Fraud Control Plan 2011
Chapter Three
Identifying, Analysing, Evaluating, Monitoring and Treating Risk
Risk Defined
The effect of uncertainty on objectives.
Risk Identification
Unidentified risk cannot be treated. While the department undertakes a thorough approach to risk identification, it is a continuous process. Improving our capacity to identify new risks is a specific goal of this plan. For the purposes of this plan, the department has used the 'Risk Management Toolkit' contained in the Risk Management Handbook 2011 to examine fraud control in the Department.
The following methodology is based on APS guidelines and is consistent with the corporate governance framework of the Government and the department. The risk assessment process is based upon the steps in the following diagram. While individual areas will act on overall findings in different ways, it is important to ensure that documentation of risk assessments is clear and comprehensive and presented in a form suitable for external scrutiny.
The ratings of the identified fraud risks were provided using the department's risk assessment matrix (See attachment B). Each division was asked to rate the fraud risks inherent in their operations and propose whether to accept, transfer or treat the risk. Specific controls were then implemented to reduce the risk.
High Priority Risks
During the review of the department's current procedures, particular attention was paid to high priority risks (those risks with an Extreme or High rating). High priority risks do not necessarily refer to types of fraudulent activity that occur with greater frequency; rather, they are the fraud risks that, because of the combination of their likelihood and high consequences, demand a greater share of attention and resources. Risks with relatively low consequences may nevertheless occur far more often, so employees and managers must focus on the whole spectrum of risks within their work areas. High priority risks for 2011 are listed in the following section.
Extreme Risk
| RISK: Unauthorised disclosure of official information, including sensitive, confidential and classified information, for personal gain in Canberra | |
|---|---|
| Risk Treatment | |
| Resource Implications | |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director OSS will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD/DSB/Director OSS |

High Risk
| RISK: Altering of genuine passports | |
|---|---|
| Risk Treatments | |
| Resource Implications | |
| Risk Analysis Rating | High |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director, PFS will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | Low levels of passport alterations detected |
| Responsible Division, Contact | APO, Director PFS |

| RISK: Issue of fraudulent or duplicate passports | |
|---|---|
| Risk Treatments | |
| Resource Implications | |
| Risk Analysis Rating | High |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director, PFS will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | APO, Director PFS |

| RISK: Illegal use of passports by impostor | |
|---|---|
| Risk Treatments | |
| Resource Implications | |
| Risk Analysis Rating | High |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director, PFS will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | Level of activity of the APO in border management issues |
| Responsible Division, Contact | APO, Director PFS |

Identified Risks by Functional Area
The types of fraud risk that organisations have to manage vary significantly. Risks for the department arise in functions such as:
- accountable document management
- accountable travel document management
- accounts payable
- asset management
- corporate credit cards
- information technology and information security
- passport issues in Australia and at post
- physical security of DFAT premises
- procurement and contract management
- records management
- salaries and allowances.
The areas within the department that are engaged or responsible for managing tasks more prone to fraud risk include:
- Information Management Division (IMD)
- Consular, Public Diplomacy and Parliamentary Affairs Division (CPD)
- Australian Passport Office (APO)
- Corporate Management Division (CMD).
Managers and employees in these divisions need to be particularly aware of any potential fraud risks that may be specific to their division and operations. The following chapters provide details of the identified risks in each work area, the specified controls and proposed treatment for the fraud risk.
Posts need to be aware of all the functions they perform that may be exposed to the risk of fraud and ensure appropriate controls are in place. Posts deemed 'High Risk' by the department's risk rating process also need to be aware of the particular risks they face, as well as issues in the risk environment such as language barriers and cultural and legal issues that may alter the effectiveness of control measures.
ICT Services Branch (ISB)
Information Technology and Information Security
The following are the risks that have previously been identified in the information technology and information security area and remain relevant:
- breach of passwords (authentication process) for personal benefit
- breach of LAN security for personal benefit
- misuse of SATIN Low / Microsoft Office products for personal benefit
- misuse of the departmental internet connection for personal benefit.
The following are the previously identified controls related to these risks:
- all servers and other critical equipment are housed in two secure computer rooms with access restricted to technical administrators
- high-side systems have no floppy or hard drives
- all contract staff requiring access are cleared to an appropriate level or supervised when dealing with material or equipment beyond their level of clearance
- a DFAT employee is always present at installations
- installations are conducted using procedures consistent with Government guidelines
- equipment is only installed in an environment that is appropriately secured
- after each installation, documentation is prepared by the installation team and signed off by a Director from IMD
- senior employees from Central Office perform quality checks on large or particularly sensitive installations
- staff are cleared to a security level appropriate to their duties and responsibilities
- security clearances are re-evaluated every five years and mid-term periodic appraisals are conducted every two and half years
- all external connections and changes to the systems must be approved by a Director from IMD
- all communications are encrypted using military grade encryption for high-side data
- all communications rooms and communications equipment are secured at all times
- the Internet firewall that protects the low-side network from unauthorised access is endorsed by DSB
- communication between other government organisations and DFAT is currently encrypted using techniques appropriate to the level of sensitivity of the information
- access to DFAT systems by vendors for maintenance and support of products is on an "as required" basis. Vendors are called in and supervised on site
- changes to ICT infrastructure and applications are submitted to a Change Review Board
- valid user IDs and passwords are mandatory for access to DFAT systems
- SATIN has password lockout after 3 failed attempts. SATIN access controls require all password lockouts on the high-side system to be reset by the System Administrator
- use of complex passwords and strong password controls is mandated
- high-side system user accounts are actively monitored. On a monthly basis an additional check is made on the Access Control List to identify any inactive user IDs that may have been missed. Inactive user IDs are suspended while the reason for their inactivity is queried. Suspended user IDs are deleted if it is determined that the user no longer needs access to high-side systems
- PICS/DELTA - an employee independent of the technical administration function monitors system logs and provides reports on a monthly basis
- PICS/DELTA - all passport function processes have an auditable trail
- formal arrangements are in place to ensure all consultants working on the department's mainframe are aware of and comply with the department's fraud control policy
- SAP - monitoring of system logs by an employee independent of the technical administration function to continue on a regular basis
- the department's acceptable use policy for laptop computers forbids the saving of material above X-IN-CONFIDENCE on standard laptop computers.
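The monthly inactive-account review described in the controls above (check the access control list, suspend IDs that have gone quiet, query the reason, delete IDs whose owners no longer need access) is the kind of control that is easy to state and easy to skip. The script below is an added illustration of that review cycle over constructed account records; it is not the department's code and does not interact with SATIN or any real directory. The 90-day inactivity threshold, the `still_needed` callback standing in for the "reason for inactivity" query, and the reinstatement of a suspended ID whose owner does still need access are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, List, Optional, Tuple

# Assumed threshold: the plan says "inactive" but does not state a period.
INACTIVE_AFTER = timedelta(days=90)


@dataclass
class Account:
    user_id: str
    last_login: Optional[date]      # None means the ID has never logged in
    status: str = "active"          # active | suspended | deleted
    history: List[str] = field(default_factory=list)


def review_accounts(
    accounts: List[Account],
    today: date,
    still_needed: Callable[[str], bool],
) -> List[Tuple[str, str]]:
    """One monthly pass over the access control list.

    - active IDs with no login inside INACTIVE_AFTER are suspended;
    - suspended IDs are resolved by the 'reason for inactivity' query:
      deleted when access is no longer needed, otherwise reinstated
      (reinstatement is an assumption; the plan only describes deletion).
    Returns the (user_id, action) pairs taken, in list order.
    """
    actions: List[Tuple[str, str]] = []
    for acct in accounts:
        if acct.status == "deleted":
            continue
        idle = acct.last_login is None or (today - acct.last_login) > INACTIVE_AFTER
        if acct.status == "active" and idle:
            acct.status = "suspended"
            acct.history.append(f"{today}: suspended (inactive)")
            actions.append((acct.user_id, "suspended"))
        elif acct.status == "suspended":
            if still_needed(acct.user_id):
                acct.status = "active"
                acct.history.append(f"{today}: reinstated after query")
                actions.append((acct.user_id, "reinstated"))
            else:
                acct.status = "deleted"
                acct.history.append(f"{today}: deleted (access no longer required)")
                actions.append((acct.user_id, "deleted"))
    return actions


def sample_accounts() -> List[Account]:
    """Constructed sample ACL entries; names and dates are invented."""
    return [
        Account("abrown", date(2011, 6, 20)),                       # recently active
        Account("jsmith", date(2011, 1, 10)),                       # idle since January
        Account("kng", None, status="suspended"),                   # suspended last month, never logged in
        Account("lwong", date(2011, 2, 1), status="suspended"),     # suspended, but still on strength
    ]


def run_review(today: date = date(2011, 6, 30)) -> List[Tuple[str, str]]:
    """Run one review over the sample data; the query says only lwong still needs access."""
    accounts = sample_accounts()
    return review_accounts(accounts, today, still_needed={"lwong"}.__contains__)


if __name__ == "__main__":
    for user_id, action in run_review():
        print(f"{user_id:10s} {action}")
```

Because a deletion only happens on the pass after the suspension, every removal is preceded by a recorded suspension and a query, which is the audit trail an independent reviewer would expect to see.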
The following are new areas of risk that have been identified in the information technology and information security area with potential fraud implications:
- identity theft
- wireless technology risks
- data leakage
- phishing attacks
- use of webmail.
The following are newly implemented controls:
- introduction of endpoint security tool - Safend which provides an audit and authentication capability for all removable media devices connected to a SATIN Low desktop
- audit trails/logging/monitoring of emails, internet usage, printing, and cable access. Facilities within the Operation Security Team (OST) for centralised monitoring of internet and email use continue to be upgraded
- gradual introduction of more automated ICT asset management and inventory controls
- contract staff have been formally assigned to APS-led teams, and their access to information is controlled by a roles-based regime in Windows Active Directory
- user authorisation and authentication procedures have been improved for all privileged accounts. Access by privileged users at posts and STOs, such as LANA system administrators, has been reduced as more administration support services are centralised in Canberra
- SATIN Low servers at post have been relocated to secure areas which are not accessible by Locally Engaged Staff (LES).
The following are further recommended control measures:
- continue to strengthen gateway firewalls and other countermeasures against external attacks aimed at SATIN Low
- as SATIN High evolves towards integration with other agency secret networks (driven by the roadmaps of the National Security Community and the Secret Network Owners Committee) controls will be strengthened to monitor, identify and prevent misuse of communications in the secret domain.
- the introduction of additional measures to ensure uniquely identifying login names on SATIN Low and High.
The following are the individual risks that have been identified and their specific controls:
| RISK: Breach of passwords (authentication process) for personal benefit | |
|---|---|
| Risk Treatment | |
| Resource Implications | |
| Risk Analysis Rating | Moderate |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director ICT Compliance will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | IMD/ISB/Director ICT Compliance |

| RISK: Breach of LAN security for personal benefit | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director ICT Compliance will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | IMD/ISB/Director ICT Compliance |

| RISK: Misuse of SATIN Low / Microsoft Office products for personal benefit | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director ICT Compliance will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | IMD/ISB/Director ICT Compliance |

| RISK: Misuse of the departmental internet connection for personal benefit | |
|---|---|
| Risk Treatment | |
| Resource Implications | |
| Risk Analysis Rating | Moderate |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director ICT Compliance will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | IMD/ISB/Director ICT Compliance |

| RISK: Fraud related to identity theft | |
|---|---|
| Risk Treatment | Newly implemented and proposed controls as detailed above |
| Resource Implications | Divisional expense |
| Risk Analysis Rating | Moderate |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director ICT Compliance will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | Nature and extent of related incidents of fraud |
| Responsible Division, Contact | IMD/ISB/Director ICT Compliance |

| RISK: Fraud related to wireless communications | |
|---|---|
| Risk Treatment | Newly implemented and proposed controls as detailed above |
| Resource Implications | Divisional expense |
| Risk Analysis Rating | Moderate |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director ICT Compliance will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | Nature and extent of related incidents of fraud |
| Responsible Division, Contact | IMD/ISB/Director ICT Compliance |

| RISK: Fraud related to data leakage | |
|---|---|
| Risk Treatment | Newly implemented and proposed controls as detailed above |
| Resource Implications | Divisional expense |
| Risk Analysis Rating | Minor |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director ICT Compliance will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | Nature and extent of related incidents of fraud |
| Responsible Division, Contact | IMD/ISB/Director ICT Compliance |

| RISK: Fraud related to phishing attacks | |
|---|---|
| Risk Treatment | Newly implemented and proposed controls as detailed above |
| Resource Implications | Divisional expense |
| Risk Analysis Rating | Significant |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director ICT Compliance will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | Nature and extent of related incidents of fraud |
| Responsible Division, Contact | IMD/ISB/Director ICT Compliance |

| RISK: Fraud related to use of webmail | |
|---|---|
| Risk Treatment | Newly implemented and proposed controls as detailed above |
| Resource Implications | Divisional expense |
| Risk Analysis Rating | Moderate |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director ICT Compliance will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | Nature and extent of related incidents of fraud |
| Responsible Division, Contact | IMD/ISB/Director ICT Compliance |

Corporate Management Division
Accountable Documents
The following risks have been identified:
- cash and cheque collections retained by staff who issue stolen or fraudulent official receipts
- use of stolen bank cheques to purchase items on departmental account
- use or sale of stolen petrol coupons, prepaid envelopes, stamps and/or impress seals
- private use of Cabcharge vouchers.
The following controls are in place to mitigate these risks:
- the Finance Management Manual (FMM) Chapter 12 outlines procedures for the management of accountable documents
- custodians of accountable documents hold bulk stocks of accountable documents in a secure container to which only the Custodian has access
- holders of accountable documents in processing areas are responsible for the safe custody of the limited stocks they hold. Stocks must be stored in a secure container, when not in use, to which only the holder of accountable document has access
- Finance Managers must appoint in writing a Custodian of Accountable Documents and a person responsible for carrying out regular mandated checks of accountable documents
- a handover/takeover document must be completed whenever a Custodian or Holder of accountable documents is relieved, even temporarily, of their position
- the Custodian must maintain an accountable documents register in which the receipt of bulk stocks and the issue of stocks to processing areas are recorded
- on receipt of bulk stocks the Custodian must ensure that the order is complete and serial numbers are in sequence and enter the details in to the accountable documents register
- details of bulk cheques are entered into SAP by number range at time of receipt
- receipt of stocks must be acknowledged by the issuing office, and stocks must be stored in a secure place (B class safe minimum). The Custodian must also note that all documents have been received, mark the front cover of the book and initial the entry
- holders of accountable documents must acknowledge receipt of stocks in writing by signing the register and then store them in a secure (B class) container in the processing area
- the loss or theft of any accountable document must be reported in writing to the Finance Manager as soon as it is discovered. The Finance Manager should take appropriate action to prevent the use of the lost or stolen documents (give stolen cheque numbers to the bank, cancel a passport on PICS, TARDIS, or provide details of the lost visa to DIAC)
- the FMM includes procedures for the disposal of obsolete accountable documents
- Bulk and issued stocks of accountable documents are inspected on a random basis once every three months by a person formally appointed by the Finance Manager
- the checks ensure that stocks on hand agree with the record held in the Accountable Documents Register; all issued stocks are accounted for, an inspection form is completed and signed and placed on file by the responsible employee
- details of cheque issues are recorded in the SAP cheque register
- bank reconciliation processes will identify a presented cheque number that is not recorded in the SAP cheque register or does not have a vendor payment document.
| RISK: Use of stolen bank cheques to purchase items on departmental account | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director FPT will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director FPT |

| RISK: Cash and cheque collections retained by staff who issue stolen or fraudulent official receipts | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director FPT will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director FPT |

| RISK: Use or sale of stolen petrol coupons, prepaid envelopes, stamps and/or impress seals | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director FPT will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director FPT |

| RISK: Private use of Cabcharge vouchers | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director FPT will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director FPT |

Asset Management
The following risks have been identified:
- theft of assets or portable and attractive items
- unauthorised personal use of assets and portable and attractive items
- unauthorised disposal of assets or portable and attractive items
- deletion of asset records.
The following controls are in place to mitigate these risks:
- Finance Management Manual includes policy and procedures on the proper management of assets
- an Asset Register is maintained in SAP
- access to amend the Asset Register is restricted
- individual assets are identified with a bar coded asset label
- annual stocktakes of assets are performed by employees working in pairs
- annual stocktakes are required for non-asset items (i.e. purchase price less than AUD2,000) that are considered portable and/or attractive; these are the responsibility of Branch Heads in Canberra and Finance Managers overseas and in State Offices
- stocktake results are reported to the asset manager
- discrepancies in stocktake results are investigated
- assets lent to staff are recorded in the Register of Borrowed Assets
- the borrowed assets register is reviewed when an employee moves to a different area of the department
- a review of the borrowed asset register is included in the separation checklist for all employees leaving the department
- if an asset needs to be disposed of, a formal 'proposal to dispose' is prepared, approved and recorded
- depending on the nature and value of the item, a proposal to donate, sell or transfer title of an asset may require the prior approval of the Chief Finance Officer
- SAP records the results of all work area stocktakes, including the additions/disposals that occur as a result of the stocktake process. The SAP Stocktake Module is only "open" for a limited period
- Work area Capital Management Plans are approved by the Senior Executive. Approved asset funding is provided to work areas via Internal Orders which limit expenditure to the approved level
- the FMM requires the appointment of stocktake officers who do not occupy positions with direct responsibility for maintaining asset master data or processing payments for the purchase of assets.
| RISK: Theft of assets or portable and attractive items | |
|---|---|
| Risk Treatment | |
| Resource Implications | |
| Risk Analysis Rating | Moderate |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director FPT will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director FPT |

| RISK: Unauthorised disposal of assets or portable and attractive items | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director FPT will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director FPT |

| RISK: Deletion of asset records | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director FPT will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director FPT |

| RISK: Unauthorised personal use of assets and portable and attractive items | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director FPT will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director FPT |

Accounts Payable
The following risks have been identified:
- circumvention of authorisation procedures
- duplicate payments to suppliers
- manipulation of a SAP master vendor record for gain
- introduction of fictitious invoices
- overcharging or provision of false accounts by suppliers
- unchecked payments entered by posts that appear in Canberra's payment run.
The following controls are in place to mitigate these risks:
- the Funds Controller, Bank Reconciliation Officials, Certifying Official and Cashier are appointed in writing by the Finance Manager
- the FMM requires an appropriate separation of responsibilities within the accounts payable processes
- where insufficient separation of duties for financial functions exists, the Finance Manager will undertake a risk assessment and seek CFO approval where required by the FMM
- SAP access profiles reflect duties performed by function and are checked at least once per month or as required upon changes of duties
- the invoice is matched to the purchase order
- the PTWS or SAP document is checked to the purchase order/invoice to ensure that payment details are correct
- expenditure is allocated to cost objects that are reviewed by budget co-ordinators
- photocopied invoices must be certified (stamped and signed) as 'not already paid' so the same invoice is not paid twice
- SAP checks invoice numbers to warn of possible duplicate payments
- invalid (i.e. invalid details compared to invoice, or possibly duplicate) payments are withheld
- the Funds Controller in Australia reviews payment requests entered by posts
- bank exception reports are reviewed after each pay run to identify rejected payment instructions (eg invalid bank code)
- accounts officer contacts the payee/vendor to verify the details
- vendor details are updated in SAP by the Vendor Master Officer (appointed by Finance Manager)
- each month the Finance Manager signs off SAP reports including:
  - changes and additions to the Vendor Master Record
  - possible duplicate payments
  - debtors and advances register
  - vendor open items report (includes credit card transactions for payment to provider)
  - SAP user profiles.
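Two of the detective controls listed in this chapter are mechanical checks that can be shown in a few lines: the duplicate-invoice warning in the accounts payable controls above ("SAP checks invoice numbers to warn of possible duplicate payments") and the bank reconciliation in the accountable documents controls earlier ("a presented cheque number that is not recorded in the SAP cheque register or does not have a vendor payment document"). The script below is an added illustration of both checks over constructed payment, register and bank-statement records; it is not the department's code and does not reflect how SAP implements either report. The record layout, the vendor and document numbers, and the decision to match invoices on vendor plus a normalised invoice number (ignoring amount, so a re-keyed invoice with a changed amount is still flagged) are assumptions made for the example.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample data: one month of payments, the cheque register and
# the cheque numbers the bank reports as presented. All values are invented.
PAYMENTS = [
    {"doc": "1900001", "vendor": "V100", "invoice": "INV-778",  "amount": 1200.00, "cheque": "500101"},
    {"doc": "1900002", "vendor": "V100", "invoice": "inv 778",  "amount": 1200.00, "cheque": "500102"},  # same invoice re-keyed
    {"doc": "1900003", "vendor": "V220", "invoice": "INV-0045", "amount": 80.50,   "cheque": "500103"},
    {"doc": "1900004", "vendor": "V220", "invoice": "INV-0045", "amount": 92.00,   "cheque": "500104"},  # same number, new amount
    {"doc": "1900005", "vendor": "V310", "invoice": "INV-778",  "amount": 410.00,  "cheque": "500106"},  # different vendor: not a duplicate
]

# cheque number -> vendor payment document, or None when issued without one
CHEQUE_REGISTER: Dict[str, Optional[str]] = {
    "500101": "1900001", "500102": "1900002", "500103": "1900003",
    "500104": "1900004", "500105": None, "500106": "1900005",
}

BANK_PRESENTED = ["500101", "500102", "500105", "500199"]


def normalise_invoice(number: str) -> str:
    """Fold case and drop spaces/punctuation so 'INV-778' and 'inv 778' collide."""
    return "".join(ch for ch in number.upper() if ch.isalnum())


def possible_duplicates(payments: List[dict]) -> Dict[Tuple[str, str], List[str]]:
    """Group payments by (vendor, normalised invoice number); return the groups
    with more than one payment document, i.e. the 'possible duplicate' warnings."""
    groups: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for p in payments:
        groups[(p["vendor"], normalise_invoice(p["invoice"]))].append(p["doc"])
    return {key: docs for key, docs in groups.items() if len(docs) > 1}


def reconcile_cheques(
    presented: List[str], register: Dict[str, Optional[str]]
) -> Tuple[List[str], List[str]]:
    """Bank reconciliation exceptions: presented cheques that are not in the
    register at all, and presented cheques that are in the register but have
    no vendor payment document behind them."""
    unknown = [c for c in presented if c not in register]
    no_document = [c for c in presented if c in register and register[c] is None]
    return unknown, no_document


def monthly_exceptions() -> dict:
    """The exception set a Finance Manager would sign off for the sample month."""
    unknown, no_doc = reconcile_cheques(BANK_PRESENTED, CHEQUE_REGISTER)
    return {
        "possible_duplicates": possible_duplicates(PAYMENTS),
        "cheques_not_in_register": unknown,
        "cheques_without_payment_document": no_doc,
    }


if __name__ == "__main__":
    for heading, value in monthly_exceptions().items():
        print(f"{heading}: {value}")
```

Both checks only raise exceptions for a person to resolve; the controls list makes the point that an accounts officer then contacts the payee or vendor, and that the Finance Manager signs off the duplicate-payments report each month. A payment withheld on a false positive costs a phone call, whereas a duplicate that is paid is recovered, if at all, only after the fact.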
| RISK: Circumvention of authorisation procedures | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Moderate |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director FPT will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director FPT |

| RISK: Duplicate payments to suppliers | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Moderate |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director FPT will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director FPT |

| RISK: Manipulation of a SAP master vendor record for gain | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As a result of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director FPT will report to the CEU on the performance of the risk treatments in place. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director FPT |

| RISK: Introduction of fictitious invoices | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director FPT will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director FPT |


| RISK: Overcharging or provision of false accounts by suppliers | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director FPT will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director FPT |


| RISK: Unchecked payments entered by posts that appear in Canberra's payment run | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director FPT will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director FSS |

Collection and Security of Public Moneys
The following risks have been identified:
- employee theft of public money
- mixing public and private money.
The following controls are in place to mitigate these risks:
- Finance Managers appoint Cashiers and Sub-Cashiers to collect public money
- Cashiers and Sub-Cashiers issue receipts for money collected and ensure collections are banked promptly
- unbanked money is held in a secure receptacle to which only the Cashier has access
- independent checks are undertaken to ensure money was correctly banked
- random checks of unbanked money held by the Cashier are undertaken

| RISK: Employee theft of public money | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director FPT will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director FPT |


| RISK: Mixing public and private money | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director FPT will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director FPT |

Corporate Credit Cards
The following risks have been identified:
- unauthorised access to card details (eg through the internet)
- unauthorised issue of an official credit card for personal gain
- purchase made on an official credit card for personal gain
- paying for goods and services not received by DFAT for personal gain
- suppliers using card number for non-existent transactions.
The following controls are in place to mitigate these risks:
- applications from non-SES officers are approved by supervisor where there is a demonstrated need for a card
- the cardholder must be an Approver or an Approver's agent where necessary
- for cards issued in Australia the cardholder's identity is verified by FPT prior to entering card request
- the card provider is advised of officers authorised to submit card requests and collect cards
- cardholders sign a Cardholder Agreement that sets out the terms for use of the card
- the card monthly limit is specified by the supervisor or in accordance with the DFAT Travel Policy for SES cards
- cardholders acquit their statement (and attach original supporting evidence documentation) within 7 days of receipt of the statement
- cardholder statements are subject to an independent review
- travel expenses charged to the Business Travel Account are reconciled monthly. Unidentified transactions are disputed with card provider and payment for disputed transactions withheld
- cardholders must report stolen credit cards to the card provider and Card Manager upon detection of the loss
- the card provider monitors card activity and reports all suspicious purchases and places a block on further purchases until cardholder verifies the transaction
- cardholders report disputed (including fraudulent) transactions to the card provider and Card Manager upon detection
- the DFAT exit checklist requires the Card Manager's sign-off that any credit card has been returned and cancelled

| RISK: Unauthorised access to card details (eg through the internet) | |
|---|---|
| Risk Treatment | Existing control sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director FPT will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director FPT |


| RISK: Unauthorised issue of an official credit card for personal gain | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director FPT will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director FPT |


| RISK: Purchase made on an official credit card for personal gain | |
|---|---|
| Risk Treatment | Reduce limit on credit card balances and purchase amounts according to historical spending patterns |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director FPT will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director FPT |


| RISK: Payment made for goods and services not received in order to obtain a personal benefit from the supplier | |
|---|---|
| Risk Treatment | Reduce limit on credit card balances and purchase amounts according to historical spending patterns |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director FPT will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director FPT |


| RISK: Suppliers using card number for non-existent transactions | |
|---|---|
| Risk Treatment | |
| Resource Implications | |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director FPT will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director FPT |

Procurement and Contract Management
The following are the risks identified in this area:
Procurement
- placement of orders with specific suppliers in return for personal benefit
- deliberately avoiding or manipulating a procurement process to avoid DFAT procurement policies (e.g. thresholds, approvals etc.) for personal gain or collusion
- unauthorised disclosure of commercial-in-confidence information to suppliers with the intent of giving them a competitive advantage
- fraternising with suppliers prior to or during a procurement process, including acceptance of gifts, benefits or hospitality, with the intent of personal gain
- not declaring conflicts of interest
- prior to or during a procurement process only one or a select few suppliers are provided with additional information with the intent of giving them a competitive advantage
- contracts negotiated in a manner that provides a favourable outcome to one supplier that is inconsistent with value for money principles
Contract Management
- payment made for goods/services that are not delivered or are inferior with the intent of personal gain through collusion
- contractors influencing DFAT decision making to guide the decision in a manner from which the contractors gain a personal or commercial advantage
- DFAT staff accepting and hiding inappropriate changes in scope or price for work tendered/quoted in return for personal gain
- communicating or fraternising inappropriately with a contractor, including acceptance of gifts, benefits or hospitality, with the intent of personal gain
- unauthorised disclosure of commercial-in-confidence information (eg. pricing, intellectual property etc.) to provide undue competitive advantage
The following are the controls that mitigate these risks:
Procurement
- relevant financial delegates must approve all procurement and associated expenditure (Regulation 9) and where a delegate undertakes procurement, all approvals must be exercised by another delegate
- procurement policy requires a specific number of quotes to be requested or an open tender process to be undertaken and all exceptions approved in writing by a delegate
- the financial delegate is to approve the procurement evaluation and outcome
- DFAT's procurement policy and guidance is available to all staff via the department's intranet and sets out processes to follow to ensure compliance with Commonwealth procurement policy
- the Conduct and Ethics Manual and the APS Code of Conduct provide the framework for staff to disclose conflicts of interest, gifts or hospitality and behave in an appropriate manner. DFAT's procurement guidance provides further detail regarding probity considerations that apply to procurement processes
- DFAT procurement guidance includes information on how to handle approaches to the market and communications with suppliers to ensure all suppliers receive the same information when undertaking a procurement process
- DFAT security policy provides information about handling classified information
- the Procurement and Contracts Governance Section (PGS) will implement arrangements to analyse compliance with procurement policy and procedures and to identify procurement splitting to avoid threshold requirements
Contract Management
- the staff member that receives the goods/services is required to record on the invoice that the goods have been received when submitting invoices for payment
- where a contractor wrongfully provides input into a decision-making process, the contractor and their company are excluded from any subsequent procurement process, or the necessary conflict of interest declarations are made and treatments put in place
- DFAT contract templates include the requirement for contractors and their personnel to comply with the APS Code of Conduct and DFAT's Code of Conduct for Overseas Service, and the requirement to declare any real or perceived conflicts of interest
- changes to scope or price must be approved by the relevant financial delegate. Details of the change must be entered in DFAT's contract database
- the Conduct and Ethics Manual and the APS Code of Conduct provide the framework for staff to disclose conflicts of interest, gifts or hospitality and behave in an appropriate manner. DFAT's procurement guidance provides further detail regarding probity considerations that apply to contract management
- DFAT security policy provides information about handling classified information
- the Procurement and Contracts Governance Section (PGS) will implement arrangements to analyse contract management practices as well as to identify non-compliance with procurement policy for contract variations and invoice splitting to avoid thresholds.
The following are the individual risks and their specific controls:
Procurement

| RISK: Placement of orders with specific suppliers in return for personal benefit | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Moderate |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director PGS |


| RISK: Deliberately avoiding or manipulating a procurement process to avoid DFAT procurement policies (e.g. thresholds, approvals etc.) for personal gain or collusion | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Moderate |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director PGS |


| RISK: Unauthorised disclosure of commercial-in-confidence information to a supplier/s with the intent of giving them a competitive advantage | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Moderate |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director PGS |


| RISK: Fraternising with suppliers prior to or during a procurement process, including acceptance of gifts, benefits or hospitality, with the intent of personal gain | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Moderate |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director PGS |


| RISK: Not declaring conflicts of interest | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Moderate |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director PGS |


| RISK: Prior to or during a procurement process only one or a select few suppliers are provided with additional information with the intent of giving them a competitive advantage | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Moderate |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director PGS |


| RISK: Contracts negotiated in a manner that provides a favourable outcome to one supplier that is not consistent with value for money principles | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director PGS |

Contract Management

| RISK: Payment made for goods/services that are not delivered or are inferior with the intent of personal gain through collusion | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director PGS |


| RISK: Contractors influencing DFAT decision making to guide the decision in a manner from which the contractor gains a personal or commercial advantage | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Moderate |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director PGS |


| RISK: DFAT staff accepting and hiding inappropriate changes in scope or price for work tendered/quoted in return for personal gain | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director PGS |


| RISK: Communicating or fraternising inappropriately with a contractor, including acceptance of gifts, benefits or hospitality, with the intent of personal gain | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Moderate |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director PGS |


| RISK: Unauthorised disclosure of commercial-in-confidence information (eg. pricing, intellectual property etc.) to provide undue competitive advantage | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Moderate |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director PGS |

Travel in Australia and Overseas
The following risks have been identified in travel and information systems:
- unauthorised issue of a visa for non official use
- false information and/or documentation in support of a visa or travel application
- illegal use of visas by impostors
- unauthorised access to information contained within the travel systems used by the department
- employees retaining travel advance funds for travel not undertaken or for altered itineraries
- employees taking or extending trips which are unnecessary
- employees staying at more expensive hotels when travelling overseas than can be justified
- employees seeking reimbursement for a mode of travel other than that taken
- duplicate payment of airfares
- failure to declare meals provided at official expense for which allowances have been paid
- use of official frequent flyer points for private travel.
The following controls are in place to mitigate these risks:
- all Visalink visa applications must be authorised by the visa clerk
- Visalink is paid by the relevant Division's or traveller's credit card
- cardholders acquit their statement (and attach original supporting evidence documentation) within 7 days of receipt of the statement
- cardholder statements are subject to an independent review
- the official must acquit their travel
- proposed travel arrangements are approved by an authorised delegate
- officials are required to declare loyalty reward program point balances
- access to information contained within the travel systems (SAP and PTWS) used by the Department is restricted to relevant staff within the Travel Unit
- other Government agencies and DFAT Divisions will only be given access to information pertaining to their respective areas.
The following are the individual risks and their treatments:

| RISK: Unauthorised issue of a visa for non-official use (including false information and/or documentation in support of a visa or travel application, illegal use of visas by impostors) | |
|---|---|
| Risk Treatment | Controls currently in place to prevent fraudulent or unethical behaviour have been assessed as potentially inadequate. FTT will be reviewing the control processes associated with the issuing of Third Person Notes to determine what additional measures may be required. |
| Resource Implications | Work will be undertaken in FTT |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Manager, Financial Training and Travel, FTT will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Manager Financial Training and Travel, FTT |


| RISK: Unauthorised access to information contained within the travel information systems (SAP and PTWS) used by the department | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Manager, Financial Training and Travel, FTT will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Manager Financial Training and Travel, FTT |


| RISK: Employees retaining travel advance funds for travel not undertaken or for altered itineraries | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Manager, Financial Training and Travel, FTT will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Manager Financial Training and Travel, FTT |


| RISK: Employees taking or extending trips which are unnecessary | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Manager, Financial Training and Travel, FTT will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Manager Financial Training and Travel, FTT |


| RISK: Employees staying at more expensive hotels when travelling overseas than can be justified | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Manager, Financial Training and Travel, FTT will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Manager Financial Training and Travel, FTT |


| RISK: Employees seeking reimbursement for a mode of travel other than that taken | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Manager, Financial Training and Travel, FTT will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Manager Financial Training and Travel, FTT |


| RISK: Duplicate payment of airfares | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Manager, Financial Training and Travel, FTT will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Manager Financial Training and Travel, FTT |


| RISK: Use of official frequent flyer points for private travel | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Manager, Financial Training and Travel, FTT will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Manager Financial Training and Travel, FTT |


| RISK: Failure to declare meals provided at official expense for which allowances have been paid | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Manager, Financial Training and Travel, FTT will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Manager Financial Training and Travel, FTT |

Salaries and Allowances
The following are the risks identified in the area of salaries and allowances:
- fraudulent payment in excess of authorised remuneration
- duplicate payments
- payments to 'ghosts' (false identities) for personal gain
- continued payments to individuals who have ceased employment
- fraudulent payments to staff without a position number
- staff in PSS section modifying their own data in PeopleSoft for personal gain
- fraudulent payment of allowances
- payment of an allowance not due
- duplicate payment of allowances for personal gain
- failure to detect errors in payment of salaries or allowances
- failure to record leave taken.
The following are the controls that are applied to the area of salaries and allowances:
- access controls within PeopleSoft are reviewed monthly
- PeopleSoft Self Service module is now rolled out to the majority of overseas posts allowing for greater accuracy in leave processing
- new starter information is provided to Pay and Conditions staff by Staffing Branch for entry into PeopleSoft
- all new starters must be security cleared before they are entered into PeopleSoft
- salaries are calculated in PeopleSoft according to the level and classification of the employee
- a second employee reviews new entries into PeopleSoft
- DFAT Enterprise Agreement provides guidance about allowances
- written advice is required from employees before changes will be made to salary distribution
- a 'pay variation' report, listing pay variances above or below 10 per cent, is generated before each pay and reviewed by Pay and Conditions team leaders
- a letter of resignation is required from separating employees before their final entitlements are calculated by Pay and Conditions
- redundancy payments are reviewed by the Pay and Conditions Manager
- exit checklists are completed by all separating employees before the employee's final pay will be processed
- access controls within PeopleSoft have been tightened and are reviewed monthly
- additional procedures for checking data verification including for transfer of leave liabilities.
The following are the individual risks and their specific controls:

| RISK: Fraudulent payment in excess of authorised remuneration | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director, PSS will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director PSS |


| RISK: Duplicate payments for personal gain | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director, PSS will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director PSS |


| RISK: Payments to 'ghosts' (false identities) for personal gain | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director, PSS will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director PSS |


| RISK: Continued payments to individuals who have ceased employment | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director, PSS will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director PSS |

| RISK: Fraudulent payments to staff without a position number | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | Risk treatments will be reviewed every two years as part of the biennial review of the Fraud Control Plan, in accordance with the procedures set out in the Financial Management and Accountability Act 1997. Every six months, the Director, PSS will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director PSS |
| RISK: Staff in REC section modifying their own data in PeopleSoft for personal gain | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | Risk treatments will be reviewed every two years as part of the biennial review of the Fraud Control Plan, in accordance with the procedures set out in the Financial Management and Accountability Act 1997. Every six months, the Director, PSS will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director PSS |
| RISK: Fraudulent payment of allowances | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | Risk treatments will be reviewed every two years as part of the biennial review of the Fraud Control Plan, in accordance with the procedures set out in the Financial Management and Accountability Act 1997. Every six months, the Director, PSS will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director PSS |
| RISK: Payment of an allowance not due | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | Risk treatments will be reviewed every two years as part of the biennial review of the Fraud Control Plan, in accordance with the procedures set out in the Financial Management and Accountability Act 1997. Every six months, the Director, PSS will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director PSS |
| RISK: Duplicate payment of allowances | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | Risk treatments will be reviewed every two years as part of the biennial review of the Fraud Control Plan, in accordance with the procedures set out in the Financial Management and Accountability Act 1997. Every six months, the Director, PSS will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director PSS |
| RISK: Failure to detect errors in payment of salaries or allowances | |
|---|---|
| Risk Treatments | |
| Resource Implications | |
| Risk Analysis Rating | Moderate |
| Strategy Timeframe | Risk treatments will be reviewed every two years as part of the biennial review of the Fraud Control Plan, in accordance with the procedures set out in the Financial Management and Accountability Act 1997. Every six months, the Director, PSS will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director PSS |
Post and Locally Engaged Staff Management Issues Section
The following are the risks identified in this area:
- rebate of employer contributions to host social welfare agencies either not reported when received by LES on sick/maternity leave, or redirected from post to private bank accounts.
The following are the existing controls:
- improve Australia-based staff (A-based) awareness of local labour law and social security systems in their countries of service
- increase LES awareness of their Code of Conduct and potential action/consequences for any breaches
- rebates are to be paid to the post where possible rather than to the employee, or an obligation to declare rebates is added to the LES Conditions of Service in the relevant countries.
| RISK: Double payment to LES on sick/maternity leave by the host social welfare agency and the department. Host social welfare agencies provide sick/maternity pay directly to LES without the department being informed by the welfare agency or the LES. | |
|---|---|
| Risk Treatment | Existing controls |
| Resource Implications | Nil |
| Risk Analysis Rating | Moderate |
| Strategy Timeframe | Risk treatments will be reviewed every two years as part of the biennial review of the Fraud Control Plan, in accordance with the procedures set out in the Financial Management and Accountability Act 1997. Every six months, the Director, PLI will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director PLI |
| RISK: Rebate of employer contributions to host social welfare agencies either not reported when received by LES on sick/maternity leave, or redirected from post to private bank accounts. | |
|---|---|
| Risk Treatment | |
| Resource Implications | Nil |
| Risk Analysis Rating | Moderate |
| Strategy Timeframe | Risk treatments will be reviewed every two years as part of the biennial review of the Fraud Control Plan, in accordance with the procedures set out in the Financial Management and Accountability Act 1997. Every six months, the Director, PLI will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director PLI |
Information Technology and Information Security
The following risks have been identified:
- allocation of unnecessary or excess access authority in SAP
- inadequate separation of duties in SAP
- unchecked SAP audit reports
The following controls exist in this area:
- all servers and other critical equipment are housed in two secure computer rooms with access restricted to technical administrators
- high-side systems have no floppy or hard drives
- all contract staff requiring access are cleared to an appropriate level or supervised when dealing with material or equipment beyond their level of clearance
- a DFAT employee is always present at installations
- installations are conducted using procedures consistent with Government guidelines
- equipment is only installed in an environment that is appropriately secured
- after each installation, documentation is prepared by the installation team and signed off by a Director from IMD
- senior employees from Central Office perform quality checks on large or particularly sensitive installations
- staff are cleared to a security level appropriate to their duties and responsibilities
- security clearances are re-evaluated every five years and mid-term periodic appraisals are conducted every two and a half years
- all external connections and changes to the systems must be approved by a Director from IMD
- all communications are encrypted using military grade encryption for high-side data
- all communications rooms and communications equipment are secured at all times
- the Internet firewall that protects the low-side network from unauthorised access is endorsed by DSD
- communication between other government organisations and DFAT is currently encrypted using techniques appropriate to the level of sensitivity of the information
- access to DFAT systems by vendors for maintenance and support of products is on an "as required" basis. Vendors are called in and supervised on site
- changes to IT&T infrastructure and applications are submitted to a Change Review Board
- valid user IDs and passwords are mandatory for access to DFAT systems
- Satin has password lockout after 3 failed attempts. Satin access controls require all password lockouts on the high-side system to be reset by the System Administrator
- use of complex passwords and strong password controls is mandated
- high-side system user accounts are actively monitored. On a monthly basis an additional check is made on the Access Control List to identify any inactive user IDs that may have been missed. Inactive user IDs are suspended while the reason for their inactivity is queried. Suspended user IDs are deleted if it is determined that the user no longer needs access to high-side systems
- PICS/DELTA -an employee independent of the technical administration function monitors system logs and provides reports on a monthly basis
- PICS/DELTA - all passport function processes have an auditable trail
- formal arrangements are in place to ensure all consultants working on the department's mainframe are aware of and comply with the department's fraud control policy
- the department's acceptable use policy for laptop computers forbids the saving of material above X-IN-CONFIDENCE on standard laptop computers.
- SAP - monitoring of system logs by an employee independent of the technical administration function to continue on a regular basis.
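Three of the controls above are checks that can be scripted over an access extract rather than eyeballed: the monthly sweep of the Access Control List for inactive user IDs, the separation-of-duties check in SAP, and the check for unnecessary or excess access. The script below is an added example, not the department's SAP or Satin configuration; the role names, conflict matrix, job profiles, 90-day dormancy threshold and sample users are all constructed assumptions. A real SAP separation-of-duties check would work at the level of authorisation objects and transaction codes rather than whole roles, but the logic is the same.

```python
"""Periodic access review: separation-of-duties conflicts, roles outside a
user's job profile, and dormant user IDs.

Added illustration, not the department's SAP or Satin configuration: the role
names, conflict matrix, job profiles, 90-day dormancy threshold and sample
users are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Tuple

REVIEW_DATE = date(2011, 6, 30)  # assumption: the date the review is run

# Hypothetical conflict matrix: pairs of roles no single user may hold.
SOD_CONFLICTS: FrozenSet[FrozenSet[str]] = frozenset({
    frozenset({"VENDOR_MAINTAIN", "PAYMENT_RELEASE"}),  # create a payee and pay it
    frozenset({"PO_CREATE", "INVOICE_APPROVE"}),        # order and approve own invoice
    frozenset({"USER_ADMIN", "PAYMENT_RELEASE"}),       # grant oneself access and pay
})

# Hypothetical role catalogue: the roles each job profile is entitled to.
JOB_PROFILES: Dict[str, FrozenSet[str]] = {
    "AP_CLERK": frozenset({"INVOICE_ENTRY", "VENDOR_DISPLAY"}),
    "AP_MANAGER": frozenset({"INVOICE_APPROVE", "PAYMENT_RELEASE", "VENDOR_DISPLAY"}),
    "PROCUREMENT": frozenset({"PO_CREATE", "VENDOR_DISPLAY"}),
    "BASIS": frozenset({"USER_ADMIN"}),
}


@dataclass(frozen=True)
class User:
    uid: str
    job: str                    # job profile the user's access should derive from
    roles: FrozenSet[str]       # roles actually assigned in the system
    last_logon: Optional[date]  # None: the ID has never been used


def sod_conflicts(users: List[User]) -> List[Tuple[str, str, str]]:
    """Users holding both halves of a conflicting role pair."""
    hits = []
    for u in users:
        for a, b in combinations(sorted(u.roles), 2):
            if frozenset({a, b}) in SOD_CONFLICTS:
                hits.append((u.uid, a, b))
    return hits


def excess_access(users: List[User]) -> List[Tuple[str, List[str]]]:
    """Roles assigned beyond what the user's job profile entitles them to."""
    hits = []
    for u in users:
        extra = sorted(u.roles - JOB_PROFILES.get(u.job, frozenset()))
        if extra:
            hits.append((u.uid, extra))
    return hits


def dormant_accounts(users: List[User], as_of: date, max_idle_days: int = 90) -> List[str]:
    """User IDs with no logon inside the window; never-used IDs count as dormant."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(u.uid for u in users
                  if u.last_logon is None or u.last_logon < cutoff)


def access_review(users: List[User], as_of: date = REVIEW_DATE) -> Dict[str, list]:
    """The three checks combined, as one periodic review run would produce them."""
    return {
        "sod_conflicts": sod_conflicts(users),
        "excess_access": excess_access(users),
        "dormant": dormant_accounts(users, as_of),
    }


def sample_users() -> List[User]:
    """Constructed user list; each anomaly is deliberate."""
    return [
        User("U_ALICE", "AP_CLERK", frozenset({"INVOICE_ENTRY", "VENDOR_DISPLAY"}),
             date(2011, 6, 20)),                                   # clean
        User("U_BOB", "AP_MANAGER",
             frozenset({"INVOICE_APPROVE", "PAYMENT_RELEASE", "VENDOR_DISPLAY", "PO_CREATE"}),
             date(2011, 6, 28)),                                   # SoD conflict + excess role
        User("U_CAROL", "PROCUREMENT",
             frozenset({"PO_CREATE", "VENDOR_DISPLAY", "VENDOR_MAINTAIN"}),
             date(2011, 1, 10)),                                   # excess role, dormant
        User("U_DAVE", "BASIS", frozenset({"USER_ADMIN", "PAYMENT_RELEASE"}),
             None),                                                # SoD conflict, never used
        User("U_ERIN", "AP_CLERK", frozenset({"INVOICE_ENTRY"}),
             date(2011, 3, 31)),                                   # one day past the cutoff
    ]


if __name__ == "__main__":
    for check, rows in access_review(sample_users()).items():
        print(check, rows)
```

The dormancy check treats a never-used ID exactly like a stale one, which is the case the monthly ACL sweep above is meant to catch: an account created for a contractor or a posting that was never taken up. Shortening the interval between runs, the treatment proposed for the separation-of-duties risk below, is a one-line change to how often the review is scheduled, not to the check itself.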
| RISK: Inadequate separation of duties in SAP | |
|---|---|
| Risk Treatment | 1. Reduce the timeframe between checks of separation of duties |
| Resource Implications | Nil |
| Risk Analysis Rating | Moderate |
| Strategy Timeframe | Risk treatments will be reviewed every two years as part of the biennial review of the Fraud Control Plan, in accordance with the procedures set out in the Financial Management and Accountability Act 1997. Every six months, the Director, MIS will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director MIS |
| RISK: Unchecked SAP audit reports | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | Risk treatments will be reviewed every two years as part of the biennial review of the Fraud Control Plan, in accordance with the procedures set out in the Financial Management and Accountability Act 1997. Every six months, the Director, MIS will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director MIS |
| RISK: Allocation of unnecessary or excess access in SAP | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | Risk treatments will be reviewed every two years as part of the biennial review of the Fraud Control Plan, in accordance with the procedures set out in the Financial Management and Accountability Act 1997. Every six months, the Director, MIS will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CMD, Director MIS |
Diplomatic Security Branch (DSB)
Physical and Information Security
The following risks have been identified in the area of physical and information security generally:
- unauthorised disclosure of official information, including sensitive, confidential and classified information, for personal gain (in Canberra) (see Extreme Risks)
- unauthorised disclosure of official information, including sensitive, confidential and classified information, for personal gain (at posts)
- unauthorised disclosure of official information, including sensitive, confidential and classified information, for personal gain (at STOs and APOs)
- unauthorised access to DFAT premises (in Canberra)
- unauthorised access to DFAT premises (at posts)
- unauthorised access to DFAT premises (at STOs and APOs).
Physical and Information Security in Canberra
The following controls are in place in Canberra to ensure security of information and property:
- all access to the building is controlled through the use of security passes
- three security guards are on the building premises 24 hours a day
- the building is fitted with security cameras both within the building and around the perimeter
- the security cameras are monitored 24 hours a day by at least one security guard
- all visitors to DFAT must report to the reception desk upon arrival
- visitors are required to be signed in to the visitor management system and wear a visitors' pass while on the premises. Visitor passes are attached to brightly coloured lanyards to ensure they are visible
- the visitors' passes expire at the end of the day or week depending on the duration of issue
- all visitors must be escorted whilst in the building
- all DFAT Staff are required to have at least a minimal level security clearance
- staff attend a security awareness course as part of the induction process and regular security awareness and refresher courses thereafter
- access to work areas is controlled by security passes whose use can be audited
- security passes restrict staff access to certain areas of the building based on their work profile and security clearance
- if a security pass is not used for a period of time, the pass is deactivated
- audit facilities allow access to the building to be retraced
- specialised units within the department investigate fraud or security breaches
- security services have been contracted out to Sydney Night Patrol Security
- a department wide 'clear desk policy' reduces the risk that classified material is unintentionally left out overnight
- after-hours security guard patrols seek out unsecured classified material.
- staff are 'breached' if classified material is left out or a cabinet or compactus is left unlocked
- additional internal and external access controls (e.g. airlock doors etc) have been added to the R.G.Casey building
- divisions are allocated security breach targets/limits as formal performance measures.
The following are the individual risks and specific treatments to reduce the risk:
RISK: Unauthorised disclosure of official information, including sensitive, confidential and classified information, for personal gain in Canberra (see High Priority Risks section).

| RISK: Unauthorised access to DFAT premises (Canberra) | |
|---|---|
| Risk Treatment | |
| Resource Implications | |
| Risk Analysis Rating | Moderate |
| Strategy Timeframe | Risk treatments will be reviewed every two years as part of the biennial review of the Fraud Control Plan, in accordance with the procedures set out in the Financial Management and Accountability Act 1997. Every six months, the Director, OSS will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | Nature and extent of incidents of unauthorised access to DFAT premises |
| Responsible Division, Contact | CMD/DSB/Director OSS |
Physical and Information Security at Overseas Posts
The following controls are in place at overseas posts to ensure the security of information and property:
- departmental procedures for protecting official information are set out in the department's Security Instructions which are available to all A-based staff and summarised in the Annual Declaration of Information Security
- all A-based are required to sign an Annual Declaration of Information Security
- staff attend a mandatory Overseas Security Awareness course prior to going on posting
- staff attend a security briefing conducted by the Post Security Officer upon arrival at post
- access to the Chancery is controlled on the 'defence-in-depth' principle
- some posts have security guards
- some posts have external security lighting
- some posts have perimeter security walls and fences, with entry controlled by security gates and sometimes guards
- some chancery vehicle entry points are restricted by barriers
- some Chancery compounds are fitted with security cameras within the building and around the perimeter
- in some posts the security cameras are monitored 24 hours a day
- keypad operated airlock doors separate public from work areas
- all external doors are locked at night and keys are stored in key safes.
The following are the individual risks and the specific treatments for securing information and property at overseas posts:
| RISK: Unauthorised disclosure of official information, including sensitive, confidential and classified information, for personal gain (at overseas posts) | |
|---|---|
| Risk Treatment | |
| Resource Implications | |
| Risk Analysis Rating | Moderate |
| Strategy Timeframe | Risk treatments will be reviewed every two years as part of the biennial review of the Fraud Control Plan, in accordance with the procedures set out in the Financial Management and Accountability Act 1997. Every six months, the Director, SPC will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | Nature and extent of incidents of unauthorised disclosure of official information |
| Responsible Division, Contact | CMD/DSB/Director SPC |
| RISK: Unauthorised access to DFAT premises (at posts) | |
|---|---|
| Risk Treatment | |
| Resource Implications | 1. Divisional expense |
| Risk Analysis Rating | Moderate |
| Strategy Timeframe | Risk treatments will be reviewed every two years as part of the biennial review of the Fraud Control Plan, in accordance with the procedures set out in the Financial Management and Accountability Act 1997. Every six months, the Director, OSS will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | Nature and extent of incidents of unauthorised access to DFAT premises overseas |
| Responsible Division, Contact | CMD/DSB/Director OSS |
Physical and Information Security in State and Territory Offices and Australian Passport Offices
The following are the controls in place in State and Territory Offices (STOs) and Australian Passport Offices (APOs):
- all STOs/APOs are on upper floors of large, well-serviced office buildings
- after hours access to the building is restricted to authorised personnel
- access to basement parking areas is in most cases restricted to the vehicles of authorised tenants; pedestrian access, however, is not always similarly restricted
- access to the State Office suite is controlled through the use of access control systems
- security cameras oversee public waiting areas and the reception desk
- all visitors must report to the reception desk upon arrival or use a telephone handset at the entry door
- the larger State Offices, Sydney and Melbourne, have airlock doors between the public areas and the office
- visitors are required to sign a register and wear a visitors' pass while on the premises
- all visitors must be escorted whilst in the building
- all DFAT staff are required to have at least a minimal level security clearance
- staff attend a security awareness course as part of the induction process and attend regular security awareness refresher courses thereafter
- a department wide clear desk policy reduces the risk that classified material will be left out overnight
- staff are 'breached' if classified material is left out or a cabinet or compactus is left unlocked overnight
- security specialists, under contract to the department, review physical security in STOs/APOs each year to ensure that all Offices comply with government standards.
The following are the individual risks and proposed treatments to secure information and property at State and Territory Offices and Australian Passport Offices:
| RISK: Unauthorised disclosure of official information, including sensitive, confidential and classified information, for personal gain (at State and Territory Offices and Australian Passport Offices) | |
|---|---|
| Risk Treatment | |
| Resource Implications | |
| Risk Analysis Rating | Moderate |
| Strategy Timeframe | Risk treatments will be reviewed every two years as part of the biennial review of the Fraud Control Plan, in accordance with the procedures set out in the Financial Management and Accountability Act 1997. Every six months, the Director, OSS will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | Nature and extent of incidents of unauthorised disclosure of official information |
| Responsible Division, Contact | CMD/DSB/Director OSS |
| RISK: Unauthorised access to DFAT premises (at State and Territory Offices and Australian Passport Offices) | |
|---|---|
| Risk Treatment | Note recent security upgrades |
| Resource Implications | 1 - 5 Budgetary expense |
| Risk Analysis Rating | Moderate |
| Strategy Timeframe | Risk treatments will be reviewed every two years as part of the biennial review of the Fraud Control Plan, in accordance with the procedures set out in the Financial Management and Accountability Act 1997. Every six months, the Director, OSS will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | Nature and extent of incidents of unauthorised access to DFAT premises at STOs and APOs |
| Responsible Division, Contact | CMD/DSB/Director OSS |
Australian Passports Office
The following risks have been identified:
- altering of genuine passports (see High Priority Risks)
- issue of fraudulent or duplicate passports (see High Priority Risks)
- illegal use of passports by an impostor (see High Priority Risks)
- use of digitally altered passport images enables other criminal activity such as financial fraud
- breach of passports system (PICS - CITEC mainframe) for personal benefit
- fraudulent sale of accountable documents
- theft of accountable documents
- theft of passport application fees
- issue of a passport when the application fee has not been paid (except where the fee has been waived under the Australian Passports Act 2005).
The following are the controls that aim to mitigate against these identified risks:
Fraud Risk Control Measures (In Australia):
- Online Passport Information is available on the Corporate Information Database
- only original passport applications and proof of identity documents accepted
- all passport applications are submitted on a standard form
- an accredited interviewer interviews all applicants and sights the relevant supporting documentation and confirms applicant's identity using the Personal Identity Documents System (PIDS)
- the accredited interviewer records the PICS or Post Office identification on the application form and provides a declaration under the Australian Passports Act 2005 that all information has been checked and is accurate
- a schedule of passport fees is displayed in Passport Offices and in Australia Post Offices so clients know how much they should be charged
- the CASHMAN system identifies the appropriate fee when the application is scanned
- all applicants are given a receipt for passport fees paid
- the receipt number is recorded on the application form and in PICS
- cash drawers are kept in a B class cabinet overnight and when not in use
- DFAT employees are required to balance their cash drawer daily (using the CASHMAN system)
- a supervisor investigates cash drawer discrepancies and reports to the Finance Manager
- DFAT employees are liable for cash drawer shortfalls
- the CASHMAN system generated collector statement is given to the National Cashier daily for reconciliation and banking
- unannounced monthly checks are conducted on collections and banking by an independent officer reporting to the Finance Manager
- passport revenue is reconciled monthly to PICS
- annual revenue checks are performed by ANAO
- the National Cashier gives the DFAT employee a receipt for cash takings
- application forms are scanned into the DELTA system in a timely manner
- the operator confirms the data scanned into DELTA
- PICS access is controlled centrally and functions are limited
- the PICS system performs data integrity checks automatically on each application and alerts the Eligibility Officers if details are not verified
- PICS instructs Eligibility Officers on the correct steps to be followed in resolving any alert flowing from the data integrity checks. For high risk resolution issues Eligibility Officers must confirm these steps were followed and / or are required to add a mandatory explanation of how the issue was resolved
- the PICS system assesses applicants as low, medium, high or very high risk. The level of risk influences the vetting process
- on-line validation of cardinal documents is available and utilised
- Eligibility C integrity checking automatically screens certain high/very high risk applications, and certain other categories of application, for vetting/approval by a Team Leader
- high risk applicants are automatically referred to a senior eligibility officer for assessment
- a random sample of low risk application and a percentage of probationary eligibility officers' work are automatically referred to senior eligibility officers to ensure consistency of decision and conformity with requirements
- authorising employees cannot choose an application from the eligibility queue but must take the first application in the queue
- applications are put on hold while being assessed so that they do not automatically process
- the image of each passport applicant is compared to the entire FR database of 15 million images using facial recognition software with the results reviewed by the Eligibility Officer for potential identity fraud
- print/laminate staff verify the data recorded in DELTA before the passport is printed
- the PICS system automatically allocates the next passport number
- Print/laminate staff match the passport number to the number on the next available passport
- all passports prepared are subject to quality control standards
- all passport spoils are processed in PICS, signed off by the operator and referred to a custodian for destruction
- depending on when the passport is spoiled, the PICS system automatically refers the application to the appropriate queue (i.e. print/laminate or eligibility)
- the custodian reconciles spoiled passports received to PICS and then records the spoil date on PICS
- a replacement passport cannot be reprinted for a spoilt passport until the destruction certificate is acquitted in the system by a second person
- the custodian shreds all spoiled passports, a second employee witnesses, and they both sign the spoil sheet after destruction
- access to queues in DELTA is restricted (staff cannot perform all functions)
- access to passport print rooms are physically restricted to print officers
- blank supplies of passports are issued daily to print officers who must acquit the supply and return unused blank booklets to the custodian each end of day
- strict accountability is enforced for the storage and issue of bulk stocks of blank documents
- 80% of full validity passports are printed at central printing offices in Canberra or Sydney
- passports are despatched by registered mail
- an annual fraud risk assessment is prepared by Passports Branch
- specialised fraud investigation staff have been appointed to all passport offices in Australia
- an AFP officer has been seconded to the Sydney Passport Office
- PICS highlights reasons why an application is assessed as high risk
- APO maintains current document security expertise and incorporates advanced technologies into the passport booklet, which limits the possibility of subsequent data alteration
- advanced passport production techniques limit the viability of attempting to forge a whole document
- the PICS - CITEC mainframe is located in a secure location, services are provided by a trusted service provider, staff are security cleared and access controls are in place.
Fraud Risk Control Measures (At Overseas Posts):
- Online Passport Information is available on the departmental intranet
- only original copies of the application and proof of identity documentation (or certified copies) are accepted
- all passport applications are submitted on a standard form
- an interviewing employee sees all new applicants, sights relevant supporting documentation, and signs the declaration on the form
- a schedule of application fees is posted in the client waiting area so clients know how much they should be charged
- all applicants are given a receipt (cash register or hand written) when the application fee is paid
- the receipt number is recorded on the application form
- cash drawers are kept in B class cabinet overnight and when not in use
- collectors are required to balance their cash drawer daily
- all cash drawer discrepancies are investigated
- certifying employees are liable for cash drawer shortfalls
- collections are reconciled and banked on a daily basis
- the Accountant gives the Collectors a receipt for cash takings
- PICS access is controlled centrally and functions are limited
- the PICS system performs some automatic checks and displays an alert if details need to be verified
- the TARDIS system checks applications for alerts
- all applications except those for London and Washington are assessed for eligibility at the Central Eligibility Office in Canberra
- all full validity passports are printed at the central printing offices in Canberra and Sydney
- passports are despatched by DHL courier to overseas posts
- secure mail systems are used at posts to despatch passports
- print/laminate staff verify the data before the passport is printed
- the TARDIS system alerts the operator if a passport number has already been used
- all passport spoils are processed in PICS/TARDIS, signed off by the operator and referred to a custodian for destruction
- the custodian reconciles spoiled passports during the quarterly document check
- the custodian shreds all spoiled passports, a second employee witnesses, and they both sign the spoil sheet after destruction
- a monthly reconciliation of revenue to actual passports issued is performed.
- periodic checks of accountable forms (Finance Management Manual 12.6 checks) are performed
- a six monthly stock take is carried out of all passport stocks held at Posts
- on-line validation of primary identity documents and personal details
- eligibility officers record reasons for low or high assessments on PICS
- automated Births Deaths and Marriage (BDM) checks during ELLO
- DVS BDM checks and validation
- rules-based manual assessments of DELTA records are conducted for Emergency Passport applications.
The following matrices identify individual risks, their ratings and the individual controls being introduced:
| RISK: Use of digitally altered passport images enables other criminal activity such as financial fraud | |
|---|---|
| Risk Treatments | 1. APO undertakes outreach work to inform the domestic ID user community about document security features and related fraud awareness |
| Resource Implications | |
| Risk Analysis Rating | Low |
| Strategy Timeframe | Risk treatments will be reviewed every two years as part of the biennial review of the Fraud Control Plan, in accordance with the procedures set out in the Financial Management and Accountability Act 1997. Every six months, the Director, PFS will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | Number of training sessions provided to ID user organisations |
| Responsible Division, Contact | APO, Director PFS |
| RISK: False information and false documents in support of passport applications | |
|---|---|
| Risk Treatments | |
| Resource Implications | |
| Risk Analysis Rating | Moderate |
| Strategy Timeframe | Risk treatments will be reviewed every two years as part of the biennial review of the Fraud Control Plan, in accordance with the procedures set out in the Financial Management and Accountability Act 1997. Every six months, the Director, PFS will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | APO, Director PFS |
| RISK: Theft of passport application fees | |
|---|---|
| Risk Treatments | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director, PFS will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | APO, Director PFS |

| RISK: Issue of a passport when application fee has not been paid | |
|---|---|
| Risk Treatments | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director, PFS will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | APO, Director PFS |

| RISK: Fraudulent sale of accountable documents | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Moderate |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director, PST will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | APO, Director PST |

| RISK: Theft of accountable documents | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director, PST will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | APO, Director PST |

| RISK: Breach of passports system (PICS - CITEC mainframe) for personal benefit | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | data. |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director, PST will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | APO, Director PST |

Consular Public Diplomacy and Parliamentary Affairs Division
Records Management
The following are the risks identified in records management:
- unauthorised disclosure of information contained on a file, either paper or electronic, for personal gain
- fraudulent altering of information on a file, either paper or electronic, for personal gain.
The following are the controls currently in place:
- files are classified based on the most highly classified information on the file
- all files and their locations are recorded in TRIM/EDRMS
- tight security and access controls apply to all files and documents in EDRMS
- strict privacy provisions and controls are applied to any personnel files
- tailored security and access control models for files and documents in posts and divisions which take account of particularly sensitive information
- security access is set by position, not individual person, so officers only have access to the information within their designated work areas
- clear guidelines and training on managing access to information
- broader access is limited to designated administrator positions
- EDRMS provides a full audit trail of access to information which:
  - is a deterrent against misuse; and
  - allows rapid identification of any individuals engaged in suspected misuse
- regular technical checks to confirm that EDRMS access controls are working effectively.
The following are the individual risks and their controls:
| RISK: Unauthorised disclosure of information contained on a file, either paper or electronic, for personal gain | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director, COR will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CPD, Director COR |

| RISK: Fraudulent altering of information on a file, either paper or electronic, for personal gain | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director, COR will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CPD, Director COR |

Consular Loans
The following risk has been identified:
- failure to repay a traveller emergency loan.
The following controls are in place:
- Consular Handbook Chapter 8 regulations.
| RISK: Failure to repay a traveller emergency loan | |
|---|---|
| Risk Treatment | |
| Resource Implications | |
| Risk Analysis Rating | Moderate |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director, CTS will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CPD, Director CTS |

Notarial Services
The following new risk has been identified:
- notarial practices and fees charged for notarial acts: potential for over- or under-charging for notarial acts performed and non-receipt of fees received.
The following controls are in place:
- pre-posting training and regular regional consular training overseas for A-Based and Locally Engaged Staff which provides guidance on fee charging
- an online e-learning module "Notarials: A Practical Guide"
- comprehensive advice on notarial practices contained in Chapter 43 of the Consular Handbook and the Notarial Guidelines for State and Territory Offices (43.8.6 of the Handbook requires posts to prominently display, in English and the local language, the current schedule of fees)
- collectors of public monies, including notarial officers, are subject to random examination of receipts as well as department audit reviews
- guidance provided in the Financial Management Manual, such as prominent display of notices to clients that official receipts are issued for every consular service.
| RISK: Potential for over- or under-charging for notarial acts performed and non-receipt of fees received | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Director, CTS will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CPD, Director CTS |

ExecCorro and Ministerial Submission System
The following risk has been identified:
- misuse of ExecCorro or the Ministerial Submission System for personal benefit.
The following controls are in place:
- all servers and other critical equipment are housed in two secure computer rooms with access restricted to technical administrators
- high-side systems have no floppy or hard drives
- all contract staff requiring access are cleared to an appropriate level or supervised when dealing with material or equipment beyond their level of clearance
- a DFAT employee is always present at installations
- installations are conducted using procedures consistent with Government guidelines
- equipment is only installed in an environment that is appropriately secured
- after each installation, documentation is prepared by the installation team and signed off by the Director MIS
- senior employees from Central Office perform quality checks on large or particularly sensitive installations
- staff are cleared to a security level appropriate to their duties and responsibilities
- security clearances are re-evaluated every five years and mid-term periodic appraisals are conducted every two and a half years
- all external connections and changes to the systems must be approved by IMB
- all communications are encrypted using military grade encryption for high-side data
- all communications rooms and communications equipment are secured at all times
- the Internet firewall that protects the low-side network from unauthorised access is endorsed by DSD
- communication between other government organisations and DFAT is currently encrypted using techniques appropriate to the level of sensitivity of the information
- access to DFAT systems by vendors for maintenance and support of products is on an "as required" basis. Vendors are called in and supervised on site
- changes to IT&T infrastructure and applications are submitted to a Change Review Board
- valid user IDs and passwords are mandatory for access to DFAT systems
- Satin has password lockout after 3 failed attempts. Satin access controls require all password lockouts on the high-side system to be reset by the System Administrator
- use of complex passwords and strong password controls is mandated
- high-side system user accounts are actively monitored. On a monthly basis an additional check is made on the Access Control List to identify any inactive user IDs that may have been missed. Inactive user IDs are suspended while the reason for their inactivity is queried. Suspended user IDs are deleted if it is determined that the user is no longer in need of access to high-side systems
- PICS/DELTA: an employee independent of the technical administration function monitors system logs and provides reports on a monthly basis
- PICS/DELTA: all passport function processes have an auditable trail
- formal arrangements are in place to ensure all consultants working on the department's mainframe are aware of and comply with the department's fraud control policy
- SAP: monitoring of system logs by an employee independent of the technical administration function to continue on a regular basis
- the department's acceptable use policy for laptop computers forbids the saving of material above X-IN-CONFIDENCE on standard laptop computers.
| RISK: Misuse of ExecCorro or Ministerial Submission System for personal benefit | |
|---|---|
| Risk Treatment | Existing controls sufficient |
| Resource Implications | Nil |
| Risk Analysis Rating | Low |
| Strategy Timeframe | As part of the biennial review of the Fraud Control Plan, risk treatments will be reviewed every two years in accordance with the procedures set out in the Financial Management and Accountability Act, 1997. Every six months, Mgr, MCP will report to the CEU on the performance of the risk treatments. |
| Performance Indicators | |
| Responsible Division, Contact | CPD, PMB Manager MCP |

FCP REVIEWED