policy Guidelines (Appendix A) Gifts and Benefits Policy Guidelines for the Identification and Analysis of Risk Exposures Internal Audit Charter Internal Reporting - Public Interest Disclosures Policy Internal Reporting - Public Interest Disclosures Procedures Performance Audit and Improvement Action Plan Performance Audit and Improvement Strategy Procurement Policy Procurement Guidelines for Council Officers and Information for

Tenderers Procurement Manual Social Media Policy (staff policy) Web Access and Email Policy (staff policy)

The Policy should be read in conjunction with the following documents/legislation:



Australian Auditing Standard AUS 210 Australian Standard AS8001-2008 Fraud and Corruption Control Australian Standard AS/NZS ISO 31000:2009, Risk management -

Principles and guidelines “Governance Health Check” issued jointly by the LGMA and the ICAC ICAC “Practical Guide to Corruption Prevention” ISBN 0 7310 7206 5 Independent Commission Against Corruption Act 1988 Local Government Act 1993 Local Government (General) Regulation 2005 Local Government Professionals Governance Health Check 2004 Local Government Tendering Guidelines for Local Government January

2006 Model Code of Conduct and Procedures (March 2013), Office of Local

Government NSW Audit Office Fraud Control Improvement Kit Privacy and Personal Information Protection Act 1998 Public Interest Disclosures Act 1994

Version Date Approved Approved by Resolution No. Review Date 1 4 June 2007 Council 348 2008/09 2 16 February 2009 Council 61 2012/13 4 18 February 2013 Council 61 2016/17 5 15 September 2014 Council 394 2016/17



APPENDIX A: FRAUD AND CORRUPTION PREVENTION POLICY GUIDELINES

1. Application of these Guidelines The purpose of these guidelines is to ensure that Council’s Fraud and Corruption Prevention Policy meets the objectives of the NSW Audit Office’s Fraud Control Improvement Kit, as well as Council’s Enterprise Risk Management Policy. Through implementation of this Policy, Council can:

a) monitor the ongoing effectiveness of this Policy; b) assess whether, and where in Council, fraud prevention initiatives need to be enhanced;

and c) develop specific actions for improving implementation of this Policy.

2. About the Policy Council’s Fraud Prevention Policy is based on the strategic model developed by the NSW Audit Office, as endorsed by the NSW Premier's Department and the Office of Local Government. This embodies 10 critical success factors for the effective control of fraud. These are:

1. Integrated policy - Council has a Fraud and Corruption Prevention Policy, which supports existing policies and procedures that relate to corruption prevention. The policy will provide authority to the Audit and Risk Committee on the development of strategies to prevent, detect and report suspected cases of fraud or corruption against Council by both internal and external parities.

2. Responsibility structures - Council will take active measures to prevent any act of fraudulent or corrupt behaviour by employees, clients or service providers. Council has a number of mechanisms in place to assist in the prevention of fraud or corrupt behaviour and expects its directors and line managers to put effective controls in place along with reporting mechanisms.

3. Fraud and corruption risk assessment - The Audit Office of NSW in its “Developing an Effective Strategy” has identified that the carrying out of a fraud risk assessment is considered to be a key part of the audit process of both the internal and external auditors. Directors are responsible in ensuring that risks in their directorates are identified, assessed and regularly reviewed along with the implementation of strategies to mitigate those risks.

4. Risk Register - Risk assessments are captured in Council's Enterprise Risk Register along with related controls and treatments. Risk Register information is regularly reported to the Audit and Risk Committee in a standardised format.

5. Employee and Councillor awareness - the prevention, detection and reporting of

fraudulent or corrupt behaviour is the responsibility of every Councillor and employee of



Council. To assist in providing awareness and recognition of this responsibility and to develop a culture where fraudulent and corrupt behaviour is reported and detected, it is essential that:

a) All Council employees are aware of their responsibility in contributing towards the elimination of fraud and understand the ethical behaviour expected of them and their roles;

b) Council develops appropriate KPI’s on the measurement of fraud control and incorporates in unit business plans; and

c) Council provides compulsory training in fraud and corruption detection and necessary awareness materials.

6. Client and community awareness - conducting business with various external agencies

can expose Council to potential areas of risk. To minimise this exposure to risk Council must actively promote to the community the acceptable standards, ethics and behaviour expected whilst dealing with Council, which will include:

a) A clear statement from the General Manager in the Annual Report of Council’s stance on fraud and corruption, providing an outline of the fraud control strategies used by Council;

b) Ensuring all tender documentation, contracts and other binding agreements have a section outlining what Council considers to be acceptable ethical behaviour;

c) Awareness programs that will encourage external parties to report suspected fraudulent or corrupt behaviour by Council staff to Council;

d) Ensuring that procurement agreements contain correct information, particularly when it involves quantities and service delivery timeframes;

e) Ensuring service delivery agreements include components dealing with standards of propriety and ethics; and

f) Ensuring awareness programs are targeted to key parties, including developers, contractors, suppliers, consultants, part-time staff and the community in general.

7. Fraud and corruption reporting systems - it is important that awareness programs are

supported by effective internal fraud detection and reporting systems. An appropriate reporting structure has been developed through the adoption and use of several policies, which include Internal Reporting - Public Interest Disclosures Policy and Code of Conduct (various). These policies and procedures need to be reviewed on a regular basis (at least every four years) to ensure that they meet the objectives of the legislation and in particular the making of disclosures under the Local Government Act 1993. When reviewing these policies factors that could impede effective reporting of fraud should be considered, including the following matters identified by ICAC:

a) Cultural antipathy to “dobbing in your workmates”; b) Immediate supervisor’s possible involvement or association with those involved; c) Disinclination to report if past experience has shown that “nothing happens”

and/or that those who report receive negative treatment, for example being labelled as “troublemakers”;



d) Appropriate insulation/separation of the principal officer and senior management from junior employees; and

e) Lack of clear and appropriate rules for referral and/or action where corrupt conduct is suspected.

8. Detection systems - Council through its Internal Reporting - Public Interest Disclosures

Policy substantially outlines the procedure that needs to be followed in relation to making a disclosure under the Public Interest Disclosures Act 1994. Failure to effectively protect employees or councillors can impede Council’s ability to uncover and prevent fraudulent or corrupt behaviour. Council is committed to supporting and protecting all complainants in identifying fraudulent and corrupt behaviour within Council.

9. External notification - in order for Council to meet its statutory obligations it will have systems in place to:

a) Report all matters requiring reporting to external bodies, including, the ICAC, the Ombudsman, the Police and the Office of Local Government (whichever is appropriate);

b) Ensure that the reporting is undertaken in a timely and confidential manner; and c) Ensure that all Council employees are aware that if the General Manager has

reasonable grounds to suspect a corrupt or fraudulent act then he/she has no discretion in the reporting of fraud to ICAC and the Police if relevant in accordance with legislative requirements.

10. Investigation standards - having comprehensive fraud control strategies and awareness

programs will ensure Council is more likely to detect fraudulent and corrupt behaviour. Council will ensure that:

a) All employees receive compulsory training to improve understanding of the need to report suspected fraud;

b) Investigations that follow are competent, thorough and conducted with the highest standards;

c) All instances of reported suspected fraud will be investigated by Council to establish whether a basis exists for further action;

d) Confidentiality of the person who made the disclosure in accordance with the Public Interest Disclosures Act 1994, Privacy and Personal Information Protection Act 1998 and Local Government Act 1993 is maintained;

e) Investigation is carried out in an objective and impartial manner; f) Investigation standards used are industry accepted, following best practice

guidelines issued by such bodies as the Ombudsman and ICAC; g) Investigations result in a report to the Audit and Risk Committee including any

recommendations on what measures Council may take; and h) Investigations make use of resources in the most effective way, and engage

external assistance if deemed appropriate by the General Manager.



Whilst carrying out the investigation, Council is to consider whether or not the relevant acts warrant referral to appropriate agencies as identified in this plan or in the relevant policies.

11. Conduct and disciplinary standards - a clear message will be sent to all Council staff and

Councillors that fraud against Council either from within or outside is unacceptable and that offenders will face appropriate action.

Council has a number of policies and codes in place which outline the standards expected of staff and councillors, including a Code of Conduct - Councillors and Staff (training is compulsory and is provided to all new and existing employees) and Council’s Statement of Values.

3. What Council wants to achieve

Council’s strategy is to have in place fraud risk identification and assessment processes designed to:

a) Be undertaken on a regular basis; b) Quantify the level, nature and form of fraud risks; and c) Determine actions to mitigate exposures identified in the fraud risk assessment.

4. Function Council has adopted an Enterprise Risk Management Framework in compliance with the AS/NZS ISO 31000:2009, Risk Management - Principles and Guidelines. This facilitates a holistic approach to Risk Management, including the risk of fraud. The enterprise risk management process pursuant to AS/NZS ISO 31000:2009 requires risk identification and assessments in all areas of Council. Priority risk areas are defined, where specific Risk Control needs and actions may be identified. Council utilizes the NSW Audit Office Fraud Control Improvement Kit to assist in fraud risk identification and assessments within its Enterprise Risk Management program.

5. Risk Areas Some high Fraud Risk Exposure areas identified within Local Government are:

a) Developer inducement to Councillors or Staff to approve development applications or rezoning;

b) Regulatory and enforcement activities; c) Non disclosure of a pecuniary or non pecuniary interest; d) Undisclosed election funding; e) Tender and quotation rigging; f) Bribes from suppliers and contractors;



g) Contractor related matters - claiming for work not undertaken, use of lower quality material;

h) Payroll related offences - overtime abuse, hours not worked; i) personnel recruitment, deployment and records; j) Sale/misuse of information; k) finance receipt and expenditure; and l) Theft of plant and equipment.

Some lower Fraud Risk Exposure areas identified within Local Government are:

a) Theft of cash; b) issue of penalty and other notices; c) engagement of contractors and consultants; d) computer data security; e) remote telecommunication access e.g. Internet; f) purchase and control of stores and equipment; g) use of stores and equipment; h) use of motor vehicles; i) lease/loan of equipment; and j) administrative activities.

6. Fraud Control Actions 6.1 Fraud Prevention Measures to prevent fraud will be continually monitored, reviewed and developed. An element of fraud risk prevention will include a Fraud Risk Assessment. Council will conduct Fraud Risk Assessments every four years to inform fraud reduction and control policies and strategies. Fraud risk assessments must examine internal and external operating environments and must involve identifying areas of council business that have high fraud risks. 6.2 Fraud Detection Council will employ a number of fraud detection mechanisms (actions) to ensure early detection of suspicious or fraudulent behaviours. Fraud detection may include monitoring staff and transactions and maintaining and developing internal security. Fraud control actions are developed through the Audit and Risk Committee and endorsed for implementation by MANEX. MANEX is updated on the progress of the fraud control actions. 6.3 Fraud Investigation



If the General Manager has reason to suspect that fraud has occurred, the ICAC must be immediately notified. The circumstances must then be investigated and the General Manager will decide whether the organisation will conduct an administrative fact-finding investigation, or a criminal investigation in association with the Police and the ICAC. 6.4 Policy Delivery and Monitoring The General Manager is responsible for ensuring the ongoing developing and implementing Council’s Fraud and Corruption Prevention Policy and monitoring its effectiveness. Trends, activities, complaints and compliments are monitored for signs of irregularity. The General Manager reports to the Council on fraud risk issues ensuring that risks are identified and acted on. Council staff will receive appropriate training to improve awareness of fraud risks and fraud management within the workplace.

Audit Office of New South Wales I Fraud Control Improvement Kit I February 2015

20

Resource one: Fraud control checklist Attribute 1: Leadership 1. CEO and senior management commitment to fraud control: CEO visibly endorses fraud control activities senior managers demonstrate their commitment to mitigate fraud risks.

2. Clearly defined CEO and senior management accountability and responsibility: senior management assigned responsibility for implementing the fraud control framework senior managers’ individual performance agreements contain performance measures and indicators relating to

successful fraud control. Attribute 2: Ethical framework 3. Clear policies setting out acceptable standards of ethical behaviour: staff have easy access to all ethical behaviour policies ethical behaviour policies are included in the induction process.

4. Demonstrated compliance with the ethical framework: staff annually evidence their commitment to acceptable standards of behaviour.

5. Employees can articulate obligations to ethical behaviour and the organisation’s position on fraud: staff understand fraud is not tolerated and the consequences of committing fraud.

Attribute 3: Responsibility structures 6. Management and all staff have clearly defined responsibilities for managing fraud: staff are aware of the responsibility structure in the organisation responsibilities for fraud control are contained in role descriptions, where appropriate.

7. Fraud management is integrated with core business: managing fraud risks included in business plans.

8. Resources are allocated to managing fraud. fraud committee established and/or a Fraud Prevention Manager appointed.

9. Clearly defined roles for audit and risk committee and auditors: proactive and influential audit and risk committee internal audit work covers controls over high risk fraud areas.

10. Staff with responsibility for fraud control and staff in high risk fraud areas are provided with training: refresher and knowledge update training are provided on an ongoing basis training program is integrated within a wider education and awareness campaign.

Audit Office of New South Wales I Fraud Control Improvement Kit I February 2015 21

Attribute 4: Fraud control policy 11. Risk-based policies appropriate to the organisation: appropriate policies address the level and nature of internal and external fraud risks fraud control policy addresses the ten attributes of fraud control.

12. Holistic and integrated: fraud control policy does not operate in isolation and has strong links to other ethical behaviour policies.

13. Regularly reviewed, current and implemented: fraud control policy is responsive to changes in the operating environment and reviewed at least every two years.

Attribute 5: Prevention systems 14. Proactive and integrated fraud risk assessment: fraud risk assessment is part of organisation’s enterprise risk management process risk assessment reviewed after substantial change and at least every two years.

15. Planning, follow up and accountability: fraud control plan in place and outcomes reported to senior managers and audit and risk committee.

16. Analysis of and reporting on suspected and actual frauds: fraud database established containing all reports of fraud, action taken and outcomes database kept up to date and published on website.

17. Ethical workforce: pre-employment screening.

18. IT security strategy: specific IT security strategy aligned with the organisation’s business strategy cybercrime included as a risk on the risk register.

Attribute 6: Fraud awareness 19. Comprehensive staff education and awareness program: ongoing ethical behaviour and fraud education and awareness program fraud control message repeated and reinforced using a variety of communication channels fraud control expectations included in the induction process staff have a good understanding of what fraud is guidance material deals with real life situations, conflicts and fraud risks staff face in their work area.

20. Staff awareness of fraud control responsibilities: staff have a good appreciation and understanding of their responsibilities for preventing, detecting and reporting

fraud.

Audit Office of New South Wales I Fraud Control Improvement Kit I February 2015

22

21. Customer and community awareness: publicity campaigns developed where appropriate customers and the community encouraged to report suspicions of fraud and provided with easy to use channels

to make reports customers and the community have confidence in the integrity of the organisation statement of business ethics setting expectations and mutual obligations.

Attribute 7: Third party management systems 22. Targeted training and education for key staff: targeted training and education programs for staff with responsibilities for dealing with third parties.

23. Third party due diligence and clear contractual obligations and accountabilities: structured risk-based due diligence before engaging contractors or third parties contracts and service level agreements include clear accountabilities for managing the risk of fraud position descriptions for staff with responsibilities for managing third parties include accountabilities for managing

fraud risks. 24. Effective third party internal controls: specific internal controls relating to third parties in place checks and reviews carried out on dealings with third parties.

25. Third party awareness and reporting: contractors and suppliers understand organisation will not tolerate corruption including fraudulent dealings statement of business ethics setting expectations and mutual obligations reporting mechanisms established for reporting suspected fraud contractors and suppliers encouraged to provide information if they suspect fraud is occurring.

26. Staff disclosure of conflicts of interest and secondary employment: staff regularly required to disclosure conflicts of interest and secondary employment records of conflicts of interest and secondary employment reviewed and kept up-to-date.

Attribute 8: Notification systems 27. Culture that supports staff reporting fraud and management acting on those reports: well-publicised options for staff to report fraud staff feel confident they will be protected from reprisal action demonstrated action taken in response to reports of fraud.

28. Polices, systems and procedures that support reporting: reporting system appropriate to organisation different channels available to report fraud feedback and follow-up with internal reporters.

29. Processes to support upward reporting: actual and suspected frauds reported to CEO and audit and risk committee fraud database published on organisation’s website.

Audit Office of New South Wales I Fraud Control Improvement Kit I February 2015 23

30. External reporting: staff are clear on policy and procedures for external reporting external reporting in accordance with legislation and policy clear and consistent approach to external reporting.

Attribute 9: Detection systems 31. Robust internal controls: well documented risk-based internal controls routine checks of activities, processes controls and transactions range of internal controls that ‘prevent, detect and correct’.

32. Monitoring and review: available data monitored and reviewed to ensure irregularities and warning signals are picked up early early warning signs acted on quickly and red flag behaviour recognised.

33. Risk-based internal audit program: internal audit program evaluates the potential for fraud and how fraud risk is managed internal audit recommendations assigned to individuals with timeframes for response.

Attribute 10: Investigations systems 34. Clear documented investigation procedures: reports of fraud investigated promptly and to the highest standards investigations are independent sufficient resources allocated, including budget.

35. Investigations conducted by qualified and experienced staff: investigations conducted by appropriately qualified personnel with recognised qualifications and appropriate

experience. 36. Decision-making protocols: documented decision-making processes proportionate responses to incidents of fraud.

37. Disciplinary systems: staff understand fraud will not be tolerated and the perpetrators will face disciplinary action commitment to taking action against the perpetrators of fraud consistent application of sanctions.

38. Insurance: consider a fidelity guarantee insurance policy to protect against the financial consequences of fraud.

subject: amendment of fraud and corruption prevention policy · the last significant amendment to...

Documents