The community expects—and the law requires—that public sector employees act with integrity, accountability, impartiality, fairness, equity and consistency, and in the public interest.
Fraud and corruption can undermine trust in government, damage the reputation of the public sector, and waste public resources. Fraud is dishonest activity involving deception that causes actual or potential financial loss. Corruption is dishonest activity in which an employee acts against the interests of their employer and abuses their position to achieve personal gain or advantage for themselves or others.
The Independent Broad-based Anti-corruption Commission (IBAC) has exposed instances of corruption in the Victorian public sector. In response, the Secretaries of all Victorian government departments committed to improving integrity.
In this audit, we examined the Melbourne Metro Rail Authority (MMRA), Public Transport Victoria (PTV) and the now defunct Major Projects Victoria (MPV), as examples of an administrative office, a statutory authority, and a business unit of the Department of Economic Development, Jobs, Transport and Resources (DEDJTR). The nature of MPV, MMRA and PTV's operations, including high levels of procurement activity and close ties to the private sector—which can operate differently to the public sector—serve to elevate the risk of fraud and corruption.
We assessed whether their fraud and corruption controls were well designed and operating as intended. DEDJTR designed and operated some of these controls for the whole department, while MMRA and MPV implemented other controls at the administrative office or business unit level. We also assessed whether PTV took sufficient, appropriate and timely action to address issues identified by IBAC's Operation Fitzroy October 2014 (Operation Fitzroy).
At MPV, MMRA and PTV we focused on fraud and corruption detection, prevention and response activities, particularly for the high-risk areas of procurement and human resources. We also assessed the DEDJTR Integrity Services Unit's oversight role and coordination of some relevant integrity processes for MPV and MMRA. The period of review for this audit was January 2015 to April 2017, when MPV ceased operations.
While senior executives are endeavouring to build the right culture, more remains to be done to prioritise fraud and corruption control, and to ensure that the fraud and corruption controls in place operate as intended.
Unduly protracted delays to finalise and approve Fraud and Corruption Control Policies and Plans, areas of noncompliance with policies, and inadequate record keeping are undermining management's efforts. They also serve to lessen assurance that major fraud and corruption cannot occur, or will be detected.
PTV was subject to public hearings as part of IBAC's Operation Fitzroy and agreed to address the issues identified by that investigation. PTV made considerable progress in implementing many of these initiatives; however, in some cases implementation was slow, or did not occur, as PTV elected over time to take alternative action. Gaps remain in certain areas, meaning work is still required to further reduce the risk of fraud and corruption.
Fraud and corruption control framework
The Standing Directions of the Minister for Finance 2016 (Standing Directions) under the Financial Management Act 1994 require DEDJTR and PTV to take all reasonable steps to manage fraud and corruption risks. This includes developing a Fraud, Corruption and Other Losses management and prevention policy (Fraud, Corruption and Other Losses Policy) that details prevention, detection and response activities. The Australian Standard 8001—2008 Fraud and Corruption Control (Australian Standard) also recommends a Fraud and Corruption Control Plan be developed. An effective fraud and corruption control framework will also increase staff awareness and focus internal audits on vulnerable areas.
Fraud and Corruption Control Policies and Plans
A Fraud, Corruption and Other Losses Policy has been mandatory for agencies since 1 July 2017. DEDJTR only recently finalised its Fraud, Corruption and Other Losses Policy and Fraud and Corruption Control Plan. DEDJTR's policy and plan had been in draft form since October 2015, and while they were reviewed and revised during this time and reflect some controls already in place, they were only approved in late February 2018.
While DEDJTR's policy and plan were in draft form, MPV and MMRA developed their own plans, which they intended would also incorporate the requirements of a Fraud, Corruption and Other Losses Policy. MPV's plan also remained in draft form and was incomplete, as it did not include response procedures.
PTV developed a Fraud and Corruption Control Plan, which incorporated the requirements of a Fraud, Corruption and Other Losses Policy in accordance with the Standing Directions.
MPV, MMRA and PTV all conducted fraud and corruption risk assessments when developing their Fraud and Corruption Control Plans. However, in a small number of instances (three for MPV, one for MMRA and one for PTV) they identified a risk in their assessment but did not detail it or any associated controls in their Fraud and Corruption Control Plan. PTV was controlling for this risk in practice; however, including it in its plan would make the plan stronger by detailing how PTV is mitigating risks specific to its operating environment.
Staff training and awareness
IBAC has repeatedly highlighted the need to develop a culture of integrity and notes that public sector officers are 'best placed' to identify and report corruption.
MMRA and PTV provided integrity training to their staff, while MPV, as a business unit, received integrity training from the DEDJTR Integrity Services Unit.
From our work within MPV, we identified that DEDJTR more broadly was not taking sufficient steps to ensure that all of its staff know how to identify and respond to fraud and corruption.
For example, DEDJTR does not consistently maintain records of attendance at integrity training. There is no record to demonstrate, or readily check, that all staff in positions exposed to high risks of fraud and corruption have received integrity training.
While the DEDJTR Integrity Services Unit maintains records of completion of online integrity modules, these modules are mandatory only for new starters in DEDJTR.
MPV, MMRA and PTV all delivered training that provides a general awareness of fraud and corruption and how staff should respond to suspected incidents, as recommended by the Australian Standard. All made this training compulsory; however, only MMRA and PTV maintained records of attendance to track compliance with this requirement.
DEDJTR and PTV provide information to staff on the Protected Disclosure Act 2012 (which provides critical protections to individuals reporting improper conduct) during induction sessions and integrity training. They also have dedicated intranet pages, which guide staff about making a protected disclosure.
However, the effectiveness of this has been called into question by the results of the Victorian Public Sector Commission (VPSC) People Matter Survey. In 2017 only 27 per cent of DEDJTR staff who responded reported that DEDJTR had promoted the Protected Disclosure Act 2012. This compares with 29 per cent of DEDJTR respondents to the 2016 VPSC survey and 48 per cent of PTV respondents.
Under the Standing Directions, internal audit plans must include audits of business processes or units likely to be vulnerable to fraud, corruption and other losses.
MMRA and PTV's internal audit functions have provided appropriate coverage of fraud and corruption risks, with almost half of their audit activity in 2016–17 focusing on potentially vulnerable areas.
As a business unit within DEDJTR, MPV was subject to DEDJTR's internal audit program. We observed that the level of internal audit activity within MPV in 2016–17 was significantly lower than in MMRA and PTV. Following the government's decision to merge MPV and create a new statutory authority, DEDJTR advised us that it did not consider MPV a high-risk area warranting internal audit activity.
These management judgements and resource allocation decisions about MPV were made against a background of significant organisational change. In our opinion, this change would only have increased the risks inherent in a business unit that was continuing to manage large procurements, working closely with the private sector and maintaining processes that were separate to those of its department, DEDJTR.
Human resource practices providing fraud and corruption controls
Human resource practices that contribute to fraud and corruption controls include screening potential employees, and having processes to manage conflict of interest and offers of gifts, benefits and hospitality.
Such practices enhance transparency, facilitate external scrutiny and reinforce an integrity culture. As an administrative office and statutory authority respectively, MMRA and PTV have their own human resources functions. MPV, as a business unit, received this service through DEDJTR.
Employers conduct employment screening to identify potential integrity concerns, and associated fraud and corruption risks, when hiring or promoting staff.
MMRA, PTV and DEDJTR's Human Resource functions are not fully implementing employment screening policies and procedures. Our testing highlighted deficiencies, including the failure to complete and document police checks, reference checks and qualification checks—or to respond appropriately when checks highlight anomalies. The DEDJTR Integrity Services Unit initiated an audit into DEDJTR's employment screening practices, which confirmed our findings. The audit has been finalised and all the internal audit's recommendations have been accepted.
The Victorian Public Sector Code of Conduct and the declaration of private interests process require certain staff to self-declare criminal activity. Aside from these obligations there are currently no processes that identify existing staff who commit a criminal offence and do not self-declare. There are also no processes to identify existing staff who do not hold a required qualification.
Conflict of interest
Public officers have a conflict of interest if they have a private interest that could improperly influence, or be seen to influence, their decisions or actions in the performance of their public duties. Employees in certain positions must outline their private interests to agencies through an annual declaration of private interest process. In response, action plans must be developed and monitored to manage potential conflicts of interest.
We identified deficiencies in conflict of interest processes, specifically in the management of conflicts and potential conflicts. We identified instances where individuals had declared conflicts, but these conflicts were not actively managed, and action plans were not enforced.
PTV and DEDJTR, incorporating MPV and MMRA, maintain conflict of interest registers. In some instances data within these registers were poor, which could limit the ability of managers to monitor declared interests and enforce action plans.
MMRA, PTV and DEDJTR Human Resources functions were not consistently using declarations of conflicts of interest during recruitment processes to guard against hiring based on factors other than merit, as required by VPSC guidance endorsed by the Victorian Secretaries' Board (VSB). This left them open to risks of fraud and corruption when hiring.
Gifts, benefits and hospitality
VPSC requires agencies to develop policies governing how their staff should respond to offers of gifts, benefits and hospitality to ensure they remain impartial when making decisions. Public sector staff must not accept gifts, benefits and hospitality from current or potential suppliers. MPV, MMRA and PTV all maintained gifts, benefits and hospitality registers and DEDJTR maintained a central register, which incorporated MPV and MMRA.
Gifts, benefits and hospitality policies were in place; however, these policies were not always operating as intended, and therefore not providing the protections they should.
Of particular concern was the high proportion of gifts, benefits and hospitality accepted by MPV staff from their suppliers with the endorsement of MPV management. Of the total offers accepted by MPV staff, 74 (46 per cent) were from suppliers.
The DEDJTR Integrity Services Unit oversaw MPV's gifts, benefits and hospitality processes and did not provide any evidence of action to remedy this situation, despite knowing of these practices. DEDJTR has advised that it has strengthened its processes in relation to gifts, benefits and hospitality over the past few months.
Fraud and corruption control in procurement practices
Procurement is a high-risk activity for fraud and corruption requiring strong controls. Controls should include a well-designed procurement framework and processes to manage conflicts of interest in procurement activity. To prevent and detect fraud and corruption, there must be vetting of potential suppliers and monitoring of procurement data.
The strength of procurement frameworks for controlling fraud and corruption varied across MPV, MMRA and PTV.
MMRA has a procurement framework with strong controls for fraud and corruption. MPV's procurement controls had significant weaknesses such as poor conflict of interest processes during procurements and a lack of appropriate procurement monitoring. This was concerning given MPV's status at the time as the Victorian Government's specialist project delivery agency.
PTV has made progress in improving its procurement controls after Operation Fitzroy, but in some instances, these improvements occurred slowly or PTV implemented them inconsistently. In particular, PTV's procurements under $25 000 are not subject to conflict of interest controls, or central monitoring of spend. This lack of oversight means that PTV is more vulnerable to fraud and corruption for these lower value transactions.
At the time of the audit, MPV, MMRA and PTV had not developed or consistently implemented guidelines to vet suppliers. We acknowledge the varying levels of use of suppliers on the Construction Supplier Register (CSR) and State Purchase Contracts (SPC), where suppliers are subject to whole of government vetting checks. DEDJTR estimates that up to 95 per cent of MPV's procurement was done through the CSR or SPC.
MPV, MMRA and PTV's Fraud and Corruption Control Plans all listed activities that could make up a program to vet suppliers. However, MPV, MMRA and PTV had not implemented supplier vetting guidelines that outlined which checks they would conduct beyond simple Australian Business Number (ABN) checks. This gap means they were missing a basic opportunity to reduce fraud and corruption risks associated with procurements involving third parties.
Conflict of interest processes in procurement
MPV staff only completed a conflict of interest declaration for each project they worked on, which could span a number of years and include multiple procurement activities. This practice did not comply with DEDJTR's procurement policy or VPSC guidance, which requires a separate declaration specific to every procurement and vendor.
MMRA has strong documented conflict of interest controls, which apply to all officers involved in any procurement over $2 000.
We found instances of noncompliance with conflict of interest management plans at both MPV and MMRA, demonstrating that even when employees declared relationships, senior management did not effectively manage these conflicts.
For example, we found one instance where an executive endorsed the decision to award a $3.9 million contract to a supplier for whom they had previously worked and in which they held shares. The executive had previously declared this conflict but the management plan was not enforced.
There has been a clear improvement in compliance under PTV's new procurement framework. PTV has demonstrated full compliance with conflict of interest controls for procurements under their new framework since March 2017. PTV could only produce four of eight conflict of interest forms for procurements tested under their old framework.
Monitoring fraud and corruption indicators
Monitoring procurement activity helps detect fraud and corruption. A strong monitoring and reporting program can also deter potential perpetrators of fraud and corruption, as it increases the chance of detecting irregular and inappropriate activity.
MPV, MMRA and PTV all had weaknesses in their monitoring and reporting of fraud and corruption indicators associated with procurement.
They provided evidence that they monitored and reported to their executive on generic procurement trends to varying degrees. However, monitoring activities for fraud and corruption indicators were less consistent, with MPV and MMRA unable to provide any evidence of such monitoring.
DEDJTR is developing a data analytics program, which is currently being trialled by MMRA. When fully implemented, this program will significantly improve reporting capacity.
PTV had reported on fraud and corruption indicators in procurement, although poor data quality in the contract management system (CMS), and PTV's inability to retain skilled data analytics staff, resulted in unreliable data and inconsistent monitoring. PTV does not currently monitor procurements worth less than $25 000, placing such procurements at a higher risk of fraud and corruption.
Response to fraud and corruption
To maintain public trust, the public sector must respond actively to instances of suspected fraud and corruption. Keeping records, including action taken in response to incidents, is a mandatory legislative requirement under the Standing Directions.
Better practice outlined in the Australian Standard recommends that an entity maintain a fraud and corruption register. Legislated external reporting to integrity agencies such as IBAC and the Victorian Auditor-General's Office (VAGO) provides a level of external scrutiny and enables systemic analysis. The Australian Standard recommends establishing a response team to coordinate activities. After fraud and corruption has occurred, entities should take steps to recover public funds and property that have been lost.
Fraud and corruption registers and response teams
MMRA and PTV both maintain detailed registers that outline how they have considered each alleged fraud and corruption incident and the action taken in response. As a business unit, MPV was considered by DEDJTR's register.
The Integrity Services Unit at DEDJTR maintains a central register of integrity matters ranging from complaints to fraud and corruption allegations. However, the information is uncategorised, outdated and in some instances inaccurate, which limits this register's usefulness.
When reviewing the register, we were not able to consistently determine which entries related to fraud and corruption allegations, what action DEDJTR had taken and whether a financial loss had occurred.
MMRA and PTV have established response teams to coordinate response activities and recording, with appropriate senior representation. The DEDJTR Integrity Services Unit acts as the response team for DEDJTR as a whole and includes senior staff at the executive level.
Internal investigations need to be timely, transparent, clearly documented and able to withstand external scrutiny. Poor investigations can diminish stakeholder confidence in an organisation's ability to effectively manage and respond to incidents of fraud and corruption.
DEDJTR decided to outsource investigations into fraud and corruption as it recognised that investigations required specialised resources and expertise. A sample of the investigations conducted by external contractors showed appropriately conducted investigations, which resulted in detailed investigation reports with key findings and recommendations.
We found investigations conducted by MMRA and PTV to be timely, thorough, well documented and conducted by suitably qualified external contractors where appropriate. MMRA and PTV also demonstrated how they had learned from the investigations and strengthened their controls.
MPV identified no instances of fraud and corruption, and hence conducted no investigations in 2014–15, 2015–16 and 2016–17.
The Victorian government established IBAC in 2012 to identify, expose and investigate corruption. Under legislation, certain prescribed public sector body heads were required to notify IBAC of corrupt conduct, while others, including DEDJTR and PTV, had discretion to notify IBAC of such matters.
We identified one instance for PTV in 2013 and one instance for DEDJTR in 2016 where they did not report relevant matters to IBAC. At the time both had discretion over whether to report such matters.
Parliament strengthened the legislation in December 2016 to remove discretion and create a mandatory requirement for public sector agency heads to notify IBAC of suspected corruption. Parliament changed the legislation to ensure that all significant matters of corrupt conduct are brought to IBAC's attention.
Under the Standing Directions, agencies are now required to notify external parties, such as IBAC and VAGO, of incidents of significant or systemic fraud and corruption. DEDJTR has reported low levels of losses due to fraud and corruption under the Standing Directions. These low levels may be partly attributable to DEDJTR's treatment of missing assets. DEDJTR labels assets that cannot be located as 'disposed' in its accounts, without considering whether they were stolen. In response, DEDJTR has advised that it will ensure that policies and procedures for identifying and reporting lost assets include referring matters to the Integrity Services Unit to assess the possibility of fraud.
Recovery efforts following fraud and corruption
The Australian Standard recommends entities have a policy that considers recovering funds lost to fraud and corruption. Government entities should clearly document decisions on taking recovery action when public funds are lost to fraud and corruption, including decisions not to take action.
We identified examples where DEDJTR and PTV did not attempt to recover losses due to fraud and corruption, but did not document their decision-making process or rationale.
PTV did not document why it did not seek to recover significant funds lost due to fraud and corruption identified by Operation Fitzroy, estimated by IBAC to have involved $25 million of corrupted procurement, or a myki ticketing fraud in which PTV incurred losses of $4.8 million.
Following concerns identified by the former Department of State Development, Business and Innovation, DEDJTR found in 2015 that an organisation had obtained grant funding of more than $65 000 and was not able to demonstrate that it had provided the services for which the funding had been given. DEDJTR also found that the organisation had submitted documentation in support of the services, which was of questionable authenticity. DEDJTR also concluded that the organisation had demonstrated systemic noncompliance with a number of grant conditions. DEDJTR gave the organisation an opportunity to submit evidence of other services provided to acquit the funding already obtained, instead of seeking recovery.
In this matter, DEDJTR determined that it had not incurred any financial loss that required reporting under the Standing Directions. This position fails to account for DEDJTR's initial conclusion that it had paid more than $65 000 for services that could not be validated, and relies on the organisation's agreement to provide other services to the amount paid as detailed above. DEDJTR's handling of this matter failed to acknowledge the likelihood that fraud had occurred and consider fully the need to recover public funds.
There are complexities to potential recovery activity in some of the examples we considered. However, the failure to adequately document decision-making processes and rationales about public funds inhibits transparency.
PTV's response to Operation Fitzroy
Following IBAC's Operation Fitzroy, PTV committed to a broad range of reform initiatives, including:
- developing new policies and procedures
- appointing new specialist positions
- procuring new systems
- implementing an extensive program of fraud and corruption specific training.
PTV made significant progress in implementing its reform agenda to develop a Fraud and Corruption Control Plan, establish a response team and conduct an extensive fraud and corruption training program for staff. However, PTV implemented important procurement and financial control reforms slowly, with some still outstanding. Existing gaps in controls fail to reasonably minimise PTV's fraud and corruption risks.
We recommend that the Department of Economic Development, Jobs, Transport and Resources:
- fully implement its Fraud and Corruption Control Policy and Plan (see Section 2.3)
- identify all staff working in areas with the highest risk of fraud and corruption, and:
  - develop and implement a strategy to provide them with integrity training
  - track completion of the training to ensure appropriate coverage and awareness (see Sections 2.4 and 2.5)
- work collaboratively with its agencies to support them in meeting Victorian Public Sector Commission requirements for conflict of interest practices in recruitment panels (see Section 3.4)
- through its Integrity Services Unit, continue to scrutinise declarations of private interest and related management plans and work collaboratively with its agencies to ensure consistency and active management of declared conflicts (see Sections 3.3 and 3.4)
- through its Integrity Services Unit continue to scrutinise agency gifts, benefits and hospitality registers, and work collaboratively with agencies to proactively address noncompliance while working towards having a single register to improve oversight (see Section 3.5)
- develop and implement appropriate supplier vetting guidelines (see Section 4.3)
- work collaboratively with its agencies to develop appropriate fraud and corruption indicators and procurement reporting processes (see Section 4.5)
- formalise information sharing processes between its Integrity Services Unit and its agencies to facilitate appropriate feedback on integrity matters that are referred to agencies for action or information (see Section 5.4)
- ensure that it documents decision-making regarding efforts to recover losses due to fraud and corruption and collaboratively works with its agencies to support them to do the same (see Section 5.5)
- improve the reporting capacity of its Integrity Services Unit's integrity register to capture whether allegations are substantiated, losses are incurred and action taken, and ensure that the register captures all matters reported to it (see Section 5.2)
- finalise its review of the treatment of missing assets to ensure that there is consideration of whether losses are caused by fraud and corruption (see Section 5.4).
We recommend that Public Transport Victoria:
- finalise guidance for procurements of less than $25 000 (see Section 4.2)
- finalise and implement supplier vetting guidelines (see Section 4.3)
- improve scrutiny and reporting of procurements of less than $25 000 (see Section 4.5)
- perform regular and effective fraud and corruption lead indicator reporting with procurement data (see Section 4.5)
- document decision making regarding efforts to recover losses due to fraud and corruption (see Section 5.5)
- improve controls to detect and prevent over-expenditure on contracts, including processes to reconcile accounts payable and contract management system expenditure (see Appendix B).
Responses to recommendations
We have consulted with DEDJTR and PTV and we considered their views when reaching our audit conclusions. As required by section 16(3) of the Audit Act 1994, we gave a draft copy of this report to those agencies and asked for their submissions or comments. We also provided a copy of the report to the Department of Premier and Cabinet.
The following is a summary of those responses. The full responses are included in Appendix A.
DEDJTR noted it is deeply committed to developing and maintaining a strong integrity culture. DEDJTR accepted the recommendations, noting that the recommendations reflect activities already in progress and due for completion in 2018.
PTV noted its efforts since Operation Fitzroy to create an ethical culture that does not tolerate fraud and corruption. PTV advised that it will continue to endeavour to further improve its framework, processes and controls for managing fraud and corruption. PTV accepted the recommendations and stated it intends to address them all by September 2018.