Fraud and Corruption Control

Tabled: 29 March 2018

Overview

The community expects—and the law requires—that public sector employees act with integrity, accountability, impartiality, fairness, equity and consistency, and in the public interest.

Fraud and corruption can undermine trust in government, damage the reputation of the public sector, and waste public resources. Fraud is dishonest activity involving deception that causes actual or potential financial loss. Corruption is dishonest activity in which an employee acts against the interests of their employer and abuses their position to achieve personal gain or advantage for themselves or for others.

In this audit we examined the Melbourne Metro Rail Authority (MMRA), Public Transport Victoria (PTV) and the now defunct Major Projects Victoria (MPV), as examples of an administrative office, a statutory authority, and a business unit under the auspices of the Department of Economic Development, Jobs, Transport and Resources (DEDJTR).

We assessed whether their fraud and corruption controls were well designed and operating as intended.

We also assessed whether PTV took sufficient, appropriate and timely action to address issues identified by the Independent Broad-based Anti-corruption Commission’s Operation Fitzroy October 2014.

We made 11 recommendations for DEDJTR, and we made six further recommendations for PTV. All recommendations have been accepted.

Back to top

Transmittal letter

Ordered to be published

VICTORIAN GOVERNMENT PRINTER March 2018

PP No 385, Session 2014–18

The Hon. Bruce Atkinson MLC
President
Legislative Council
Parliament House
Melbourne
 
The Hon Colin Brooks MP
Speaker
Legislative Assembly
Parliament House
Melbourne
 

Dear Presiding Officers

Under the provisions of section 16AB of the Audit Act 1994, I transmit my report Fraud and Corruption Control.

Yours faithfully

Signature of the Auditor-General.png

Andrew Greaves 
Auditor-General

29 March 2018

Back to top

Acronyms

ABN Australian Business Number
CMS Contract management system
CSR Construction Supplier Register
DEDJTR Department of Economic Development, Jobs, Transport and Resources
DSDBI Department of State Development, Business and Innovation
IBAC Independent Broad-based Anti-corruption Commission
MMRA Melbourne Metro Rail Authority
MPV Major Projects Victoria
MTIP Major Transport Infrastructure Program
PTV Public Transport Victoria
SPC State Purchase Contracts
VAGO Victorian Auditor-General's Office
VGPB Victorian Government Purchasing Board
VPSC Victorian Public Sector Commission
VSB Victorian Secretaries' Board

Back to top

Audit overview

The community expects—and the law requires—that public sector employees act with integrity, accountability, impartiality, fairness, equity and consistency, and in the public interest.

Fraud and corruption can undermine trust in government, damage the reputation of the public sector, and waste public resources. Fraud is dishonest activity involving deception that causes actual or potential financial loss. Corruption is dishonest activity in which an employee acts against the interests of their employer and abuses their position to achieve personal gain or advantage for themselves or others.

The Independent Broad-based Anti-corruption Commission (IBAC) has exposed instances of corruption in the Victorian public sector. In response, the Secretaries of all Victorian government departments committed to improving integrity.

In this audit, we examined the Melbourne Metro Rail Authority (MMRA), Public Transport Victoria (PTV) and the now defunct Major Projects Victoria (MPV), as examples of an administrative office, a statutory authority, and a business unit of the Department of Economic Development, Jobs, Transport and Resources (DEDJTR). The nature of MPV, MMRA and PTV's operations, including high levels of procurement activity and close ties to the private sector—which can operate differently to the public sector—serve to elevate the risk of fraud and corruption.

We assessed whether their fraud and corruption controls were well designed and operating as intended. DEDJTR designed and operated some of these controls for the whole department, while MMRA and MPV implemented other controls at the administrative office or business unit level. We also assessed whether PTV took sufficient, appropriate and timely action to address issues identified by IBAC's Operation Fitzroy October 2014 (Operation Fitzroy).

At MPV, MMRA and PTV we focused on fraud and corruption detection, prevention and response activities, particularly for the high-risk areas of procurement and human resources. We also assessed the DEDJTR Integrity Services Unit's oversight role and coordination of some relevant integrity processes for MPV and MMRA. The period of review for this audit was January 2015 to April 2017, when MPV ceased operations.

Conclusion

While senior executives are endeavouring to build the right culture, more remains to be done to prioritise fraud and corruption control, and to ensure that the fraud and corruption controls in place operate as intended.

Unduly protracted delays to finalise and approve Fraud and Corruption Control Policies and Plans, areas of noncompliance with policies, and inadequate record keeping are undermining management's efforts. They also serve to lessen assurance that major fraud and corruption cannot occur, or will be detected.

PTV was subject to public hearings as part of IBAC's Operation Fitzroy and agreed to address the issues identified by that investigation. PTV made considerable progress in implementing many of these initiatives, however in some cases implementation was slow, or did not occur, as PTV elected over time to take alternative action. Gaps remain in certain areas, meaning work is still required to further reduce the risk of fraud and corruption.

Findings

Fraud and corruption control framework

The Standing Directions of the Minister for Finance 2016 (Standing Directions) under the Financial Management Act 1994 require DEDJTR and PTV to take all reasonable steps to manage fraud and corruption risks. This includes developing a Fraud, Corruption and Other Losses management and prevention policy (Fraud, Corruption and Other Losses Policy) that details prevention, detection and response activities. The Australian Standard 8001—2008 Fraud and Corruption Control (Australian Standard) also recommends a Fraud and Corruption Control Plan be developed. An effective fraud and corruption control framework will also increase staff awareness and focus internal audits on vulnerable areas.

Fraud and Corruption Control Policies and Plans

A Fraud, Corruption and Other Losses Policy has been mandatory for agencies since 1 July 2017. DEDJTR only recently finalised its Fraud, Corruption and Other Losses Policy and Fraud and Corruption Control Plan. DEDJTR's policy and plan had been in draft form since October 2015, and while they were reviewed and revised during this time and reflect some controls already in place, they were only approved in late February 2018.

While DEDJTR's policy and plan was in draft form, MPV and MMRA developed their own plans, which they intended would also incorporate the requirements of a Fraud, Corruption and Other Losses Policy. MPV's plan also remained in draft form and was incomplete, as it did not include response procedures.

PTV developed a Fraud and Corruption Control Plan, which incorporated the requirements of a Fraud, Corruption and Other Losses Policy in accordance with the Standing Directions.

MPV, MMRA and PTV all conducted fraud and corruption risk assessments when developing their Fraud and Corruption Control Plans. However, in a small number of instances (three for MPV, one for MMRA and one for PTV) they identified a risk in their assessment but did not detail it or any associated controls in their Fraud and Corruption Control Plan. PTV was controlling for this risk in practice, however including it in its plan would make the plan stronger by detailing how PTV is mitigating risks specific to its operating environment.

Staff training and awareness

IBAC has repeatedly highlighted the need to develop a culture of integrity and notes that public sector officers are 'best placed' to identify and report corruption.

MMRA and PTV provided integrity training to their staff, while MPV as a business unit, received integrity training from the DEDJTR Integrity Services Unit.

From our work within MPV, we identified that DEDJTR more broadly was not taking sufficient steps to ensure that all of its staff know how to identify and respond to fraud and corruption.

For example, DEDJTR does not consistently maintain records of attendance at integrity training. There is no record to demonstrate, or readily check, that all staff in positions exposed to high risks of fraud and corruption have received integrity training.

While the DEDJTR Integrity Services Unit maintains records of completion of online integrity modules, these modules are mandatory only for new starters in DEDJTR.

MPV, MMRA and PTV all delivered training that provides a general awareness of fraud and corruption and how staff should respond to suspected incidents, as recommended by the Australian Standard. All made this training compulsory, however, only MMRA and PTV maintained records of attendance to track compliance with this requirement.

DEDJTR and PTV provide information to staff on the Protected Disclosure Act 2012 (which provides critical protections to individuals reporting improper conduct) during induction sessions and integrity training. They also have dedicated intranet pages, which guide staff about making a protected disclosure.

However, the effectiveness of this has been called into question by the results of the Victorian Public Sector Commission (VPSC) People Matter Survey. In 2017 only 27 per cent of DEDJTR staff who responded, reported that DEDJTR had promoted the Protected Disclosure Act 2012. This compares with 29 per cent of DEDJTR respondents to the 2016 VPSC survey and 48 per cent of PTV respondents.

Internal audits

Under the Standing Directions, internal audit plans must include audits of business processes or units likely to be vulnerable to fraud, corruption and other losses.

MMRA and PTV's internal audit functions have provided appropriate coverage of fraud and corruption risks, with almost half of their audit activity in 2016–17 focusing on potentially vulnerable areas.

As a business unit within DEDJTR, MPV was subject to DEDJTR's internal audit program. We observed that the level of internal audit activity within MPV in 2016–17 was significantly lower than in MMRA and PTV. Following the government's decision to merge MPV and create a new statutory authority, DEDJTR advised us that it did not consider MPV a high-risk area warranting internal audit activity.

These management judgements and resource allocation decisions about MPV were made against a background of significant organisational change. In our opinion, this change would only have increased the risks inherent in a business unit that was continuing to manage large procurements, working closely with the private sector and maintaining processes that were separate to those of its department, DEDJTR.

Human resource practices providing fraud and corruption controls

Human resource practices that contribute to fraud and corruption controls include screening potential employees, and having processes to manage conflict of interest and offers of gifts, benefits and hospitality.

Such practices enhance transparency, facilitate external scrutiny and reinforce an integrity culture. As an administrative office and statutory authority respectively, MMRA and PTV have their own human resources functions. MPV, as a business unit received this service through DEDJTR.

Employment screening

Employers conduct employment screening to identify potential integrity concerns, and associated fraud and corruption risks, when hiring or promoting staff.

MMRA, PTV and DEDJTR's Human Resource functions are not fully implementing employment screening policies and procedures. Our testing highlighted deficiencies, including the failure to complete and document police checks, reference checks and qualification checks—or to respond appropriately when checks highlight anomalies. The DEDJTR Integrity Services Unit initiated an audit into DEDJTR's employment screening practices, which confirmed our findings. The audit has been finalised and all the internal audit's recommendations have been accepted.

The Victorian Public Sector Code of Conduct and the declaration of private interests process require certain staff to self-declare criminal activity. Aside from these obligations there are currently no processes that identify existing staff who commit a criminal offence and do not self-declare. There are also no processes to identify existing staff who do not hold a required qualification.

Conflict of interest

Public officers have a conflict of interest if they have a private interest that could improperly influence, or be seen to influence, their decisions or actions in the performance of their public duties. Employees in certain positions must outline their private interests to agencies through an annual declaration of private interest process. In response, action plans must be developed and monitored to manage potential conflicts of interest.

We identified deficiencies in conflict of interest processes, specifically in the management of conflicts and potential conflicts. We identified instances where individuals had declared conflicts, but these conflicts were not actively managed, and action plans were not enforced.

PTV and DEDJTR, incorporating MPV and MMRA, maintain conflict of interest registers. In some instances data within these registers were poor, which could limit the ability of managers to monitor declared interests and enforce action plans.

MMRA, PTV and DEDJTR Human Resources functions were not consistently using declarations of conflicts of interest during recruitment processes to guard against hiring based on factors other than merit, as required by VPSC guidance endorsed by the Victorian Secretaries' Board (VSB). This left them open to risks of fraud and corruption when hiring.

Gifts, benefits and hospitality

VPSC requires agencies to develop policies governing how their staff should respond to offers of gifts, benefits and hospitality to ensure they remain impartial when making decisions. Public sector staff must not accept gifts, benefits and hospitality from current or potential suppliers. MPV, MMRA and PTV all maintained gifts, benefits and hospitality registers and DEDJTR maintained a central register, which incorporated MPV and MMRA.

Gifts, benefits and hospitality policies were in place, however, these policies were not always operating as intended, and therefore not providing the protections they should.

Of particular concern were the high proportion of gifts, benefits and hospitality accepted by MPV staff from their suppliers with the endorsement of MPV management. Of the total offers accepted by MPV staff, 74 (46 per cent) were from suppliers.

The DEDJTR Integrity Services Unit oversaw MPV's gifts, benefits and hospitality processes and did not provide any evidence of action to remedy this situation, despite knowing of these practices. DEDJTR has advised that it has strengthened its processes in relation to gifts, benefits and hospitality over the past few months.

Fraud and corruption control in procurement practices

Procurement is a high-risk activity for fraud and corruption requiring strong controls. Controls should include a well-designed procurement framework and processes to manage conflicts of interest in procurement activity. To prevent and detect fraud and corruption, there must be vetting of potential suppliers and monitoring of procurement data.

Procurement framework

The strength of procurement frameworks for controlling fraud and corruption varied across MPV, MMRA and PTV.

MMRA has a procurement framework with strong controls for fraud and corruption. MPV's procurement controls had significant weaknesses such as poor conflict of interest processes during procurements and a lack of appropriate procurement monitoring. This was concerning given MPV's status at the time as the Victorian Government's specialist project delivery agency.

PTV has made progress in improving its procurement controls after Operation Fitzroy, but in some instances, these improvements occurred slowly or PTV implemented them inconsistently. In particular, PTV's procurements under $25 000 are not subject to conflict of interest controls, or central monitoring of spend. This lack of oversight, means that PTV is more vulnerable to fraud and corruption for these lower value transactions.

Supplier vetting

At the time of the audit, MPV, MMRA and PTV had not developed or consistently implemented guidelines to vet suppliers. We acknowledge the varying levels of use of suppliers on the Construction Supplier Register (CSR) and State Purchase Contracts (SPC), where suppliers are subject to whole of government vetting checks. DEDJTR estimates that up to 95 per cent of MPV's procurement was done through the CSR or SPC.

MPV, MMRA and PTV's Fraud and Corruption Control Plans all listed activities that could make up a program to vet suppliers. However, MPV, MMRA and PTV had not implemented supplier vetting guidelines that outlined which checks they would conduct beyond simple Australian Business Number (ABN) checks. This gap means they were missing a basic opportunity to reduce fraud and corruption risks associated with procurements involving third parties.

Conflict of interest processes in procurement

MPV staff only completed a conflict of interest declaration for each project they worked on, which could span a number of years and include multiple procurement activities. This practice did not comply with DEDJTR's procurement policy or VPSC guidance, which requires a separate declaration specific to every procurement and vendor.

MMRA has strong documented conflict of interest controls, which apply to all officers involved in any procurement over $2 000.

We found instances of noncompliance with conflict of interest management plans at both MPV and MMRA, demonstrating that even when employees declared relationships, senior management did not effectively manage these conflicts.

For example, we found one instance where an executive endorsed the decision to award a $3.9 million contract to a supplier for whom they had previously worked and in which they held shares. The executive had previously declared this conflict but the management plan was not enforced.

There has been a clear improvement in compliance under PTV's new procurement framework. PTV has demonstrated full compliance with conflict of interest controls for procurements under their new framework since March 2017. PTV could only produce four of eight conflict of interest forms for procurements tested under their old framework.

Monitoring fraud and corruption indicators

Monitoring procurement activity helps detect fraud and corruption. A strong monitoring and reporting program can also deter potential perpetrators of fraud and corruption, as it increases the chance of detecting irregular and inappropriate activity.

MPV, MMRA and PTV all had weaknesses in their monitoring and reporting of fraud and corruption indicators associated with procurement.

They provided evidence that they monitored and reported to their executive on generic procurement trends to varying degrees. However, monitoring activities for fraud and corruption indicators were less consistent, with MPV and MMRA unable to provide any evidence of such monitoring.

DEDJTR is developing a data analytics program, which is currently being trialled by MMRA. When fully implemented, this program will significantly improve reporting capacity.

PTV had reported on fraud and corruption indicators in procurement, although poor data quality in the contract management system (CMS), and PTV's inability to retain skilled data analytics staff, resulted in unreliable data and inconsistent monitoring. PTV does not currently monitor procurements worth less than $25 000, placing such procurements at a higher risk of fraud and corruption.

Response to fraud and corruption

To maintain public trust, the public sector must respond actively to instances of suspected fraud and corruption. Keeping records, including action taken in response to incidents, is a mandatory legislative requirement under the Standing Directions.

Better practice outlined in the Australian Standard recommends that an entity maintain a fraud and corruption register. Legislated external reporting to integrity agencies such as IBAC and the Victorian Auditor-General's Office (VAGO) provides a level of external scrutiny and enables systemic analysis. The Australian Standard recommends establishing a response team to coordinate activities. After fraud and corruption has occurred, entities should take steps to recover public funds and property that have been lost.

Fraud and corruption registers and response teams

MMRA and PTV both maintain detailed registers that outline how they have considered each alleged fraud and corruption incident and the action taken in response. As a business unit MPV was considered by DEDJTR's register.

The Integrity Services Unit at DEDJTR maintains a central register of integrity matters ranging from complaints to fraud and corruption allegations. However, the information is uncategorised, outdated and in some instances inaccurate, which limits this register's usefulness.

When reviewing the register, we were not able to consistently determine which entries related to fraud and corruption allegations, what action DEDJTR had taken and whether a financial loss had occurred.

MMRA and PTV have established response teams to coordinate response activities and recording, with appropriate senior representation. The DEDJTR Integrity Services Unit acts as the response team for DEDJTR as a whole and includes senior staff at the executive level.

Investigations

Internal investigations need to be timely, transparent, clearly documented and able to withstand external scrutiny. Poor investigations can diminish stakeholder confidence in an organisation's ability to effectively manage and respond to incidents of fraud and corruption.

DEDJTR decided to outsource investigations into fraud and corruption as it recognised that investigations required specialised resources and expertise. A sample of the investigations conducted by external contractors showed appropriately conducted investigations, which resulted in detailed investigation reports with key findings and recommendations.

We found investigations conducted by MMRA and PTV to be timely, thorough, well documented and conducted by suitably qualified external contractors where appropriate. MMRA and PTV also demonstrated how they had learned from the investigations and strengthened their controls.

MPV identified no instances of fraud and corruption, and hence conducted no investigations in 2014–15, 2015–16 and 2016–17.

Reporting

The Victorian government established IBAC in 2012 to identify, expose and investigate corruption. Under legislation, certain prescribed public sector body heads were required to notify IBAC of corrupt conduct, while others, including DEDJTR and PTV, had discretion to notify IBAC of such matters.

We identified one instance for PTV in 2013 and one instance for DEDJTR in 2016 where they did not report relevant matters to IBAC. At the time both had discretion over whether to report such matters.

Parliament strengthened the legislation in December 2016 to remove discretion and create a mandatory requirement for public sector agency heads to notify IBAC of suspected corruption. Parliament changed the legislation to ensure that all significant matters of corrupt conduct are brought to IBAC's attention.

Under the Standing Directions, agencies are now required to notify external parties, such as IBAC and VAGO, of incidents of significant or systemic fraud and corruption. DEDJTR has reported low levels of losses due to fraud and corruption under the Standing Directions. These low levels may be partly attributable to DEDJTR's treatment of missing assets. DEDJTR labels assets that cannot be located as 'disposed' in its accounts, without considering whether they were stolen. In response, DEDJTR has advised that it will ensure that policies and procedures for identifying and reporting lost assets include referring matters to the Integrity Services Unit to assess the possibility of fraud.

Recovery efforts following fraud and corruption

The Australian Standard recommends entities have a policy that considers recovering funds lost to fraud and corruption. Government entities should clearly document decisions on taking recovery action when public funds are lost to fraud and corruption, including decisions not to take action.

We identified examples where DEDJTR and PTV did not attempt to recover losses due to fraud and corruption, but did not document their decision-making process or rationale.

PTV did not document why it did not seek to recover significant funds lost due to fraud and corruption identified by Operation Fitzroy, estimated by IBAC to have involved $25 million of corrupted procurement, or a myki ticketing fraud in which PTV incurred losses of $4.8 million.

Following concerns identified by the former Department of State Development, Business and Innovation, DEDJTR found in 2015 that an organisation had obtained grant funding of more than $65 000 and was not able to demonstrate that it had provided the services for which the funding had been given. DEDJTR also found that the organisation had submitted documentation in support of the services, which was of questionable authenticity. DEDJTR also concluded that the organisation had demonstrated systemic noncompliance with a number of grant conditions. DEDJTR gave the organisation an opportunity to submit evidence of other services provided to acquit the funding already obtained, instead of seeking recovery.

In this matter, DEDJTR determined that it had not incurred any financial loss that required reporting under the Standing Directions. This position fails to account for DEDJTR's initial conclusion that it had paid more than $65 000 for services that could not be validated, and relies on the organisation's agreement to provide other services to the amount paid as detailed above. DEDJTR's handling of this matter failed to acknowledge the likelihood that fraud had occurred and consider fully the need to recover public funds.

There are complexities to potential recovery activity in some of the examples we considered. However, the failure to adequately document decision-making processes and rationales about public funds inhibits transparency.

PTV's response to Operation Fitzroy

Following IBAC's Operation Fitzroy, PTV committed to a broad range of reform initiatives, including:

  • developing new policies and procedures
  • appointing new specialist positions
  • procuring new systems
  • implementing an extensive program of fraud and corruption specific training.

PTV made significant progress in implementing its reform agenda to develop a Fraud and Corruption Control Plan, establish a response team and conduct an extensive fraud and corruption training program for staff. However, PTV implemented important procurement and financial control reforms slowly, with some still outstanding. Existing gaps in controls fail to reasonably minimise PTV's fraud and corruption risks.

Recommendations

We recommend that the Department of Economic Development, Jobs, Transport and Resources:

  1. fully implement its Fraud and Corruption Control Policy and Plan (see Section 2.3)
  2. identify all staff working in areas with the highest risk of fraud and corruption; and:
    • develop and implement a strategy to provide them with integrity training and
    • track completion of the training to ensure appropriate coverage and awareness (see Sections 2.4 and 2.5)
  3. work collaboratively with its agencies to support them in meeting Victorian Public Sector Commission requirements for conflict of interest practices in recruitment panels (see Section 3.4)
  4. through its Integrity Services Unit, continue to scrutinise declarations of private interest and related management plans and work collaboratively with its agencies to ensure consistency and active management of declared conflicts (see Section 3.3 and 3.4)
  5. through its Integrity Services Unit continue to scrutinise agency gifts, benefits and hospitality registers, and work collaboratively with agencies to proactively address noncompliance while working towards having a single register to improve oversight (see Section 3.5)
  6. develop and implement appropriate supplier vetting guidelines (see Section 4.3)
  7. work collaboratively with its agencies to develop appropriate fraud and corruption indicators and procurement reporting processes (see Section 4.5)
  8. formalise information sharing processes between its Integrity Services Unit and its agencies to facilitate appropriate feedback on integrity matters that are referred to agencies for action or information (see Section 5.4)
  9. ensure that it documents decision-making regarding efforts to recover losses due to fraud and corruption and collaboratively works with its agencies to support them to do the same (see Section 5.5)
  10. improve the reporting capacity of its Integrity Services Unit's integrity register to capture whether allegations are substantiated, losses are incurred and action taken, and ensure that the register captures all matters reported to it (see Section 5.2)
  11. finalise its review of the treatment of missing assets to ensure that there is consideration of whether losses are caused by fraud and corruption (see Section 5.4).

We recommend that Public Transport Victoria:

  1. finalise guidance for procurements of less than $25 000 (see Section 4.2)
  2. finalise and implement supplier vetting guidelines (see Section 4.3)
  3. improve scrutiny and reporting of procurements of less than $25 000 (see Section 4.5)
  4. perform regular and effective fraud and corruption lead indicator reporting with procurement data (see Section 4.5)
  5. document decision making regarding efforts to recover losses due to fraud and corruption (see Section 5.5)
  6. improve controls to detect and prevent over-expenditure on contracts, including processes to reconcile accounts payable and contract management system expenditure (see Appendix B).

Responses to recommendations

We have consulted with DEDJTR and PTV and we considered their views when reaching our audit conclusions. As required by section 16(3) of the Audit Act 1994, we gave a draft copy of this report to those agencies and asked for their submissions or comments. We also provided a copy of the report to the Department of Premier and Cabinet.

The following is a summary of those responses. The full responses are included in Appendix A.

DEDJTR noted it is deeply committed to developing and maintaining a strong integrity culture. DEDJTR accepted the recommendations, noting that the recommendations reflect activities already in progress and due for completion in 2018.

PTV noted its efforts since Operation Fitzroy to create an ethical culture that does not tolerate fraud and corruption. PTV advised that it will continue to endeavour to further improve its framework, processes and controls for managing fraud and corruption. PTV accepted the recommendations and stated it intends to address them all by September 2018.

Back to top

1 Audit context

The community entrusts public sector employees to make decisions that affect the lives and interests of all Victorians. They handle personal information, provide services and support, and manage, spend and account for public funds. The community expects—and the law requires—that they do this with integrity, accountability, impartiality, fairness, equity and consistency, and in the public interest.

Citizens need to have a level of trust and respect for their public institutions and the rule of law for society to function cohesively. The financial value of reported fraud and corruption in the Victorian public sector, including corruption exposed by IBAC, is minor relative to overall agency budgets. However, fraud and corruption can undermine trust in government and damage the reputation of the public sector. If left unchecked, it can affect the quality of services provided and can waste resources.

1.1 What are fraud and corruption?

Fraud is dishonest activity involving deception that causes actual or potential financial loss. Examples of fraud include:

  • theft of money or property
  • falsely claiming to hold qualifications
  • false invoicing for goods or services not delivered or inflating the value of goods and services
  • theft of intellectual property or confidential information
  • falsifying an entity's financial statements to obtain an improper or financial benefit
  • misuse of position to gain financial advantage.

Corruption is dishonest activity in which employees act against the interests of their employer and abuse their position to achieve personal gain or advantage for themselves or for others. Examples of corruption include:

  • payment or receipt of bribes
  • a serious conflict of interest that is not managed and may influence a decision
  • nepotism, where a person is appointed to a role because of their existing relationships rather than merit
  • manipulation of procurement processes to favour one tenderer over others
  • gifts or entertainment intended to achieve a specific outcome in breach of an agency's policies.

1.2 Losses resulting from fraud and corruption

It is difficult to measure total losses due to fraud and corruption. As well as financial losses, there are also indirect losses, including damage to the community's trust in government and losses to productivity. There are no precise figures, but in 2005 the Australian Institute of Criminology estimated that fraud cost the Australian economy $8.5 billion across the private and public sectors.

Under the Standing Directions, public sector agencies in Victoria are required to report to VAGO instances of fraud, corruption and other losses above $5 000 in cash and $50 000 in property. Reports made to VAGO for 2015–16 record about $19 million lost to fraud and corruption. However, these figures do not capture indirect losses, and any loss due to poor integrity is significant for public sector agencies and the communities they serve.

Figure 1A shows that IBAC investigations published between 2014 and 2017 revealed procurement and tendering processes totalling up to $275 million had been impacted by corruption. IBAC uncovered a further $2 million in improperly obtained personal benefits.

Many of the cases of fraud and corruption exposed by IBAC had gone undetected for some years.

Figure 1A
IBAC investigations: Approximate financial values of corruption

Date

Investigation name

Agency subject to investigation

Impact of corruption

April 2017

Operation Nepean

Department of Justice and Regulation

Impacted $1.6 million worth of payments

March 2017

Operation Liverpool

Department of Health and Human Services

Resulted in $101 000 of personal benefits being obtained

January 2017

Operation Dunham

Department of Education and Training

Impacted a project worth $127−240 million

October 2016

Operation Exmouth

Places Victoria

Impacted $8 million worth of payments

April 2016

Operation Ord

Department of Education and Training

Resulted in $1.9 million of personal benefits being obtained

October 2014

Operation Fitzroy

Former Department of Transport and PTV

Impacted $25 million worth of contracts

Source: VAGO based on information from IBAC.

1.3 Legislation and guidance

In Victoria, legislation and guidance material support public sector agencies to develop and implement fraud and corruption control frameworks, as Figure 1B outlines.

Figure 1B
Legislation and guidance for fraud and corruption control frameworks

Instrument

Requirements

Public Administration Act 2004

Mandatory compliance

Details Victorian public sector values and employment principles. Its purpose is to provide a framework for good governance and outline the responsibilities of departmental heads.

Code of Conduct for Victorian Public Sector Employees

Mandatory compliance

VPSC issues the Code of Conduct, which is binding for employees. It prescribes standards of required behaviour and includes provisions on:

  • complying with legislation, policies and lawful instructions
  • conflicts of interest
  • gifts and benefits
  • reporting unethical behaviour.

Standing Directions of the Minister for Finance 2016

Mandatory compliance

Sets the standards for financial management by Victorian Government agencies, and requires the responsible body to:

  • take all reasonable steps to minimise and manage the risk of fraud, corruption and other losses
  • establish a Fraud, Corruption and Other Losses Policy that is implemented across the agency
  • notify the responsible minister, the audit and risk committee, the portfolio department and VAGO of incidents of significant or systemic fraud and corruption
  • conduct internal audits of business processes or units likely to be vulnerable to fraud, corruption and other losses
  • safeguard resources and assets.

Instructions supporting the Standing Directions require agencies to develop policies and procedures that apply the minimum accountabilities set out in the VPSC Gifts, Benefits and Hospitality Policy Framework.

Protected Disclosure Act 2012 and Independent Broad-based Anti-corruption Commission Act 2011

Mandatory compliance

The purpose of the Protected Disclosure Act 2012 is to encourage and facilitate disclosures of improper conduct by public officers, public bodies and others, and to provide protections for people who make disclosures.

If a body can receive protected disclosures, it must have effective procedures to facilitate the making of disclosures, including notifications to IBAC.

Changes to the Independent Broad-based Anti-corruption Commission Act 2011 require that from 1 December 2016, all relevant principal officers of public sector bodies must notify IBAC of any matter they suspect on reasonable grounds involves corrupt conduct.

Australian Standard 8001—2008 Fraud and Corruption Control

Better practice guidance

Provides general guidance on controlling fraud and corruption by Standards Australia, a peak not-for-profit organisation, independent of government, which develops standards in Australia. This includes the development of a Fraud and Corruption Control Plan.

The Standing Directions and guidance issued by IBAC use the definitions outlined in the Australian Standard.

Source: VAGO.

Departmental Secretaries must ensure that their department's 'relevant public entities' meet legislative responsibilities. Under the Public Administration Act 2004, Secretaries are responsible for:

  • the general conduct and management of the functions and activities of the department and any administrative offices existing in relation to the department
  • working with and providing guidance to each relevant public entity on matters of public administration and governance.

1.4 Why this audit is important

IBAC's Operation Fitzroy investigation into the conduct of two officers of the former Department of Transport and PTV found that these officers and their associates corrupted $25 million worth of public contracts to benefit themselves. To minimise the waste of public funds and reassure the Victorian public of the public sector's integrity, it is important that public sector entities appropriately address weaknesses that increase the risk of fraud and corruption, including those identified by Operation Fitzroy.

1.5 Audited agencies and their responsibilities

DEDJTR

Government established DEDJTR in January 2015, and its responsibilities include transport and ports, investment attraction and facilitation, trade, innovation, regional development, small business, and key services to sectors including agriculture, the creative industries, resources and tourism. It employs over 3 000 people and operates from 96 sites across Melbourne and regional Victoria, and 22 international offices.

DEDJTR is the portfolio department for PTV. The Secretary of DEDJTR has responsibilities under the Public Administration Act 2004 for its portfolio agencies.

DEDJTR established an Integrity Services Unit in October 2015 to build its integrity capability, with specialist external resources providing supplementary skills when required. The unit is responsible for implementing the DEDJTR Integrity Framework, which applies to all DEDJTR employees in administrative areas, and to agencies for whom the Secretary is the employer. The unit is also responsible for developing and maintaining policies and systems that directly support integrity. Staff from the unit also sit on panels that act as an escalation point for certain integrity policies, and report to the Secretary and the audit, risk and integrity committee on systems that support integrity. Responsibilities of the Integrity Services Unit include:

  • managing gifts, benefits and hospitality processes
  • managing protected disclosures
  • managing a declarations of private interest process
  • drafting the Fraud and Corruption Control Plan
  • implementing the Integrity Framework
  • developing data analytics capability.

The Australian Standard recommends that entities complete data mining and real-time computer system analysis to detect potential instances of fraud and corruption. DEDJTR's Integrity Framework states that the DEDJTR Integrity Services Unit will develop and maintain a data analytics program.

MPV

MPV was the Victorian Government's in-house project delivery agency, and was a business unit in DEDJTR. It provided project delivery services and advice to Victorian Government departments. MPV ceased operating on 1 April 2017 following a merger with Places Victoria to form Development Victoria, which is a statutory authority within the DEDJTR portfolio.

MMRA

MMRA's objective is to deliver the $10.9 billion Metro Tunnel by 2026. MMRA is responsible for all aspects of the project, including planning and development, site investigations, stakeholder engagement, planning approvals and procurement, construction and project commissioning. MMRA is an administrative office within DEDJTR. The Coordinator-General sits within DEDJTR and has responsibility for overseeing the Major Transport Infrastructure Program (MTIP), of which MMRA is part.

PTV

Government established PTV in 2012 to plan, coordinate, operate and maintain Victoria's public transport system. PTV is a statutory authority in the DEDJTR portfolio. Following changes to the Transport Integration Act 2010, government disbanded the PTV board in April 2017 and transferred management powers to the PTV chief executive officer.

1.6 What this audit examined and how

This audit examined whether MMRA and PTV have, and MPV did have, well‑designed fraud and corruption controls that operate as intended.

We considered the role of the DEDJTR Integrity Services Unit in overseeing and supporting the practices outlined in DEDJTR's Integrity Framework, while testing the practices in MPV, MMRA and PTV. We also considered DEDJTR's role when performing certain functions, such as internal audit for MPV, reporting actual or suspected fraud, corruption or other losses, and safeguarding resources and assets under the Standing Directions.

MMRA and MPV were included in this audit because their work involves high‑risk factors for fraud and corruption, including:

  • high levels of procurement
  • use of contractors
  • partnerships with the private sector.

PTV was included so we could assess whether it has taken sufficient, appropriate and timely action to address the issues identified by IBAC's Operation Fitzroy.

The Standing Directions and guidance issued by IBAC use definitions outlined in the Australian Standard. The Australian Standard outlines a suggested approach for entities to control for the risk of fraud and corruption. It describes key risk areas for fraud and corruption, and includes guidance for the development and implementation of a Fraud and Corruption Control Plan. The Australian Standard includes minimum acceptable standards for entities seeking to fully comply.

The Australian Standard divides activities into three main elements—prevent, detect and respond—as detailed in Figure 1C.

Figure 1C
Fraud and corruption control activities

Diagram showing the overlapping fraud and corruption control activities - prevention, detection and response

Source: VAGO.

We assessed the effectiveness of the controls at the audited agencies across these three elements, with a focus on two high-risk areas—procurement and human resources.

Our areas of focus considered legislative obligations, better practice outlined in the Australian Standard, and guidance from VPSC.

We conducted our audit in accordance with section 15 of the Audit Act 1994 and ASAE 3500 Performance Engagements. We complied with the independence and other relevant ethical requirements related to assurance engagements. The cost of this audit was $740 000.

1.7 Report structure

Figure 1D
Structure of this report and areas of focus in this audit

Structure

Audit focus

Activities and controls examined

Part 2

Fraud and corruption control framework

Risk assessment to inform Fraud and Corruption Control Plan

Fraud and Corruption Control Policies and Plans

Staff training in fraud and corruption risks

Staff awareness, including protected disclosures

Internal audits focus on areas vulnerable to fraud and corruption

Data analytics

Part 3

Fraud and corruption prevention and detection in human resources practices

Employment screening

Declarations of private interests

Recruitment panel members declare conflicts of interest

Management of gifts, benefits and hospitality

Part 4

Fraud and corruption prevention and detection in procurement practices

Procurement framework design

Supplier vetting

Conflict of interest processes in procurement

Monitoring fraud and corruption indicators in procurement

Part 5

Response to fraud and corruption

Fraud and corruption incident register and response teams

Investigations

Reporting

Recovery efforts following fraud and corruption

Source: VAGO.

Appendix B looks at whether PTV has taken sufficient, appropriate and timely action to address the issues identified by IBAC's Operation Fitzroy.

Back to top

2 Fraud and corruption control framework

To achieve better practice in managing fraud and corruption, the Australian Standard suggests that entities develop a framework that includes:

  • risk assessments to inform fraud and corruption controls
  • a Fraud and Corruption Control Plan outlining the entity's approach to controlling the risk of fraud and corruption, from prevention through to detection and recovery
  • training and other activities to develop staff awareness of fraud and corruption risks and how to respond.

The Standing Directions under the Financial Management Act 1994 require agencies to establish a Fraud, Corruption and Other Losses Policy, implemented across the agency.

We assessed whether fraud and corruption frameworks were in place to govern the activities of MPV, MMRA and PTV. We also considered if the frameworks were consistent with Standing Directions requirements and better practice principles set out in the Australian Standard.

2.1 Conclusion

MPV and MMRA would have been subject to DEDJTR's Fraud, Corruption and Other Losses Policy and Fraud and Corruption Control Plan as a business unit and administrative office. However, DEDJTR only finalised its policy and plan in late February 2018. DEDJTR's protracted delay in finalising and approving these documents meant it was not compliant with the Standing Directions under the Financial Management Act 1994, which required a policy to be in place from 1 July 2017, or better practice requirements of the Australian Standard.

Without a final approved DEDJTR policy and plan, MPV and MMRA developed their own Fraud and Corruption Control Plans. They intended these to also incorporate the elements of a Fraud, Corruption and Other Losses Policy, as required under the Standing Directions. PTV developed a Fraud and Corruption Control Plan compliant with the Australian Standard. This plan also included the requirements of a Fraud, Corruption and Other Losses Policy under the Standing Directions

DEDJTR can do more to assure itself that all of its staff know how to identify and respond to fraud and corruption. DEDJTR does not consistently maintain records of attendance at integrity training. There are limited records to demonstrate, or readily check, that all staff in positions exposed to high risks of fraud and corruption have received integrity training. While DEDJTR Integrity Services maintains records of completion of online integrity modules, these modules are mandatory only for new starters in DEDJTR.

In addition, DEDJTR staff are reporting poor promotion of the Protected Disclosure Act 2012, and DEDJTR's internal audit program has given insufficient attention to high-risk activities undertaken by MPV, including procurement. These gaps undermine messages from DEDJTR's leadership that preventing, detecting and responding to fraud and corruption is an organisational priority.

PTV provided extensive mandatory fraud and corruption training to its staff, and its internal audit activity has appropriately considered fraud and corruption risks.

2.2 Risk assessment

The Australian Standard recommends that entities complete a preliminary assessment of fraud and corruption risks to inform the development of a Fraud and Corruption Control Plan. This risk assessment should consider risks inherent in the entity's industry and core business and should help determine the scope of controls outlined in the plan.

We examined whether MPV, MMRA and PTV had conducted risk assessments to inform their Fraud and Corruption Control Plans.

MPV

MPV conducted fraud and corruption risk assessments in early 2014 and December 2015. The 2015 assessment identified multiple risks and proposed steps for mitigation, but did not outline who was responsible for mitigating risks. There is little evidence to confirm how the mitigation strategies were considered or implemented. One undated document provided by DEDJTR listed the 12 risks identified and noted a number were complete and a number were estimated for completion in mid-2016. The risk assessment identified accounts payable fraud and poor contract management as high-priority risk areas. Proposed steps to mitigate these risks, included:

  • regular analysis of contract variations
  • exception reporting
  • computer-assisted techniques to identify procurement splitting (where contracts are split into parts of lesser value, so that certain controls do not apply) and instances where vendors were consistently engaged by the same project manager.

MPV's Fraud and Corruption Control Plan did not reference the identified risks of low-value procurement fraud, accounts payable fraud and the manipulation of project management data. The plan also did not include the mitigation controls suggested by the risk assessment.

We note that a large number of the recommendations made in the risk assessment referred to the use of data analytics, and we discuss DEDJTR's progress in implementing a data analytics program in Section 2.7. We also note that DEDJTR would have captured MPV in this program had it remained as a business unit in DEDJTR.

We identified concerns with the comprehensiveness of the risk assessment. MPV identified the risk of abuse of power as unlikely. The assessment identified staff accepting inappropriate gifts as an indication of the intent to corruptly influence. As detailed in Section 3.5, MPV staff accepted gifts, benefits and hospitality from suppliers. We confirmed that 46 per cent of accepted offers of gifts, benefits and hospitality came from contractors and vendors. MPV's mitigation strategy was running fraud and corruption awareness training to acquaint staff with the available avenues to report fraud and corruption, but as detailed in Section 3.5, it did not take sufficient action to avoid the general risks associated with public sector officers accepting offers from suppliers.

MMRA

MMRA's master risk register confirms that fraud and corruption risks have been considered and rated within the broader risk program. The register assigns identified risks to owners with detailed mitigation strategies and includes an implementation status.

MMRA has implemented the mitigation strategies suggested in the risk assessment. For example, the assessment identified the inappropriate access of information as a significant risk. A suggested strategy was conducting an internal cyber-security audit, which commenced in mid-2017.

MMRA's risk assessment reflects fraud and corruption risks that were not identified in the MPV or PTV risk registers, although they would be equally relevant—for example, 'kickbacks' for existing employees assisting candidates to secure roles at MMRA. However, this particular risk did not flow through to the Fraud and Corruption Control Plan and, as discussed in Section 3.4, MMRA was not controlling for this risk by using conflict of interest declarations for recruitment panel members.

PTV

PTV has conducted thorough fraud and corruption risk assessments. The assessments include detailed mitigation strategies and assign identified risks to owners. We noted one instance where an identified risk did not flow through to the Fraud and Corruption Control Plan. PTV identified cyber security threats as a high-level risk and detailed potential causes, consequences and controls, but did not reflect this in the Fraud and Corruption Control Plan.

Although PTV is managing the risk, including this information in the plan would make the plan stronger by detailing how PTV is mitigating risks specific to its operating environment.

2.3 Fraud and Corruption Control Policies and Plans

Under the Standing Directions, DEDJTR and PTV must establish a Fraud, Corruption and Other Losses Policy. The Australian Standard suggests the development of a Fraud and Corruption Control Plan that outlines an entity's approach to controlling fraud and corruption.

We assessed whether Fraud, Corruption and Other Losses Policies and Fraud and Corruption Control Plans compliant with the Standing Directions and consistent with the Australian Standard had been developed and implemented to support MPV, MMRA and PTV.

MPV and MMRA

As a business unit and administrative office, MPV and MMRA would have been subject to the policy and plan of their portfolio department, DEDJTR. DEDJTR only finalised its Fraud, Corruption and Other Losses Policy and Plan in 2018. The plan and policy had been in draft form since October 2015, and while they had been reviewed and revised during this time, they were not approved and finalised until late February 2018. As these documents were not finalised, DEDJTR did not have an agency-wide policy to prevent and manage fraud and corruption, and did not comply with the mandatory Standing Directions under the Financial Management Act 1994, which required a policy to be in place from 1 July 2017, or better practice under the Australian Standard.

Prior to the finalisation of the policy and plan, DEDJTR had reported that it relied on its 2015 Integrity Framework to give effect to its fraud and corruption control activities. The DEDJTR Integrity Framework is a valuable high-level document outlining a strategic approach for promoting a culture of integrity in DEDJTR and, as a new department, where it intended to direct its efforts to implement integrity structures, processes and resources. While the Integrity Framework is a positive indication of the culture that DEDJTR wants to develop, it does not provide the focus and detail of a Fraud, Corruption and Other Losses Policy or Fraud and Corruption Control Plan. As the Integrity Framework does not provide the necessary detail on preventing, detecting and responding to fraud and corruption, it is not compliant with the Standing Directions or consistent with the Australian Standard. The Integrity Framework describes a Fraud and Corruption Control Plan as a first line of defence and in October 2015 stated that DEDJTR was drafting such a plan.

During the course of this audit, the DEDJTR Integrity Services Unit acknowledged the delay in finalising its policy and plan. DEDJTR advised us, when the documents were in draft form, that it expected the finalised policy and plan would largely formalise controls that were already in place. However, DEDJTR is yet to fully implement certain controls, including a suite of due diligence policies and a data analytics program. DEDJTR has committed to finalising these controls in 2018.

The case studies in Figures 2A and 2B reflect the sophistication of fraud attempts faced by DEDJTR.

In March 2016, although unsuccessful, DEDJTR was subject to an attempted phishing attack seeking payment of $400 000. A year later, in April 2017, DEDJTR was subject to another phishing attack, this time successful.

Figure 2A
Case study: Attempted phishing scam in 2016

In March 2016, DEDJTR was subject to an attempted phishing attack that was successfully blocked. An external party sought payment of $400 000.

The scam took the form of an email from an executive officer seeking urgent payment of an invoice.

The request was feasible, based on the executive's business area, but a senior finance officer declined to process the request as the amount exceeded the executive's financial delegation and there was no purchase order.

DEDJTR investigated the matter and found that the email was from an external party using a 'masked' email address. DEDJTR also found that most of the information used to construct the invoice and emails to make them look plausible was available on DEDJTR or whole-of-government websites.

The attack was successfully blocked but DEDJTR reviewed and strengthened its controls after it concluded that it could have succeeded if:

  • the invoice had been for a less ambitious amount
  • the request was handled by an area where internal controls were not working as effectively
  • a purchase order had been created by a staff member feeling pressured, given the invoice appeared to have been sent by a senior officer
  • the purchase order process had been circumvented by requesting a credit card payment (for smaller amounts).

Source: VAGO based on DEDJTR information.

Figure 2B
Case study: Successful phishing scam in 2017

In April 2017, DEDJTR was the victim of a second phishing scam and made four payments totalling more than $294 000 to a bank account falsely represented as belonging to an existing supplier.

The existing supplier alerted DEDJTR that it had not received payment and that DEDJTR may have been the victim of a phishing scam.

DEDJTR contacted its bank and the bank recovered nearly $290 000. DEDJTR wrote‑off about $4 600. An employee did not comply with internal controls, and processed a request to change bank account details without first verifying the information provided.

In response to this incident, DEDJTR strengthened its controls. DEDJTR now requires vendors to complete a form and provide supporting documentation to change bank details. An authorised officer then reviews and assesses the request against publicly available information about the vendor.

A memorandum to the Secretary in July 2017 regarding this incident noted that DEDJTR's Fraud and Corruption Control Plan would be finalised in 'the coming weeks'. The plan was finalised in February 2018.

DEDJTR's internal audit function has reviewed the revised controls and is currently auditing their effectiveness given they have been in place for six months, which is a positive indicator of DEDJTR's efforts to manage ongoing phishing attempts.

Source: VAGO based on DEDJTR information.

IBAC has noted that leadership is key to creating an ethical culture and the 'tone from the top' is essential. These case studies highlight the importance of strengthening the culture and awareness of fraud and corruption risks. While DEDJTR's Integrity Framework is a positive step towards building and maintaining an integrity culture, a finalised Fraud, Corruption and Other Losses Policy and Fraud and Corruption Control Plan, which are communicated to staff, could have significantly reinforced these efforts at the time. Without a final approved DEDJTR policy and plan, MPV and MMRA developed their own Fraud and Corruption Control Plans.

MPV

MPV developed a Fraud and Corruption Control Plan but it remained in draft form. The DEDJTR Integrity Services Unit advised that MPV's director of governance and business was responsible for the plan, but this director left MPV in December 2016. MPV continued to operate until 31 March 2017.

The MPV draft Fraud and Corruption Control Plan did not reference key aspects that we would expect in a plan compliant with the Standing Directions and consistent with the Australian Standard, including:

  • policies or procedures to report fraud and corruption to external agencies
  • how matters would be investigated
  • internal reporting requirements.

MPV's failure to finalise and review its Fraud and Corruption Control Plan, and develop associated procedures, is concerning given it managed significant projects on behalf of the government.

MMRA

MMRA applied the Australian Standard by developing a Fraud and Corruption Control Plan. This was superseded in February 2017 by a plan that MTIP developed to cover all of its entities. This plan also meets the requirements of a Fraud, Corruption and Other Losses Policy under the Standing Directions

The MTIP plan references relevant internal policies and procedures, as well as external resources, including IBAC's Investigation Guide. The plan also highlights management's commitment to fraud and corruption control, with reference to mandatory annual fraud and corruption awareness training for all staff. MTIP tailored the plan to reflect its business context.

PTV

PTV developed a Fraud and Corruption Control Plan in September 2014, which is consistent with the Australian Standard and has been subject to regular reviews. This plan also meets the requirements of a Fraud, Corruption and Other Losses Policy under the Standing Directions. PTV also developed a separate and detailed Fraud and Corruption Response Procedure. Access to this procedure is restricted to safeguard PTV's investigative approach when responding to fraud and corruption. PTV's plan and response procedure demonstrate its commitment to this initiative after Operation Fitzroy.

Fraud and Corruption Control Plans

The Australian Standard provides a detailed template for use by entities and the plans we reviewed strongly align with this. The plans describe:

  • roles and responsibilities for the management of fraud and corruption in the agency
  • relationships with other agency procedures and policies
  • mechanisms for the communication and awareness of fraud and corruption
  • terms and definitions.

However, we found one significant example where the plans did not reflect the agencies' specific risks or practices—the MPV, MMRA and PTV plans all had identical sections for supplier vetting, copied directly from the Australian Standard. None had tailored this section to reflect their specific procurement environments, risks or actual practices. This raises the risk that there may not be adequate controls in this area—see Section 4.3 for further information.

2.4 Staff training

The Australian Standard suggests that entities train staff to be aware of fraud and corruption, and educate them on how to respond.

The Australian Standard notes that employees do not identify a significant proportion of fraud and corruption at an early stage because they are unable to recognise warning signs, are unsure how to report concerns or lack confidence in the available reporting systems. Various IBAC investigations have found that corrupt conduct went undetected for a number of years, highlighting the importance of training as a preventative activity.

We assessed the training provided to MPV, MMRA and PTV staff to determine whether it was consistent with recommendations in the Australian Standard.

MPV, MMRA and PTV

The MPV, MMRA and PTV training material is consistent with the Australian Standard. It includes:

  • definitions, costs and examples of fraud and corruption
  • IBAC's role and investigations
  • warning signs for fraud and corruption and internal controls
  • references to the Victorian Public Sector Code of Conduct and relevant policies
  • reference to the DEDJTR Integrity Framework
  • details on how to make a protected disclosure and use DEDJTR's 'report a concern' mechanism (an online portal that allows for anonymous reporting).

The training was mandatory for MPV, MMRA and PTV but only MMRA and PTV were able to provide records of attendance to confirm compliance.

The DEDJTR Integrity Services Unit provided training to MPV staff, which the Chief Executive Officer mandated. DEDJTR has advised that records of attendance were completed but they could not be located for the purposes of this audit. By not maintaining documentation, DEDJTR could not provide assurance that MPV staff had received sufficient information to respond effectively to fraud and corruption.

In response to Operation Fitzroy PTV committed to changing the culture and encouraged and equipped staff to identify, report and act on integrity matters. In the two years following the investigation, PTV ran an extensive mandatory training program on fraud and corruption risks, including specialised training for those involved with the management of contracts and procurements, and for members of the fraud and corruption control response team. PTV subsequently developed online training modules with a dedicated focus on fraud and corruption. PTV's ongoing training program reflects good practice and demonstrates PTV's commitment to fraud and corruption control.

DEDJTR Integrity Services Unit

The training material we reviewed is consistent with the Australian Standard. The material described vulnerable areas in DEDJTR, referenced relevant policies, provided opportunities for discussing integrity dilemmas and encouraged staff to contact the Integrity Services Unit if they had concerns.

Documentation provided by the DEDJTR Integrity Services Unit shows that its staff frequently conduct integrity training to raise awareness and education across DEDJTR. The DEDJTR Integrity Services Unit delivers three types of face‑to-face integrity training:

  • integrity conversations delivered to senior staff which consist of information sharing on key integrity matters
  • integrity training sessions which are scenario-based and engage participants in more formal learning
  • induction sessions.

In instances where business units requested the training, the business unit kept attendance records. The DEDJTR Integrity Services Unit has not consistently maintained records of staff who completed face-to-face training. As a result, DEDJTR cannot demonstrate or readily check that staff in positions exposed to high risks of fraud and corruption have received integrity training.

The DEDJTR Integrity Services Unit has introduced online integrity modules, which include a fraud and corruption component. DEDJTR has designed the modules for staff to complete each year. However, completion is mandatory only for new employees who are completing induction. DEDJTR has provided records that show 728 new staff completed the online modules as part of their induction program in 2016–17, and 34 managers have completed training since a manager's integrity toolkit was launched in late 2017.

DEDJTR can improve its preventative approach to fraud and corruption by ensuring wider reach of its training offerings, such as mandatory online modules, and recording staff completion of training to identify gaps.

2.5 Staff awareness, including protected disclosures

Fraud and corruption is secretive and difficult to detect. IBAC describes public sector employees as 'best placed' to identify suspicious conduct by their colleagues or concerns about external parties, such as contractors and suppliers. Public sector employees need to know how to report concerns and have confidence that their employer will protect them from any reprisals. Promotion of key integrity polices and processes, including the Protected Disclosure Act 2012, is vital. This increases the capacity of staff to detect and report possible instances of fraud and corruption.

We assessed VPSC survey results for DEDJTR (including MPV and MMRA) and for PTV staff to determine if key integrity polices and processes are promoted effectively.

VPSC People Matter Survey

There has been communication with staff by PTV, MMRA and DEDJTR, on behalf of MPV, about broad integrity issues, in the form of emails, staff bulletins, forums and training. However, levels of staff awareness of certain integrity policies and procedures, reported in the VPSC People Matter Survey, do not always reflect these efforts.

DEDJTR and PTV provide information to staff on the Protected Disclosure Act 2012 (which provides critical protections to individuals reporting improper conduct) during induction sessions and integrity training. They also have dedicated intranet pages, which guide staff about making a protected disclosure. PTV has information regarding disclosures in its Fraud and Corruption Control Plan. DEDJTR has recently established a new workplace conciliator role. DEDJTR anticipates that this role will promote staff awareness of a range of avenues for reporting issues or concerns, including protected disclosures. The role will work collaboratively with the Integrity Services Unit.

Every year, VPSC runs the People Matter Survey, which asks, among other things, if participants have seen or heard communication about particular policies in the past 12 months.

Figure 2C shows the results for 2016 and 2017. The data reflect particularly low awareness by DEDJTR and PTV staff of the promotion of processes to support the Protected Disclosure Act 2012 and reporting of improper employee conduct. Results for DEDJTR include MMRA and MPV staff. As the results also reflect the wider department, and MMRA and MPV only make up a small proportion of the total DEDJTR staffing numbers, the survey results are not necessarily reflective of MMRA or MPV staff responses.

Figure 2C
Reported promotion of integrity policies

Policy

DEDJTR
2017

DEDJTR
2016

PTV
2016

Code of Conduct

73%

77%

67%

Public sector values

71%

74%

49%

Processes for reporting improper employee conduct

51%

49%

71%

Processes to support the Protected Disclosure Act 2012

27%

29%

48%

Policy on giving and receiving of gifts and benefits

88%

83%

88%

Policy to assist employees to avoid conflicts of interest

70%

69%

76%

Note: PTV did not participate in the People Matter Survey in 2017 and MPV was no longer in existence.

Source: VAGO based on VPSC data.

These results show good levels of reported promotion of certain policies, such as gifts and benefits and the Code of Conduct. However, these results call into question the effectiveness of promotion activities and training provided to staff by DEDJTR in relation to protected disclosures.

For PTV, the results may reflect that it cannot receive protected disclosures, though this does not negate the need for its staff to know how to make one. Comparing DEDJTR's 2017 People Matter Survey results with like departments shows that its promotion of processes for reporting improper employee conduct and processes to support the Protected Disclosure Act 2012 are below the departmental averages of 64 per cent and 37 per cent respectively.

If protected disclosure policies are not effectively promoted, staff are less likely to use this mechanism. This reduces the ability to detect fraud and corruption and means that individuals wishing to report improper conduct may not receive the protections available to them under the Protected Disclosure Act 2012.

2.6 Internal audit

Internal audits are an important part of an effective control environment for fraud and corruption. Internal audits can monitor controls, detect weaknesses and make recommendations to strengthen controls. Under the Standing Directions, internal audit plans must include audits of business processes or units likely to be vulnerable to fraud, corruption and other losses.

We assessed whether internal audits in MPV, MMRA and PTV were considering fraud and corruption risks.

MPV

As a DEDJTR business unit, MPV was included in DEDJTR's internal audit activities, which cover a large and varied portfolio. Despite being responsible for complex projects and undertaking high levels of procurement, MPV was not subject to the same levels of internal audit activity as MMRA and PTV, which maintain their own internal audit functions.

In 2016–17, DEDJTR's internal audit program included only one audit with a specific focus on MPV. This was a follow-up audit to determine whether MPV had implemented the outstanding recommendations highlighted in our 2015 performance audit Follow up of Managing Major Projects. It did not assess fraud and corruption controls.

Although DEDJTR has conducted internal audits into vulnerable areas, these audits have not covered processes that MPV, as a business unit, maintained separately to DEDJTR. For example, DEDJTR completed an internal audit of accounts payable, but the audit did not include MPV's accounts payable system, which was separate to DEDJTR's.

In addition to DEDJTR's internal audit function, in late 2015, MPV engaged a contractor to complete data analytics work to assess fraud and corruption risks. Further discussion of MPV's response to the findings of this assessment are contained in Section 2.2. The contractor identified the following risks:

  • procurement splitting
  • variations to contracts being inaccurately reflected
  • opportunity for bank account details to be manipulated in the electronic payment file
  • opportunities for MPV staff to authorise payments which exceeded their financial delegations.

DEDJTR advised that as MPV would merge to become a statutory authority, it was not considered a high-risk area for DEDJTR's internal audit program, which also had to consider resourcing and budget constraints. DEDJTR also advised that as a relatively new department, it focused its internal audit program on core business processes affecting the whole department at this time.

We consider that MPV was a risk area for fraud and corruption, due to MPV undergoing significant organisational change, continuing to manage large procurements, working closely with the private sector and maintaining separate processes to DEDJTR.

MMRA

MMRA operates its own internal audit function and conducted more than 30 internal audits during 2016–17. Fraud and corruption risks were appropriately covered, with almost half of the 2016–17 audits focusing on potentially vulnerable areas, including:

  • contract management
  • gifts, benefits and hospitality
  • contractor and staff recruitment
  • the fraud and integrity control environment
  • conflicts of interest and confidentiality.

MMRA clearly linked internal audit activity to the risks it identified in risk assessments. MMRA identified the inappropriate access of information as a significant risk. Controls for this risk include internal audits, the development of security plans, and the maintenance of usage and access logs. MMRA is currently conducting an internal audit on cyber security, which includes assessing the physical security of data, and having the internal auditors try to use deception and non-standard testing methods to gain access to data, systems and applications.

PTV

PTV's internal audit program is appropriately considering fraud and corruption risks. PTV's 2016–17 internal audit program planned 10 audits, with five considering vulnerable areas including:

  • delegations of authority
  • payroll processes
  • asset management.

PTV operates an outsourced internal audit model, with PTV's internal audit division managing the contract. In an outsourced internal audit model, it is important that the team that manages the contract is properly resourced. This includes representation at a senior level to ensure audit teams properly rate the seriousness of audit findings and that business units appropriately respond.

During Operation Fitzroy, IBAC was concerned about the ad hoc auditing processes of PTV's outsourced internal audit provider. IBAC also questioned the effectiveness of PTV's audit and risk management function. IBAC did not fully explore this issue in its investigation, but we found evidence to support this concern. The case study in Figure 2D describes a 2013 internal audit conducted prior to IBAC's investigation and is an example of improperly classified audit findings that PTV did not act on appropriately at that time.

Figure 2D
Case study: Inappropriate rating of audit findings

In August 2013, PTV's outsourced internal audit function completed a report on procurement. The report identified a lack of controls over information in the vendor master file as a low-level finding. Internal audit testing at PTV found:

  • suppliers without an ABN
  • suppliers with duplicated bank account details and ABNs
  • suppliers with no bank account details
  • duplicate or similar supplier names in the master file.

The internal audit concluded that a 'lack of controls over the vendor master file creation and maintenance activities increases the risk of fictitious vendors being set up, which may potentially lead to fraudulent activities and financial losses. Inaccurate, incomplete, duplicated or outdated information in the supplier master file increases the risk of payments made to inaccurate or inappropriate suppliers and reduces the effectiveness of expenditure tracking and reporting.'

According to the report, a low-level audit finding:

  • represents a minor control weakness
  • will have a minimal impact on internal business only
  • should not decrease the public's confidence in PTV
  • should be addressed in 9–12 months, subject to competing priorities.

The audit's low-level classification and response did not reflect the actual risk and the events that followed. IBAC's Operation Fitzroy investigation began a month later, in September 2013, and identified significant losses through control weaknesses in PTV's procurement framework, including controls over information in the supplier master file. The investigation received significant media attention and had a negative impact on PTV's public reputation.

Source: VAGO based on PTV information.

This case study illustrates what can occur when there is inadequate oversight over the classification of findings and associated response. In 2015 PTV created a new senior role to oversee the audit and risk function. In December 2017 PTV restructured to create an Internal Audit Division and Head of Audit position. If the role operates as intended this should provide sufficient oversight of the internal audit function to prevent this situation recurring.

2.7 Data analytics

The Australian Standard suggests implementing a fraud and corruption detection program, which should include data mining and real-time computer system analysis to identify suspected fraudulent transactions. Data analytic tools enable analysis of large data sets and work to identify patterns, trends and possible anomalies, and can detect potential instances of fraud and corruption.

DEDJTR is responsible for the payroll and accounts payable functions for MMRA and maintains the vendor master file for PTV. Accounts payable and payroll systems facilitate high numbers of transactions every day including payments to vendors for goods and services and salary payments to employees. These information systems are an important source of information to detect common types of fraud and corruption, including false invoicing and illegitimate payments.

One of the initiatives in DEDJTR's November 2015 Integrity Framework was that the Integrity Services Unit would develop and maintain a suite of data analytics for use as a management tool. The framework noted that as at October 2015 there was limited use made of data analytics. In April 2016, DEDJTR provided dedicated resources to develop its data analytics capability.

In May 2016, the DEDJTR Integrity Services Unit commenced its first data matching exercise, which compared vendor and payroll data. The exercise did not identify any instances of fraud or corruption. However, there were caveats on this exercise, including that the DEDJTR Integrity Services Unit did not undertake any checks to verify the completeness and integrity of the data it received for testing.

In late 2017, DEDJTR began implementing business-as-usual data analytics for MTIP users, which includes MMRA. DEDJTR anticipates it will fully embed its data analytics program across the broader department by June 2018.

The data analytics program will not only assist DEDJTR in detecting potential instances of fraud and corruption, but will also improve compliance and business process reporting across DEDJTR. It is a positive initiative by DEDJTR to control for fraud and corruption.

In late 2015, MPV engaged a contractor to complete data analytics. Further discussion of MPV's response to the findings of this assessment is contained in Section 2.2.

Back to top

3 Prevention and detection in human resources practices

Human resources practices can support the development and maintenance of an integrity culture. Certain practices can contribute to preventing and detecting fraud and corruption, including:

  • employment screening of potential candidates
  • annual processes for declaring private interests
  • conflict of interest declaration processes in recruitment panels
  • management of offers of gifts, benefits and hospitality.

We assessed whether these controls were effectively implemented for MPV, MMRA and PTV staff. We also assessed the role of the DEDJTR Integrity Services Unit in overseeing gifts, benefits and hospitality processes and maintaining a central register of declarations of private interest.

3.1 Conclusion

Policies and processes are in place to conduct employment screening, manage conflicts of interest, and record offers of gifts, benefits and hospitality. However, these controls are not always operating as intended. Noncompliance with human resources policies and poor record keeping are undermining their effectiveness, leaving MMRA and PTV, and previously MPV, vulnerable to fraud and corruption.

In some instances, controls stopped at data collection and did not reflect an active process for using and monitoring information to detect noncompliance and potential fraud and corruption.

Although the DEDJTR Integrity Services Unit collects data on gifts, benefits and hospitality and declarations of private interest, we identified instances in 2016 and early 2017, where the unit knew of noncompliance but did not act in response. DEDJTR has advised that it has strengthened its processes since this time.

3.2 Employment screening

Screening potential employees provides a sense of an individual's personal integrity and highlights past behaviour that could indicate a fraud and corruption risk.

We assessed whether human resources functions consistently screened MPV, MMRA and PTV staff through police checks and reference checks and by confirming that candidates held the mandatory qualifications needed to perform a role.

Employment screening processes

Although employment screening policies and procedures were in place, human resource teams could not demonstrate that they fully implemented them while screening MPV, MMRA and PTV staff. Our testing highlighted deficiencies, including the failure to complete and document police checks, reference checks and qualification checks, or to respond appropriately when checks identified anomalies. Figure 3A describes an example of poor implementation of the employment screening policy.

Figure 3A
Case study: Poor implementation of employment screening policy

This entity identifies the falsification of employment history, qualifications and skills as a medium risk. It uses qualification checks to manage this risk.

A1 applied for a position as a technical specialist in April 2016. The position description for the role stated that 'A degree qualification in engineering or related discipline is mandatory.' A1 stated on their resume that they held a completed, relevant qualification from an overseas institution.

The role description required the successful candidate to:

  • manage a team of engineers
  • identify engineering risks
  • provide specialist technical advice across a range of technical engineering disciplines.

The entity conducted a qualification check that revealed that A1 did not hold the qualification. A1 had undertaken one year of the course and then withdrew without completing. The recruitment panel decided to employ A1 in October 2016 given A1's extensive relevant experience, on the condition that A1 complete the qualification while working. The agency also offered financial assistance to A1 to do so.

A1 did not hold the mandatory qualification, as required by the position description, and provided misleading information to the entity on their resume. Under the DEDJTR employment screening policy in place at the time, the entity should have escalated this matter to a three-person DEDJTR assessment panel, which includes an assistant director from the DEDJTR Integrity Services Unit. This did not occur and the DEDJTR Integrity Services Unit was unaware of the matter. A1 subsequently left the entity after three months, without enrolling to study the required qualification.

In response to this case study, the entity has commenced a review, which will confirm evidence of qualification checks for technical specialists for the past 12 months and is due for completion in March 2018.

Source: VAGO.

Employment screening processes for MPV, MMRA and PTV staff were strengthened in 2016 but these new processes only apply to new external applicants. Longstanding employees can move between roles in MMRA and PTV and are not required to undergo a police or qualifications check, with the exception of employees moving into financial delegate roles in MMRA.

Currently there are no processes that identify existing staff who commit a criminal offence. There are also no processes to identify staff who do not hold a required qualification.

MPV

Only a small number of staff commenced at MPV after the 2016 employment screening changes. Therefore, only a small sample of relevant personnel files were available to us. Human resources could not produce records to demonstrate that it had completed police checks for three of the five staff sampled, all three being contractors, and could only provide evidence of reference checks for two of these staff. Record keeping of employment screening documentation was poor. In one case, human resources could produce the application for a police check, but not the record of result.

In 2017 the DEDJTR Integrity Services Unit commissioned an internal audit of its employment screening processes to provide assurance over DEDJTR's recruiting and contracting processes and decisions. This decision followed reports released by IBAC and the Victorian Ombudsman in June 2017. The final internal audit report is consistent with the findings identified by our audit. The DEDJTR internal audit found:

  • police checks were not conducted for two contractors
  • recruitment and contracting processes do not adequately incorporate integrity requirements
  • the process for identifying, declaring and managing conflicts of interest as part of recruitment and contracting was not consistently applied, with no declarations able to be provided for the sample tested.

The internal audit recommended that DEDJTR consider:

  • revising its current policy requirements to enable police checks to be conducted prior to internal promotions
  • performing an analysis of current contractors holding senior positions to determine the extent to which police checks had not been conducted on these individuals and arrange for these to be completed
  • reviewing its contracting and recruiting processes to better align with VPSC requirements
  • reviewing its conflict of interest and recruitment policies to include further guidance on how conflicts of interest are to be reported and managed during recruitment processes.

DEDJTR has accepted the recommendations with a view to implementing them by 31 August 2018.

MMRA

MMRA maintains its own human resources function. MMRA has strong employment screening processes and requires all financial delegates to undergo police checks upon appointment, rather than only new employees. This is not a requirement for PTV or former MPV staff and reflects stronger controls. MMRA provided evidence for all sampled qualification and referee checks. However, poor record keeping meant MMRA could not demonstrate full compliance with the police check requirement. Testing found that nine of 20 sampled financial delegates had either not been subject to the required police checks or that evidence of the checks had not been retained. MMRA has now ensured that all current financial delegates have been subject to required police checks.

PTV

PTV has introduced stronger requirements for its employment screening processes over time. However, in many instances PTV Human Resources could not demonstrate compliance, meaning these processes are not working as an effective control. From a sample of 13 employees whose position descriptions required mandatory qualifications, PTV could not provide evidence of qualification checks for 11 of the employees. From a sample of 20 employees requiring a police check, PTV could not provide evidence that it completed a check for five of these employees. For the checks that were completed, PTV conducted some of these after the employee had started work at PTV, undermining the importance of this control. PTV could not provide evidence of an appropriate referee check for one employee from a sample of 10.

3.3 Declarations of private interests

All employees have private interests, but sometimes these interests can conflict with the performance of their public duties. Certain employees must outline their private interests through an annual declaration process. Management must put action plans in place if there is potential for a conflict of interest to occur and both the conflicts and plans must be recorded in a register. Information in this register should be up-to-date and accessible to ensure compliance and to continuously determine whether conflicts exist as employees move from project to project.

The DEDJTR Integrity Services Unit maintains a register of annual declarations of private interests for over 1 100 staff in designated positions, including in MMRA and MPV. PTV maintains its own register. We assessed whether the DEDJTR Integrity Services Unit and PTV were maintaining registers, and where appropriate, effectively managing declarations. Our assessment of the Integrity Services Unit's management of this process was limited to its handling of MPV and MMRA staff declarations.

Registers

Data in the registers for PTV, MMRA and MPV staff were in some instances poor, including entries that were incomplete and inaccurate. This could limit the ability of management to monitor declared interests and enforce action plans. There is a risk of the annual declaration of private interests process being reduced to a compliance activity, as opposed to an active and ongoing process of controlling for conflicts of interest in an organisation. Appropriate action needs to be taken to improve the data quality in the registers and ensure ongoing monitoring.

DEDJTR Integrity Services Unit

The DEDJTR Integrity Services Unit requires all employees and contractors in designated positions at MMRA and MPV to complete an annual declaration of private interests for inclusion in its Conflict of Interest Register. This process reinforces the Code of Conduct, which requires staff to avoid conflicts of interest.

In 2016–17, the Integrity Services Unit's work plan identified the need to digitalise a manual declaration of private interests process, which involved approximately 1 200 staff employees and contractors. Designated positions for completion of declaration of private interests include:

  • all executive officer positions
  • positions with a financial delegation of $50000 and above
  • senior technical specialists, including principal scientists and engineers.

The DEDJTR Integrity Services Unit could not produce copies of all required declarations for all financial delegates:

  • From a sample of nine staff who were required to complete a form in 2016, DEDJTR was unable to provide declarations for two MPV staff with financial delegations of $50000 and $2 million.
  • From a sample of 21, DEDJTR was unable to provide declarations for three MMRA staff.

The DEDJTR Integrity Services Unit is currently completing its review of the 2017–18 register. It is the unit's intention to conclude its review by preparing a report for each division which details reported private interests and associated management plans.

PTV

PTV maintains its own conflict of interest register. PTV could produce all the declaration forms for our sample, demonstrating its commitment to the declaration of private interest process. However, we did note some data quality issues in the register. For example, one employee stated that they 'held shares' without providing more information that would help determine whether a conflict existed. While PTV demonstrated that it reviewed and reported on declared conflicts, it could improve the quality of data in the register to better support external scrutiny and ensure action plans are enforced.

Conflict of interest management plans

Management must actively monitor plans to manage declared conflicts to ensure compliance.

The case studies in Figures 3B and 3C demonstrate where a conflict of interest has not been effectively managed.

Figure 3B
Case study: Poorly managed conflict in procurement activities

A project director declared to the agency that their spouse worked for a vendor that provided goods and services to the agency. No management plan was in place. Despite this conflict, the project director sat on evaluation panels and approved a contract variation relating to this vendor. See the case study in Figure 4B.

Source: VAGO.

Figure 3C
Case study: Failure to comply with management plan

An agency executive was a previous employee of a consulting firm and held $20 000 worth of shares in the company that owned the firm. The agency executive declared this conflict and the agency developed a management plan, requiring the executive to seek probity advice if they were to be involved in any way with the consulting firm. The agency executive failed to comply with this management plan and endorsed a recommendation for approval to proceed with an engagement for a contract worth $3.9 million. See the case study in Figure 4A.

Source: VAGO.

3.4 Conflict of interest in recruitment panels

Hiring based on relationships, rather than merit, is a form of corruption that agencies must actively prevent. DEDJTR's policy is consistent with VPSC conflict of interest guidance, which require staff involved in recruitment activities to complete a conflict of interest declaration to identify any relationships between a recruitment panel member and the candidates they are to assess. Officers must complete these declaration forms, regardless of whether a conflict exists. This process provides a level of transparency to ensure recruitment panel members act with impartiality and integrity when hiring staff.

We assessed a sample of recruitment activities of MPV, MMRA and PTV staff to determine if controls existed for potential conflicts of interest between recruitment staff and candidates.

MPV

Poor record keeping meant that we could not identify any conflict of interest considerations in recruitment panels for a sample of MPV staff. The DEDJTR Integrity Services Unit advised that in the absence of conflict of interest declarations for recruitment panel members, it relied on obligations in the Victorian Public Sector Code of Conduct for staff to disclose conflicts voluntarily. However, this practice is inconsistent with VPSC requirements endorsed by VSB that necessitate a declaration be made for every recruitment activity. Without signed declarations, MPV was not considering or actively controlling for conflicts of interest influencing the hiring of MPV staff.

MMRA

Prior to November 2017, MMRA's conflict of interest policy did not require members of the recruitment panel to sign a conflict of interest declaration when undertaking recruitment activities unless they identified a conflict and volunteered a declaration. This practice was inconsistent with VPSC requirements. Prompted by this audit, in November 2017 MMRA amended its practices and now requires all panel members to complete conflict of interest declarations specific to the candidate they are assessing.

PTV

Conflict of interest processes in PTV recruitment activities have varied over time. Currently, panel members are required to sign conflict of interest declarations at the end of their interview notes, which is consistent with VPSC requirements. For this current process, PTV could provide all interview notes sampled, detailing the conflict of interest declaration relating to the recruitment activity.

3.5 Management of gifts, benefits and hospitality

External parties sometimes make offers of gifts, benefits and hospitality to public sector officers. To ensure staff remain impartial when making decisions about how public resources are spent, the VPSC requires agencies to develop policies governing how their staff should respond to these offers.

At a minimum, up-to-date registers of offers of gifts, benefits and hospitality need to be maintained and data analysed to monitor compliance with policies, to identify patterns of behaviour and take action where appropriate.

Current VPSC requirements for the management of gifts, benefits and hospitality, which came into effect in October 2016, require public sector officers to:

  • provide written evidence of approval from a manager for acceptance of offers worth more than $50
  • decline all offers from current or potential suppliers
  • decline offers of money or gift vouchers
  • document a clear business reason for attending events.

We assessed whether gifts, benefits and hospitality policies and processes for MPV, MMRA and PTV were consistent with VPSC guidance and were complied with.

Offers of gifts, benefits and hospitality

MPV, MMRA and PTV all maintained gifts, benefits and hospitality registers. The number of offers of gifts, benefits and hospitality recorded in registers varies significantly. MPV reported the highest number of offers, and it had a practice of recording all offers, regardless of the value. Although PTV reported the lowest number of offers, PTV staff accepted all offers made between July 2016 and April 2017, as shown in Figure 3D.

Figure 3D
Gifts, benefits and hospitality offers and acceptances by agencies, July 2016 to April 2017

Bar chart showing the proportion of offers of gifts, benefits and hospitality that were declined, accepted, or where the decision is not recorded

Source: VAGO based on MPV, MMRA and PTV data.

Compliance with policies

Gifts, benefits and hospitality policies were in place, but we found instances of noncompliance, including instances where public sector officers accepted offers from suppliers, creating a perception of compromised integrity.

MPV

MPV's gifts, benefits and hospitality register shows that MPV officers accepted 250 offers between 1 January 2015 and 31 March 2017. Five senior MPV staff accepted 50 per cent of these offers.

We found multiple instances of noncompliance with DEDJTR's gifts, benefits and hospitality policy. Examples of offers accepted by MPV staff that did not align with the policy at the time include:

  • six offers by a supplier for tickets to the Australian Open in January 2017, including invitation-only President's Reserve seats, which were accepted by MPV staff, with no clear business reason outlined
  • acceptances of two $50 gift vouchers
  • a golf day organised by a vendor in 2017, which was attended by three MPV staff and approved by either the executive director or a director of MPV.

DEDJTR's November 2015 gifts, benefits and hospitality policy stated that MPV officers could not accept gifts, benefits or hospitality from current or potential suppliers. This requirement was also in MPV's 2016 procurement policy. Between November 2015 and March 2017, MPV officers accepted 74 offers from suppliers, or 46 per cent of all the accepted offers during this time frame.

The acceptance of gifts from suppliers could call into question the integrity of MPV officers, and fails to address perceptions that can arise when others observe this behaviour. Figure 3E shows a sample of suppliers from whom MPV officers accepted offers. We note that offers from legal firms could include professional development events commonly accepted by officers, through the use of the Legal Services Panel SPC.

Figure 3E
Sample of accepted gifts, benefits and hospitality at MPV from past and current vendors, January 2015 to March 2017

Bar chart showing the numbers of offers MPV staff accepted from vendors

Source: VAGO based on MPV data.

The high number of gifts, benefits and hospitality offered by suppliers, accepted by MPV staff and approved by management, demonstrates a culture that did not prioritise maintaining a perception of impartiality to sustain public trust.

There is no evidence of action taken by the DEDJTR Integrity Services Unit, despite the unit holding records of these acceptances in the register. DEDJTR has advised that it has strengthened its processes since this time.

MMRA

MMRA's gifts, benefits and hospitality practices revealed high levels of compliance with policy and VPSC requirements. MMRA has demonstrated its commitment to supporting a transparent culture of reporting on offers and introduced a digitised process in August 2017. This new process has significantly reduced the effort and time required to declare and manage offers. Since MMRA introduced the new process, the number of offers reported has increased.

PTV

PTV released its policy for managing gifts, benefits and hospitality in March 2017. It has clear rules and guidelines about responding to offers.

This policy reflects stronger controls than PTV's previous gifts, benefits and hospitality policy from July 2016, which was inconsistent with VPSC requirements. Entries in PTV's register from that time, align with PTV's gifts, benefits and hospitality policy of the time, but not with VPSC requirements. Examples include:

  • a dinner worth $450, which was not reported for three months
  • tickets to the Australian Open
  • tickets to the premiere night of a theatre production
  • lunch worth $300, for which the only reason stated was 'mutual interest'.

Under the new policy, PTV officers now record on their declaration forms detailed business reasons for accepting or declining offers, including noting when a perceived conflict of interest may arise from acceptance. In March 2017 PTV communicated these changes in the updated policy to all PTV staff to ensure they were aware of the new requirements. In April 2017 PTV also shared the updated policy with legal firms that provide services to PTV. This communication with suppliers outlined how offers of gifts, benefits and hospitality can raise the risk of a perceived or actual bias or preferential treatment, and that PTV staff must determine whether there is a legitimate business purpose for accepting offers.

Back to top

4 Prevention and detection in procurement practices

Procurement is a high-risk activity for fraud and corruption. Strong controls are needed in procurement frameworks to reduce the likelihood of fraud and corruption occurring. Essential procurement controls include:

  • mandatory approval stages in the procurement process to ensure procurements are initiated and approved by different officers
  • consistent supplier vetting programs
  • mandatory conflict of interest procedures
  • monitoring and reporting of procurement activity for fraud and corruption indicators.

We assessed whether MPV, MMRA and PTV had effectively implemented these controls in their procurement practices.

4.1 Conclusion

The strength of procurement frameworks to control for fraud and corruption vary across MPV, MMRA and PTV. MMRA has developed a strong framework, but significant weaknesses in procurement controls for MPV undermine MPV's prior status as the Victorian Government's specialist agency for project delivery.

PTV made progress in improving its procurement controls after Operation Fitzroy, however in some instances these improvements were slow to occur or inconsistently implemented. Outstanding gaps in PTV's controls for procurements under $25 000 leave PTV vulnerable to fraud and corruption for this type of transaction.

Where controls did exist, instances of poor record keeping meant MMRA and PTV could not always provide evidence of compliance with these controls.

Other weaknesses include a lack of consistent supplier vetting processes and monitoring of procurement data for specific fraud and corruption indicators. Given MPV, MMRA and PTV had high levels of interaction with the private sector, it is important that they improve their compliance with, and management of, conflict of interest policies that relate to procurement activities.

4.2 Procurement framework design

An effective procurement framework involves multiple elements to control fraud and corruption risks, including:

  • clear and mandatory procurement guidelines, outlining high standards and probity considerations
  • a well-trained and resourced procurement branch to centrally manage procurement activity
  • secure record-keeping systems to facilitate transparent decision making and enforce accountability
  • system-enforced financial delegations and separation of duties for appropriate approvals.

We assessed whether the frameworks covering MPV, MMRA and PTV procurements included these controls.

MPV

As a business unit, MPV fell under the DEDJTR procurement framework. Much of MPV's procurement activities were for construction works and related consulting. These procurements must comply with the Ministerial Directions made under the Project Development and Construction Management Act 1994. DEDJTR's procurement policy provides the expected level of guidance for procurement activity, however the policy does not apply to construction-related procurements that fall under the Project Development and Construction Management Act 1994. MPV had a procurement policy that outlined key principles, but it was high level and did not outline clear and practical steps for how procurement should operate. MPV had not developed the practical procurement guidance we would expect given that DEDJTR's overarching procurement policy was not applicable.

MPV received procurement support services through the DEDJTR Central Procurement Division. However, this division sat externally to MPV and did not have access to MPV's procurement system or project files. This limited the ability of this division to oversee procurement activities effectively and ensure compliance. MPV did, however, engage probity advisors or auditors for all projects.

While MPV maintained system-enforced financial delegate approvals over procurements, it did not maintain a central CMS. Project directors kept all documents relating to a procurement in a locked down project file. This severely limited the ability of MPV or DEDJTR's Central Procurement Division to centrally track different procurement details—for example, actual spend against approved contract amounts, or conflicts declared by staff involved. This limited the availability of documents to be centrally overseen and externally scrutinised.

With a lack of procurement guidance, central oversight and systems for tracking and storing procurement information, MPV's procurement practices did not have the necessary controls to prevent and detect fraud and corruption. This is concerning given MPV was responsible for significant procurements and major projects on behalf of government. These control gaps remained despite repeated negative findings made in past VAGO audits directed towards DEDJTR and MPV regarding MPV's procurement practices.

MMRA

MMRA has a strong procurement framework based on a 'lessons learned' approach that considers similar local and international projects.

MMRA has clear procurement guidance for all staff. Staff must register all MMRA procurements above the value of $2 000 with the procurement branch, which enters the details into a centrally maintained CMS. Only procurement branch staff can record data in the CMS. The procurement branch is well‑resourced to centrally manage the level of procurement activity in MMRA. Having a low-value threshold enables MMRA's procurement branch to have a more fulsome view of procurement occurring in MMRA. Overall, MMRA has designed a procurement framework with strong controls.

PTV

PTV's procurement framework has undergone considerable change since the IBAC investigation. PTV has had three different chief procurement officers since 2014.

In response to Operation Fitzroy, PTV committed to seek voluntary accreditation by the Victorian Government Purchasing Board (VGPB) of a new procurement framework. Although PTV was quick to develop a new procurement policy following the investigation in 2014, this procurement policy did not achieve accreditation with the VGPB.

In June 2016, PTV appointed the current chief procurement officer who has made significant progress improving PTV's procurement processes, including the design of a new procurement framework within six months of commencing in the role.

The VGPB accredited this better practice procurement framework in March 2017, more than two years after IBAC identified significant weaknesses in this area.

PTV's new procurement procedures are easy to understand and are readily available on the PTV intranet. However, PTV's procurement policy and guidelines only apply to procurements of more than $25 000 that staff register with the procurement branch for central management and recording in its CMS.

IBAC has identified the practice of 'splitting contracts' to avoid the need for a certain number of quotes, or a tender process, as a warning sign for corruption. This highlights the importance of having fraud and corruption controls that consider lower-value procurements.

Local business divisions conduct procurements of less than $25 000 to the standard required by the financial delegate who approves the purchase order. The procurement branch does not oversee records of procurements of less than $25 000 or how they are run because they are not stored in the CMS and therefore are not subject to reporting. This control gap limits PTV's ability to fully address the procurement framework weaknesses identified by Operation Fitzroy. PTV has implemented an 'Authority to Pay' process which requires two staff members to authorise payments, including those under $25 000. This process has enhanced the control environment for lower level procurements.

4.3 Supplier vetting

To be consistent with the Australian Standard, entities must develop a process that enables effective vetting of suppliers. The process should include, but is not limited to:

  • a search of the company register and ABN confirmation
  • a director bankruptcy search
  • a credit rating assessment
  • a search of pending legal proceedings
  • trade address and telephone listing verification
  • a media search.

Vetting guidelines should detail roles and responsibilities for supplier vetting activities between legal, finance and procurement divisions. Guidelines should also outline how to assess the characteristics of a procurement or supplier to determine vetting activities.

When considering the application of a supplier vetting process, we acknowledge that varying levels of procurement by MPV, MMRA and PTV were conducted using the CSR and SPC. DEDJTR has estimated that up to 95 per cent of MPV's procurements used the CSR or SPC. The Department of Treasury and Finance conducts due diligence activities for these service providers.

We assessed whether MPV, MMRA and PTV had developed and implemented supplier vetting guidelines and, when necessary, were consistently conducting appropriate due diligence checks on vendors.

At the time of the audit, supplier vetting guidelines were either not developed or consistently applied to MPV, MMRA and PTV procurements. The draft or final Fraud and Corruption Control Plans for MPV, MMRA and PTV all listed the types of activities from the Australian Standard that could make up a supplier vetting program. However, none had guidelines to outline which checks they would actually conduct, or had consistent vetting processes that went beyond simple ABN checks.

A lack of supplier vetting guidelines can result in ad hoc processes and various problems, including:

  • lack of clarity about responsibility for performing supplier vetting
  • no guidance on the vendor characteristics that would necessitate particular vetting activities, resulting in inconsistent practices
  • ABN checks as the sole vetting activity, which may occur at invoice payment, after the vendor has already been engaged and services delivered
  • poor records of vetting checks making it difficult to demonstrate the decision-making process behind a procurement if issues subsequently arise.

In response to our audit, MMRA implemented supplier vetting guidelines in November 2017.

PTV response to Operation Fitzroy

In response to Operation Fitzroy, PTV committed to increasing capacity to perform due diligence activities. PTV procured licenses for software to facilitate due diligence and supplier vetting activities. The PTV procurement policy states that the PTV legal, finance and procurement branches will validate a selection of suppliers using the search software. However these branches lack clear understanding of their roles and responsibilities for supplier vetting, which is resulting in inconsistent searching practices. PTV produced a guideline in 2015 but it was not consistently implemented. A 2017 internal audit confirmed this finding and the need for clear responsibilities.

We note that PTV pays to run each search, and vetting all new suppliers is not feasible. However, without a supplier vetting policy, there are no documented guidelines about how many suppliers should be subject to supplier vetting, and what supplier characteristics should trigger a search.

In response to our audit, PTV has acknowledged this gap and is in the process of developing new supplier vetting guidelines.

4.4 Conflict of interest processes in procurement

MPV, MMRA and PTV all have a high level of interaction with the private sector, and their workforces often move between roles in both the public and private sectors. Robust processes are essential to ensure MPV, MMRA and PTV can identify, document and actively manage relationships with the private sector.

VPSC conflict of interest guidance requires staff to complete a conflict of interest declaration before undertaking procurement activities, regardless of whether officers identify a conflict. These conflict of interest declarations are specific to the project at hand, and require staff to consider their relationships to specific entities and individuals involved in the procurement activity.

We assessed whether MPV, MMRA and PTV had conflict of interest processes consistent with VPSC guidance to control for conflicts of interest in procurement activities.

Conflict of interest policies and declarations

MPV

As a business unit, MPV was subject to DEDJTR's procurement and conflict of interest policies. However, MPV was not compliant with these policies and therefore had weak conflict of interest controls in procurement. MPV ran large projects with multiple procurement activities in each project. MPV staff only completed a conflict of interest declaration when they began a project, which could span a number of years. Declarations specific to particular procurements and vendors were not required. The declaration forms indicate that staff were required to notify the responsible director of any matter that may give rise to a conflict during their participation in the project, however this process is not consistent with VPSC guidance which requires a declaration for each procurement. These practices continued despite repeated criticisms of MPV's management of conflict of interest processes in previous VAGO audits. MPV's weak conflict of interest processes are concerning, given MPV's reliance on the private sector to deliver major projects on behalf of government.

MMRA

MMRA demonstrates strong documented conflict of interest controls. Under MMRA's procurement policy, all staff who are engaged in a procurement over $2 000, from the procurement advisor to the financial delegate, must sign a conflict of interest declaration and re-confirm the declaration when procurement details change. However, shortfalls in MMRA's record keeping meant they could not provide signed conflict of interest declarations for two of nine procurements tested.

PTV

PTV requires all evaluation panel members for procurements above $25 000 to submit a conflict of interest declaration. Procurements tested at PTV that occurred under the new procurement framework introduced in March 2017 were all compliant with the conflict of interest requirements.

There has been a clear improvement in compliance under PTV's new procurement framework. Poor record keeping limited PTV's ability to demonstrate compliance under the old procurement framework. PTV could not produce conflict of interest declarations for four of the eight procurements made under the old framework that we tested.

PTV's conflict of interest controls for lower value procurements are weaker as conflict of interest declarations are not required for procurements under $25 000.

Ongoing management of declared conflicts

When staff appropriately declare conflicts, management must effectively address the conflicts for the control to be effective, including during procurement activities. Lack of management could lead to personal interests conflicting with procurement decisions, or the perception that this has occurred. The case studies in Figures 4A, 4B and 4C describe three instances where those responsible did not manage conflicts of interest in procurement activities.

Figure 4A
Case study: Managing a declared private interest in procurement activity

An agency executive—C3—was a previous employee with a consulting firm and held $20 000 worth of shares in the company that owned the firm.

An action plan to manage C3's conflict required that C3 remain aware of the conflict and seek probity advice as to their appropriate level of involvement, if any, for any procurement or contract management discussions involving the firm or company.

C3 did not seek probity advice and signed off on a tender evaluation plan for a contract worth $3.9 million for which the firm was one of the tenderers. C3 was the project sponsor and the approver of the tender evaluation report. The evaluation panel assessed the firm as the preferred tenderer. C3—as project sponsor and the approver of the evaluation recommendation report—approved the panel's recommendation of the firm as the preferred tenderer and endorsed a recommendation for approval to proceed with the engagement.

After receiving a memo recommending the engagement, a senior executive officer in DEDJTR queried the appropriateness of C3 approving a recommendation to engage the firm, and initiated an independent review of the evaluation process and the outcome. The review concluded that it was an inadvertent oversight by C3 and recommended that the agency repeat parts of the procurement process involving C3. The review revalidated the firm as the preferred supplier, but concluded that the management of the conflict of interest had not been well handled and recommended a review of the agency's conflict of interest processes.

The senior executive in DEDJTR decided that the agency could not award the contract to the firm until C3 sold their shares so there was no possibility of financial gain, even indirectly, from the decision. C3 subsequently provided evidence that the shares had been sold.

Despite the conflict of interest process at the agency, the agency did not identify the inappropriate involvement of C3 in the procurement activity.

In response to this case study, the agency acknowledged that it could improve the process of overseeing declarations and arranged for external auditors to complete a review of conflict of interest management plans in early 2018.

Source: VAGO.

Figure 4B
Case study: Managing the perception of a conflict of interest due to a spouse's employment and shareholdings

An agency director—P1—was involved in multiple procurement activities involving a large consultancy company, which employed P1's spouse.

From 2014–16, the agency where P1 worked awarded contracts to the company worth in excess of $800 000.

P1 completed a number of conflict of interest declarations, consistently declaring that their spouse worked for the company.

Despite this conflict, P1 remained on evaluation panels involving the spouse's company. Probity advisors reviewed relevant conflict of interest declarations in March 2014 and July 2015, which detailed that the conflicts would 'be effectively managed by the following process(s)':

  • P1 being only one member of multi-person evaluation teams
  • the company being a large consultancy company and therefore tender outcomes having no material impact on the spouse's employment.

In June 2016, P1 approved the company receiving a variation to the contract. The variation was for nearly $70 000, which took the total value of the contract to more than $600 000. The contract terms had noted the potential for this variation, depending on the approach taken by the company.

A month later, in July 2016, when completing an annual declaration of private interests to DEDJTR, P1 declared that their spouse worked for the company and also held approximately $4 000 worth of shares in the company. Another director approved this declaration without an associated management plan.

The DEDJTR Integrity Services Unit did not identify the absence of a management plan nor take any further action to investigate the appropriateness of P1's involvement in procurement activities involving the company.

Source: VAGO.

Figure 4C
Case study: Inconsistent declarations of a conflict of interest and gifts, benefits and hospitality

In 2004, F1 left employment at Company D and in 2005 commenced at an audited agency, where they became a senior project director.

The agency engaged Company D on four occasions and F1 was involved in the procurement of Company D on each occasion.

A previous VAGO performance audit had reviewed one of the four procurements and concluded that F1's involvement created a perceived, if not an actual, conflict of interest. The audit also identified concerns that the tendering process had not been appropriately clear and competitive. At that time, agency staff were not required to complete conflict of interest declarations. F1 had not formally documented the conflict, but the agency was aware of F1's previous employment with Company D. The audit recommended that agency staff complete conflict of interest declarations.

During a subsequent tender process involving Company D and F1, in which Company D was not successful, F1 declared a personal relationship with a senior manager at Company D, stating that they played golf together. The same senior manager at Company D had been involved in the project subject to the earlier VAGO performance audit.

The agency engaged Company D a further two times, both projects involving F1. In the third engagement, F1 did not declare any conflicts with Company D. In the fourth engagement involving F1 and Company D, F1 again declared a personal relationship with a senior manager at Company D. Probity reports for all engagements do not refer to the declared conflict and show no consideration as to the appropriateness of F1 being involved in the projects.

Between December 2011 and September 2016, the agency's gift, benefits and hospitality register shows Company D made 65 offers to 15 different agency staff. Eight of these offers were to F1. According to the agency's register, F1 accepted five offers, declined two and the status of one is unclear. Accepted offers included F1 attending a cocktail function and receiving cufflinks as a gift.

Source: VAGO.

4.5 Monitoring fraud and corruption indicators

Monitoring procurement activity can help detect fraud and corruption. A strong monitoring and reporting program can also serve to deter potential perpetrators of fraud and corruption because it increases the chance of detecting irregular and inappropriate activity. It is important to distinguish between two types of monitoring activity:

  • generic monitoring and reporting on procurement expenditure and trends across the agency, such as contract values, expiry dates and complexity across different branches
  • monitoring and reporting on specific fraud and corruption indicators, such as vendors engaged multiple times, potential purchase order splitting and procurements just under delegation thresholds.

We assessed whether the generic monitoring of procurement activity, as well as monitoring and reporting on specific fraud and corruption indicators was occurring for MPV, MMRA and PTV procurement activity.

Fraud and corruption monitoring

Monitoring procurement activity for fraud and corruption varied across MPV, MMRA and PTV. Although they could all provide evidence that they monitored and reported generic procurement trends to their executive, to varying degrees, their monitoring activities for fraud and corruption indicators were less consistent.

DEDJTR is developing its data analytics capacity, which will enhance its fraud and corruption monitoring, as detailed in Section 2.7.

MPV

MPV provided only limited evidence of generic monitoring and reporting of procurement activity. There was no evidence of reporting on specific fraud and corruption indicators. MPV's generic procurement monitoring was limited to listing the value of procurements and the number of times MPV had engaged a certain supplier, and reporting occurred on an ad hoc basis. MPV provided no evidence of analysis of these reports. This lack of regular basic reporting of procurement activity is inconsistent with MPV's role specialising in project management. MPV had no controls to identify potential instances of fraud and corruption in procurement activity data.

MMRA

MMRA conducts generic procurement monitoring, but does not report on fraud and corruption indicators in procurement. MMRA produces a monthly dashboard report on procurement spend and contract expiry data. This data is useful for project management, but does not work as a control to identify potential fraud and corruption indicators.

The MMRA procurement branch does not centrally manage procurements that fall under the value of $2 000. MMRA has recognised that these procurements are at a higher risk of being subject to fraudulent activity and conducts internal audits of these lower-value procurements.

PTV

Following Operation Fitzroy, in 2015 PTV committed to undertake more sophisticated monitoring of procurement data to identify fraud and corruption indicators. PTV regularly reports on generic procurement activity and has attempted to report on procurement-related fraud and corruption indicators. Poor data quality in the CMS and PTV's inability to retain skilled staff in data analytics has resulted in inconsistent monitoring of fraud and corruption indicators in procurement. However, where reporting has occurred, PTV has considered relevant procurement-related fraud and corruption indicators including monitoring contracts with expenditure exceeding approval, purchase orders raised below delegation thresholds and variations to contracts. No monitoring is currently conducted on procurements of less than $25 000 which is a gap in PTV's procurement framework.

Back to top

5 Response to fraud and corruption

To maintain public trust and demonstrate that the public sector takes fraud and corruption seriously, there must be a proactive response when it suspects or identifies fraud and corruption. Response activities include:

  • maintaining a register to capture attempted and actual instances of fraud and corruption
  • establishing a fraud and corruption response team to coordinate response activities
  • conducting appropriate and thorough investigations into allegations of fraud and corruption
  • attempting recovery of losses caused by fraud and corruption
  • reporting instances of fraud and corruption and associated losses appropriately.

We assessed whether potential fraud and corruption incidents in MPV, MMRA and PTV were effectively responded to.

5.1 Conclusion

After its establishment in 2015, DEDJTR recognised concerns regarding previous responses to incidents of fraud and corruption and decided that it would outsource investigations. This approach recognised that specialised resources and expertise were required. There has been a significant improvement in the quality of its investigations of fraud and corruption allegations following this decision.

When we scrutinised the DEDJTR Integrity Services Unit register, we were not always able to determine how DEDJTR responded to reported integrity matters or if it incurred losses. Some entries in the register were incomplete and conflicted with the supporting documentation we reviewed. MMRA and PTV have maintained registers that clearly outline action taken and if losses occurred.

A range of external reporting requirements exist when fraud and corruption is suspected, which include reporting to IBAC suspected corruption and reporting financial losses to the minister, portfolio department and VAGO under the Standing Directions. We identified matters that we consider should have been reported and were not. Failing to report limits systemic analysis, and ultimately the ability of the public sector to effectively respond to fraud and corruption.

We also identified examples where decision-making processes or rationales about recovering funds lost due to fraud and corruption were not evident or not appropriately documented.

5.2 Fraud and corruption register and response team

A fraud and corruption register allows attempted and successful instances of fraud and corruption to be tracked. Keeping records, including action taken in response to incidents, is a mandatory legislative requirement under the Standing Directions. The Australian Standard recommends that an entity capture in the register:

  • the date and time of the report and the incident
  • how the incident came to the attention of management
  • the nature of the incident
  • the value of any loss
  • the action taken following discovery of the incident.

To manage this register and coordinate responses, the Australian Standard suggests entities should establish a fraud and corruption response team.

We assessed whether detailed fraud and corruption registers and response teams were in place to support responses to fraud and corruption incidents in MPV, MMRA and PTV. As a business unit within DEDJTR, MPV's response activities would have been undertaken by the DEDJTR Integrity Services Unit.

DEDJTR Integrity Services Unit

The Integrity Services Unit at DEDJTR maintains a central register of integrity matters ranging from complaints to fraud and corruption allegations. Uncategorised, outdated and, in some instances, inaccurate information limits this register's usefulness.

From reviewing the register, we were not able to consistently ascertain:

  • entries that related to fraud and corruption allegations
  • action that was taken and the status of these actions
  • whether an allegation had been substantiated
  • whether a financial loss had occurred.

The register contains 91 entries from September 2014 to June 2017. By assessing the information in each entry, we concluded that approximately 35 entries (38 per cent) included allegations of fraud and corruption. For 31 per cent of all the entries, there was not enough information for us to make an assessment.

The limited information in the register affected our ability to scrutinise the register and ascertain what action had been taken in response to allegations. In one instance, the status of a 2016 entry was 'potential fraud' for DEDJTR to investigate. However, in mandatory reporting of losses for 2015–16 under the Standing Directions, DEDJTR reported that the fraud was substantiated and that $1 865 of fraudulently acquired funds was recovered from the staff member when their employment was terminated.

The DEDJTR Integrity Services Unit established the register and associated integrity database in November 2016. Prior to this time, although a register existed in the form of a spreadsheet, individual DEDJTR officers kept information regarding integrity matters and investigations on their computers, rather than on a central database.

The DEDJTR Integrity Services Unit's record-keeping practices for fraud and corruption matters require improvement. While we note DEDJTR's position that it established the register as a management tool to track actions on matters which came to its attention, current practices limited our ability to conduct the same analysis that we had been able to undertake of MMRA's and PTV's registers. These practices also have the potential to limit DEDJTR's ability to understand fraud and corruption across the portfolio, given that much of the knowledge of past handling of matters has rested with individual officers and DEDJTR has not centrally collated this information.

During the course of the audit DEDJTR began to improve the data in its register and is now capturing additional information, including categorising the incident and noting any losses.

The DEDJTR Integrity Services Unit functions as a fraud and corruption response team. The team consists of senior staff including an executive director, director, assistant director and manager. The response team meets when required to consider various integrity-related matters, including protected disclosures and general complaints. DEDJTR records case notes on the matters discussed.

MPV's draft Fraud and Corruption Control Plan stated that MPV would maintain a fraud and corruption incident register and establish a response team. MPV was unable to provide us with any evidence of either, however, given it had reported no incidents this is to be expected.

MMRA

MMRA maintains a detailed register that outlines how it considered each fraud and corruption incident and the action taken in response. MMRA has established a fraud and corruption response team, led by the project systems and audit manager, and comprising three senior directors responsible for the Finance, Legal, and Governance and People branches within MMRA, along with a staff member from the DEDJTR Integrity Services Unit. MMRA's response team has met as required in response to alleged incidents and has maintained the register.

PTV

PTV maintains a register that details the nature of fraud and corruption allegations and how PTV has managed them. PTV also established a response team, which:

  • has met on a quarterly basis and as required
  • is guided by documented terms of reference
  • can make recommendations to the chief executive officer
  • must report incidents to the audit and risk committee and chief executive officer
  • has kept minutes of its meetings and has maintained the register.

5.3 Investigations

Thorough investigations must be conducted into apparent or suspected fraud, corruption or other losses as soon as possible.

Officers managing and conducting investigations should:

  • have appropriate skills and experience
  • be independent of the business unit in which the alleged fraudulent or corrupt conduct occurred.

IBAC has noted that if agencies handle internal investigations poorly, there can be serious consequences for individuals and the organisation. Internal investigations need to be timely, transparent, clearly documented and able to withstand external scrutiny.

We assessed a number of investigations conducted by MMRA, PTV and the DEDJTR Integrity Services Unit to determine if they reasonably responded to allegations. MPV reported no instances or investigations of fraud and corruption.

DEDJTR Integrity Services Unit

DEDJTR identified that the investigation of suspected activities or incidents required specialised resources and expertise. Currently the DEDJTR Integrity Services Unit outsources investigations. Our review of a sample of the investigations conducted by external contractors since mid 2016 found that:

  • investigations were outsourced to experienced contractors
  • investigation plans and procedures were referenced
  • appropriate documentation and data was collected, secured and analysed, including email and telephone records
  • interviews were conducted with evidence of procedural fairness
  • detailed reports were provided regarding the investigation of the allegations with key findings and recommendations.

We examined an investigation and a review managed by the DEDJTR Integrity Services Unit prior to the decision to outsource and identified a number of concerns regarding its handling of these particular matters including:

  • no evidence of planning or risk management
  • excessive time taken to finalise these matters
  • an approach taken by staff that could alert potential perpetrators of fraud and corruption, and that did not duly consider the seriousness of the allegations.

The case study in Figure 5A details a matter that IBAC referred to DEDJTR. IBAC was subsequently critical of DEDJTR's internal investigation, which resulted in a third party re-investigating the matter. This matter took over a year to finalise. This example supports DEDJTR's decision to outsource investigations and ensure appropriate expertise.

Figure 5A
Case study: Referred investigation from IBAC

IBAC referred a matter to DEDJTR to investigate. DEDJTR initiated an investigation in 2015 and communicated the outcomes of its investigation to IBAC.

In November 2015, the IBAC Commissioner wrote to the Secretary of DEDJTR stating that IBAC did not accept that DEDJTR had conducted an appropriate investigation of the allegations and rejected the report and its findings.

In January 2016, DEDJTR engaged an external contractor to review DEDJTR's investigation. In its February 2016 report, the external review found significant failings in the approach, methodology and conclusions reached in the DEDJTR investigation. The review found that DEDJTR had followed an 'inappropriate and unclear investigatory process'. The review recommended DEDJTR undertake an appropriate investigation. The review also noted that DEDJTR must develop fraud and corruption response procedures.

DEDJTR then engaged an external contractor to conduct the investigation in April 2016. The contractor delivered the final report in October 2016, more than a year after the matter was referred by IBAC to DEDJTR. IBAC was satisfied with this investigation and noted its support of the recommendation for DEDJTR to implement fraud and corruption response procedures.

Source: VAGO based on DEDJTR information.

MMRA

Only one matter has been subject to an investigation at MMRA.

In July 2017, an MMRA staff member found an unrecognised USB device in a computer. MMRA activated its fraud and corruption response team on the same day and sent an email to all MMRA staff alerting them to a potential breach in security and reminding them of key security measures.

MMRA engaged its probity advisor to conduct a review of the incident. The review included a forensic examination of the device and access logs. The review was unable to identify the source of the USB device. The review recommended MMRA conduct staff training.

The investigation was timely, thorough, well documented and conducted by an independent officer with the appropriate level of skill and experience.

PTV

PTV's fraud and corruption register details 23 incidents from 2013–17. Six of the matters listed on the register, including Operation Fitzroy, warranted formal investigations by external investigators. PTV dealt with the other 17 matters internally, which we assessed as appropriate, given the nature of these allegations. Internal and external investigations ultimately substantiated nine matters.

The following examples illustrate PTV's ability to effectively assess and respond to allegations of fraud and corruption, including the appropriate use of external expertise when required:

  • PTV identified an incident where a staff member was allegedly misappropriating funds. PTV engaged a suitably qualified external investigation firm to complete initial enquiries. PTV also reported the matter to Victoria Police for prosecution and sought to recover the funds.
  • In 2013–14, PTV incurred losses of $4.8 million due to a myki ticketing fraud. PTV engaged an external agency to investigate the fraud and reported the matter to Victoria Police. PTV took subsequent action to strengthen its controls.
  • PTV received information alleging the sale of fraudulent myki tickets. PTV engaged an external investigator and the investigation concluded that adequate controls were in place and did not substantiate the allegation of fraud.

All investigations we assessed were timely, thorough and well documented. PTV demonstrated how it learnt from the investigations and strengthened controls.

5.4 Reporting

Reporting obligations exist when suspected fraud and corruption is identified. These obligations ensure that government shares relevant information and that external parties can track incidents of fraud and corruption, and associated losses across the public sector.

Reporting activities include:

  • notifying IBAC of suspected and actual instances of fraud and corruption that meet a defined threshold
  • reporting financial losses due to fraud and corruption to the minister, portfolio department and VAGO under the Standing Directions
  • appropriately referring allegations to relevant portfolio departments and facilitating information sharing when fraud and corruption occur to help the entire portfolio improve its control environment.

Parliament established IBAC in 2012 to identify, expose and investigate corruption. DEDJTR and PTV had discretion as to whether they notified IBAC of corrupt conduct until December 2016. At this time, government strengthened the legislation, and it became a mandatory requirement for public sector agency heads to notify IBAC of suspected corruption. The revised legislation ensures that all relevant matters are brought to IBAC's attention to consider whether an investigation is required.

We assessed whether reporting obligations were being met. We also assessed the role of the DEDJTR Integrity Services Unit in meeting certain reporting obligations and facilitating information sharing to strengthen controls.

Notifying IBAC

IBAC must be notified of potential protected disclosures and, from December 2016, suspected corrupt conduct. Considerations in determining if a matter may be a protected disclosure include whether the conduct would constitute a criminal offence or reasonable grounds for dismissal. Failing to notify IBAC of relevant incidents diminishes its capacity to perform its role, conduct systemic analysis and expose corruption. IBAC has described the move to mandatory reporting as being of strategic importance as it reflects the government's view that building an integrity culture is mandatory, not discretionary.

We identified no instances of fraud and corruption in MPV and MMRA that should have reported to IBAC.

PTV

PTV's register details instances where PTV terminated staff employment because of alleged criminal activity. We judged one of these instances as warranting reporting to IBAC—a staff member processed $60 000 worth of fictitious transactions for personal gain.

PTV did not report this incident to IBAC. While PTV had discretion at the time as to whether it reported matters of corrupt conduct to IBAC, not doing so limits IBAC's ability to conduct systemic analysis of corruption across the Victorian public sector.

We note that PTV did appropriately investigate and report the $60 000 theft to Victoria Police and a prosecution followed.

DEDJTR Integrity Services Unit

We identified one incident, which we assessed as potential fraud. DEDJTR holds a different view and chose not to notify IBAC. We acknowledge that mandatory reporting was not in place at the time, but IBAC had been established to receive reports and investigate corruption. The case study in Figure 5B outlines this incident, which describes DEDJTR's review of a matter after questions about the authenticity of documentation used to obtain grant funding.

Figure 5B
Case study: DEDJTR Integrity Services Unit review into allegations of grant fraud

The former Department of State Development, Business and Innovation (DSDBI) awarded an organisation a grant of over $450 000 to provide certain services.

DSDBI had identified that some records submitted by the organisation did not appear authentic. DSDBI engaged its internal auditors, who identified concerns including the questionable authenticity of documents and noncompliance with grant agreement requirements.

DSDBI staff met with the organisation and provided it with the results of the audit and a further opportunity to validate the grant funding. The organisation took almost a year to complete this work.

This matter and the staff conducting the review transferred to DEDJTR following machinery of government changes in January 2015.

DEDJTR concluded that it had paid over $65 000 for services that could not be validated. The organisation requested further time to provide evidence of services it had provided but not yet claimed to acquit the funding already provided and DEDJTR agreed.

An internal memo demonstrates that DEDJTR ultimately concluded that the organisation:

  • had demonstrated systemic noncompliance with a number of grant conditions
  • submitted documents of questionable authenticity
  • was unable to provide an explanation for these practices.

DEDJTR determined that it had not incurred any financial loss that required reporting under the Standing Directions. This position fails to account for DEDJTR's initial conclusion that it had paid more over $65 000 for services that could not be validated. DEDJTR's absence of financial loss was only a result of its agreement with the organisation regarding subsequently validated services.

The review was finalised with a closure letter to the organisation. The letter noted its noncompliance with grant conditions and encouraged the organisation to address this in any future grant programs that it may participate in.

Source: VAGO.

Because DEDJTR did not report the matter voluntarily to IBAC or Victoria Police, the matter was not subject to external scrutiny or formal investigation. DEDJTR's rationale for its handling of this matter, and its position that this case study does not indicate fraud, is unclear from the documentation provided.

DEDJTR did not report the loss under the Standing Directions, concluding it incurred no loss, as it acquitted the money from the unverified services against services not yet validated or claimed. DEDJTR was ultimately unable to confirm if the organisation provided all of the services for which DEDJTR paid.

Not reporting such matters externally prevents IBAC, and in some cases Victoria Police, from taking appropriate and consistent action. It also means that there is a lack of transparency and no external scrutiny over the handling of such matters. Mandatory reporting to IBAC, introduced in December 2016, aims to ensure that IBAC is notified of all relevant matters.

Reporting of losses under the Standing Directions

Section 3.5.3 of the Standing Directions requires agencies to notify the responsible minister, their audit committee, the portfolio department and VAGO of instances of significant or systemic fraud and corruption and other losses. MMRA and PTV have defined their minimum reporting thresholds of $5 000 in cash and $50 000 in property in their Fraud and Corruption Control Plans. DEDJTR's Fraud, Corruption and Other Losses Policy has also defined its minimum reporting threshold as $5 000 cash and $50 000 property, while MPV's draft Fraud and Corruption Control Plan referred to old thresholds under the previous Standing Directions

Reports of losses made to VAGO under the Standing Directions for the 2015–16 financial year reveal that losses totalled more than $37.5 million across the public sector. These reports attribute about $19 million to fraud and corruption.

We assessed whether DEDJTR, including MPV and MMRA, and PTV appropriately reported losses under the Standing Directions and whether reports were consistent with losses identified in fraud and corruption registers.

DEDJTR, including MMRA and MPV

DEDJTR's expenditure for 2015–16 was approximately $6.8 billion and total assets were $4.6 billion. DEDJTR reported losses of $7 021 and $12 876 in 2014−15 and 2015−16 respectively, a low value given DEDJTR's size and asset holdings. The majority of these losses were low-value portable assets, such as mobile phones. Reports from MMRA and MPV to DEDJTR outline no losses over the two financial years, 2014–15 and 2015–16.

Although not fully explored in this audit, DEDJTR's low reporting may be partly attributable to its consideration of disposed assets, as the case study in Figure 5C outlines.

Figure 5C
Case study: DEDJTR asset management

In February 2017, a DEDJTR internal audit into asset management identified missing assets with an original value of $105 000 and a written down value of approximately $12 000. The internal audit report found that DEDJTR did not have strong controls over the storage of its assets and found that poor physical security measures may result in the theft of DEDJTR's assets. DEDJTR committed to conducting an asset stocktake in March 2017 to address the audit's findings.

DEDJTR sent the asset stocktake to all business units and asked staff to provide an attestation that the information was true and correct. DEDJTR asked staff if they had sighted assets and if assets had been disposed. During this process, 164 assets with an original cost of $3.5 million and a written down value of $447 000 were unable to be located.

DEDJTR treated the assets that could not be located as 'disposed' in the accounts, with no consideration of whether they were stolen.

Source: VAGO based on DEDJTR information.

This approach may result in DEDJTR not capturing and analysing potential losses due to fraud and corruption, and not reporting them under the Standing Directions for external consideration. In response to this finding, DEDJTR has advised that it will ensure that policies and procedures for identifying and reporting lost assets include referring matters to the Integrity Services Unit to assess the possibility of fraud.

PTV

PTV reported losses of about $4.9 million in 2014–15 and $158 944 in 2015–16 and these are consistent with losses identified in PTV's fraud and corruption register. PTV's losses included a myki ticketing fraud, along with thefts of myki vending machines and myki cards. PTV does not own the vending machines but reports these thefts as it owns the cash and myki cards contained inside.

PTV did not formally report the corruption identified by IBAC during Operation Fitzroy to the responsible minister, DEDJTR or VAGO, as required under the Standing Directions, despite IBAC finding $25 million of corrupted contracts. At the time, PTV could not quantify a loss, as it still received the required goods and services and the prosecutions against the alleged perpetrators were ongoing to establish the extent of the corruption.

While it was difficult for PTV to quantify the financial loss accurately, the intent of the Standing Directions is to report instances of systemic or significant fraud and corruption. We consider that under the Standing Directions PTV should have reported an incident of corruption that affected up to $25 million worth of contracts. Subsequent orders issued by the court required the perpetrators of this corruption to repay the state millions.

We note that the matter was in the public domain due to IBAC's public hearings and associated media reports, PTV was engaging with IBAC and the portfolio department, VAGO was aware of an investigation taking place, and there is no suggestion that PTV attempted to conceal the incident from external scrutiny. However, reporting under the Standing Directions is a legislative requirement that was not met in this instance and if incidents are not reported, it diminishes systemic analysis.

Information sharing across the portfolio

Effective information exchange between the DEDJTR Integrity Services Unit and its portfolio is crucial to the management of fraud and corruption. It ensures consistent reporting and the identification of trends and common control weaknesses and threats.

Reporting to the DEDJTR Integrity Services Unit

Under the Standing Directions, instances of systematic and significant fraud must be reported to the portfolio department. The DEDJTR Integrity Services Unit also required MPV and MMRA to report all integrity incidents to it, regardless of the Standing Directions threshold. This is not required of PTV as a statutory authority.

MPV reported no integrity matters to the DEDJTR Integrity Services Unit. In July 2016, MMRA was subject to two attempted external frauds. MMRA reported these incidents to the DEDJTR Integrity Services Unit on 22 July 2016.

From July 2016 to February 2017 MMRA was subject to a further four external fraud attempts to invoice MMRA for a total of $6 010. MMRA did not report these incidents to the DEDJTR Integrity Services Unit because it concluded that it had reported similar activity previously and did not consider a further notification warranted.

The DEDJTR Integrity Services Unit did not incorporate these reports from MMRA into its register because it determined that the attempts were 'spam'. Phishing attempts by their very nature are spam and can be an effective way of fraudulently acquiring funds from government, see examples in Section 2.3. Not including such reports in the register undermines the purpose of collecting information to understand the wider threat environment across the portfolio. However, this needs to be balanced with the volume of attempts that a department of DEDJTR's size receives and therefore the DEDJTR Integrity Services Unit exercises judgment each time as to whether an attempt is added to its register.

Knowledge sharing to strengthen controls across the portfolio

In March 2016, DEDJTR was subject to an attempted phishing scam seeking payment of a fraudulent invoice for $400 000 as detailed in Figure 2A. Although the attack was unsuccessful, the Secretary wrote to VSB and the DEDJTR portfolio alerting them to the matter. In April 2017, DEDJTR was the victim of another phishing scam and made four payments totalling more than $294 000 to a bank account falsely represented as belonging to an existing supplier. DEDJTR did not circulate any advice about this incident. See Figure 2B for further information.

In January 2018, the DEDJTR Integrity Services Unit shared information regarding a false request to change vendor payment details. The request had been actioned in 2016, but no payment had been sought by the perpetrators of the scam. In error, in 2017, a payment was made to this false vendor account. DEDJTR circulated a copy of the correspondence, which requested the change in bank account details, and highlighted the need to:

  • regularly review and deactivate vendor sites which had not been used for 12 months
  • ensure there was independent verification before changing vendor bank details.

DEDJTR presented limited evidence that the Integrity Services Unit had shared lessons learned from matters recorded in its central register. These are the only two examples that DEDJTR provided.

5.5 Recovery efforts following fraud and corruption

The Australian Standard recommends entities have a policy for the recovery of funds lost to fraud and corruption. Government entities should clearly document decisions on taking recovery action when public funds are lost to fraud and corruption, including decisions not to take action.

We assessed whether the DEDJTR Integrity Services Unit and PTV are actively attempting to recover funds lost to fraud and corruption and are documenting decision-making processes and rationales regarding these recovery efforts. MMRA and MPV recorded no losses to fraud and corruption.

DEDJTR Integrity Services Unit

The DEDJTR Integrity Services Unit has not consistently recorded in its register the outcomes of allegations of fraud and corruption, or whether it has incurred any losses. This made it difficult for us to determine when there were losses for DEDJTR to recover.

By collating information from the DEDJTR Integrity Services Unit register and DEDJTR's reports under the Standing Directions, we confirmed two instances of financial loss due to fraud and corruption in DEDJTR:

  • DEDJTR lost $294000 to a falsely represented bank account in a phishing scam in April 2017. It recovered the majority of this amount, writing off approximately $4600.
  • DEDJTR lost $1865 to false claims by an employee. It recovered the full amount.

Although DEDJTR has been successful in recovering funds from both incidents, the lack of information available in the DEDJTR Integrity Services Unit register has limited our ability to identify losses and analyse DEDJTR's decision-making with respect to recovery effort.

As mentioned in Figure 5B, we identified a matter where DEDJTR was unable to validate that more than $65 000 worth of services had been provided. DEDJTR allowed the organisation to acquit yet-to-be-claimed services against the funding already obtained despite noting that the organisation had been noncompliant with a number of grant conditions.

PTV

A limited number of incidents in PTV's fraud and corruption register have resulted in a financial loss. PTV estimates that eight incidents caused a financial loss and five of these were of a low value, including thefts of funds less than $60.

Of the remaining three incidents, PTV only attempted to recover losses from one, and was successful. A finance fraud was perpetrated by a staff member and PTV ultimately recovered the full amount of $60 000.

The further two losses relate to Operation Fitzroy and a high-value myki ticketing fraud.

IBAC's Operation Fitzroy estimated that $25 million of PTV contracts were corrupted. PTV considered these losses too difficult to quantify in order to pursue a claim. PTV stated that although the procurement process was corrupted, PTV did not believe it necessarily paid inflated prices.

From the documentation provided, PTV did not appear to consider recovering the losses associated with Operation Fitzroy until a third party contacted DEDJTR after seeing media reports about IBAC's investigation. PTV confirmed that it did not seek to recover any losses via civil claims or insurance.

Following the sentencing of the two former PTV employees responsible, the courts issued pecuniary penalty orders. Any monies recovered will go to consolidated revenue. Under agreement between PTV and IBAC, items of furniture improperly obtained, and seized during the investigation, will be subject to a police auction, with the proceeds also going to consolidated revenue.

In 2013–14, PTV incurred losses of $4.8 million due to a myki ticketing fraud. PTV advised that these losses would have been too hard to recover, given the nature of the fraud.

Both of these were complex cases where quantifying losses and recovery were difficult. The complexities to consider include active legal action and balancing the costs of recovery against the actual loss. While we acknowledge these complexities, it is still a problem that PTV did not document its decision-making process or rationale as to why it did not seek to recover significant public funds lost due to fraud and corruption. PTV was unable to demonstrate that it considered recovery until approached by an external party, and then did not adequately document its decision not to pursue recovery.

Challenges and complexities in recovering losses due to fraud and corruption highlight the importance of prevention and detection activity to minimise losses.

Back to top

Appendix A. Audit Act 1994 section 16—submissions and comments

We have consulted with DEDJTR and PTV, and we considered their views when reaching our audit conclusions. As required by section 16(3) of the Audit Act 1994, we gave a draft copy of this report, or relevant extracts, to those agencies and asked for their submissions and comments. We also provided a copy of the report to the Department of Premier and Cabinet.

Responsibility for the accuracy, fairness and balance of those comments rests solely with the agency head.

Responses were received as follows:

RESPONSE provided by the Secretary, DEDJTR

Response provided by the Secretary, DEDJTR - page 1

Response provided by the Secretary, DEDJTR - page 2 (action plan)

Response provided by the Secretary, DEDJTR - page 3 (action plan)

RESPONSE provided by the Chief Executive Officer, PTV

 

Response provided by the Chief Executive Officer, PTV - page 1

Response provided by the Chief Executive Officer, PTV - page 2 (action plan)

Back to top

Appendix B. Public Transport Victoria's Response to Operation Fitzroy

In October 2014, IBAC published its investigation report into allegations of serious corruption in the former Department of Transport and PTV. The investigation examined the circumstances around the procurement of infrastructure works between 2006 and 2013. Victoria Police laid more than 100 criminal charges against nine individuals and one company.

To address the issues identified by Operation Fitzroy, IBAC recommended that PTV implement a program of procurement reforms and cultural change. PTV was required to report to IBAC on implementing the reforms. PTV provided a progress report to IBAC in June 2015 and a final report in December 2015, which are available on IBAC's website.

Following IBAC's investigation, PTV committed to a broad range of reform initiatives, including:

  • developing new policies and procedures
  • appointing new specialist staff
  • procuring new systems
  • implementing an extensive program of fraud and corruption-specific training.

IBAC recommended that VAGO consider and review PTV's actions to ensure it identified and addressed systemic weaknesses.

We assessed whether PTV had implemented the reform activities it reported to IBAC in 2015 and whether PTV's current practices address the fraud and corruption control weaknesses identified by IBAC—see Figure B1.

We have rated PTV's implementation of the reforms using a traffic light system:

Reform fully implemented and still in place at PTV

Reform implemented slowly or inconsistently

Reform not implemented, or was implemented but is no longer in place

Conclusion

PTV was subject to public hearings as part of IBAC's Operation Fitzroy and undertook to address the issues identified by that investigation. PTV made considerable progress in implementing many of these initiatives. PTV developed a Fraud and Corruption Control Plan, established a response team, and conducted an extensive training program on fraud and corruption for staff. However, in some cases implementation was slow, or did not occur, as PTV elected over time to take alternative action. Gaps remain in certain areas, meaning work is still required to further reduce the risk of fraud and corruption.

Findings

Figure B1 PTV reforms following Operation Fitzroy

Reform

Rating

Status

Fraud and corruption reforms

Fraud and corruption risk assessment

PTV conducted a fraud and corruption risk assessment to inform its Fraud and Corruption Control Plan. All risks identified were being managed (see Section 2.2).

Develop a Fraud and Corruption Control Plan

PTV developed a Fraud and Corruption Control Plan consistent with the Australian Standard (see Section 2.3).

Establish fraud and corruption response team

PTV established a fraud and corruption response team that meets quarterly, has appropriate senior membership, has developed terms of reference and keeps minutes of its meetings (see Section 5.2).

Establish fraud and corruption incident register

PTV has established a fraud and corruption incident register (see Section 5.2).

Fraud and corruption lead indicator reporting

PTV has generated reports on lead fraud and corruption control indicators.

Internal control reviews advisor

A dedicated resource to undertake reviews on internal controls and ensure procurement policy compliance was in place but subsequently left PTV.

Procurement reforms

New procurement framework accredited by VGPB

After Operation Fitzroy, PTV developed a new procurement framework, however this framework did not achieve accreditation with the VGPB. It was not until March 2017 that an accredited framework was operational at PTV. This framework only applies to procurements over the value of $25 000 (see Section 4.2).

Creation of 'approval to procure' and 'recommendation to award' stages

PTV created an 'approval to procure' stage and a 'recommendation to award' stage within its procurement process. The addition of these stages has created an added level of control in PTV's approval process for procurements over $25 000.

Monthly monitoring of procurement activity for fraud and corruption indicators

PTV has attempted monthly monitoring reports over procurement activity. However, these reports have been inconsistent (see Section 4.5).

Supplier vetting prior to execution of every contract and when engaging a new supplier

PTV procured licenses for software to facilitate due diligence and supplier vetting activities. However, PTV's legal, finance and procurement branches lack a clear understanding of their roles and responsibilities for supplier vetting, resulting in inconsistent searching practices (see Section 4.3).

PTV will not re-engage suppliers named during the Operation Fitzroy investigation

The only control in place to not re-engage these suppliers was an email to staff listing which suppliers they should not re-engage. PTV has experienced high levels of staff turnover—therefore, a number of current staff would not have received this email.

PTV has not put in place other controls, such as a flag in the CMS or ongoing monitoring of identified suppliers. PTV did not present any evidence that it conducted searches with the Australian Securities and Investments Commission to help identify individuals and companies named in the investigation who may be associated with new companies that PTV has engaged.

Finance will conduct spot checks across all levels of procurement expenditure

There is no evidence of consistent spot checks across all levels of procurement expenditure.

Development of procurement templates and guides for staff undertaking procurements

Procurement templates are only mandatory for procurements over $25 000. There is currently no guidance for procurements under $25 000.

Financial control reforms

Manage weakness of current CMS

PTV acknowledged the weaknesses in the CMS and reported to IBAC that it would procure and implement a new CMS by June 2016. This did not occur. A procurement process began, but no current PTV staff could confirm when PTV discarded the decision to procure a new CMS.

PTV still does not manage weaknesses in the CMS well and was slow to implement access controls. The CMS does not integrate with the accounts payable financial system responsible for the actual payment of funds. This means that PTV cannot track real-time expenditure against a contract in the CMS, and there is a risk that PTV may fail to detect and prevent over-expenditure. Manual controls could detect and prevent over‑expenditure on contracts. PTV currently does no manual checks or reconciliations between accounts payable expenditure and CMS approval records to manage this system weakness.

Before March 2017, all PTV staff could edit records in the CMS. Over time, and due to the lax procurement processes in the past, the integrity of the data in the CMS was poor. PTV's current chief procurement officer, who started at PTV in June 2016, advised us that when they started the CMS reflected approximately 3 800 active contracts. They began a data cleansing exercise, which reduced the number of active contracts to between 600 and 700. Some expired contracts were incorrectly marked as active and still had funds attributed. The data cleansing project took a year to complete. It was not until March 2017 that access to the CMS was restricted and became centrally managed by the procurement branch.

Cultural reforms

Staff required to fill out conflict of interest declarations

PTV requires staff to sign a conflict of interest declaration upon commencement, however in some cases action plans resulting from identified conflicts have not been well managed.

Fraud and corruption awareness training

PTV committed to changing its workplace culture and encouraged staff to identify, report and act on integrity matters. In the two years following Operation Fitzroy, PTV ran an extensive training program on fraud and corruption risks, including specialised training for those involved in managing contracts and procurements, as well as members of the fraud and corruption response team (see Section 2.4).

Police checks for selected staff

Conducting police checks on new employees has been inconsistent at PTV, and there has been poor record keeping of checks that were completed (see Section 3.2).

Source: VAGO.

Back to top