    Fraud and risk management

    The Public Governance, Performance and Accountability Act 2013 (PGPA Act) sets out minimum standards for the management of fraud. These include conducting fraud risk assessments, developing and implementing a fraud control plan, and having mechanisms for preventing, detecting and investigating fraud. It also requires that agencies establish and maintain appropriate systems and internal controls for risk oversight and management.

    Fraud management

    The Commonwealth Fraud Control Framework outlines the Australian Government's requirements for fraud control, including that government entities put in place a comprehensive fraud control program that covers prevention, detection, investigation and reporting strategies.

    Fraud against the Commonwealth is a criminal offence that impacts directly on Australians. It reduces the funds available for delivering public goods and services, and undermines public confidence in the government. The ATO considers and addresses fraud risks from external sources, and addresses potentially fraudulent activity occurring within our organisation.

    Crime in the tax and superannuation systems

    Our approach to addressing the threat of crime in the tax and superannuation systems is to ensure coordinated, cohesive and deliberate action is taken against those who choose to commit such crimes. We use our own resources and work with our partners both domestically and internationally.

    The ATO contributes to the understanding and broader treatment of tax fraud and related crimes. We lead and participate in domestic and international taskforces, forums and bodies, and are the lead agency in the Serious Financial Crime, Black Economy and Phoenix taskforces. These taskforces provide a nationwide, whole-of-government response to serious financial crime and related serious non-compliant behaviour.

    Through our involvement in the Organisation for Economic Co-operation and Development (OECD), the Financial Action Task Force and, more recently, the Joint Chiefs of Global Tax Enforcement (the J5 Alliance), we are developing a shared understanding and approach to addressing serious financial crime internationally. Our programs ensure we have comprehensive strategies to identify, prevent and treat crime in the Australian tax and superannuation systems.

    Internal fraud prevention and investigations

    We take potential fraudulent activity from within the ATO very seriously. Recognising that our culture is key to supporting the behaviour we expect to see, we appointed Dr Simon Longstaff AO as an independent integrity adviser. This role focuses on education, support and advice, rather than conformance and governance. Dr Longstaff is eminent in the ethics field and is currently the Executive Director of The Ethics Centre.

    In 2017–18, we also reviewed and refreshed our overarching Fraud and Corruption Control Plan, commissioned an independent assessment of our Corruption Risk Profile, and established an Integrity Unit to provide a focal point for integrity – articulating the ATO’s integrity expectations and using a wide range of intelligence sources to identify and analyse any integrity risks and emerging trends.

    Potentially fraudulent activity from within the ATO is identified using reports received from a variety of channels – both internal and external. All reports are considered and assessed and appropriate action taken, including collaboration with the Australian Federal Police if necessary. In 2017–18, we assessed 635 allegations or reports, of which:

    • 162 were substantiated
    • 200 were unsubstantiated
    • 61 were not able to be determined
    • 212 remain open at the end of the year.

    Unauthorised access continues to be the largest category of substantiated allegations, and is identified through proactive monitoring and integrity scanning. Previously, only samples of the ATO population were included in an integrity scan. Now the entire ATO population is scanned, and more frequently. Unauthorised access predominantly involves access to the employees’ own records, or those of their family members or other people they are connected to. While such access may not result in any fraud, the fact that it is actively examined shows the seriousness with which the ATO treats the matter.

    We also work at the project and business area level to minimise the risk of internal fraud and corruption. We invest extensively in fraud prevention activities and support, such as:

    • regular face-to-face education and awareness sessions with staff, about fraud and corruption issues
    • the mandatory Security, Privacy and Fraud staff training package, which must be completed prior to accessing taxpayer records
    • a range of staff self-help material and contemporary communication products, which are continually being developed and refreshed.

    Risk management

    The whole-of-government requirements for risk management are set out in section 16 of the PGPA Act – specifying that agencies have a duty to establish and maintain an appropriate system of risk oversight, management and internal control – and in the Commonwealth Risk Management Policy.

    The Commissioner of Taxation and the other members of the ATO Executive team promote a positive and sensible approach to risk management, and support continuous improvement of risk practice across the ATO.

    In 2017–18, the ATO refreshed its approach to risk management. We implemented an updated Enterprise Risk Management Framework, and established an Enterprise Risk Management Committee, chaired by the Chief Operating Officer.

    The ATO Chief Risk Officer directs a corporate risk and assurance program of work, framed against the strategic objectives in the ATO corporate plan 2017–18, along with targeted risk advisory activities in support of key governance committees. Underpinning this is a continued effort to shift to a positive risk culture and a streamlined approach to risk management.

    Internal audit arrangements

    Our Audit and Risk Committee provides independent assurance and advice on the ATO's risk control and compliance frameworks; reviews the management of strategic risks; and monitors the effectiveness and performance of the risk management framework. The Audit and Risk Committee is, in turn, supported by specialised subcommittees for financial statements and performance statements. The committee complies with section 45 of the PGPA Act and section 17 of the PGPA Rule (on audit committees for Commonwealth entities).

    The Chief Internal Auditor directs a comprehensive program of assurance, audit and advisory services. This work assists the Commissioner, the Audit and Risk Committee and the ATO Executive to achieve their business objectives. They work together to develop and maintain efficient and effective systems of internal control, risk management and corporate governance. The ATO’s Internal Audit branch works with internal and external scrutineers on matters of mutual interest, coordinating assurance activity and reducing duplication of audit effort.

    Conformance with obligations

    The ATO's ‘Conformance with obligations’ program provides assurance that we are meeting our legislative and policy obligations, and managing key risk matters appropriately. If non-conformance is identified, we address any relevant issues and restore compliance.

    ATO business areas complete quarterly conformance statements, providing attestations and evidence of their overall level of conformance with legislative and policy obligations. These statements also outline how they manage potential risks and instances of regulatory non-compliance. Findings from conformance statements are reported quarterly to the Audit and Risk Committee.

    Our integrity reporting uses quantitative measures in selected areas of risk. This provides oversight to the ATO Executive and Audit and Risk committees, as well as the relevant business area.

    Using this approach ensures responsibilities and accountabilities are shared between various parts of the ATO, including:

    • business area management – to implement strategies, controls or recommended improvements
    • organisational ‘group’ or appropriate corporate areas – to provide ATO level of assurance
    • Internal Audit – to provide independent advice.

    Alternative strategies and practices that reduce the risk of open non-conformance have been part of the process since March 2018.

      Last modified: 26 Oct 2018 QC 57065