Commonwealth Fraud and Corruption Control Framework

Publisher
Attorney-General's Department
Publication date
February 2024

The Minister for Finance and the Attorney-General have announced the new Commonwealth Fraud and Corruption Framework, which will come into effect on 1 July 2024.

This follows the recent amendments to section 10 of the Public Governance, Performance and Accountability (PGPA) Rule 2014 (the Fraud Rule) to include corruption, and strengthen the requirements for Commonwealth entities to prevent, detect and deal with fraud and corruption. These amendments will become the Fraud and Corruption Rule.

To reflect these amendments, the Attorney-General’s Department (AGD) has updated the Fraud Policy and is revising Resource Management Guidance 201 – Preventing, detecting and dealing with fraud.

The Commonwealth Fraud Control Framework 2017 will continue to apply until 30 June 2024.

Commonwealth Fraud and Corruption Control Framework 2024

The Framework is designed to support Australian Government entities to effectively manage the risks of fraud and corruption.

The Framework consists of 3 parts:

  • Fraud and Corruption Rule (Section 10 of the PGPA Rule 2014)
  • Fraud and Corruption Policy
  • Fraud and Corruption Guidance (Resource Management Guidance 201 – Preventing, detecting and dealing with fraud and corruption).

Fraud and Corruption Rule

This is a legislative instrument binding for all PGPA Act entities from 1 July 2024. It sets out the minimum standards for accountable authorities of PGPA Act entities in relation to managing the risk and incidents of fraud and corruption relating to their entity.

Read the Fraud and Corruption Rule

Fraud and Corruption Policy

This Policy is binding for all Non-Corporate Commonwealth Entities (NCEs) from 1 July 2024. Corporate Commonwealth Entities (CCEs) and Commonwealth Companies are encouraged to adopt the Fraud and Corruption Policy as better practice. The Fraud and Corruption Policy sets out the procedural requirements entities must implement to establish and maintain an appropriate system of fraud and corruption control for their entity.

Read the Fraud and Corruption Policy

Fraud and Corruption Guidance

This provides further guidance on the Australian Government’s expectations for fraud and corruption control arrangements for all Commonwealth entities. An Exposure Draft of Resource Management Guide (RMG) 201 - Preventing, detecting and dealing with fraud and corruption was distributed to Senior Officials in December 2023 for consultation. The Attorney-General’s Department is currently reviewing feedback and will release the RMG in early 2024.

Why has the Framework been updated?

The changes are part of a suite of reforms to improve the standards of integrity across the public sector.

The Fraud and Corruption Rule amendments bring it into alignment with Australian Government policies including the Commonwealth Risk Management Policy 2023 and the Australian Government Investigation Standards 2022, along with industry standards, and will strengthen the Commonwealth’s counter fraud and corruption efforts.

What has changed in the 2024 Framework?

The most significant change for the Fraud and Corruption Rule is to expand its application to corruption as well as fraud – requiring Commonwealth entities to take steps to prevent, detect and deal with corrupt conduct. This complements the National Anti-Corruption Commission’s (NACC) prevention and investigation functions.

In addition, there are also new clauses requiring entities to:

  • have governance structures and processes to effectively oversee and manage risks of fraud and corruption relating to the entity
  • have officials who are responsible for managing risks of fraud and corruption relating to the entity
  • periodically review the effectiveness of the entity’s fraud and corruption controls.

What support is available?

To support entities to meet their obligations under the amended Fraud and Corruption Rule and Fraud and Corruption Policy, the Commonwealth Fraud Prevention Centre will release the following additional resources in early 2024:

  • Fraud and Corruption Guidance
  • Information Sheets and resources about the changes to the Framework
  • A series of webinars, training and briefings to help Australian Government officials understand and implement the new requirements.

Please refer to this page for further updates, join our mailing list below or reach out to fraudreview@ag.gov.au for more information.

What consultation has taken place?

In February 2023, the Commonwealth Fraud Prevention Centre consulted broadly via a consultation paper discussing proposed changes to section 10 of the PGPA Rule 2014. In June 2023, the Centre sought feedback on the draft Fraud and Corruption Control Policy 2024 and the final draft of the Policy was distributed in November 2023 for red line comments. We would like to thank the many entities that contributed feedback throughout this engagement. Your feedback was considered in the drafting of the amendments to the Rule and Policy. In December 2023, an Exposure Draft of Resource Management Guide 201: Preventing, detecting and dealing with fraud and corruption was provided to all PGPA entities for consultation.

Recent newsletter articles are also linked below:

The new Framework – Frequently asked questions

Definitions

What is corruption?

For the purposes of this Framework, corruption in relation to an entity is defined in a way that is broadly consistent with the NACC Act and is any conduct that does or could compromise the integrity, accountability or probity of public administration. This includes:

  • any conduct of any person (whether or not a staff member of a Commonwealth agency) that adversely affects, or that could adversely affect, either directly or indirectly:
    • the honest or impartial exercise of any staff member’s powers as a staff member of a Commonwealth agency; or
    • the honest or impartial performance of any public official’s functions or duties as a public official;
  • any conduct of a staff member of a Commonwealth agency that constitutes or involves a breach of public trust;
  • any conduct of a staff member of a Commonwealth agency that constitutes, involves or is engaged in for the purpose of abuse of the person’s office;
  • any conduct of a staff member of a Commonwealth agency, or former staff member of a Commonwealth agency, that constitutes or involves the misuse of information or documents acquired in the person’s capacity as a staff member of a Commonwealth agency.

Corruption may be criminal or non-criminal in nature and may affect any aspect of public administration. Examples include an official being offered or accepting a bribe, or engaging in fraud against the entity.

What is fraud?

For the purposes of this Framework, fraud is defined as ‘dishonestly obtaining (including attempting to obtain) a gain or benefit, or causing a loss or risk of loss, by deception or other means.’ This definition is still based on the dishonesty offences under Chapter 7 of the Criminal Code but extends to attempts to dishonestly obtain a benefit, causing a risk of loss to the Commonwealth.

Fraud elements

Are entities required to have a standalone enterprise-level fraud and corruption risk assessment?

For many entities, it may be appropriate to integrate enterprise-level fraud and corruption risks into enterprise-level risk assessments. Entities with higher exposure to fraud and corruption risks should develop a standalone enterprise-level fraud and corruption risk assessment, to better identify, analyse, evaluate and treat their fraud and corruption risks within pre-defined levels of risk appetite or tolerance.

Are entities required to undertake fraud and corruption risk assessment for all of their activities, functions and programs?

Officials responsible for managing fraud and corruption in an entity will be responsible for deciding which activities, functions and programs require targeted fraud and corruption risk assessments and how often these assessments need to be reviewed. These decisions should be made and documented through the governance arrangements established to manage fraud and corruption risk within an entity, having regard to factors outlined in paragraph 1.1 of the Policy.

What should be included in a fraud and corruption control plan?

Fraud and corruption control plans help entities document, communicate, manage and monitor the current or planned activities to manage the entity’s identified fraud and corruption risks. At a minimum, control plans should include:

  • existing preventative, detective and corrective controls the entity has in place to address identified fraud and corruption risks, including how these controls mitigate the identified risks
  • new treatments the entity will implement to further mitigate the identified fraud and corruption risks, including implementation timeframes
  • designated control owners who are required to monitor and report on the implementation, testing (where relevant), and effectiveness of controls.

Should a control plan be a standalone document?

Fraud and corruption control plans do not have to be developed as standalone documents, and can be integrated within the risk assessment documentation. Entities that have large or complex operating environments, or who have higher exposure to fraud and corruption risk, may choose to develop a standalone fraud and corruption control plan, or develop multiple control plans.

Are entities required to review the effectiveness of all fraud and corruption controls?

It is impractical and inefficient for entities to review the effectiveness of every fraud or corruption control. Therefore, to ensure these reviews are appropriate, cost-effective and proportionate to the entity’s risks, entities should focus their effort and resources on the controls related to their highest risk activities, functions and programs.

When determining which controls should be reviewed, entities may also be guided by the nature, velocity and severity of specific risks and how critical the controls are in mitigating the risk.

The approach an entity takes to review controls should be proportionate to its circumstances and fraud and corruption risks. For example, some entities may choose to review critical controls in a limited and targeted way, while entities that have large or complex operating environments, or higher exposure to fraud and corruption risk, may implement more comprehensive processes to review multiple controls across integrated control environments.

How should entities document their governance arrangements for managing fraud and corruption risks?

The Fraud and Corruption Rule will require entities to keep records of the structures, processes and officials responsible for fraud and corruption risk management. The Fraud and Corruption Policy will also require NCEs to document arrangements for the management of fraud and corruption risks. This will need to specify the entity’s:

  • overall commitment to managing and responding to fraud and corruption risks
  • risk appetite and tolerance statements relating to fraud and corruption
  • key roles and responsibilities of relevant officials and committees (where relevant)
  • arrangements for preventing, detecting, responding to and reporting on fraud and corruption.

This information can be documented in a way that best suits the operating environment of the entity, noting the desirability of integrating fraud and corruption risk management within the broader risk management framework of entities. For example, this information could be included within an entity’s corporate plan or broader risk management framework. Some entities may choose to create a standalone document, for example a Fraud and Corruption Control Strategy, Policy or Handbook.

How can entities prevent and mitigate fraud and corruption risks when designing, implementing, delivering and undertaking government initiatives?

The level of complexity in how fraud and corruption risk assessment and control is embedded into the planning and activities of the entity should be proportionate to the nature and severity of the risks faced by the entity.

The assessment of risks is an integral part of good policy or program design. Identifying the potential for fraud or corruption early on creates a unique opportunity to plan and implement policies, programs and activities (including transformation initiatives) in a way that reduces the risks of fraud and corruption before they cause harm.

Entities will need to ensure officials involved in planning the activities of the entity are capable of taking risk into account. This involves understanding how to identify and mitigate the risks and impacts of fraud and corruption when designing policies, programs and transformation initiatives.

How can entities prevent fraud and corruption associated with activities undertaken by contractors, consultants and third party service providers?

There is already a range of existing guidance to help entities reduce the integrity-related risks that could arise in relation to activities undertaken for or on behalf of the entity by contractors, consultants and third-party service providers. For example:

Entities will be encouraged to make third-party providers aware of the Commonwealth’s position on fraud and corruption, including their own fraud and corruption control responsibilities when delivering goods or services for or on behalf of the Commonwealth. In some situations, it may be appropriate for entities to extend these awareness raising programs to provider staff and service recipients to also help them understand their rights and obligations, which can help deter and detect fraudulent, corrupt and other unscrupulous conduct by third party providers.

How can entities actively seek to detect instances of fraud and corruption?

Proactive detection of fraud and corruption can include monitoring high-risk areas, internal reviews and audits, intrusion detection systems, conducting reviews focused on risk, data matching and analytics. The activities an entity implements to actively detect or measure instances of fraud and corruption are likely to be influenced by risk assessments. To ensure these activities are appropriate, cost-effective and proportionate to the entity’s risks, entities should focus their effort and resources on their highest risk activities, functions and programs.

What are the arrangements and protocols entities should put in place to investigate or otherwise respond to fraud or corruption or suspected fraud or corruption?

An entity’s response plan should outline how the entity will respond to a fraud and corruption incident, including protocols for:

  • decision-making in response to incidents, including containment
  • communicating clearly and responsively with the public
  • engaging effectively with Ministers and stakeholders (including the media)
  • providing timely notifications to relevant agencies, e.g. the Australian Federal Police (AFP), the NACC or the Australian Cyber Security Centre.

Entities will also need to establish and document criteria for making decisions at critical stages in the management of a suspected fraud or corruption incident. This includes decisions to:

  • investigate or to refer the matter to the AFP or the NACC (in line with obligations under the NACC Act), or
  • take no further action.

It also includes subsequent decisions on the actions resulting from an investigation, such as applying civil or administrative penalties, or referral of a brief of evidence to the Commonwealth Director of Public Prosecutions.

Criteria for responding to a fraud or corruption incident will ideally reflect an entity’s particular circumstances. It is important for criteria for determining the response to go beyond assessing the immediate financial impact to include factors such as deterrence, security and integrity implications.

Who should entities refer a matter to if it involves both suspected serious or complex fraud and suspected serious or systemic corrupt conduct?

Where potential serious or complex fraud involves conduct by a staff member of an agency that could be a corruption issue, entities must comply with their mandatory referral obligations to refer that conduct to the NACC (and/or the Inspector-General of Intelligence and Security in the case of an intelligence agency).

What type of information should entities be recording?

Entities will need to have appropriate mechanisms for recording, reporting, analysing and escalating allegations and instances of fraud and corruption, or suspected fraud and corruption, and any subsequent investigations and outcomes.

As the fraud and corruption threat environment is constantly changing, entities should prepare regular reports to update relevant governance committees, senior executive and relevant business areas. This feedback loop of internal reporting can support an entity to maintain appropriate oversight over mechanisms for preventing, detecting and responding to fraud and corruption, and remain compliant with the Fraud and Corruption Rule and Policy.

Recording information about allegations and instances of fraud and corruption will also help entities respond to the updated AIC Census from next year. Information required by the AIC will include allegations or detections of suspected fraud or corruption, investigations commenced and finalised, targets and methods of fraudulent or corrupt conduct, investigative outcomes, and estimated fraud and corruption losses and recoveries.