SOP2012–007 Page 1 of 3
Standard Operating Policy
FRAUD CONTROL FRAMEWORK IN AMBULANCE
SOP Document No.: SOP2012-007
File No.: 12/114 (D12/4851)
Date issued: 11 April 2012
Contents: Policy Statement Fraud Control Framework in Ambulance
Attachments:
1. Fraud Control Framework – Ambulance Service of NSW – Version 2012/01
2. Attachment 1 – Fraud Control Work Plan – 2012/12 – Ambulance Service of NSW – Version 2011/06
3. Fraud Risk Assessment 2010-2012
Author Branch: Professional Standards and Conduct Unit
Branch Contact: (02) 9320-7785
Division: Professional Standards and Conduct Unit
Summary: The purpose of this policy is to provide staff with information as to how fraud control is managed within Ambulance.
Applies to:
• All Ambulance Service of NSW staff
• All Operational staff
• All Administration staff
• All Headquarters staff
• Division staff (Aero Medical, Metropolitan and Regional)
• Operation Centres
Review Date: 1 November 2013
Previous Reference:
1. Ambulance Service of NSW – Fraud Policy (Extracted and Modified from the NSW Health Website http://www.health.nsw.gov.au/pubs/1997/pdf/annual_report_97.pdf) NSW Health Annual Report 1996/97 – Appendix 28, pg. 146 (Excerpt from Circular 93/70 and PD2005_059)
2. Fraud Control Strategy – Department of Health NSW – PD2007_070
Status: Active
Approved by: Chief Executive
Related Documents
• NSW Health Policy Directive – PD2007_070 Fraud Control Strategy
• SOP2007-012 Code of Conduct
Revision History
Version (Circular) Amendment notes
11 April 2012 (SOP2012-007)
Fraud Control Framework and Fraud Control Work Plan approved by Audit and Risk Committee and A/Chief Executive.
25 January 2012 (SOP2012-001)
SOP covering Fraud Control Framework and Fraud Control Work Plan approved by the A/Chief Executive.
16 December 2005 (IC05/30) 1996/97
Fraud Policy (Extracted and Modified from the NSW Health Website http://www.health.nsw.gov.au/pubs/a/ar9697/a2800.html) NSW Health Annual Report 1996/97 – Appendix 28 (excerpt from Circular 93/70 and PD2005_059)
Compliance with this policy directive is mandatory
Fraud Control Framework in Ambulance
Policy Statement
Statement of Attitude to Fraud
Ambulance has a zero tolerance approach to fraud.
Fraud Control in Ambulance
Ambulance has established a Fraud Control Framework which underpins the Ambulance Fraud Control Work Plan. All employees are to comply with the guidance provided under the Fraud Control Framework. The Fraud Control Framework is consistent with the Ambulance Code of Conduct. The Ambulance Fraud Control Work Plan outlines specific program risks which have been identified in the bi-annual risk assessment. Program Managers are required to maintain an awareness of and implement specific risk management strategies covered in the work plan which relate to their program areas.
Definition of fraud
For the purposes of this SOP, fraud is defined as any false representation or concealment of fact with the necessary criminal intent to permanently deprive someone or to induce someone to part with something of value. Benefits that are obtained by deception or other means can be either tangible or intangible.
Responsibilities of Staff in Fraud Control
Responsibility for fraud control includes prevention, detection, deterrence and response and is a shared responsibility across all levels of the Service.
The Chief Executive has overall responsibility for ensuring that the strategic aims of the Fraud Control Framework and Work Plan are complied with across Ambulance.
Director/s Operations/Corporate and General Managers have delegated responsibility to ensure that allocated elements of the plan's risk assessment are managed and reported upon as required.
The Chief Finance Officer, Director, Professional Standards and Conduct Unit and Manager, Risk Management have responsibility to conduct two yearly reviews of the Ambulance Risk Management Assessment and Fraud Control Work Plan. The review of the planning documents should also be undertaken when any new function/service or major structural change occurs within Ambulance.
All employees have a responsibility to report suspected incidents of fraud to either the Chief Executive, Director, Professional Standards and Conduct Unit, Director, Operations/Corporate, Chief Finance Officer or General Managers as appropriate.
All employees of Ambulance have a responsibility to comply with the risk management strategies that are applicable to their respective work place environments or level of decision making as outlined in the Fraud Control Framework and Fraud Control Work Plan.
All employees have a responsibility to comply with the Code of Conduct and Organisational Values. Employees may be called to account for their actions or non-action in compliance with that code.
Note: Failure of an employee to take reasonable action to report suspected fraud may amount to misconduct and may be dealt with in accordance with the Health Services Regulation 2008 and supporting Ambulance Procedural Guidelines for Dealing with Misconduct.
Review of the Fraud Control Work Plan
The Plan will be reviewed every two years on completion of the Risk Management Assessment review.
FRAUD CONTROL FRAMEWORK
AMBULANCE SERVICE OF NSW
VERSION 2012/01
Hierarchy of review
Delegated officer Date
Version (1) 2011/01 - 24/05/11 Version (2) 2011/02 - 02/06/11 Version (3) 2011/03 – 24/06/11 Version (4) Version (5) 12/10/11
Stephen Murphy, Investigation Officer, Professional Standards & Conduct Unit (PSCU) Incorporating comments by Director PSCU – Ms Marian O’Connell (MOC) Incorporating comments by Director Executive Support Joanna Clark Incorp changes by MOC Incorp changes by Chief Finance Officer (CFO) Incorp changes by CFO and General Manager (GM), Corporate Services
25/5/11 30/05/11 24/6/11 12/10/11 04/11/11
Review – Director PSCU
Marian O’Connell
18/10/11
Review – CFO
Stephen O’Malley
18/10/11
Review – Risk Management
Natasha Hallifax
Review - GM, Corporate Services
Michael Landsbergen
19/10/11
Approval - Chief Executive (CE)
Mike Willis
19/12/11
Endorsement Audit and Risk Management Committee Version 2012/01
19/3/12
Ambulance Service of NSW – Fraud Control Framework - p2
Table of Contents
1. BACKGROUND TO THE AMBULANCE SERVICE OF NSW
1.1 Statement of Attitude to Fraud
2. WHY FRAUD CONTROL?
2.1 Definition of fraud
2.2 Definition of Corruption
3. RESPONSIBILITIES OF STAFF IN FRAUD CONTROL
3.1 The Chief Executive
3.2 The Chief Finance Officer (CFO), Director, Professional Standards and Conduct Unit (PSCU) and Manager, Risk Management
3.3 Management
3.4 All employees
3.5 Fraud Control Responsibility – Implementation
4. FRAUD RISK ASSESSMENT
4.1 Qualitative Risk Analysis Matrix Utilised
5. FRAUD RISK MANAGEMENT
5.1 Managing Fraud Risk associated with outsource functions/consultancies/contractors
6. FRAUD INVESTIGATION CASE REFERRAL STANDARDS AND TRAINING
6.1 Fraud Awareness Training
6.2 Fraud Control Work Plan Training
6.3 Prosecution of Fraud
6.4 Reporting of Corruption or Maladministration
6.5 Fraud Investigation Standards
7. RELATIONSHIP WITH OTHER AMBULANCE PLANS
7.1 Corporate Plan
7.2 Strategic and Annual Internal Audit Plans
8. REVIEW OF THE FRAUD CONTROL WORK PLAN
Attachments
1 Fraud Control Work Plan - Ambulance
2 Fraud Control Strategy – Ministry of Health PD2007_070
3 Fraud Risk Management Assessment 2010-12
4 Ambulance Code of Conduct
5 Ambulance Service Values Chart
1. BACKGROUND TO THE AMBULANCE SERVICE OF NSW
The Ambulance Service is committed to providing high quality clinical care and health related transport services to the people of NSW. In the 2010/11 year, the Ambulance responded to 1149820 emergency and non-emergency incidents requiring Ambulance response. For the same period 837070 Emergency Triple Zero calls were also managed. The Ambulance employs over 4 300 people, with 90% being operational staff involved in the front line delivery of services. This includes Paramedics, Patient Transport Officers and specialised areas such as Intensive Care and Extended Care Paramedics, Special Operations, Counter Disaster, Aero Medical and Medical Retrieval. The remaining 10% of the workforce are corporate, clinical and other support staff that assist in the delivery of services.
1.1 Statement of Attitude to Fraud
Ambulance has a zero tolerance approach to fraud
Fraud damages the reputation of Ambulance in the wider community and impacts negatively on the resources available to promote and deliver Ambulance objectives. Ambulance is committed to minimising the incidence of fraud through the identification of risks and the development, implementation and regular review of a range of fraud prevention and detection strategies. Where there is substantial change in the structure or functions of Ambulance, or a transfer of functions (such as the result of outsourcing), Ambulance will undertake to reassess fraud risk by undertaking a Fraud Risk Management Assessment specifically in relation to the change and update the Fraud Control Work Plan accordingly. Each fraud prevention and detection strategy is designed to contribute to an environment based upon risk management, sound internal controls, monitoring and improvement to systems and proper ethical practices. Specifically they cover monitoring of the effective controls and new initiatives for high residual risk events. To achieve this Ambulance:
• reviews its Fraud Risk Management Assessment every two years and updates its Fraud Control Work Plan
• encourages and promotes professional and ethical business practice by staff and external service providers
• clearly defines the hierarchical reporting and decision making process with respect to suspected instances of fraud
• uses all available avenues to recover money or property lost through fraudulent activity
• where appropriate, prosecutes persons and/or organisations for fraud offences, should they occur
• implements arrangements for the provision of information, to the Professional Standards and Conduct Unit (PSCU) on all suspicions of/or a prima-facie case of fraud
• provides assurance to the probable identification of fraud through regular reviews and scrutiny of operations
To achieve this through its employees Ambulance:
• facilitates fraud awareness training for all employees
• trains selected employees in initial investigation techniques, including the recognition of fraud risk indicators and how they can implement measures and procedures to assist in the detection of fraud
• clearly articulates standards and procedures to encourage the minimisation and deterrence of fraud
2. WHY FRAUD CONTROL?
Fraud and corruption risks exist within all NSW Government Agencies. Fraud risk, as a category of corporate risk, presents any organisation with the greatest threat in respect to financial loss and damage to reputation. The nature of fraud and corruption means they are pervasive risks which constantly change and require ongoing monitoring. For these reasons, the NSW Independent Commission Against Corruption (ICAC) and Audit Office of NSW both recommend agencies assess their fraud and corruption risks on a regular basis, and ensure that steps are taken to effectively manage and prevent fraud and corruption from occurring. Ambulance has a requirement and a commitment to actively support the NSW Ministry of Health’s Fraud Control Policy – PD2007_070 (Attachment 1). This Fraud Control Framework and Work Plan provides for an effective tool to ensure that Ambulance meets its compliance obligations to the NSW Ministry of Health and relevant Health Policy in the areas of fraud control. The platforms of an effective fraud and corruption control framework are deterrence through strategies that manage:
• Prevention
• Detection and
• Investigation.
This Fraud Control Framework and Work Plan and the supporting risk assessment are key components of the fraud prevention and detection strategies that will be adopted by Ambulance. Fraud awareness training and an investigative response capability are key components of the fraud deterrence strategy.
2.1 Definition of fraud
For the purposes of this plan, fraud is defined as any false representation or concealment of fact with the necessary criminal intent to permanently deprive someone or to induce someone to part with something of value. The definition includes events or incidents involving:
• theft
• obtaining property, financial advantage or any other benefit by deception
• causing a loss, or avoiding or creating a liability by deception
• providing false or misleading information to the Ambulance, or failing to provide information where there is an obligation to do so
• making, using or possessing forged or falsified documents
• bribery, corruption, abuse of office or maladministration
• unlawful use of Ambulance computers, vehicles, telephones and other property or services
• any offence of a like nature to those listed above.
Benefits that are obtained by deception or other means can be either tangible or intangible. Some examples include:
• hacking into or interfering with an Ambulance computer system
• using Ambulance systems to gain access to other systems without authority
• charging Ambulance for goods or services that are incomplete or not delivered
• making false/fraudulent statements of claim against advertised positions
2.2 Definition of Corruption
Corrupt conduct is defined under the Independent Commission against Corruption Act 1988 as the dishonest or partial exercise of public official functions. It may also involve the conduct of non-public officials which adversely affects the honest and impartial exercise of a public official’s functions. Public officials include people working in government departments, statutory authorities and local councils in NSW, as well as judges and magistrates and elected officials. For conduct to be considered corrupt under the ICAC Act definition it has to be serious enough to involve a criminal or disciplinary offence or be grounds for dismissal. However, at the point a report is made to ICAC, the reporting officer need not know with any certainty that this seriousness test can be satisfied as this will often only be known after a full investigation. Some examples of corrupt conduct by public officials that fall within this definition include:
• A company wants to do business with the government and pays a public official to choose that company for the job
• A public official bypasses recruitment procedures to employ friends or family members
• A public official accesses confidential information as a favour to a friend
• A public official takes office petty cash to pay for personal items
• A public official extorts money from a client in their care
• A public official uses a work computer and e-mail address to run a private internet business
3. RESPONSIBILITIES OF STAFF IN FRAUD CONTROL
Responsibility for fraud and corruption control which includes prevention, detection, deterrence and response is a shared responsibility across all levels of Ambulance.
3.1 The Chief Executive has overall responsibility for ensuring that the strategic aims of the Fraud Control Framework and Work Plan are complied with across Ambulance Operational and Corporate. Director/s and General Managers have delegated responsibility to ensure that allocated elements of the plan's risk assessment are managed and reported upon as required.
3.2 The Chief Finance Officer, Director, PSCU, Manager, Risk Management have responsibility to conduct two yearly reviews of the Ambulance's Risk Management Assessment and Fraud Control Work Plan.
The review of the planning documents should also be undertaken when any new function/service or major structural change occurs within the organisation.
3.3 All employees have a responsibility to report suspected incidents of fraud/corruption to either the Chief Executive, Director, PSCU, Operational / Corporate Directors or General Managers as appropriate.
3.4 All employees have a responsibility to comply with the risk management strategies that are applicable to their respective work place environments or level of decision making.
All employees have a responsibility to comply with the Code of Conduct and Ambulance Service Values. Employees may be called to account for their actions or non-action in compliance with that code.
Note: Failure of an employee to take reasonable action to report suspected fraud/corruption may amount to misconduct and may be dealt with in accordance with the Health Services Regulation 2008 and supporting Procedural Guidelines for Dealing with Misconduct.
3.5 Fraud Control Responsibility – Implementation
Responsibility | Responsible Officer/Area | Finish date
Overall responsibility for ensuring compliance with the Fraud Control Framework and Work Plan. | Chief Executive | Ongoing
Coordinating the conduct of a risk assessment to ensure the ultimate delivery of a Fraud Control Work Plan every two years. | Chief Finance Officer; Director PSCU; Manager, Risk Management | Ongoing
Providing a central reporting point for allegations of incidents of fraud, ensuring that matters are appropriately recorded, investigated, referred (when and where appropriate) and reported. | Director PSCU | Ongoing
Coordination of training, including fraud awareness training. | Director PSCU | Ongoing
Prevention and detection of fraud within program areas through the strategic implementation of the internal control system and any other effective means. | All Ambulance program areas | Ongoing
Assisting with implementation of the Fraud Control Framework and Work Plan. | All staff | Ongoing
4. FRAUD RISK ASSESSMENT
Ambulance managers are responsible and accountable for understanding the potential risk areas that relate to their areas/program responsibilities. The Fraud Risk Management Assessment is a key document to aid managers in gaining an understanding of the range of fraud risk categories that the Ambulance is exposed to (Attachment 3).
4.1 Qualitative Risk Analysis Matrix Utilised
The Fraud Risk Management Assessment has been developed in accordance with Australian/New Zealand Risk Management Standard 4360. Fraud risks identified as part of the preparation of this assessment have been categorised as high, medium or low in accordance with the following Qualitative Risk Analysis Matrix:
CONSEQUENCE (columns) against LIKELIHOOD (rows)
LIKELIHOOD | Insignificant | Minor | Moderate | Major | Severe
Rare | Low | Low | Medium | Medium | High
Unlikely | Low | Medium | Medium | Medium | High
Possible | Low | Medium | Medium | High | Extreme
Likely | Medium | Medium | High | High | Extreme
Almost Certain | Medium | High | High | Extreme | Extreme
5. FRAUD RISK MANAGEMENT
5.1 Managing Fraud Risk associated with outsource functions / consultancies / contractors
Ambulance may use external service providers to enhance service delivery functions. To ensure the risk of fraud and corruption associated with external service providers is managed, when selecting service providers Ambulance provides assurance that the following issues are considered:
• the necessity for the service provider to meet and comply with procurement guidelines that may be instigated by Ambulance
• the depth of experience of the service provider including the outcomes of past work
• the solvency of the external service provider
• the potential for conflict of interest where the external provider is a client or provides other services to Ambulance
• the commitment of the service provider to comply with Information Privacy Principles as outlined in relevant Health policies, Acts or Regulations
• the need to meet the relevant levels of competency
6. FRAUD INVESTIGATION CASE REFERRAL STANDARDS AND TRAINING
6.1 Fraud Awareness Training
Ambulance recognises that the primary purpose of education and training in the area of fraud control is to contribute to the prevention and control of fraud by raising the level of awareness amongst staff. The objective is to aid staff in identifying fraudulent practices and to make it very clear that such practices will not be tolerated by the Ambulance.
Fraud awareness training will be incorporated into the Code of Conduct Training delivered to employees by the Professional Standards and Conduct Unit.
6.2 Fraud Control Work Plan Training
To facilitate internal review and modification of the Fraud Control Work Plan, Line Managers undertaking the Ambulance Management Qualification course will be provided with training on fraud and corruption control arrangements within Ambulance. Senior Ambulance Program Managers will be provided with specific training on an as needs basis. Training development and delivery will be coordinated through the PSCU.
6.3 Prosecution of Fraud
Ambulance has a policy to act on all instances of reported fraud. Prosecution or referral for prosecution will be assessed by the Chief Executive on advice from the Director PSCU, General Manager, Corporate Services or the Chief Finance Officer.
6.4 Reporting of Corruption or Maladministration
In accordance with ICAC guidelines all instances of reported corruption or maladministration will be reported to ICAC.
6.5 Fraud Investigation Standards
An investigation conducted by both employees of Ambulance and external contractors or consultants will be conducted in accordance with Ambulance Procedural Guidelines for Dealing with Misconduct. The guidelines are available on the Intranet link to the Professional Standards and Conduct Unit. When notified of suspected fraud the Director PSCU will consult with the Chief Executive to determine an appropriate course of action in relation to investigation and/or referral of the matter to the NSW Police or other relevant agency. The Chief Executive or delegated officer has the final determination on a decision to refer the matter to another agency, with the exception of mandatory reporting requirements to ICAC in relation to corruption and/or maladministration which rests with the Chief Executive as the Principal Reporting Officer.
7. RELATIONSHIP WITH OTHER ASNSW PLANS
7.1 Corporate Plan
The Ambulance Fraud Control Framework and Work Plan are key corporate documents and sit underneath the Ambulance Risk Management Assessment and Corporate/Operational Plans.
7.2 Strategic and Annual Internal Audit Plans
The Ambulance Audit and Risk Management Committee are responsible for endorsing the strategic planning in fraud risk management.
Internal audit services are provided under contract and are coordinated by the General Manager, Corporate Services on behalf of the Chief Executive.
8.1 REVIEW OF THE FRAUD CONTROL WORK PLAN
The Plan will be reviewed every two years on completion of the Risk Management Assessment review. The plan will also require review upon any major change to organisational structure, role or function of Ambulance. The Ambulance Audit and Risk Management Committee have responsibility for endorsing the Fraud Control Work Plan through the Chief Executive.
FRAUD CONTROL WORK PLAN
2010/12
AMBULANCE SERVICE OF NSW
VERSION 2012/01
Hierarchy of review
Delegated officer Date
Version (1) 2011/01 - 24/05/11 Version (2) 2011/02 - 02/06/11 Version (3) 2011/03 – 24/06/11 Version (4) 2011/04 – 29/09/11 Version (5) 2011/05 – 12/10/11
Stephen Murphy (PSCU) Incorporating comments by Director PSCU – Ms Marian O’Connell Incorporating comments by Director Executive Support Joanna Clark Incorporating comments from Director PSCU to move bulk of document to SOP Incorp comments from CFO and D-PSCU Incorp comments from GM-Corporate Services
25/5/11 30/05/11 24/6/11 29/9/11 12/10/11
Review – Director PSCU
Marian O’Connell
18/10/11
Review – Chief Finance Officer
Stephen O’Malley
18/10/11
Review – Risk Management
Natasha Hallifax
Review - General Manager – Corporate Services
Michael Landsbergen
19/10/11
Approval - Chief Executive
Mike Willis
19/12/11
Endorsement – Audit and Risk Management Committee Version 2012/01
19/3/12
Identified Fraud Risk Areas – Allocation of Responsibility
The following table highlights the current risk areas that have been targeted for review within the 2010/12 Services Fraud Risk Management Assessment. The table identifies areas of responsibility across Ambulance for development and implementation of relevant fraud risk control strategies.
Note: Further detail of the relevant risk areas can be found within the Deloitte Risk Assessment (Attachment 1).
Risk Descriptor Deloitte Fraud Risk Assessment 2010-12 – TAB 2
Responsible Officer/ Program Area
Strategies/tasks
Finish Date
R1 - Raise awareness of secondary employment requirements.
Director PSCU through code of conduct training
All line managers
Publish articles in sirens.
Re-enforce during code of conduct training
Incorporate into on-line code of conduct training
Include in induction training and AMQ
Ongoing
R2 – Update Award and address the lack of clarity in respect to On Call arrangements for employees.
Director Workforce
Incorporate on-call arrangements into Award
Completed 25/1/11 with publication of Administrative Bulletin AB2011-003 - Memorandum of Understanding (MOU) and Variation to Operational Awards
R3 – Update Fraud Control Policy to reflect corrupt conduct more clearly and link to the Code of Conduct.
Director PSCU
Incorporate definition into the Ambulance fraud control plan
Incorporate into code of conduct training for new employees
Incorporate into on-line training package for code of conduct
July 2011
R4 – Introduce annual sign off of all staff to abiding by the Code of Conduct.
Director PSCU
Incorporate into on-line code of conduct training and assessment.
September 2011
R5 – Strengthen processes over clinical and pharmaceutical supplies.
Director Operations (each region) General Manager Operations Manager Clinical Education Director PSCU
Conduct routine audits of drug registers as per policy. Review Ambulance Policy on management of S4 and S8 drugs. Develop process for managing breaches of drug policy in a consistent manner. Incorporate process training into relevant in service courses – drug management.
To be identified
R6 – Implementation of Rostering automated software.
Director Workforce General Manager Operations Director Operations Divisions Director Service Improvement Office
Note: a number of projects currently underway. Further info to be provided by project managers.
2013 (Scheduled delivery and implementation of E-Rostering – Service wide)
R7 – To consult with Internal Audit in respect to the process being undertaken to re-evaluate how Schedule 8 drugs could be better managed.
General Manager Operations Manager Clinical Education Director PSCU
Implement internal audit report 2011/15 recommendations.
As detailed in the audit report.
R8 – To continue lines of communication with the NSW Ministry of Health over the importance of obtaining enhanced reporting and controls over human resource related transactions.
Director Workforce Planning.
To be identified
R9A – To continue lines of communication with the NSW Ministry of Health over the importance of obtaining enhanced reporting and controls over accounts payable related transactions by DHHS.
Chief Finance Officer
To be identified
R9B – To reassess certain SOPs and update as appropriate to support transition to DHSS
Chief Finance Officer Director Workforce
To be identified
R10 – To revisit the Code of Conduct in respect to clarification on value of gifts so that they are consistent with ICAC requirements.
Director PSCU
Incorporate into on-line code of conduct training. Incorporate into revised Ministry Code of Conduct.
To be identified.
Fraud awareness training
Director PSCU
Facilitates fraud awareness training for all employees. Train selected employees in initial investigation techniques, including the recognition of fraud risk indicators and how they can implement measures and procedures to assist in the detection of fraud. Clearly articulates standards and procedures to encourage the minimisation and deterrence of fraud.
Ongoing Ongoing February 2012 on acceptance of the fraud control framework.
Liability limited by a scheme approved under Professional Standards Legislation.
Member of Deloitte Touche Tohmatsu Limited
Ambulance New South Wales Fraud Risk Assessment 2010 – 2012 November 2010
Distribution
Party Title
Mr Greg Rochford Chief Executive
Mr Michael Landsbergen General Manager, Corporate Services
Mr Stephen O’Malley Chief Finance Officer
Mr Harvey Christophers Partner, Risk Services, Deloitte
Ms Linda Waugh Account Director, Risk Services, Deloitte
Ms Petra Koziollek Account Director, Risk Services, Deloitte
Mr Lakshman Gunaratnam Account Director, Risk Services, Deloitte
AMBULANCE NSW
FRAUD CORRUPTION RISK ASSESSMENT NOVEMBER 2010
SECTION ONE: EXECUTIVE SUMMARY
Ambulance Service NSW – Fraud Risk Assessment 2010 - 2012 1
Contents
1. EXECUTIVE SUMMARY
2. BACKGROUND AND CONTEXT
3. KEY FINDINGS
4. AREAS FOR INTERNAL AUDIT CONSIDERATION
APPENDIX A: FRAUD AND CORRUPTION RISK MATRICES
APPENDIX B: LEGAL DEFINITION OF CORRUPT CONDUCT
APPENDIX C: FRAUD RATING DEFINITIONS
APPENDIX D: INTERVIEW AND WORKSHOP PARTICIPANTS
1. Executive Summary
1.1 Background
As part of the 2009/10 Internal Audit Plan agreed with the Ambulance Service of NSW (“the Service”), Deloitte Touche Tohmatsu (“Deloitte”) undertook an organisation-wide fraud and corruption risk assessment (FCRA). The engagement was performed in accordance with the agreed Terms of Reference dated 5 May 2010.
Fraud and corruption risks exist within all NSW Government Agencies and are frequently the areas which present greatest threat in respect of financial loss and damage to reputation. The nature of fraud and corruption means they are pervasive risks which constantly change and require ongoing monitoring. For these reasons, the NSW Independent Commission Against Corruption (ICAC) and Audit Office both recommend that agencies assess their fraud and corruption risks on a regular basis, and ensure that steps are taken to effectively manage and prevent fraud and corruption from occurring.
The platforms of an effective fraud and corruption control framework are prevention, detection and investigation. To achieve prevention and detection objectives, an agency must have a comprehensive and detailed understanding of its fraud and corruption risks and overall profile. It is this understanding that allows agencies to tailor their Audit Program and other risk management activities to ensure that high and emerging fraud and corruption risk areas are addressed appropriately. The incorporation into the Internal Audit Program fulfils proactive and detective objectives as recommended by both the ICAC and the Audit Office. A fraud and corruption risk assessment also serves to identify where fraud and corruption controls are absent, dated, inadequate or no longer effective, and where proactive strategies need strengthening to improve the fraud and corruption control environment. The Service has not previously undertaken a FCRA but has an established fraud and corruption risk framework which includes the Service’s Code of Conduct (2007) and a Fraud Policy (2005).
1.2 Objective and Scope
The key objectives of this engagement were to conduct an assessment of fraud and corruption risks and associated controls across all key business processes of the Service. The agreed deliverable was a Fraud and Corruption Risk Assessment report which includes fraud and corruption risk matrices, key considerations for the three year internal audit plan as well as a recommendations table for management’s consideration on the top ten fraud risks. The methodology followed can be found in Section Two – Background and Context.
The scope included coverage of key business processes in the following areas:
• Professional Standards and Conduct
• Finance and Data Services
• Public Affairs
• Operations
• Corporate Services
In discussion with Management it was agreed that the assessment would not cover Clinical Development as this was a specialised area and had alternate review mechanisms in place. The scope did include the Service’s control requirements for providers of out-sourced services. The assessment was conducted as a consulting engagement and in accordance with our Inherent Limitations. For the avoidance of doubt, the procedures that we performed as part of this engagement do not constitute an assurance engagement in accordance with Australian Standards for Assurance Engagements, nor does it represent any form of audit under Australian Standards on Auditing, and consequently no assurance conclusion or audit opinion has been provided.
1.3 Key Findings and Recommendations
1.3.1 Overall Comments
The Ambulance Service in the last decade has seen major expansion of demand for its services and has responded with major investment in staff and in operational capability. These have included:
• large increases in operational (and support) staff numbers and expansion in clinical and management training
• new clinical equipment, new vehicles (including fixed wing and rotary); new radio and computer-aided despatch systems
• new operational procedures, including better triage of calls (and more non-emergency response resources)
• new clinical protocols and less-fatigue-inducing shift systems (with shorter shifts).
Through our interviews and workshops it became evident that a number of the critical issues facing the Service, both as fraud risks and as areas for audit consideration, have arisen from the proportionately lesser development of administrative support systems at the Service and the heavy reliance on manual controls and paper-based systems. As a result, the efficiency of administrative processes is reduced and the risk of fraud is higher than in other agencies of similar size. That is the major finding from this Fraud and Corruption Risk Assessment. Without significant investment into the enabling underlying systems, such as a Payroll system for support services, the Ambulance will continue to bear significant inherent payroll related risks, including undetected fraud and error surrounding areas such as the processing and approval of timesheets, leave, and overtime. In addition to considerably reducing the likelihood and consequence of fraud risks, there are many other benefits to Ambulance were the payroll system upgraded or replaced. These include:
• savings that would arise through efficiencies from automated processes
• enhanced management reporting which would assist scheduling the rosters as well as monitoring allocation of overtime
• enhanced leave management.
We have seen many NSW government entities and State Owned Corporations, with much smaller growth and less complex processes, invest more heavily in their back office systems over the last 5 years to gain such efficiencies. They include new integrated financial systems and human resource systems, plus new payroll systems with integrated employee kiosks. Such systems provide staff with the flexibility to manage their working hours, leave requests and banking changes online. They free up the employer’s administration staff to undertake higher value tasks as well as assist in managing headcount. Ambulance NSW is one of a few larger agencies, along with other health services, where such systems have not been widely introduced and existing processes/controls are substantially manual.
We understand this is not just a matter of resources. For administrative systems, the Ambulance Service is heavily dependent on developments at NSW Health and, because Ambulance is one of the smaller and non-standard health services, is often one of the last to see such systems implemented. Its differences from other health services also mean that often (as with patient records, rostering, payroll and billing) the standard systems need to be adjusted for the ambulance context. These delays and adjustments add to the risk of control weaknesses and of fraud unless carefully managed.
We understand that a number of NSW Health administrative systems are now under development: payroll, human resources, rostering, asset management. We support such developments, provided they recognise the particular characteristics of awards and processes in the Service. In the meantime, the risks remain high due to the complexity of many of the processes and despite well-developed manual controls. They may continue to be high after the initial implementation of new administration systems, as the Service has found with the recent replacement of SUN Financials with ORACLE, until the controls are fully understood and bedded-down.
Our second general observation is with those particular characteristics of the Ambulance Service context that contribute to the risk of fraud. Some of these are unavoidable because of the trust that members of the public place in this most respected of services. Some are due to the highly dispersed operations of the Service across the State and staff’s need for rapid access to everything from petty cash funds, to medical supplies, to transport and to local suppliers. Some of them are more a reflection of long-established local practices, or interpretations of complex awards, in particular those associated with on-call and call-out; with rostering, overtime and resource allocation; and with private use of vehicles. The Service has taken some significant steps to reduce such complexity and to agree consistent definitions and interpretations, for example around meal break allowances and private usage of ambulance vehicles. The current industrial case around the definition of on-call start and finish time is another. To the extent that such ambiguities continue, so too do the risks of fraud, or the perceptions of fraud.
Our third general observation is about staff awareness of fraud risk, which appears from the workshops and discussions to be relatively low for an organisation where the risks are relatively high. This may in part be a reflection of recent priorities to build awareness around other aspects of culture and conduct (in relation to healthy workplace). The Fraud Control policy dates from 2005 and the Code of Conduct from 2007. Staff’s understanding of them in relation to fraud matters, particularly of the former, was limited. We suggest a refresh of these, and closer links between them, to help bolster fraud risk awareness, particularly in those functions exposed to high risks.
Many of the findings raised in this report have been raised in prior reports, albeit from differing perspectives. The key report whose findings include those highlighted in this FCRA is the Auditor General’s Follow Up (2007) of the 2001 Performance Audit. This report indicates that whilst significant investment and resources have been deployed to improve clinical enabling systems (Computer Aided Despatch Systems) and interfaces with key stakeholders such as hospitals (emergency departments) as well as simplifying the governance structure of the Service, little has been done in respect of the workforce flexibility recommendations. It is these recommendations [1] which, if addressed, would assist in strengthening the control environment, which at present is conducive to fraud and errors remaining undetected in a timely manner or at all.
[1] See Auditor General’s Follow Up Report, p44, 2.8 Workforce flexibility
1.3.2 Fraud & Corruption Control
As a result of the risk assessment process, the following high level areas were identified as those where enhancements could be made to the fraud and corruption control environment and framework within Ambulance NSW. Further details can be found in Section 3 - Key Findings.
R1 Raise awareness of secondary employment requirements
R2 Update Award and address the lack of clarity in respect to the On Call matter
R3 Update Fraud Control Policy to reflect corrupt conduct more clearly and link to Code of Conduct
R4 Introduce annual sign off of all staff to abiding by Code of Conduct
R5 Strengthen processes over clinical and pharmaceutical supplies
R6 Implementation of Rostering automated software
R7 To consult with Internal Audit in respect to the process being undertaken to re-evaluate how section 8 drugs could be better managed
R8 To continue lines of communication with the Department over the importance of obtaining enhanced reporting and controls over human resource related transactions
R9A To continue lines of communication with the Department over the importance of obtaining enhanced reporting and controls over accounts payable related transactions processed by DHHS.
R9B To reassess certain SOPs and update as appropriate to accommodate the transition to DHSS
R10 To revisit the Code of Conduct in respect to clarification on value of gifts so that they are consistent with ICAC requirements.
1.3.3 Areas for Internal Audit Consideration
One of the two key deliverables arising from the fraud risk assessment was the identification of areas for consideration in the development of the Service’s Three Year Internal Audit Plan. Tabled below are the categories in which we have recommended such audits. Further details can be found in Section 4 – Areas for Internal Audit Consideration.
Contract Management – outsourced services such as fixed wing and rotary, fleet leasing, property management – assessing the robustness of controls over compliance to key clauses.
OHS – examining the processes in place which ensure that key OHS risks for Ambulance are appropriately managed.
Information Management & Access Controls - assessing the processes in place to manage access to certain information and the way in which key information is categorised and restricted.
Payroll Management – Timesheet Accuracy – examining the efficiency of controls in place over the veracity of declared time worked including on-call, call-out and overtime worked.
IT Project Management – examining project management processes and their implementation, particularly on development of specifications and user testing.
Shared Support Services – examining the robustness of controls in place to gain assurance that the financial transactions being processed on behalf of the Service are complete, accurate and valid.
Fleet Leasing – reviewing the processes in place which monitor key vehicle costs to determine if they are in line with expected costs such as fuel usage, general maintenance and tyres.
Gifts and Benefits – NSW Health’s Gifts & Benefits Policy (PD2010_010) requires the Internal Audit Manager to review and sign off on the Registers at least every 2 years to ensure all actions have been completed and identify any trends and or incidents that require further actions.
1.4 Overall Residual Risk Profile
The following table summarises, for each key area, the total number of risk scenarios examined and their associated breakdown of residual risk ratings ranging from low to very high. The residual risk rating has been collated from risk ratings obtained from discussion with five members of the executive and from holding two workshops in which a subset of these scenarios were covered. These 52 scenarios are illustrated on a risk map below. The details of each scenario can be found in the matrices located in Appendix A: Fraud and Corruption Risk Matrices.
Table 1 – Fraud and Corruption Risks by area/business process
| Area or Business Process | Number of Risks | Residual Risks: Very High | High | Moderate | Low |
|---|---|---|---|---|---|
| Organisation Wide (Generic Risk Areas) [1.1 - 1.3] | 3 | 2 | 1 | 0 | 0 |
| Financial Management (Petty Cash, Accounts Payable & Accounts Receivable) [2.1 – 2.9] | 8 | 2 | 1 | 2 | 3 |
| Procurement and Contract Management [3.1 – 3.9] | 9 | 0 | 3 | 5 | 1 |
| Assets and Supplies [4.1 – 4.7] | 7 | 0 | 2 | 1 | 4 |
| Information and Records [5.1 – 5.5] | 5 | 1 | 2 | 1 | 1 |
| Payroll, Allowances and Expenses [6.1 – 6.7] | 7 | 1 | 4 | 1 | 1 |
| Operations [7.1 – 7.3] | 3 | 0 | 1 | 0 | 2 |
| Events, Sponsorship and Branding [8.1-8.5] | 5 | 0 | 2 | 1 | 2 |
| Human Resources [9.1 – 9.5] | 5 | 0 | 2 | 3 | 0 |
| Total for the Service | 52 | 6 | 18 | 14 | 14 |
1.4.1 Fraud Risk Profile
The risk profile below represents the scores obtained from workshops and interviews; however, the top ten themes are based on the risk profile and further discussion with senior management.
Top 10 Areas/Themes of Concern
1. Validity of ‘On call’ payments
2. Level of awareness of Fraud & Corruption related policies
3. Integrity of Accounts Payable
4. Payroll – Timesheet and rostering integrity
5. Management of clinical and pharmaceuticals supplies
6. Human Resources – Secondary employment
7. Human Resources – Leave management
8. Data integrity
9. Human Resources – Recruitment
10. Misuse of private usage – Motor vehicles
[Figure: risk map plotting the 52 risk scenarios (1.1 to 9.5) by Inherent Risk (likelihood + Consequence) against Control Effectiveness, with residual risk zones marked Low, Moderate, High and Very High.]
1.5 Acknowledgement
We wish to place on record our appreciation of the assistance and co-operation received from executive management and other staff at the Service in undertaking this assessment.
Harvey Christophers
Partner
November 2010
AMBULANCE NSW
FRAUD RISK ASSESSMENT NOVEMBER 2010
SECTION TWO: BACKGROUND AND CONTEXT
2. Background and Context
As part of the 2009/10 Internal Audit Plan agreed with the Ambulance Service of NSW (“the Service”), Deloitte Touche Tohmatsu (“Deloitte”) has undertaken an organisation-wide fraud and corruption risk and controls assessment.
Fraud and corruption risks exist within all NSW Government Agencies and are frequently the areas which present greatest threat in respect of financial loss and damage to reputation. The nature of fraud and corruption means they are pervasive risks which constantly change and require ongoing monitoring. For these reasons, the NSW Independent Commission Against Corruption (ICAC) and Audit Office both recommend that agencies assess their fraud and corruption risks on a regular basis, and ensure that steps are taken to effectively manage and prevent fraud and corruption from occurring.
The platforms of an effective fraud and corruption control framework are prevention, detection and investigation. To achieve prevention and detection objectives, an agency must have a comprehensive and detailed understanding of its fraud and corruption risks and overall profile. It is this understanding that allows agencies to tailor their Audit Program to ensure that high and emerging fraud and corruption risk areas are incorporated where appropriate. The incorporation into the Internal Audit Program fulfils proactive and detective objectives as recommended by both the ICAC and the Audit Office. A fraud and corruption risk assessment also serves to identify where fraud and corruption controls are absent, dated, inadequate or no longer effective, and where proactive strategies need strengthening to improve the fraud and corruption control environment.
The assessment was conducted as a consulting engagement. For the avoidance of doubt, the procedures that we performed as part of this engagement do not constitute an assurance engagement in accordance with Australian Standards for Assurance Engagements, nor does it represent any form of audit under Australian Standards on Auditing, and consequently no assurance conclusion or audit opinion has been provided.
2.1 What are Corruption and Fraud Risks?
The ICAC has provided commentary and a lay-person definition of corruption as follows:
Corruption risks can exist in relation to almost all functions and activities of an agency. Unmanaged corruption risks can expose an agency to the possibility of an employee engaging in corrupt conduct. Corrupt conduct is defined in section 8 and 9 of the Independent Commission Against Corruption Act 1988 [ICAC Act] but, ordinarily speaking, it is the dishonest or partial behaviour, misuse of information or breach of public trust by a NSW public sector employee which, if proved, could amount to a crime or disciplinary offence. The term also refers to the conduct of any person (whether or not that person is a public official) that adversely affects or could adversely affect the exercise of official functions by public officials and could constitute or involve a criminal or disciplinary offence. (Corruption risk management – Tip sheet for NSW Public Officials, ICAC, February 2008, p.1).
The full legal definition of corrupt conduct (s 7-9, ICAC Act) can be found in Appendix B. Fraud falls within section 8 and 9 of the ICAC Act and is a particular type of corrupt conduct.
Fraud involves the use of deceit or secrecy to obtain an unjust advantage or to injure the rights or interests of others (fraud is a form of theft). It involves the intent to deceive, unlawful action and/or receipt of money or a benefit.
The Service applies the following definition(s) within its Fraud Policy (2005):
The term “fraud” is used in many contexts and the following are two general definitions:
Fraud, briefly stated, is a false representation or concealment of a material fact to induce someone to part with something of value.
Fraud is dishonesty, generally in the context of a false representation made by means of a statement or conduct, with the intention of gaining a material advantage.
2.2 Methodology
The methodology adopted for the Fraud and Corruption Risk Assessment aligns with key elements of AS/NZ 4360:2004 and ISO31000:2009. It also has regard to relevant guidelines and reports issued by the Independent Commission Against Corruption and the NSW Audit Office, and the Australian Standard on Fraud and Corruption Control (8001:2008). An outline of our methodology and approach is provided in the following diagram, with further detail provided in Appendix C: Fraud Rating Definitions.
[Diagram: methodology and approach in four stages, with Communication with Management running alongside all stages]

Stage I: Planning and Document Analysis
Approach:
• Review existing documentation (including all policies and procedures).
• Develop and consult on risk assessment methodology
• Consult on interviewee list and workshop participants.
Output:
• Sound knowledge of fraud and corruption risk environment and documented controls
• Final list of interviewees and workshop groupings and participants.

Stage II: Risk Identification
Approach:
• Populate preliminary risk matrices with existing business knowledge
• Identify and document risk scenarios
• Identify and document controls
Output:
• Fraud and corruption risk scenarios identified
• Documented controls identified
• Fraud and corruption risk matrices completed ready for discussion with management
• Preparation of interview kits
• Prepare workshop methodology

Stage III: Risk Assessment
Approach:
• Conduct fraud risk assessment interviews to: Assess Control Effectiveness; Evaluate Likelihood & Consequence
• Conduct 2 x staff workshops
Output:
• Fraud and corruption risk matrices

Stage IV: Reporting
Approach:
• Collate results and draft report
• Re-appraise results with key staff
• Confirm risk and control ratings
• Identify areas for Internal Audit Plan
• Develop Action Plans as required
Output:
• Final report with risk matrices and recommendations for Internal Audit Plan and fraud and corruption risk management control enhancement.
The phases shown below were undertaken for this engagement.
Stage 1: Planning and Document Analysis
The focus of our activity during Stage 1 was on the assessment and analysis of Ambulance Service NSW documentation and internal control processes including but not limited to:
• Relevant policies and procedures
• Internal registers if applicable (conflicts of interest, gifts and benefits etc.) and management systems
• Risk assessment and management processes and associated documents (e.g. business risk assessment)
• Training and education program and activities, and internal communication strategies and processes
• Organisational structures and position/function reporting and supervision
• Recent internal audit reports and audit committee processes
• Code of Conduct
• Employment contracts and conditions
• Instrument or policies on delegations (both financial and non-financial)
• Issue management processes and reporting.
Access to these documents was provided through the Service’s Records Management Office. Access to management and staff for information and interviews was organised through the office of the General Manager Corporate Services (Merinda Breen and Robyne Stewart). During Stage 1 we developed and finalised the risk assessment definitions and categories (e.g. likelihood, consequence and controls assessment), and finalised the list of interviewees and workshop attendees (Rozelle and Dubbo).
Stage 2: Risk Identification
In Stage 2 we developed and populated preliminary fraud and corruption risk matrices, setting out the details of existing fraud and corruption controls identified during Stage 1. The process in Stage 2 was limited to identifying control weaknesses based on our desk review and detailing specific questions to be directed to the five executives interviewed. Interview kits were developed and distributed. Workshop methodology was developed and finalised.
Stage 3: Risk Assessment
This stage was limited to holding two workshops and conducting interviews with:
• Greg Rochford, Chief Executive
• Mike Willis, General Manager Operations
• Michael Landsbergen, General Manager Corporate Services
• Marian O’Connell, Director Professional Standards & Conduct
• Stephen O’Malley, Chief Finance Officer
Interviewees (excluding the Chief Executive Officer) were asked to do some planning and preparation before the interview (i.e. complete interview kit ratings and review control descriptions). They were also encouraged to bring direct-report managers with expertise in the areas being covered to the interview. We note that interviewees attended the meetings individually. The two workshops were each held with a cross-section of staff and management: the first, with participants from Sydney and surrounds, was held in the Rozelle offices; the second, with participants from regional NSW, was held in Dubbo. Due to the limited number of key interviews, in some instances the extent of details, insights and controls obtained was limited.
Stage 4: Reporting
During Stage 4 we consolidated the information collected during stages 1 – 3 into the fraud and corruption matrices and drafted the Fraud and Corruption Risk and Controls Assessment Report. This included:
Identifying areas for consideration for the 3 year Internal Audit Plan
Suggesting actions to improve the fraud and corruption control environment.
In summary, the following diagram illustrates the general process followed to develop the deliverables for this review.
[Diagram: general process followed. Boxes: Policy and Procedure Review; Conducted 5 Interviews with 52 Fraud Risk Scenarios; Staff Workshop, Rozelle, with 17 Fraud Risk Scenarios; Staff Workshop, Dubbo, with 17 Fraud Risk Scenarios; Other Comments and Findings; Fraud Risk Areas of Concern; Areas for Internal Audit Consideration; Fraud Risk Profile.]
2.3 Risk Ratings
The risk ratings used by management and the workshop participants to assist in developing a fraud risk profile of the Ambulance Service of NSW can be found in Appendix D. In the case of fraud and corruption risks the consequence rating (even in consideration of existing controls) will push many risks into the medium or high category. This is particularly the case for the NSW Government agencies which are the subject of significant media scrutiny and subject to ICAC jurisdiction (which potentially equates to significant media exposure). A series of media reports on fraud or corruption within a public sector agency will have a significant consequence in respect of damage to reputation and community confidence.
Fraud and corruption risks with a medium to high residual risk rating need to be considered individually – some at this level can be tolerated with routine (medium) or active (high) monitoring process; others may require additional controls to be put into place, and/or enhancement of existing controls.
The degree of risk which can be tolerated or accepted is a matter for the Service to decide; however, this report makes recommendations in areas where it is considered appropriate given the nature of the particular risk in the context of the Service.
A residual risk is the level of risk that remains within an organisation after consideration of all existing controls. The residual risk rating provides information about areas where management attention and/or action is required.
In the risk matrices below we indicate whether controls are adequate or whether further enhancements should be considered.
| Column | Description |
|---|---|
| Ref. | Risk Reference |
| Fraud/Corrupt Scenario | Description of the fraud or corruption risk scenario |
| Relevant Policies | If covered by a Policy, the name of the Policy and the date the Policy was last reviewed by the Service |
| Control Descriptions | A description of the control or strategy to reduce the likelihood of the risk occurring or the impact of the risk should it occur. This may also include activities that monitor the fraud and corruption risk environment. Where relevant, a reference to the applicable Service Policy has been included |
| Assessment of Controls, 1 (Good) to 3 (Needs Improvement) | The assessment of the control environment |
| Likelihood, A (Rare) to D (Almost Certain) | The likelihood of the risk occurring |
| Impact, 1 (Insignificant) to 4 (Major) | The consequence of the risk occurring |
| Residual Risk Rating | Calculated risk rating determined as a function of the likelihood rating |
AMBULANCE NSW
FRAUD RISK ASSESSMENT NOVEMBER 2010
SECTION THREE: KEY FINDINGS
3. Key Findings
3.1 Fraud Risk Profile
The risk profile below represents the residual risks of the Service based on numerical data and insights from the Service. These were sourced through:
1. Scores obtained from the Interviews with senior management (scores on Likelihood, Consequence of the scenario and the Control Effectiveness of the controls in place to mitigate the risk of the scenario)
2. Scores obtained from the workshops held at Dubbo and Rozelle (scores on Likelihood, Consequence of the scenario and the Control Effectiveness of the controls in place to mitigate the risk of the scenario)
3. Insights provided by staff from the interviews and workshops.
Table Two – Definitions of Ratings
Very High Risk: Risks where treatment options require preparation, active review and management. Immediate action required – introduction or enhancement of controls.
Moderate Risk: Risk is tolerable – continuous monitoring through normal processes (e.g. audit, management/supervisory oversight etc).
High Risk: Continuous monitoring required and/or management action required (i.e. introduction or enhancement of controls or governance processes).
In the case of fraud and corruption risks the consequence rating (even in consideration of existing controls) will push many risks into this category. This is particularly the case where an agency such as the ICAC exists. Public inquiries conducted by ICAC are high profile and attract significant media attention so reputation damage to an organisation named at an ICAC inquiry is often significant. For this reason consequence ratings are elevated because a single ICAC exposure can have a significant consequence for organisational reputation.
Fraud and corruption risks with this residual risk rating need to be considered individually – some at this level can be tolerated with continuous and active monitoring; others may require additional controls to be put into place, and/or enhancement of existing controls.
The degree of risk which can be tolerated or accepted is a matter for Ambulance management.
Low Risk: Risks where systems and processes managing the risks are adequate. Risk is acceptable – monitoring through normal processes.
[Figure: risk map plotting the 52 risk scenarios (1.1 to 9.5) by Inherent Risk (likelihood + Consequence) against Control Effectiveness, with residual risk zones marked Low, Moderate, High and Very High.]
The review was a fraud risk assessment and as such key issues of a business risk nature were not examined in detail other than to consider those areas for audit plan inclusion. The following table identifies those key findings that arose from the interviews and workshops that have a fraud risk element and suggested recommendations to address such potential risks.
Table Three – Key Findings from a Fraud Risk Perspective
Area | Risk Category | Key Findings | Rating | Recommendations
Area: Human Resources
Risk Category: Secondary Employment
Key Findings: Many senior staff members believe there is insufficient awareness amongst staff members about the importance of declaring any secondary employment being undertaken. We understand that the most likely reason for not declaring the secondary employment has been the fear that it will not be approved.
Recommendations: R1: Management should create more awareness around the risks of conflicts of interest with secondary employment and the importance of declaring any secondary employment. Staff members also need to be aware that in most instances where a conflict of interest does not exist, their secondary employment will be approved. This can be done through an article in the monthly newsletter, “Sirens”, and/or by conducting short workshops with practical examples.
Area: Governance
Risk Category: Fraud Control Policy
Key Findings: The fraud control policy is dated 2005 and is a high level document that does not detail corruption matters.
It was noted that a large number of staff members were unaware the Service has a Fraud Control Policy. However, many were very clear about and familiar with the Code of Conduct.
Recommendations: R2: We suggest a refresh of both documents and closer links between them, to help bolster fraud risk awareness, particularly in those functions exposed to high risks.
Area: Human Resources/Payroll
Risk Category: On Call
Key Findings: The current industrial case around the definition of on-call start and finish time remains an issue. To the extent that such ambiguities continue, so too do the risks of fraud, or the perceptions of fraud.
Recommendations: R3: Revisit the issue through appropriate industrial channels.
Area: Human Resources/Payroll
Risk Category: Timesheets
Key Findings: Whilst the process is manual there is a higher risk of error or intentional abuse of declared actual time worked not being detected.
Recommendations: R4: Continue liaison with the Department to seek future investment in an online system to support efficient and effective enhanced control mechanisms.
Area: Human Resources/Payroll
Risk Category: Rostering
Key Findings: Whilst the process is manual there is a higher risk of rosters being developed that do not provide fairness and equity in overtime allocation and meeting employee needs.
Recommendations: R5: To continue lines of communication with the Department about enhanced reporting and controls. We understand that there are plans in place to address this matter.
Area: Consumables
Risk Category: Clinical Supplies
Key Findings: Discussion with staff indicated that little control was in place to minimise the theft of supplies.
Recommendations: R6: Statistical Analysis of Ambulance stations to determine if the usage rate at any station is significantly different – then to determine what appropriate controls would be reasonable.
Area: Consumables
Risk Category: Pharmaceutical Supplies
Key Findings: Discussion with staff indicated that whilst there were some controls in place, the system could still be abused.
Recommendations: R7: We understand that a large project is currently underway to re-evaluate how section 8 drugs could be better managed. We would welcome providing comment on the processes being considered from a risk and internal audit perspective.
Area: Human Resources
Risk Category: Leave management
Key Findings: Concerns were raised about the difficulty of managing sick leave and other leave given the lack of adequate reporting.
Recommendations: R8: To continue lines of communication with the Department about obtaining enhanced reporting and controls. We understand that there are plans in place to address this matter.
Area: Financial Management
Risk Category: Accounts Payable
Key Findings: The lack of adequate reporting by DHSS raises concerns that it is not feasible to have complete oversight of all changes to the vendor masterfile or of all invoices processed. There remains the risk of fraudulent transactions being processed and remaining undetected.
Recommendations: R9A: To continue lines of communication with the Department about obtaining enhanced reporting and controls. We understand that there are plans in place to address this matter.
R9B: To reassess certain SOPs and update as appropriate to accommodate the transition to DHSS.
Area: Receipt of Gifts and Benefits
Risk Category: Gifts and Benefits
Key Findings: The Service follows the NSW Health’s directive PD2010-010 Policy Directive PW2010-010 which provides a broad value of token gifts and moderate acts of hospitality to be under $75. The document is not clear on distinguishing between token and nominal value and what needs to be registered. Currently there is a risk that a token gift of a pen or box of chocolates will need to be registered.
Generally token gifts are not registered but those of nominal value are.
Recommendations: R10: We recommend that management re-examine this matter and add clarification so that when this Policy Directive is rolled out there is adequate clarity on what does have to be reported and what does not.
4. Areas for Internal Audit Consideration
The following table summarises the key areas identified during the FCRA which are suggested for consideration in the development of the three year internal audit plan for the Service. These areas may not be directly related to a fraud matter.
Table Four – key areas for audit consideration
Area | Why? | High level Objectives/Scope/Comments
Area: Contract Management
Why? Inherent risks in this area due to:
- high dollar value of the outsourced service contracts
- controversial aspects arose from some tenders – Australian v Canadian company bidding for work
- limited number of employees with oversight of key compliance requirements
- limited checks and balances
- no prior independent audit examination
- high reputational implications.
High level Objectives/Scope/Comments: Review of RFDS and CHC Contracts
To assess the level of compliance with the RFDS and CHC contracts, particularly in respect to:
- penalty costs for offline time (Rotary and Fixed Wing)
- key safety aspects (e.g. Servicing)
- veracity of fixed (standing) costs and variable (hourly flying) costs.
Review of other outsourced services e.g. fleet leasing.
The recent New South Wales Auditor-General’s Performance Report (September 2010) was focused on the Helicopter Emergency Medical Service Contract and covered the tender process and the management of the delivery of the service per the contract.
Area: OHS
Why? The Service has a number of different environments and conditions under which staff have to operate – a number of comments have been made about safety of clothing and its suitability.
High level Objectives/Scope/Comments: To assess the adequacy of health and safety risk controls currently in place over selection of uniforms.
Area: Payroll
Why? The key inputs to the payroll system used by Ambulance are highly manual in nature. Such manual processes have an inherently high risk. These processes include:
- Paper based timesheets
- Paper based leave requests
- Manual approval of leave
- Manual approval of timesheets
- Manual approval of overtime.
High level Objectives/Scope/Comments:
Timesheet Accuracy: To assess the accuracy of timesheets and ensure appropriate approval is given.
On-Call: To examine the efficiency of controls in place over the veracity of declared time worked including on call, call-out and overtime worked.
Overtime Management: To assess the processes over overtime management.
Area: IT Project management
Why? Management have noted that there is significant room for improvement in developing specifications and in user testing of systems.
High level Objectives/Scope/Comments: IT Project management: Assess recent project and review current IT project management protocols.
Area: Information Management
Why? Currently there are few restrictions to key information at the Service. It would be prudent to have a framework which categorises the sensitivity of information and then determines the level of access.
High level Objectives/Scope/Comments: To examine how access is allocated and how information security is maintained.
Area: Share Services
Why? Currently there is no Memorandum of Understanding or Contract between the Dept of Health for agreed levels of service.
Concern over the level of robust controls DHSS has in place.
High level Objectives/Scope/Comments: Examining the robustness of controls in place to gain assurance that the financial transactions being processed on behalf of the Service are complete, accurate and valid.
Appendix A: Fraud and Corruption Risk Matrices
The following information was obtained from:
- reviewing current Standard Operating Procedures (SOPs)
- holding five interviews with senior management
- facilitating two workshops.
Due to the limited number of key interviews and workshops held, the robustness of the insights obtained, and in some instances the extent of details obtained has been limited and may be incomplete. It should be noted that due to the recent move to DHSS a large number of previously relevant policies and procedures and the underlying embedded controls, are no longer as robust or relevant.
1. Organisation Wide
Ref No. | Business Process | Fraud/Corruption Scenario | Relevant Ambulance Documents (e.g. Policies, SOPs etc) | Controls | Ratings: Assessment of controls 1 (Good), 2 (Adequate) to 3 (Needs Improvement) | Ratings: Likelihood A (Rare - 1), B (Unlikely - 2), C (Possible - 3) to D (Almost Certain - 4) | Ratings: Impact 1 (Insignificant), 2 (Minor), 3 (Moderate) to 4 (Major) | Residual Risk Rating
1.1 Secondary Employment
Undertaking unapproved outside employment with a competitor or supplier; undertaking outside employment that presents an actual conflict with work requirements at Ambulance.
SOP2007-028 Ambulance Service Employees and other Employment
SOP2007-012 Code of Conduct
The Policy (2007-028) requires employees to obtain written authorisation from a supervisor to undertake secondary employment (can only be authorised if assessed as not creating a conflict of interest with Ambulance duties).
The Code (2007-012) states any employment outside of the Ambulance service will:
- be performed outside normal working hours
- not conflict with Ambulance Service
- not adversely affect work performance
- not affect safety or the safety of colleagues, patients or the public
- not involve the use of Ambulance Service resources.
3 D 2
C
1.2 Staff Awareness
Minimal awareness of fraud and corruption related policies and procedures (risk of non-compliance and failure to report)
SOP2007-012 Code of Conduct
IC05/30 Fraud Policy
The Code (2007-012) is a very comprehensive document which includes, amongst other things, conditions and procedures for staff to disclose fraud or corruption issues.
The Policy (IC05/30) establishes conditions and procedures for staff to disclose fraud or corruption issues. Responsibilities for CEO, general managers and sector managers and directors.
3 D 3
1.3 Receipt of gifts and benefits
Inappropriate gifts and benefits causing a conflict of interest
SOP2007-012 Code of Conduct
SOP2010-019 Conflicts of Interest and Gifts and Benefits
The Code (2007-012) summarises information on acceptance of gifts and benefits by staff (includes all staff working in any permanent, temporary, casual or termed appointment). Token gifts (under the value of $75) may be accepted but permission from supervisor must be granted in order to keep token gift. Non-token gifts will not be accepted.
The Policy (2010-019) states a Conflict of Interest Register and a Gifts and Benefits Register have been established and will be maintained by the Professional Standards and Conduct Unit. All staff should record and report the receipt of the gifts or benefits of token value and/or any perceived or actual conflict of interest and forward these to Divisional Managers or Unit Directors for assessment.
2 C 3
C
H
2. Financial Management (Petty Cash, Accounts Payable and Accounts Receivable)
Ref No. | Business Process | Fraud/Corruption Scenario | Relevant Ambulance Documents (e.g. Policies, SOPs etc) | Controls | Ratings: Assessment of controls 1 (Good) to 3 (Needs Improvement) | Ratings: Likelihood A (Rare - 1) to D (Almost Certain - 4) | Ratings: Impact 1 (Insignificant) to 4 (Major) | Residual Risk Rating
2.1 Petty Cash Expenditure
Theft and Unauthorised use
SOP2006-057 Petty Cash
Financial Handbook - Section 2: Accounts Payable
The Petty Cash Officer maintains an Expense Account Book for all Petty Cash payments. This must be reconciled to the recoupment value at month end by an independent officer.
The Policy (2006-057) states float should be kept in a container that can be locked and kept in a locked safe or other secure area. The key to the container should be under the control of one person.
1 A 1
2.2 Petty Cash Expenditure
False claims
SOP2006-057 Petty Cash
Financial Handbook - Section 2: Accounts Payable
Expenditure on any single item must not exceed $100 and delegated personnel (Station Officers, Assistant Operations Managers, and Managers) must authenticate all claims for Petty Cash reimbursement. Supporting documentation is required.
1 A 1
2.3 Cab Charge
False claims
SOP2007-089 Travel Reimbursement
DTT Report - Internal Audit of the Management of Cab and Employee Expenditure 2008
Legitimate expenditure whilst travelling is refundable only if receipts/ tickets for bus/ taxi fares are submitted with each claim stating the purpose of the trip and signed by the individual.
The key controls in relation to the management of cab and employee expenditure noted during our internal audit were as follows:
- The Accounting Manual for Department of Health and Ambulance Service, September 2007
- The Review of Meal, Travelling and Related Allowances, Circular No. 2006-07
- Out of Pocket Expenses, Circular No. 96/42
- The Official Travel Policy, dated September 2005
- Delegations of Authority (“DOA”) matrices located on the Service intranet, HRM-47 and FM-13.
1 A 2
L
L
L
2.4 Cab Charge
Theft and unauthorised use
SOP2007-089 Travel Reimbursement
DTT Report - Internal Audit of the Management of Cab and Employee Expenditure 2008
Legitimate expenditure whilst travelling is refundable only if receipts/tickets for bus/taxi fares are submitted with each claim stating the purpose of the trip and signed by the individual.
The key controls in relation to the management of cab and employee expenditure noted during our internal audit were as follows:
- The Accounting Manual for Department of Health and Ambulance Service, September 2007
- The Review of Meal, Travelling and Related Allowances, Circular No. 2006-07
- Out of Pocket Expenses, Circular No. 96/42
- The Official Travel Policy, dated September 2005
- Delegations of Authority (“DOA”) matrices located on the Service intranet, HRM-47 and FM-13.
1 B 2
2.5 Accounts Payable
Manipulation of the vendor master file for gain
None available from DHSS
Financial control over the masterfile has been outsourced to DHSS in March 2010 – there is currently no visibility by the Service on all changes processed to the vendor masterfile.
3 C 4
M
C
2.6 Accounts Payable
Introduction of fictitious invoices
None available from DHSS
Financial control over processing of invoices has been outsourced to DHSS in March 2010 – there is currently no visibility by the Service on all controls in place by DHSS to mitigate the introduction of fictitious invoices.
3 C 4
2.7 Accounts Payable
Overcharging or provision of false accounts by suppliers
None available from DHSS
Financial control over processing of invoices has been outsourced to DHSS in March 2010 – there is currently no visibility by the Service on all controls in place by DHSS to mitigate the introduction of fictitious invoices.
It is possible that some such matters could be identified by staff at an Ambulance Station if goods noted on a delivery docket are not received.
2 C 3
2.8 Accounts Receivable
Managing Bad Debts - unpaid invoice is written off without proper authorisation
DTT Report - Statement of Corporate Governance
2006/2007 - Financial Management Review 2006
That internal audit report found:
- Write offs are processed on a monthly basis
- An extract is prepared from the SUN finance system, showing all proposed write offs older than 6 months (similar reports are provided now that data is on the DHSS)
- All significant transactions (over $500) are reviewed to check whether the charge relates to a pensioner or private health fund patient (who do not have to pay themselves)
- For Sydney-related write offs a summary is prepared which is sent to Director Finance and Data Services for review and approval for all write offs below $4000 (as per delegation). For Regional related write offs, approval is done via email. Approved summaries, emails and lists of write offs are filed and stored at each location
- If during the month there were write offs larger than $4000, the summary is forwarded to Chief Executive for approval of up to $10000.
2 B 2
H
C
M
3. Procurement and Contract Management
Ref No. | Business Process | Fraud/Corruption Scenario | Relevant Ambulance Documents (e.g. Policies, SOPs etc) | Controls | Ratings: Assessment of controls 1 (Good) to 3 (Needs Improvement) | Ratings: Likelihood A (Rare - 1) to D (Almost Certain - 4) | Ratings: Impact 1 (Insignificant) to 4 (Major) | Residual Risk Rating
3.1 Procurement and Purchasing
Unauthorised purchases
SOP2010-014 General Guidelines for Purchasing and Supplies
The new SOP (March 2010) provides the key processes and controls for procuring stock and non stock items.
All purchase requests are to be authorised by three staff:
a) Requesting Officer
b) Funds Control Officer
c) Approving Officer.
However financial processing and the establishment of necessary controls has been transferred to DHSS and there is currently no visibility on what these controls are.
2 B 2
3.2 Procurement and Purchasing
Purchases for private use
SOP2010-014 General Guidelines for Purchasing and Supplies
The new SOP (March 2010) provides the key processes and controls for procuring stock and non stock items.
All purchase requests are to be authorised by three staff:
a) Requesting Officer
b) Funds Control Officer
c) Approving Officer.
However financial processing and the establishment of necessary controls has been transferred to DHSS and there is currently no visibility on what these controls are.
1 A 2
L
M
3.3 Procurement and Purchasing
Invoices are paid for goods and services which are not received or are partially received
SOP2006-044 Receiving Goods and Services Policy
SOP2010-014 General Guidelines for Purchasing and Supplies
The new SOP (March 2010) provides the key processes and controls for procuring stock and non stock items. The Guidelines (2010-014) state the invoice should be signed off or noted appropriately for the receipt of goods and services.
However, financial processing and the establishment of necessary controls has been transferred to DHSS and there is currently no visibility on what these controls are.
2 B 2
3.4 Procurement and Purchasing
Bias to particular suppliers (e.g. IT companies, consultants, contract staff and service providers) through bribes/secret commissions, gifts/benefits, hospitality
SOP2010-019 Conflicts of Interest and Gifts and Benefits
A Conflict of Interest Register and a Gifts and Benefits Register have been established and will be maintained by the Professional Standards and Conduct Unit. All staff should record and report the receipt of the gifts or benefits of token value and/or any perceived or actual conflict of interest and forward these to Divisional Managers or Unit Directors for assessment.
2 B 3
3.5 Procurement and Purchasing
Unauthorised receipting of goods/services
SOP2006-044 Receiving Goods and Services Policy
When goods/services are supplied, the officer receiving the goods/services is to check to ensure the accuracy/condition prior to signing the delivery docket. When signing docket, employee number must be included. The delivery docket/invoice is to be given to the Officer in Charge.
Extract from revised SOP 2010-014 indicates that a copy of the Non Stock Purchasing Request (NSPR) should be retained as a basic record, and this should be used to mark off goods subsequently received and passed for payment.
Copies of purchase orders will not be supplied therefore it is imperative that all relevant details are carefully included, including contact name and phone number.
The purchase order will be sent directly to the supplier.
2 B 2
H
M
M
3.6 Procurement and Purchasing
Processing of invoice knowing supplier has overcharged
SOP2006-044 Receiving Goods and Services Policy
SOP2010-014 General Guidelines for Purchasing and Supplies
OLD control: The Policy (40) states the officer receiving the goods/services is to check to ensure the accuracy/condition prior to signing the delivery docket. The delivery docket/invoice is to be given to the Officer in Charge.
NEW: With the move to DHSS there are still some controls in the raising of requests and matching to POs, however the details and controls in place at DHSS are at this point unclear to management.
2 B 2
3.7 Tendering/ Contracting
Bias to tender proponents, i.e. in decision making (having solicited or knowing gifts and benefits will arise)
SOP2010-014 General Guidelines for Purchasing and Supplies
This SOP is limited in detail and advises staff that tenders and contracts cannot be entered into prior to seeking advice from the CFO. No further detail on committees and processes for tenders is noted in this SOP.
2 B 3
3.8 Tendering/ Contracting
Release of confidential tender information in exchange for gifts/benefits
(From time to time it is possible that staff may be approached by organisations and or members of the community with an offer(s) of reward for information that could be supplied through the course of their official duties.)
SOP2007-098 Disclosure of pecuniary interests
The SOP provides guidance to assist staff in identifying conflicts of interest which involve pecuniary interests and to provide general procedures in relation to disclosing and dealing with any actual or potential conflict.
Depending on the significance of the conflict, a range of options are available including:
- recording the detail and taking no further action because the potential conflict is minimal
- relinquish the private interest
- restrict access of information to the staff member with the conflict that is sensitive or confidential
- ensure the staff member with the conflict is not involved in considerations or discussions and does not have a vote on any questions relating to the matter
- remove the conflicted staff member from the project and reallocate responsibility to make decisions to a staff member who does not report to the person with the conflict
- transfer the staff member (at no disadvantage in term of conditions) to another area of work.
2.5 A 3
M
M
H
3.9 Contract Management
Inducement to ignore poor performance of contractor
SOP2007-012 Code of Conduct
SOP2007-023 Internal Reporting Policy for Making Protected Disclosures
SOP2010-019 Conflicts of Interest and Gifts and Benefits
The Code (2007-012) sets ethical standards for staff including acting honestly and fairly in a consistent and impartial manner. Staff are encouraged to report any misconduct that they become aware of or suspect (and has protected disclosures policy in place). Staff are prohibited from soliciting gifts or benefits and can generally only accept gifts of a nominal value (up to $75). Any gifts or benefits >$75 must be entered onto the gift register and approval must be sought to accept gift/benefit.
2.5 B 3
H
4. Assets and Supplies
Ref No. | Business Process | Fraud/Corruption Scenario | Relevant Ambulance Documents (e.g. Policies, SOPs etc) | Controls | Ratings: Assessment of controls 1 (Good) to 3 (Needs Improvement) | Ratings: Likelihood A (Rare - 1) to D (Almost Certain - 4) | Ratings: Impact 1 (Insignificant) to 4 (Major) | Residual Risk
4.1
Managing Corporate Supplies (Photocopier/ Mail/Faxes/ Telephone/ Stationery)
Unauthorised/excessive use of corporate resources such as Photocopier/Mail/Faxes/ Telephone/Stationery, (e.g. running private business from work)
SOP2007-042 Usage of Mobile Phones
Private calls made on Ambulance owned telephones/mobiles must be paid for by individual (1.38.8 Private calls made on Service owned telephones must be paid for as per Operational Procedure 1.9) which requires itemisation of calls.
2 C 1
4.2 Managing Property and Assets
Theft/damage of assets/property (e.g. laptops, Ambulance Fleet, fuel, Navman, stretchers, blankets)
SOP2006-067 Minimum Equipment Checks
SOP2006-018 Equipment Loss/ Replacement
SOP2006-020 Fuel Records
SOP2009-047 Portable Satellite Navigation Unit: Navman 150S
Any high cost or accountable items found missing from Ambulance Fleet must be reported to Officer in Charge.
If equipment is lost, matter must be reported to Officer in Charge.
Where bowsers located at the station are still used, fuel consumption must be entered into the Bowser Fuel Record Book and at the end of each month the record book is reconciled and a tank dip is to be taken to ensure accuracy of the recorded entries. Any significant discrepancies between recorded usage and tank dip are to be reported to Sector Manager on a Fuel Loss/Gain request to Write Off Form.
Staff issued with Navman are responsible for safety and security of the device, and loss or theft must be reported to manager/district manager prior to completion of shift.
1 B 1
M
L
4.3
Managing Ambulance Service Vehicles
Misuse of private usage entitlements
SOP2009-041 Private Usage of Ambulance Service Vehicles
SOP2008-020 Motor Vehicle Policy
The Chief Executive has sole authority to approve the allocation of Ambulance Service vehicles for private use. Running sheets must be kept and all journeys undertaken must be recorded and must specify business and private usage kilometres. Running sheets are regularly audited. Mobile data terminals including terminals in each Ambulance including GPS tracking.
2 C 3
4.4 Managing Clinical Supplies
Theft/damage/misuse of clinical equipment and medical supplies from Ambulances or station (e.g. medication, bandages, drugs, oxygen etc.)
SOP2010-003 Medications Management
SOP2010-003 Medications Management Q&A
Logs must be kept at the start (Section 8 drugs are only accessible and issued to highly trained paramedics) and end of a shift. This includes records of the quantity of medications in store, the quantity signed out, balance of medications and number and signature of authorised clinician.
Any loss/discrepancy in medications must be reported then forwarded to District manager. The appropriate delegate will commence appropriate investigative procedures and organise referral of incident to PSCU and NSW Police.
Ratings: Assessment of controls 2; Likelihood C; Impact 3
4.5 Disposing of Assets
Disposal of assets to 3rd party for less than market value
NSW Health Policy Directive - Procurement and Disposal of Goods and Services
NSW Health has an Agreement with its preferred supplier to provide a disposal service. Disposals arranged under this Agreement preclude the need for staff to obtain additional quotations as the service provider will undertake that task on behalf of the Health System.
While it is expected that all disposals will be arranged through the service provider there may be circumstances where disposals are undertaken directly. In these cases the delegations of authority apply.
Ratings: Assessment of controls 1; Likelihood A; Impact 2
Residual Risk: H, H, L
4.6 Disposing of Assets
Kickbacks received from disposal of assets
NSW Health Policy Directive - Procurement and Disposal of Goods and Services
NSW Health has an Agreement with its preferred supplier to provide a disposal service. Disposals arranged under this Agreement preclude the need for staff to obtain additional quotations as the service provider will undertake that task on behalf of the Health System.
While it is expected that all disposals will be arranged through the service provider there may be circumstances where disposals are undertaken directly. In these cases the delegations of authority apply.
Goods valued up to $3,000
Goods valued up to $3,000 may be disposed of by negotiated sales and verbal quotes.
Goods valued over $3,001 but not exceeding $250,000
Goods valued over $3,001 but not exceeding $250,000 may be disposed of by auction, written quotes or tenders.
Goods valued over $250,001
If the estimated value of the goods exceeds $250,001, the disposal must be referred to Department of Commerce (NSW Procurement Contracting Services) for the invitation of tenders/auction approval action. Area Health Services, Children’s Hospital Westmead and Ambulance Service of NSW have been granted interim accreditation and may undertake disposal activities of goods (excluding real property such as land and buildings) up to a value of $100 million without reference to Department of Commerce. Affiliated health organisations can tender to dispose of surplus or unserviceable goods themselves.
Ratings: Assessment of controls 1; Likelihood A; Impact 2
Residual Risk: L
4.7 Disposing of Assets
Theft of assets prior to disposal from Ambulance
SOP2007-012 Code of Conduct
SOP2007-053 Purchase, Allocation, Disposal and Reallocation of Vehicles
Disposal is restricted by delegation and policy.
Ratings: Assessment of controls 1; Likelihood A; Impact 2
Residual Risk: L
4. Information and Records
5.1 IT System (Network)
Destruction/modification/theft/ corruption of data (e.g. personnel data, financial data, patient)
SOP2007-094 Information technology Security Policy
The Policy (2007-094) states that private information, including personal client details, is often stored on computer systems and applications. It may only be used for intended purposes which have been authorised. Data should not be shared via a communication link, or on computer storage media, with an external organisation, without the written approval of the Senior Officer in the area responsible for the data.
Ratings: Assessment of controls 3; Likelihood B; Impact 3
5.2 IT System (Network)
Theft of software
SOP2007-094 Information technology Security Policy
The Policy (2007-094) states that in all cases, any staff member using Ambulance software must adhere to copyright conditions, i.e. making unauthorised copies for business and/or private use is strictly prohibited.
Ratings: Assessment of controls 1.5; Likelihood B; Impact 1
5.3 Managing Information (Hard Copy)
Theft/unauthorised use of information (e.g. Ambulance data, tender and contract information)
SOP2006-073 Records Management Policy
The Policy (2006-073) states all records should be stored securely by locking cabinet doors. Confidential records should always be kept in locked cabinets in a controlled environment, i.e. an authorised office.
Ratings: Assessment of controls 2; Likelihood C; Impact 3
5.4 Managing Information (Electronic Copy)
Theft/unauthorised use of information (e.g. copyright breaches, employee data, patient data, contract information)
SOP2007-094 Information technology Security Policy
The Policy (2007-094) states that private information, including personal client details, is often stored on computer systems and applications. It may only be used for intended purposes which have been authorised. Data should not be shared via a communication link, or on computer storage media, with an external organisation, without the written approval of the Senior Officer in the area responsible for the data.
Ratings: Assessment of controls 2; Likelihood B; Impact 2
Residual Risk: H, C, M, M
5.5 Managing Patient Data
Falsify patient status to “Pensioner” to avoid fee where patient is not covered by health fund or fee is simply waived for a friend/ relative
SOP2009-025 Patient Health Care Record SOP Version 4.0
The Policy (2009-025) states Station managers and/or their delegates are responsible for auditing the report forms. Incomplete PHCRs and PTO PHCRs are to be returned to the attending Paramedics for immediate rectification.
The Pension/ Concession Number field is to be filled if the patient is a pension/health care card holder. Card must not be expired. If no pension number is available, then the field should be left blank.
Even if the status is put to pensioner, if no number is noted, an invoice is still sent to the Patient who most likely would have to prove they are a pensioner to obtain an exemption.
Both Ambulance officers attending to patients must sign PHCR to ensure accuracy.
Ratings: Assessment of controls 2; Likelihood B; Impact 3
Residual Risk: H
6. Payroll, Allowances and Expenses
6.1 Processing Salaries/ Allowances/ Overtime
Employee processes a fraudulent payment in excess of legal entitlement
SOP2007-081 Sustenance and Living Away from Home Allowances
SOP2007-037 Timesheets
All claims by Officers below Manager level must be made and authorised on a standard time sheet.
Employee salary rates are loaded into the Supero system and any amendments require a formally authorised salary rate change notification.
Employees acting in another position are required to submit a separate form which includes formal authorisation to receive Higher Duties Allowance.
Ratings: Assessment of controls 2.5; Likelihood C; Impact 2
6.2 Processing Salaries/ Allowances/ Overtime
Duplicate payments processed for personal gain by employee
DTT Report - Payroll and Accounts Payroll Review 2009
Key controls for Payroll are in operation through a formal approval process in place for all changes to payroll records by delegated authorities and the payroll department.
Payroll user’s work is actioned then checked by another payroll staff member; no changes are allowed without supporting paperwork signed by a delegated authority.
As part of the fortnightly payrun process a suite of reports is produced and checked by payroll staff, including:
- exception report detailing employees earning > $5K in a period
- masterfile change report detailing key changes such as additions to the payrun and changes in bank accounts.
Ratings: Assessment of controls 1; Likelihood B; Impact 2
Residual Risk: H, L
6.3 Processing Salaries/ Allowances/ Overtime
Payments made to ‘ghosts’ for personal gain
DTT Report - Payroll and Accounts Payroll Review 2009
Key controls for Payroll are in operation through a formal approval process in place for all changes to payroll records by delegated authorities and the payroll department.
Segregation of duties over key tasks - Payroll user’s work is actioned then checked by another payroll staff member; no changes are allowed without supporting paperwork signed by a delegated authority.
As part of the fortnightly payrun process a suite of reports is produced and checked by payroll staff, including:
- exception report detailing employees earning > $5K in a period
- masterfile change report detailing key changes such as additions to the payrun and changes in bank accounts.
In addition, a Staff Establishment Report is produced and distributed to each Cost Centre Manager which details all salary costs allocated to their Cost Centre during the period.
Ratings: Assessment of controls 1; Likelihood B; Impact 3
Residual Risk: M
6.4 Processing Salaries/ Allowances/ Overtime
Continuing to process payments to individuals that have ceased employment with the Ambulance or redirecting such payments to another bank account of choice.
DTT Report - Payroll and Accounts Payroll Review 2009
Key controls for Payroll are in operation through a formal termination process requiring authorisation by delegated personnel as approval for final termination payment.
Ratings: Assessment of controls 2; Likelihood C; Impact 2
6.5 Processing Salaries/ Allowances/ Overtime
Fraudulent overpayment/duplicate payment or allocation of an allowance or leave credit (allowances e.g. community language, sustenance, living away from home, meal) or overtime
SOP2007-081 Sustenance and Living Away from Home Allowances
All claims by officers below manager level must be authorised on a standard time sheet.
Employee salary rates are loaded into the Supero system and any amendments require a formally authorised salary rate change notification.
Actual v Budget overtime analysis is regularly performed, which provides insight into which areas are going over budget; if necessary, this can be drilled down to the individual employee.
A separate form is required to be completed and submitted by employees to claim any allowances and a register is maintained to detail meal, sustenance and travel allowances claimed by employees.
Line managers have the ability to request a Leave Taken Report detailing all leave processed for their subordinates during the period.
Payroll user’s work is actioned then checked by another payroll staff member; no changes are allowed without supporting paperwork signed by a delegated authority.
Ratings: Assessment of controls 2; Likelihood C; Impact 2
Residual Risk: H, H
6.6 Processing Salaries/ Allowances/ Overtime
Abuse of on call/rostering through either Dispatch or not calling in a job as completed at the completion of a job, thereby obtaining an advantage of additional salary.
SOP 2007-043 Rural on call policy
There are long standing local definitions of when a call starts and finishes – issue is lack of consistency across the Service. Time “on call” refers to that period of off duty during which Ambulance Officers are required to hold themselves in readiness to answer a call. This period of time is not considered to be time worked unless the Officer is recalled to duty.
Ratings: Assessment of controls 3; Likelihood D; Impact 4
6.7 Workers Compensation Claims
Employee claims Workers Compensation for an injury not caused at work.
DTT Report - Workers Compensation Review 2008
Details of controls noted from prior review:
- Draft policies and procedures for the management of the Return to Work process
- Segregation of duties between Return to Work procedures, claims management and weekly benefit calculations, payments and reimbursements.
Also advised that Station Managers keep close monitoring on.
Ratings: Assessment of controls 2; Likelihood C; Impact 2
Residual Risk: H, C
7. Operations
7.1 Management of Patient Belongings
Theft of patient belongings by Ambulance staff (e.g. jewellery, money)
SOP2008-010 Security of Patient Belongings
Wherever possible officers shall ensure any belongings such as wallets, handbags and jewellery are retained by the patient or handed to a relative/friend/NSW Police Officer.
In the event the patient is incapacitated and/or unaccompanied during transport, the same process of securing items which were removed to facilitate treatment should occur and as part of the handover process the items are to be given to the nursing staff immediately upon being triaged or admitted to a facility.
The process of handover should be clearly documented on the PHCR (Patient Health Care Record) at the earliest opportunity.
Ratings: Assessment of controls 1; Likelihood B; Impact 2
Residual Risk: M
7.2 Dispatch and Patient Care
Dispatching ambulance and/or providing preferential patient care to family and friends
SOP2010-016 Dispatch- Emergency Response Standards
SOP2007-012 Code of Conduct
SOP2007-098 Conflict of Interest- Disclosure of Pecuniary Interests
The Standards (2010-016) state that in all cases Emergency (hot) Responses should be immediate.
The Code (2007-012) states that all Ambulance staff must perform duties fairly and ensure that any decisions are not influenced by self-interest or personal gain.
The Policy (2007-098) states:
“If a family member/ partner becomes a patient of the service, I will report this to my immediate supervisor so she can assess any conflict of interest issues”
All staff are obliged to report any instances of conflict of interest to either Ambulance or direct to ICAC.
Dispatch process calls as they come in and are unable to provide preferential care – the system logs calls as they come in and are required to be allocated on that basis.
Ratings: Assessment of controls 1; Likelihood A; Impact 1
7.3 Rostering of Staff
There is inequity in rostering; overtime is always allocated to one person (who might be a friend/relative). There is collusion between Ambulance staff and Call Centre staff so overtime is unfairly allocated.
SOP2006-050 Roster Preparation
SOP2006-047 Shift Changes
Lists of staff willing to work overtime are retained and used in rotation to allocate overtime opportunities.
Roster audits undertaken.
Changes in shifts worked (or overtime worked) must be approved by Officer in Charge.
Ratings: Assessment of controls 2; Likelihood D; Impact 2
Residual Risk: H, L
8. Events, Sponsorship and Branding
8.1 Provisions for Special Events
Discounted services are provided for special events in exchange for bribes/gifts/hospitality (e.g. Free grand final tickets in exchange for free Ambulance services)
SOP2006-075 Major and Sporting Events
General Manager, Operations has authority to waive or reduce charges for events. Applications are assessed and any concession/exemption is based on operational requirements and advice from within the Premier's Department.
Ratings: Assessment of controls 2; Likelihood C; Impact 3
8.2 Official Ambulance Stationery Management
Ambulance staff members use official stationery (letterheads/ logos/headers/footers) for personal gain
SOP2006-027 Official Stationery
Official stationery can only be used with permission of CEO. Logo approval is to be obtained through Public Affairs Director. Official stationery must not be stored on privately owned computers.
Ratings: Assessment of controls 1; Likelihood A; Impact 1
8.3 Management of Sponsorship, Fundraising and Donations
Ambulance staff members take money from sponsorship/ fundraising/donations for personal use
SOP2006-028 Sponsorship, Fundraising and Donations Guidelines
SOP2009-004 Approved Items for Purchase from Special Project Fund
SOP2007-012 Code of Conduct
Principle 6: Staff should not receive a personal benefit arising from a donation, sponsorship or fundraising activity.
Donations may only be accepted by employees who hold the position of Station Manager and above.
Any funding received should be used in accordance with the agreement or conditions of donation.
Special Projects Funding- Only equipment listed in policy guidelines can be purchased with this funding.
Ratings: Assessment of controls 2; Likelihood A; Impact 4
Residual Risk: H, L, H
8.4 Management of Sponsorship, Fundraising and Donations
Ambulance staff members take money from sponsorship/ fundraising/donations for personal use
SOP2006-028 Sponsorship, Fundraising and Donations Guidelines
SOP2009-004 Approved Items for Purchase from Special Project Fund
SOP2007-012 Code of Conduct
Principle 6: Staff should not receive a personal benefit arising from a donation, sponsorship or fundraising activity.
Donations may only be accepted by employees who hold the position of Station Manager and above.
Any funding received should be used in accordance with the agreement or conditions of donation.
Special Projects Funding - Only equipment listed in policy guidelines can be purchased with this funding.
Ratings: Assessment of controls 1; Likelihood A; Impact 1
8.5 Ambulance Uniform and Logo
Improper use of Ambulance uniform/logo or attendance at events as Ambulance representative without approval
Ambulance Services Regulation 2005 (467)
Regulation (467) states that an employee must not wear a uniform issued by the Ambulance Service except when on duty or when travelling to or from duty or with the permission of the Ambulance Service. There is a police charge for impersonating an ambulance officer. Police also can interview people if they find a uniform.
Ratings: Assessment of controls 1; Likelihood B; Impact 3
Residual Risk: L, M
9. Human Resources
9.1 Engagement of Temporary Staff
Unauthorised employment of contract/casual staff or engagement of contract/casual staff who have a criminal or poor employment record
SOP2009-060 Casual Employment
During the recruitment interview, applicants are requested to authorise Ambulance to conduct probity screening - National Criminal Record Check.
Ratings: Assessment of controls 2; Likelihood A; Impact 2
9.2 Recruitment Process
Favouritism in the process - employee obtains position due to relative or friend who is part of the recruitment process
SOP2007-080 Guidelines for Staff Selection Panels
Positions should be open to all people on the basis of merit and merit only.
Committee has the responsibility to ensure that no candidate is unfairly excluded from an opportunity for interview and that all recommendations are made on the basis of merit related to the job.
Ratings: Assessment of controls 2; Likelihood A; Impact 2
Residual Risk: M, M
9.3 Recruitment Process
Applicant is employed, yet he/she has a false CV or false certifications
The identification of a candidate cannot be falsely provided as Ambulance requires original documentation be provided for the 100 point check.
It is possible for a candidate to provide a false CV or qualifications however it is likely that this will be realised during the interview process as questions are asked about employment history and during the referee check with previous employers.
The mandatory Criminal Record Check and 100 point identification check would pick up any potential issues in terms of previous offences before the candidate was able to gain employment.
Ratings: Assessment of controls 2; Likelihood C; Impact 2
9.4 Leave Management
An employee provides false/misleading information to obtain leave (e.g. sick, special) and takes such leave
SOP2007-063 Sick Leave Procedure
For sick leave, medical certificates only need to be provided if three or more days of leave are taken.
Where attendance records indicate unreasonable sick leave balances, the manager/supervisor should interview the employee. Further actions are determined depending on the outcome of the interview.
Ratings: Assessment of controls 2; Likelihood C; Impact 2
Residual Risk: H, H
9.5 Leave Management
An employee takes leave and either doesn’t record the leave taken or under records it, thereby maintaining a larger leave credit than entitled
SOP2007-064 Leave Management Process
The Policy (153) states:
- Application for leave is completed then forwarded to Officer in Charge of the station/sector for sighting and appropriate recommendation (compliance with SOPs and Award/Agreement requirements is essential)
- Once application is verified to be correct, the Officer in Charge is to ensure prompt dispatch to the Area Office or Payroll Office in Sydney.
Officers in Charge/Section Heads cannot recommend their own leave requests. This task will be carried out at the Sector Office.
Ratings: Assessment of controls 1; Likelihood B; Impact 2
Residual Risk: M
Appendix B: Legal Definition of Corrupt Conduct
Sections 7 – 9 of the Independent Commission Against Corruption Act 1988 provide the definition of corrupt conduct:
7 Corrupt conduct
(1) For the purposes of this Act, corrupt conduct is any conduct which falls within the description of corrupt conduct in either or both of subsections (1) and (2) of section 8, but which is not excluded by section 9.
(2) Conduct comprising a conspiracy or attempt to commit or engage in conduct that would be corrupt conduct under section 8 (1) or (2) shall itself be regarded as corrupt conduct under section 8 (1) or (2).
(3) Conduct comprising such a conspiracy or attempt is not excluded by section 9 if, had the conspiracy or attempt been brought to fruition in further conduct, the further conduct could constitute or involve an offence or grounds referred to in that section.
8 General nature of corrupt conduct
(1) Corrupt conduct is:
(a) any conduct of any person (whether or not a public official) that adversely affects, or that could adversely affect, either directly or indirectly, the honest or impartial exercise of official functions by any public official, any group or body of public officials or any public authority, or
(b) any conduct of a public official that constitutes or involves the dishonest or partial exercise of any of his or her official functions, or
(c) any conduct of a public official or former public official that constitutes or involves a breach of public trust, or
(d) any conduct of a public official or former public official that involves the misuse of information or material that he or she has acquired in the course of his or her official functions, whether or not for his or her benefit or for the benefit of any other person.
(2) Corrupt conduct is also any conduct of any person (whether or not a public official) that adversely affects, or that could adversely affect, either directly or indirectly, the exercise of official functions by any public official, any group or body of public officials or any public authority and which could involve any of the following matters:
- official misconduct (including breach of trust, fraud in office, nonfeasance, misfeasance, malfeasance, oppression, extortion or imposition),
- fraud,
- election bribery,
- bribery,
- theft,
- election funding offences,
- blackmail,
- perverting the course of justice,
- election fraud,
- obtaining or offering secret commissions,
- embezzlement,
- treating,
- currency violations,
- tax evasion,
- revenue evasion,
- illegal drug dealings,
- obtaining financial benefit by vice engaged in by others,
- bankruptcy and company violations,
- illegal gambling,
- forgery,
- harbouring criminals,
- treason or other offences against the Sovereign,
- homicide or violence,
- matters of the same or a similar nature to any listed above,
- any conspiracy or attempt in relation to any of the above.
(3) Conduct may amount to corrupt conduct under this section even though it occurred before the commencement of this subsection, and it does not matter that some or all of the effects or other ingredients necessary to establish such corrupt conduct occurred before that commencement and that any person or persons involved are no longer public officials.
(4) Conduct committed by or in relation to a person who was not or is not a public official may amount to corrupt conduct under this section with respect to the exercise of his or her official functions after becoming a public official.
(5) Conduct may amount to corrupt conduct under this section even though it occurred outside the State or outside Australia, and matters listed in subsection (2) refer to:
(a) matters arising in the State or matters arising under the law of the State, or
(b) matters arising outside the State or outside Australia or matters arising under the law of the Commonwealth or under any other law.
(6) The specific mention of a kind of conduct in a provision of this section shall not be regarded as limiting the scope of any other provision of this section.
9 Limitation on nature of corrupt conduct
(1) Despite section 8, conduct does not amount to corrupt conduct unless it could constitute or involve:
(a) a criminal offence, or
(b) a disciplinary offence, or
(c) reasonable grounds for dismissing, dispensing with the services of or otherwise terminating the services of a public official, or
(d) in the case of conduct of a Minister of the Crown or a member of a House of Parliament—a substantial breach of an applicable code of conduct.
(2) It does not matter that proceedings or action for such an offence can no longer be brought or continued, or that action for such dismissal, dispensing or other termination can no longer be taken.
(3) For the purposes of this section:
applicable code of conduct means, in relation to:
(a) a Minister of the Crown—a ministerial code of conduct prescribed or adopted for the purposes of this section by the regulations, or
(b) a member of the Legislative Council or of the Legislative Assembly (including a Minister of the Crown)—a code of conduct adopted for the purposes of this section by resolution of the House concerned.
criminal offence means a criminal offence under the law of the State or under any other law relevant to the conduct in question.
disciplinary offence includes any misconduct, irregularity, neglect of duty, breach of discipline or other matter that constitutes or may constitute grounds for disciplinary action under any law.
(4) Subject to subsection (5), conduct of a Minister of the Crown or a member of a House of Parliament which falls within the description of corrupt conduct in section 8 is not excluded by this section if it is conduct that would cause a reasonable person to believe that it would bring the integrity of the office concerned or of Parliament into serious disrepute.
(5) Without otherwise limiting the matters that it can under section 74A (1) include in a report under section 74, the Commission is not authorised to include a finding or opinion that a specified person has, by engaging in conduct of a kind referred to in subsection (4), engaged in corrupt conduct, unless the Commission is satisfied that the conduct constitutes a breach of a law (apart from this Act) and the Commission identifies that law in the report.
(6) A reference to a disciplinary offence in this section and sections 74A and 74B includes a reference to a substantial breach of an applicable requirement of a code of conduct required to be complied with under section 440 (5) of the Local Government Act 1993, but does not include a reference to any other breach of such a requirement.
Appendix C: Fraud Rating Definitions
The risk assessment methodology adopted is based on the Australian/New Zealand Risk Management Standard (AS/NZS 4360:2004). This assessment was used to qualitatively measure the likelihood and consequence, and the inherent and residual risk of each potential fraud risk.
The following table shows how the consequence of each fraud risk was measured in terms of damage to reputation, integrity, competence, credibility, and financial loss.
Table Five – Measuring Consequence/Impact
Level | Descriptor | Examples of Consequences/Impact
1 | Insignificant | An INSIGNIFICANT risk rating will indicate that a fraud/corruption risk will only have an immaterial financial or administrative impact on Ambulance.
2 | Minor | A MINOR risk rating will indicate that a fraud/corruption risk will only have a small financial or administrative impact on Ambulance. Financial losses are not likely to exceed $10,000 (including costs of investigation and disruption to management and staff). Only minor damage to reputation.
3 | Moderate | A MODERATE risk rating will indicate that a fraud/corruption risk has the potential to moderately impact on Ambulance. Potential consequences may include some or all of the following:
• Financial losses are not likely to exceed $50,000 (including costs of investigation, legal costs and disruption to management and staff)
• Ambulance’s integrity and reputation are likely to suffer
• Some criticism from the Government and media is likely
• An ICAC investigation may result.
4 | Major | A MAJOR rating will indicate that a fraud/corruption risk has the potential to seriously impact on Ambulance. Potential consequences may include some or all of the following:
• Financial losses resulting from fraud are likely to exceed $100,000 (including costs of investigation, legal costs and disruption to management and staff)
• Possible ICAC inquiry
• Ambulance’s integrity and competence may be challenged by the Government
• May result in criminal proceedings
• The media are likely to severely criticise Ambulance and Ambulance staff
• Severe public embarrassment and damage to reputation
• May impact on Ambulance’s insurance coverage.
The following tables show how the likelihood of each corruption and fraud risk was measured.
Table Six – Measuring Likelihood
Rating | Likelihood of Occurrence
A Rare | The event will only occur in exceptional circumstances or as a result of a combination of unusual events (e.g. once every 10 years)
B Unlikely | The event may occur at some time but not likely to occur in the foreseeable future (i.e. within the next 5 years)
C Possible | The event may occur within the foreseeable future or medium term (i.e. within 3 years)
D Almost Certain | The event will occur in most circumstances (i.e. within 1-2 years)
Table Seven – Control Effectiveness
Control Rating | Descriptor | Definition
1 | Good | Controls are highly effective in minimising the fraud risk
2 | Adequate | Controls are adequate for Ambulance in controlling the fraud risk
3 | Needs improvement | Enhancing one or more of the controls will result in the fraud risk being better controlled for Ambulance’s purpose
Table Eight – Residual Risk Ratings
Columns: Control Effectiveness, from 1 (GOOD) to 3 (NEEDS IMPROVEMENT). Rows: Consequence + Likelihood = Inherent Risk, from 8 (Very High Risk) to 2 (Low Risk). (AS/NZS 4360:2004)
Inherent Risk | 1 | 1.5 | 2 | 2.5 | 3
8 (Very High Risk) | High | High | Critical | Critical | Critical
7 | High | High | Critical | Critical | Critical
6 | High | High | High | High | Critical
5 | Medium | High | High | High | Critical
4 | Medium | Medium | Medium | Medium | High
3 | Low | Medium | Medium | Medium | High
2 (Low Risk) | Low | Low | Low | Low | Medium
Appendix D: Interview and Workshop Participants
Interviewees | Workshop Participants - Rozelle | Workshop Participants - Dubbo
Name Title Name Title Name Title
Michael Landsbergen GM, Corporate Services Anne Mathews A/Divisional Human Resources Manager
Greg Parrey Western Divisional Human Resources Manager
Kathryn Wood Director, Public Affairs Karen Evtushenko Manager – Management Accounting Unit
Leanne Abernethy Southern Divisional Human Resources Manager
Mick Willis GM, Operations Padraic Hoban Manager Financial Services Sam Cowell Western Divisional Finance Manager
Marian O’Connell Director, Professional Standards and Conduct Unit
Giles Buchanan A/Inspector (Sydney) Kylie Moroney Southern Divisional Finance Manager
Stephen O’Malley Chief Finance Officer Steve Murphy PSCU representative Michael Bray Deputy Director Operations Illawarra/South Coast Sector
Graeme Field Manager, Aeromedical and Retrieval Services
Mishkaa Griffiths Manager, Recruitment Trevor Hannan Inspector (Western)
Mike Lloyd Manager, Property Services Chris Patrick Inspector (Western)
Murray Traynor Inspector (Sydney) Brad Porter A/Operational Support Manager (Western)
Shane Whittaker Inspector (Sydney) Tracy Riley DOCO/SOCO (Western)
Graeme Field Manager, Aeromedical and Retrieval Services
Jed Gollan Clinical Support Manager
Mary-Anne Saba Pharmacist Greg Parrey Western Divisional Human Resources Manager
Brett Standaloft Control Centre representative (DOCO/SOCO)
www.deloitte.com.au