Personnel Security: Due Diligence over Public Service Employees

Tabled: 21 May 2020

Audit overview

The Victorian public service (VPS) relies on employees, contractors and consultants who are appropriately qualified, competent and act in the public interest.

To achieve this, VPS agencies and departments must have effective personnel security measures, including employment screening. If properly implemented, these measures help to control fraud and corruption risks during recruitment and maintain the integrity of the VPS.

This audit examined personnel security and conflict of interest (COI) measures at all eight government departments and the Victorian Public Sector Commission (VPSC) and undertook detailed file reviews at three agencies—the Department of Health and Human Services (DHHS), the Department of Premier and Cabinet (DPC) and the Department of Treasury and Finance (DTF).

Our audit objective was to determine whether fraud and corruption controls regarding personnel security are well-designed and operating as intended at the audited agencies.

Conclusion

Government agencies have well-designed policies and procedures that operate to minimise the risk of recruiting unsuitable employees from outside the VPS, and from hiring a former VPS employee with an undisclosed history of misconduct. However, the same controls are not in place for contractors or consultants, nor are they operating effectively for candidates who are existing VPS employees.

There are also gaps in how agencies identify and reduce the risk of conflicts of interest during recruitment.

These weaknesses unnecessarily expose the VPS to fraud and corruption risks and increase the risk that unsuitable individuals may work in the VPS.

VPSC’s pre-employment screening policy is a positive first step towards a consistent, better practice approach to employment screening in the VPS. However, the policy does not cover all key employment screening activities and VPSC has not integrated its other guidance material to provide comprehensive instruction for agencies on employment screening.

Findings

Screening VPS employees

VPS-wide pre-employment screening policy

In December 2019, VPSC released its VPS Pre-employment Screening Policy, combining two previous versions. The policy sets a minimum standard for pre employment screening in the VPS.

The policy is a positive step towards achieving a consistent approach to employment screening that aligns with better practice. However, it primarily focuses on a candidate’s misconduct history, and does not cover all aspects of employment screening. VPSC publishes additional guidance on some aspects of employment screening, such as police and reference checks, but these do not provide a consolidated source of guidance for hiring agencies that is fully consistent with Australian Standard 4811—2006 Employment screening (the Standard).

We acknowledge VPSC’s ongoing work with agencies to review and improve the policy.

Police checks

National police checks identify a candidate’s criminal history, which in Victoria includes both findings of guilt and charges. Police checks provide critical information about a candidate’s suitability for work in the VPS.

All audited agencies have policies and processes that are adequate for completing criminal history checks for candidates new to the agency (external candidates), which includes confirming their identity.

However, no audited agency periodically rechecks the criminal history of existing employees to assess ongoing suitability for their role. Only the Department of Education and Training (DET) requires a mandatory police check for candidates who are existing employees (internal candidates) and the Department of Justice and Community Safety (DJCS) requires a mandatory police check for employees working directly with offenders. This means the ongoing suitability of VPS employees, who may have access to sensitive information or work in high-risk roles supporting vulnerable people, is not checked. This practice is not consistent with the Standard, which recommends a risk-based approach to employment screening for both external and internal candidates.

Compliance with police checks

We examined whether DHHS, DPC and DTF completed police checks of external candidates in 2017–18 and 2018–19. Figure A shows high levels of compliance across all three departments.

Figure A
Police check compliance rates, 1 July 2017 to 30 June 2019

Figure A Police check compliance rates, 1 July 2017 to 30 June 2019

Note: See Appendix B Data analysis methodology for details.

Source: VAGO.

Candidates with a criminal history

Agencies do not automatically exclude candidates with a criminal history. While we found some inconsistency in practices, all agencies had fair and thorough processes for assessing a candidate’s criminal history. Agencies provide the candidate with an opportunity to respond to the police check outcome, and appropriately assess the risk the past criminal conduct may pose to the agency and the services it provides.

We examined the assessment processes at DHHS, DPC and DTF and found the agencies hired 66 per cent (19 of 29) of the candidates with a criminal history. All three agencies have well-designed processes for assessing a candidate with a criminal history, although DHHS’s poor record keeping practices meant we could not verify if staff conducted thorough assessments in 35 per cent (6 of 17) of the files we reviewed.

Reference checks

Reference checking is a longstanding, fundamental requirement for all VPS recruitment. It confirms a candidate’s employment history and past performance and conduct.

All agencies have policies and procedures that require mandatory reference checks for external candidates. They provide clear instructions and templates for hiring managers to conduct reference checks.

However, not all agencies include specific questions about candidates’ past misconduct and performance concerns.

Agencies also are not consistently conducting reference checks for internal candidates:

  • DHHS and DJCS have policies and procedures that require two mandatory reference checks.
  • DTF and VPSC require one reference check.
  • Other agencies have limited or no documented guidance in relation to internal candidates.

These gaps mean that hiring managers may not have all the relevant information to assess a candidate’s suitability.

Compliance with reference checks for external candidates

We examined whether DHHS, DPC and DTF completed the two mandatory reference checks for external candidates in 2017–18 and 2018–19 and found that compliance varied across the three departments, as shown in Figure B.

Figure B
Completion of reference checks (external candidates), 1 July 2017 to 30 June 2019

Figure 2B Completion of reference checks (external candidates), 1 July 2017 to 30 June 2019

Note: Reference checks that were marked as complete in the selection report, but had no evidence attached were considered as incomplete.

Note: See Appendix B Data analysis methodology for details.

Source: VAGO.

The low compliance rates were likely caused by poor record keeping practices rather than the reference checks not being done. We found that:

  • DHHS's and DPC’s selection report templates instruct hiring managers to attach reference checks, but this is not being done consistently.
  • DPC instructs hiring managers to keep records of reference checks but does not specify how or where to keep them.
Screening misconduct history

Agencies need accurate information about a candidate's past conduct, including any involvement in misconduct, to make sure they recruit suitable candidates.

We used agencies' misconduct and payroll data to determine whether VPS staff with misconduct histories are being re-employed in the VPS. This involved:

  • identifying employees that had been terminated for misconduct or resigned during a misconduct investigation between 1 July 2015 and 30 June 2019
  • comparing this to payroll data to determine if they were re-employed in agencies between 1 July 2017 and 30 June 2019.

Only 4 per cent (9 of 205) of the VPS employees that were terminated for misconduct, or resigned during a misconduct investigation, were re-employed in the agencies. This indicates that controls are working to minimise the risk of employing candidates with potentially unsuitable misconduct histories.

COI policies and procedures

All agencies have COI policies that acknowledge recruitment as a high-risk activity. However, this had not led to effective recruitment policies and procedures that control the risk of COI.

All agencies, aside from the Department of Environment, Land, Water and Planning (DELWP), DJCS and VPSC, do not have thorough processes to ensure selection panels identify, declare and manage COI during short listing. Rather, they consider COI at the end of the recruitment phase, which is too late. We also found that the level of instruction and training for hiring managers on COI risks during recruitment varies, and in some instances does not exist.

During the audit, DPC and DHHS reviewed and improved their COI processes for recruitment. DPC now requires the selection panel chairperson to document that COI have been declared and managed throughout the recruitment process. DHHS improved its instructions to hiring managers emphasising the requirement to declare COI early in the recruitment process.

Screening contractors and consultants

Government agencies can engage contractors and consultants by using whole of Victorian Government (WoVG) purchasing agreements, or by using their own procurement processes.

Consultants are engaged primarily to provide expert analysis or advice.

Contractors provide works or services but are not directly employed by the agency.

WoVG purchasing agreements include state purchase contracts and supplier registers. They aim to provide common goods and services to departments at a lower price and standardise the way the government buys from suppliers.

We examined the following three WoVG agreements:

  • staffing services state purchase contract (SPC)
  • professional advisory services SPC
  • eServices register.

These agreements include broad obligations for suppliers to provide suitable staff, but no specific obligations to conduct basic screening. For example, all audited agencies conduct police checks for new employees, but there is no mandatory requirement for contractors or consultants who may be filling a similar role. Instead, government agencies must specifically request any screening for each contractor or consultant engagement.

This approach is not working. We examined a sample of 299 staffing services SPC engagements from 1 July 2017 to 30 June 2019 and found that 60 per cent did not have a police check. Our analysis showed that during this period, up to 3 430 contractors worked in the VPS without being checked for a criminal history.

We also found that the audited agencies do not fully understand their obligation to request screening for each contractor or consultant. The current guidance and templates, both for WoVG agreements and direct procurement processes, do not clearly instruct and prompt hiring managers to consider what screening is required for consultants and contractors.

Record keeping

We found that agencies’ record keeping policies and practices for employment screening are inconsistent and not always compliant with the Public Record Office Victoria (PROV) standards. Many agencies use a combination of the VPS online recruitment system and their own record management systems, spreadsheets and paper files.

This creates the risk that agencies cannot find an employment screening record that demonstrates a candidate’s suitability. If a recruitment decision is challenged, agencies would not be able to provide evidence to support their decision.

In particular, ineffective record keeping practices at DHHS, DPC and DTF meant that they could not locate copies of reference checks and therefore could not be sure that they were done.

This emphasises the importance of the proposed VPS-wide Human Capital Management (HCM) project, which aims to implement a single system for recording all information for recruitment processes across the VPS, including employment screening.

A consistent VPS human resources system

In January 2019, the Victorian Government launched the One VPS initiative, designed to make it easier for the VPS to work together. One VPS was responsible for the development of the HCM system, a shared human resources system for all eight government departments and Victoria Police. On Friday 1 May 2020, the government announced One VPS would cease, but the Enterprise Services Branch in DPC would continue to oversee the HCM project.

The HCM project team is in the design phase, with implementation planned to start in 2020–21, initially at the Department of Transport (DoT). Previously, One VPS and VPSC co-chaired the project steering committee and DPC intends to continue this arrangement, which is important to ensure the success of the HCM project.

There is considerable work for agencies and the project team to understand the HCM's potential risks and benefits. If it is successfully implemented as a single source of information on VPS employees’ work history, it has the potential to reduce ineffective record keeping practices and improve the effectiveness of employment screening in the VPS.

Recommendations

Our 13 recommendations fall under five key topics, with specific recommendations for VPSC, DPC and DTF, as well as recommendations that apply to all audited agencies.

We recommend that the Victorian Public Sector Commission:

1. Update, and consolidate into a single location, the Victorian public service pre employment screening policy and other guidance on employment screening, which aligns with Australian Standard 4811—2006 Employment screening.The policy and guidance material must provide clear instruction for agencies on risk based employment screening practices, which allow for variation in agencies’ workforce risk profiles. The policy and guidance should cover all aspects of employment screening, including but not limited to:

  • police checks
  • reference checks
  • eligibility to work checks
  • qualifications check
  • role-specific checks (see Section 2.4)

2. Update the Victorian public service pre-employment screening policy to provide clear guidance on employment screening requirements for candidates who are existing Victorian public service employees (see Section 2.4).

3. Review and update recruitment guidelines and toolkits to ensure that all recruitment guidance material incorporates employment screening and conflicts of interest (see Section 2.4).

4. Continue to work with the Human Capital Management project team to ensure that the system incorporates Victorian public service-wide employment screening practices (see Section 2.5).

We recommend that the Department of Treasury and Finance:

5. Include in the staffing services state purchase contract obligations for suppliers to:

  • conduct a police check for all contractors they engage in the Victorian public service. To avoid duplication of police checks, suppliers should be obliged to provide the date and outcome of the last police check for the contractor when responding to a request for quote
  • include in their quarterly reporting the date of police check and confirm their suitability for the engagement
  • comply with the Victorian public service pre-employment screening policy and any specific requests for screening (see Sections 3.3, 3.4 and 3.6)

6. Include in the professional advisory services state purchase contract a clear obligation for suppliers to ensure that the individuals they employ in Victorian public service engagements undergo appropriate, risk-based employment screening, consistent with Australian Standard 4811—2006 Employment screening (see Section 3.3).

7. Review and improve the user guides and templates for the staffing services agreement and professional advisory services agreement to:

  • ensure they clearly define the contractual obligations for suppliers and government agencies in relation to screening contractors or consultants
  • prompt hiring managers to document specific screening requirements based on the risk of the contractor/consultant role at the start of the procurement process
  • require suppliers to document the screening completed prior to the engagement starting (see Section 3.5).

We recommend that the Department of Premier and Cabinet:

8. Include in the eServices register head contract clear obligations for suppliers to:

  • ensure individuals they employ in Victorian public service engagements:
    • have a police check within the past 12 months (or as requested by the government agency)
    • have conducted any other relevant screening checks as requested by the government agency
  • submit information to the government agency on the dates and outcomes of the screening checks conducted prior to the engagement starting (see Section 3.3).

9. Review and improve the user guides and templates for the eServices register to:

  • ensure they clearly define the contractual obligations for suppliers and government agencies in relation to obtaining police checks or other relevant screening checks, for individuals delivering services in government agencies
  • prompt hiring managers/procurement leads to document specific screening requirements based on the risk profile of the engagement at the start of the procurement process
  • require suppliers to document the screening completed prior to the engagement starting (see Section 3.5).

We recommend that all audited agencies:

10. Update recruitment and employment screening policies and procedures to clearly state that candidates who are existing employees should be subject to risk based employment screening (see Section 2.2).

11. Update policies and procedures for directly engaging contractors and consultants outside whole of Victorian Government agreements to include:

  • clear instructions and prompts for hiring managers to consider the risks associated with the contractor/consultant role and what screening may be required
  • processes for hiring managers to ensure that they conduct any necessary screening (see Section 3.7).

12. Implement processes for identifying, declaring and managing conflicts of interest during recruitment. This should include:

  • that all selection panel members must identify, declare and manage any conflicts of interest and record this at the short listing phase of recruitment, prior to interview (see Section 2.7).

13. Review conflict of interest training for Victorian public service employees and include specific guidance on identifying, declaring and managing conflicts of interest during recruitment processes (see Section 2.7).

Responses to recommendations

We have consulted with VPSC, DTF, DPC, DHHS, DELWP, DJCS, the Department of Jobs, Precincts and Regions (DJPR), DET, and DoT and we considered their views when reaching our audit conclusions.

As required by the Audit Act 1994, we gave a draft copy of this report to those agencies and asked for their submissions or comments. All agencies responded to the proposed report, accepted all the audit recommendations, and provided a detailed action plan to address them. Appendix A includes these responses and plans.

Back to Top