Foreword
I am pleased to introduce the ATO’s 2026 Fraud and Corruption Control Plan (the Plan), which sets out our approach to managing fraud and corruption risks across the Australian Taxation Office listed entity, including the Tax Practitioners Board (TPB) and the Australian Charities and Not-for-profits Commission (ACNC).
As the Accountable Authority of the Australian Taxation Office listed entity, I am responsible under section 10 of the Public Governance, Performance and Accountability (PGPA) Rule 2014, and the supporting Commonwealth Fraud and Corruption Control Framework, to take all reasonable measures to prevent, detect and respond to fraud and corruption. This includes documenting and implementing a fraud and corruption control plan and reviewing it regularly to address emerging risks.
We have no tolerance for fraudulent or corrupt behaviour. These behaviours undermine trust in Australia’s tax system and can cause significant harm to the community. Our commitment is to minimise risks to reduce the occurrence and impact of fraud and corruption through strong prevention strategies, early detection, and effective response. This Plan provides practical guidance for ATO officials and stakeholders on recognising risks, integrating controls into decision-making, and knowing how to seek advice or report concerns.
The environment in which we operate is increasingly complex. Fraud and corruption threats are evolving rapidly, driven by technological change, cybercrime and organised criminal activity. Insider threats remain a critical focus area, requiring vigilance and robust security measures. These challenges demand that we think ahead, strengthen our controls, and act decisively when risks materialise. To reinforce this, enhancing counter-fraud measures is now one of our enterprise priorities in the Australian Taxation Office corporate plan 2025–26, focusing on support and prevention first, with direct consequences for repeated or deliberate non-compliance.
Implementing this Plan is central to maintaining the integrity of our systems and aligns with the ATO’s broader integrity framework and the Australian Public Service reform agenda. Through leadership, governance and collaboration, we will continue to protect the revenue that funds essential services for Australians.
Each of us has a role in safeguarding the integrity of the ATO and I encourage you to familiarise yourself with the Plan and incorporate its requirements into your daily work. By actively identifying risks, reporting suspected fraud or corruption, and upholding the highest standards of conduct, we can maintain the trust that the Australian community places in us.
Thank you for your continued vigilance and commitment.
Commissioner of Taxation
Registrar of the Australian Business Register,
Australian Business Registry Services, and
Register of Foreign Ownership of Australian Assets
Introduction
The Commissioner of Taxation is responsible for administering Australia’s tax system and aspects of Australia’s superannuation system. For the purposes of the Public Governance, Performance and Accountability Act 2013 (PGPA Act), the Commissioner is the accountable authority for the Australian Taxation Office (ATO), the Tax Practitioners Board (TPB) and the Australian Charities and Not-for-profits Commission (ACNC), including the ACNC Advisory Board. The Commissioner is also Registrar of the Australian Business Register (ABR), Australian Business Registry Services (ABRS) and the Register of Foreign Ownership of Australian Assets.
The ATO, the TPB and the ACNC share various services and processes and comply with common policies and instructions. All staff of the listed entity are ATO employees and have a role in building and maintaining integrity and dealing with risks through action, leadership and governance.
When required, the ATO will collaborate and share data with external agencies such as the AFP, law enforcement and other multijurisdictional agencies to investigate allegations of fraud or corruption.
The Plan documents the strategic and operational approach to controlling fraud and corruption affecting the Australian Taxation Office listed entity. It ensures compliance with the requirements of section 10 of the Public Governance, Performance and Accountability (PGPA) Rule 2014 (PGPA Rule) and Commonwealth Fraud and Corruption Control Framework and supports agency requirements for an insider threat program with obligations listed in the Protective Security Policy Framework (PSPF) and associated with the TOP SECRET-Privileged Access (TS-PA) Standard.
To meet these obligations, the Plan:
- outlines the ATO’s fraud and corruption control framework
- articulates the ATO’s approach to managing fraud and corruption risks
- explains strategies the ATO uses to train officials and raise organisational awareness
- supports the ATO’s Integrity Framework and is reinforced through governance and reporting arrangements
- incorporates the legislative requirements for an insider threat program in the ATO.
ATO landscape
The ATO, including the TPB and ACNC, interacts with a vast number of taxpayers, clients and partners in the community and each group has different requirements and outcomes they seek from the tax, superannuation and registry systems.
Risk tolerance
The ATO does not tolerate any fraudulent or corrupt behaviour, and we manage this by taking all reasonable measures to prevent, detect and respond to fraud and corruption risk, including malicious insider activity.
The ATO acknowledges that, in its interactions with taxpayers and service providers, and in the delivery of services, it cannot prevent, detect or respond to all fraud and corruption risks. The ATO will:
- analyse and take associated steps to protect the tax system and taxpayers, by minimising the occurrence and impact of fraud, corruption, and related crimes
- assess all alleged instances of fraud or corruption and further investigate as appropriate
- actively manage and minimise risk (including integrity and insider threat risk) through robust controls, continuous monitoring and a strong culture of accountability
- pursue disciplinary, administrative, civil or criminal actions as appropriate
- seek to prosecute through the courts, where appropriate.
Fraud
The Commonwealth Fraud and Corruption Control Framework defines fraud as 'dishonestly obtaining (including attempting to obtain) a gain or benefit, or causing a loss or risk of loss, by deception or other means'.
A benefit includes information as well as financial benefits. For an activity to be fraudulent, it must be dishonest and lead to a direct or indirect benefit to an individual or group. Fraud can be committed by parties internal or external to the ATO.
Internal fraud is committed by ATO officials or contractors and can include:
- unauthorised (or attempted) access to taxation records without a business reason
- the disclosure of taxpayer information or ATO processes
- falsely claiming benefits
- falsifying time sheets
- corporate credit card fraud
- falsifying qualifications
- use of ATO fleet vehicles for personal use
- using government assets for personal benefit
- collusion between ATO staff and external parties for personal or financial gain (for example, procurement)
- an ATO staff member committing external fraud activities (for example, GST fraud).
External fraud is committed by parties external to the ATO such as:
- a legitimate taxpayer using their own identity to commit fraud
- an authorised representative using their position and knowledge to misrepresent a legitimate taxpayer and commit fraud
- a fraudster using the identity of another person to commit fraud.
Examples of external fraud include (but are not limited to):
- staying out of the system to knowingly and intentionally evade taxation obligations
- deliberately exploiting any of the 4 pillars of compliance (registration, lodgment, correct reporting and payment) to generate a fraudulent benefit such as a refund or tax concession
- stealing information.
Failing to prevent and detect fraud early leads to losses in information or revenue. This can undermine the community’s confidence in the integrity of the tax system, as well as potentially causing harm to individuals.
Corruption
The National Anti-Corruption Commission Act 2022 describes 4 types of corrupt conduct. A person engages in corrupt conduct if they:
- are a public official and they breach public trust
- are a public official and they abuse their office as a public official
- are a public official or former public official and they misuse information they have gained in their capacity as a public official
- do something that adversely affects a public official’s honest or impartial exercise of powers or performance of official duties (any person can engage in this type of corrupt conduct, even if they are not a public official themselves).
A person also engages in corrupt conduct if they try or plan to do any of those things.
Examples of corruption can include:
- abuse of office (for example, provision of sensitive information to facilitate external fraud committed by others)
- biased decision-making by officials
- nepotism (particularly in relation to employment)
- collusion for personal gain
- noble cause (when an individual/s use unethical or illegal methods such as unauthorised access or the disclosure of ATO information to achieve what they believe to be a just outcome).
Fraud and corruption risks
Internal
An annual review of the internal fraud and corruption environment provides an opportunity to be proactive in identifying areas of emerging risk. This is done by examining internal data (such as allegations and/or incidents), global trends, national issues, and case studies or insights from across the Australian Public Service (APS). This process, which is undertaken by Fraud Prevention and Internal Investigations (FPII), has confirmed there are 3 enduring internal fraud and corruption risks to the ATO:
- Misuse of tax-specific expertise.
- Abuse of decision-making authority.
- Unlawful access, use or disclosure of tax information.
A forward work program for internal fraud and corruption control is built around the overarching priority to focus on insider threat, supported by these 3 enduring risk themes and allows the ATO to take a more strategic approach to identify and deal with possible risk.
Robust policies, governance and controls help us monitor and manage these risks effectively. This includes:
- enterprise and business risk assessments (for standards and ethical conduct, internal fraud and corruption, insider threat and personnel security)
- internal assessments that deal with day-to-day operational issues as they arise and gauge the chance for opportunistic fraud and corruption to occur through:
  - conflicts of interest (undeclared or perceived)
  - corruption
  - administrative fraud
  - revenue fraud
  - misuse of ATO facilities
  - misuse of ATO IT facilities
  - release of information (including unauthorised access to systems and data).
Insider threat – key focus area
An insider is a current or former ATO officer or contracted individual who has legitimate or indirect access to ATO personnel, information, systems, technology, assets or facilities.
An insider threat arises when an insider – either intentionally or unintentionally – uses their access in a way that causes harm or negatively affects the ATO. This may include compromising national security, undermining Australia’s sovereignty, revenue or prosperity, or posing a threat to life.
Insider threats can be complex. Individuals may act with intent or may be unaware that their behaviour is harmful. Understanding the motivations and circumstances behind insider acts is critical to managing the risk.
An example of an intentional insider act is disclosing classified or privileged ATO information to a third party – such as a business, criminal organisation or foreign power – in exchange for personal gain or for a noble cause.
Examples of unintentional insider acts include:
- clicking on suspicious email links that compromise ATO systems
- misplacing or loaning a security pass, electronic device or sensitive document
- being unknowingly exploited by a third party (for example, a foreign power, criminal group, associate or friend)
- sharing privileged information in public or social settings
- providing information to a colleague who lacks the appropriate clearance or need-to-know.
The ATO takes a proactive approach to managing insider threat risks. We assess the threat landscape and implement measures to prevent, detect and respond to internal fraud, corruption and insider activity. This includes fostering a strong integrity culture, delivering targeted education and awareness, and maintaining robust security controls.
External
External fraud comes from outside the ATO and relates to threats to revenue or information held by the ATO (including information relating to individuals) and is a shared risk.
The ATO undertakes regular enterprise external fraud risk assessments and targeted external fraud risk assessments on activities at the highest risk from external fraud. The risk assessment process is focused on ensuring the ATO is taking all reasonable measures to prevent, detect and respond to external fraud.
Activities which are currently subject to targeted risk assessments include:
- dishonestly reporting to the ATO
- dishonestly accessing ATO systems
- dishonestly not meeting registration, lodgement or payment obligations.
External fraud is recognised as an enterprise priority in the Australian Taxation Office corporate plan 2025–26. The ATO has a dedicated program (Counter Fraud Program) and funding to help ensure we take all reasonable measures to prevent, detect and respond to external fraud. This program will:
- deploy more advanced controls, such as real-time monitoring capabilities
- increase secure messaging to increase taxpayer visibility and control over activity on their ATO record
- enhance the ATO app to help taxpayers distinguish genuine contact from the ATO from an imitation scam call.
These new measures will:
- strengthen ATO preventative and detection capabilities
- support other external fraud strategies – including existing collaboration with domestic and international partners – to identify, disrupt and bring consequence to the most serious offenders, who pose the greatest risk to the tax and superannuation systems.
Although the ACNC and TPB manage different external fraud risks, some of these risks have a connection to ATO risks.
Fraud and corruption control framework
The ATO fraud and corruption control framework is consistent with all legislative requirements of the Australian Government. It consists of governance, risk management and policy. The ATO implements the fraud and corruption control framework using the prevention, detection and response model, which aligns to section 10 of the PGPA Rule:
- Prevention – the first line of defence; includes proactive strategies designed to help reduce the risk of fraud and corruption occurring.
- Detection – measures designed to uncover incidences of fraud and corruption when they occur.
- Response – reporting, assessment, investigation, analysis, referral, prosecution and recovery measures to address fraud and suspected fraud and corruption.
Prevention
Prevention strategies are the first line of defence against fraud and corruption. They include proactive measures designed to help reduce the risk of fraud and corruption.
Preventing fraud and/or corruption upfront minimises the need for the ATO to detect and respond. The ATO has a suite of tailored prevention and education strategies that aim to protect the system and taxpayers against fraud and corruption.
Key elements of the ATO’s prevention activity include:
- development and implementation of this Plan
- engagement and education strategies, including integrity masterclasses and targeted face-to-face training, to build strong awareness of what fraud and corruption are and what to do about them (referred to in the Chief Executive Instructions [CEIs], policies and procedures)
- regular integrity reporting to increase ownership and visibility of risk
- robust recruitment, integrity and security vetting processes such as defined onboarding and screening procedures
- a program of regular risk assessments and reviews, including development and maintenance of 'Three Tier Models' that consider all the ways taxpayers interact with the tax system. The models enable us to make informed decisions regarding current and future strategy delivery and investment.
- risk evaluation and differentiated treatment strategies that are shaped by the changing risk environment
- identifying and treating vulnerabilities in business processes that pose potential fraud threats to the tax, superannuation and registry systems
- actively assessing control vulnerabilities in the system and identifying treatments needed, mandatory online training for all officials, and targeted awareness sessions
- a suite of targeted internal communications products, which includes the consequences of fraud and corruption, supported by self-help material
- developing interactive products that educate on specific risk themes, such as insider threat and support signature annual events (Security, Integrity and Fraud Awareness [SIFA] week)
- an external communications program that outlines the consequences of committing external fraud, including a section on ato.gov.au dedicated to the fight against tax crime
- implementing the Counter Fraud Program to invest in preventative measures to stop fraud before it occurs.
The ATO has continued to increase its focus on prevention measures to reduce the risk of external fraud and has introduced stronger controls that apply before any transaction is undertaken. These activities include:
- stronger proof of identity processes
- greater assurance over digital access
- enhanced security features on the ATO app
- promoting online access strength to taxpayers
- increased sophistication of models and early warning systems
- detecting and treating vulnerabilities or any gaps in business processes that pose potential fraud threats
- an online System Integrity Centre of Excellence to help officials consider system integrity and fraud impacts
- delivering a rolling external fraud risk assessment program that ensures risks are managed and treated
- mandatory training covering awareness of external fraud, and ATO official and contractor responsibilities for reporting suspected fraud
- contributing to the Australian Government Digital ID System, which provides a secure, verified identity and authorisation solution to enable online access to government and other services.
Detection
The ATO employs measures designed to uncover incidents of fraud and corruption when they occur but acknowledges that not all occurrences or incidents can be identified. However, the ATO undertakes all reasonable measures to detect fraudulent or corrupt behaviour.
Detection activities by the ATO involve:
- system monitoring and scanning
- collecting and monitoring a combination of internal and external data sources and information to detect fraud or corruption in close to real time
- proactive detection analytics based on predetermined parameters
- internal and external audits
- dedicated reporting mechanisms to receive both internal and external fraud tip-offs confidentially
- systematic reviews and analysis of fraud referrals to identify possible trends
- annual disclosures about changes in circumstances and external interests for officials with relevant security clearances
- data modelling and intelligence analysis to identify potential fraudulent and corrupt behaviour, including identity crime models to stop systemic attacks on the system
- intelligence sharing with, and collaborating across, law enforcement and integrity agencies, international jurisdictions, and public and private sector alliances.
Response
The ATO uses measures including reporting, assessment, investigation, analysis, referral and recovery to respond to suspected fraudulent or corrupt behaviour.
Response activities by the ATO include:
- triage and assessment of all reports and allegations to decide an appropriate response (including whistleblowing)
- pursuing disciplinary, administrative, civil or criminal actions, as appropriate
- pursuing the recovery of fraudulently or criminally obtained benefits, where appropriate
- maintaining appropriate fraud insurance
- undertaking investigations in accordance with the Australian Government Investigations Standards (AGIS)
- undertaking joint investigations with the National Anti-Corruption Commission (NACC), other law enforcement bodies and agencies and referral to the AFP in line with referral guidelines
- appropriate reporting, including to external scrutineers
- establishment of specialist roles and responsibilities to manage and deal with fraudulent or corrupt activities, including ensuring these roles are appropriately qualified as per legislative requirements
- containment of fraud events using the Fraud Event Management Framework
- declaring and responding to emergency external fraud events as they arise
- helping taxpayers whose identity has been compromised to adopt stronger security, and improving how we address fraudulent activity on their ATO account
- taking firm action on areas of suspected fraud and ensuring adequate consequences for dishonest behaviour
- participation in the following multi-agency international, national and state serious and organised crime forums and working parties to share intelligence and investigate, disrupt and prosecute serious financial crimes:
  - Illicit Tobacco Taskforce
  - Shadow Economy Taskforce
  - Phoenix Taskforce
  - Serious Financial Crime Taskforce
  - Fraud Fusion Taskforce
  - Joint Chiefs of Global Tax Enforcement (J5).
Control testing
In line with the Commonwealth Risk Management Framework, the ATO ensures that the effectiveness of fraud and corruption controls is periodically reviewed.
The ATO ensures that:
- preventative, detective or corrective controls are in place
- the controls in place are effective and proportionate to the level of risk to be managed
- each control has a clearly designated owner who regularly reports on the implementation, testing and effectiveness of the control.
For further information on risk controls, see Risk management.
Internal audit
Internal audit plays a critical role in strengthening the control framework in the ATO by:
- providing independent assurance over the effectiveness of controls
- identifying anomalies through data analytics.
While not responsible for investigating fraud, audits can highlight exceptions – such as duplicate travel claims, unusual taxi fares or credit card use during leave periods – for referral to dedicated fraud and integrity teams for further review.
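The three audit exceptions named above (duplicate travel claims, unusual taxi fares and card use during leave periods) are the kind of rule that data analytics can apply mechanically before a human reviews the hits. The block below is an added illustration of that approach and is not ATO code: the record layouts, field names, the exact-match duplicate rule, the "three times the employee's median fare" threshold and the sample records are all assumptions chosen for the example, and the data is constructed.

```python
"""Audit-style exception analytics over constructed expense records.

Added illustration, not ATO code: the record layouts, field names,
thresholds and matching rules below are assumptions chosen to show how
the three exception types named in the text (duplicate travel claims,
unusual taxi fares, card use during leave) can be surfaced for referral.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import median


@dataclass(frozen=True)
class TravelClaim:
    claim_id: str
    employee: str
    travel_date: date
    amount: float
    destination: str


@dataclass(frozen=True)
class CardTransaction:
    txn_id: str
    employee: str
    txn_date: date
    amount: float
    category: str  # assumed merchant category, e.g. "taxi"


@dataclass(frozen=True)
class LeavePeriod:
    employee: str
    start: date
    end: date  # inclusive


def duplicate_travel_claims(claims):
    """Group claims on (employee, date, amount, normalised destination) and
    return the groups holding more than one claim id. Exact-key matching is
    the assumed rule; production analytics would add fuzzy matching."""
    groups = defaultdict(list)
    for c in claims:
        key = (c.employee, c.travel_date, round(c.amount, 2),
               c.destination.strip().lower())
        groups[key].append(c.claim_id)
    return sorted(sorted(ids) for ids in groups.values() if len(ids) > 1)


def card_use_during_leave(transactions, leave_periods):
    """Return ids of card transactions dated inside the holder's recorded
    leave. A hit is an exception for referral, not proof of misuse."""
    leave = defaultdict(list)
    for lp in leave_periods:
        leave[lp.employee].append((lp.start, lp.end))
    return [t.txn_id for t in transactions
            if any(s <= t.txn_date <= e for s, e in leave.get(t.employee, []))]


def unusual_taxi_fares(transactions, multiplier=3.0, min_fares=3):
    """Flag taxi fares above multiplier x the employee's own median fare.
    The median is not dragged up by the outlier itself; min_fares avoids a
    baseline built from one or two trips. Both values are assumed tuning."""
    fares = defaultdict(list)
    for t in transactions:
        if t.category == "taxi":
            fares[t.employee].append(t)
    flagged = []
    for txns in fares.values():
        if len(txns) < min_fares:
            continue
        baseline = median([t.amount for t in txns])
        flagged.extend(t.txn_id for t in txns if t.amount > multiplier * baseline)
    return sorted(flagged)


# Constructed sample data (not real records).
CLAIMS = [
    TravelClaim("TC-001", "alice", date(2025, 3, 10), 412.50, "Sydney"),
    TravelClaim("TC-002", "alice", date(2025, 3, 10), 412.50, "sydney "),  # resubmitted
    TravelClaim("TC-003", "bob", date(2025, 3, 11), 180.00, "Melbourne"),
    TravelClaim("TC-004", "bob", date(2025, 3, 11), 180.00, "Brisbane"),
]
LEAVE = [LeavePeriod("bob", date(2025, 4, 1), date(2025, 4, 14))]
TRANSACTIONS = [
    CardTransaction("CC-100", "alice", date(2025, 4, 2), 35.00, "taxi"),
    CardTransaction("CC-101", "bob", date(2025, 4, 5), 60.00, "taxi"),  # on leave
    CardTransaction("CC-102", "bob", date(2025, 3, 20), 32.00, "taxi"),
    CardTransaction("CC-103", "bob", date(2025, 3, 21), 28.00, "taxi"),
    CardTransaction("CC-104", "bob", date(2025, 3, 22), 30.00, "taxi"),
    CardTransaction("CC-105", "bob", date(2025, 3, 23), 210.00, "taxi"),  # outlier
]


def run_audit(claims=CLAIMS, transactions=TRANSACTIONS, leave=LEAVE):
    """Return the exception report an auditor would hand to the fraud team."""
    return {
        "duplicate_travel_claims": duplicate_travel_claims(claims),
        "card_use_during_leave": card_use_during_leave(transactions, leave),
        "unusual_taxi_fares": unusual_taxi_fares(transactions),
    }


if __name__ == "__main__":
    for kind, ids in run_audit().items():
        print(f"{kind}: {ids}")
```

Each function returns identifiers rather than verdicts, which matches the division of labour the text describes: audit surfaces the exception, and the dedicated fraud and integrity team decides whether a duplicate is a clerical resubmission, a leave-period purchase was pre-booked, or a large fare had a business reason.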
Australian Taxation Office listed entity
Under Schedule 1 of the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) the Commissioner of Taxation is the accountable authority for the Australian Taxation Office listed entity, which includes the:
- Tax Practitioners Board (TPB)
- Australian Charities and Not-for-profits Commission (ACNC), and ACNC Advisory Board.
The ATO, TPB and ACNC share various services and processes, and comply with common policies and instructions including:
- CEIs
- the Commonwealth Risk Management Policy
- the ATO Integrity Framework
- the fraud and corruption responsibilities outlined in this Plan.
Tax Practitioners Board
The TPB's role is to ensure tax practitioner services are provided to the public under appropriate standards of professional and ethical conduct.
In addition to those undertaken by the ATO, the TPB has additional processes in place to prevent, detect and respond to fraud.
ATO officials supporting the TPB ('TPB officials') comply with the ATO’s Internal Fraud and Corruption and External Fraud CEIs and other relevant organisational processes. Compliance assurance is achieved through:
- internal detection programs
- the ATO’s Speak Up channel, which allows TPB officials to report integrity concerns
- accountabilities to report issues of concern to the ATO and TPB audit and risk committees.
Other ways to raise and address issues of concern are:
- weekly executive meetings
- monthly board meetings
- quarterly performance reporting.
The TPB, supported by the CEO Secretary, works in partnership with the ATO’s external fraud areas to share intelligence and develop appropriate fraud reporting and management processes for those issues that need a joint approach, recognising that external fraud in relation to tax agents is likely to be a precursor to external fraud on the broader tax system.
The TPB, supported by the CEO Secretary, will continue to work with the ATO’s external and internal fraud areas as the complexity and advancement of techniques used by those seeking to commit fraud evolves.
The TPB leverages its strong relationship with Treasury to suggest legislative and policy framework changes based on its observations of tax practitioner behaviour in the system. Where appropriate, advice and recommendations are provided to mitigate the risk of fraud and corruption.
Attempted fraud that does not relate to the ATO, such as attempts to fraudulently register as a tax practitioner, is managed by the TPB and reported to relevant authorities, as required.
Australian Charities and Not-for-profits Commission
The ACNC is the national regulator of charities, with the role of promoting public trust and confidence in Australian charities.
In addition to the processes undertaken by the ATO, the ACNC has additional measures in place to prevent, detect and respond to fraud.
ACNC officials comply with the Internal Fraud and Corruption and External Fraud CEIs. For example, ACNC officials:
- must complete mandatory ATO training
- receive email communications from the ATO on a range of matters (including internal fraud and corruption)
- can utilise the ATO’s Speak Up channel to report integrity concerns.
While ACNC officials do not have access to taxpayer information, they do have access to charity information. Internal fraud or corruption in the ACNC can include:
- accessing or disclosing non-public charity information without authorisation
- using ACNC or ATO assets or information for personal benefit.
As the national regulator of charities, the ACNC manages external fraud relevant to the Commonwealth charity registration and regulatory system. The ACNC works in partnership with other government regulators (such as the ATO) on issues that require a joint approach, recognising that external fraud in relation to charity status can be a precursor to external fraud on the broader tax system.
Reporting fraud and corruption
Officials and contractors must report incidents of suspected fraud or corruption. Reports remain confidential. The ATO also provides anonymous tip-off forms and supports whistleblowing protections.
| Type | Reporting channels |
|---|---|
| Internal: reports about internal fraud or corruption | Email: Speakup@ato.gov.au<br>Phone: 1800 061 187<br>Online: complete the Report internal fraud or corruption form<br>Anonymous Fraud Alert Form on myATO<br>Email: PublicInterestDisclosure@ato.gov.au<br>Discuss it with your manager |
| External: reports from members of the community | Online: complete the tip-off form (also available in the Contact Us section of the ATO app)<br>Phone: 1800 060 062<br>Mail, posting to: Australian Taxation Office |
| External: reports from ATO, ACNC and TPB officials and contractors about suspected external fraud | ATO, ACNC and TPB officials and contractors who suspect external fraud against the tax, superannuation or registry systems are required under the External Fraud CEI to report the matter to Fraud and Criminal Behaviours in accordance with endorsed procedures. They must also consider reporting any external fraud allegations in relation to those systems that are made to them by members of the community, or that they identify when they are not at work, following endorsed procedures. |
Law enforcement agencies can report external fraud involving serious and organised crime groups to TaxCrimeIntelligence@ato.gov.au. The information will be triaged and sent to the relevant area.
Reports of misconduct of a registered charity should be raised with the ACNC, and complaints about tax practitioners with the TPB.
Public interest disclosure
The Public Interest Disclosure Act 2013 (PID Act) seeks to promote integrity and accountability in the APS by:
- encouraging and facilitating the disclosure of information about alleged serious wrongdoing
- protecting those who make such disclosures
- ensuring that disclosures are properly actioned.
The ATO will act on disclosures as appropriate, support and protect disclosers and witnesses from reprisal action and continue to work closely with the Commonwealth Ombudsman to ensure all standards and responsibilities are met. As required by legislation, a person must be a current or former public official to report under the Public Interest Disclosure scheme.
To make a Public Interest Disclosure a person can:
- email PublicInterestDisclosure@ato.gov.au
- speak directly to an ATO Authorised Officer
- disclose to their manager.
Where a disclosure is made in good faith but does not meet the criteria for investigation under the PID Act, the ATO will still treat the matter with appropriate seriousness, provide support and as soon as reasonably practicable take steps to refer the conduct disclosed for investigation under another process, law or power.
Tax whistleblower
There are arrangements in place to better protect individuals who make eligible disclosures about the alleged tax misconduct of another entity. There are legislative conditions that need to be met to qualify for protection as a tax whistleblower. The provisions are set out under Part IVD of the Taxation Administration Act 1953.
The Tax whistleblower protection regime CEI sets out ATO employees' responsibilities for managing disclosures of alleged tax misconduct, submitted by members of the community, under the whistleblower protection regime in Part IVD of the Taxation Administration Act 1953.
Commencing 1 July 2024, the TPB can receive protected tip-offs directly from the public. These laws extend whistleblower protections to individuals who ‘blow the whistle’ about a related entity to the TPB, where they believe the information may assist the TPB in performing its functions or duties under the Tax Agent Services Act 2009 (TASA).
Whistleblowers play a critical role in the early detection and regulation of tax practitioner misbehaviour. This is why the TPB encourages and welcomes anyone to provide the TPB with information about malicious practices by tax practitioners, unregistered agents or scheme promoters that would be harmful to the public or undermine the Australian tax system.
Under the tax whistleblower legislation, the ACNC is not an eligible recipient.
National Anti-Corruption Commission
The National Anti-Corruption Commission (NACC) is an independent Commonwealth agency that detects, investigates and reports on serious or systemic corruption involving public officials. This includes ATO, ACNC and TPB employees, secondees, contractors, consultants and suppliers.
The NACC operates under the National Anti-Corruption Commission Act 2022, which defines its jurisdiction and what corrupt conduct is.
The Assistant Commissioner Fraud Prevention and Internal Investigations has delegation from the Commissioner of Taxation (as the accountable authority) to refer serious or systemic corruption issues to the NACC for potential investigation.
Officials who suspect a corruption issue should report in the first instance to the ATO’s Speak up channel and where appropriate it will be referred to the NACC.
Alternatively, officials may also choose to report serious or systemic corruption directly to the NACC as a voluntary referral. However, the NACC may choose not to investigate a corruption issue and, in those cases, may refer matters back to the ATO.
Maintaining integrity
The Public Governance, Performance and Accountability Act 2013 (PGPA Act) contains the legal obligations of Commonwealth entities in relation to their governance, performance, accountability, and use and management of public resources. Under the PGPA Act, the Commissioner has specific duties as the accountable authority to:
- properly govern the ATO
- establish an appropriate risk and control system
- encourage officials to cooperate with others to achieve common objectives
- consider the effects of imposing requirements on others
- keep the respective minister and the finance minister informed.
To meet governance obligations under the PGPA Act and ensure conformance with other legislative requirements, including the proper administration of the tax and superannuation systems, the ATO has an overarching framework which is represented under 2 key areas: the governance structure, and the governance pillars.
Governance structure includes the following key committees:
- Audit and Risk Committee
- ATO Executive
- other ATO committees.
Governance pillars are grouped into 4 key pillars that form the basis of the Audit and Risk Committee mandatory assurance reporting:
- Financial reporting
- Performance reporting
- Risk oversight and management
- Internal control.
There has been a shift across the Commonwealth with the APS reform agenda. Released in 2023, Louder than Words: An APS Integrity action plan identifies opportunities for system-wide improvements to strengthen integrity at all levels of the APS. It makes 15 recommendations across 3 areas: culture, systems and accountability.
The ATO Integrity Framework outlines the mechanisms and policies that underpin a pro-integrity culture in the ATO. The framework is supported by governance and reporting arrangements that ensure the ATO is an integrity-based organisation.
We continue to embed a pro-integrity culture at the ATO, dealing with identified risks through action, leadership and governance. This is achieved through:
- using tools and methodologies to strengthen system integrity
- developing comprehensive policies and procedures to support decision-making
- ensuring individuals have the appropriate security clearance for their position
- reporting and managing conflicts of interest declarations
- reporting internal and external performance and activities
- transparently participating in independent review and reporting arrangements
- requiring officials to undertake fraud and corruption training
- implementing an integrity communication plan to ensure staff receive regular education and support.
Code of conduct
The APS values, employment principles and code of conduct shape the ATO’s culture and integrity. All officials must behave in a way that upholds and meets the standards of conduct in line with APS and ATO values and have a responsibility to report misconduct and not turn a blind eye to unacceptable behaviour.
If an official is found to have breached the Code of Conduct, a sanction delegate may decide to impose a sanction under subsection 15 of the Public Service Act 1999.
The sanctions available range from a reprimand through to termination of employment.
Risk management
Risk management is the responsibility of all officials as it ensures the ATO understands risks, achieves outcomes efficiently and effectively, and complies with various statutory obligations and public sector guidelines, such as the PGPA Act and the Commonwealth Risk Management Policy.
The ATO's Risk Management CEI and Risk Management Framework (RMF) were developed to provide a structured, enterprise-wide approach to managing risk, including risk methodology and management processes.
The framework is administered in line with the requirements of the Commonwealth Risk Management Policy and aligned with the AS/NZ ISO 31000:2018 Risk Management Guidelines. The framework also incorporates the ATO's governance approach, consistent with the 3 lines of defence model: Business Lines, Enterprise Risk Management and Internal Audit.
The ATO's RMF aims to provide a consistent, integrated, and effective approach to the management of risk and is embedded into day-to-day business practices. Understanding, adapting, and responding to changes in our operating environment is vital to delivering on our organisational objectives. Effective risk management utilises strategic insights to respond to emerging uncertainties and support informed decision making, which leads to enhanced performance.
The 3 core components of the RMF include:
- Policy and governance – all officials must adhere to the Risk Management CEI, and risk governance mechanisms must be established to ensure risk management is embedded into the decision-making activities of the Australian Taxation Office listed entity.
- Risk management process (including appetite and tolerance) – the risk management process is the organisation’s structured method to identify, analyse, evaluate, manage, and assure risks, with reference to risk appetite and tolerance settings.
- Risk culture and capability – the RMF supports a culture where our people manage and communicate risk across all levels of the Australian Taxation Office listed entity, and they are encouraged to adopt positive risk behaviours.
The ATO, ACNC and TPB each maintain specific roles to manage risk. Some of these roles and functions are shared. However, due to operational independence, organisational size and differing risk management needs, some roles are specific to the ATO, ACNC and TPB.
The full listing of all roles and responsibilities is available in the Risk Management CEI, and the ATO Control Owners for specific risks can be found in the ATO Risk Register.
Security risk management
Security risk management is at the core of everything we do. Risk management allows ATO business to be undertaken in an environment where resources can be most effectively targeted towards the areas of highest risk.
The ATO’s role as the principal revenue collection agency of the Australian Government and holder of significant personal taxpayer information makes it an attractive target for a range of threat actors. The sensitive, privileged and classified information that Australian Government personnel hold, and the unique access they possess, make them highly valued targets. The ATO security environment is constantly changing and will continue to evolve. Managing protective security risks across the ATO is shaped by the Risk Management Framework (RMF) and the Protective Security Policy Framework (PSPF), plus the policies in the ATO's Risk Management Process Factsheets and Risk Management Process Tools.
Managing the ATO’s protective security risks involves considering the following, in order to understand the potential likelihood and consequences of our security risks:
- security threats
- the criticality of our assets
- the effectiveness of our controls (vulnerability).
These 3 processes are outlined in the PSPF requirements and are based on the Australian Standard: HB 167 – Security Risk Management (HB 167).
By combining these 3 processes with the RMF 4-step risk identification process, we ensure consistency with ATO risk management processes, while fully considering the protective security environment to identify a comprehensive list of security risks.
Procurement and contract management
The ATO applies robust due diligence, probity, and integrity controls across all stages of the procurement and contract management lifecycle. These controls are designed to mitigate fraud and corruption risks associated with business associates (suppliers). Controls are proportionate to the scope, scale and risk of the procurement activity and are aligned with the Commonwealth Procurement Rules, broader Government procurement framework and ATO procurement policies, and include ongoing due diligence and contractual safeguards.
Prior to engagement, suppliers and their personnel may be subject to vetting processes to assess their integrity and suitability, such as financial viability checks, Statement of Tax Record verification and pre-engagement integrity checks. As part of ongoing risk management, the ATO may conduct periodic due diligence reviews of suppliers to reassess fraud and corruption risks, monitor compliance, and apply enhanced controls where risk profiles change, or new information emerges.
ATO contracts may include provisions that enable audits, require cooperation with investigations and due diligence, and allow for termination or reporting in response to fraud or corruption. Ethical conduct is also promoted through clear expectations communicated to suppliers with reference to relevant standards and obligations and is supported by the Commonwealth Supplier Code of Conduct, National Anti-Corruption Commission Act requirements and Ethical Business Relationship statements.
Key responsibilities
Everyone in the ATO has a responsibility to mitigate the risk of fraud and corruption. However, some positions and organisational bodies play a more important role.
| Role | Responsibility |
|---|---|
| Commissioner of Taxation | Accountable authority responsible for taking all reasonable measures to prevent, detect and respond to fraud and corruption for the Australian Taxation Office listed entity, which includes the TPB, ACNC and ACNC Advisory Board. The Commissioner is also responsible for ensuring effective protective security arrangements, including measures to counter insider threats. |
| ATO Audit and Risk Committee | Provides independent advice and assurance to the Commissioner about the risk oversight and management of systems in place to implement the ATO’s Fraud and Corruption Control Plan. |
| Deputy Commissioners | Ensure the obligations of the Commonwealth Fraud and Corruption Control Framework are met within their area of responsibility, including undertaking regular risk assessments, documenting controls, testing effectiveness of controls, managing vulnerabilities, and ensuring any required treatments are in place. Consider all fraud risks when a new measure, system or process is being designed; if the change introduces fraud risks, key controls must be documented and tested. Consider fraud risks when changes are made to existing systems and processes; if the change introduces or changes fraud risks, an assessment must be undertaken. Reconsider fraud risks when relevant new information or intelligence comes to hand. |
| Deputy Commissioner Integrity, Assurance and Law | Enterprise risk owner for ‘Standards and Ethical Conduct’ in the Australian Taxation Office corporate plan and responsible for oversight and management of key strategies to address risks. |
| Security Committee | Ensures protective security policies and business continuity management capabilities are managed effectively across the ATO. |
| Chief Security Officer | In accordance with the Protective Security Policy Framework (PSPF), the Commissioner as the accountable authority has appointed a Chief Security Officer responsible for directing all areas of security to protect the ATO's people, information (including ICT) and assets. The CSO has oversight and decision-making authority for all ATO security arrangements across governance, information, personnel, and physical security areas. |

| Role | Responsibility |
|---|---|
| Assistant Commissioner Fraud Prevention and Internal Investigations (FPII) | Business risk owner for internal fraud and corruption, insider threat and personnel. Leads an independent function supporting the Commissioner on internal fraud and corruption control, personnel security, integrity and the insider threat program. This role is also responsible for developing this Plan. |
| Fraud Prevention and Internal Investigations | Responsible for implementing measures and strategies to prevent, detect and respond to internal fraud and corruption. FPII is also responsible for the management and oversight of the ATO’s insider threat program, Public Interest Disclosure scheme, NACC obligations, personnel security and integrity. This includes arrangements for the ACNC and TPB. |

| Role | Responsibility |
|---|---|
| Deputy Commissioner Fraud and Criminal Behaviours | Enterprise risk owner for external fraud in the tax, superannuation, and registry systems. Has accountability and authority to declare and respond to external fraud events. Leads the external fraud strategy development and treatment plan management across the ATO. Leads the Fraud and Criminal Behaviours business line. |
| Fraud and Criminal Behaviours business line | Leads Australia’s efforts domestically and internationally to prevent, detect and respond to the most serious external fraud and financial crime in the tax, superannuation and registry systems. Coordinates and delivers civil and criminal treatment to bring effective consequences to the highest priority external fraud and financial crime. Collects and monitors data and information to detect external fraud and financial crime in close to real time. Manages new and serious outbreaks of external fraud and financial crime and rapidly contains these threats. |
| External fraud sub-risk owners | Lead external fraud sub-risk management, including risk assessment, strategy development and treatment in accordance with the ATO Risk Management Framework and the Commonwealth Fraud and Corruption Control Framework. |
| Serious Financial Crime Taskforce Chief (ATO only) | Provides day-to-day oversight of the Serious Financial Crime Taskforce (SFCT) and is responsible to the SFCT CEO’s Board. |

| Role | Responsibility |
|---|---|
| ACNC Commissioner / TPB Secretary* | Manages external fraud risks associated with the charity registration and regulatory systems. Reports to the Audit and Risk Committee. *Note: The TPB Chair, together with the TPB Secretary, is responsible for managing the TPB’s external fraud risk. |

| Role | Responsibility |
|---|---|
| Risk Committee | Responsible for positively influencing the ATO’s ability to manage key areas of risk associated with strategic objectives and ensuring risks are being managed effectively and consistently with the Enterprise Risk Management Framework (ERMF). Provides assurance to the ATO Executive (along with the Audit and Risk Committee) that risk is being effectively identified and appropriately managed, with a strong focus on setting clear accountabilities, tolerances, and monitoring to ensure it remains within acceptable levels. |
| Strategy Committee | Ensures strategy coherence by making decisions or recommendations to the ATO Executive in relation to strategies and priorities with significant internal or external impacts within the context of the ATO’s strategic direction and the operating environment. |
| External Fraud Integrity Advisory Committee | Responsible for providing advice on maintaining an appropriate system of external fraud control so that the ATO meets its obligations under the PGPA Act and Commonwealth Fraud and Corruption Control Framework. |
| External Fraud Risk Assurance Committee | Ensures external fraud risks are managed efficiently and effectively and in accordance with risk and fraud policy, including the ATO Enterprise Risk Management Framework, PGPA Act and the Commonwealth Fraud and Corruption Control Framework. |
| Counter Fraud Program Assurance Committee | Responsible for exercising governance responsibilities with respect to the ATO's resource allocation, investment, risk management and delivery of the Counter Fraud Program. |
Other roles and responsibilities that reduce fraud and corruption risk include:
- ATO People, which advises on ATO integrity strategy and approaches, informs training, awareness and communication strategies, and supports conduct and behaviour concerns across all employment types through actions under the APS Code of Conduct
- Senior executives, who provide strong leadership and foster a culture of integrity, awareness and reporting
- Business line managers, who ensure risk management principles are applied in the operation of their business line
- All ATO staff and contractors, who have an ongoing responsibility to undertake mandatory training and to identify and report suspected fraud and corruption.
Governance reporting requirements
Regular performance and conformance reporting is an important part of effective governance and provides assurance and oversight over the appropriateness of the ATO’s control arrangements to prevent, detect and respond to fraud and corruption.
The ATO undertakes the following internal and external reporting.
| Audience | Requirement | Timeframe |
|---|---|---|
| Commissioner of Taxation | Oversight as the accountable authority under the Public Governance, Performance and Accountability Act 2013 and National Anti-Corruption Commission Act 2022, and as the Principal Officer under the Public Interest Disclosure Act 2013. | Monthly or as required |
| Deputy Commissioner Integrity, Assurance and Law | Regular reports on the current status of internal fraud and corruption risk-related activity and investigations, and as the enterprise risk owner for Standards and Ethical Conduct. | Fortnightly or as required |
| Deputy Commissioner Fraud and Criminal Behaviours | Regular reports on the current status of external fraud risk-related activity and investigations. | Monthly |
| Audit and Risk Committee (ARC) | Oversight of the ATO, TPB and ACNC in accordance with section 45 of the Public Governance, Performance and Accountability Act 2013. | Quarterly |
| Risk Committee | Ensures risks are being managed effectively across the ATO consistent with the Enterprise Risk Management Framework. | Monthly |
| Security Committee | Ensures protective security policies and business continuity management capabilities are managed effectively across the ATO. | Monthly |
| Strategy Committee | Ensures strategy coherence by making decisions or recommendations to the ATO Executive in relation to strategies and priorities with significant internal or external impacts within the context of the ATO’s strategic direction and the operating environment. | Monthly |
| Minister | Conformance with the Public Governance, Performance and Accountability Act 2013 and Element 8 of the Fraud and Corruption Guidance. | Annually or as required |
| Australian Institute of Criminology (AIC) | In accordance with the Commonwealth Fraud and Corruption Control Policy, all non-corporate Commonwealth entities must collect information on fraud and corruption and submit an annual fraud census to the AIC. | Annually |
| Commonwealth Ombudsman | Compliance with the Public Interest Disclosure Act 2013. | Bi-annual or as required for operational matters |
External scrutineers
External scrutiny promotes good governance practices, transparency, accountability, and fairness. The ATO’s external scrutineers provide independent assessments of ATO administration of the tax system and the Australian Business Register, and assurance of ATO financial reporting.
The ATO’s external scrutineers are:
- the Australian National Audit Office (ANAO), which conducts financial statement audits and performance audits
- the Tax Ombudsman, which
  - investigates tax complaints (except those related to freedom of information [FOI] matters) and particular actions by tax officials
  - reviews systemic issues in tax administration and makes recommendations for improvement
- the Commonwealth Ombudsman, which
  - responds to non-tax elements of cross-agency complaints (for example, those which have a child support element), and Public Interest Disclosures
  - conducts its own investigations on systemic issues
- the Office of the Australian Information Commissioner, which investigates privacy and FOI issues
- the Australian Public Sector Commission (APSC), which will be reviewing the ATO as part of its Capability Review program, taking a structured look at our organisational ability to meet future objectives and challenges.
Transparency with internal investigation activities
The ATO treats all parties involved in an investigation with respect and courtesy and makes sure all investigation activities are undertaken in accordance with relevant legislation, government policies and standards including the: