Part 8: Fraud – The responsibilities and duties of public entities

Central government: Results of the 2003-04 audits.


There have been a number of instances of fraud in the public sector in recent years. Two of the more high-profile, and high-value, instances were:

  • a fraud of $1.9 million at the Ministry of Social Development (identified in July 2003); and
  • a fraud of $2.3 million at the Ministry of Health (identified in September 2004).

We thought it timely to reiterate our expectations in respect of the:

  • responsibility of public entity management to minimise fraud; and
  • duties of public entity management in the event of fraud.


Fraud always attracts a great deal of interest, irrespective of its scale. Questions are asked about how the fraud was perpetrated, and whether the controls designed to stop fraudulent activity were operating effectively. In the public sector, the interest in fraud is heightened, because public money is involved, and because those individuals entrusted with public money are expected to exhibit the highest standards of honesty and integrity.

The high standards of behaviour expected of individuals entrusted with public money mean that, when a fraud is committed, the same high standards must be applied to ensure that the perpetrators are brought to justice, and that there is an accompanying level of accountability and disclosure.

Responsibility of public entity management to minimise fraud

Responsibility for preventing and detecting fraud rests with the management teams of public entities, through the implementation and continued operation of adequate internal control systems (appropriate to the size of the public entity), supported by written policies and procedures.

In general, the potential for fraud is affected by a number of factors, including the:

  • quality of the entity’s financial information systems, financial controls, and financial control environment (which includes an awareness of the possibility of fraud and active measures to combat it);
  • competence, experience, and focus of management teams and staff handling financial transactions;
  • frequency with which the organisational structure changes:
  • level of staff turnover;
  • amount of money being managed by the entity; and
  • number of people employed by the entity to manage its money.

Minimising employee fraud

Because of the ingenuity of people determined to commit fraud, and because internal controls need to be cost effective, it is effectively impossible to prevent all fraud. We also recognise that the risk of fraud will vary according to the size of the entity, the complexity of its operation, and other factors as noted above.

Public entities can take a number of steps to minimise fraud.

Management must make it clear that fraudulent behaviour is unacceptable, and make employees and those who deal with the entity aware of that attitude and the consequences of transgressing. The only satisfactory way of communicating that attitude is by issuing formal policies and procedures to everyone in the entity – covering the prevention, detection and investigation of fraud.

We therefore expect every public entity to have a policy on how to minimise fraud, and how it will be dealt with if it occurs.

In an article published in 2000, we stated that a fraud policy should include, as a minimum, these key elements1:

  • a system for undertaking regular reviews of transactions, activities or locations that may be susceptible to fraud;
  • specifications for fully documenting what happened in a fraud, and how it is to be managed;
  • the means for ensuring that every individual suspected of committing fraud (whether they are an employee or someone external to the entity) is dealt with in the same manner;
  • the principle that every effort is to be made to gather sufficient reliable evidence to support a prosecution, and that every case of fraud will be referred to the appropriate law enforcement agency with a view to prosecution; and
  • the principle that recovery of the lost money or other property will be pursued wherever possible and practicable.

Other steps that public entities can take to minimise fraud include:

  • Having clear ethical standards that are understood by all employees, and complied with. Managers should demonstrate these standards.
  • Thorough recruitment processes – checking not only nominated referees but also, with the consent of the applicant, previous direct managers. Gaps in employment history should be explained. Criminal checks should be undertaken before new employees are hired into key positions.
  • Enforcement of mandatory holidays. In addition to being sound business practice for the welfare of staff, this is an important internal control.
  • Effective budget setting and monitoring procedures.
  • An understanding by management teams of the roles of their staff, an appropriate and sensible level of oversight, and a balance of segregation of duties and aggregation or concentration of unsupervised duties.
  • Active risk management, including an ongoing assessment of fraud risk through important areas of the organisation. This should include an effective internal audit function.

Duties of public entity management in the event of fraud

The managers of public entities, whether elected or appointed to office, have a duty to conduct the entity’s affairs in a fair, businesslike manner, with reasonable care, skill, and caution, and with due regard to the interests of taxpayers, ratepayers, and others whom they serve. Managers should not shield a person from the possible institution of proceedings for a criminal offence (even though managers may believe that they do so on valid grounds).

In the event of suspected fraud, we expect the Board or Chief Executive to report the matter to the appropriate law enforcement agency, which will decide whether proceedings should be instituted for a criminal offence. We also expect public entities to immediately inform their Appointed Auditor of any suspected fraud.

It is for the law enforcement agencies, not public entity managers, to decide whether or not a person should be prosecuted.

It is the Auditor-General’s policy that, if a public entity does not report fraud to the appropriate law enforcement agency, the Auditor-General will consider doing so – for the purpose of protecting the interests of the public.

We also expect that recovery of the lost money or other property will be pursued wherever possible and practicable.

1: “Managing Employee Fraud”, Central Government: Results of the 1999-2000 Audits, parliamentary paper B.29[00c], pages 46-51.

page top