Fraud controls in local councils

Overview

Many local councils need to improve their fraud control systems, according to a report released today by the Auditor-General for New South Wales, Margaret Crawford. The report highlights that councils often have fraud control procedures and systems in place, but are not ensuring people understand them and how they work. There is also significant variation between councils in the quality of their fraud controls.

Executive Summary

Fraud can directly influence councils’ ability to deliver services, and undermine community confidence and trust. ICAC investigations, such as the recent Operation Ricco into the former City of Botany Bay Council, show the financial and reputational damage that major fraud can cause. Good fraud control practices are critical for councils and the community. 

The Audit Office of New South Wales 2015 Fraud Control Improvement Kit (the Kit) aligns with the Fraud and Corruption Control Standard AS8001-2008 and identifies ten attributes of an effective fraud control system. This audit used the Kit to assess how councils manage the risk of fraud. It identifies areas where fraud control can improve. 

The following shows the attributes of a fraud control improvement kit including investigation systems, detection systems, leadership, ethical framework, responsibility structures,  fraud control policy, prevention systems, fraud awareness, third party management systems and notification systems.
Exhibit 1: Fraud control improvement kit attributes
Source: Audit Office Fraud Control Improvement Kit 2015.

We looked at the extent to which councils have implemented controls through a self-completed survey. Eighty-three of the 128 NSW local councils completed the survey. We also conducted research into fraud control elsewhere, held discussions with selected councils and fraud control experts, and incorporated relevant findings from our first year of financial audits.

Conclusion

The strength of fraud control systems varies significantly across New South Wales local councils, and our survey found that many need to improve significantly. Of the 83 councils that completed our survey:

  • 5 have implemented most of the controls recommended by the kit
  • a further 40 have implemented half or more of the recommended controls
  • 38 have implemented less than half the recommended controls.

While 65 of the 83 councils that completed the audit survey have fraud control policies, 52 councils do not have fraud control plans that direct resources to address the specific fraud risks they face. In the last two years only 15 councils that completed the survey have assessed their fraud risks to identify a need for refreshing or improvement. 

The audit also identified a pattern of councils putting in place a policy, procedures or systems but not ensuring people understand these or how they work. We found that less than one-third of surveyed councils:

  • regularly train staff to identify and respond to suspected fraud 
  • tell staff or the public how to report suspected fraud and how they investigate these reports.

This increases the potential that staff may not adhere to specific fraud control practice requirements, contributing to the sector wide weaknesses in awareness and notification systems identified by the audit. 

Despite several New South Wales state entities collecting data on suspected fraud, the cost, extent, and nature of fraud in local councils is not clear. Collaboration between state agencies and councils to address inconsistencies in data collection could provide a clearer picture to the public and councils on the incidence of fraud.

1. Key findings

Many councils have substantial room for improvement in their fraud control systems

The findings from the audit survey completed by 83 councils show that: 

There is significant variation between councils in their fraud control systems 
  • 5 councils have implemented most of the controls recommended by the Kit
  • a further 40 councils have implemented half or more of the recommended controls 
  • 38 councils have implemented less than half the recommended controls.
Councils do not conduct regular reviews to ensure their fraud control approach is appropriate to the fraud risks they face
  • 52 councils do not have fraud control plans 
  • only 15 councils conducted any form of fraud risk assessment in the last two years 
  • 19 councils have conducted fraud control health checks in the last three years.
The lack of information and training of staff creates weaknesses in fraud awareness and notification systems 
  • 48 councils provide fraud awareness training or information to new staff, however only 29 provide regular training for existing staff
  • 36 councils ask new staff to complete a conflict of interest declaration
  • 67 councils ask new staff to sign a code of conduct, but only seven make this an annual requirement.
Councils provide limited information about fraud control to the public 

Fifty-one of the councils that responded to our survey have their fraud control policy on their website. However:

  • only six conduct community awareness or communication campaigns to make the public aware of their fraud control approach 
  • 34 have information on their website that tells the public how they can report suspected cases of fraud
  • 14 report their fraud control activities in their annual reports. 

Five of the surveyed councils did not have a Public Interest Disclosure (PID) policy

Five councils surveyed reported that they do not have a PID policy. PID policies are a requirement of the Public Interest Disclosure Act 1994 (PID), and are an important component of councils’ notification control systems. The purpose of a PID policy is to establish a reporting system for public officials to report allegations of impropriety without fear of reprisal. Organisational processes and procedures for reporting wrongdoing such as fraud are vital to good governance. 

There is no clear picture of the overall level of fraud within councils

Councils and state entities collect extensive data on incidents of suspected fraud. Local communities have a limited view of whether their council has been the subject of complaints about suspected fraud, or the nature and outcome of such complaints. 

Comparative performance reporting on fraud control practice may drive better practice in councils

The NSW Office of Local Government recently commenced work to develop a performance measurement framework for councils. Including performance measures for fraud control practice in this framework would help drive sector wide improvement. 
 

2. Observations for the sector

The findings of this audit highlight areas where councils could improve their fraud control practice including:

  1. tailoring fraud control plans to their circumstances and specific risks
  2. systematically and regularly reviewing their fraud risks to keep their plans up-to-date
  3. effectively communicating fraud risks, and how staff and the community can report suspected fraud 
  4. ensuring that they comply with the Public Interest Disclosure Act 1994.

3. Recommendations

That the Office of Local Government: 

  1. work with councils to ensure they comply with the Public Interest Disclosure Act 1994
  2. work with state entities and councils to develop a common approach to how fraud complaints and incidences are defined and categorised so that they can:
    • better use data to provide a clearer picture of the level of fraud within councils
    • measure the effectiveness of, and drive improvement in councils' fraud control systems.

1. Introduction

Fraud can disrupt the delivery and quality of services and threaten the financial stability of councils.

Recent reviews of local government in Queensland and Victoria identify that councils are at risk of fraud because they purchase large quantities of goods and services using devolved decision making arrangements. The Queensland Audit Office in its 2014–15 report 'Fraud Management in Local Government' found that ‘Councils are exposed to high-risks of fraud and corruption because of the high volume of goods and services they procure, often from local suppliers; and because of the high degree of decision making vested in councils'. They also highlight some common problems faced by councils including the absence of fraud control plans and failure to conduct regular reviews of their internal controls. Also, in 2008 and 2012 the Victorian Auditor-General identified the importance of up-to-date fraud control planning, clearly documented related policies, training staff to identify fraud risks and the importance of controls such as third party management. 

Investigations into councils by the NSW Independent Commission Against Corruption (ICAC), such as the recent Operation Ricco, show the impact that fraud can have on councils. These impacts include significant financial loss, and negative public perceptions about how well councils manage fraud. The findings of these investigations also show the importance of good fraud controls for councils.

Operation Ricco

In its report on Operation Ricco, the ICAC found that the Chief Financial Officer (CFO) of the City of Botany Bay Council and others dishonestly exercised official functions to obtain financial benefits for themselves and others by causing fraudulent payments from the Council for their benefit. It also identified the CFO received inducements for favourable treatment of contractors.

The report noted that there were overwhelming failures in the council’s procedures and governance framework that created significant opportunities for corruption, of which the CFO and others took advantage.

It found weaknesses across a wide variety of governance processes and functions, including those involving the general manager, the internal audit function, external audit, and the operation of the audit committee.

Source: Published reports of ICAC investigations July 2017.

1.1 The regulatory framework

The NSW Local Government Act 1993 and Model Code of Conduct

The Local Government Act 1993, section 440 requires local councils to adopt a code of conduct that incorporates the provisions of the ‘Model Code of Conduct for Local Councils in NSW, November 2015’ (the Model Code). 

The Model Code describes the expectations for ethical conduct in councils, including avoiding fraudulent behaviour. It sets out ‘the minimum requirements of conduct for council officials in carrying out their functions’. The Model Code applies to elected councillors, staff, and contractors. 

Councils' fraud control practice should reflect their compliance with the requirements of the Model Code.

Exhibit 2: Model Code of Conduct for Local Councils in NSW

Part 3 General Conduct Obligations

3.1 You must not conduct yourself in carrying out your functions in a manner that is likely to bring the council or holders of civic office into disrepute. Specifically, you must not act in a way that:

a)      contravenes the Act, associated regulations, council’s relevant administrative requirements and policies

b)      is detrimental to the pursuit of the charter of a council

c)      is improper or unethical

d)      is an abuse of power or otherwise amounts to misconduct

e)      causes, comprises or involves intimidation, harassment or verbal abuse

f)       causes, comprises or involves discrimination, disadvantage or adverse treatment in relation to employment

g)      causes, comprises or involves prejudice in the provision of a service to the community. (Schedule 6A)

3.2 You must act lawfully, honestly and exercise a reasonable degree of care and diligence in carrying out your functions under the Act or any other Act. (section 439)

3.3 You must treat others with respect at all times.

Source: Office of Local Government Model Code of Conduct for NSW Local Councils 2015.  

1.2 About the audit

This audit provides a sector-wide snapshot of how local councils manage the risk of fraud. To understand this, we asked councils to complete a survey to assess their fraud controls against the ten fraud control attributes set out in our Fraud Control Improvement Kit

To identify risks and opportunities to improve fraud control practices we also: 

  • reviewed data collected by councils and New South Wales Government entities 
  • conducted workshops and interviews with councils 
  • conducted interviews with industry experts and other stakeholders.

We also considered relevant findings from our first year of financial audits of local councils. 

2. Fraud control snapshot

The strength of fraud control systems varies significantly across New South Wales local councils, and many councils we surveyed need to improve significantly. 

Most surveyed councils do not have fraud control plans that direct resources to mitigating the specific fraud risks they face. Few councils reported that they conduct regular risk assessments or health checks to ensure they respond effectively to the risks they identify. 

There are sector wide weaknesses that impact on the strength of councils' fraud control practice. Less than one-third of councils that responded to the survey:

  • communicate their expectations about ethical conduct and responsibility for fraud control to staff 
  • regularly train staff to identify and respond to suspected fraud
  • inform staff or the wider community how to report suspected fraud and how reports made will be investigated.

The audit also identified a pattern of councils developing policies, procedures or systems without ensuring people understand them, or assessing that they work. This reduces the likelihood that staff will actually use them. 

In general, metropolitan and regional councils surveyed have stronger fraud control systems than rural councils. 

Newly amalgamated councils are operating with systems inherited from two or more pre-amalgamated councils. These councils are developing new systems for their changed circumstances.

Five councils surveyed reported that they did not comply with the Public Interest Disclosure Act 1994

Observations for the sector:
Councils should improve their fraud controls by:

  • tailoring fraud control plans to their circumstances and specific risks
  • systematically and regularly reviewing their fraud risks and fraud control systems to keep their plans up to-date
  • effectively communicating fraud risks, and how staff and the community can report suspected fraud 
  • ensuring that they comply with the Public Interest Disclosure Act 1994.

Recommendation:
That the Office of Local Government: 

  • work with councils to ensure they comply with the Public Interest Disclosure Act 1994.
     

2.1 Fraud control survey

Our survey of councils provides a snapshot of fraud control in the sector

We asked all 128 New South Wales local councils to complete a survey to assess their fraud controls against the ten attributes set out in the Audit Office’s Fraud Control Improvement Kit. Eighty three councils, or 65 per cent, completed the survey. 

Exhibits 3 and 4, show that most metropolitan and regional councils, and almost half of rural councils, participated in the survey. This is a high response rate for a voluntary survey and allows us to provide a snapshot of fraud controls in the sector. See Appendix two for a summary the survey data.

The following image shows the NSW regional and rural councils that participated in the Audit Office fraud control survey. Most regional councils and half of the rural councils took part.
Exhibit 3: New South Wales regional and rural local councils that completed the fraud control survey
The following map shows the metropolitan councils in NSW who participated in the Audit Office fraud survey. Most councils took part in metro areas.
Exhibit 4: Metropolitan Sydney councils that completed the fraud control survey
Source: Audit Office research and analysis 2018.

2.2 Overall fraud control practice

The strength of fraud controls varies significantly across NSW local councils 

Based on the responses to our survey, many councils need to significantly improve their fraud control systems. Of the 83 councils that completed our survey: 

  • 5 have implemented most of the controls recommended by the Kit
  • a further 40 have half or more of the controls 
  • 38 have implemented less than half the controls.

Each council’s fraud control approach needs to be appropriate to the fraud risks it faces. All surveyed councils have implemented some controls against each of the ten attributes listed in the Kit. However, there is substantial room for improvement in many councils. 

Exhibit 5 shows a summary of coverage of fraud control attributes across the sector and by council type. All surveyed councils had only partial coverage on prevention systems, fraud awareness, and notification systems. Rural and regional councils also have partial coverage on responsibility structures. These councils should review these areas to identify opportunities for improvement.

The following diagram is a summary of fraud controls coverage. See the paragraph before exhibit 5 for the full details.
Exhibit 5: Summary of fraud controls
Notes:
1    Low coverage = less than one third of controls in place.
2    Partial coverage = less than two thirds of controls in place.
3    Good coverage = more than two thirds of controls in place.
Source: Audit Office research and analysis 2018.

There is a sector wide weakness in prevention systems in councils

Around two thirds of councils surveyed did not have fraud control plans and only 15 have conducted any form of risk assessment within the last two years, as recommended by the Kit. 

The lack of fraud control plans in these councils is a significant gap in their fraud control practices. Councils without fraud control plans have no basis to assess whether their fraud strategies are sound, coordinated, purposely implemented and reviewed. 

Rural councils told us that they have difficulty implementing some fraud controls because they lack resources and capability. That said, some rural councils reported that they have adopted approaches to address the challenges of their size, location and capabilities. For example, some have established partnerships with comparable size councils to share skilled staff to implement the required fraud control practices. 

There are sector wide weaknesses in councils' notification and fraud awareness systems

Most councils surveyed need to improve their notification and fraud awareness systems. 

Fraud awareness controls in the Kit involve activities to ensure that staff and others understand council’s expectations of them in relation to fraud prevention. Notification systems controls are mechanisms to report suspected fraud and activities to ensure that staff and the public know how to report suspected fraud.

The risk that fraud will not be identified or reported increases when notification and fraud awareness controls are weak. 

Fraud control health checks help identify improvement opportunities, but are not widely used

Only 32 of the 83 surveyed councils reported that they had undertaken a fraud control health check in the last five years. Fraud control health checks help to identify areas where fraud controls may need refreshing or improving. They are also a useful way to measure staff understanding of fraud control policy. 

2.3 Fraud control practice by attribute

Senior management in councils is committed to effective fraud control

Leadership

Leadership that models ethical behaviour and communicates expectations regarding conduct is fundamental to fraud control. The kit identifies two common elements of leadership namely:

  • CEO and senior management commitment to fraud control 
  • clearly defined CEO and senior management accountability and responsibilities.

All surveyed councils report that senior management demonstrated the two elements for leadership identified in the Kit. 

We also found that 60 councils conduct regular staff surveys of their organisational culture. These measure staff views on issues such as:

  • how effectively council promotes ethical behaviour 
  • the commitment of council's leadership team to ethical conduct
  • how safe staff feel reporting unethical conduct to their direct supervisor
  • council's commitment to act in response to reports of unethical conduct.

Work currently underway by the Ethics Centre underlines the importance of leadership in fraud control and links this with organisational culture. Experts from the Ethics Centre told us that the absence of good leadership can undermine the most robust procedural framework. 

ICAC’s Operation Magnus illustrates the impact that a lack of senior management commitment to ethical conduct can have for councils. 

Exhibit 6: Operation Magnus

The ICAC found the former General Manager of Burwood Council, and other council officers, engaged in corrupt conduct in the course of their administration of staff and use of Council resources. Amongst other things, the General Manager:

  • failed to manage appropriately his conflict of interest in the recruitment to Council of his friend, and in the payment of $41,400 above his friend’s contracted remuneration 
  • procured work on units in which he had a personal interest from Council officers during Council time
  • took adverse managerial action against four Council whistleblowers.
Source: Published reports of ICAC investigations April 2011.

The Model Code provides the ethical framework for councils

Ethical framework

An organisation's fraud control framework is part of a much bigger ethical framework that guides the values of the organisation and provides standards for behaviour and decision-making. The ethical framework sets the organisational culture that is fundamental to the success of a fraud control framework.

The Model Code provides the ethical framework for councils. All surveyed councils have measures that meet the requirementsof the Model Code and most would also meet the requirements of the consultation draft Model Code released by the OLG in December 2017. 

However, the Kit recommends that staff also sign both a code of conduct and a conflict of interest declaration as evidence of their commitment to ethical behaviour. 

Of the 83 councils that completed our survey: 

  • 67 ask staff to sign a code of conduct when they commence employment, however only seven councils make this an annual requirement 
  • 63 councils have a policy relating to conflict of interest. Only 36 of these ask staff to complete a conflict of interest declaration on commencement of employment and only 29 make this an annual requirement.

Responsibility for fraud control oversight is not always clear

Responsibility structures

A comprehensive responsibility structure is required to implement an organisation's fraud control framework. Key elements of this structure include:

  • management and all staff have clearly defined responsibilities for managing fraud
  • integration of fraud management with core business
  • resources allocated to managing fraud

In 35 surveyed councils, the responsibility for oversight of fraud control is part of one or more senior managers' role descriptions. Rural and regional councils are less likely to include this in senior management role descriptions. 

Of the 83 councils that completed our survey: 

  • 48 councils agreed that they had integrated fraud management with their core business
  • 45 agreed that sufficient resources were allocated to the management of their fraud risks. 

The Auditor-General’s Report on Local Government 2017 reports on the 2016–17 financial audits of council financial statements. It notes that an effective audit, risk and improvement committee is an important part of good governance. While councils are not currently required to have an audit, risk and improvement committee, 53 councils do not have a functioning audit committee. Changes outlined in section 428A of the Local Government Amendment (Governance and Planning) Act 2016 will require councils to establish an audit risk and improvement committee by March 2021. The report recommends that councils should early adopt the proposed requirement to establish an audit, risk and improvement committee. (p58)

Most councils have a fraud control policy

Fraud control policy

Organisations need to have policies, systems and procedures in place that minimise the risk of fraud throughout the organisation. These should include risk-based policies appropriate to the organisation that are holistic and integrated. Organisations need to review them regularly to ensure they remain current.

 
Sixty-five surveyed councils report they have a stand-alone fraud control policy which includes most of the characteristics listed in the Kit such as:

  • a definition of fraud 
  • the organisation's commitment to investigating and prosecuting fraud
  • employee responsibilities relating to fraud prevention
  • how they will carry out investigations.

There were 18 councils surveyed reported that they did not have a fraud control policy. This is a significant gap in practice for these councils. 

Only 42 surveyed councils have reviewed their policy in the last two years. Newly amalgamated councils are operating with systems inherited from two or more pre-amalgamated councils. The nine newly amalgamated councils that completed the survey report that they are establishing new stand-alone fraud control policies that will apply to their council. 

Few councils have fraud control plans or undertake regular risk assessments

Prevention

Fraud prevention systems are a cost effective way to minimise fraud in an organisation. As with all aspects of the fraud control framework, the prevention strategies used by an organisation should be proportionate to the fraud risks involved. They should include:

  • proactive and integrated risk assessments
  • planning and follow up accountability mechanisms

These should be reviewed after substantial change and at least every two years.

Of the 83 councils that completed the survey only:

  • 31 have fraud control plans 
  • 15 have conducted any form of fraud risk assessment in the last two years.

Councils without fraud control plans have limited assurance that they are effectively mitigating the specific risks they face. Regular risk assessments help ensure the fraud controls remain contemporary and effective. 

The Auditor-General's report on Local Government 2017 reinforces the survey results. This report found instances where councils could strengthen their risk management practice (Section 5.2 of volume).

The report on Local Government 2017 also found that just under half of the councils audited did not have an adequate information security policy. The Kit notes that a 'key element of a prevention system is a specific IT security strategy, which is aligned with the organisation's business strategy. This reflects the significant reliance on technology and the potentially serious consequences of a breach of IT security’.

In our survey, we asked councils to identify the top three control weaknesses found through their health checks. One of the common weaknesses in prevention systems was that no recent risk assessment had been completed.

Councils provide only limited training and information on fraud

Fraud awareness

Staff in an organisation are a prime source of information on suspected frauds. To make best use of this valuable resource, staff need to be aware of what fraud is, common types of fraud they may encounter, their responsibilities and how to report suspected frauds. Importantly, organisational culture must encourage reporting of suspected fraud.

Awareness of what fraud is, how to recognise it, and what to do in response is critical to controlling the incidence of fraud. Many councils do not ensure that their staff have good fraud awareness. Of the 83 councils that completed the survey only:

  • 48 provide fraud awareness training or information to new staff
  • 28 provide fraud awareness training or information to contracted-in staff
  • 29 provide fraud awareness training for existing staff at regular intervals.

Councils have implemented most recommended controls on third party management 

Third party management

Third party management systems include:

  • targeted training and education for key staff
  • due diligence and clear contractual obligations and accountabilities
  • effective third party internal controls
  • third party awareness and reporting
  • staff disclosure of conflicts of interest and secondary employment

Exhibit 7 shows that most councils have implemented controls relating to conflicts of interest, duplicate payments, consultants and contractors, and payment on confirmation of services received. More than half have implemented all the third-party management systems recommended in the Kit. 

However, we identified some gaps in practice. For example, of the 83 councils who completed the survey:

  • 26 do not have processes to manage phantom vendor fraud. Phantom vendor fraud occurs when an employee establishes a fictitious vendor and submits false invoices for payment or where an invoice does not exist to support payment
  • 28 do not have processes to manage potential kickback or bribery. Kickback or bribery involves an employee misusing their position to award contracts to firms in return for personal gain such as payments of money, employment of family members outside proper recruitment processes, or other gratuities 
  • 37 do not have processes to manage potential bid rigging. Bid rigging is collusive price-fixing behaviour by firms to coordinate their bids on procurement or project contracts, including arranging the bidding process to guarantee selection of a vendor
  • only 36 councils reported their contracts with third parties clearly set out accountabilities for managing fraud risk.

While 63 councils surveyed reported that their code of conduct or ethics applies to staff of consultants and contractors while engaged in providing services to the council, only 17 per cent said they provided fraud awareness information or training for these people on commencement of the contract.

Exhibit 7: Third-party management systems
Councils have procurement controls and processes to manage the following: Yes No
Conflicts of interest 75 8
Phantom vendor fraud 57 26
Split purchase orders/split orders 66 16
Kickbacks or bribery 54 28
Duplicate payments 69 13
Bid rigging 45 37
Tender splitting 61 22
Consultants and contractors  71 12
Payment on confirmation of services received provided by consultants or contractors  70 13

Note: Nil responses to some questions account for differing totals in this chart.
Source: Audit Office survey results 2017. 

Several councils told us that successive ICAC investigations highlight the risks from, and possible responses to, gaps in third-party management practice. Operation Jarek, summarised in Exhibit 8, shows the impact that poor third-party management controls can have for councils.

Exhibit 8: ICAC Operation Jarek

Operation Jarek

The ICAC found that staff and former staff from 14 local Councils engaged in corrupt conduct by accepting gift vouchers and other gifts from suppliers as an inducement to continue placing orders with their companies or as a reward for placing orders with the companies. It also found staff from supplier companies had engaged in corrupt conduct through their involvement in offering these gifts.

The Commission noted that agencies generally focused on having rules around the acceptance of gifts. However, they did not consider corruption risks in the broader relationship between buyer and supplier, or the opportunity for corruption in their procurement and inventory management systems.

Source: Published reports of ICAC investigations October 2012.

Common weaknesses in third-party systems identified through surveyed council health checks were: 

  • transparency in selection and supplier management 
  • conflicts of interest for procurement
  • collusion and improper relationships
  • absence of payroll audit trail. 

Councils usually document notification systems but rarely communicate these to the public

Notification systems

Organisations should encourage employees and external parties to report unethical behaviour, including fraud. Employees must understand that they can make reports without fear of reprisal and be confident that they will be taken seriously and acted upon.

While most surveyed councils have documented notification mechanisms for reporting fraud, they conduct very few activities to make sure that people are aware of those mechanisms. 

The results shown in Exhibit 9 demonstrate that most surveyed councils do little to ensure that staff or the public are aware of their fraud notification systems. Of the 83 councils that completed the survey only around half undertake awareness activities to ensure that staff and the public know how they can report suspected fraud to council and only:

  • 4 have community awareness campaigns that provide information to the public about how to report conduct that they suspect may be fraudulent 
  • 34 have information on their website to make customers and the public aware of how they can report suspected cases of fraud. 
Exhibit 9: Notification systems
Council awareness raising activities on reporting suspected cases  Yes No
Fraud awareness training on reporting suspected fraud 38 44
Internal communications such as newsletters, bulletins, all staff emails, or intranet posts 40 43
Information on council's website directed to staff 39 44
Community awareness campaigns for the wider public 4 78
Information on council's website directed to the public 34 49

Note: Nil responses to some questions account for differing totals in this chart.
Source: Audit Office survey results 2017. 

Five surveyed councils do not comply with the Public Interest Disclosure Act 1994 because they do not have a Public Interest Disclosure policy

Councils are public authorities and must have a Public Interest Disclosure (PID) policy that outlines their requirements to report potential fraud. Seventy-eight councils reported to us that they have these policies, however five reported they did not. These five councils do not comply with the Public Interest Disclosure Act 1994

Organisational processes and procedures for reporting wrong doing are vital to good governance, according to the Griffith University report 'Whistleblowing Processes & Procedures - A New National Snapshot'. This research links the strength of reporting processes to community views of an organisation's integrity and the likely organisational response to a complaint about misconduct. 

ICAC investigations also show that weak mechanisms to encourage fraud reporting can be factors in fraud perpetrated in councils. For example, Operation Churchill identified the failure of notification systems as one factor in the fraudulent conduct of a council officer that resulted in considerable damage to council's finances and reputation. 

Exhibit 10: Operation Churchill

The ICAC found that a Willoughby City Council development officer engaged in corrupt conduct by exercising his official functions to favour various business owners. The ICAC found that Council's development assessment approval system enabled individual officers to expedite development approvals in return for benefits such as cash, gifts, free meals, free massages and sexual services. 

The ICAC also found that the Council's culture of accepting gifts and benefits, and the lack of communication with its community, exacerbated the risk of fraud and corruption.

Source: Published reports of ICAC investigations June 2011.

While councils report good coverage of detection controls, our financial audits highlight a need for regular review in this area

Detection systems

It is important for an organisation to take ownership of its fraud risk and implement effective detection systems to mitigate these risks. An organisation should have:

  • robust internal controls
  • monitoring and review processes
  • risk-based internal audit programs

Exhibit 11 shows that most councils reported they have most of the detection controls recommended in the Kit. However, staff rotation in high-risk areas is a practice in only 12 councils.

Exhibit 11: Detection controls
  Yes No
Segregation of duties in high-risk areas 82 1
Staff rotation in high-risk areas 12 71
Regular reviews and checks to detect irregularities in high-risk areas 68 15
Reconciliations 80 3
Analysis of management accounts and financial statements 81 2
Delegations manual 76 7
Systems and IT controls 82 1
Staff act in high-risk positions when permanent staff are on leave 71 7
Council's internal audit plan covers high-risk fraud areas 62 5
Note: Nil responses to some questions account for differing totals in this chart.
Source: Audit Office survey results 2017. 

While the survey results indicate that councils say they have most of the controls recommended in the Kit, weaknesses identified in the financial audits and council's own health checks demonstrate the importance of regular review of controls to ensure they are effective. 

The Auditor-General's Report on Local Government 2017 identified instances of weaknesses in detection controls (Section 5.3 of volume). These included weaknesses relating to:

  • no review of changes to details in the payroll master file
  • segregation of duties, such as manual journals not reviewed by an independent officer
  • inadequate supporting documentation for manual journals posted
  • delegations including staff with access to process manual journals beyond the requirements of their job.

While almost all councils we surveyed said they had system and IT controls, the Report on Local Government 2017 found weaknesses in IT access controls. These included:

  • informally documented and inconsistently applied user access controls
  • inappropriate privileged access, inadequate review and insufficient retention of access logs to monitor the activities of privileged system users
  • user developed applications which allowed users to by pass access controls (Section 6.2 of volume).

Common weaknesses in detection systems identified through council health checks were: 

  • weak IT system controls including poor passwords, multiple privileged users
  • risk of asset disposal or use for personal benefit 
  • collusion to lower asset value for personal gain during disposal/sale
  • lack of review of vehicle log books 
  • poor controls to ensure effective and efficient maintenance 
  • insufficient segregation of duties in procurement, accounts payable, finance
  • lack of monitoring of records and transactions, including incomplete reconciliations of funds.

Councils need to ensure they have formal processes to investigate suspected fraud

Investigation systems

Investigation is typically the last stage of the fraud control framework. Successful investigation systems document how the organisation will conduct fraud investigations and disciplinary procedures in relation to fraud perpetrators.

Of the 83 councils that completed the survey:
•    51 have documented policies and procedures in relation to fraud investigation 
•    47 have documented disciplinary procedures for fraud perpetrators. 

This is a significant gap in practice in those councils without these policies and procedures. Documenting policies and procedures in relation to fraud control increases the likelihood that staff and members of the community will report suspected fraud. As noted in the Griffith University report 'Whistleblowing Processes & Procedures - A New National Snapshot' people are less likely to report potential fraud if they do not believe that council will investigate this fairly.

3. Reporting of fraud in local councils

Despite several New South Wales state entities collecting data on suspected fraud, the cost, extent, and nature of fraud in local councils is not clear. 
There are weaknesses in data collection and categorisation. Several state entities receive complaints about councils. These entities often do not separate complaints about fraud from other complaint data, do not separate local council data from other public-sector data, and do not separate complaints about council decisions or councillors from complaints about council staff conduct. Complaints about one incidence of suspected fraud can also be reported multiple times. 
Collaboration between state entities and councils to address these weaknesses in data collection could provide a clearer picture to the public and councils on the incidence of suspected fraud. Better information may also help councils decide where to focus fraud control efforts and apply resources more effectively.
Including measures for fraud control strength and maturity in the OLG performance framework may also improve practice in councils. Further, OLG may want to consider how a revised Model Code could better drive fraud control practice in councils.
Recommendations
That the Office of Local Government:
  •  work with state entities and councils to develop a common approach to how fraud complaints and incidences are defined and categorised so that they can:
    • better use data to provide a clearer picture of the level of fraud within councils
    • measure the effectiveness of, and drive improvement in councils' fraud controls systems

3.1 Current reporting of fraud in councils

There is no clear picture of the overall level of fraud within local councils

Councils and state entities collect extensive data on suspected fraud in local councils. However, the extent and incidence of fraud in councils is not clear. These entities do not generally differentiate complaints about fraud from corrupt or improper conduct in data they collect. The same complaint can be received by several entities, leading to multiple counting and reporting. 

ICAC, the NSW Ombudsman, OLG and the NSW Police all report data on complaints about councils. The reports include complaints about suspected fraud. Most complaints about potential fraud are received by OLG, ICAC and the NSW Ombudsman. The data reported by these entities generally does not tell us whether a complaint is serious or if it relates to fraud.

Councils can resolve complaints relating to fraud that they receive directly and may report these in their annual reports. They also report serious complaints to the OLG as a breach of the Model Code of Conduct. The OLG compiles data on breaches of the Model Code and reports these in its annual reporting. For example, in 2015–16 the OLG received 1,926 complaints regarding alleged breaches of the Model Code. Of these 74 complaints were sufficiently serious to warrant formal investigation but OLG did not identify whether they related to suspected fraud. 

Where state entities report only state-wide totals, local communities cannot see whether their council has been the subject of complaints about suspected fraud, the nature of those complaints or the result of the complaints. Along with the OLG, ICAC and the NSW Ombudsman report data on a sector wide basis.

3.2 Opportunities for Improvement

There is limited collaboration among state entities on reporting of suspected fraud in councils 

Feedback from our interviews with these state entities highlights an opportunity for better cooperation to deliver a clearer picture of the incidence of fraud in councils to the public. This data may also be useful for developing councils’ fraud control practices and measuring effectiveness. 

Existing barriers to data sharing reported to us include:

  • no common definition of fraud 
  • entities do not differentiate complaints about fraud from other forms of corrupt or improper conduct 
  • entities do not report complaints about councillors, members of staff, contractors or volunteers separately
  • the potential for duplication in data collection 
  • entities only reporting sector wide totals.

Comparative performance reporting on fraud control practice may drive better practice in councils

The OLG recently commenced work to develop a performance measurement framework for councils. Including performance measures for fraud control practice in this framework may be useful in driving sector wide practice improvement. 

Appendices