Australian Institute of Criminology

Skip to content


This report presents the findings of the eighth annual survey of the fraud experiences of Australian Government agencies reported under the Commonwealth Fraud Control Guidelines, May 2002 (the Guidelines). The current report is based on information from the 2009–10 financial year, supplied by Australian Government agencies before 30 September 2010 in response to a secure, online questionnaire conducted by the Australian Institute of Criminology (AIC). At the outset, the nature of the Commonwealth’s fraud control arrangements is presented with a review of the nature and extent of public sector fraud risks Australian Government agencies currently face.

Commonwealth Fraud Control Guidelines

The Australian Government first released its fraud control policy in 1987. Changes in technology and Australian Public Service (APS) operations, particularly the use of third-party providers of services, led to reviews of the policy in 1994, 1999 and 2011. As a result of the 1999 review, the then Minister for Justice and Customs issued new Commonwealth Fraud Control Guidelines in May 2002 under rule 19 of the Financial Management and Accountability Act 1997 (FMA). The Guidelines apply to all agencies governed by the FMA Act and to bodies governed by the Commonwealth Authorities and Companies Act 1997 (CAC) that receive at least 50 percent of funding for their operating costs from the Australian Government or an Australian Government agency. The Guidelines do not apply to a CAC Act agency that does not receive this level of funding. Such agencies are, however, strongly encouraged to comply with the best practice standards set out in the Guidelines. Agencies are responsible for determining their funding status to ascertain whether the Guidelines apply to them.

Under the current Guidelines, agency chief executives are required to take a holistic and ongoing approach to fraud risk management as part of their governance obligations. They need to ensure that their staff are appropriately trained in fraud prevention, detection and investigative techniques. Chief executives are accountable to their portfolio minister for implementing a fraud control plan and for reporting on fraud within and against their agencies annually to enable the preparation of this fraud report.

Before 2006–07, the Attorney-General’s Department (AGD) was responsible for receiving and analysing information from agencies and producing the annual fraud report. In October 2006 the then Minister for Justice and Customs amended the Guidelines and transferred these responsibilities to the Australian Institute of Criminology (AIC). More general responsibilities for fraud control policy remain with AGD. The AIC was also asked to consider how best to enhance the quality of the annual fraud report to ensure that its findings could be used effectively to develop the Australian Government’s fraud control policy. Under paragraph 8.13 of the Guidelines, agencies are required to collect information on fraud victimisation and fraud control and to provide it to the AIC by 30 September each year.

In March 2011, AGD released an updated version of the Commonwealth Fraud Control Guidelines. The results of the 2009–10 data collection reported in this volume relate to the 2002 Guidelines, which were current at the time agencies completed the survey. Next year’s report for 2010–11 will traverse the period of change in the Guidelines—the revised Guidelines of March 2011 were operational at the time agencies completed the survey in September 2011. Information on the changes to the Guidelines will be reported in the 2010–11 report. For this report, however, reference to ‘the Guidelines’ is to the May 2002 version.


The nature of fraud

Fraud involves the use of dishonest or deceitful means to obtain some unjust advantage. Dishonesty is the key attribute that distinguishes fraudulent from innocent conduct. Rather than defining dishonesty in legislation, it is usually a matter of fact for juries to determine in criminal cases. Anyone can be a target of fraud, be it an individual or an organisation, and victims can be targeted by individuals or organised groups of individuals. Defining fraud is difficult because of the range of conduct that can involve dishonesty. The lack of an agreed operational definition of fraud is one of the enduring limitations to effective quantification of the scale of the problem. Fraud is not a new phenomenon but, as technology continues to advance and its use increases, there are additional challenges for those attempting to prevent and control fraud. Identity-related fraud and other technology-enabled frauds are increasingly areas of concern for both the public and private sectors. According to KPMG (2010), fraud and misconduct in all sectors remain serious issues in Australian and New Zealand.

Types of fraud

Credit card fraud

In the late 1990s a study by the AIC revealed that the credit/debit card industry was being targeted by organised crime, with vulnerabilities arising from the way in which credit/debit cards were issued and payments processed (Smith & Grabosky 1998). A continuing concern is the likelihood of hackers and other fraudsters gaining access to card numbers and other personal information electronically (Choo, Smith & McCusker 2007). In 2010, the KPMG Fraud and Misconduct Survey found that corporate credit card fraud represented 10 percent of all public sector frauds in Australia and New Zealand (KPMG 2010). Compared with the same KPMG survey conducted in 2008, credit card fraud decreased by three percent, while cheque fraud reduced by two percent to zero in 2010, which may be indicative of increased protections to prevent credit card fraud and the decreasing use of cheques. Data from the Australian Payments Clearing Association Ltd (APCA 2010) reveal that from 1 July 2009 to 30 June 2010 fraud perpetrated on Australian-issued payment instruments amounted to $200,232,941 involving 749,628 transactions, which represented 0.0099 percent of the value of all transactions during that year. APCA data also show that from 2008–09 to 2009–10 the total number of credit/charge card transactions increased by 10 percent, while from 2008–09 to 2009–10 the total number of fraudulent credit/charge card transactions increased by 37 percent. Although separate data are not available for public and private sectors, or organisations and individuals, it is clear that credit card risks arise for all who make use of them.

Financial reporting fraud

Auditing standard ASA 240 (AUASB 2006) identifies two types of financial reporting fraud:

  • misstatements resulting from misappropriation of assets; and
  • misstatements from fraudulent financial reporting.

Fraudulent financial reporting involves intentional misstatements, including omissions of amounts or disclosures in the financial report, to deceive financial report users. Fraudulent financial reporting may be accomplished by the following:

Manipulation, falsification (including forgery), or alteration of accounting records or supporting documentation from which the financial report is prepared; misrepresentation in, or intentional omission from, the financial report of events, transactions or other significant information; or intentional misapplication of accounting principles relating to amounts, classification, manner of presentation, or disclosure (AUASB 2006: 12).

This type of activity has contributed to a number of high-profile corporate collapses in Australia and the United States in recent years (eg Enron and WorldCom in the United States). As a result of these collapses, the US Government passed the Sarbanes-Oxley Act 2002, which tightened reporting requirements for companies and increased penalties for financial crime (Kroll 2007).

Intellectual property theft

With increasing electronic storage and transmission of information, managing and protecting intellectual property (IP) has become a high priority for organisations. Digitisation provides opportunities for IP theft without the theft becoming obvious or the thief being identifiable. Electronic surveillance and data-capture technologies can be used to steal commercial-in-confidence information or may be directed at electronic IP. Enhanced reverse engineering techniques (stripping down and analysing competitors’ products) also facilitate unauthorised access and exploitation of IP (Choo, Smith & McCusker 2007). The PwC (2010) survey found that 15 percent of respondents reported that IP affected their organisation; however, less than one-quarter of respondents believed that their organisation was well prepared to deal with significant IP theft (Ernst & Young 2010). As such, the PwC (2010) survey found a strong trend towards increased spending to protect information security. Governments, too, are at risk of IP theft, and the present survey includes loss of IP as one of the fraud categories for agencies to report on.

Social security fraud

Social security fraud involves giving false or misleading information, or omitting relevant information, to a government agency to receive a social security benefit to which one is not entitled. Benefits include unemployment benefits, disability pensions and family allowances.

In Australia, Centrelink administered $84.2b in payments to 7.02 million customers in 2009–10 alone. Centrelink’s large customer base leaves it particularly vulnerable to fraud. In 2009–10, Centrelink undertook 3.5 million eligibility and entitlement reviews, which resulted in 613,498 payments being cancelled or reduced and generated customer debts totalling $486m. These reviews identified the total number of incidents of customer non-compliance Centrelink identified for the year, a proportion of which entail criminal acts of dishonesty. Centrelink also makes use of the ‘Australian Government services fraud tip-off line’, which receives reports of suspected fraud against Centrelink, Medicare, the Pharmaceutical Benefits Scheme and the Child Support Program. In 2009–10, based on tip-offs alone, Centrelink conducted 43,726 customer entitlement reviews, which resulted in $101.8 million in debts and savings. In relation to incidents of serious non-compliance or fraud in 2009–10, Centrelink reviewed and investigated 24,517 suspected incidents of fraud worth approximately $76m. Of these, 4,608 cases of serious non-compliance or fraud were referred to the Commonwealth Director of Public Prosecutions for consideration of prosecution in 2009–10. Of these, 3,461 Centrelink cases were prosecuted, with a successful conviction rate of 99.3 percent and only 25 acquittals (Centrelink 2010: 72). Despite sophisticated fraud control measures, individuals still seek to obtain benefits illegally from Centrelink (see Box 1).

Box 1: Social security fraud

The defendant’s mother was in receipt of a Widows and Age pension from Centrelink. The defendant was his mother’s carer until her death on 4 May 1997. On 17 March 1998 the defendant represented to Centrelink that his mother was still alive and in receipt of her pension by applying for an advance payment, ostensibly on her behalf. Between 19 March 1998 and 19 June 2006 the defendant accessed his mother’s bank account and obtained more than $92,000. The defendant was in poor health and used the money for gambling. The defendant was charged with two counts of making a false representation to obtain a benefit from the Commonwealth pursuant to section 29B of the Crimes Act 1914 and one count of dishonestly causing a loss pursuant to section 135.1(5) of the Criminal Code Act 1995. On 31 March 2010 in the District Court at Parramatta the defendant was sentenced to a total of 16 months imprisonment to be served by way of home detention, to be released on recognisance after 10 months.

Source: CDPP (2010: 18)

Extent of fraud

It is difficult to obtain consistent data on fraud in Australian jurisdictions because of different information systems, legislative definitions, data collection practices and prosecution activity. Despite this, it is known that a substantial amount of fraud occurs in the Australian community, affecting individual consumers, businesses and government agencies.

Problems of measurement

There are many impediments to measuring fraud accurately. Part of the problem lies in the absence of agreed definitions, which has prevented data from being collected uniformly and consistently. Official statistics collected by police and other criminal justice agencies also only reflect matters that have come to the attention of the authorities. In the case of fraud, it is well known that such crimes are often undetected, unreported or not proceeded with by law enforcement agencies (Smith & Grabosky 1998). This creates difficulties for those seeking an accurate picture of the extent of the problem. Some victims, such as those who have given money to fraudulent and non-existent charities, may never realise that they have been victimised. Others, such as businesses and government agencies, may be unaware that employees have stolen inventory or stock.

Official statistics, particularly those relating to fraud and dishonesty offences, have limitations. The first of these, despite the best efforts of those involved, relates to accuracy. In addition, any changes in police detection rates, for example, or other factors that increase crime reporting and detection, can affect the number of incidents which appear in official statistics (Victorian Parliament Drugs and Crime Prevention Committee 2004). Similarly, changes in police agency resources and crime classification and recording practices can dramatically affect crime rates.

The other principal source of information on the extent of fraud comes from victim surveys and surveys of offenders. These may be carried out by interview or through self-report surveys. Surveys typically involve samples in which a small representative group is questioned and its responses used to predict the likely situation in an entire population. This, of course, introduces the possibility of error in predictions and the need for statistical controls to combat this. There are also problems of reliability (whether repeated surveys elicit the same answers from the same subjects) and validity (whether the survey is measuring what it is intended to measure) (Victorian Parliament Drugs and Crime Prevention Committee 2004).

In the case of public sector fraud, little information is available from victimisation surveys, as data gathered from organisations are rarely reported in a way that enables the experiences of public sector agencies to be disaggregated from the experiences of private sector organisations surveyed.

The circumstances and complexity of the offence may also make constructing a meaningful survey difficult. Problems of telescoping information (that is, including events outside the survey period), exaggerating facts or reporting selectively—all common problems with surveys and personal interviewing—can affect the accuracy of information gathered using conventional techniques. There may also be problems of veracity, where a manager may be reluctant to report circumstances that may be personally incriminating or which may attract negative publicity for the organisation. Finally, there may also be problems arising from organisational incentives which can skew the relative attractiveness of classifying losses as bad debt rather than fraud (eg when a credit card payment or other debt remains unpaid after only one or two initial payments).

Due to the difficulties in measuring the extent of fraud, generating an accurate picture of the cost of fraud has also been problematic. The difficulties in assessing the cost of fraud have been outlined previously by the AIC (Mayhew 2003; Rollings 2008). Alongside the challenges of obtaining good-quality data, there are also problems that stem from the volume of ‘hidden’ fraud. Hidden fraud, as defined by Mayhew (2003), consists of the frauds that, because of the level of deception involved in the incident, will go undetected and remain unknown to police and even the victims involved. As well as these problems of measurement, the costs of detected fraud are not always known, as victims might not be able to accurately estimate their losses. The result is that calculations of financial loss and other impacts can, at best, only be estimates and will invariably be lower than the actual loss suffered.

Problems of underreporting

Perhaps the greatest difficulty in assessing the extent of fraud lies in the fact that organisations are reluctant to officially report their experiences of fraud. This is evident from the results of KPMG’s biennial surveys of its clients on their experiences of fraud and how they deal with it (KPMG 2010, 2009, 2006).

The results of the KPMG Fraud and Misconduct Survey 2010 were derived from responses to a survey distributed among 18 sectors of Australia’s and New Zealand’s largest public and private sector organisations (KPMG 2010). The survey sought information about fraud incidents in the respondents’ business operations from February 2008 to January 2010. Usable responses were received from 214 organisations, representing just over 10 percent of the surveys distributed. It was found that 60 percent of major fraud incidents reported in the survey were referred to the police, which is a drop of three percent from the 2008 KPMG survey. This left 40 percent of fraud matters handled without police involvement. A range of other responses were reported, including internal and external investigations and the immediate dismissal of the individual in question. Some 59 percent of matters were dealt with by internal investigation, and in 37 percent of matters immediate dismissal occurred (KPMG 2010). In the case of fraud against Australian Government agencies, the Commonwealth Fraud Control Guidelines require agencies to deal with most matters internally, which means that less than one percent of incidents are referred for police investigation.

In 2010, a survey was undertaken of fraud perpetrated against not-for-profit organisations in Australia and New Zealand (BDO Chartered Accountants and Advisers 2010). Of the 272 responses received about perceptions and levels of fraud, only 43 percent indicated that they had reported cases of fraud to police—an increase of two percent in respondents who reported to the police from the 2008 not-for-profit survey. The not-for-profit sector reported having dismissed a greater number of employees who had committed fraud than KPMG reported, at 64 percent.

The reasons for non-reporting of fraud are well known. Some organisations may be unaware that employees have stolen stock or misappropriated equipment or misused services. In the case of online fraud, difficulties may arise in locating the offender, who may be a resident overseas or have used an anonymous re-mailing system to carry out the fraud. Often, the victims of economic crime may be unwilling to incur further time and expense in pursuing legal remedies (Smith 2008). There may also be a belief that there is inadequate proof, or that the matter is not serious enough to warrant police attention. There may also be a fear of reprisals if matters are reported or that the resultant publicity of security weaknesses could result in victims being targeted again, or a fear of losing business or of damaging commercial reputations. Many public sector agencies often do not like to admit that they have a problem (Smith 2008).

A victimised government agency may believe that adverse publicity could result in a loss of confidence among the general public or clients (PwC 2007). In KPMG’s 2010 survey, organisations surveyed indicated ‘minor nature of the incident’, ‘money/property was returned’ and ‘a lack of evidence’ as their main reasons for not reporting matters to the police (KPMG 2010:15). PwC (2007) found that when the fraud was committed by a person external to the company, the matter was more likely to be made public. In addition, the reluctance to spend money to recover debts and ‘sending good money after bad’, can lead to writing off losses rather than reporting and investigating them (Smith 2008: 387).

Estimates of extent and cost of fraud

Despite the difficulties associated with measuring the cost of fraud, there have been attempts through surveys and other means to demonstrate the extent of the problem in Australia and overseas. Research on the extent of fraud is sparse and often conducted by individual agencies using a small sample. While this means there is little generalisable data, there is information about specific fraud incidents experienced by companies, particularly those in the private sector. However, due to the inherent difficulties in measuring fraud, it is likely that some estimates will greatly understate the actual incidence and losses involved.


Fraud has been identified as the most expensive crime category in Australia. According to ABS (2011) reported statistics, fraud and deception-related offences was the largest category of all federal offences from all levels of Australian courts. According to KPMG’s 2010 Fraud Barometer for Australia, the cases going before Australian courts exceeded $100m (KPMG 2011). Rollings (2008) estimated that in 2005 slightly fewer than 100,000 cases of fraud were officially recorded by police, but that this, using Mayhew’s (2003) methodology, was probably only 25 percent of all the fraud cases that had actually occurred. Accordingly, there could have been approximately 400,000 cases of fraud that actually occurred in 2005 (Rollings 2008).

This finding is echoed in KPMG’s ninth biennial fraud survey in 2010, which reported that at least 50 percent of surveyed private entities experienced a fraud and 61 percent of the public sector experienced fraud (KPMG 2010). Recorded fraud in Australia was estimated to cost $5.88b in 2001–02, or 30 percent of the cost of all crime (Mayhew 2003). The total cost of fraud, including intangible costs and recovery costs, was estimated at $8.5b in 2005 using a slightly different method of calculation to that used by Mayhew in 2003 (Rollings 2008).

Findings from the 2010 KPMG survey showed the collective total value of public and private sector fraud costing $345.4m, an increase from the 2008 value of $301.1m (KPMG 2010). This figure, however, excludes personal fraud, which reportedly cost Australians $977m in 2006–07 (ABS 2008). Individual fraud losses were typically between $10,000 and $100,000; however, a small number of respondents reported having lost more than $1m in a single fraud (KPMG 2010). The public sector alone experienced more than $15.6m in fraud losses during the two-year period to January 2010 (KPMG 2010). Despite these estimates being derived using differing methodologies, the increase over this time can be attributed to increasing fraud, consistent with other international findings.

Money was often not recovered following major fraud incidents. According to KPMG’s survey results, no losses were recovered in 61 percent of major fraud incidents reported. This represented a substantial deterioration from the 2008 results, where no losses were recovered in 42 percent of major fraud incidents reported in the survey (KPMG 2010, 2008).

Not surprisingly, the size of an organisation correlated with the level of risk for fraud. In all three KPMG surveys (2010, 2008, 2006), it was found that the level of fraud was higher in larger organisations. In 2010, the most common type of major fraud was theft of cash (18%), followed by false invoicing (11%), consistent with the 2008 findings. Fraud was more likely to be committed by outsiders rather than an employee of an agency; however, the largest frauds were ‘inside jobs’ and, consistent with previous years, internal controls were the most effective means of detecting fraud (KPMG 2010). PwC found in its 2009 survey that, while internal audit remained vital to the detection of fraud, there was a clear decrease in detecting fraud through this method, whereas anti-fraud controls, especially risk management, were reported as having detected an increasing number of frauds in the 2009 survey.

International environment

Between November 2009 and February 2010, Ernst & Young (2010) conducted its eleventh global fraud survey and interviewed 1,409 respondents from 36 countries. Almost four percent (n=52) of respondents were from Australia. Of these, eight percent had experienced a significant fraud incident within the preceding two years, somewhat less than the global average of 16 percent. However, measures required to manage and mitigate the risk of fraud were not increasing at a comparable rate with the increased occurrence of fraud (Ernst & Young 2010).

In July and August 2010, Kroll (2010) commissioned the Economist Intelligence Unit to conduct a worldwide survey on fraud. More than 800 senior executives took part in this survey, with 29 percent of the respondents based in North America, 25 percent in Europe, 24 percent in the Asia–Pacific region (47 percent of which were from China and India) and 11 percent each from Latin America, the Middle East and Africa. The survey covered 10 industries, with no fewer than 50 respondents drawn from each industry group. The survey found that 88 percent of companies were affected by at least one fraud in the preceding year, which remains broadly consistent across regions and preceding surveys. The average company surveyed lost US$1.7m to fraud compared to US$1.4m in 2009.

The 2010 Kroll survey examined fraud experiences more deeply than previous surveys and uncovered a range of emerging trends in risk, including increased risk of theft of information and electronic data; corporate information technology systems increasingly being under threat; companies being unprepared for increasing regulatory efforts against corruption; and fraud being most often an inside job (Kroll 2010). In the Asia–Pacific region, Kroll (2010) reported that 92 percent of companies were affected by fraud, up from 82 percent in 2009. Specifically, IP theft (16%) and money laundering (9%) were reportedly the highest of any region in the previous 12 months (Kroll 2010). Much of the fraud exposure (34%) was attributable to high staff turnover in the region (Kroll 2010).

The 2010 Report to nations on occupational fraud and abuse, compiled by the Association of Certified Fraud Examiners, is based on 1,843 cases of occupational fraud reported by Certified Fraud Examiners who investigated them in more than 100 countries. These investigations found that typical organisations lost around five percent of their annual revenue to fraud, translating to a median loss of US$160,000, but nearly one-quarter of the frauds totalled at least US$1m. The Certified Fraud Examiners determined that frauds were more likely to be detected through tip-offs than by any other means. Interestingly, it was found that small organisations were disproportionately victimised by occupational fraud, often due to a lack of ‘anti-fraud controls compared to larger counterparts, which makes them particularly vulnerable to fraud’ (ACFE 2010: 4). This finding is not supported by KPMG (2010), which found that organisations with fewer than 500 employees experienced less fraud than organisations with more than 500 employees.

BDO Chartered Accountants and Advisers (2010) conduct biennial surveys on fraud in the not-for-profit sector in Australia and New Zealand. The most recent survey was conducted in 2010 and involved a sample of 272 organisations—a reduction from the 384 organisations surveyed in 2008. Of these, 15 percent had experienced fraud in the previous two years, compared with 16 percent in 2008 and 19 percent in 2006. A total of $1,071,851 was lost to fraud, representing $14,291 per incident. Cash theft (24%) accounted for the largest type of fraud, often committed by paid employees in their thirties or forties over an average period of 10 months. As also found in similar surveys, fraud increased as turnover increased and in 67 percent of frauds no money was recovered. This represented an increase of 23 percent from the 2008 survey. Internal controls were the most common way to detect fraud: 40 percent of frauds were discovered through this method and a further 31 percent detected through tip-offs.

The PwC (2009) Economic Crime survey questioned 3,037 respondents from 54 countries using a web-based questionnaire. Of these respondents, 30 percent reported experiencing at least one fraud incident in the previous two years. As with KPMG’s findings, fraud incidents increased with employee numbers. The most common method for detecting fraud incidents was identified as ‘chance’.

Perpetrators of fraud

In its survey of business fraud in Australia and New Zealand KPMG (2010) found that 65 percent of major frauds, which resulted in 98 percent of losses, were committed by employees within the victim organisations, who generally acted alone. KPMG (2010) found that in public sector agencies, 90 percent of frauds were committed internally, with management responsible for more of the total value of fraud than non-management employees (85% compared with 7%). Only eight percent of the total value of fraud was committed by external parties.

Similarly, in 2006 and 2008, fraud was most likely to be perpetrated by an employee within the non-financial sector (54% and 57% respectively); however, as the counting rules changed between 2008 and 2010, direct comparisons cannot be made. These findings contrast the situation experienced by Australian Government agencies, where the vast majority (99.6%) of fraud incidents were perpetrated by individuals outside agencies.

Using the results of the survey, KPMG (2010 17) created a profile of the ‘typical’ fraudster across all sectors, who was likely to be:

  • a male, non-managerial employee of the victim organisation, acting alone with no known history of dishonesty;
  • a male, aged 38 years and earning $113,000 per annum;
  • employed by the organisation for a period of five years and having held the current position for three years at the time of detection;
  • motivated by greed, misappropriating cash to an average value of $229,000; and
  • detected by the organisation’s internal controls 12 months after the commencement of the fraud.

The profile contained characteristics which were largely the same as the ‘typical’ fraudster identified in 2006 and 2008 (KPMG 2010) and closely followed the profile of convicted serious fraud offenders found by the AIC and PwC in 2003 (Smith 2003).

In relation to the motivations of offenders, previous research by the AIC and PwC (Smith 2003) and KPMG (2010) has shown that fraud offences are most often committed as a result of gambling problems, either as a means of obtaining funds for gambling or as a way of settling gambling debts. Increasingly, however, the primary driver of fraud is personal greed and a desire to maintain a certain lifestyle, which reportedly accounted for almost 93 percent of respondents to the 2010 KPMG survey. Given the full impact of the global financial crisis, personal financial difficulties also provide an important motivator (3%) (KPMG 2010; see Levi & Smith 2011 for a discussion of the role of the global financial crisis on the incidence of fraud). Identifying individuals who may be affected by these factors represents a valuable way of preventing fraud.

In relation to ‘the absence of capable guardians’ as a reason for why fraud occurs, relevant factors can be grouped into five categories:

  • regulatory failures (breach of regulatory provisions);
  • accounting/auditing failures (failure to detect accounting irregularities);
  • security failures (computer security weaknesses, poor cash controls etc);
  • prudential failures (failure to conduct creditworthiness checks etc); and
  • personnel failures (eg staff screening, supervision and monitoring).

The study by the AIC and PwC (2003) found the following evidence of these factors. Overall, prudential failures to do with providing finance and credit and verifying the backgrounds of applicants for finance were the highest areas of risk, followed by personnel failures involving inadequate supervision and control of staff in organisations. Accounting and auditing failures were also frequently present and arose in almost one-quarter of cases. In the private sector, prudential failures represented the highest risk category, while in the public sector there were similar numbers of cases involving prudential failures and accounting and auditing failures (Smith 2003).

The nature and extent of public sector fraud

Types of public sector fraud

As with all types of crime, there are three generally recognised requirements for fraud to occur. There must be the presence of an opportunity, a suitably motivated offender and the absence of capable guardianship to prevent the crime from taking place (Clarke & Mayhew 1980). If all three elements are present, then the risk of fraud is enhanced. In the public sector, opportunities arise for both internal and external fraud. The principal opportunities for internal fraud arise from poor risk management, lax internal controls and deficient recruitment practices. Risks for external fraud arise from the provision of new benefits, new taxes, procurement and the use of consultants.

The introduction of the Clean Energy Future legislative package in 2011 in Australia, which is a core element of the Kyoto Protocol, poses new public sector fraud risks for Australian Government agencies. Some of the potential risks associated with carbon reduction schemes include the possibility of fraudulent reporting of emissions and manipulation of the financial instruments and transactions used in the schemes. Potential fraud vulnerabilities may be averted through targeted risk prevention planning activities.

Since the introduction of the European emissions trading scheme, there have been two major fraud attacks resulting from poor levels of security. The first, in February 2010, was a phishing attack in which traders were asked to revalidate their information via a fabricated web link, which led to the theft of 250,000 carbon allowances worth over €3m at the time (Macalister & Webb 2011). The second occurred in late January 2011, when cyber thieves stole around €30m worth of carbon allowances from several national registries in the European emissions trading scheme (Lockhart 2011). These attacks have met with criticism concerning the level of security required along with ‘calls for an EU-backed insurance fund to be established to cover any such losses’ (Macalister & Webb 2011). It is evident that ‘no system could ever be 100 percent fraud proof, despite promises by the commission to tighten software security in the light of the growing problem with fraud’ (Macalister & Webb 2011). More recently, the Australian Crime Commission has also raised concerns over the potential for carbon reduction schemes to be manipulated by organised crime groups for financial gain (Barrett 2011).

New technologies have also provided new fraud risks for government. Risks have arisen with e-government in connection with online benefit payments and e-tax systems. New payment systems such as chip/PIN cards and online banking have created further opportunities while reducing other risks. The use of mobile devices and wireless networks in the public sector creates other vulnerabilities. These include conventional risks associated with the misuse of identities and documents used for identification, as well as the risk of offenders gaining unauthorised access to computers and wireless networks which have inadequate security measures in place.

Fraud can also arise in connection with the corruption of public servants who may conspire with others to provide access to secure systems in return for a benefit (see Smith & Jorna 2011). In KPMG’s (2010) latest survey, collusion between criminals and insiders was found to be present in 23 percent of cases, a slight increase from the 2008 survey. This figure is greater than the results in the 2008–09 and 2009–10 Fraud against the Commonwealth reports, which found just over seven percent (n=10 in both years) of agencies experienced frauds involving collusion between internal and external parties.

Grabosky (1991: 7) described three areas in which government agencies may be vulnerable to fraud:

There are three basic modes of government activity in which fraud can occur—paying, collecting and contracting. Governments bestow a variety of benefits, subsidies, and payments to individuals and organisations. Not all recipients are entitled to what they receive. Governments collect revenues from individuals and organisations, in the form of taxes and duties, or as payment for services. There are those who do not pay what is due.

Governments themselves are consumers of goods and services. There are those providers of goods and services who charge the government for goods not delivered or for services not rendered, or who knowingly provide defective or substandard products. Beyond this, governments control billions of dollars of capital resources, some of which are vulnerable to conversion for private use by unauthorised persons.

Governments may also be vulnerable to other frauds, such as identity fraud, corruption and theft. Direct theft may occur where employees steal petty cash or remove government property. More covert forms of theft involve the abuse of government facilities, such as the unauthorised use of motor vehicles and computers. Corruption can be involved when government employees abuse their position by accepting bribes to grant licences for which there is no entitlement or to charge governments for goods or services which are not in fact provided (Grabosky, Smith & Dempsey 2001). Government departments may also be grossly overcharged or purchase specific goods and services that they would not need if not for the corruption of insiders.

Identity fraud can affect governments through people claiming benefits they are not entitled to or by gaining employment through using a false or fraudulent identity. However, identity frauds inadvertently facilitated by the government can then extend to frauds being committed against the private sector. For example, by fraudulently gaining citizenship or a work visa, perpetrators are then presented with the opportunity to commit fraud against new employers or companies by using the documents and status the government has inadvertently provided. Likewise, identity frauds committed against, or using intellectual property from, the private sector can then provide offenders with the basis from which to defraud the government. Therefore, the risks of fraud against the government operate in two parallel directions, both increasing and being increased by frauds committed against the private sector.

It is difficult to properly characterise such acts and know whether they should be described as crimes of theft, or merely ‘leakage’ of government resources due to poor internal controls. The scale of such conduct also varies considerably from the trivial—an extended lunch break—to the serious—a large-scale revenue fraud. In the private sector it is now accepted that the ‘risk of fraud is part of doing business’ (Kroll 2009: 2) and that ‘fraud is one of the most problematic issues for business worldwide’ (PwC 2007: 4).

While 59 percent of organisations surveyed had policies in place to encourage activities to ensure due diligence of suppliers and business partners, these may not be effective (KPMG 2010). According to survey results, around 25 percent of Australian companies infrequently or never conduct risk assessments on companies before acquiring services and up to 54 percent infrequently or never conduct risk assessments after the acquisition (Ernst & Young 2010). As such, ongoing development of prevention and management techniques is required in both the public and private sectors to protect revenue, expenditure and property from fraudulent and dishonest activities.

The threat to governments often differs based on whether the fraud is committed by an employee or an external party. Internal and external fraud incidents can be counted as separate phenomena as, except in cases of collusion between internal and external parties, the methods used to carry out attacks and the desired benefits are often different. The benefits obtained through fraud can be either tangible or intangible and the methods used are highly variable. Examples of possible methods used in fraud attempts against government agencies include:

  • hacking into, or interfering with, a Commonwealth computer system;
  • creating and using a false identity to obtain income support payments;
  • using Commonwealth systems to gain access to other systems without authority;
  • charging the Commonwealth for goods or services that are incomplete or not delivered;
  • hiding or disposing of assets by bankrupts to avoid paying creditors; and
  • making false statements under the Commonwealth Electoral Act 1918.

Box 2: Excise fraud

A shipment arrived in Australia containing a concealed shipment of 3,000,000 cigarettes, which was not declared. The contents of the shipment were concealed among car batteries to avoid an excise duty payment of $715,200. Australian Customs and Border Protection Service seized the cigarettes on detection and the defendant was charged with one count of dishonestly causing a loss to the Commonwealth. Further, the defendant had used a false name in the organisation of the offence to avoid detection. The defendant pleaded guilty and was sentenced to two years imprisonment to be released forthwith on condition that he be of good behaviour for two years.

Source: CDPP 2010

Extent of public sector fraud

There has been little systematic quantitative research undertaken into the nature and extent of the losses that governments have sustained through fraud, other than the AIC’s annual surveys. Although some, but by no means all, agencies record information on the extent of fraud for their own internal fraud control purposes, they rarely share this information publicly. Often all that is known is what is mentioned in brief summaries provided in annual reports or media reports of cases involving prominent figures. Many governments would prefer that their fraud experiences are never made public to avoid criticism for not having appropriate preventive measures in place. The problem was described in the United Kingdom as follows:

Fraud is massively underreported. Fraud is not a national police priority, so even when reports are taken, little is done with them. Many victims therefore don’t report at all. So, the official crime statistics display just the tip of the iceberg, and developing a strategic law enforcement response is impossible because the information to target investigations does not exist (Attorney-General’s Office 2006: 7).

The United Kingdom National Fraud Authority (NFA) highlighted in its National fraud indicator report the importance of disseminating information on fraud in the public domain to enhance the understanding of it, as highlighted below:

Although the figure is significant in its own right, providing an unmistakable indicator of how serious an issue fraud is for the United Kingdom, it serves a wider purpose. It enables the counter-fraud community ... to better target its approach to tackling fraud. It provides signposting to fraud trends and hotspots and establishes a benchmark to measure success. It also provides the impetus to encourage industry and government to invest the necessary levels of resource required to combat a crime that deeply affects the public and private sectors and individuals (NFA 2010:3).

The ninth KPMG biennial fraud survey in 2010 isolated the public sector responses, which provided a snapshot of the prevalence of fraud in the public sector. Based on the responses provided, total public sector loss was estimated to be more than $15.6m, which only represented five percent of the total fraud estimated across all sectors in the reporting period (KPMG 2010).

At an international level, the NFA (2010) attempted to estimate the cost of fraud in the United Kingdom, concluding that in 2009–10 national public sector losses in the United Kingdom were conservatively estimated at £38.4b per annum, which equated to £621 per adult of the United Kingdom population. This figure took into account, the public (£21.2b) and private sectors (£12b), and individual (£4b) and charity sector (£1.3b) frauds (NFA 2011:7).

At a local level in the United Kingdom in 2008–09, public sector losses were estimated at £21.2b per annum, which was a significant increase from the 2008–09 estimates of £17.6b (NFA 2010). Public sector frauds were broken down as follows:

  • £15 b in tax fraud;
  • £1.5b in fraud relating to benefits and tax credits;
  • £2.1b in frauds against local government; and
  • £2.6b in frauds against central government (NFA 2011:7).

Although not costing as much as in the United Kingdom, public sector fraud in Australia is considerable, costing the Australian Government almost half a billion dollars in 2009–10, as reported below. It appears, however, that the extensive fraud control measures adopted in recent years might be starting to pay dividends, with reported fraud declining in Australia in recent years.