To maintain public trust and demonstrate that it takes fraud and corruption seriously, the public sector must respond proactively when it suspects or identifies fraud and corruption. Response activities include:
- maintaining a register to capture attempted and actual instances of fraud and corruption
- establishing a fraud and corruption response team to coordinate response activities
- conducting appropriate and thorough investigations into allegations of fraud and corruption
- attempting recovery of losses caused by fraud and corruption
- reporting instances of fraud and corruption and associated losses appropriately.
We assessed whether potential fraud and corruption incidents in MPV, MMRA and PTV were effectively responded to.
After its establishment in 2015, DEDJTR recognised concerns regarding previous responses to incidents of fraud and corruption and decided that it would outsource investigations. This approach recognised that specialised resources and expertise were required. There has been a significant improvement in the quality of its investigations of fraud and corruption allegations following this decision.
When we scrutinised the DEDJTR Integrity Services Unit register, we were not always able to determine how DEDJTR responded to reported integrity matters or if it incurred losses. Some entries in the register were incomplete and conflicted with the supporting documentation we reviewed. MMRA and PTV have maintained registers that clearly outline action taken and if losses occurred.
A range of external reporting requirements exist when fraud and corruption is suspected, including reporting suspected corruption to IBAC and reporting financial losses to the minister, portfolio department and VAGO under the Standing Directions. We identified matters that we consider should have been reported and were not. Failing to report limits systemic analysis, and ultimately the ability of the public sector to effectively respond to fraud and corruption.
We also identified examples where decision-making processes or rationales about recovering funds lost due to fraud and corruption were not evident or not appropriately documented.
5.2 Fraud and corruption register and response team
A fraud and corruption register allows attempted and successful instances of fraud and corruption to be tracked. Keeping records, including action taken in response to incidents, is a mandatory legislative requirement under the Standing Directions. The Australian Standard recommends that an entity capture in the register:
- the date and time of the report and the incident
- how the incident came to the attention of management
- the nature of the incident
- the value of any loss
- the action taken following discovery of the incident.
To manage this register and coordinate responses, the Australian Standard suggests entities should establish a fraud and corruption response team.
We assessed whether detailed fraud and corruption registers and response teams were in place to support responses to fraud and corruption incidents in MPV, MMRA and PTV. As a business unit within DEDJTR, MPV's response activities would have been undertaken by the DEDJTR Integrity Services Unit.
DEDJTR Integrity Services Unit
The Integrity Services Unit at DEDJTR maintains a central register of integrity matters ranging from complaints to fraud and corruption allegations. Uncategorised, outdated and, in some instances, inaccurate information limits this register's usefulness.
From reviewing the register, we were not able to consistently ascertain:
- entries that related to fraud and corruption allegations
- action that was taken and the status of these actions
- whether an allegation had been substantiated
- whether a financial loss had occurred.
The register contains 91 entries from September 2014 to June 2017. By assessing the information in each entry, we concluded that approximately 35 entries (38 per cent) included allegations of fraud and corruption. For 31 per cent of all the entries, there was not enough information for us to make an assessment.
The limited information in the register affected our ability to scrutinise the register and ascertain what action had been taken in response to allegations. In one instance, the status of a 2016 entry was 'potential fraud' for DEDJTR to investigate. However, in mandatory reporting of losses for 2015–16 under the Standing Directions, DEDJTR reported that the fraud was substantiated and that $1 865 of fraudulently acquired funds was recovered from the staff member when their employment was terminated.
The DEDJTR Integrity Services Unit established the register and associated integrity database in November 2016. Prior to this time, although a register existed in the form of a spreadsheet, individual DEDJTR officers kept information regarding integrity matters and investigations on their computers, rather than on a central database.
The DEDJTR Integrity Services Unit's record-keeping practices for fraud and corruption matters require improvement. While we note DEDJTR's position that it established the register as a management tool to track actions on matters which came to its attention, current practices limited our ability to conduct the same analysis that we had been able to undertake of MMRA's and PTV's registers. These practices also have the potential to limit DEDJTR's ability to understand fraud and corruption across the portfolio, given that much of the knowledge of past handling of matters has rested with individual officers and DEDJTR has not centrally collated this information.
During the course of the audit DEDJTR began to improve the data in its register and is now capturing additional information, including categorising the incident and noting any losses.
The DEDJTR Integrity Services Unit functions as a fraud and corruption response team. The team consists of senior staff including an executive director, director, assistant director and manager. The response team meets when required to consider various integrity-related matters, including protected disclosures and general complaints. DEDJTR records case notes on the matters discussed.
MPV's draft Fraud and Corruption Control Plan stated that MPV would maintain a fraud and corruption incident register and establish a response team. MPV was unable to provide us with any evidence of either; however, given it had reported no incidents, this is to be expected.
MMRA maintains a detailed register that outlines how it considered each fraud and corruption incident and the action taken in response. MMRA has established a fraud and corruption response team, led by the project systems and audit manager, and comprising three senior directors responsible for the Finance, Legal, and Governance and People branches within MMRA, along with a staff member from the DEDJTR Integrity Services Unit. MMRA's response team has met as required in response to alleged incidents and has maintained the register.
PTV maintains a register that details the nature of fraud and corruption allegations and how PTV has managed them. PTV also established a response team, which:
- has met on a quarterly basis and as required
- is guided by documented terms of reference
- can make recommendations to the chief executive officer
- must report incidents to the audit and risk committee and chief executive officer
- has kept minutes of its meetings and has maintained the register.
Thorough investigations must be conducted into apparent or suspected fraud, corruption or other losses as soon as possible.
Officers managing and conducting investigations should:
- have appropriate skills and experience
- be independent of the business unit in which the alleged fraudulent or corrupt conduct occurred.
IBAC has noted that if agencies handle internal investigations poorly, there can be serious consequences for individuals and the organisation. Internal investigations need to be timely, transparent, clearly documented and able to withstand external scrutiny.
We assessed a number of investigations conducted by MMRA, PTV and the DEDJTR Integrity Services Unit to determine if they reasonably responded to allegations. MPV reported no instances or investigations of fraud and corruption.
DEDJTR Integrity Services Unit
DEDJTR identified that the investigation of suspected activities or incidents required specialised resources and expertise. Currently the DEDJTR Integrity Services Unit outsources investigations. Our review of a sample of the investigations conducted by external contractors since mid-2016 found that:
- investigations were outsourced to experienced contractors
- investigation plans and procedures were referenced
- appropriate documentation and data were collected, secured and analysed, including email and telephone records
- interviews were conducted with evidence of procedural fairness
- detailed reports were provided regarding the investigation of the allegations with key findings and recommendations.
We examined an investigation and a review managed by the DEDJTR Integrity Services Unit prior to the decision to outsource and identified a number of concerns regarding its handling of these particular matters including:
- no evidence of planning or risk management
- excessive time taken to finalise these matters
- an approach taken by staff that could alert potential perpetrators of fraud and corruption, and that did not duly consider the seriousness of the allegations.
The case study in Figure 5A details a matter that IBAC referred to DEDJTR. IBAC was subsequently critical of DEDJTR's internal investigation, which resulted in a third party re-investigating the matter. This matter took over a year to finalise. This example supports DEDJTR's decision to outsource investigations and ensure appropriate expertise.
Case study: Referred investigation from IBAC
IBAC referred a matter to DEDJTR to investigate. DEDJTR initiated an investigation in 2015 and communicated the outcomes of its investigation to IBAC.
In November 2015, the IBAC Commissioner wrote to the Secretary of DEDJTR stating that IBAC did not accept that DEDJTR had conducted an appropriate investigation of the allegations and rejected the report and its findings.
In January 2016, DEDJTR engaged an external contractor to review DEDJTR's investigation. In its February 2016 report, the external review found significant failings in the approach, methodology and conclusions reached in the DEDJTR investigation. The review found that DEDJTR had followed an 'inappropriate and unclear investigatory process'. The review recommended DEDJTR undertake an appropriate investigation. The review also noted that DEDJTR must develop fraud and corruption response procedures.
DEDJTR then engaged an external contractor to conduct the investigation in April 2016. The contractor delivered the final report in October 2016, more than a year after the matter was referred by IBAC to DEDJTR. IBAC was satisfied with this investigation and noted its support of the recommendation for DEDJTR to implement fraud and corruption response procedures.
Source: VAGO based on DEDJTR information.
Only one matter has been subject to an investigation at MMRA.
In July 2017, an MMRA staff member found an unrecognised USB device in a computer. MMRA activated its fraud and corruption response team on the same day and sent an email to all MMRA staff alerting them to a potential breach in security and reminding them of key security measures.
MMRA engaged its probity advisor to conduct a review of the incident. The review included a forensic examination of the device and access logs. The review was unable to identify the source of the USB device. The review recommended MMRA conduct staff training.
The investigation was timely, thorough, well documented and conducted by an independent officer with the appropriate level of skill and experience.
PTV's fraud and corruption register details 23 incidents from 2013–17. Six of the matters listed on the register, including Operation Fitzroy, warranted formal investigations by external investigators. PTV dealt with the other 17 matters internally, which we assessed as appropriate, given the nature of these allegations. Internal and external investigations ultimately substantiated nine matters.
The following examples illustrate PTV's ability to effectively assess and respond to allegations of fraud and corruption, including the appropriate use of external expertise when required:
- PTV identified an incident where a staff member was allegedly misappropriating funds. PTV engaged a suitably qualified external investigation firm to complete initial enquiries. PTV also reported the matter to Victoria Police for prosecution and sought to recover the funds.
- In 2013–14, PTV incurred losses of $4.8 million due to a myki ticketing fraud. PTV engaged an external agency to investigate the fraud and reported the matter to Victoria Police. PTV took subsequent action to strengthen its controls.
- PTV received information alleging the sale of fraudulent myki tickets. PTV engaged an external investigator and the investigation concluded that adequate controls were in place and did not substantiate the allegation of fraud.
All investigations we assessed were timely, thorough and well documented. PTV demonstrated how it learnt from the investigations and strengthened controls.
Reporting obligations exist when suspected fraud and corruption is identified. These obligations ensure that government shares relevant information and that external parties can track incidents of fraud and corruption, and associated losses across the public sector.
Reporting activities include:
- notifying IBAC of suspected and actual instances of fraud and corruption that meet a defined threshold
- reporting financial losses due to fraud and corruption to the minister, portfolio department and VAGO under the Standing Directions
- appropriately referring allegations to relevant portfolio departments and facilitating information sharing when fraud and corruption occur to help the entire portfolio improve its control environment.
Parliament established IBAC in 2012 to identify, expose and investigate corruption. DEDJTR and PTV had discretion as to whether they notified IBAC of corrupt conduct until December 2016. At this time, government strengthened the legislation, and it became a mandatory requirement for public sector agency heads to notify IBAC of suspected corruption. The revised legislation ensures that all relevant matters are brought to IBAC's attention to consider whether an investigation is required.
We assessed whether reporting obligations were being met. We also assessed the role of the DEDJTR Integrity Services Unit in meeting certain reporting obligations and facilitating information sharing to strengthen controls.
IBAC must be notified of potential protected disclosures and, from December 2016, suspected corrupt conduct. Considerations in determining if a matter may be a protected disclosure include whether the conduct would constitute a criminal offence or reasonable grounds for dismissal. Failing to notify IBAC of relevant incidents diminishes its capacity to perform its role, conduct systemic analysis and expose corruption. IBAC has described the move to mandatory reporting as being of strategic importance as it reflects the government's view that building an integrity culture is mandatory, not discretionary.
We identified no instances of fraud and corruption in MPV and MMRA that should have been reported to IBAC.
PTV's register details instances where PTV terminated staff employment because of alleged criminal activity. We judged one of these instances as warranting reporting to IBAC—a staff member processed $60 000 worth of fictitious transactions for personal gain.
PTV did not report this incident to IBAC. While PTV had discretion at the time as to whether it reported matters of corrupt conduct to IBAC, not doing so limits IBAC's ability to conduct systemic analysis of corruption across the Victorian public sector.
We note that PTV did appropriately investigate and report the $60 000 theft to Victoria Police and a prosecution followed.
DEDJTR Integrity Services Unit
We identified one incident, which we assessed as potential fraud. DEDJTR holds a different view and chose not to notify IBAC. We acknowledge that mandatory reporting was not in place at the time, but IBAC had been established to receive reports and investigate corruption. The case study in Figure 5B outlines this incident and describes DEDJTR's review of a matter after questions arose about the authenticity of documentation used to obtain grant funding.
Case study: DEDJTR Integrity Services Unit review into allegations of grant fraud
The former Department of State Development, Business and Innovation (DSDBI) awarded an organisation a grant of over $450 000 to provide certain services.
DSDBI had identified that some records submitted by the organisation did not appear authentic. DSDBI engaged its internal auditors, who identified concerns including the questionable authenticity of documents and noncompliance with grant agreement requirements.
DSDBI staff met with the organisation and provided it with the results of the audit and a further opportunity to validate the grant funding. The organisation took almost a year to complete this work.
This matter and the staff conducting the review transferred to DEDJTR following machinery of government changes in January 2015.
DEDJTR concluded that it had paid over $65 000 for services that could not be validated. The organisation requested further time to provide evidence of services it had provided but not yet claimed to acquit the funding already provided and DEDJTR agreed.
An internal memo demonstrates that DEDJTR ultimately concluded that the organisation:
DEDJTR determined that it had not incurred any financial loss that required reporting under the Standing Directions. This position fails to account for DEDJTR's initial conclusion that it had paid over $65 000 for services that could not be validated. DEDJTR's absence of financial loss was only a result of its agreement with the organisation regarding subsequently validated services.
The review was finalised with a closure letter to the organisation. The letter noted its noncompliance with grant conditions and encouraged the organisation to address this in any future grant programs that it may participate in.
Because DEDJTR did not report the matter voluntarily to IBAC or Victoria Police, the matter was not subject to external scrutiny or formal investigation. DEDJTR's rationale for its handling of this matter, and its position that this case study does not indicate fraud, is unclear from the documentation provided.
DEDJTR did not report the loss under the Standing Directions, concluding it incurred no loss, as it acquitted the money from the unverified services against services not yet validated or claimed. DEDJTR was ultimately unable to confirm if the organisation provided all of the services for which DEDJTR paid.
Not reporting such matters externally prevents IBAC, and in some cases Victoria Police, from taking appropriate and consistent action. It also means that there is a lack of transparency and no external scrutiny over the handling of such matters. Mandatory reporting to IBAC, introduced in December 2016, aims to ensure that IBAC is notified of all relevant matters.
Reporting of losses under the Standing Directions
Section 3.5.3 of the Standing Directions requires agencies to notify the responsible minister, their audit committee, the portfolio department and VAGO of instances of significant or systemic fraud and corruption and other losses. MMRA and PTV have defined their minimum reporting thresholds of $5 000 in cash and $50 000 in property in their Fraud and Corruption Control Plans. DEDJTR's Fraud, Corruption and Other Losses Policy has also defined its minimum reporting threshold as $5 000 cash and $50 000 property, while MPV's draft Fraud and Corruption Control Plan referred to old thresholds under the previous Standing Directions.
Reports of losses made to VAGO under the Standing Directions for the 2015–16 financial year reveal that losses totalled more than $37.5 million across the public sector. These reports attribute about $19 million to fraud and corruption.
We assessed whether DEDJTR, including MPV and MMRA, and PTV appropriately reported losses under the Standing Directions and whether reports were consistent with losses identified in fraud and corruption registers.
DEDJTR, including MMRA and MPV
DEDJTR's expenditure for 2015–16 was approximately $6.8 billion and total assets were $4.6 billion. DEDJTR reported losses of $7 021 and $12 876 in 2014–15 and 2015–16 respectively, a low value given DEDJTR's size and asset holdings. The majority of these losses were low-value portable assets, such as mobile phones. Reports from MMRA and MPV to DEDJTR outline no losses over the two financial years, 2014–15 and 2015–16.
Although not fully explored in this audit, DEDJTR's low reporting may be partly attributable to its consideration of disposed assets, as the case study in Figure 5C outlines.
Case study: DEDJTR asset management
In February 2017, a DEDJTR internal audit into asset management identified missing assets with an original value of $105 000 and a written down value of approximately $12 000. The internal audit report found that DEDJTR did not have strong controls over the storage of its assets and found that poor physical security measures may result in the theft of DEDJTR's assets. DEDJTR committed to conducting an asset stocktake in March 2017 to address the audit's findings.
DEDJTR sent the asset stocktake to all business units and asked staff to provide an attestation that the information was true and correct. DEDJTR asked staff if they had sighted assets and if assets had been disposed of. During this process, 164 assets with an original cost of $3.5 million and a written down value of $447 000 were unable to be located.
DEDJTR treated the assets that could not be located as 'disposed' in the accounts, with no consideration of whether they were stolen.
Source: VAGO based on DEDJTR information.
This approach may result in DEDJTR not capturing and analysing potential losses due to fraud and corruption, and not reporting them under the Standing Directions for external consideration. In response to this finding, DEDJTR has advised that it will ensure that policies and procedures for identifying and reporting lost assets include referring matters to the Integrity Services Unit to assess the possibility of fraud.
PTV reported losses of about $4.9 million in 2014–15 and $158 944 in 2015–16 and these are consistent with losses identified in PTV's fraud and corruption register. PTV's losses included a myki ticketing fraud, along with thefts of myki vending machines and myki cards. PTV does not own the vending machines but reports these thefts as it owns the cash and myki cards contained inside.
PTV did not formally report the corruption identified by IBAC during Operation Fitzroy to the responsible minister, DEDJTR or VAGO, as required under the Standing Directions, despite IBAC finding $25 million of corrupted contracts. At the time, PTV could not quantify a loss, as it still received the required goods and services and the prosecutions against the alleged perpetrators were ongoing to establish the extent of the corruption.
While it was difficult for PTV to quantify the financial loss accurately, the intent of the Standing Directions is to report instances of systemic or significant fraud and corruption. We consider that under the Standing Directions PTV should have reported an incident of corruption that affected up to $25 million worth of contracts. Subsequent orders issued by the court required the perpetrators of this corruption to repay the state millions.
We note that the matter was in the public domain due to IBAC's public hearings and associated media reports, PTV was engaging with IBAC and the portfolio department, VAGO was aware of an investigation taking place, and there is no suggestion that PTV attempted to conceal the incident from external scrutiny. However, reporting under the Standing Directions is a legislative requirement that was not met in this instance and if incidents are not reported, it diminishes systemic analysis.
Information sharing across the portfolio
Effective information exchange between the DEDJTR Integrity Services Unit and its portfolio is crucial to the management of fraud and corruption. It ensures consistent reporting and the identification of trends and common control weaknesses and threats.
Reporting to the DEDJTR Integrity Services Unit
Under the Standing Directions, instances of systematic and significant fraud must be reported to the portfolio department. The DEDJTR Integrity Services Unit also required MPV and MMRA to report all integrity incidents to it, regardless of the Standing Directions threshold. This is not required of PTV as a statutory authority.
MPV reported no integrity matters to the DEDJTR Integrity Services Unit. In July 2016, MMRA was subject to two attempted external frauds. MMRA reported these incidents to the DEDJTR Integrity Services Unit on 22 July 2016.
From July 2016 to February 2017 MMRA was subject to a further four external fraud attempts to invoice MMRA for a total of $6 010. MMRA did not report these incidents to the DEDJTR Integrity Services Unit because it concluded that it had reported similar activity previously and did not consider a further notification warranted.
The DEDJTR Integrity Services Unit did not incorporate these reports from MMRA into its register because it determined that the attempts were 'spam'. Phishing attempts by their very nature are spam and can be an effective way of fraudulently acquiring funds from government (see examples in Section 2.3). Not including such reports in the register undermines the purpose of collecting information to understand the wider threat environment across the portfolio. However, this needs to be balanced with the volume of attempts that a department of DEDJTR's size receives, and therefore the DEDJTR Integrity Services Unit exercises judgment each time as to whether an attempt is added to its register.
Knowledge sharing to strengthen controls across the portfolio
In March 2016, DEDJTR was subject to an attempted phishing scam seeking payment of a fraudulent invoice for $400 000 as detailed in Figure 2A. Although the attack was unsuccessful, the Secretary wrote to VSB and the DEDJTR portfolio alerting them to the matter. In April 2017, DEDJTR was the victim of another phishing scam and made four payments totalling more than $294 000 to a bank account falsely represented as belonging to an existing supplier. DEDJTR did not circulate any advice about this incident. See Figure 2B for further information.
In January 2018, the DEDJTR Integrity Services Unit shared information regarding a false request to change vendor payment details. The request had been actioned in 2016, but no payment had been sought by the perpetrators of the scam. In error, in 2017, a payment was made to this false vendor account. DEDJTR circulated a copy of the correspondence, which requested the change in bank account details, and highlighted the need to:
- regularly review and deactivate vendor sites which had not been used for 12 months
- ensure there was independent verification before changing vendor bank details.
DEDJTR presented limited evidence that the Integrity Services Unit had shared lessons learned from matters recorded in its central register. These are the only two examples that DEDJTR provided.
5.5 Recovery efforts following fraud and corruption
The Australian Standard recommends entities have a policy for the recovery of funds lost to fraud and corruption. Government entities should clearly document decisions on taking recovery action when public funds are lost to fraud and corruption, including decisions not to take action.
We assessed whether the DEDJTR Integrity Services Unit and PTV are actively attempting to recover funds lost to fraud and corruption and are documenting decision-making processes and rationales regarding these recovery efforts. MMRA and MPV recorded no losses to fraud and corruption.
DEDJTR Integrity Services Unit
The DEDJTR Integrity Services Unit has not consistently recorded in its register the outcomes of allegations of fraud and corruption, or whether it has incurred any losses. This made it difficult for us to determine when there were losses for DEDJTR to recover.
By collating information from the DEDJTR Integrity Services Unit register and DEDJTR's reports under the Standing Directions, we confirmed two instances of financial loss due to fraud and corruption in DEDJTR:
- DEDJTR lost $294 000 to a falsely represented bank account in a phishing scam in April 2017. It recovered the majority of this amount, writing off approximately $4 600.
- DEDJTR lost $1 865 to false claims by an employee. It recovered the full amount.
Although DEDJTR has been successful in recovering funds from both incidents, the lack of information available in the DEDJTR Integrity Services Unit register has limited our ability to identify losses and analyse DEDJTR's decision-making with respect to recovery effort.
As mentioned in Figure 5B, we identified a matter where DEDJTR was unable to validate that more than $65 000 worth of services had been provided. DEDJTR allowed the organisation to acquit yet-to-be-claimed services against the funding already obtained despite noting that the organisation had been noncompliant with a number of grant conditions.
A limited number of incidents in PTV's fraud and corruption register have resulted in a financial loss. PTV estimates that eight incidents caused a financial loss and five of these were of a low value, including thefts of funds less than $60.
Of the remaining three incidents, PTV only attempted to recover losses from one, and was successful. A finance fraud was perpetrated by a staff member and PTV ultimately recovered the full amount of $60 000.
The further two losses relate to Operation Fitzroy and a high-value myki ticketing fraud.
IBAC's Operation Fitzroy estimated that $25 million of PTV contracts were corrupted. PTV considered these losses too difficult to quantify in order to pursue a claim. PTV stated that although the procurement process was corrupted, PTV did not believe it necessarily paid inflated prices.
From the documentation provided, PTV did not appear to consider recovering the losses associated with Operation Fitzroy until a third party contacted DEDJTR after seeing media reports about IBAC's investigation. PTV confirmed that it did not seek to recover any losses via civil claims or insurance.
Following the sentencing of the two former PTV employees responsible, the courts issued pecuniary penalty orders. Any monies recovered will go to consolidated revenue. Under agreement between PTV and IBAC, items of furniture improperly obtained, and seized during the investigation, will be subject to a police auction, with the proceeds also going to consolidated revenue.
In 2013–14, PTV incurred losses of $4.8 million due to a myki ticketing fraud. PTV advised that these losses would have been too hard to recover, given the nature of the fraud.
Both of these were complex cases where quantifying losses and recovery were difficult. The complexities to consider include active legal action and balancing the costs of recovery against the actual loss. While we acknowledge these complexities, it is still a problem that PTV did not document its decision-making process or rationale as to why it did not seek to recover significant public funds lost due to fraud and corruption. PTV was unable to demonstrate that it considered recovery until approached by an external party, and then did not adequately document its decision not to pursue recovery.
Challenges and complexities in recovering losses due to fraud and corruption highlight the importance of prevention and detection activity to minimise losses.