Information in this guide is drawn from the experiences of 5 authorities in developing and implementing their detection systems. Since sharing this information to develop this guide, authorities’ detection systems and approaches have evolved and changed either as part of a continuous improvement approach or because of changed operating conditions. The Public Sector Commission has not evaluated these systems or formed any view that they are complete, appropriate or suitable systems for these authorities.
Authority A
Show moreAuthority A implemented a fraud and corruption detection system that produces exception reports and management dashboards, and informs internal audits. Following implementation of the system and communication of changes and updates to policies and procedures, it has experienced increased staff awareness of processes and controls to prevent, detect and respond to integrity breaches.
What does the detection system do?
The fraud and corruption detection system includes post-transactional review, data mining and real time computer system analysis to identify suspected fraudulent transactions and analyse management accounting reports.
The following detection activities are undertaken in-house:
- Exception reports: IT runs a query and provides the Microsoft Excel outputs for analysis.
- Management dashboards: Information needs are defined by the functional area, created by IT and used to compare undue expenditure variances.
- Internal audits: Data analytics reviews are conducted every 2 years using a similar methodology to exception reports.
What was the context for developing and implementing the system?
The project commenced with setting up a governance team. Development and implementation of the system aligned with best practice governance and integrity processes such as Office of the Auditor General and Australian Standards.
While a detection system is in place the preferred focus is on prevention.
How was the system rolled out?
In-house experts undertook a gap analysis of current practices against the authority’s governance and integrity best practices. A fraud and corruption control framework was developed. Following this, supporting tools, responsibilities, training, reporting and data analytics have been rolled out.
What have been the benefits?
There is increased staff awareness of processes and controls to prevent, detect and report issues relating to integrity, misconduct, fraud and corruption as well as possible consequences of integrity breaches.
What were the challenges and limitations?
Finite financial and staff resources. The solution was using the skills and expertise of the internal IT team that provides support and analysis capability for the detection system.
Authority B
Show moreFollowing reports by the Corruption and Crime Commission, Authority B used fraud data analytics to identify exceptions related to misconduct and corruption. Dashboards were used to visualise results. The detection system enabled internal teams to develop automated financial reporting and enhance compliance with procurement policy.
What does the detection system do?
A fraud data analytics program is applied across key areas including purchase orders and cards, accounts payable, invoices and supplier management. The program comprises 8 fraud data analytic tests including data profiling and exception identification.
The data models were built in SQL. Tableau is used to visualise the test results. The authority is considering running the same tests in the future and extending a further 6 tests across supplier and purchase order management.
What was the context for developing and implementing the system?
Following reports by the Corruption and Crime Commission, the authority’s executive requested an investigation/review of accounts payable transactions under $50,000. Due to complexities with legacy IT and financial systems, this involved investigators manually reviewing data using spreadsheets. Following a self-assessment using the Integrity Strategy, forensic data analytics were trialled. A scope of work was developed for prospective service providers seeking a proposal for service and a presentation of offerings.
How was the system rolled out?
The investigation and integrity team met with prospective service providers to discuss their products and services and to scope the fraud data analytic tests that met the authority’s requirements. The investigation and integrity team involved the financial services and human resources systems teams in developing the detection system.
What have been the benefits?
The detection system allowed for testing for any overt fraudulent activity and gave a good insight into the system’s strengths and weaknesses.
The exercise was beneficial for all parts of the authority involved. The finance area is now looking at enhancing an existing detection system for automated financial reporting, and procurement is looking at developing a detection system to enhance compliance with procurement policy to enforce separation of duties.
While not finding evidence of suspected fraud, some minor instances of policy breaches were found.
What were the challenges and limitations?
Initially, data quality was an issue but stakeholders worked with the service provider to format and cleanse data to perform the tests.
In the first instance, 2 years of data was scanned. This resulted in 70,000 exceptions to purchasing cards, 255 exceptions in accounts payable, 14 transactions in purchase to pay process and 141 exceptions in the supplier master list. Two investigators worked with relevant functional areas over 2 months to review all exceptions. Without the internal resources available, it would be difficult to detect and determine the exceptions found using the detection system.
Authority C
Show moreAuthority C launched its integrity framework with a focus on risk, positive education and awareness including better coordination and communication across key functional areas. This has resulted in better identification of process gaps, encouraging a speak up culture and the ability to review a larger volume of data.
What does the detection system do?
More than 40 largely automated data analytics tests, including business intelligence analytics, are performed across the authority.
The overarching objective was to improve fraud and corruption prevention and detection through data analytics that are business area owned controls which form part of business as usual activities. The analytics are also available to audit in delivering the annual audit plan.
What was the context for developing and implementing the system?
The integrity framework and integrity detection plan were originally developed and implemented to bridge the gap between prevention and response.
Integrity data analytics was identified as a strategy to better detect fraud and corruption and pinpoint where integrity related risks exist.
Daily, real time data analytics increases business intelligence capabilities, allowing quick implementation of corrective actions and controls to close any gaps.
How was the system rolled out?
To build credibility and relationships, consultation was undertaken with relevant functional areas to better understand data analytics already in place. Consultation was not limited to fraud and corruption prevention discussions but also considered business intelligence and improvement options. This created a supportive environment where functional areas were encouraged to speak up.
Objectives were tested continuously through inclusive conversations between the integrity and governance team, functional areas, external best practice consultants and industry.
An overarching governance framework was implemented to capture existing detection activities, record newly developed and improved data analytics, set out roles and responsibilities for key functional areas (including frequency and review of results), and describe the reporting structure for each routine as well as the security parameters and protocols for access to sensitive data.
What have been the benefits?
The insights gained by functional areas from the data analytics are very powerful and can help fuel prevention by identifying gaps in processes and areas that need extra assistance.
Feedback from the functional areas has been very positive regarding the ability of the analytics to automate previously manual processes through data feeds. The newly developed analytics assesses tens of millions of records as opposed to thousands.
Performance is being driven through meaningful and purposeful reporting, tailored to each audience. Messaging and reporting to senior management provides an opportunity to identify the need for specific integrity related education and awareness programs and training.
What were the challenges and limitations?
Key challenges included limited resources but internal facilitation was key to increasing the probability of success by driving ownership through functional areas.
Shifting culture and moving away from a compliance and reactive based approach to integrity awareness were challenging but have led to a greater focus on culture, integrity promotion and support of a speak up culture.
Authority D
Show moreAuthority D developed a detection system to initially perform pre-employment criminal history checks on prospective staff followed by current staff. The detection system includes 2 internal systems with an online interface that manage processes for mandatory staff criminal record checks. The detection system has supported the improvement of employment screening and other human resources onboarding processes.
What does the detection system do?
Pre-employment criminal history checks are mandatory in the authority. Electronic validation is used to prevent prospective staff from being entered into the human resources system without a valid clearance number issued. This means prospective staff cannot be entered into the system without a criminal record clearance.
A web service between the authority and Australian Criminal Intelligence Commission system, as well as an interface between the authority’s human resources and staff screening systems, prevents former staff with breaks in service from being re-employed until they obtain criminal record clearance.
A case management approach is in place for people who are identified as having criminal history. A screening committee determines their suitability for employment.
What was the context for developing and implementing the system?
The detection system was developed to reduce the risk of employing a person without a criminal record clearance being confirmed before employment. It was developed in-house.
How was the system rolled out?
Consultation with key internal and external stakeholders informed the development of the supporting policy. This also led to changes in the human resources system that require validation of criminal history screening before new staff can be entered into the system.
It was a 9 month process to meet with key stakeholders, develop and test the changes to information technology systems and implement the detection system, including back screening existing staff.
The authority’s screening system was enhanced to allow communications with the human resources system, Australian Criminal Intelligence Commission system, and with people undertaking criminal record checks via SMS or email.
What have been the benefits?
There has been a significant reduction in the risk of new staff being employed without a current criminal record clearance being confirmed.
It has also improved the process of assessing any criminal history of prospective staff and other human resources processes for new staff across the authority.
What were the challenges and limitations?
Challenges included communicating to all parts of the authority due to its size and dispersion, providing training to ensure compliance, and managing any breaches of the policy.
Technical updates to systems to ensure screening validation and testing of systems were also challenging due to the high number of criminal record checks undertaken each year.
The authority’s detection system is now fully implemented. Continual refinements and enhancements are made to the technical side of the information technology systems when required.
Authority E
Show moreAuthority E has implemented a framework and register to identify instances of non-compliance in multiple functional areas. The framework enables the reporting of potential breaches of finance policies and procedures via the register.
The authority has gained a better understanding of the internal processes of different functional areas and implemented improvements.
What does the detection system do?
A framework is in place which outlines actions and responsibilities of finance office staff, and a register is used to identify instances of non-compliance with finance policies and procedures from a range of data sources.
Staff in the financial processing team are required to record in the register all potential compliance breaches they identify. The register is submitted to the internal audit director for review.
What was the context for developing and implementing the system?
Following investigations into compliance breaches, a detection system was developed using available data relevant to key finance policies and procedures. This included purchasing card acquittals, purchase orders, acquittal of travel advances, travel bookings and staff reimbursements.
How was the system rolled out?
Internal discussions were held with key members of the finance and internal audit teams to design and implement the framework and register. Each of the finance teams implemented individual registers and these were consolidated. The detection system took approximately 2 months to implement.
What have been the benefits?
The authority has gained a better understanding of functional areas’ internal processes which has led to continuous improvement opportunities such as:
- simplifying finance policies for staff expenses and discretionary spend items
- reducing the number of purchasing cards issued
- maintaining confidentiality in the reporting process to ensure staff are not unfairly penalised or disadvantaged after reporting potential compliance breaches.
Reports generated also identify internal control gaps, issues and inappropriate practices so action can be taken.
What were the challenges and limitations?
Due to technology limitations, data collection relies on individual staff correctly identifying potential breaches when processing or approving finance data and then recording them in the register.
This limits the framework and register’s ability to introduce system controls and detection or exception reporting; and leverage data analytics to inform process and policy improvements.
Additionally, the framework and register apply equally to breaches and potential breaches. Individual staff who identify those breaches are not responsible for assessing policy compliance. Manual investigation of an identified breach or potential breach is required to determine whether there is a breach and whether escalation is required.
