Auditor General’s overview
Fraud is an ever-present risk, including in the public sector, and experience tells us that risk can become real. When it does, money meant to fund services for some of the most vulnerable in our community is stolen for personal gain, and the trust between entities, their staff and the people they serve is damaged and needs to be regained.
In announcing additional funding for my Office to establish a Forensic Audit team, a first for an Australian audit office, the Government sent a clear signal that it expects the sector to do everything it can to minimise the risk of fraud and avoid its damaging consequences. It also reflected the opportunity for a cultural uplift in fraud awareness and resilience across the sector. Over the last 18 months we have been working hard building a capability that can be a catalyst for that change and this report provides transparency to the Parliament and accountability by my Office for that work.
I want to be clear with Parliament and the sector about where forensic audit fits and how it will operate. This new function is not a substitute for the responsibilities that entity management have in deterring and detecting fraud, nor does it duplicate the investigative and law enforcement roles of bodies like the Corruption and Crime Commission and the WA Police Force. Instead, we will fill the gap between them, highlighting vulnerabilities to fraud where we find them, and reporting and referring to the relevant entity if we form a genuine suspicion of fraud.
My Office’s Forensic Audit team will deliver a risk driven program of audits to identify vulnerabilities to, and indicators of, significant fraud by combining strategic intelligence, data analytics and audit methodology. The Forensic Audit team will also support our other assurance activities in financial, performance and information systems audit.
We are “building by doing”, so at the same time as making significant progress developing the capability we need, we also have a number of audits in progress. They are focussing on identified risks in procurement, contract management and assets and are using the combined skills of the team. I will report my findings to Parliament in the appropriate way once those audits are complete.
An effective catalyst for change will depend on cooperative relationships across the sector, which we have been developing since the inception of the Forensic Audit team, and providing opportunities for the sharing of anti-fraud practices. To that end, we hosted the first Fraud Resilience Forum in October of this year with participants from 30 Western Australian public sector entities. We are also planning to deliver a better practice guide on fraud risk assessment in 2022.
I am proud to present this first Forensic Audit Report on the establishment phase of our new function and thank all in our Forensic Audit team for their contribution during this exciting chapter for the Office. I am sure that, based on the strong foundations we have laid, next year’s results report will show further increased capability and delivery, and a clear contribution to improving fraud resilience across the public sector.
The foundation of our forensic audit function
The request to develop a forensic audit capability
Recent fraud and misconduct cases across the Western Australian (WA) public sector, particularly the significant fraud by a former senior executive within the Department of Communities, highlighted a need to strengthen WA public sector entities’ resilience to fraud and corruption (Figure 1).
Concerns around integrity frameworks and fraud resilience were highlighted in both the 2018 Langoulant report (Special Inquiry into Government Programs and Projects) and the 2020 Red flags…red faces report by the Joint Standing Committee on the Corruption and Crime Commission.
Following a request from the Premier and then Treasurer to the Auditor General in December 2019, the State Government announced the Office of the Auditor General (OAG) would receive additional funding of $8.9 million over 2019-20 to 2022-23 to conduct targeted forensic audits of entities’ contract management and systems, supported by data analytics.
The Forensic Audit team was established in March 2020. While other Australian audit offices have data analytics and some investigative functions, we are the first jurisdiction with a dedicated forensic audit capability.
Purpose of forensic audit – improving resilience to fraud and corruption
Our purpose is to improve resilience to fraud and corruption across the WA public sector by conducting targeted, risk based, forensic audits that identify vulnerabilities to, and indicators of, significant fraud in State government entities. We are not currently funded to do this for local government entities.
We will report the findings of our audits to Parliament and entities, and share lessons and learnings across the entire sector.
Our findings can educate all public sector entities about vulnerabilities within fraud prevention and detection frameworks. We will also facilitate the exchange of best practice across the sector.
Our reports will detail fraud and corruption vulnerabilities that we identify and provide recommendations for improvement. Where we discover indicators of potential fraud or corruption, entities will be given relevant information and supporting evidence to enable them to investigate further.
We will provide Parliament with an annual results report, summarising our activities and results for the year and, as appropriate, public or confidential individual audit reports via our oversight committees (Public Accounts Committee and Estimates and Financial Operations Committee).
Should we obtain sufficient evidence to justify a reasonable suspicion of fraud or corruption by public officers, we will make referrals to, as relevant and appropriate, the Corruption and Crime Commission (CCC), Public Sector Commission (PSC) or the WA Police Force (Police) who may then conduct further investigation.
To improve resilience and overall accountability in the sector, our Forensic Audit team is already working closely with our other audit teams to build our collective view of financial misappropriation risk in the sector, and to inform our overall financial, performance, information systems and forensic audit programs and approaches to address those risks.
Forensic audit does not replace internal fraud management or external investigative and enforcement roles
Each public sector entity’s accountable authority is responsible for establishing governance arrangements and financial management controls, including the processes and systems to prevent and detect fraud or other unlawful activity. The best way to manage an entity’s risks is building strong integrity frameworks with multiple lines of defence. Integral to the strength of these frameworks is a culture that encourages ethical behaviours, built on the foundational mission of best serving the public interest with honesty, transparency and integrity.
The 4 lines of defence model (Figure 2) is a visual representation of the different mechanisms (defences) which all work together to provide a coordinated approach for managing the risk of something going wrong within entities, including the risk of fraud.
The model identifies 3 lines of defence within the entity. External auditors, regulators, parliamentary committees and other integrity and oversight bodies form the 4th line of defence. As important as this 4th line of defence is, the strength of an entity’s own first 3 lines is the main determinant of the effectiveness of its integrity framework in deterring and detecting fraud and corruption.
Primary responsibility for the detection, investigation and prevention of irregularities, fraud, illegal acts and errors always rests with entities. Integrity or accountability bodies should not be seen as a replacement for robust and standardised internal controls, management oversight and internal audit committee support.
In the same way that our Forensic Audit team is not a substitute for management’s role in ensuring adequate fraud deterrence and detection in an entity, it is also not an investigative or law enforcement unit (Figure 3). We do not undertake misconduct or criminal investigations but will work closely with those bodies, not only as required after forming a reasonable suspicion of fraud in an entity, but to also understand fraud and corruption risks in the sector.
What we are building – a new and unique function
The journey so far
Forensic audit is a new and unique function for an Australian audit office. As such, we are defining its purpose, key principles and ways of working from scratch, and discovering its constraints. Our approach is methodical and informed by principles and expertise drawn from the audit profession, and from other disciplines like counter-fraud and forensic financial investigations. We are bringing together the team, technology, tools and processes to deliver quality, rigour and productivity.
The forensic audit cycle
The forensic audit cycle continuously applies data analytics, strategic intelligence and audit methodology to recommend, conduct, evidence and inform audits (Figures 5 and 6).
How we target forensic audits
Our approach to targeting forensic audits is driven by an assessment of risk at a sector, entity and activity level supported by intelligence gathered through various mechanisms and data analytics.
Selecting an entity for a forensic audit does not mean we suspect fraud or corruption is occurring within that entity. Our intent is, preferably, to identify vulnerabilities in higher risk entities or activities that can be eliminated before actual fraud has occurred. But we are realists, and recognise our forensic audit work may detect wrongdoing that will need to be referred.
We assess entity risk by analysing indicators of internal deficiencies and fraud exposure, and activity risk by analysing an activity’s susceptibility to fraud.
Forensic audit targeting identifies a high-risk entity and its activities or a high-risk activity and the entities most significantly exposed to that activity (Figure 7). High risk entities intersecting with high-risk activities are prioritised for targeted forensic audits.
Our risk driven approach then examines those entities and activities to further profile potential fraud risks specific to the entity (e.g. within the procurement process, one entity may appear high risk for vendor management fraud whereas another may appear highly exposed to potential bid-rigging).
Conducting a forensic audit
Once the activity and the potential fraud risks are identified (the audit scope), we engage with the entity to understand the processes associated with that fraud risk, and consider the applicable tests and techniques to identify vulnerabilities to, or instances of, that fraud, and the data needed to conduct the tests.
Any anomalies found by our data analytics will be reviewed and verified by our forensic auditors and shared with our intelligence function. This is an iterative process enabling us to refine our approach during the audit.
Identified vulnerabilities to, and potential instances of, fraud will be reported to the entity. Subject to those findings, opportunities for public sector improvement will be reported via public reports to Parliament or in our annual results report.
At each stage of the process the Forensic Audit team conducts a quality and risk review and seeks approval from the Auditor General to continue the audit and for any changes to scope, methods, timeline and budget.
Establishing a quality framework for forensic audit
Specific standards for forensic audit do not exist, so we are drawing on the principles in audit and accounting standards and other professional practices to underpin the development of our methodology and approach to forensic audit. In particular we have identified the ethical principles that underpin and guide our work (Figure 8).
We are developing and applying quality assurance processes at key stages and a methodology and governance framework to manage identified risks, test conclusions and ensure clear communication of findings and recommendations. This includes protocols around the data we collect, store and analyse, to ensure it is secure and protected, and with an awareness that it may at some point be of interest to law enforcement.
As an example, for our Public Building Maintenance [1] performance audit (discussed under “Supporting our Performance and Financial Audit teams”) we engaged an external data analytics team to provide quality assurance of our data analytics work. We have incorporated their review recommendations for improvements into our forensic audit policy and processes, and have already applied these to subsequent work.
As audits progress, we will refine our framework to provide a robust process that is practical, efficient and appropriate to our work. The current key elements of our framework are:
- quality control
- identifying and proposing suitable topics
- planning and management of a forensic audit
- collecting and analysing robust evidence
- writing and delivering clear and concise reports
- learning lessons and sharing key issues.
Building our multidisciplinary team
We were fortunate to receive a highly experienced senior Australian Federal Police officer on a 12-month placement to establish the Forensic Audit team through initial recruitment and forming working relationships with relevant State and Commonwealth entities. This officer brought unique experience and new skills to the OAG, having been heavily involved in organisational capability building, including with entities involved in data analytics, probity in major procurements and financial crime.
From this strong foundation we continue building a team that is agile, adaptable and innovative to meet the challenges of changing fraud typologies and technologies.
Growing from 2 people in 2020 to 13 in 2021, we continue to build our multidisciplinary team’s diverse subject matter expertise (Figure 9) by investing in industry training in fraud risk management and detection, audit and data analytics.
Peer reviews assessed our early approach to a new function
We commissioned an external review of the establishment of our Forensic Audit team, engaging an experienced private sector forensic accounting professional to assess our early approach against best practice. The review considered the effectiveness of our initial processes and procedures, how we targeted our audits, technical infrastructure needs, skills mix and strategic plans. As well as providing assurance to our Executive team, the review allows us to provide comfort to Parliament and the community of the rigour of our approach and demonstrate our commitment to continuous review and improvement.
In confirming that our initial approach was sound, the establishment review:
- enabled a refinement of our purpose and enhanced our focus on the structures, processes and skills required over time to deliver on that purpose
- highlighted risks to manage including expectation gaps about what we do and educating stakeholders about how this unique function fits in the public sector integrity framework
- identified several recommendations in terms of our resources, activities and processes including:
  - building our forensic team through specialist training
  - consolidating relationships with other entities for intelligence sharing
  - establishing a co-investment model for data analytics support across the OAG
  - embedding an intelligence-led framework to identify and target high risk entities and select high fraud risk activities.
To efficiently and effectively target our forensic audit work we need to be intelligence-led and risk-driven. To help us accelerate the development of our intelligence capability we commissioned an additional external review into how we gather, use and share information and intelligence. An intelligence specialist with national security and State sector leadership experience provided recommendations that have enabled us to define and design an intelligence function that will identify existing and emerging areas of high fraud risk in the public sector.
The specific intelligence products the team produces will inform risk assessments and forensic audit selection and design. Over time the Forensic Audit team and products will provide similar support to our other audit divisions.
Embedding technological expertise
We have embedded data science specialists with auditors to create a unit that combines fraud risk, audit and data analytics capability.
Our data science specialists have been building our capabilities by:
- using recognised industry coding languages and working side-by-side with our auditors to design solutions for data preparation, exploration, testing and analysis
- developing data governance systems to ensure reliability, repeatability and auditability of our process
- working closely with the IT team to ensure the segregation and security of data, infrastructure support and hardware
- testing applicable supporting analytics software including an extensive pilot project testing system capability on audit data
- commissioning an external quality assurance review.
After piloting a number of approaches to address our ongoing technology needs, we are likely to use a hybrid of internally developed and externally sourced tools and technologies and continue to acquire and embed new software to ensure we meet industry standards. This will best enable us to customise our analysis to meet varying demands and continue key analytics activities such as developing repeatable fraud tests, preparing entity reporting dashboards, sharing files, automating data ingestion and tracking user activity efficiently.
As an example of our analytics activities, we are building a relational platform that can be used to repeatedly assess potential direct and indirect undisclosed connections between public sector entity staff and suppliers to those entities. This platform uses information taken from the State government entity and cross references it against Australian business records such as the Australian Business Register and the Australian Securities and Investments Commission’s company information.
Challenges with data access and analysis
Our forensic examinations require data from various sources and from multiple data systems within an entity. Data quality and extraction difficulties have presented significant challenges on several projects.
Across the WA public sector there is no common finance system or chart of accounts (data library) and there are very few ‘whole of government’ data sets. This is not dissimilar to many other jurisdictions. It means that almost every entity has its own finance system and, while there are common approaches, they are generally each configured in their own way, depending on the supplier, the age of the system and preferences and judgement of the entity’s implementation team. As a result, obtaining datasets is not simple, and the data may require significant effort to extract, sort and cleanse before it can be analysed.
Since there are no sector wide policies on data consistency, it is common to receive data that is incomplete and populated with errors. Some common themes are:
- poor data entry / checking (additional ‘0’ entered or missing content)
- inconsistent data (e.g. using ‘Unit 1’, ‘1/’ or ‘u1’ to represent the same detail in an address).
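The address inconsistency listed above and the staff-to-supplier cross-referencing described under “Embedding technological expertise” can be illustrated together. This is an added example, not OAG code: every record, field name and ABN is constructed, the director list stands in for a business-register extract, and the ABN check is the standard published checksum rather than anything this report specifies.

```python
import re
from collections import defaultdict

# Street-type spellings folded to one token (constructed, not exhaustive).
STREET_TYPES = {"STREET": "ST", "ROAD": "RD", "AVENUE": "AVE", "DRIVE": "DR"}
ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)


def normalise_address(raw):
    """Fold 'Unit 1, 12 ...', '1/12 ...' and 'u1 12 ...' into one match key."""
    text = re.sub(r"[.,]", " ", raw.upper())
    # 'UNIT 1 12 ...' or 'U1 12 ...' becomes '1/12 ...'
    text = re.sub(r"^\s*(?:UNIT|U)\s*(\d+[A-Z]?)\s+(\d+)", r"\1/\2", text)
    # '1 / 12' becomes '1/12'
    text = re.sub(r"(\d+[A-Z]?)\s*/\s*(\d+)", r"\1/\2", text)
    return " ".join(STREET_TYPES.get(tok, tok) for tok in text.split())


def normalise_name(raw):
    """Upper-case, drop punctuation and collapse whitespace."""
    return " ".join(re.sub(r"[^A-Z ]", " ", raw.upper()).split())


def abn_is_valid(raw):
    """ABN checksum: 11 digits, subtract 1 from the first, weighted sum % 89 == 0."""
    compact = re.sub(r"\s", "", raw)
    if not re.fullmatch(r"\d{11}", compact):
        return False  # catches an additional '0' or a missing digit
    digits = [int(c) for c in compact]
    digits[0] -= 1
    return sum(d * w for d, w in zip(digits, ABN_WEIGHTS)) % 89 == 0


def find_undisclosed_connections(staff, suppliers, directors, declared):
    """Return (leads, rejected).

    leads: sorted (staff_id, abn, reason) tuples not covered by a declaration.
    They are candidates for auditor review, not findings of wrongdoing.
    rejected: supplier rows whose ABN fails validation and needs fixing at source.
    """
    leads, rejected = set(), []
    by_address, valid_abns = defaultdict(set), set()
    for row in suppliers:
        abn = re.sub(r"\s", "", row["abn"])
        if not abn_is_valid(abn):
            rejected.append(row)  # do not guess which digit is wrong
            continue
        valid_abns.add(abn)
        by_address[normalise_address(row["address"])].add(abn)

    by_director = defaultdict(set)
    for row in directors:
        abn = re.sub(r"\s", "", row["abn"])
        if abn in valid_abns:
            by_director[normalise_name(row["director"])].add(abn)

    for person in staff:
        sid = person["staff_id"]
        # Direct connection: staff member and supplier share an address.
        for abn in by_address.get(normalise_address(person["address"]), ()):
            leads.add((sid, abn, "shared address"))
        # Indirect connection: staff name appears as a director of the supplier.
        for abn in by_director.get(normalise_name(person["name"]), ()):
            leads.add((sid, abn, "listed as director"))
    return sorted(l for l in leads if (l[0], l[1]) not in declared), rejected


# Constructed sample data. The ABNs pass the checksum but are made up.
STAFF = [
    {"staff_id": "S001", "name": "Alex Example", "address": "Unit 1, 12 Smith Street, Perth"},
    {"staff_id": "S002", "name": "Jo Sample", "address": "7 Jones Rd, Fremantle"},
    {"staff_id": "S003", "name": "Kim Placeholder", "address": "12 Smith St Perth"},
    {"staff_id": "S004", "name": "Sam Declared", "address": "3 King Ave, Perth"},
]
SUPPLIERS = [
    {"abn": "10 000 000 032", "name": "Constructed Cleaning", "address": "1/12 Smith St, Perth"},
    {"abn": "10000000064", "name": "Constructed Plumbing", "address": "99 Other Road, Perth"},
    {"abn": "10 000 000 0032", "name": "Constructed Electrical", "address": "u1 12 smith st perth"},
    {"abn": "10 000 000 096", "name": "Constructed Gardens", "address": "3 King Avenue Perth"},
]
DIRECTORS = [{"abn": "10000000064", "director": "JO  SAMPLE"}]
DECLARED = {("S004", "10000000096")}  # conflict already on the register

if __name__ == "__main__":
    found, bad_rows = find_undisclosed_connections(STAFF, SUPPLIERS, DIRECTORS, DECLARED)
    for lead in found:
        print("review:", lead)
    for row in bad_rows:
        print("invalid ABN, return to entity:", row["name"], row["abn"])
```

Exact-name matching will raise false positives for common names, which is why each lead goes to an auditor for verification rather than straight into a report.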
We have also noted the following difficulties when engaging with entities to collect data for our examinations:
- absence of data dictionaries that explain the content of data fields within internal systems. This makes it difficult to understand the data provided and requires additional rework to ensure the accuracy of findings is not compromised by misinterpretation
- lack of knowledge around systems whereby the entity is unsure or unable to provide the data requested. Our requests will be focused on information expected within systems and, therefore, should be capable of extraction
- complications in accessing legacy system data.
We are committed to working with entities to minimise these delays, help them improve data quality across the public sector and make its extraction and use more efficient and repeatable.
Forming key relationships
The OAG’s Forensic Audit team continues to build working relationships with State and Commonwealth entities to support our audit activities. While our work is conducted independently in accordance with our legislation, we recognise the value of developing relationships to facilitate information referrals, advancing capability development and coordinating our approach to build integrity within the WA public sector. Key stakeholders with whom we are liaising are the CCC, PSC, Police, Department of Finance and the Australian Transaction Reports and Analysis Centre (AUSTRAC). We are also working towards signing memoranda of understanding where relevant and necessary to facilitate cooperation with several of these entities.
Appropriate sharing of information within our legislated mandates, while independently performing our respective roles, will improve our overall intelligence on public sector fraud risks, helping us to target our work efficiently and effectively. It will help each of us avoid duplicating or compromising work that may already be underway. We can also draw on collective expertise and share applicable models, methods and processes.
What we are doing
Forensic examinations are confidential while in progress, and as such we will not be publishing a forward audit program listing entities and audit topics. This is a substantial deviation from our longstanding performance audit approach where we consult openly with Parliament and entities on potential topics and publish current audits on our website. Table 1 is a summary of the current forensic audit program. Over time we envisage covering a range of activities, including those noted in our targeting process at Figure 7.
In line with our usual audit practice we will report matters of significance from our audits upon completion to entities and both Houses of Parliament, confidentially via our oversight committees or publicly as is appropriate for the matter at hand. Matters referred by us for further investigation will not be reported by us until investigations are concluded or another appropriate time.
Current forensic audits
We are currently undertaking 4 forensic audits:
- 2 audits examining potential undisclosed relationships and corrupt procurement practices involving in-sourced contractors
- 1 audit examining potential procurement, subsidies and expense fraud through the finance function
- 1 audit examining anomalous transactions for potential fraud related to high value assets including land.
These projects cover periods ranging between 3 and 10 years and involve analysis of both single entities and sector wide data.
In line with our method, after exploring available data, we applied a series of statistical techniques to highlight outlying transactions and patterns. The nature of the tests performed identified transactions and patterns that warrant further examination.
With specific reference to the sector wide project, data analytics results will provide a list of entities and transactions to target for further review. Engagement with entities will involve exploring certain transactions in more depth, including approval rationale, authorising officer approvals and value for money.
Supporting our Performance and Financial Audit teams
Using the capabilities and knowledge being developed in forensic audit to support and enhance our performance and financial audit work is a core objective, and explicitly included in our business plans over the next 2 years. This has already begun and within the first 18 months of Forensic Audit activity we have worked on a number of projects.
Conflict of interest analytics with Performance Audit
Forensic Audit assisted in our performance audit Public Building Maintenance [2] by conducting a series of data analytic procedures and data matching exercises to identify undeclared conflicts of interest. Conflicts, whether undeclared, lacking transparency or poorly managed, are a key vulnerability to fraud and misconduct and not achieving value for money.
The forensic analysis identified transactions that were referred to the entity for further investigation. While the majority of these transactions were small by value, indicators of fraud risk made them worthy of further review. The entity has responded positively and engaged in further discussion with us around the testing we did so that it can strengthen its own deterrent and detection measures. If the entity identifies wrongdoing, it will refer it to the appropriate integrity agency.
Analytic dashboards with Financial Audit
To demonstrate how data analytics can help our audit work, we have taken data received in the financial audit of a small number of entities in the 2019-2020 and 2020-2021 financial years and built interactive dashboards for the Financial Audit teams. These dashboards help auditors with selecting samples for testing by visually representing anomalies, summarising specific lines of inquiry and allowing deeper exploration of questionable transactions.
Examples of the type of information we have included in these dashboards are shown in Figures 10, 11 and 12 (data is fictitious).
Anti-money laundering / counter-terrorism funding support to Financial Audit
The Commonwealth Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) has gained prominence in the financial services sector in recent years.
There are a few State government entities that operate in industries susceptible to facilitating money laundering and terrorism financing.
AUSTRAC is the Commonwealth Government entity responsible for detecting, deterring and disrupting criminal abuse of the financial system to protect the community from serious and organised crime by regulating certain business activities in the financial, bullion and gambling sectors.
Shortcomings in entities’ compliance controls elevate the risk of storing or laundering the proceeds of crime or facilitating the financing of terrorism going undetected. Non-compliance with the AML/CTF Act could also result in significant reputational damage and financial consequences for the State.
We are committed to working with State entities in the financial, gambling and remittance sectors to improve capacity to not only meet the obligations, but achieve best practice, in AML/CTF Act compliance.
While we have identified and raised several control deficiency findings with entities during our audits, we are pleased that they are taking serious action to improve the robustness of their control environments relating to these legislative compliance and reputational risks.
AUSTRAC has found through its regulatory and enforcement activities that non-compliance by reporting entities across the board has commonly resulted from poor or insufficient governance practices and a lack of understanding of risk.
Reviewing the public sector’s fraud resilience maturity
As part of Forensic Audit’s intelligence led approach, we sought to understand the current state of fraud risk governance in State government entities. We requested entities complete a self-assessment questionnaire and provide key fraud and corruption risk management documentation as part of this year’s financial audits.
We have conducted a high-level desktop review of the material provided and considered it against the Australian Standard of Fraud and Corruption Control. Responses received suggest that the extent and maturity of resilience across the sector is inconsistent and entities can still do more to build resilience to the ongoing internal threat of fraud and corruption.
Focusing on a sample of State government entities [3] we found:
- All respondents had policies and procedures in place in regard to integrity, fraud and corruption. However, some are yet to implement a central fraud and corruption control plan to bind policies and procedures into a cohesive framework.
- Over 90% advised they directed fraud related internal audits this year. Where engaged, external subject matter specialists appear to have provided useful findings and recommendations that would strengthen resilience to fraud.
- Around 70% of entities stated they have performed some fraud related data analytics. Most appear to have been through the finance or internal audit functions but it was not clear how extensive or consistent the analytics were and what was done with the results.
- Almost all affirmed they had conducted fraud risk assessments, but our review showed around a third of these fraud risk assessments may not reflect better practice.
Comprehensive fraud and corruption risk assessments are essential to understand exposure to fraud and control weaknesses and enable effective application of detective mechanisms such as internal audit and data analytics. Not applying the right resources when assessing fraud risks can leave entities exposed without realising it. Regularly examining fraud risks in controls and processes across all areas of operations is essential. This means doing more than listing fraud as a single risk in the enterprise risk register.
Based on these results, we will be compiling a fraud risk assessment better practice guide for the sector as a priority in 2022.
A catalyst for change in fraud and corruption resilience
Our purpose is to improve resilience to fraud and corruption across the WA public sector. To achieve our purpose, we will coordinate with other integrity entities so as not to duplicate efforts and follow the lead set by our Financial, Performance and Information Systems audit teams by providing the sector with more than just forensic audit reports.
To help generate an uplift in entity resilience, we will share lessons and learnings from our forensic audit work across the sector. We will do this by:
- making resources available where we see an unaddressed gap in the sector that fits within our mandate, the first of which will be a better practice guide on fraud risk assessment
- facilitating opportunities for entities to share experience and practice, the first of which was our inaugural Fraud Resilience Forum
- engaging with our stakeholders, as guided by our communication plan, to explain our purpose, capabilities and resources and gather their feedback to help inform our future development.
Communicating our message
To engage the entire public sector, our message around fraud and corruption prevention and detection must be clear and customised. We are developing a communications strategy that articulates how we convey our key messages to stakeholders including Parliament, other integrity entities (such as Police, PSC and CCC), entity leaders and audit committees.
Our key messages, some of which are expressed in this report, include highlighting the differences between financial, performance and forensic audit and explaining that our audits are focused on targeted areas of risk and not a review of an entity’s entire fraud integrity framework. In addition to our reports, other methods of sharing our key messages will include information sheets at entry meetings with audited entities and engagement in various public sector forums.
Resources for the sector
Better practice checklists [4] regularly feature in performance audit reports. In addition to these, we have published 2 comprehensive stand-alone better practice guides on audit committees and financial statements that set out better practice principles which, when applied, support a strong governance framework and efficient and effective processes.
Having considered the State government’s fraud resilience maturity and to communicate our expectations, our Forensic Audit team will prepare a better practice guide on fraud risk assessment. These assessments provide assurance that the potential for fraud is being actively mitigated, ensuring appropriate management of public funds. As with all our guidance products, we will seek to maximise the value to the entire public sector by tailoring it for both State and local government entities.
Facilitating experience and practice sharing
We are aware many State government entities are proactively working in the integrity and counter fraud space and are keen to share insights and knowledge to build sector capability. To help share this knowledge, we launched a Fraud Resilience Forum with employees responsible for fraud control in 30 State government entities. We are happy to facilitate this Forum until such time as another State entity requests to do so.
The forum allowed us to introduce the forensic audit function and hold a panel discussion on fraud data analytics. To continuously improve the public sector’s fraud and corruption resilience and detection capability, we envisage this will become a regular event where other entities will take on hosting and speaking roles to share knowledge.
We will also use our Audit Committee Chair Forum and opportunities presented by other integrity entities, for example PSC hosted events, to raise awareness of fraud control and prevention approaches that public sector entities can adopt.
Matters referred to entities
The OAG’s Forensic Audit team is not an investigative or law enforcement body, and we have obligations under legislation to refer and report to those bodies in certain situations. We are building robust referral protocols to ensure we meet those obligations in the most effective way. Centralising the referral process within the Forensic Audit team will provide consistency in processing and assessing potential referrals from all our audit work.
Our work this year has resulted in referrals of information back to entities for additional review and shared with other integrity entities as necessary. Entities will remain responsible for conducting their own review of matters identified and, if not already referred by us, refer matters to the appropriate integrity agencies based on their internal investigations.
[3] Forty-one entities account for around 95% of State financial activity. Our analysis was on responding entities within that group.