Executive summary

This report presents the findings of the eighth annual survey of the fraud experiences of Australian Government agencies reported pursuant to the Commonwealth Fraud Control Guidelines 2002 (the Guidelines). It is the fourth survey undertaken by the Australian Institute of Criminology (AIC) and the fifteenth survey undertaken on behalf of the government since 1995–96. The Guidelines require the AIC to produce a report each year on fraud experienced by Australian Government agencies and the fraud control arrangements agencies use to minimise the risk of fraud. The current report is based on information from the 2009–10 financial year, supplied by Australian Government agencies to the AIC before 30 September 2010. Relevant agencies completed a secure online survey. As required under the Guidelines, this report includes additional data provided by the Australian Federal Police (AFP) and the Commonwealth Director of Public Prosecutions (CDPP) on fraud investigations and prosecutions, respectively. A review was also undertaken of other research into public sector fraud derived from various fraud surveys completed in recent years by market research organisations and consultancies. The results of this were compared with the findings of the current survey.


Crimes involving dishonesty, collectively known as fraud, have been estimated to cost Australia many billions of dollars each year. Fraud affects all sectors of the community, extending from individuals who have responded to online offers to make ‘quick money’, to large companies and government departments that have suffered fraud at the hands of their employees or members of the public. Fraud risks arise in connection with all government activities but may have particular importance in connection with implementing large-scale, new government programs.

In the private sector, estimates of personal fraud losses for 2006–07, reported by respondents to the national survey of households conducted by the Australian Bureau of Statistics, totalled $977m (ABS 2008), while respondents to KPMG’s survey of Australian and New Zealand businesses in 2010 reported losses of $345.4m over the two-year period 2008–10 (KPMG 2010).

Fraud against the Commonwealth may be committed by individuals outside agencies (external fraud) who seek to claim benefits or obtain some other financial advantage dishonestly, or by those employed by agencies (internal fraud), including staff and contractors. The incidence and financial impact of internal fraud is generally lower than of external fraud, although both deplete government resources and have a negative impact on the administration of agencies.

Fraud in the public sector deprives governments of income for providing services to their communities while fraud in the private sector can seriously harm, businesses and individuals alike. The 152 Australian Government agencies that responded to the present survey reported experiencing almost 706,000 incidents of fraud (internal and external), worth almost $498m during 2009–10. This was almost 17 percent less than the amount lost in 2008–09, and almost 12 percent fewer reported incidents than in 2008–09. Reported losses arising from internal fraud, however, increased by almost 10 percent between 2008–09 and 2009–10, with more than $2m lost in 2009–10.

These totals under-represent the true value of fraud losses, as only 43 percent of agencies that experienced fraud specified a loss in 2009–10 (26 out of the 61 agencies that experienced fraud). This was an improvement on the situation in 2008–09, when only 40 percent of agencies that experienced fraud specified a loss (23 out of 58 agencies that experienced fraud). The ability to quantify a loss depends on various factors, including the availability of evidence of what transpired, whether the investigation had been finalised and the nature of the dishonesty practised. Some instances where intangible losses are involved are difficult to quantify.

Responses vary when fraud is identified within agencies. Some responses are obligatory under official policies and laws, and others are optional depending on the scale and circumstances of the offence. Often, however, fraud is not reported officially and sometimes repeat victimisation occurs—occasionally by the same offender against the same agency. Both government and business have developed an extensive range of responses to this problem over the past decade, notably in response to changes in information and communications technology and the resulting increased vulnerability to computer-enabled crime.

2009–10 survey

This report examines the fraud experiences of Australian Government agencies during the 2009–10 financial year. It includes evidence of the type and cost of detected incidents, the number of incidents investigated and the prevention and control measures adopted by agencies during this period.

The questionnaire used to collect information from agencies in 2009–10 varied slightly from that used in 2008–09, with changes designed to improve the clarity of questions and to deal with feedback from responding agencies provided during the year. The differences were, however, not marked enough to prevent comparisons between the results collected for the two years.

In March 2011, the Attorney-General’s Department (AGD) released an updated version of the Commonwealth Fraud Control Guidelines. The results of the 2009–10 data collection in this report relate to the 2002 Guidelines, which were current when agencies completed the survey. The 2010–11 report will traverse the period of change in the Guidelines, as the revised Guidelines of March 2011 were operational at the time agencies completed the survey in September 2011. Information on changes to the Guidelines will be reported in the 2010–11 report, along with details of the new questionnaire agencies completed in September 2011. These changes were made in light of the revised guidelines introduced to clarify the types of fraud and dishonesty agencies are required to report on. For this report, however, reference to ‘the Guidelines’ will be to the May 2002 version.

Participating agencies

Under paragraph 8.13 of the Guidelines, reporting on fraud and fraud control is required by all Australian Government agencies governed by the Financial Management and Accountability Act 1997 (FMA Act) and by agencies governed by the Commonwealth Authorities and Companies Act 1997 (CAC Act) that receive at least 50 percent of funding from the Australian Government or an Australian Government agency.

Australian Government agencies that do not fall within these criteria are not required to report. They are, however, encouraged to do so and to comply with all aspects of the Guidelines. Each year, the number of agencies invited to participate differs slightly from the number that respond because new agencies are created and others are removed or amalgamated. There is also a small number each year that choose not to participate for various reasons, including interests of national security. Of the agencies that respond, some are excluded from the analysis because they do not meet the FMA Act or CAC Act eligibility criteria.

In 2010 an invitation to complete the questionnaire was sent to 191 Australian Government agencies. Completed responses were received from 175 agencies, although this was reduced to 152 after removing those agencies not covered by the FMA Act or CAC Act eligibility criteria. The revised total number of respondents included in the analysis (n=152) represented 80 percent of those invited to participate. Of these, 103 (68%) were FMA Act agencies and 49 (32%) were CAC Act bodies.

In 2008–09 invitations were sent to 177 agencies, of which 166 responded and 149 were analysed (84% of those invited). In 2008–09 the responses analysed were from 101 FMA Act agencies and 48 CAC Act agencies, while in 2009–10 the responses analysed were from 103 FMA Act agencies and 49 CAC Act agencies. The proportion of agencies governed by these two Acts was the same in 2008–09 and 2009–10 (FMA Act=68% in both years and CAC Act=32% in both years).

In 2009–10, of the 152 agencies whose responses were analysed in this report, 139 (89%) were the same agencies analysed in 2008–09. Only four of the 16 agencies whose responses were analysed in 2009–10, but which were not included in the 2008–09 survey, reported instances of fraud in 2009–10 (a total of 70 fraud incidents—37 incidents from one agency, 30 from another, two from another and one from another agency). In making comparisons between the two years, therefore, it was apparent that the vast majority of responses came from the same agencies.

Fraud prevention and control

Under the Guidelines, agencies are required to undertake a risk assessment every two years. The majority of agencies (62%) completed their most recent risk assessment in the current financial year (2009–10). The number of agencies that completed a risk assessment more than two years before that remained the same as it was in 2008–09, at four percent. The number of agencies that reported never having had a risk assessment also remained the same as in 2008–09, at two percent. Investigations revealed that the fraud control arrangements in these agencies generally fell within broader risk management activities, rather than as separate procedures dedicated to fraud risk. This resulted in these agencies responding that they had not undertaken a ‘fraud-specific’ risk assessment. Future surveys will seek information from agencies on this question differently to avoid confusion over how risk assessments are undertaken.

The majority of agencies (56%) completed their most recent fraud control plan in the current financial year. Similar to risk assessments, three percent of agencies completed their last fraud control plan more than two years earlier. However, the number of agencies that had never had a fraud control plan increased from one percent in 2008–09 to two percent in 2009–10. As with the risk assessment question, these agencies had a more general risk management plan in place rather than a ‘fraud-specific’ one, which led them to answer this question in the negative.

Fraud victimisation

Almost the same percentage of agencies reported fraud victimisation in 2009–10 as in 2008–09 (40% in 2009–10, 39% in 2008–09). Slightly more agencies reported external fraud (34%) than internal fraud (31%), while nearly one-quarter had experienced both types of fraud (24%). Seven percent of agencies reported incidents of collusion between individuals within agencies and those outside agencies in 2009–10, the same as in the preceding year. In total, 705,547 incidents of fraud (internal and external) were reported in 2009–10 by 61 agencies —a reduction of almost 12 percent of the number of incidents from the 800,698 reported in 2008–09.

There were considerably more reported incidents of fraud alleged against persons external to agencies (external fraud) than against employees and contractors (internal fraud). In 2009–10, 47 agencies reported 3,001 incidents of internal fraud. For the five specified categories of internal fraud, incidents relating to ‘financial benefits’ affected the largest proportion of agencies (20%, n=30). For the specific subcategories of internal fraud, ‘leave and related entitlements’ affected the highest number of agencies experiencing internal fraud (n=19, 40%), which differed from 2008–09, when misuse of government credit cards affected the largest number of agencies (38%).

Agencies reported 702,941 incidents of external fraud, some of which may have involved allegations of non-compliance with regulatory instruments rather than actual incidents of financial crime. Most incidents related to ‘entitlements’; however, this only affected a small number of the largest agencies. One agency reported 75,644 incidents related to entitlements, while another reported 613,996 incidents which were comparable in scale to those reported by these agencies in 2008–09. For external fraud, the type of incident affecting the greatest number of agencies involved ‘financial benefits’ (21%).The specific category of fraud that affected the greatest number of agencies was ‘theft of telecommunications or computer equipment (including mobile devices)’ (n=18, 35%). It was found that smaller agencies, with 500 or fewer employees, were less likely to report fraud incidents than those with more than 500 employees. However, while the smaller agencies reported fraud at lower rates, they were not completely immune. Eighteen percent of smaller agencies reported experiencing at least one fraud incident, while 83 small agencies reportedly did not experience any fraud.

Cost of fraud victimisation

The total loss reported by agencies was $497,573,820, although only 42 percent of agencies that experienced fraud specified a loss.

Fifty-three percent of agencies that reported experiencing an internal fraud incident reported a financial loss in 2009–10 totalling $2,039,162, compared with 60 percent in 2008–09 totalling $1,856,707—an increase of almost 10 percent.

Fraud related to ‘misuse of entitlements’ was the most costly internal fraud category, with agencies reporting more than $1.2m lost to this fraud type alone.

Fifty-one agencies experienced an incident of external fraud, worth $495,534,658 in 2009–10, although only 65 percent of agencies that experienced an incident of external fraud specified a loss. This was a 17 percent decrease in reported losses from external fraud from 2008–09. The largest external fraud losses arose from fraud relating to ‘entitlements’, with a total estimated loss of $487m in 2009–10 compared with $489m in 2008–09. For both internal and external fraud, there were several agencies that suffered losses they were unable to quantify.

In 2009–10, some 40 percent of total reported losses were recovered by agencies, with $196,735,497 recovered. This was a considerable increase in the proportion of losses recovered in 2008–09, when $139,312,337 was recovered. The vast majority of funds recovered related to external fraud.

Fraud detection and investigation

Detection of fraud incidents was most likely to occur through internal controls such as audits or internal investigations. This was true for both internal and external fraud incidents.

As required by the Guidelines, agencies generally investigated incidents of fraud themselves rather than referring them to an external agency or investigator. In the case of internal fraud, 85 percent (n=2,553) of incidents were investigated within agencies, while 94 percent (n=659,899) of external fraud incidents were investigated within agencies.

The majority of agencies reporting fraud identified at least one suspect. Almost 94 percent of those agencies that reported internal fraud identified a suspect, while 88 percent of agencies that reported external fraud identified a suspect.


In 2009–10 agencies referred a total of 5,428 incidents involving external fraud and 94 incidents involving internal fraud for police investigation or prosecution by the Commonwealth Director of Public Prosecution (CDPP). Of these incidents, 34 internal fraud incidents and 134 external fraud incidents were sent to the Australian Federal Police (AFP), 25 internal fraud incidents and 101 external fraud incidents were sent to state and territory police, and 35 internal fraud incidents and 5,193 external fraud incidents were sent to the CDPP in 2009–10. The fact that more external fraud incidents were referred for prosecution is, arguably, a reflection of the much larger number of incidents of external fraud detected each year.

Australian Federal Police

Apart from the information provided by agencies in response to this year’s survey, the Guidelines also require the AFP and CDPP to provide information on matters dealt with during the previous year. These agencies adopt different definitions and categories for collecting data from those used by reporting agencies themselves, thus making their statistics on referrals not directly comparable with agency data.

During 2009–10 the AFP accepted 94 fraud referrals and declined 29. Of these, 24 matters resulted in legal action (this included some matters initially referred in previous years). The AFP advised that the number of referrals had decreased since 2008–09 due to changes in business rules for recording undeclared currency matters. For example, in 2009–10 cases were recorded only if they proceeded either by arrest or summons. Losses involved in the 94 matters accepted for investigation during 2009–10 were estimated to amount to almost $39m.

Commonwealth Director of Public Prosecutions

In 2009–10, 5,010 defendants were referred to the CDPP for prosecution involving allegations of fraud. Of these, 4,913 were prosecuted, resulting in 4,180 convictions and 29 acquittals. It should be noted that prosecutions undertaken by the CDPP in 2009–10 may relate to cases that had been referred to the CDPP in previous years. Accordingly, some cases that agencies referred to the CDPP in 2009–10 may have been prosecuted in later years. Charges against those prosecuted for fraud in 2009–10 involved alleged financial losses of almost $100m. The CDPP secured more than $59m by way of reparation under the Crimes Act 1914 (Cth) and pecuniary orders under the Proceeds of Crime Act 1987 (Cth). These recoveries related only to monies recovered during 2009–10.


This year’s report provides policy-relevant information about the types of fraud Australian Government agencies experienced and the methods used to commit them. In future years, the results from the annual questionnaire will provide trend data which will assist agencies in preparing fraud control policies and allocating resources for preventing and investigating fraud. Future reports will also seek to further explore the problem of external fraud, which accounts for by far the largest proportion of fraud detected by agencies—particularly for large agencies. It would be useful to explore why these large agencies have apparently good levels of protection against internal fraud yet remain vulnerable to external fraud risks. Future reports will also place greater emphasis on the profile of those committing fraud against the Commonwealth by including specific questions on the ‘most serious fraud’ case of internal fraud experienced during the preceding financial year.

This report, like previous AIC reports, shows the need for more consistent data-recording practices and measurement of fraud within agencies, particularly concerning the extent to which regulatory non-compliance ought to be included in the scope of the Guidelines and survey. Feedback from agencies highlights the fact that the definition of fraud in the 2002 Guidelines has been interpreted inconsistently by some Australian Government agencies. With the introduction of revised Guidelines in 2011 and improved data collection procedures which will clearly distinguish between non-compliance and fraud, future Fraud against the Commonwealth reports will be able to quantify more precisely the true nature and extent of the fraud experiences of all Australian Government agencies, both internally and externally.