Fraud and Corruption Control

Tabled: 29 March 2018

2 Fraud and corruption control framework

To achieve better practice in managing fraud and corruption, the Australian Standard suggests that entities develop a framework that includes:

  • risk assessments to inform fraud and corruption controls
  • a Fraud and Corruption Control Plan outlining the entity's approach to controlling the risk of fraud and corruption, from prevention through to detection and recovery
  • training and other activities to develop staff awareness of fraud and corruption risks and how to respond.

The Standing Directions under the Financial Management Act 1994 require agencies to establish a Fraud, Corruption and Other Losses Policy, implemented across the agency.

We assessed whether fraud and corruption frameworks were in place to govern the activities of MPV, MMRA and PTV. We also considered if the frameworks were consistent with Standing Directions requirements and better practice principles set out in the Australian Standard.

2.1 Conclusion

MPV and MMRA would have been subject to DEDJTR's Fraud, Corruption and Other Losses Policy and Fraud and Corruption Control Plan as a business unit and administrative office. However, DEDJTR only finalised its policy and plan in late February 2018. DEDJTR's protracted delay in finalising and approving these documents meant it was not compliant with the Standing Directions under the Financial Management Act 1994, which required a policy to be in place from 1 July 2017, or better practice requirements of the Australian Standard.

Without a final approved DEDJTR policy and plan, MPV and MMRA developed their own Fraud and Corruption Control Plans. They intended these to also incorporate the elements of a Fraud, Corruption and Other Losses Policy, as required under the Standing Directions. PTV developed a Fraud and Corruption Control Plan compliant with the Australian Standard. This plan also included the requirements of a Fraud, Corruption and Other Losses Policy under the Standing Directions.

DEDJTR can do more to assure itself that all of its staff know how to identify and respond to fraud and corruption. DEDJTR does not consistently maintain records of attendance at integrity training. There are limited records to demonstrate, or readily check, that all staff in positions exposed to high risks of fraud and corruption have received integrity training. While DEDJTR Integrity Services maintains records of completion of online integrity modules, these modules are mandatory only for new starters in DEDJTR.

In addition, DEDJTR staff are reporting poor promotion of the Protected Disclosure Act 2012, and DEDJTR's internal audit program has given insufficient attention to high-risk activities undertaken by MPV, including procurement. These gaps undermine messages from DEDJTR's leadership that preventing, detecting and responding to fraud and corruption is an organisational priority.

PTV provided extensive mandatory fraud and corruption training to its staff, and its internal audit activity has appropriately considered fraud and corruption risks.

2.2 Risk assessment

The Australian Standard recommends that entities complete a preliminary assessment of fraud and corruption risks to inform the development of a Fraud and Corruption Control Plan. This risk assessment should consider risks inherent in the entity's industry and core business and should help determine the scope of controls outlined in the plan.

We examined whether MPV, MMRA and PTV had conducted risk assessments to inform their Fraud and Corruption Control Plans.

MPV

MPV conducted fraud and corruption risk assessments in early 2014 and December 2015. The 2015 assessment identified multiple risks and proposed steps for mitigation, but did not outline who was responsible for mitigating risks. There is little evidence to confirm how the mitigation strategies were considered or implemented. One undated document provided by DEDJTR listed the 12 risks identified and noted a number were complete and a number were estimated for completion in mid-2016. The risk assessment identified accounts payable fraud and poor contract management as high-priority risk areas. Proposed steps to mitigate these risks included:

  • regular analysis of contract variations
  • exception reporting
  • computer-assisted techniques to identify procurement splitting (where contracts are split into parts of lesser value, so that certain controls do not apply) and instances where vendors were consistently engaged by the same project manager.

MPV's Fraud and Corruption Control Plan did not reference the identified risks of low-value procurement fraud, accounts payable fraud and the manipulation of project management data. The plan also did not include the mitigation controls suggested by the risk assessment.

We note that a large number of the recommendations made in the risk assessment referred to the use of data analytics, and we discuss DEDJTR's progress in implementing a data analytics program in Section 2.7. We also note that DEDJTR would have captured MPV in this program had it remained as a business unit in DEDJTR.

We identified concerns with the comprehensiveness of the risk assessment. MPV identified the risk of abuse of power as unlikely. The assessment identified staff accepting inappropriate gifts as an indication of the intent to corruptly influence. As detailed in Section 3.5, MPV staff accepted gifts, benefits and hospitality from suppliers. We confirmed that 46 per cent of accepted offers of gifts, benefits and hospitality came from contractors and vendors. MPV's mitigation strategy was running fraud and corruption awareness training to acquaint staff with the available avenues to report fraud and corruption, but as detailed in Section 3.5, it did not take sufficient action to avoid the general risks associated with public sector officers accepting offers from suppliers.

MMRA

MMRA's master risk register confirms that fraud and corruption risks have been considered and rated within the broader risk program. The register assigns identified risks to owners with detailed mitigation strategies and includes an implementation status.

MMRA has implemented the mitigation strategies suggested in the risk assessment. For example, the assessment identified the inappropriate access of information as a significant risk. A suggested strategy was conducting an internal cyber-security audit, which commenced in mid-2017.

MMRA's risk assessment reflects fraud and corruption risks that were not identified in the MPV or PTV risk registers, although they would be equally relevant—for example, 'kickbacks' for existing employees assisting candidates to secure roles at MMRA. However, this particular risk did not flow through to the Fraud and Corruption Control Plan and, as discussed in Section 3.4, MMRA was not controlling for this risk by using conflict of interest declarations for recruitment panel members.

PTV

PTV has conducted thorough fraud and corruption risk assessments. The assessments include detailed mitigation strategies and assign identified risks to owners. We noted one instance where an identified risk did not flow through to the Fraud and Corruption Control Plan. PTV identified cyber security threats as a high-level risk and detailed potential causes, consequences and controls, but did not reflect this in the Fraud and Corruption Control Plan.

Although PTV is managing the risk, including this information in the plan would make the plan stronger by detailing how PTV is mitigating risks specific to its operating environment.

2.3 Fraud and Corruption Control Policies and Plans

Under the Standing Directions, DEDJTR and PTV must establish a Fraud, Corruption and Other Losses Policy. The Australian Standard suggests the development of a Fraud and Corruption Control Plan that outlines an entity's approach to controlling fraud and corruption.

We assessed whether Fraud, Corruption and Other Losses Policies and Fraud and Corruption Control Plans compliant with the Standing Directions and consistent with the Australian Standard had been developed and implemented to support MPV, MMRA and PTV.

MPV and MMRA

As a business unit and administrative office, MPV and MMRA would have been subject to the policy and plan of their portfolio department, DEDJTR. DEDJTR only finalised its Fraud, Corruption and Other Losses Policy and Plan in 2018. The plan and policy had been in draft form since October 2015, and while they had been reviewed and revised during this time, they were not approved and finalised until late February 2018. As these documents were not finalised, DEDJTR did not have an agency-wide policy to prevent and manage fraud and corruption, and did not comply with the mandatory Standing Directions under the Financial Management Act 1994, which required a policy to be in place from 1 July 2017, or better practice under the Australian Standard.

Prior to the finalisation of the policy and plan, DEDJTR had reported that it relied on its 2015 Integrity Framework to give effect to its fraud and corruption control activities. The DEDJTR Integrity Framework is a valuable high-level document outlining a strategic approach for promoting a culture of integrity in DEDJTR and where, as a new department, it intended to direct its efforts to implement integrity structures, processes and resources. While the Integrity Framework is a positive indication of the culture that DEDJTR wants to develop, it does not provide the focus and detail of a Fraud, Corruption and Other Losses Policy or Fraud and Corruption Control Plan. As the Integrity Framework does not provide the necessary detail on preventing, detecting and responding to fraud and corruption, it is not compliant with the Standing Directions or consistent with the Australian Standard. The Integrity Framework describes a Fraud and Corruption Control Plan as a first line of defence and in October 2015 stated that DEDJTR was drafting such a plan.

During the course of this audit, the DEDJTR Integrity Services Unit acknowledged the delay in finalising its policy and plan. DEDJTR advised us, when the documents were in draft form, that it expected the finalised policy and plan would largely formalise controls that were already in place. However, DEDJTR is yet to fully implement certain controls, including a suite of due diligence policies and a data analytics program. DEDJTR has committed to finalising these controls in 2018.

The case studies in Figures 2A and 2B reflect the sophistication of fraud attempts faced by DEDJTR.

In March 2016, DEDJTR was subject to an attempted, though unsuccessful, phishing attack seeking payment of $400 000. A year later, in April 2017, DEDJTR was subject to another phishing attack, this time successful.

Figure 2A
Case study: Attempted phishing scam in 2016

In March 2016, DEDJTR was subject to an attempted phishing attack that was successfully blocked. An external party sought payment of $400 000.

The scam took the form of an email from an executive officer seeking urgent payment of an invoice.

The request was feasible, based on the executive's business area, but a senior finance officer declined to process the request as the amount exceeded the executive's financial delegation and there was no purchase order.

DEDJTR investigated the matter and found that the email was from an external party using a 'masked' email address. DEDJTR also found that most of the information used to construct the invoice and emails to make them look plausible was available on DEDJTR or whole-of-government websites.

The attack was successfully blocked but DEDJTR reviewed and strengthened its controls after it concluded that it could have succeeded if:

  • the invoice had been for a less ambitious amount
  • the request was handled by an area where internal controls were not working as effectively
  • a purchase order had been created by a staff member feeling pressured, given the invoice appeared to have been sent by a senior officer
  • the purchase order process had been circumvented by requesting a credit card payment (for smaller amounts).

Source: VAGO based on DEDJTR information.

Figure 2B
Case study: Successful phishing scam in 2017

In April 2017, DEDJTR was the victim of a second phishing scam and made four payments totalling more than $294 000 to a bank account falsely represented as belonging to an existing supplier.

The existing supplier alerted DEDJTR that it had not received payment and that DEDJTR may have been the victim of a phishing scam.

DEDJTR contacted its bank and the bank recovered nearly $290 000. DEDJTR wrote off about $4 600. An employee did not comply with internal controls, and processed a request to change bank account details without first verifying the information provided.

In response to this incident, DEDJTR strengthened its controls. DEDJTR now requires vendors to complete a form and provide supporting documentation to change bank details. An authorised officer then reviews and assesses the request against publicly available information about the vendor.

A memorandum to the Secretary in July 2017 regarding this incident noted that DEDJTR's Fraud and Corruption Control Plan would be finalised in 'the coming weeks'. The plan was finalised in February 2018.

DEDJTR's internal audit function has reviewed the revised controls and is currently auditing their effectiveness given they have been in place for six months, which is a positive indicator of DEDJTR's efforts to manage ongoing phishing attempts.

Source: VAGO based on DEDJTR information.

IBAC has noted that leadership is key to creating an ethical culture and the 'tone from the top' is essential. These case studies highlight the importance of strengthening the culture and awareness of fraud and corruption risks. While DEDJTR's Integrity Framework is a positive step towards building and maintaining an integrity culture, a finalised Fraud, Corruption and Other Losses Policy and Fraud and Corruption Control Plan, which are communicated to staff, could have significantly reinforced these efforts at the time. Without a final approved DEDJTR policy and plan, MPV and MMRA developed their own Fraud and Corruption Control Plans.

MPV

MPV developed a Fraud and Corruption Control Plan but it remained in draft form. The DEDJTR Integrity Services Unit advised that MPV's director of governance and business was responsible for the plan, but this director left MPV in December 2016. MPV continued to operate until 31 March 2017.

The MPV draft Fraud and Corruption Control Plan did not reference key aspects that we would expect in a plan compliant with the Standing Directions and consistent with the Australian Standard, including:

  • policies or procedures to report fraud and corruption to external agencies
  • how matters would be investigated
  • internal reporting requirements.

MPV's failure to finalise and review its Fraud and Corruption Control Plan, and develop associated procedures, is concerning given it managed significant projects on behalf of the government.

MMRA

MMRA applied the Australian Standard by developing a Fraud and Corruption Control Plan. This was superseded in February 2017 by a plan that MTIP developed to cover all of its entities. This plan also meets the requirements of a Fraud, Corruption and Other Losses Policy under the Standing Directions.

The MTIP plan references relevant internal policies and procedures, as well as external resources, including IBAC's Investigation Guide. The plan also highlights management's commitment to fraud and corruption control, with reference to mandatory annual fraud and corruption awareness training for all staff. MTIP tailored the plan to reflect its business context.

PTV

PTV developed a Fraud and Corruption Control Plan in September 2014, which is consistent with the Australian Standard and has been subject to regular reviews. This plan also meets the requirements of a Fraud, Corruption and Other Losses Policy under the Standing Directions. PTV also developed a separate and detailed Fraud and Corruption Response Procedure. Access to this procedure is restricted to safeguard PTV's investigative approach when responding to fraud and corruption. PTV's plan and response procedure demonstrate its commitment to this initiative after Operation Fitzroy.

Fraud and Corruption Control Plans

The Australian Standard provides a detailed template for use by entities and the plans we reviewed strongly align with this. The plans describe:

  • roles and responsibilities for the management of fraud and corruption in the agency
  • relationships with other agency procedures and policies
  • mechanisms for the communication and awareness of fraud and corruption
  • terms and definitions.

However, we found one significant example where the plans did not reflect the agencies' specific risks or practices—the MPV, MMRA and PTV plans all had identical sections for supplier vetting, copied directly from the Australian Standard. None had tailored this section to reflect their specific procurement environments, risks or actual practices. This raises the risk that there may not be adequate controls in this area—see Section 4.3 for further information.

2.4 Staff training

The Australian Standard suggests that entities train staff to be aware of fraud and corruption, and educate them on how to respond.

The Australian Standard notes that employees do not identify a significant proportion of fraud and corruption at an early stage because they are unable to recognise warning signs, are unsure how to report concerns or lack confidence in the available reporting systems. Various IBAC investigations have found that corrupt conduct went undetected for a number of years, highlighting the importance of training as a preventative activity.

We assessed the training provided to MPV, MMRA and PTV staff to determine whether it was consistent with recommendations in the Australian Standard.

MPV, MMRA and PTV

The MPV, MMRA and PTV training material is consistent with the Australian Standard. It includes:

  • definitions, costs and examples of fraud and corruption
  • IBAC's role and investigations
  • warning signs for fraud and corruption and internal controls
  • references to the Victorian Public Sector Code of Conduct and relevant policies
  • reference to the DEDJTR Integrity Framework
  • details on how to make a protected disclosure and use DEDJTR's 'report a concern' mechanism (an online portal that allows for anonymous reporting).

The training was mandatory for MPV, MMRA and PTV but only MMRA and PTV were able to provide records of attendance to confirm compliance.

The DEDJTR Integrity Services Unit provided training to MPV staff, which the Chief Executive Officer mandated. DEDJTR has advised that records of attendance were completed but they could not be located for the purposes of this audit. By not maintaining documentation, DEDJTR could not provide assurance that MPV staff had received sufficient information to respond effectively to fraud and corruption.

In response to Operation Fitzroy, PTV committed to changing the culture and encouraged and equipped staff to identify, report and act on integrity matters. In the two years following the investigation, PTV ran an extensive mandatory training program on fraud and corruption risks, including specialised training for those involved with the management of contracts and procurements, and for members of the fraud and corruption control response team. PTV subsequently developed online training modules with a dedicated focus on fraud and corruption. PTV's ongoing training program reflects good practice and demonstrates PTV's commitment to fraud and corruption control.

DEDJTR Integrity Services Unit

The training material we reviewed is consistent with the Australian Standard. The material described vulnerable areas in DEDJTR, referenced relevant policies, provided opportunities for discussing integrity dilemmas and encouraged staff to contact the Integrity Services Unit if they had concerns.

Documentation provided by the DEDJTR Integrity Services Unit shows that its staff frequently conduct integrity training to raise awareness and education across DEDJTR. The DEDJTR Integrity Services Unit delivers three types of face-to-face integrity training:

  • integrity conversations delivered to senior staff which consist of information sharing on key integrity matters
  • integrity training sessions which are scenario-based and engage participants in more formal learning
  • induction sessions.

In instances where business units requested the training, the business unit kept attendance records. The DEDJTR Integrity Services Unit has not consistently maintained records of staff who completed face-to-face training. As a result, DEDJTR cannot demonstrate or readily check that staff in positions exposed to high risks of fraud and corruption have received integrity training.

The DEDJTR Integrity Services Unit has introduced online integrity modules, which include a fraud and corruption component. DEDJTR has designed the modules for staff to complete each year. However, completion is mandatory only for new employees who are completing induction. DEDJTR has provided records that show 728 new staff completed the online modules as part of their induction program in 2016–17, and 34 managers have completed training since a manager's integrity toolkit was launched in late 2017.

DEDJTR can improve its preventative approach to fraud and corruption by ensuring wider reach of its training offerings, such as mandatory online modules, and recording staff completion of training to identify gaps.

2.5 Staff awareness, including protected disclosures

Fraud and corruption is secretive and difficult to detect. IBAC describes public sector employees as 'best placed' to identify suspicious conduct by their colleagues or concerns about external parties, such as contractors and suppliers. Public sector employees need to know how to report concerns and have confidence that their employer will protect them from any reprisals. Promotion of key integrity policies and processes, including the Protected Disclosure Act 2012, is vital. This increases the capacity of staff to detect and report possible instances of fraud and corruption.

We assessed VPSC survey results for DEDJTR (including MPV and MMRA) and for PTV staff to determine if key integrity policies and processes are promoted effectively.

VPSC People Matter Survey

There has been communication with staff by PTV, MMRA and DEDJTR, on behalf of MPV, about broad integrity issues, in the form of emails, staff bulletins, forums and training. However, levels of staff awareness of certain integrity policies and procedures, reported in the VPSC People Matter Survey, do not always reflect these efforts.

DEDJTR and PTV provide information to staff on the Protected Disclosure Act 2012 (which provides critical protections to individuals reporting improper conduct) during induction sessions and integrity training. They also have dedicated intranet pages, which guide staff about making a protected disclosure. PTV has information regarding disclosures in its Fraud and Corruption Control Plan. DEDJTR has recently established a new workplace conciliator role. DEDJTR anticipates that this role will promote staff awareness of a range of avenues for reporting issues or concerns, including protected disclosures. The role will work collaboratively with the Integrity Services Unit.

Every year, VPSC runs the People Matter Survey, which asks, among other things, if participants have seen or heard communication about particular policies in the past 12 months.

Figure 2C shows the results for 2016 and 2017. The data reflect particularly low awareness by DEDJTR and PTV staff of the promotion of processes to support the Protected Disclosure Act 2012 and reporting of improper employee conduct. Results for DEDJTR include MMRA and MPV staff. As the results also reflect the wider department, and MMRA and MPV only make up a small proportion of the total DEDJTR staffing numbers, the survey results are not necessarily reflective of MMRA or MPV staff responses.

Figure 2C
Reported promotion of integrity policies

| Policy | DEDJTR 2017 | DEDJTR 2016 | PTV 2016 |
|---|---|---|---|
| Code of Conduct | 73% | 77% | 67% |
| Public sector values | 71% | 74% | 49% |
| Processes for reporting improper employee conduct | 51% | 49% | 71% |
| Processes to support the Protected Disclosure Act 2012 | 27% | 29% | 48% |
| Policy on giving and receiving of gifts and benefits | 88% | 83% | 88% |
| Policy to assist employees to avoid conflicts of interest | 70% | 69% | 76% |

Note: PTV did not participate in the People Matter Survey in 2017 and MPV was no longer in existence.

Source: VAGO based on VPSC data.

These results show good levels of reported promotion of certain policies, such as gifts and benefits and the Code of Conduct. However, these results call into question the effectiveness of promotion activities and training provided to staff by DEDJTR in relation to protected disclosures.

For PTV, the results may reflect that it cannot receive protected disclosures, though this does not negate the need for its staff to know how to make one. Comparing DEDJTR's 2017 People Matter Survey results with like departments shows that its promotion of processes for reporting improper employee conduct and processes to support the Protected Disclosure Act 2012 are below the departmental averages of 64 per cent and 37 per cent respectively.

If protected disclosure policies are not effectively promoted, staff are less likely to use this mechanism. This reduces the ability to detect fraud and corruption and means that individuals wishing to report improper conduct may not receive the protections available to them under the Protected Disclosure Act 2012.

2.6 Internal audit

Internal audits are an important part of an effective control environment for fraud and corruption. Internal audits can monitor controls, detect weaknesses and make recommendations to strengthen controls. Under the Standing Directions, internal audit plans must include audits of business processes or units likely to be vulnerable to fraud, corruption and other losses.

We assessed whether internal audits in MPV, MMRA and PTV were considering fraud and corruption risks.

MPV

As a DEDJTR business unit, MPV was included in DEDJTR's internal audit activities, which cover a large and varied portfolio. Despite being responsible for complex projects and undertaking high levels of procurement, MPV was not subject to the same levels of internal audit activity as MMRA and PTV, which maintain their own internal audit functions.

In 2016–17, DEDJTR's internal audit program included only one audit with a specific focus on MPV. This was a follow-up audit to determine whether MPV had implemented the outstanding recommendations highlighted in our 2015 performance audit Follow up of Managing Major Projects. It did not assess fraud and corruption controls.

Although DEDJTR has conducted internal audits into vulnerable areas, these audits have not covered processes that MPV, as a business unit, maintained separately to DEDJTR. For example, DEDJTR completed an internal audit of accounts payable, but the audit did not include MPV's accounts payable system, which was separate to DEDJTR's.

In addition to DEDJTR's internal audit function, in late 2015, MPV engaged a contractor to complete data analytics work to assess fraud and corruption risks. Further discussion of MPV's response to the findings of this assessment is contained in Section 2.2. The contractor identified the following risks:

  • procurement splitting
  • variations to contracts being inaccurately reflected
  • opportunity for bank account details to be manipulated in the electronic payment file
  • opportunities for MPV staff to authorise payments which exceeded their financial delegations.

DEDJTR advised that as MPV would merge to become a statutory authority, it was not considered a high-risk area for DEDJTR's internal audit program, which also had to consider resourcing and budget constraints. DEDJTR also advised that as a relatively new department, it focused its internal audit program on core business processes affecting the whole department at this time.

We consider that MPV was a risk area for fraud and corruption, due to MPV undergoing significant organisational change, continuing to manage large procurements, working closely with the private sector and maintaining separate processes to DEDJTR.

MMRA

MMRA operates its own internal audit function and conducted more than 30 internal audits during 2016–17. Fraud and corruption risks were appropriately covered, with almost half of the 2016–17 audits focusing on potentially vulnerable areas, including:

  • contract management
  • gifts, benefits and hospitality
  • contractor and staff recruitment
  • the fraud and integrity control environment
  • conflicts of interest and confidentiality.

MMRA clearly linked internal audit activity to the risks it identified in risk assessments. MMRA identified the inappropriate access of information as a significant risk. Controls for this risk include internal audits, the development of security plans, and the maintenance of usage and access logs. MMRA is currently conducting an internal audit on cyber security, which includes assessing the physical security of data, and having the internal auditors try to use deception and non-standard testing methods to gain access to data, systems and applications.

PTV

PTV's internal audit program is appropriately considering fraud and corruption risks. PTV's 2016–17 internal audit program planned 10 audits, with five considering vulnerable areas including:

  • delegations of authority
  • payroll processes
  • asset management.

PTV operates an outsourced internal audit model, with PTV's internal audit division managing the contract. In an outsourced internal audit model, it is important that the team that manages the contract is properly resourced. This includes representation at a senior level to ensure audit teams properly rate the seriousness of audit findings and that business units appropriately respond.

During Operation Fitzroy, IBAC was concerned about the ad hoc auditing processes of PTV's outsourced internal audit provider. IBAC also questioned the effectiveness of PTV's audit and risk management function. IBAC did not fully explore this issue in its investigation, but we found evidence to support this concern. The case study in Figure 2D describes a 2013 internal audit conducted prior to IBAC's investigation and is an example of improperly classified audit findings that PTV did not act on appropriately at that time.

Figure 2D
Case study: Inappropriate rating of audit findings

In August 2013, PTV's outsourced internal audit function completed a report on procurement. The report identified a lack of controls over information in the vendor master file as a low-level finding. Internal audit testing at PTV found:

  • suppliers without an ABN
  • suppliers with duplicated bank account details and ABNs
  • suppliers with no bank account details
  • duplicate or similar supplier names in the master file.

The internal audit concluded that a 'lack of controls over the vendor master file creation and maintenance activities increases the risk of fictitious vendors being set up, which may potentially lead to fraudulent activities and financial losses. Inaccurate, incomplete, duplicated or outdated information in the supplier master file increases the risk of payments made to inaccurate or inappropriate suppliers and reduces the effectiveness of expenditure tracking and reporting.'

According to the report, a low-level audit finding:

  • represents a minor control weakness
  • will have a minimal impact on internal business only
  • should not decrease the public's confidence in PTV
  • should be addressed in 9–12 months, subject to competing priorities.

The audit's low-level classification and response did not reflect the actual risk and the events that followed. IBAC's Operation Fitzroy investigation began a month later, in September 2013, and identified significant losses through control weaknesses in PTV's procurement framework, including controls over information in the supplier master file. The investigation received significant media attention and had a negative impact on PTV's public reputation.

Source: VAGO based on PTV information.

This case study illustrates what can occur when there is inadequate oversight over the classification of findings and associated response. In 2015, PTV created a new senior role to oversee the audit and risk function. In December 2017, PTV restructured to create an Internal Audit Division and Head of Audit position. If the role operates as intended, this should provide sufficient oversight of the internal audit function to prevent this situation recurring.

2.7 Data analytics

The Australian Standard suggests implementing a fraud and corruption detection program, which should include data mining and real-time computer system analysis to identify suspected fraudulent transactions. Data analytic tools enable analysis of large data sets and work to identify patterns, trends and possible anomalies, and can detect potential instances of fraud and corruption.

DEDJTR is responsible for the payroll and accounts payable functions for MMRA and maintains the vendor master file for PTV. Accounts payable and payroll systems facilitate high numbers of transactions every day including payments to vendors for goods and services and salary payments to employees. These information systems are an important source of information to detect common types of fraud and corruption, including false invoicing and illegitimate payments.

One of the initiatives in DEDJTR's November 2015 Integrity Framework was that the Integrity Services Unit would develop and maintain a suite of data analytics for use as a management tool. The framework noted that as at October 2015 there was limited use made of data analytics. In April 2016, DEDJTR provided dedicated resources to develop its data analytics capability.

In May 2016, the DEDJTR Integrity Services Unit commenced its first data matching exercise, which compared vendor and payroll data. The exercise did not identify any instances of fraud or corruption. However, there were caveats on this exercise, including that the DEDJTR Integrity Services Unit did not undertake any checks to verify the completeness and integrity of the data it received for testing.

In late 2017, DEDJTR began implementing business-as-usual data analytics for MTIP users, which includes MMRA. DEDJTR anticipates it will fully embed its data analytics program across the broader department by June 2018.

The data analytics program will not only assist DEDJTR in detecting potential instances of fraud and corruption, but will also improve compliance and business process reporting across DEDJTR. It is a positive initiative by DEDJTR to control for fraud and corruption.

In late 2015, MPV engaged a contractor to complete data analytics. Further discussion of MPV's response to the findings of this assessment is contained in Section 2.2.
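
The vendor master file tests listed in Figure 2D and the vendor-to-payroll data match described in this section can be expressed as a short script. The following is an added illustration, not part of the audit report or any agency's tooling; all records, field names, function names and the 0.9 name-similarity threshold are constructed assumptions. It also includes the completeness check on the received extract that the May 2016 exercise lacked.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample extracts (not real suppliers, ABNs or accounts).
VENDORS = [
    {"id": "V001", "name": "Acme Civil Pty Ltd", "abn": "11111111111", "bank": "063-000 10000001"},
    {"id": "V002", "name": "ACME Civil P/L",     "abn": "11111111111", "bank": "063-000 10000001"},
    {"id": "V003", "name": "Bayline Electrical", "abn": "",            "bank": "083-001 20000002"},
    {"id": "V004", "name": "Corio Surveying",    "abn": "22222222222", "bank": ""},
    {"id": "V005", "name": "Delta Plant Hire",   "abn": "33333333333", "bank": "033-002 30000003"},
]
EMPLOYEES = [
    {"id": "E101", "bank": "013-003 40000004"},
    {"id": "E102", "bank": "033 002 30000003"},  # same account as V005, formatted differently
]

# Legal-form suffixes ignored when comparing supplier names (assumed list).
SUFFIXES = {"pty", "ltd", "pl", "limited"}


def digits(value):
    """Keep digits only so formatting differences do not hide a match."""
    return re.sub(r"\D", "", value or "")


def norm_name(name):
    """Lowercase, drop punctuation and legal-form suffixes."""
    words = re.sub(r"[^a-z0-9 ]", "", name.lower()).split()
    return " ".join(w for w in words if w not in SUFFIXES)


def verify_extract(rows, expected_count, key="id"):
    """Completeness and integrity check on a received extract.

    expected_count is a control total supplied separately by the source
    system owner. Returns a list of problems; empty means the extract is
    safe to test.
    """
    problems = []
    if len(rows) != expected_count:
        problems.append(f"row count {len(rows)} != control total {expected_count}")
    ids = [r[key] for r in rows]
    dupes = sorted({i for i in ids if ids.count(i) > 1})
    if dupes:
        problems.append(f"duplicate keys: {dupes}")
    return problems


def shared(rows, field):
    """Groups of record ids that share the same non-empty value of `field`."""
    groups = defaultdict(list)
    for r in rows:
        value = digits(r[field])
        if value:
            groups[value].append(r["id"])
    return sorted(tuple(sorted(ids)) for ids in groups.values() if len(ids) > 1)


def vendor_master_exceptions(vendors, name_threshold=0.9):
    """The four vendor master file tests from Figure 2D as exception lists."""
    similar = []
    for a, b in combinations(vendors, 2):
        ratio = SequenceMatcher(None, norm_name(a["name"]), norm_name(b["name"])).ratio()
        if ratio >= name_threshold:
            similar.append((a["id"], b["id"]))
    return {
        "missing_abn": [v["id"] for v in vendors if not digits(v["abn"])],
        "missing_bank": [v["id"] for v in vendors if not digits(v["bank"])],
        "duplicate_abn": shared(vendors, "abn"),
        "duplicate_bank": shared(vendors, "bank"),
        "similar_names": similar,
    }


def vendor_payroll_matches(vendors, employees):
    """Vendors paid into a bank account that also appears in payroll."""
    by_account = defaultdict(list)
    for e in employees:
        account = digits(e["bank"])
        if account:
            by_account[account].append(e["id"])
    return [(v["id"], emp)
            for v in vendors
            for emp in by_account.get(digits(v["bank"]), [])]


if __name__ == "__main__":
    # Refuse to report "no exceptions" on an extract that fails the check.
    issues = verify_extract(VENDORS, expected_count=5)
    if issues:
        raise SystemExit(f"extract rejected: {issues}")
    for test, hits in vendor_master_exceptions(VENDORS).items():
        print(f"{test}: {hits}")
    print("vendor/payroll bank match:", vendor_payroll_matches(VENDORS, EMPLOYEES))
```

Each hit is an exception for follow-up, not a finding of fraud; a shared bank account or similar name can have a legitimate explanation that a reviewer needs to confirm.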
