Contents
| About this Volume | 1 |
| Diagnostic Checklists: | |
| Integrated Macro Policy | 2 |
| Responsibility Structures | 3 |
| Fraud Risk | 4 |
| Employee Awareness | 6 |
| Customer and Community Awareness | 7 |
| Fraud Reporting Systems | 8 |
| Protected Disclosures | 9 |
| External Notification | 10 |
| Investigation Standards | 11 |
| Conduct and Disciplinary Standards | 13 |
Volumes 1 and 2 outlined the fraud control model proposed by this Guide and went on to provide discussion of each of
the model's ten attributes. This volume has been created to assist agencies to monitor and review all elements of their strategy.
Ten checklists are provided, matching up with each of the attributes of the model. Each checklist contains a review
objective and provides a series of focus questions to guide research and analysis. The checklists are not intended to be
exhaustive nor to be treated as mandatory. They simply provide a basic review framework. Before making use of the
checklists reviewers should become familiar with the issues to be considered under each attribute. This can be achieved
through examination of Volume 2.
It is again emphasised that the model presented in this Guide does not seek to be highly prescriptive at the detailed level.
It is both the responsibility and prerogative of each agency to assess their own situation, determine their own needs and decide
how best to deal with each attribute. In the spirit of the model the checklists should not be used in a strict compliance fashion.
Reviewers must develop an opinion on the adequacy of action taken by the agency. A "yes" is not required to each item
on each checklist. Reviewers should seek to understand the issues involved and the reasoning behind the agency acting as it
has on each of the various matters.
Review Objective
To determine the extent to which the agency has developed a clearly identifiable, holistic and functionally integrated fraud
control strategy.
Review Program Notes
1.1 Establish the extent to which the agency has established a comprehensive fraud control strategy. Sight the Strategy. If
a single document does not exist, identify all relevant documents (policy directives, circulars, manuals etc.) which articulate any
relevant elements of the agency's strategy.
1.2 Review the material collected under 1.1 to determine the extent to which each of the following attributes are addressed in some fashion (#):
(#) note: each of these attributes will be subject to separate detailed review at checklists 2-10
1.3 Is it apparent that the policies and actions of the agency under different attributes have been developed in view of the
agency's needs and what will be most appropriate and effective for its situation? Has suitable research and analysis been
undertaken in this respect? Has the issue of cost effectiveness been addressed?
Notes
1.4 Is it apparent that the policies and actions of the agency under the various different attributes complement each other
and operate in an integrated and cohesive manner? Any contradictions/conflicts?
1.5 If a fraud control strategy is in existence; when was the last review of the strategy conducted? Have the
recommendations for improvement from the review been prioritised and timetabled?
1.6 If the agency does not have a fraud control strategy, has a timetable for implementation been prepared?
Reviewer's Conclusion
Review Objective
To determine the extent to which the agency has clearly and effectively assigned responsibility for the implementation and
coordination of all aspects of the fraud control strategy across all aspects of the agency's operations.
Review Program Notes
2.1 Determine the actual lines of authority and coordination mechanisms for fraud control established within the agency
(e.g. a Fraud Committee; Fraud Prevention Manager; other various committees, units or positions with relevant
responsibilities; etc.)
2.2 Are all such responsibilities clearly documented in the policy?
2.3 Are there any areas of apparent duplication, overlap, conflict, confusion or lack of coverage?
2.4 Are delegations, authorities and definitions of roles sufficiently clear? Are they adequate? Are they generally accepted?
Notes
2.5 Where committees are utilised, review the regularity, purpose and scope of meetings, and attendance by designated
members.
2.6 Has fraud prevention and control become the exclusive domain of elite groups within the agency?
Reviewer's Conclusion
Review Objective
To evaluate the adequacy of measures taken by the agency to identify specific areas of fraud risk and develop appropriate countermeasures and actions plans.
Review Program Notes
3.1 Establish whether a fraud risk assessment has been carried out. What form of assessment was used? Was the methodology and conduct of the review apparently sound?
Notes
3.2 If a risk assessment was performed, review the analysis with regard to detail and completeness. At the minimum it should:
3.3 If a risk assessment was performed, were any deficiencies or areas/issues of concern identified? Were appropriate
countermeasures and/or action plans developed and implemented in response to these (e.g. fraud control plans,
systems/functions audit & review plans, system/control modifications)?
3.4 If a risk assessment was performed, how long ago was it done? Have there been any major changes to the agency's
operations or environment since then? If more than 3 years ago, has it been reviewed/revisited in some fashion?
3.5 If a formal risk assessment of some fashion has not been performed, are there any plans to conduct one? How well
placed does the agency appear to be in respect of fraud risk identification?
3.6 Has a fraud database been established in some fashion? Is it periodically examined to analyse trends and obtain
strategic information?
Reviewer's Conclusion
Review Objective
To determine the extent to which the agency has implemented a plan of action to raise awareness and modify attitudes
within the organisation concerning fraud.
Review Program Notes
4.1 Has the agency implemented some form of fraud awareness and culture change programs? Is it apparent that such
activity been developed with sensitivity to the needs and nature of both the employees and the organisation? Are efforts in this
regard programmed to continue over time? Is there an ongoing planned development of approach or emphasis in this area?
4.2 Has the agency developed systems and assigned responsibility for researching and/or monitoring best- practice for
particular areas of activity which would assist in fraud-proofing systems and operations? To what extent has such
best-practice information been distributed to line managers at the operational level?
4.3 Is there any evidence of staff/managers at the operational level taking initiatives in terms of identifying desirable
modifications to operational practices and local monitoring and control arrangements?
4.4 Are reports of fraud situations being submitted by employees? Are such reports being made anonymously or with
names? Have reports proven to be factual and helpful?
4.5 Have financial monitors or operational managers observed any unexplained improvements in aspects such as:
Notes
4.6 Is it otherwise evident that fraud awareness and culture change activities have been effective? Does the agency have
any means of assessing effectiveness in this regard?
Reviewer's Conclusion
Customer and Community Awareness
Review Objective
To assess the adequacy of actions taken to raise the level of customer and community awareness of the agency's ongoing
efforts regarding fraud prevention and control.
Review Program Notes
5.1 Has the agency implemented some form of community awareness and (if applicable) customer attitude change
programs with respect to the prevention and control of both internal and external fraud against the organisation?
5.2 Does the agency's annual report include a clear statement concerning the agency's stance on fraud and corruption, and
provide an outline of the agency's fraud control strategy?
5.3 Has the agency been able to go further in its public information by publishing information on:
5.4 Is it evident that community and customer awareness and attitude change activities have been effective in terms of:
Reviewer's Conclusion
Review Objective
To determine the extent to which the agency has adequate and effective arrangements and systems implemented for the
internal reporting of suspected or known fraud situations.
Review Program Notes
6.1 Determine if the agency has an active formal fraud reporting system in place.
6.2 Have officers or positions authorised to receive reports of fraud been clearly designated and documented? Do these
nominees appear to be appropriate, given the agency's structure, the nature of its business, customers and employees?
6.3 Have procedures to report fraud been documented and distributed in an appropriate manner to reach all employees?
6.4 Have any mechanisms been developed to facilitate and encourage reports from customers or the general public of
suspected fraud in any form (external or internal)?
6.5 Have employees been made aware that a complaint of corrupt conduct can be made directly to ICAC?
6.6 Review the files or folios maintained of complaints received for proper documentation and processing in a timely
manner.
6.7 Were known complainants advised of the outcome of their report, including grounds for discontinuation of any
investigation?
6.8 Review available material and research as appropriate for evidence to indicate that reports of fraud have been
considered at an appropriate level and that confidentiality has been maintained.
Notes
6.9 Do the agency's policies, systems and actual practices represent effective implementation of the ICAC's suggested
approach for reporting of corrupt conduct within agencies?
Reviewer's Conclusion
Review Objective
To determine whether the agency has developed appropriate mechanisms and policies to protect complainants from being
disadvantaged as a result of reporting fraudulent activities.
Review Program Notes
7.1 Have staff been made aware of the importance of reporting fraudulent situations? Has fraud reporting been, and does
it continue to be, actively encouraged by the agency?
7.2 Have policies/guidelines concerning acceptable behaviour for complainants been formally established, documented
and promulgated?
7.3 How suitable do fraud reporting, investigating and final resolution systems and procedures appear to be to protect the
best interests of complainants?
7.4 Is there any available evidence that employees having made reports of fraudulent activity may have subsequently been
penalised, victimised or disadvantaged in some form?
7.5 Is there an appropriate internal mechanism available for use by any complainant who may feel they have been
disadvantaged?
Notes
7.6 Review available material and undertake research as appropriate to assess the apparent extent to which the agency
demonstrably supports in practice all complainants who act in good faith.
7.7 Do the agency's policies, systems and actual practices represent effective compliance with all formal requirements of
disclosure protection legislation? To what extent could it be said that the agency has addressed the full spirit of legislation and
any other directives or guidelines regarding disclosure protection?
Reviewer's Conclusion
Review Objective
To determine the extent to which the agency has implemented arrangements for the reporting of suspected or known fraud
situations to external authorities.
Review Program Notes
8.1 Is there a clear formal policy in respect of external reporting to bodies such as:
8.2 Have clear and specific arrangementsbeen developed in terms of protocols to be used, reporting criteria, orms of reporting, responsibilities and processes for external reporting?
Notes
8.3 Do the agency's policies, systems and actual practices effectively address the ICAC Guidelines for reporting of
corrupt conduct to the Commission? (this check should include a review of the reporting criteria and form of reporting used by
the agency in terms of those suggested by the Commission)
Reviewer's Conclusion
Review Objective
To determine the extent to which the agency has developed appropriate, effective and efficient mechanisms and policies
for the handling of suspected fraud situations from first alert to final conclusion of a matter.
Review Program Notes
9.1 Determine by research and discussion the extent to which actual practice may vary from formal policy with respect to preliminary assessments, full investigation, and Police and ICAC notification: depending perhaps on factors such as:
9.2 Are designated or specialist officers responsible for conducting any internal investigations completely clear as to when
and how to proceed in any given fraud situation?
Notes
9.3 Are operational and line management officers in the organisation completely clear as to when and how to proceed in
any given fraud situation?
9.4 Are preliminary investigation and handling arrangements suitable so as not to prejudice or hinder any further or formal
investigation, whether internal or external? Particular attention should be given to procedures and expertise utilised at the
preliminary phases to ensure that any form of evidence will not be lost or contaminated.
9.5 Have staff received appropriate training to be able to effectively perform their designated roles and functions in fraud
handling? This will depend on the form of fraud handling and investigation policy determined by the agency and subsequently
the roles and responsibilities of the various officers involved. In addition to specialist investigation, audit or review staff,
consideration may need to be given to the role and training needs of operational staff and line managers in this context.
9.6 Are adequate reporting systems in operation to keep executive management, relevant line managers and any other
relevant parties (internal or external) informed of the ongoing status of fraud investigations?
9.7 Has responsibility been clearly assigned, and relevant systems developed, to ensure that full and complete records are
maintained of all fraud reports and situations? Who ensures that records are complete in all respects? How is this achieved in
practice?
9.8 Are records of all reports of fraud and all fraud investigations securely maintained? Is the possibility of tampering with
or unauthorised removal of material from official records, now or in the future, reasonably prevented? How would it be
detected if it occurred?
Reviewer's Conclusion
Conduct and Disciplinary Standards
Review Objective
To determine the extent to which the agency has established policies, standards, systems and procedures relating to
conduct and discipline which support the fraud control strategy.
Review Program Notes
10.1 Does the agency have a formal "code of conduct"? If not, are there other relevant organisational or personnel
policies and documents which may serve in this role?
10.2 Does the agency's code of conduct and/or other policy/practice instruments send a strong and clear message on
corrupt conduct generally? Does it specifically address fraud?
10.3 Has the agency clearly defined and formally stated its position on disciplinary action in terms of fraud? Has it defined and promulgated courses of action to be taken and the nature of penalties to be applied? Are there clear determinations in terms of such aspects as:
10.4 Do the agency's policies and standards on discipline effectively complement and support the particular message and
emphasis of its fraud control strategy?
10.5 Have systems and procedures been fully developed and documented to enable matters of conduct and discipline in
relation to fraud to be effectively actioned as per the agency's stated policies? Have all organisational roles, responsibilities and
authorities been clearly defined? Are they properly understood by those involved?
Notes
10.6 Have the agency's intentions (in terms of its conduct and discipline policies and standards) and processes to be
followed been formally documented and promulgated in such a manner to ensure that official written material will reach all
employees?
10.7 Consider the likely effectiveness of communication actions taken. Have any means of communicating to employees
other than in writing been used? Factors such as the agency's size, hierarchical structure, functional structure, categories and
nature of employees may need to be taken into account.
Reviewer's Conclusion