Personnel Security: Due Diligence over Public Service Employees

Tabled: 21 May 2020

3 Screening contractors and consultants

Contractors and consultants contribute significantly to the VPS. They provide a broad range of services, both onsite and remotely. Like VPS employees, they can hold positions of trust and, where necessary, should be subject to the same screening as employees.

3.1 Conclusion

The audited agencies do not have processes to make sure that contractors and consultants undergo risk-based screening prior to working in the VPS. This creates a significant risk that agencies are engaging unsuitable contractors and consultants.

The WoVG agreements for engaging contractors and consultants do not clearly specify screening obligations for suppliers. Audited agencies do not understand their obligations to request screening from suppliers when engaging contractors and consultants. However, DTF and DPC are considering how to rectify these gaps and strengthen screening requirements as they renegotiate the WoVG agreements.

3.2 Engaging contractors and consultants

Government agencies can engage contractors and consultants directly through their own procurement processes or through WoVG agreements, including SPCs and supplier registers.

We assessed contracts, user guides and templates for three of the most commonly used WoVG agreements to determine if they include screening requirements for contractors. These are summarised in Figure 3A.

Figure 3A
WoVG agreements in audit scope

Central agreement


Supplier services

Overseen by

Approximate 2017–18 and 2018–19 spend


Contractors providing services from eight master vendors (suppliers)

Includes fixed-term, permanent and executive contractors

  • Administration
  • Information 
  • technology-related roles
  • Specialist roles


$784 million


Consultants providing professional advice and consultancy services from 199 suppliers

  • Commercial
  • Finance
  • Tax
  • Probity


$173 million

eServices register

Contractors providing a broad range of services from 1 376 suppliers

  • Information technology services
  • Software and equipment solutions
  • Maintenance


$235 million

Source: VAGO, based on information provided by DPC and DTF.

We also considered direct engagement of contractors and consultants outside the WoVG agreements.

3.3 Screening consultants and contractors

Contractual obligations

WoVG agreements are designed to streamline procurement processes and provide consistent engagement terms and conditions. 

The three WoVG agreements we looked at include general supplier obligations—such as providing suitably qualified contractors and consultants—and obligations to conduct any security requirements specified by the government agency. They do not include mandatory screening obligations for the supplier.

In all three WoVG agreements, the government agency undertaking the procurement must specifically request any screening required. The government agency must also pay for any screening, excluding police checks. 

Figure 3B summarises the screening obligations for suppliers in each WoVG agreement. 

Figure 3B 
Summary of screening obligations in the WoVG agreements 



eServices register

Complete any security checks specifically requested by government agency.

Provide staff that have appropriate qualifications and experience.

Comply with the VPS Code of Conduct and the Public Administration Act 2004.

Comply with any specific security requirements specified in the order or advised by government agency.

Ensure staff have the necessary expertise.

Ensure staff maintain the highest ethical standards.

Comply with security requirements specified by the government agency.

Provide staff that ‘possess and will use specific skills, qualifications and experience’.

Source: VAGO, based on  contract documents for SS SPC, PAS SPC and eServices register.

There are advantages and risks to the current approach, in which the supplier and government agency share responsibility for screening:



It should encourage risk-based screening.

Hiring managers should consider the risks and requirements of each position to determine what screening it needs. 

For example, roles with access to sensitive information or roles providing services to vulnerable people are considered to be higher risk and therefore may require more screening processes.

Government agencies may employ unsuitable consultants and contractors if they do not fully understand and implement their obligations. 

For example, hiring managers must be aware that they need to request police checks for each contractor they engage. It is not automatic.

This requires clear instructions and processes that include screening as a key step in the contractor or consultant engagement process.

We found that the government agencies do not consistently understand their obligations to specify screening checks when they are requesting quotes for a contractor, then check that it is done when they are evaluating the submissions. For example, DTF, DELWP and DoT reported during the audit that the SS SPC supplier automatically completes police checks for all contractors, without it being specifically requested. In practice, without a request, the supplier does not do this as it is not a requirement of the contract. This confusion creates the risk that no screening is completed.  

Review of WoVG agreements

DTF and DPC are reviewing the WoVG agreements. This is an opportunity to clarify suppliers’ obligations to conduct basic screening, that is consistent with the Standards, for all contractors and consultants.

VPSC and DTF have started to work together to ensure that, where relevant, the WoVG agreements align with the VPS pre-employment screening policy. This is a positive step towards reducing the risk of employing unsuitable contractors and consultants, and VPSC should ensure this work captures all relevant WoVG agreements, such as eServices.

Development of a VPS-wide contractor system

The HCM project team, described in Section 2.4, intends to design a HCM system that can interface with a VPS-wide contractor management system. It is important that the HCM project team works with VPSC and agencies to ensure that they design and implement a system that will capture all relevant contractor information, including any screening conducted. This could significantly reduce the risk of engaging unsuitable contractors and improve personnel security in the VPS.

3.4 Staffing services police checks

Statistical analysis found with 95 per cent confidence that in the two-year period we examined, between 34.1 per cent and 45.1 per cent of the 5 205 SS SPC contractors engaged in the audited agencies had a police check.

To determine how many SS SPC contractors have police checks, we reviewed a sample of contractors engaged by the audited agencies from 1 July 2017 to 30 June 2019. In that period, there were 5 205 SS SPC engagements across the audited agencies, of which we sampled 299 engagements. We also considered whether:

  • agencies requested police checks when they engaged a contractor
  • suppliers completed police checks when requested by the agency.

Figure 3C shows that only 39 per cent (118 of 299 contractors) of our sample had a police check completed by the supplier or hiring agency.

Figure 3C
Police checks for sample SS SPC contractors, 1 July 2017 to 30 June 2019 

Figure 3C Police checks for sample SS SPC contractors, 1 July 2017 to 30 June 2019

Note: Percentages have been rounded and may not match figures discussed in the text
Source: VAGO, based on data provided by DTF.

Statistical analysis of the data shows that during this period, up to 3 430 contractors worked in the VPS without being checked for a criminal history. These contractors may have accessed sensitive or financial information or provided services to vulnerable people. Without an assessment of their criminal history, there is the risk that a contractor may not be suitable for work in the VPS.

Requesting the police check

During the two-year period we examined, agencies did not request that the supplier complete a police check for 57 per cent of SS SPC engagements. This demonstrates that the agencies do not properly understand and comply with their obligations to request police checks for SS SPC engagements.

Our analysis also showed that where suppliers do complete the requested police check, in 14 per cent of these engagements it was completed over six months after the start date. This is consistent with our finding that the WoVG agreements do not clearly state obligations for suppliers to complete requested police checks prior to a contractor starting.

3.5 User guides and templates

DPC and DTF publish the user guides and templates that instruct government agencies on how to use the WoVG agreements.

The guides and templates we audited do not:

  • clearly and accurately explain the screening obligations for suppliers and government agencies
  • prompt government agencies to specifically consider and document screening requirements for each engagement.

This means that government agencies will not understand, or not fulfil, their obligations. This is evident in our finding in Figure 3C that a police check was requested by the government agency and completed by the supplier in only 35 per cent of SS SPC engagements.

Review of SS SPC user guide

In September 2018, DTF updated the SS SPC user guide. This was in response to IBAC’s report Corruption and misconduct risks associated with employment practices in the Victorian public sector, August 2018.

The user guide now includes more detailed information on the supplier and government agency’s obligations, including that:

Suppliers must ...

Hiring agencies must …

Conduct screening for candidates they put forward, to confirm their:

  • qualifications and work history
  • past work performance and history of discipline issues
  • any criminal or commercial history that may make them unsuitable.

Confirm and receive written notice from suppliers on screening conducted for each candidate.

It is positive to see this greater focus on screening and clearer supplier obligations. However, we found the following gaps:

  • The obligations in the user guide are not consistent with the actual contract provisions, which state the government agency must specify the screening requirements.
  • While the instructions are thorough, they are not simple enough for a new hiring manager to quickly understand and implement.
  • The Request for Quote and Purchase Order templates do not include a prompt for government agencies to consider screening requirements.

3.6 Monitoring contractor and consultant engagements

Personnel security relies on accurate records of who is coming and going from the workplace. Government agencies should have records of all individuals working in their organisation, including contractors and consultants. This is fundamental to protecting the integrity of the VPS. 

We examined:

  • audited agencies’ record keeping practices for contractors and consultants engaged in WoVG agreements
  • obligations on suppliers to keep records and report on the contractors and consultants they provide to government agencies.

The WoVG agreements do not oblige suppliers to keep records or report on the screening they conduct on their contractors or consultants. Nor do the audited agencies keep these records, excluding DHHS, which records completed police checks for contractors. This reduces the agencies’ ability to monitor the suitability of the contractors and consultants they engage. Figure 3D summarises our findings.

Figure 3D
Summary of monitoring arrangements for SPC engagements


PAS and eServices register

Supplier reporting obligations

  • Provide quarterly reports to DTF, which includes individual contractor details, costs and engagement length. Does not include any information about screening contractors. 
  • DTF consolidates and provides this information to all government agencies to monitor their use of the SS SPC. 
  • Keep accurate records and provide reports to the government agency, as specified in the contract.  
  • No specific obligation to keep records of individuals engaged or details of screening conducted.

Agencies' record keeping practices

  • Seven of the nine agencies do not keep records of individual contractors engaged.
  • DHHS and DET record SS SPC contractors on their payroll systems.
  • Only DHHS records completed police checks.
  • All agencies reported they keep records of contractors who require access to information systems, but this does not include screening information.
  • No agencies have systems or processes to record each individual engaged, or whether a police check or other screening has been done.  
  • Agencies often engage businesses, not individuals for services.
  • Information systems only record the business name (not names of individual consultants and contractors or any screening information). 

Risks and issues

  • Agencies do not know if contractors have been screened, or if suppliers are conducting screening when requested, increasing the risk of engaging unsuitable contractors. 
  • Engagements can include multiple individuals that change regularly. Keeping records of all the individuals, (including screening information) may create a significant administrative burden on government agencies. 
  • Agencies risk engaging unsuitable individual consultants or contractors due to lack of screening information on these individuals.

Note: DET requires specific reports from suppliers to supplement DTF’s reports. However, these do not include any contractor screening information.
Source: VAGO.

3.7 Direct engagement of contractors and consultants

Government agencies rely on their internal procurement processes when engaging contractors and consultants outside WoVG agreements.

We found inconsistent practices across the audited agencies for screening contractors and consultants. Often, the agencies are not properly considering the risk of the role of the consultant or contractor and what screening should be conducted. This means that agencies could engage unsuitable contractors and consultants who can potentially access sensitive information, finances or vulnerable people. 

Figure 3E summarises the audited agencies’ screening policies and procedures when engaging contractors outside WoVG agreements. This does not include consultants, as agencies keep records of the consultancy business rather than the individual engaged. 

Figure 3E
Agency policies and procedures for screening contractors outside of WoVG agreements











Screening policy applies to contractors



Policy requires police check for contractors




Guidelines require hiring managers to consider the risk of the role and screening required



Records kept of contractor's details and whether a police check was conducted




(a)Suitability for employment policy, only extends to contractors in schools.
(b) Employment screening policy does not include contractors in scope but states police checks can be requested.
(c) Police checks for contractors engaged for longer than six weeks.
(d) Police checks are optional for contractors.
(e) Procurement processes include prompts for screening SS SPC or other labour hire engagements, but not all contractors.
(f) Records kept of contractors but these do not include whether a police check was completed.
Source: VAGO, based on information supplied by agencies.

DET has recently strengthened their suite of contracts to require suppliers to notify DET of any fraud history and advise them if they are ex-employees of DET. However, these obligations do not specify the screening that is required, such as police checks.

3.8 Case study—DHHS contractor procurement

Since January 2019, DHHS manages all its contractor and consultant engagements—including via WoVG agreements—through its central procurement team. Prior to this, individual branches or divisions would engage contractors and consultants directly, without central oversight.

DHHS’s central management of contractor procurement helps to ensure consistent processes. A procurement officer oversees each engagement and guides the hiring manager to ensure they complete mandatory steps. 

DHHS processes include:

  • mandatory police checks for all SS SPC engagements and a requirement for the supplier to advise the hiring manager of the outcome
  • mandatory reference checks for SS SPC and eServices engagements
  • optional reference checks for PAS SPC engagements
  • mandatory misconduct history check for all ex-employees of DHHS.

We examined police checks completed for SS SPC across the audited agencies in Section 3.4. DHHS accounted for 36 of the 299 engagements in our sample. We found for the 36 DHHS engagements of SS SPC contractors:

Since 1 January 2019

1 July 2017 to 30 December 2018

100 per cent (9 of 9) had a police check

78 per cent (21 of 27) had a police check 

This suggests that the centralised management and oversight of engagements improved compliance with police checks. 

Back to Top