Chapter 2 – Background

2.1 This chapter describes a number of key concepts such as what constitutes fraud, corruption and conflict of interest, before considering the Commonwealth Fraud Control Framework and the role of other key Commonwealth agencies within the Framework. The ATO’s own fraud risk management and governance arrangements are also explained, followed by a summary of approaches to fraud risk management adopted by other revenue agencies in comparable jurisdictions.

Fraud, corruption, integrity and conflict of interest

2.2 Those trusted with regulatory power are expected to exercise that power effectively and ethically. Public confidence is lost when institutions are ineffective in fulfilling their public role or fail to address unethical staff conduct. As a result, an institution loses its legitimacy and power to engender voluntary compliance with the laws that it regulates.

2.3 Unethical behaviour, such as fraud and corruption, threatens the funds available to deliver public goods and services, distorts the decision-making process of public officials, weakens public confidence in Government and undermines the financial integrity of public institutions. In a 2017 Australian Institute of Criminology (AIC) report19, Commonwealth losses attributable to fraud had totalled approximately $1.203 billion over four financial years, from $119 million in 2010–11 increasing to $673 million in 2013–14. However, over this period, Commonwealth agencies had only recovered $75.3 million previously lost to fraud and the number of reported incidents more than doubled, rising from 52,127 in 2010–11 to 110,698 in 2013–14, with the most common types of external fraud related to government entitlements, including revenue, visa/citizenship and social security frauds.

2.4 The main types of unethical behaviour, namely fraud, corruption and conflict of interest, are described in more detail below.


Fraud

2.5 In a criminal law context, fraud has been defined as ‘dishonestly obtaining a benefit, or causing a loss, by deception or other means’20, for example, theft or knowingly providing false or misleading information to the Commonwealth, or failing to provide it when there is an obligation to do so.21

2.6 The ‘benefits’ obtained may be tangible, such as obtaining monetary benefits, or intangible, such as obtaining information. A benefit may also be obtained by a third party through unauthorised disclosure of information or provision of access.22

2.7 ‘Dishonesty’ focuses on a person’s intent and is based on whether a reasonable person would consider an act or omission to be honest or dishonest at the time it occurs. Therefore, accidents and inefficient work practices would not meet the definition of fraud.23

2.8 In the tax context, fraud may be contrasted with ‘non-compliance’ whereby activities such as a taxpayer incorrectly reporting their income may be the subject of administrative penalties by the ATO without the need to establish the taxpayer’s state of mind. Fraud, by contrast, may be prosecuted through the criminal justice system and requires evidence of actual intent to obtain a benefit through dishonest means.24


Corruption

2.9 In the Australian Public Service (APS) context, corruption has been defined as ‘the abuse of a public position for private gain’ or ‘the dishonest or biased exercise of a Commonwealth public official’s functions’.25 Such conduct amounts to ‘abuse of public office’, which is a criminal offence, where:

(a) the public official:

(i) exercises any influence that the official has in the official’s capacity as a Commonwealth public official; or
(ii) engages in any conduct in the exercise of the official’s duties as a Commonwealth public official; or
(iii) uses any information that the official has obtained in the official’s capacity as a Commonwealth public official; and

(b) the official does so with the intention of:

(i) dishonestly obtaining a benefit for himself or herself or for another person; or
(ii) dishonestly causing a detriment to another person.26

2.10 Other examples of corrupt conduct include bribery, embezzlement, insider trading, nepotism or cronyism.27

2.11 The Senate Select Committee on a National Integrity Commission also noted that ‘corruption’ and ‘corrupt conduct’ carry different meanings in different contexts.28

2.12 It could be said, therefore, that corruption refers, not to a particular offence necessarily, but rather to a range of behaviours which may or may not amount to criminal conduct. Although an event may amount to both fraud and corruption, not all cases of corruption will amount to fraud nor will all cases of fraud involve corruption. Fraud and corruption can also involve collusion between officials and external parties who work together in secret for a dishonest purpose.29 As noted by the Victorian Independent Broad-based Anti-corruption Commission:

When a public servant can be persuaded to cooperate with a criminal group, they offer the group ongoing access while employing inside knowledge of the public bodies’ systems to avoid detection. Obtaining information and access from insiders is an efficient and cost-effective means of facilitating major criminal enterprises.30

Conflict of interest

2.13 A conflict of interest arises when an official’s interest or relationship, real or perceived, conflicts with a duty they hold or where they have a role that conflicts with another role.31 For example, a conflict of interest may arise where:

2.14 Real or perceived conflicts of interest may adversely affect an official’s or agency’s integrity or reputation.33 Public confidence in the Government may be jeopardised if the public perceives that officials are working to serve their own agendas.34 The Organisation for Economic Co-operation and Development (OECD) notes that it is not practical to prohibit public officials from having private interests but recognises that ‘an unresolved conflict of interest may result in abuse of public office.’35

2.15 It should be noted that bias is not the same as a conflict of interest as a bias can affect a public official’s judgment irrespective of any conflict of interest. For example, an official conducting job interviews may place importance on a university education and will therefore have a bias towards candidates who have completed their university degree. The public servant, however, may not have any financial or other interest with universities. As such they may make a biased decision to hire a candidate with a university education without any conflict of interest.

2.16 Unlike fraud and corruption, conflicts of interest may not amount to a criminal offence. However, they may evidence unethical conduct which attracts a disciplinary sanction as APS employees are required to:

2.17 Before turning to how the ATO manages the specific risks of fraud and corruption, this report considers a range of other factors that influence how Commonwealth agencies generally manage risks including fraud and corruption.

Risk management across the Commonwealth public service

2.18 Commonwealth public service agencies have general risk management obligations under the Public Governance, Performance and Accountability Act 2013 (PGPA Act) which is administered by the Department of Finance. Each agency gives effect to these requirements by setting out its expectations of staff decision-making and conduct through corporate policies known as Chief Executive Instructions (CEIs).37 They are lawful directions to staff for the purposes of the Public Service Act 1999.38 Staff who do not comply with the CEIs may be in breach of the APS Code of Conduct39, potentially resulting in the imposition of disciplinary sanctions.40 Non-compliance by contractors may result in breach of the terms of their contract with the ATO.41

2.19 Section 16 of the PGPA Act requires an ‘accountable authority’, which is the Commissioner in the case of the ATO, to establish and maintain an appropriate system of risk oversight and management.42 To that end, the Commonwealth Risk Management Policy43 requires Commonwealth entities, such as the ATO, to comply with nine elements in order to satisfy this part of the PGPA Act. One of these elements is the mandatory establishment of a risk management framework that provides ‘the arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the entity.’44

2.20 The PGPA Act also authorises the making of rules through legislative instruments such as the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule). Section 10 of the PGPA Rule requires Commonwealth entities to take ‘all reasonable measures to prevent, detect and deal with fraud relating to the entity.’ This section, known as ‘the Fraud Rule’, also lists specific requirements such as the need for the agency to develop and implement a fraud control plan.45

2.21 The Fraud Rule forms part of the Commonwealth Fraud Control Framework administered by the AGD.46 The Commonwealth Fraud Control Framework consists of:

2.22 Commonwealth agencies publicly demonstrate their compliance with the Commonwealth Fraud Control Framework by reporting on fraud control matters in their Annual Reports50 and reporting51 information on fraud perpetrated against the Commonwealth to the AIC by 30 September each year. Such reporting, however, is not required to include incidents of suspected fraud, incidents under investigation and whether the fraud was proven or not, although reporting agencies are encouraged to do so.52

2.23 There is no specific requirement for agencies to report fraud matters to their responsible Minister. However, there is a legislative requirement that the Minister be kept informed about significant issues that may affect the agency53, for example, information regarding fraud risks.54

The roles and responsibilities of key agencies

2.24 The Fraud Policy and Fraud Guidance set out the roles and responsibilities of key agencies, some of which, as well as those of other relevant bodies, are outlined below.

Attorney-General’s Department

2.25 The AGD is responsible for providing high level policy advice to the Government about fraud control arrangements within Commonwealth agencies. This includes developing and reviewing general policies of Government with respect to fraud control, such as the Commonwealth Fraud Control Framework, advising agencies about the content and application of those policies, and reporting to Government on compliance with the Fraud Rule.55

Australian Federal Police

2.26 The AFP is the primary law enforcement agency for the Commonwealth and its responsibilities include investigating serious or complex fraud against the Commonwealth.56 If a fraud is not serious or complex, the affected agency will remain responsible for investigating that fraud.57

2.27 Agencies must refer all instances of potential serious or complex fraud offences to the AFP in accordance with the Australian Government Investigation Standards (AGIS)58 and AFP referral process. However, agencies are not required to make such referrals if legislation sets out alternative arrangements or where agencies have the capacity, appropriate skills and resources needed to investigate the matter as well as meet the AGIS requirements for evidence gathering and the Commonwealth Department of Public Prosecutions’ (CDPP) requirements in preparing briefs of evidence.59

2.28 Generally, where a referral is made to the AFP, the referring agency completes an AFP Referral Form and sends it to the AFP Operations Monitoring Centre in the State or Territory in which the suspected offences occurred. In exceptional circumstances where immediate action by the AFP is required, the AFP will consider the referral over the telephone but a written referral must follow within 24 hours.60 Referrals are considered in accordance with the criteria set out in the AFP Case Categorisation and Prioritisation Model (CCPM) in deciding whether to undertake an investigation into the matter, undertake a joint investigation with the agency or reject the referral.61

2.29 For the ATO, however, there are specific processes which prescribe how such referrals may be made to the AFP and how their priority is determined. These processes are set out in detail in Chapter 6.

Australian Commission for Law Enforcement Integrity

2.30 The ACLEI assists the Integrity Commissioner to detect, investigate and prevent corrupt conduct in designated Government agencies with law enforcement functions.62 The ATO is not subject to ACLEI’s jurisdiction. In administering the tax laws, however, the ATO does access information of other law enforcement agencies which do fall under ACLEI’s jurisdiction.

Australian National Audit Office

2.31 The ANAO audits the financial statements of Commonwealth agencies and may conduct performance audits to assess how agencies meet their fraud control responsibilities.63 For example, the ANAO conducted a performance audit on the ATO’s fraud control arrangements in 2000 as well as a broader performance audit of fraud control arrangements for selected Commonwealth entities in 2014.64

Commonwealth Director of Public Prosecutions

2.32 The CDPP is responsible for prosecuting offences against Commonwealth law.65 Agencies are encouraged to consider criminal prosecution in appropriate circumstances as an important deterrent to future instances of fraud and to educate the public generally about the seriousness of fraud.66 Agencies are also encouraged to take reasonable measures to recover financial losses from fraud through proceeds of crime and civil recovery processes or through administrative remedies.67

2.33 When referring matters to the CDPP for consideration of prosecution action, agencies are encouraged to prepare briefs in accordance with the guidelines for dealings between Commonwealth investigators and the CDPP.68

2.34 Where a brief of evidence has been referred to the CDPP, the brief will be examined to decide whether a prosecution should be instituted and, if so, on what charge or charges.69 In addition to the evidentiary requirements for prosecution, the CDPP has the discretion to consider whether it is in the public interest to prosecute the offender(s). The factors for such consideration vary from case to case, but may include:70

Australian Institute of Criminology

2.35 The AIC is responsible for conducting an annual fraud survey of agencies and producing reports on fraud against the Commonwealth, the compliance of Commonwealth agencies with the Commonwealth Fraud Control Framework as well as fraud trends.71 In doing so, the AIC must annually report on fraud against the Commonwealth and fraud control arrangements within six months of receiving the information it collects from agencies.72

Australian Securities and Investments Commission

2.36 The ASIC regulates Australian companies, financial markets, financial services organisations and professionals who deal with and advise on investments, superannuation, insurance, deposit-taking and credit under a number of Commonwealth laws. ASIC uses enforcement powers to detect and deal with unlawful conduct and responds to breaches of law ranging from minor regulatory offences through to serious misconduct.73

Commonwealth Ombudsman

2.37 The Commonwealth Ombudsman’s role includes monitoring the operation of the PID Act.74


2.38 Parliament, and its committees, also perform a key role in scrutinising all government activities including fraud or corruption-related matters.

ATO’s Enterprise Risk Management Framework

2.39 Pursuant to the Commonwealth Risk Management Policy, the ATO’s Enterprise Risk Management Framework comprises a range of components including a risk matrix, to assist with rating risk according to likelihood and consequence, and a risk register to record different categories of risk hierarchically.75

2.40 During the review, the ATO began to change its risk management framework. However, to date, not all risks and responsibilities have been migrated to the adjusted framework and, in any event, the risks and responsibilities relevant to this review are likely to remain substantially the same. Accordingly, this report refers to the framework prior to the commencement of such migration.

2.41 The risk register contains 21 ‘Level 0’ risk categories within which are more specific ‘Level 1’ risks.

2.42 In accordance with the third element of the Commonwealth Risk Management Policy76, the ATO allocates responsibilities for each of these Level 1 risks to various officers within the ATO. These include a Senior Executive Service (SES) Band 1 officer as the ‘risk steward’ who is responsible for ‘managing a discrete risk population or group (risk pool) within an enterprise risk category’ and an executive level (EL) officer as the ‘risk manager’ who has day-to-day responsibility for managing that risk.77

2.43 For example, under the Level 0 risk category ‘Major Tax Integrity Threats’, there are Level 1 risks such as ‘Aggressive Tax Planning’, ‘Cash Economy’ and ‘Tax Crime’. Under ‘Tax Crime’ are four risks, namely: GST Evasion, Phoenix, Refund Fraud and Tax Crime. The risk of Tax Crime is described as the ‘Failure to adequately identify and respond to major criminal threats to Australia’s tax and superannuation system which have the potential to undermine community confidence in the integrity of the system’.78 The risk steward for Tax Crime is the Assistant Commissioner (SES Band 1) for the Tax Evasion and Crime (TEC) area whilst the risk manager is a Director (EL officer) within the Tax Crime Risk Management unit. Both of these positions are located within the PGH business line. Further information about how the ATO addresses the Tax Crime risk is contained in Chapter 6.

2.44 Similarly, the Level 0 risk ‘Governance’, contains the Level 1 risk ‘Internal Fraud and Corruption’ which is described as ‘Failure to minimise internal fraud and corruption through timely and effective prevention, detection and investigative activities.’79 The risk steward is the Assistant Commissioner for the FPII unit (the FPII Assistant Commissioner), whilst the risk manager is a Director within that unit.

2.45 The risk register captures other details about the risk such as any mitigation details or risk assessments which may be attached as documents. In relation to the Internal Fraud and Corruption risk, for example, one of the documents included is the Fraud and Corruption Control Plan. This plan is discussed later in this chapter.

2.46 By contrast, for ‘Privacy’ risks80, which is a Level 1 risk, the mitigation details refer to the CEI on Privacy and Taxpayer Confidentiality. The following section addresses the role of CEIs within the ATO.

ATO’s Chief Executive Instructions

2.47 The Commissioner has issued a number of CEIs giving instructions to staff in a variety of areas such as asset management, work health and safety as well as a range of integrity-related issues such as conflicts of interest81 and appropriate access to taxpayer records.82

2.48 For example, the CEI 2014/05/08 on ‘Internal Fraud and Corruption’ requires ATO staff to:

actively [assist] in preventing, detecting and reporting internal fraud and corruption by:

  • Ensuring your mandatory training for dealing with fraud and ethics is complete and remains current
  • Referring any suspicion of fraud and corruption to either your manager, or [the FPII unit], leaving a message on the … hotline … or completing the Anonymous Fraud Alert Form
  • Not overlooking fraud or corruption, not hindering an investigation, and not attempting to investigate fraud or corruption yourself. If you have any concerns talk to your manager or Fraud Prevention and Internal Investigations
  • Complying with the APS Code of Conduct including behaving honestly and not making improper use of inside information
  • Participating in fraud control activities, such as risk assessment activities
  • Respecting the confidentiality of others who may report or are involved in a fraud investigation
  • Assisting and supporting fraud and corruption reporting, investigation and prosecution, including providing information or acting as a witness.83

ATO Fraud and Corruption Control Plan

2.49 The ATO has developed a fraud control plan as required by the Fraud Rule. Consistent with developments in international and Australian standards84, the ATO’s fraud control plan also addresses corruption as a risk and, accordingly, it is known as the Fraud and Corruption Control Plan.85 This publicly available document sets out the range of ATO strategies to prevent, detect and respond to internal and external fraud and corruption risks as well as the associated oversight and reporting mechanisms.86 These strategies include:

fraud and corruption prevention strategies that are targeted at building a strong integrity culture within the ATO, and fraud awareness in those who interact with the ATO [which] is based on [a number of factors, including]: a strong awareness of what fraud is and what to do about it;… robust recruitment and vetting processes …[; and] regular training and communication…

… fraud and corruption detection activity [that] is based around [the following including]: system monitoring and scanning, and associated control scenarios … systematic review and analysis of fraud referrals to identify possible trends … a strong culture of reporting, and awareness of how to report [; and] …PIDs… [which are made by those who suspect wrongdoing by ATO officers]…

…[responding] in the following ways [including]: assessment of all reports and allegations to determine an appropriate response;… undertaking investigations in accordance with [AGIS; and] pursuing disciplinary, administrative, civil or criminal actions as appropriate…87

2.50 The Fraud and Corruption Control Plan also considers that all ATO officers have an obligation to report incidents of suspected fraud or corruption and provides the details for the community and law enforcement agencies to report suspected tax crime regarding external fraud.88 The obligation for ATO officers to report external fraud is also outlined in the CEI on Tax Crime and External Fraud which imposes a number of requirements including the responsibility for staff to refer suspected tax crime matters, after consultation with their manager, to the TEC area within PGH.89

2.51 Since the 2014–15 financial year, the ATO has reviewed its Fraud and Corruption Control Plan annually.

Figure 2.1 – Overview of Commonwealth and ATO risk management framework

Source: ATO90, AGD and Department of Finance.

ATO’s governance of fraud and corruption risk management

2.52 Generally, the ATO’s governance structure consists of a number of committees, program boards and consultation groups.91 In relation to the management of fraud and corruption risks, the current critical functional areas and positions include the following:

ATO’s risk reporting

2.53 To track compliance with certain legal obligations as well as whole-of-government and internal requirements, the ATO conducts the ‘conformance with obligations program’.99 This program monitors and reports on the level of conformance in areas of identified risks. These reports include quarterly qualitative conformance statements from the responsible areas.

2.54 Quarterly corporate integrity indicator reports are also produced for areas of risk, priority or identified improvement.100 These are:

a rolling program of quantitative reports in some predetermined areas of risk, priority or where the ATO needs to improve concerning reputation, people, information practices, resources and security.101

2.55 Table 2.1 below describes these reports in more detail by outlining the indicators and what is being measured.102

Table 2.1: ATO corporate integrity indicators

| Corporate integrity indicator | Measurement |
| --- | --- |
| Aged complaints | Aged complaints over 50 business days old |
| Conflicting Information Technology (IT) access roles | Medium and high risk conflicting IT tax systems where access combinations pose financial and/or fraud risks |
| Security incidents | Overview of security incidents by type and site across the ATO |
| Unauthorised access to taxpayer records | The number of occurrences of unauthorised access to taxpayer records |
| Comcare claims | The costs and number of Comcare claims |
| Workforce absence | The level of workforce absence across the ATO compared to the APS large agency median of 12.4 days and the ATO’s internal rate of unscheduled leave compared to the same time last year. |
| Mandatory training | Completion rates for ATO staff and new starters’ mandatory training in Security, Privacy, Fraud and Work Health Safety |

Source: ATO

2.56 Summaries from the conformance statements, integrity indicator reports and other relevant materials are reported to the ATO Executive and the ARC and are made available across the ATO.103

2.57 The FPII Assistant Commissioner also provides detailed reports to the ARC which include identified trends and work that the FPII unit may be conducting internally or with other agencies in Australia and overseas. The reports to the ARC also include an overview of the FPII unit’s prevention, detection and response activities for the relevant period, including:104

2.58 The FPII Assistant Commissioner also reports on a monthly basis to the Deputy Commissioner, ATOC, on the FPII unit’s performance, including progress of reviews, trends and status of individual FPII investigations.105 The ATO has also advised the IGT that the FPII Assistant Commissioner may report directly to the Commissioner or Second Commissioners on issues of significant risk or misconduct.

2.59 Furthermore, as noted above, the ATO publicly demonstrates its compliance with the Commonwealth Fraud and Corruption Control Framework by reporting on fraud control matters in the Commissioner’s Annual Reports106, to the AIC annually on fraud perpetrated against the ATO107 and to the Commonwealth Ombudsman regarding its compliance with the PID regime.108

International approaches

2.60 The following section briefly describes the approaches taken by revenue authorities in some comparable countries within the OECD to address risks of internal fraud and corruption. While they all have their own priorities and focus areas in relation to the management of external fraud, the need for sound management of internal fraud is a ubiquitous concern across all jurisdictions.

United States of America

2.61 Responsibility for the management of fraud risks within the Internal Revenue Service (IRS) is shared between the IRS itself and the Treasury Inspector General for Tax Administration (TIGTA), which is an independent office having oversight responsibilities of the IRS and reporting directly to the Treasury Secretary and Congress.109 Generally, TIGTA’s Office of Investigations (OI) conducts a comprehensive program of investigating potentially fraudulent activities that have been detected or reported, whilst the IRS is responsible for fraud prevention through training programs and adopting internal controls. The responsibility for detecting internal fraud is shared by TIGTA and the IRS, with the former focusing on areas such as unauthorised access while the latter has its own projects in place to detect fraud and impropriety in areas such as procurement and human resources (HR). Due to the structures in place, any potentially fraudulent conduct detected by the IRS’s detection projects is referred to TIGTA’s OI.

Internal Revenue Service

2.62 With respect to recruitment, the IRS has a two-stage checking process aimed at safeguarding the integrity and trustworthiness of the workforce. Initial pre-screening is conducted by the IRS prior to the employee’s commencement date, while a much more thorough ‘suitability investigation’ is conducted under the jurisdiction of the Office of Personnel Management within the first year of employment.110

2.63 The extent of both the pre-screening and the suitability investigation will depend on the position’s risk level. Any position in the IRS that involves access to federal tax information is designated to be at least moderate risk and subject to fingerprinting, a credit search, Federal and local law enforcement checks and a personal subject interview. Written inquiries are also made to the employee’s previous employer(s) and/or place of study with references being sought for the past five years.111 Employees in positions designated to be high risk, such as criminal investigators, are subject to more comprehensive checks. There is a separate but similar screening regime for contractors.112

2.64 Although the extensive background checks can be quite time consuming, the IRS’s two-stage process means that a portion of the checks can be completed after the employee has already commenced employment. In this way, the IRS is able to balance the need for a thorough vetting process while minimising the delay in deploying human resources that such a process would typically entail.

2.65 Furthermore, the IRS’s screening process is not limited to a point-in-time check which occurs when an employee enters the organisation. For moderate and high risk positions, the background investigation is repeated once every five years to provide assurance that the employees remain suitable for their role from an integrity perspective.113

2.66 Once an employee or a contractor joins the IRS, measures are also taken to instil within them the ethics and values of the organisation. Employees are required to complete annual mandatory training which includes modules on ethics, unauthorised access and conflicts of interest. To ensure the robustness of online training, some of the mandatory modules are created using software that has set time frames per slide or requires staff members to interact with the screen to ensure that they are working through the content.114 The training packages also use real and relevant examples from actual investigations to provide more practical and useful guidance. After working through the module, the employee or contractor needs to complete a test which, if failed, would require the employee or contractor to repeat the entire module before they could attempt the test again. Staff will also be prevented from accessing certain IRS systems if the associated training modules are incomplete or not passed.115

2.67 The IRS also adopts various internal controls to reduce the likelihood of fraud. For example, the team responsible for case selection has no involvement in audit or compliance activities and vice versa. Similarly, senior officers with more extensive decision-making powers are only privy to high level information and generally do not have any direct involvement in individual audit cases. While it is an option for the taxpayer to escalate issues to such officers, these officers encourage the taxpayer to raise and resolve their concerns with the manager of the audit team directly. In instances where senior officers are involved in cases, the IRS has a set of principles which guides these interactions.116 Furthermore, the right of US taxpayers to appeal to an independent Office of Appeals, which is separate and independent from the IRS’s compliance function, operates as a further check on the senior officer’s decision-making powers.

2.68 The IRS also treats management of conflicts of interest very seriously as public servants in the US are prohibited, by law, from participating in an official capacity in any matter in which they have a financial interest if the matter will have a direct and predictable effect on that interest.117 Senior executives are required to make a Public Financial Disclosure which outlines their assets, liabilities, financial transactions and gifts received and those of their spouse.118 Such disclosures must be made upon commencement of employment and annually thereafter. Employees who are not senior executives but are deemed to be employed in a position that has a direct and substantial economic effect on the interests of a non-federal entity, such as auditors, are instead required to lodge a Confidential Financial Disclosure Report upon commencement of their role and annually thereafter. This report requires the employee to disclose their assets, liabilities and gifts and those of their spouse and dependent children.119

2.69 Conflicts of interest are not simply restricted to situations where there may be financial gain but also extend to other types of personal benefits. As such, IRS employees are specifically expected to recuse themselves from participating in matters related to a particular taxpayer if the employee is currently seeking employment from that taxpayer.120

2.70 The rules that seek to prevent IRS employees from being exposed to conflicts of interest extend into the period after the employee has left the organisation. Broadly speaking, under US legislation, a former IRS employee would be permanently prohibited from dealing with the IRS on a matter if they previously participated personally and substantially in the matter while being employed by the IRS. That IRS employee would also be prohibited for a period of two years from dealing with the IRS if they did not substantially participate in the matter but it was under their official responsibility. Senior executives also have an additional restriction placed upon them after they leave the organisation known as the ‘no contact rule,’ which effectively prohibits the former executive from dealing with the IRS in connection with any matter for a period of one year.121

Treasury Inspector General for Tax Administration

2.71 The reasons why allegations of fraud or corruption by IRS staff are investigated by a structurally independent agency are based in the history of TIGTA and its predecessor, the IRS Inspection Service. In response to allegations of corruption, the IRS Inspection Service was established in 1951 as the IRS’s internal affairs division.122 However, perceptions of conflicts of interest remained as the IRS Inspection Service was within the IRS. These conflict of interest perceptions and allegations of abuse of power by the IRS led to the ultimate transfer of all the functions of the IRS Inspection Service to the newly created independent TIGTA.123

2.72 The purpose of severing the internal fraud investigation function from the IRS was to promote impartiality by preventing such investigations from being unduly influenced by IRS senior management. The fact that TIGTA has its own reporting channels to the Treasury Secretary and to Congress further supports the separation of roles and responsibilities.

2.73 As noted earlier, TIGTA may receive referrals about fraud or other misconduct by IRS employees. TIGTA may also be alerted to these matters through its fraud, waste and abuse hotline or online reporting form.124 While the majority of TIGTA’s investigations originate through these channels, the OI also proactively engages in monitoring activities to detect potential wrongdoing, such as unauthorised access and the misuse of IRS systems.125 For example, TIGTA has put in place certain automated safeguards and is able to detect IRS employees who look up records of their family, neighbours and high profile taxpayers. In addition, TIGTA is also able to detect employees who have potentially made adjustments to tax accounts.

2.74 As noted earlier, the above investigations are conducted by TIGTA’s OI, whose staff are Federal law enforcement officers and possess both the capability and a broad range of powers, including the authority to carry firearms, to execute and serve search warrants, and to make arrests.126 In addition, TIGTA does not need to obtain permission from the US Department of Justice to commence its investigations.

2.75 Not all allegations made to TIGTA involve criminal allegations. Approximately 30 per cent of all allegations are referred back to the IRS for action127 as they involve less serious administrative concerns such as employee performance issues or unauthorised absences.

2.76 During each six month reporting period, the OI typically conducts around 1,500 investigations. When an investigation into an IRS employee has been completed, TIGTA presents the outcomes to the IRS who determines the appropriate disciplinary action to take. In circumstances where the outcome of the investigation uncovers a criminal element, TIGTA will refer the matter to the Department of Justice for prosecution.128

2.77 TIGTA also has some involvement in fraud prevention. For example, TIGTA conducts a variety of proactive activities, such as presentations to groups of IRS employees. These activities provide TIGTA with the opportunity to meet face-to-face with IRS employees and their managers to make them more aware of TIGTA’s role and responsibility and to help them feel more comfortable about approaching TIGTA to provide information.129 The IRS also publishes the number of staff terminated, suspended, fined and prosecuted for unauthorised access on posters to remind its staff of the seriousness of the offence and to act as a deterrent.

2.78 In addition, TIGTA has a review function that is performed by its Office of Audit and Office of Inspections & Evaluations. Such reviews are designed to promote efficiency and effectiveness in the administration of the US revenue system and sometimes touch on integrity issues. For example, in the past five years TIGTA has reviewed topics such as the hiring of former employees130, the controls over outside employment131, and the violation of tax laws by IRS employees132.

United Kingdom

2.79 Her Majesty’s Revenue and Customs (HMRC) adopts a range of measures to manage the risk of internal fraud. These include preventative measures, such as vetting processes and detection activities which monitor suspicious use of information technology (IT) systems.

2.80 A prospective employee is subject to a vetting process that is similar to that adopted in Australia. At a minimum, the prospective employee must undergo a Baseline Personnel Security Standard pre-engagement check which involves an identity check, a nationality check, employment history verification for the past three years and a criminal record check for unspent convictions.133 An applicant for a higher risk position will need to obtain a security clearance, of which there are three levels, in addition to the Baseline pre-engagement check. Unlike the latter check, which is only performed once upon entry into HMRC, security clearances are subject to a review process every 7 to 10 years, depending on the security clearance level. Clearance holders are also required to report any relevant changes in their circumstances.134

2.81 HMRC’s two primary methods for detecting internal fraud are referrals, which can be made by employees, managers or other government agencies, and proactive risk profiling activities, such as data mining practices which incorporate the logging and analysis of its staff’s keystrokes to detect suspicious activity. A proportion of HMRC’s internal investigations also originate from its risk profiling activities.135 HMRC has indicated that it constantly seeks opportunities to further improve its detection mechanisms. In its most recent Internal Fraud and Corruption Strategy document, HMRC indicated that it will be adopting a ‘test and learn’ based approach with the aim of making its data mining practices more flexible in dealing with emerging risk areas.136

2.82 In relation to managing conflicts of interest, HMRC currently relies on employees’ self-disclosures. However, HMRC is testing a pilot that seeks to match such self-disclosures with information regarding employees’ and their family’s shareholdings and directorships.137 This information would assist to identify potential conflicts of interest and prevent actual conflicts from arising.

2.83 If HMRC detects a potential integrity issue with an employee, or decides to investigate an allegation about an employee, the matter is referred to Internal Governance, an area within HMRC’s Fraud Investigation Service Unit responsible for managing internal fraud. The matter is either examined by the Internal Governance area’s civil investigative team, which typically actions between 300 and 350 cases per year, or the Internal Governance area’s criminal investigative team, for more serious matters. Officers in the criminal investigative team are law enforcement officers who have the power to apply for search warrants and make arrests. Approximately 25 cases are referred each year to the Crown Prosecution Service by this team.138 If the prosecution results in a successful conviction, the details of the investigation are published on HMRC’s intranet as a deterrent, including the name of the offender, the nature of the offence and the length of the sentence.139

2.84 The outcomes of investigations are also used by HMRC as part of its overall fraud management strategy to drive its ‘upstream’ prevention and detection activities. For example, investigative outcomes are used to design specific educational and communication packages with the aim of providing HMRC employees with fraud and ethics training that is both relevant and practical. Investigative outcomes are also used to inform HMRC’s key risk areas with the aim of ensuring that its detection activities remain up-to-date and responsive.140

New Zealand

2.85 In October 2015, New Zealand’s revenue authority, the Inland Revenue Department (IRD), introduced a new fraud and corruption control policy and framework which involved the creation of a fraud risk register.141 The register is aimed at ensuring that the organisation maintains a holistic, up-to-date understanding of its risk profile and adopts a differentiated approach to account for the variance in risk in each of the organisation’s business groups.

2.86 All prospective IRD employees, at a minimum, undergo a pre-employment suitability check to examine the candidate’s criminal history and their compliance with tax, student loan and child support obligations. If the role is in a sensitive area with higher risk, the applicant will also be subject to a more comprehensive vetting process to obtain one of the three levels of security clearances. Security clearances are reviewed every five years and when a significant change in circumstances is reported to ensure currency.142

2.87 After the prospective employee has passed all of the relevant checks and joins the IRD, they will undergo an induction process with their manager. On the first day, the manager is required to have a discussion with the new starter about the IRD’s culture and values and go through the IRD’s Code of Conduct. A signed form acknowledging that this has occurred must be filled out and attached to the new starter’s personnel files. If relevant, a conflict of interest disclosure will also need to be submitted. During the first week, the new starter must complete online training packages on the IRD’s Code of Conduct, security awareness and unauthorised access. After these have been completed, the manager is required to discuss the training with the new starter with the aim of ensuring that the new starter has a proper understanding of the content of the modules and allowing the manager to provide some context on how the content applies specifically to the new starter’s role.143

2.88 Due to the relatively small size of the organisation and the geographical proximity of its offices, scheduled and ad hoc fraud training throughout the year can be presented face-to-face by members of the IRD’s Integrity Assurance team. The IRD sees this type of fraud awareness training as having a greater impact on employee behaviour when compared with online learning, which, in the IRD’s experience, can be treated as a ‘tick-and-flick’ exercise. Furthermore, the training provides IRD employees with an opportunity to interact directly with the Integrity Assurance team. Establishing this kind of rapport is aimed at creating a sense of trust and familiarity which may give the employee greater confidence to report fraud should the need arise.144

2.89 The IRD’s internal controls impose an annual requirement for senior officers to disclose financial assets that they or their family possess.145 These controls have the aim of preventing the IRD’s decision makers from being inappropriately influenced by their interests and relationships and are further supplemented by segregation of duties. For example, as senior officers in the IRD do not typically have any direct interest or involvement in audit cases, it makes it more difficult for taxpayers or their representatives to use their relationships with senior officers to inappropriately influence decision-making. If a taxpayer were to contact an IRD senior officer directly about a particular audit and request intervention, the expected behaviour would be for the senior officer to decline and refer the matter to the complaint management service, being the appropriate channel for the investigation of such concerns.146

2.90 Furthermore, IRD senior managers with high decision-making power would typically not be able to access individual taxpayer data.147 Those intending to access data would likely need to give instructions to subordinate staff to perform access by proxy. In such a situation, it would be expected that the employee report the matter if they suspect any impropriety, as the IRD’s focus on fraud awareness and training is aimed at making its employees more comfortable with reporting improper conduct.148

2.91 The investigation of employee misconduct within the IRD is undertaken internally by its Integrity Assurance team. The majority of these investigations stem from reports from its own staff while proactive detection measures play a comparatively small role. The typical methods for IRD staff to report improper conduct are an online form and a referral hotline. The IRD also has a separate intranet report option for staff which allows for anonymous referrals; however, usage of this option is low when compared to the other channels.149

2.92 It should be noted that there are regular meetings between the IRD’s Integrity Assurance manager and the Commissioner’s Executive Advisors on internal fraud risks as well as regular briefings and reports to the Deputy Commissioner.150


Canada

2.93 Similar to the models in the other jurisdictions above, all prospective Canada Revenue Agency (CRA) employees must undergo personnel security screening before they are permitted to work for the organisation, with higher risk positions requiring more stringent checks. At a minimum, CRA employees are required to obtain a ‘reliability status’ clearance which involves the verification of their identity, background and credentials, mandatory fingerprinting, a credit check, and a criminal record check. Some employees may also require a security clearance at the secret or top secret level, requiring both a security assessment and an assessment of loyalty to Canada undertaken by the Canadian Security Intelligence Service. A security screening is deemed effective after the employee has signed a security briefing certificate. This certificate specifies the security requirements attached to the granted level of screening and signifies that the employee understands and agrees to abide by those requirements.151

2.94 Once an employee has been deemed suitable for employment and hired, they must comply with a number of obligations upon initial hire. Firstly, they are required to sign an Oath or Affirmation in relation to secrecy. The CRA considers any information which is acquired in consequence of employment by the CRA, that is not publicly available, to be protected information. The disclosure of such information at any time will constitute a breach of either the Income Tax Act152 or the Excise Act153 and may result in criminal sanctions.154 Furthermore, employees are required to review the CRA Code of Integrity and Professional Conduct,155 the Values and Ethics Code for the Public Sector,156 and the Directive on Conflict of Interest, Gifts and Hospitality, and Post-employment.157 These documents are considered part of the conditions of employment and must be reviewed by CRA officers annually and whenever the employees change roles within the CRA.158

2.95 Specific obligations in relation to preventing, identifying, disclosing and managing conflicts of interest are outlined in the conflicts of interest directive. One such obligation requires employees to disclose private interests and outside activities in a confidential disclosure form within 60 working days of initial appointment. The definition of private interest is comprehensive and includes investments, interests in partnerships and companies, rental properties and commodities. The definition of outside activities is similarly comprehensive and includes all paid or unpaid employment, membership on a board of directors, and public speaking engagements. Any changes to an employee’s private interests and outside activities which occur during the period of employment must also be disclosed, even if the change occurs during periods of leave, with or without pay. In addition, the directive also requires CRA employees to disclose all offers or acceptance of prohibited and reportable gifts.159

2.96 When a CRA employee makes a disclosure under the directive, the information is submitted to a delegated manager at the director level or higher. The delegated manager is responsible for reviewing the submission in accordance with the criteria outlined in the directive. If a real, apparent or potential conflict of interest is found to exist, the delegated manager may consider appropriate measures such as the restriction, removal or reassignment of specific duties, directing the employee to cease, curtail or modify the outside activity, and/or directing the employee to relinquish, divest, or make other arrangements to manage the private interest. The employee would then be required to carry out the measures within 120 days of his or her initial appointment or change in circumstances.160

2.97 If a CRA employee observes that a fellow employee has engaged in behaviour that is contrary to the obligations in the conflict of interest directive, or any other form of misconduct, the employee is obliged to report the matter. The misconduct can be reported directly to the CRA’s Internal Affairs and Fraud Control Division for investigation, to the observing employee’s manager who may then refer the matter on to the Internal Affairs and Fraud Control Division, or to the CRA’s anonymous internal fraud and misuse reporting line which is operated by a third party.161 Statistics provided by the CRA indicate that the lowest source of internal investigations was the anonymous tip line whilst the highest source of investigations was referrals from management.162 The CRA also commences investigations into misconduct that it detects on a proactive basis. The unauthorised access of taxpayer data, for example, is something which can be automatically detected on the CRA’s Enterprise IT systems.163

2.98 In addition to the internal controls outlined previously, the conflict of interest directive also imposes rigorous post-employment rules on employees who are leaving the organisation to manage the risk of potentially preferential treatment, inappropriate disclosure of CRA information, and other conflict of interest situations. The context for these controls is the increased recruitment of the CRA’s senior officers since 2010 by private sector firms such as the Big Four accounting firms. This has been an issue which has been reported in newspapers164 and discussed in the House of Commons165 and is a major concern for the CRA.

2.99 Any CRA employee who has accepted an offer of outside employment, including self-employment, must make a disclosure. Such disclosure may lead to them being assigned to other duties and responsibilities for the remainder of their employment. Members of the CRA’s executive group are subject to an additional requirement to lodge a confidential disclosure form whenever they receive any firm offer of outside employment.166

2.100 Furthermore, after an employee has left the CRA, they are not permitted to act for, or on behalf of any taxpayer in relation to any ongoing matter in which they had been involved while still employed at the CRA. The directive also specifically prohibits former employees from contacting current CRA employees in any manner that could be perceived as seeking preferential treatment or privileged access.167 The directive also prohibits current employees from dealing with any former employee unless the delegated manager has been advised and approval has been granted.168

2.101 Once an employee leaves the CRA, they are prohibited from accepting employment from any entity outside the public service if they had official dealings with them during the one year immediately prior to termination. Furthermore, during this period, the former employee is prohibited from dealing with the CRA as a representative of any entity if they had any official dealings with the entity during the one year immediately prior to termination. The former employee is also required to disclose to the CRA’s Senior Officer for Post-employment any offer or acceptance of employment during the limitation period.169

2.102 In order to manage the risk of former employees disclosing the CRA’s risk thresholds and other strategically important information to private sector firms, it is the CRA’s standard practice to provide a reminder letter to all departing employees, outlining their ongoing obligation and the restrictions that apply.170

