Procurement is a high-risk activity for fraud and corruption. Strong controls are needed in procurement frameworks to reduce the likelihood of fraud and corruption occurring. Essential procurement controls include:
- mandatory approval stages in the procurement process to ensure procurements are initiated and approved by different officers
- consistent supplier vetting programs
- mandatory conflict of interest procedures
- monitoring and reporting of procurement activity for fraud and corruption indicators.
We assessed whether MPV, MMRA and PTV had effectively implemented these controls in their procurement practices.
The strength of procurement frameworks to control for fraud and corruption varies across MPV, MMRA and PTV. MMRA has developed a strong framework, but significant weaknesses in procurement controls for MPV undermine MPV's prior status as the Victorian Government's specialist agency for project delivery.
PTV made progress in improving its procurement controls after Operation Fitzroy; however, in some instances these improvements were slow to occur or inconsistently implemented. Outstanding gaps in PTV's controls for procurements under $25 000 leave PTV vulnerable to fraud and corruption for this type of transaction.
Where controls did exist, instances of poor record keeping meant MMRA and PTV could not always provide evidence of compliance with these controls.
Other weaknesses include a lack of consistent supplier vetting processes and monitoring of procurement data for specific fraud and corruption indicators. Given MPV, MMRA and PTV had high levels of interaction with the private sector, it is important that they improve their compliance with, and management of, conflict of interest policies that relate to procurement activities.
4.2 Procurement framework design
An effective procurement framework involves multiple elements to control fraud and corruption risks, including:
- clear and mandatory procurement guidelines, outlining high standards and probity considerations
- a well-trained and resourced procurement branch to centrally manage procurement activity
- secure record-keeping systems to facilitate transparent decision making and enforce accountability
- system-enforced financial delegations and separation of duties for appropriate approvals.
We assessed whether the frameworks covering MPV, MMRA and PTV procurements included these controls.
As a business unit, MPV fell under the DEDJTR procurement framework. Much of MPV's procurement activity was for construction works and related consulting. These procurements must comply with the Ministerial Directions made under the Project Development and Construction Management Act 1994. DEDJTR's procurement policy provides the expected level of guidance for procurement activity; however, the policy does not apply to construction-related procurements that fall under the Project Development and Construction Management Act 1994. MPV had a procurement policy that outlined key principles, but it was high level and did not outline clear and practical steps for how procurement should operate. MPV had not developed the practical procurement guidance we would expect given that DEDJTR's overarching procurement policy was not applicable.
MPV received procurement support services through the DEDJTR Central Procurement Division. However, this division sat externally to MPV and did not have access to MPV's procurement system or project files. This limited the ability of this division to oversee procurement activities effectively and ensure compliance. MPV did, however, engage probity advisors or auditors for all projects.
While MPV maintained system-enforced financial delegate approvals over procurements, it did not maintain a central CMS. Project directors kept all documents relating to a procurement in a locked down project file. This severely limited the ability of MPV or DEDJTR's Central Procurement Division to centrally track different procurement details—for example, actual spend against approved contract amounts, or conflicts declared by staff involved. This limited the availability of documents to be centrally overseen and externally scrutinised.
With a lack of procurement guidance, central oversight and systems for tracking and storing procurement information, MPV's procurement practices did not have the necessary controls to prevent and detect fraud and corruption. This is concerning given MPV was responsible for significant procurements and major projects on behalf of government. These control gaps remained despite repeated negative findings made in past VAGO audits directed towards DEDJTR and MPV regarding MPV's procurement practices.
MMRA has a strong procurement framework based on a 'lessons learned' approach that considers similar local and international projects.
MMRA has clear procurement guidance for all staff. Staff must register all MMRA procurements above the value of $2 000 with the procurement branch, which enters the details into a centrally maintained CMS. Only procurement branch staff can record data in the CMS. The procurement branch is well-resourced to centrally manage the level of procurement activity in MMRA. Having a low-value threshold gives MMRA's procurement branch a fuller view of procurement occurring in MMRA. Overall, MMRA has designed a procurement framework with strong controls.
PTV's procurement framework has undergone considerable change since the IBAC investigation. PTV has had three different chief procurement officers since 2014.
In response to Operation Fitzroy, PTV committed to seek voluntary accreditation by the Victorian Government Purchasing Board (VGPB) of a new procurement framework. Although PTV was quick to develop a new procurement policy following the investigation in 2014, this procurement policy did not achieve accreditation with the VGPB.
In June 2016, PTV appointed the current chief procurement officer who has made significant progress improving PTV's procurement processes, including the design of a new procurement framework within six months of commencing in the role.
The VGPB accredited this better practice procurement framework in March 2017, more than two years after IBAC identified significant weaknesses in this area.
PTV's new procurement procedures are easy to understand and are readily available on the PTV intranet. However, PTV's procurement policy and guidelines only apply to procurements of more than $25 000 that staff register with the procurement branch for central management and recording in its CMS.
IBAC has identified the practice of 'splitting contracts' to avoid the need for a certain number of quotes, or a tender process, as a warning sign for corruption. This highlights the importance of having fraud and corruption controls that consider lower-value procurements.
Local business divisions conduct procurements of less than $25 000 to the standard required by the financial delegate who approves the purchase order. The procurement branch does not oversee records of procurements of less than $25 000 or how they are run because they are not stored in the CMS and therefore are not subject to reporting. This control gap limits PTV's ability to fully address the procurement framework weaknesses identified by Operation Fitzroy. PTV has implemented an 'Authority to Pay' process which requires two staff members to authorise payments, including those under $25 000. This process has enhanced the control environment for lower level procurements.
4.3 Supplier vetting
To be consistent with the Australian Standard, entities must develop a process that enables effective vetting of suppliers. The process should include, but is not limited to:
- a search of the company register and ABN confirmation
- a director bankruptcy search
- a credit rating assessment
- a search of pending legal proceedings
- trade address and telephone listing verification
- a media search.
Vetting guidelines should detail roles and responsibilities for supplier vetting activities between legal, finance and procurement divisions. Guidelines should also outline how to assess the characteristics of a procurement or supplier to determine vetting activities.
When considering the application of a supplier vetting process, we acknowledge that varying levels of procurement by MPV, MMRA and PTV were conducted using the CSR and SPC. DEDJTR has estimated that up to 95 per cent of MPV's procurements used the CSR or SPC. The Department of Treasury and Finance conducts due diligence activities for these service providers.
We assessed whether MPV, MMRA and PTV had developed and implemented supplier vetting guidelines and, when necessary, were consistently conducting appropriate due diligence checks on vendors.
At the time of the audit, supplier vetting guidelines were either not developed or not consistently applied to MPV, MMRA and PTV procurements. The draft or final Fraud and Corruption Control Plans for MPV, MMRA and PTV all listed the types of activities from the Australian Standard that could make up a supplier vetting program. However, none had guidelines to outline which checks they would actually conduct, or had consistent vetting processes that went beyond simple ABN checks.
A lack of supplier vetting guidelines can result in ad hoc processes and various problems, including:
- lack of clarity about responsibility for performing supplier vetting
- no guidance on the vendor characteristics that would necessitate particular vetting activities, resulting in inconsistent practices
- ABN checks as the sole vetting activity, which may occur at invoice payment, after the vendor has already been engaged and services delivered
- poor records of vetting checks making it difficult to demonstrate the decision-making process behind a procurement if issues subsequently arise.
In response to our audit, MMRA implemented supplier vetting guidelines in November 2017.
PTV response to Operation Fitzroy
In response to Operation Fitzroy, PTV committed to increasing capacity to perform due diligence activities. PTV procured licenses for software to facilitate due diligence and supplier vetting activities. The PTV procurement policy states that the PTV legal, finance and procurement branches will validate a selection of suppliers using the search software. However, these branches lack a clear understanding of their roles and responsibilities for supplier vetting, which is resulting in inconsistent searching practices. PTV produced a guideline in 2015 but it was not consistently implemented. A 2017 internal audit confirmed this finding and the need for clear responsibilities.
We note that PTV pays to run each search, and vetting all new suppliers is not feasible. However, without a supplier vetting policy, there are no documented guidelines about how many suppliers should be subject to supplier vetting, and what supplier characteristics should trigger a search.
In response to our audit, PTV has acknowledged this gap and is in the process of developing new supplier vetting guidelines.
4.4 Conflict of interest processes in procurement
MPV, MMRA and PTV all have a high level of interaction with the private sector, and their workforces often move between roles in both the public and private sectors. Robust processes are essential to ensure MPV, MMRA and PTV can identify, document and actively manage relationships with the private sector.
VPSC conflict of interest guidance requires staff to complete a conflict of interest declaration before undertaking procurement activities, regardless of whether officers identify a conflict. These conflict of interest declarations are specific to the project at hand, and require staff to consider their relationships to specific entities and individuals involved in the procurement activity.
We assessed whether MPV, MMRA and PTV had conflict of interest processes consistent with VPSC guidance to control for conflicts of interest in procurement activities.
Conflict of interest policies and declarations
As a business unit, MPV was subject to DEDJTR's procurement and conflict of interest policies. However, MPV was not compliant with these policies and therefore had weak conflict of interest controls in procurement. MPV ran large projects with multiple procurement activities in each project. MPV staff only completed a conflict of interest declaration when they began a project, which could span a number of years. Declarations specific to particular procurements and vendors were not required. The declaration forms indicate that staff were required to notify the responsible director of any matter that may give rise to a conflict during their participation in the project; however, this process is not consistent with VPSC guidance, which requires a declaration for each procurement. These practices continued despite repeated criticisms of MPV's management of conflict of interest processes in previous VAGO audits. MPV's weak conflict of interest processes are concerning, given MPV's reliance on the private sector to deliver major projects on behalf of government.
MMRA demonstrates strong documented conflict of interest controls. Under MMRA's procurement policy, all staff who are engaged in a procurement over $2 000, from the procurement advisor to the financial delegate, must sign a conflict of interest declaration and re-confirm the declaration when procurement details change. However, shortfalls in MMRA's record keeping meant they could not provide signed conflict of interest declarations for two of nine procurements tested.
PTV requires all evaluation panel members for procurements above $25 000 to submit a conflict of interest declaration. Procurements tested at PTV that occurred under the new procurement framework introduced in March 2017 were all compliant with the conflict of interest requirements.
There has been a clear improvement in compliance under PTV's new procurement framework. Poor record keeping limited PTV's ability to demonstrate compliance under the old procurement framework. PTV could not produce conflict of interest declarations for four of the eight procurements made under the old framework that we tested.
PTV's conflict of interest controls for lower value procurements are weaker as conflict of interest declarations are not required for procurements under $25 000.
Ongoing management of declared conflicts
When staff appropriately declare conflicts, management must effectively address the conflicts for the control to be effective, including during procurement activities. Lack of management could lead to personal interests conflicting with procurement decisions, or the perception that this has occurred. The case studies in Figures 4A, 4B and 4C describe three instances where those responsible did not manage conflicts of interest in procurement activities.
Case study: Managing a declared private interest in procurement activity
An agency executive—C3—was a previous employee with a consulting firm and held $20 000 worth of shares in the company that owned the firm.
An action plan to manage C3's conflict required that C3 remain aware of the conflict and seek probity advice as to their appropriate level of involvement, if any, for any procurement or contract management discussions involving the firm or company.
C3 did not seek probity advice and signed off on a tender evaluation plan for a contract worth $3.9 million for which the firm was one of the tenderers. C3 was the project sponsor and the approver of the tender evaluation report. The evaluation panel assessed the firm as the preferred tenderer. C3—as project sponsor and the approver of the evaluation recommendation report—approved the panel's recommendation of the firm as the preferred tenderer and endorsed a recommendation for approval to proceed with the engagement.
After receiving a memo recommending the engagement, a senior executive officer in DEDJTR queried the appropriateness of C3 approving a recommendation to engage the firm, and initiated an independent review of the evaluation process and the outcome. The review concluded that it was an inadvertent oversight by C3 and recommended that the agency repeat parts of the procurement process involving C3. The review revalidated the firm as the preferred supplier, but concluded that the management of the conflict of interest had not been well handled and recommended a review of the agency's conflict of interest processes.
The senior executive in DEDJTR decided that the agency could not award the contract to the firm until C3 sold their shares so there was no possibility of financial gain, even indirectly, from the decision. C3 subsequently provided evidence that the shares had been sold.
Despite the conflict of interest process at the agency, the agency did not identify the inappropriate involvement of C3 in the procurement activity.
In response to this case study, the agency acknowledged that it could improve the process of overseeing declarations and arranged for external auditors to complete a review of conflict of interest management plans in early 2018.
Case study: Managing the perception of a conflict of interest due to a spouse's employment and shareholdings
An agency director—P1—was involved in multiple procurement activities involving a large consultancy company, which employed P1's spouse.
From 2014–16, the agency where P1 worked awarded contracts to the company worth in excess of $800 000.
P1 completed a number of conflict of interest declarations, consistently declaring that their spouse worked for the company.
Despite this conflict, P1 remained on evaluation panels involving the spouse's company. Probity advisors reviewed relevant conflict of interest declarations in March 2014 and July 2015, which detailed that the conflicts would 'be effectively managed by the following process(s)':
In June 2016, P1 approved the company receiving a variation to the contract. The variation was for nearly $70 000, which took the total value of the contract to more than $600 000. The contract terms had noted the potential for this variation, depending on the approach taken by the company.
A month later, in July 2016, when completing an annual declaration of private interests to DEDJTR, P1 declared that their spouse worked for the company and also held approximately $4 000 worth of shares in the company. Another director approved this declaration without an associated management plan.
The DEDJTR Integrity Services Unit did not identify the absence of a management plan nor take any further action to investigate the appropriateness of P1's involvement in procurement activities involving the company.
Case study: Inconsistent declarations of a conflict of interest and gifts, benefits and hospitality
In 2004, F1 left employment at Company D and in 2005 commenced at an audited agency, where they became a senior project director.
The agency engaged Company D on four occasions and F1 was involved in the procurement of Company D on each occasion.
A previous VAGO performance audit had reviewed one of the four procurements and concluded that F1's involvement created a perceived, if not an actual, conflict of interest. The audit also identified concerns that the tendering process had not been appropriately clear and competitive. At that time, agency staff were not required to complete conflict of interest declarations. F1 had not formally documented the conflict, but the agency was aware of F1's previous employment with Company D. The audit recommended that agency staff complete conflict of interest declarations.
During a subsequent tender process involving Company D and F1, in which Company D was not successful, F1 declared a personal relationship with a senior manager at Company D, stating that they played golf together. The same senior manager at Company D had been involved in the project subject to the earlier VAGO performance audit.
The agency engaged Company D a further two times, both projects involving F1. In the third engagement, F1 did not declare any conflicts with Company D. In the fourth engagement involving F1 and Company D, F1 again declared a personal relationship with a senior manager at Company D. Probity reports for all engagements do not refer to the declared conflict and show no consideration as to the appropriateness of F1 being involved in the projects.
Between December 2011 and September 2016, the agency's gift, benefits and hospitality register shows Company D made 65 offers to 15 different agency staff. Eight of these offers were to F1. According to the agency's register, F1 accepted five offers, declined two and the status of one is unclear. Accepted offers included F1 attending a cocktail function and receiving cufflinks as a gift.
4.5 Monitoring fraud and corruption indicators
Monitoring procurement activity can help detect fraud and corruption. A strong monitoring and reporting program can also serve to deter potential perpetrators of fraud and corruption because it increases the chance of detecting irregular and inappropriate activity. It is important to distinguish between two types of monitoring activity:
- generic monitoring and reporting on procurement expenditure and trends across the agency, such as contract values, expiry dates and complexity across different branches
- monitoring and reporting on specific fraud and corruption indicators, such as vendors engaged multiple times, potential purchase order splitting and procurements just under delegation thresholds.
We assessed whether generic monitoring of procurement activity, and monitoring and reporting on specific fraud and corruption indicators, were occurring for MPV, MMRA and PTV procurement activity.
Fraud and corruption monitoring
Monitoring procurement activity for fraud and corruption varied across MPV, MMRA and PTV. Although they could all provide evidence that they monitored and reported generic procurement trends to their executive, to varying degrees, their monitoring activities for fraud and corruption indicators were less consistent.
DEDJTR is developing its data analytics capacity, which will enhance its fraud and corruption monitoring, as detailed in Section 2.7.
MPV provided only limited evidence of generic monitoring and reporting of procurement activity. There was no evidence of reporting on specific fraud and corruption indicators. MPV's generic procurement monitoring was limited to listing the value of procurements and the number of times MPV had engaged a certain supplier, and reporting occurred on an ad hoc basis. MPV provided no evidence of analysis of these reports. This lack of regular basic reporting of procurement activity is inconsistent with MPV's role specialising in project management. MPV had no controls to identify potential instances of fraud and corruption in procurement activity data.
MMRA conducts generic procurement monitoring, but does not report on fraud and corruption indicators in procurement. MMRA produces a monthly dashboard report on procurement spend and contract expiry data. This data is useful for project management, but does not work as a control to identify potential fraud and corruption indicators.
The MMRA procurement branch does not centrally manage procurements that fall under the value of $2 000. MMRA has recognised that these procurements are at a higher risk of being subject to fraudulent activity and conducts internal audits of these lower-value procurements.
Following Operation Fitzroy, in 2015 PTV committed to undertake more sophisticated monitoring of procurement data to identify fraud and corruption indicators. PTV regularly reports on generic procurement activity and has attempted to report on procurement-related fraud and corruption indicators. Poor data quality in the CMS and PTV's inability to retain skilled staff in data analytics have resulted in inconsistent monitoring of fraud and corruption indicators in procurement. However, where reporting has occurred, PTV has considered relevant procurement-related fraud and corruption indicators, including monitoring contracts with expenditure exceeding approval, purchase orders raised below delegation thresholds and variations to contracts. No monitoring is currently conducted on procurements of less than $25 000, which is a gap in PTV's procurement framework.
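The indicators named in this section (potential purchase order splitting, purchase orders raised just below a delegation threshold, and contract expenditure exceeding approval) can be checked mechanically once purchase order data is held centrally. The following Python example is added here for illustration and is not code from the audit or from any audited agency; the record fields, the 5 per cent margin, the 14-day window and the sample orders are constructed assumptions, and only the $25 000 threshold comes from the report.

```python
from collections import defaultdict
from datetime import date, timedelta

THRESHOLD = 25_000                  # threshold quoted in the report
NEAR_MARGIN = 0.05                  # assumption: "just under" = within 5% below
SPLIT_WINDOW = timedelta(days=14)   # assumption: orders this close may be one purchase

# Constructed sample data (hypothetical vendors, approvers and contract ids).
ORDERS = [
    {"po": "PO-001", "vendor": "Vendor A", "approver": "u1", "date": date(2017, 3, 1), "amount": 12_000, "contract": None},
    {"po": "PO-002", "vendor": "Vendor A", "approver": "u1", "date": date(2017, 3, 6), "amount": 11_500, "contract": None},
    {"po": "PO-003", "vendor": "Vendor A", "approver": "u1", "date": date(2017, 3, 9), "amount": 9_000, "contract": None},
    {"po": "PO-004", "vendor": "Vendor B", "approver": "u2", "date": date(2017, 3, 10), "amount": 24_600, "contract": None},
    {"po": "PO-005", "vendor": "Vendor C", "approver": "u3", "date": date(2017, 4, 2), "amount": 60_000, "contract": "C-10"},
    {"po": "PO-006", "vendor": "Vendor C", "approver": "u3", "date": date(2017, 6, 15), "amount": 55_000, "contract": "C-10"},
    {"po": "PO-007", "vendor": "Vendor A", "approver": "u1", "date": date(2017, 8, 1), "amount": 8_000, "contract": None},
    {"po": "PO-008", "vendor": "Vendor D", "approver": "u2", "date": date(2017, 5, 1), "amount": 3_000, "contract": None},
    {"po": "PO-009", "vendor": "Vendor D", "approver": "u2", "date": date(2017, 5, 3), "amount": 4_000, "contract": None},
]
APPROVED = {"C-10": 100_000}        # constructed approved contract amounts


def near_threshold(orders, threshold=THRESHOLD, margin=NEAR_MARGIN):
    """Orders priced just below the threshold that would trigger central oversight."""
    floor = threshold * (1 - margin)
    return [o["po"] for o in orders if floor <= o["amount"] < threshold]


def possible_splits(orders, threshold=THRESHOLD, window=SPLIT_WINDOW):
    """Clusters of sub-threshold orders (same vendor and approver, close in time)
    whose combined value reaches the threshold."""
    groups = defaultdict(list)
    for o in orders:
        if o["amount"] < threshold:
            groups[(o["vendor"], o["approver"])].append(o)
    findings = []
    for (vendor, approver), items in groups.items():
        items.sort(key=lambda o: o["date"])
        i = 0
        while i < len(items):
            # Orders within `window` of the cluster's first order (contiguous, as sorted).
            cluster = [o for o in items[i:] if o["date"] - items[i]["date"] <= window]
            total = sum(o["amount"] for o in cluster)
            if len(cluster) >= 2 and total >= threshold:
                findings.append({"vendor": vendor, "approver": approver,
                                 "pos": [o["po"] for o in cluster], "total": total})
                i += len(cluster)   # do not report the same orders twice
            else:
                i += 1
    return findings


def overspend(orders, approved):
    """Contracts whose cumulative order value exceeds the approved amount."""
    spent = defaultdict(int)
    for o in orders:
        if o["contract"]:
            spent[o["contract"]] += o["amount"]
    return {c: s - approved[c] for c, s in spent.items()
            if c in approved and s > approved[c]}


if __name__ == "__main__":
    print("Just under threshold:", near_threshold(ORDERS))
    print("Possible splitting:  ", possible_splits(ORDERS))
    print("Over approved amount:", overspend(ORDERS, APPROVED))
```

A flagged record is a prompt for review against the procurement file, not a finding of wrongdoing; the margin and window should be tuned to the agency's own delegation levels.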