Research reports

Local government integrity frameworks review

27/03/2019

IBAC's Local government integrity frameworks review provides a snapshot of the integrity frameworks examined in a sample of six Victorian councils and highlights examples of good practices and possible areas for improvement.

A key objective of the review is to help all councils review and strengthen their own integrity frameworks, to improve their capacity to prevent corrupt conduct.

Related resources

HTML versions of documents

This is a summary of the Independent Broad-based Anti-Corruption Commission’s (IBAC) Local government integrity frameworks review.

This research report provides a snapshot of the integrity frameworks examined in a sample of six Victorian councils and highlights examples of good practices and possible areas for improvement. A key objective of the review is to help all councils review and strengthen their own integrity frameworks, to improve their capacity to prevent corrupt conduct.

The review builds on earlier work published by IBAC in 2015, which reviewed integrity frameworks in a different sample of councils.¹

Background

Corruption in local government can lead to increased costs and reduction in economic growth, diminished trust in councils and jeopardise the delivery of valuable programs and services.

Victorian councils provide a wide range of public services and maintain considerable public infrastructure. Collectively, they manage approximately $84 billion in public assets and spend around $7 billion on the provision of services annually.²

Given the resources and responsibilities entrusted to councils, it is important they develop, implement and maintain strong integrity frameworks, and continuously improve their capacity to identify and prevent corrupt conduct.

An integrity framework brings together the instruments, processes, structures and conditions required to foster integrity and prevent corruption in public organisations.³ Integrity frameworks include elements of risk management, management and commitment, deterrent and prevention measures, detection measures, and staff education and training.

Methodology

Six councils participated in this project, comprising a mix of metropolitan, regional and interface⁴ councils.

The review was undertaken in four phases including stakeholder consultations, an organisational integrity framework survey (which asked participating councils to describe their integrity frameworks), a review of council policies and procedures, and a council staff questionnaire.

A total of 648 responses were received to the questionnaire across the participating councils (a 26 per cent response rate). IBAC also met with participating council CEOs and senior officers to discuss the key findings of the review and to explore specific issues.

The review was limited to council employees, and did not include elected councillors.

Risk management

Risk management helps identify internal weaknesses that may facilitate corruption. However, appropriate controls can reduce the number and severity of instances of corrupt conduct.

All six councils had a risk management policy supported by either a risk management strategy, framework or plan. Their approaches reflected an understanding of the need for responsibility for risk management to be embedded across their organisations. For example, each of the six councils’ policies detailed risk management accountabilities at the executive, senior manager and employee levels.

Three councils had internal risk management committees (and separate audit committees); the other councils had combined audit and risk committees. Only one council’s risk management committee had explicit responsibility for corruption prevention strategies. However, four of the six councils advised they conduct specific risk assessments of potential corruption and fraud risks.

All six councils maintained a risk register detailing strategic and operational risks. Five councils provided information on fraud and corruption risks from their registers. Some councils included ‘fraud and corruption’ as a high-level risk only. Other councils referred to corruption risks relating to specific processes or activities (eg collusion in tender processes).

Good practice observed in this review included:

establishing a comprehensive risk management framework comprising policies and plans with clear accountabilities for managing risk, including a designated risk management officer
embedding risk management accountabilities in managers’ position descriptions
undertaking periodic assessments of corruption and fraud risks across council’s operations
establishing clear processes for reporting fraud and corruption risks, with regular reporting and senior management oversight of these risks and their controls.

Fraud and corruption control

All six councils had fraud and corruption control frameworks in place with clear accountabilities for the prevention of fraud and corruption at all levels of the organisation.

As part of their frameworks, four councils had fraud and corruption control plans in place or were in the process of developing a plan (compared with only one council in IBAC’s 2015 review). The current review also identified prevention, detection and response measures including processes for identifying fraud and corruption risks, usually through risk assessment processes, risk registers, controls and training.

Good practice observed in this review included:

establishing a comprehensive fraud and corruption control framework comprising policies, plans and clear accountabilities for fraud and corruption prevention which extends beyond financial fraud
nominating a senior officer who has overall responsibility for fraud and corruption control in the council who reports to the executive, and audit and risk committee
providing clear examples of fraud and corruption in relevant policies and procedures, to help employees identify and report suspected fraud and corruption
developing staff awareness of fraud and corruption risks through induction processes, regular training, and information and resources for employees.

Corruption risks

IBAC’s review examined the councils’ policies and procedures in relation to seven corruption risks – procurement, cash handling, conflicts of interest, gifts, benefits and hospitality, employment practices, misuse of assets and resources, and misuse of information.

IBAC also asked the six councils to rate each of these risks as a high, medium or low corruption risk. One council rated misuse of assets as a medium-to-high risk. The six other risks were rated by the councils as low or low-to-medium, primarily because the councils considered they had sufficient controls in place.

Council employees were also surveyed about their perceptions of the extent to which a range of functions or activities were a corruption risk. The functions and activities considered by respondents to be at highest risk of corruption (specifically, as a medium-to-high risk) were conflicts of interest, information management and procurement.

Risk area 1: Procurement

Corruption in public sector procurement has been identified as a recurring issue in IBAC investigations. Common vulnerabilities include the failure to manage conflicts of interest, lack of supervision and a failure to comply with procurement policies. It is important that councils are alert to the risks associated with procurement, and have solid procurement policies and procedures in place to mitigate this risk.

All six councils had sound procurement policies and procedures in place. Common controls in these documents included requiring members of tender panels to declare conflicts of interest; discouraging the acceptance of gifts, benefits and hospitality from suppliers; ensuring prospective suppliers have equal access to information; and segregating duties. Councils need to be vigilant that these controls are applied and are working effectively.

Councils can also do more to ensure suppliers better understand the standards expected of them, and of council employees. There is merit in councils outlining expectations of suppliers through a supplier code of conduct (noting that the Victorian Government has implemented a code of conduct for suppliers in state government). Such a code could outline requirements around integrity, ethics and reporting suspected corrupt conduct.

Good practice observed in this review included:

requiring tender panel members to complete conflict of interest and confidentiality declarations at key points in the procurement process (eg before opening tender submissions, and after tender evaluations but before recommendations are made)
requiring tender evaluation panels to have at least one independent member
providing clear guidance to prospective suppliers regarding their obligations in relation to conflicts of interest and gifts, benefits and hospitality
expressly prohibiting employees from soliciting gifts from suppliers and requiring employees to report all offers from suppliers.

COUNCIL STAFF QUESTIONNAIRE – SCENARIO

A council employee who manages the tender process tells a friend who runs a concreting business about an upcoming council tender and provides confidential council information so that their friend has an edge over other tenderers.

Ninety-three per cent of council staff correctly considered the conduct in this scenario to be corrupt conduct. Sixty-five per cent of council staff said they would report this conduct internally within their council.

Risk area 2: Cash handling

Cash was a method of payment at all six councils, however dedicated cash handling policies were only identified in four councils. Although the amount of cash handled by councils varied (and may be minimal as councils seek to minimise the associated risks), it is appropriate that written procedures clearly outline the processes and obligations on employees who handle cash, to avoid risks of theft.

Good practice observed in this review included:

requiring employees with cash handling responsibilities to undertake pre-employment screening checks as part of the selection process
establishing clear procedures which outline when employees can claim petty cash, reimbursement limits and approval processes
establishing a range of controls to mitigate risks associated with cash handling, including conducting regular and random audits of cash holdings.

Risk area 3: Conflicts of interest

Failure to properly identify, declare and manage conflicts of interest has been a common feature of IBAC investigations. When conflicts of interest are not properly identified and managed, they provide opportunities for corruption, placing a council’s finances and reputation at risk. Public sector agencies, including councils, need to be alert to the risks associated with failing to properly manage conflicts of interest.

Some of the six councils highlighted good practice around the identification and management of conflicts of interest in relation to their recruitment and procurement activities, but there are opportunities to strengthen policies and procedures.

Only one council had a tailored, stand-alone conflict of interest policy. The other councils relied on general guidance provided by Local Government Victoria or their own codes of conduct to communicate information on conflicts of interest. It was not always clear how employees should declare or manage conflicts of interest.

It is important that councils develop and communicate a clear policy that outlines what conflicts of interest are, and how employees should declare and manage conflicts. It is also good practice to centrally monitor and oversight conflicts of interest, for example, through a register.

Good practice observed in this review included:

highlighting the importance of declaring and managing conflicts of interest (including through the use of examples and checklists) in codes of conduct
providing clear guidance on how to manage conflicts of interest in high risk functions and activities, including procurement and recruitment
maintaining a central conflict of interest register
requiring contractors and council planners to identify, declare and manage conflicts of interest.

Risk area 4: Gifts, benefits and hospitality

The acceptance of gifts, benefits and hospitality can create perceptions that an employee’s integrity has been compromised. It is a particular risk in procurement as it can undermine both public and supplier confidence in the process.

Five councils had stand-alone policies or procedures providing guidance on gifts, benefits and hospitality. Gifts, benefits and hospitality were also addressed in codes of conduct and some councils covered this issue in their procurement policies, although the strength of the message (discouraging the acceptance of gifts, benefits and hospitality from suppliers) varied.

All six councils maintained gifts, benefits and hospitality registers, however there was little indication that the councils were regularly monitoring their registers to identify potential risks or vulnerabilities.

Good practice observed in this review included:

developing a policy that clearly outlines the council’s position on gifts, benefits and hospitality including employee obligations in relation to gifts, benefits and hospitality
ensuring policies on gifts, benefits and hospitality are broad in scope and apply to all employees and personnel acting on behalf of the council
requiring employees to declare gifts, benefits and hospitality regardless of whether they are accepted or declined and recording all offers, regardless of whether they are accepted or declined
requiring all offers from suppliers to be declared, regardless of their value, and recording this information on the gifts, benefits and hospitality register.

Risk area 5: Employment practices

IBAC has identified that employment practices are vulnerable to corruption, including recruitment compromised by conflicts of interest and inadequate employment screening. This can result in the ‘recycling’ of employees with problematic discipline and criminal histories.⁵

The six councils advised they mitigate risks associated with recruitment by conducting pre-employment screening checks on candidates, usually involving police checks, reference checks and verification of qualifications. Some councils had stronger pre-employment checks for positions considered ‘high risk’ (such as those in finance, information services, and planning and development). The councils also had controls in place to promote merit-based recruitment, including the use of independent panel members and conflict of interest declaration processes.

However, there appeared to be a lack of awareness of other potential risks associated with employment, such as the recycling of problematic employees. There is also scope for councils to strengthen controls and improve employee awareness of policies and processes around secondary employment.

Good practice observed in this review included:

conducting pre-employment screening checks, particularly for high-risk positions
requiring recruitment panel members to withdraw from a panel where a conflict of interest exists or is perceived to exist
clearly articulating that secondary employment can create a conflict of interest and therefore approval is required to undertake external employment
an advisory committee (with an independent chair) advising council on matters of CEO performance, contract extensions, remuneration matters and recruitment.

Risk area 6: Misuse of assets and resources

Assets and other resources of an organisation can present a corruption risk, through theft and misuse. Both high and low-value resources can present corruption risks, as highlighted by IBAC’s 2015 Review of council works depots.⁶

All six councils had policies and procedures around the appropriate use of various council assets and resources, including the use of motor vehicles, fuel cards and corporate credit cards, and minor assets. All six councils also communicated to their employees about appropriate use of resources in their codes of conduct.

The councils advised they have controls to mitigate risks associated with the misuse of assets and resources. For example, three councils maintained registers or systems for managing minor (low value) assets. This is good practice, however, there were some limitations including one council not allocating a unique identifier to all assets.

Councils varied in how strongly they communicated to employees that the misuse of council property is not appropriate. In an example of good practice, one council prohibited personal use of small plant and equipment, and communicated that message in tool box meetings, through memos and staff inductions.

Good practice observed in this review included:

clearly stating that fraudulent or unauthorised use of council assets and resources will be subject to the council’s disciplinary code and possibly criminal prosecution
maintaining registers or systems for managing low value assets including, for example, IT equipment, and small plant and equipment
undertaking regular and random audits of council assets and resources, eg checking motor vehicle log books and auditing fuel card usage
developing clear policies and controls around the disposal of surplus or scrap material and assets (regardless of value).

COUNCIL STAFF QUESTIONNAIRE – SCENARIO

A senior council employee is a member of the local football club. They arrange for the club to borrow council equipment without authorisation to maintain the clubhouse at no charge. This saves the club thousands of dollars each year.

Eighty-eight per cent of council staff correctly considered the conduct in this scenario to be corrupt conduct. Sixty-four per cent of council staff said they would report this conduct internally within their council.

Risk area 7: Misuse of information

IBAC has identified unauthorised information access and disclosure as a risk across the Victorian public sector. This includes access and disclosure by employees with high levels of access to information such as system administrators or IT specialists. Unauthorised information access and disclosure are enablers of corrupt conduct and can be overlooked as corruption risks by agencies.

All six councils had policies and procedures relevant to the appropriate use of information and information systems. Some councils also had stand-alone information security policies. Each council’s code of conduct also provided guidance on the appropriate use of council information and information systems and/or the importance of privacy and confidentiality. However, only three councils included risks relating to information misuse on their risk registers.

Councils provided examples of controls to mitigate risks around information misuse, including user access controls (such as restricted access, user access reporting and password sharing controls) and network security and system control audits.

Good practice observed in this review included:

highlighting information misuse as a risk in fraud and corruption prevention policies and plans
developing a stand-alone information security policy which addresses confidentiality, integrity and unauthorised access to sensitive information
providing guidance on the appropriate use of council information and information systems and/or the importance of privacy and confidentiality in employee codes of conduct
requiring new employees and members of tender evaluation panels to sign information confidentiality agreements.

COUNCIL STAFF QUESTIONNAIRE – SCENARIO

A council employee helps their spouse set up a mailing list for their veterinary clinic by obtaining the addresses of registered pet owners from a council database.

Ninety per cent of council staff considered the conduct in this scenario to be corrupt conduct. Seventy-two per cent of council staff said they would report this conduct internally within their council.

Ethical culture and leadership

People in leadership positions set the ethical tone of an organisation and are key to building organisational integrity and corruption resistance. It is essential that they communicate expected standards of behaviour and values to staff, lead by example, appropriately supervise employees, and act on suspected misconduct or corrupt conduct. Managers should also actively encourage staff to report suspected corrupt conduct and reinforce that reprisals for making disclosures will not be tolerated.

Eighty-five per cent of respondents to the staff questionnaire ‘strongly agreed’ or ‘agreed’ that the culture at their council encourages people to act with honesty and integrity. Nearly two-thirds of respondents considered their council to be ‘moderately’ or ‘very effective’ at preventing corruption.

As required by the Local Government Act 1989, each council maintained a code of conduct which outlined the behaviours and standards expected of employees. The codes made reference to either corrupt conduct or fraud, and covered key risks, although there was generally a greater focus on fraud than corruption.

Figure 1 alt text: A donut chart showing 44% strongly agree, 41%agree, 8% neither agree or disagree, 4% disagree, 2%strongly disagree, and 1% don’t know or prefer not to say. n=648 — FIGURE 1: EXTENT TO WHICH COUNCIL STAFF ‘AGREE’ OR ‘DISAGREE’ THAT THE CULTURE AT THEIR COUNCIL ENCOURAGES PEOPLE TO ACT WITH HONESTY AND INTEGRITY

It is good practice to be explicit about corruption, misconduct and fraud by providing definitions and examples, to assist employees’ understanding. Most codes expressly stated that unlawful actions may lead to criminal charges and/or civil action. Four councils also required employees to sign a form acknowledging that they had read and understood the code. This is one way of promoting understanding of the required standards of conduct.

Four councils had a dedicated senior representative as a central point of contact for fraud and corruption prevention in their organisation. In three of these councils, the senior officer was a member of the executive management team and attended audit committee meetings. Senior management in some councils also have responsibility for protected disclosures and welfare management.

All six councils provided a range of education and training to staff including in relation to fraud and corruption awareness, risk management, procurement and protected disclosures. Two councils provided a tailored online e-learning module on fraud and corruption awareness. The training included examples of corrupt conduct and how to report suspected corruption or fraud.

Good practice observed in this review included:

including statements in employee codes of conduct from the CEO that emphasise the importance of understanding and complying with the code, and using it to guide ethical decision making
nominating senior officers to have overall responsibilities for risk management, fraud and corruption control and for protected disclosure and welfare management
maintaining a commitment to education and training, including regular training to employees on fraud and corruption awareness, risk management, procurement and protected disclosures.

It starts from the quality, ethics, character, principles and commitment of the CEO to drive positive culture change and to then ensure that the right staff are employed … the CEO is the one who sets the tone of the council as an organisation

- Council employee

Reporting

An integrity framework must include mechanisms to help councils to detect instances of suspected corrupt conduct in a timely manner. It is therefore critical that employees know how to and are encouraged to report suspected corrupt conduct.

All six councils’ fraud and corruption control procedures outlined processes for employees to report suspected fraud and corruption, although these were largely focussed on internal channels (eg managers, CEOs and protected disclosure coordinators). And all of the councils had protected disclosure procedures in place, as required by the Protected Disclosure Act 2012 (PD Act).

While the current protected disclosure regime (established under the PD Act) has been in place for more than five years, less than half of respondents said they were aware of their council’s protected disclosure procedures, and only a quarter said they had received information or training on protected disclosures in the past 12 months.

Figure 2 alt text: A donut chart showing 73% responded yes, 5% no, 19% don’t know, and 2% prefer not to say. n=500 — FIGURE 2: WILLINGNESS TO REPORT OBSERVED OR SUSPECTED SERIOUS CORRUPT CONDUCT BY COUNCIL EMPLOYEES

To encourage reporting, councils need to do more to improve employees’ awareness of how to make protected disclosures and the protections available to them to encourage reporting. Councils should also ensure employees understand they can report directly to IBAC.

The requirement of the council CEO to mandatorily report suspected corrupt conduct to IBAC pursuant to section 57(1) of the Independent Broad-based Anti-corruption Commission Act 2011 should also be consistently outlined in appropriate policies.

Good practice observed in this review included:

audit and risk committees reviewing reports of suspected corrupt conduct as a standing agenda item
ensuring relevant policies and procedures outline both internal and external channels for reporting
appointing a welfare officer to support disclosers or a person who is the subject of the disclosure
operating a centralised reporting system which can only be accessed by authorised employees, to enhance confidentiality and minimise the risk of reprisals.

[There is] no hesitation about reporting what seems wrong; it is knowing the best channels and feeling confident about protection (and not adversely affecting career prospects) that is the issue. Staff can be ‘shown the door’ in apparently legit ways or under the guise of other issues.

- Council employee

Conclusion

Victoria’s councils have an important role to play in the provision of services at a local level. If there is corruption, it robs the community of much needed funds to support front line services. Corruption hurts us all.

Public sector agencies need to have strong integrity frameworks comprised of policies and procedures, processes, systems and controls, which promote integrity and help prevent and detect corrupt conduct.

IBAC’s review of integrity frameworks in local councils demonstrated that the six participating councils have sound integrity frameworks in place. However, following discussions with councils, IBAC identified that some good practice in policies had not translated into practice. All councils are encouraged to develop strong policies and procedures, and to ensure compliance.

Our review highlighted instances of good practice as well as opportunities for improvement. It is beneficial for all councils to consider how they can strengthen their integrity frameworks in suitable ways for their organisations.

In particular, councils are encouraged to develop and communicate a clear policy on conflicts of interest, proactively address misconduct and corruption risks associated with employment practices, and ensure suppliers understand the standards expected of them and council employees.

It is also critical to encourage employees to report instances of suspected corrupt conduct and proactively explain to employees how they can be protected, and that their reports will be taken seriously.

¹ IBAC 2015, A review of integrity frameworks in six Victorian councils, IBAC, Melbourne, <https://www.ibac.vic.gov.au/publications-and-resources/article/a-review-of-integrity-frameworks-in-six-victorian-councils>.

² Victorian Auditor-General’s Office (VAGO) 2018, Local Government and Economic Development, VAGO, Melbourne, p.21.

³ Based on the definition developed by the Organisation for Economic Co-operation and Development, Integrity Framework, <www.oecd.org/gov/44462729.pdf>.

⁴ Interface councils are councils surrounding metropolitan Melbourne.

⁵ IBAC 2018, Corruption and misconduct risks associated with employment practices in the Victoria public sector, IBAC, Melbourne, <https://www.ibac.vic.gov.au/publications-and-resources/article/corruption-and-misconduct-risks-associated-with-employment-practices-in-the-victorian-public-sector>.

⁶ IBAC 2015, Local government: Review of council works depots, IBAC, Melbourne, <https://www.ibac.vic.gov.au/publications-and-resources/article/local-government-review-of-council-works-depots>.

Acronym/Term	Explanation
CCC	Queensland Crime and Corruption Commission
FTE	Full-time equivalent
LG Act	Local Government Act 1989
LGI	Local Government Inspectorate
LGV	Local Government Victoria
RFQ	Request for quote
RFT	Request for tender
PD Act	Protected Disclosure Act 2012¹
VAGO	Victorian Auditor-General’s Office
VGPB	Victorian Government Purchasing Board
VO	Victorian Ombudsman

¹ During the period of this review, the legislation concerned with protecting people who make disclosures about improper conduct in Victorian councils was the Protected Disclosure Act 2012. A new ‘public interest disclosure’ (PID) scheme will replace the ‘protected disclosure’ scheme from 1 January 2020. There are no substantive changes to the obligations of councils. For the purposes of this report, we refer to protected disclosures.

This research report provides a snapshot of the integrity frameworks examined in a sample of six Victorian councils in 2017 and 2018 and highlights examples of good practices and possible areas for improvement. A key objective of the review is to help all councils review and strengthen their own integrity frameworks, to improve their capacity to prevent corrupt conduct.

The review builds on earlier work published by IBAC in 2015, which reviewed integrity frameworks in a different sample of councils.²

Corruption in local government can lead to increased costs and reduction in economic growth, diminished trust in councils and jeopardise the delivery of valuable programs and services.

IBAC reviewed integrity frameworks in six councils in Victoria in 2017 and 2018, and identified good practice and opportunities for improvement in relation to different elements of those frameworks. Although no single integrity framework is fit-for-purpose for all councils, this report seeks to highlight ways in which councils can examine their own integrity frameworks and strengthen policies and practices to improve their corruption resistance.

This review builds on earlier work published by IBAC in 2015⁴, which reviewed integrity frameworks in a different sample of councils.⁵ Both reviews involved consultations with the participating councils including through an organisational integrity framework survey, a council employee questionnaire and a review of relevant policies and procedures.

The following areas are covered in this report:

Perceptions of corruption explores council and employee perceptions of corruption, including the extent to which employees feel their councils encourage a culture of honesty and integrity.
Risk management examines the role of risk identification and assessment in corruption prevention, recognising that proactive analysis of potential corruption risks is integral to developing effective corruption prevention strategies.
Fraud and corruption control explores councils’ approaches to preventing, detecting and monitoring fraud and corruption.
Corruption risks considers councils’ responses to specific fraud and corruption risks, namely procurement, cash handling, conflicts of interest, gifts and benefits, employment practices, misuse of assets and resources, and misuse of information.
Ethical culture and leadership discusses governance and leadership in terms of organisational culture, codes of conduct, and education and training initiatives for employees to ensure there is a clear understanding of the importance of corruption prevention.
Detection and reporting considers mechanisms in place to help councils detect suspected corrupt conduct, including reporting processes for reporting suspected corrupt conduct and auditing practices.

This report highlights good practice and areas for improvement identified during the review that may be applied more broadly across the Victorian local government sector. IBAC thanks the six councils for their participation and assistance with this project. The councils were highly engaged in the review and welcomed the focus on good practice, and the opportunity to share and benefit from learnings across the sector.

‘It can be a challenge to uncover and implement best practice examples due to the reticence of councils to publicly share their experiences. The role of IBAC in assisting the sector to continuously improve the culture and practice of good governance and fraud control is crucial to overcoming this.’

Participating council

1.1 Key findings

The methodology for this review is based on the approach adopted in the earlier review conducted in 2015. The review was undertaken in four key phases: stakeholder consultation, an organisational integrity framework survey (which asked participating councils to describe their integrity frameworks), a review of council policies and procedures, and a council staff questionnaire. IBAC also met with participating council chief executive officers (CEO) and senior officers to discuss the key findings of the review and to explore specific issues.

The key findings of the review are based on the six councils that participated in the review and do not necessarily reflect the local government sector as a whole. In addition, the review was limited to council employees, and did not cover elected councillors.

Perceptions of corruption

Eighty-five per cent of respondents to the staff questionnaire across the six councils ‘agreed’ or ‘strongly agreed’ that the culture at their organisation encourages people to act with honesty and integrity. More than two-thirds of respondents (71 per cent) also considered their council to be at least ‘moderately’ effective at preventing corruption.

Twenty-four per cent of respondents believed corruption in the Victorian local government sector has reduced a lot over the past five years. And 18 per cent said that they believe corruption in their own council is ‘much lower’ than in other councils. However, around one-third of respondents (31 per cent) across the six councils said they believe ‘some’ or ‘a little’ corruption exists in their council.

Overall the findings suggest that although respondents consider the prevalence of corruption to have declined in the broader local government sector over the past five years, there is room for improvement given the level of corruption that is still perceived to exist.

Risk management frameworks

Risk management helps identify internal weaknesses that may facilitate corruption. Appropriate controls can reduce the number and severity of instances of corrupt conduct. All six councils reported having a risk management policy supported by either a risk management strategy, framework document or plan. Their approaches reflect an understanding of the need for responsibility for risk management to be embedded across their organisations. For example, each of the six councils’ policies detailed risk management accountabilities at the executive, senior manager and employee levels.

Three councils had internal risk management committees (and separate audit committees); the other councils had combined audit and risk committees. Only one council’s risk management committee had explicit responsibility for corruption prevention strategies, which may indicate corruption risks are not always on a council’s radar. However, four of the six councils said they conduct specific risk assessments of potential corruption and fraud risks.

All six councils advised they maintain a risk register detailing strategic and operational risks. Five councils provided information on fraud and corruption risks from their registers. Some councils included ‘fraud and corruption’, as a high-level risk only. Other councils referred to corruption risks relating to specific processes or activities (eg collusion in tender processes).

Fraud and corruption control

Councils need a robust framework to prevent, detect and respond to fraud and corruption to minimise the occurrence and impact of fraud and corruption. All six councils had fraud and corruption control frameworks in place including policies and plans, with clear accountabilities for the prevention of fraud and corruption at all levels of the organisation.

All six councils provided copies of their current fraud and corruption policies, one of which was in draft form (although some councils’ policies were due for review). Five councils highlighted their commitment to preventing both fraud and corruption in their policies, and provided examples of both.

Three councils provided fraud control plans, while a fourth council advised it was developing a plan. This indicates there is an understanding of the importance of fraud and corruption prevention in the local government sector.

There was also evidence of effective prevention, detection and response measures, including processes for identifying fraud and corruption risks, usually through their risk assessment processes, risk registers, controls and training.

Corruption risks

Procurement

Corruption in public sector procurement has been identified as a recurring issue in IBAC investigations. Common vulnerabilities include the failure to manage conflicts of interest, lack of supervision, and a failure to comply with procurement policies. It is important that councils are alert to the risks associated with procurement, and have solid procurement policies and procedures in place to mitigate this risk.

Although no council identified procurement as a high-risk activity in the context of corruption, all six councils had sound policy and procedures in place, outlining the processes for undertaking procurement of different monetary values, to help mitigate this risk. Common controls in these documents included: requiring members of tender panels to declare conflicts of interest, including independent members on tender evaluation panels; discouraging the acceptance of gifts, benefits and hospitality from suppliers; ensuring prospective suppliers have equal access to information; and segregating duties. Councils need to be vigilant that these controls are applied and are working effectively.

Councils can also do more to ensure suppliers better understand the standards expected of them, and of council employees. There is merit in councils outlining expectations of suppliers through a supplier code of conduct (noting that the Victorian Government has implemented a code of conduct for suppliers in state government).⁶ Such a code could outline requirements around integrity, ethics and reporting suspected corrupt conduct.

Cash handling

The improper handling of cash can constitute corrupt conduct, the most serious risks being misappropriation and theft. Cash was a method of payment at all six councils, however dedicated cash handling policies were only identified in four councils. Although the amount of cash handled by councils varies (and may be minimal as councils seek to minimise the associated risks), it is appropriate that written procedures clearly outline processes and obligations on employees who handle cash, to avoid the risk of theft.

Conflict of interest

Failure to properly identify, declare and manage conflicts of interest has been a common feature of IBAC investigations. When conflicts of interest are not properly identified, declared and managed, they provide opportunities for corruption, placing a council’s finances and reputation at risk. Public sector agencies, including councils, need to be alert to the risks associated with failing to properly manage conflicts of interest.

Some of the six councils highlighted good practice around the identification and management of conflicts of interest, in relation to their recruitment and procurement activities, but there are opportunities to strengthen policies and procedures.

It is important that councils develop and communicate a clear policy that outlines what conflicts of interest are, and how employees should declare and manage them. It is also good practice to centrally oversight conflicts of interest, for example, through a register which is monitored by a designated officer and/or the audit and risk management committee. Three of the councils maintained a register of declared conflicts of interest, which were subject to some oversight.

Gifts, benefits and hospitality

The acceptance of gifts, benefits and hospitality can create perceptions that an employee’s integrity has been compromised. The inappropriate provision of or request for gifts, benefits and hospitality has been a regular feature of IBAC’s investigations. It is a particular risk in procurement as it can undermine both public and supplier confidence in the process.

Good practice is to prohibit the acceptance of gifts, benefits or hospitality from those about whom the employee is likely to make business decisions, including current or prospective suppliers. The majority of the six councils had some policy or procedure stating that employees should avoid accepting gifts, benefits and hospitality from suppliers, and/or exercise discretion before accepting hospitality from suppliers.

Five councils also had stand-alone policies or procedures providing guidance on gifts, benefits and hospitality. Gifts, benefits and hospitality were also addressed in codes of conduct and some councils covered this issue in their procurement procedures, although the strength of the message (discouraging the acceptance of gifts, benefits and hospitality from suppliers) varied.

While councils are not legislatively required to develop a gifts, benefits and hospitality policy, it is good practice to ensure there are policies and procedures to clearly outline the council’s position on this issue, to encourage consistency and awareness across the organisation.

Councils’ processes for declaring gifts, benefits and hospitality were generally clear and appropriate. Three councils required employees to declare gifts, benefits and hospitality regardless of whether they are accepted and/or declined. Recording all offers of gifts, benefits and hospitality enables councils to monitor external approaches and possible attempts to inappropriately influence employees.

All six councils maintained gifts, benefits and hospitality registers. There was little evidence these registers were publicly available, although one council noted that its register is considered a public document and may be viewed at any time by appointment. There was also little indication that the councils were regularly monitoring their registers to identify potential risks or vulnerabilities.

Employment practices

The six councils advised they mitigate risks associated with recruitment by conducting pre-employment screening checks on candidates, usually involving police checks, reference checks, and verification of qualifications. Some councils had stronger pre-employment checks for positions considered higher risk (such as those in finance, information services, and planning and development). The councils also had controls in place to promote merit-based recruitment, including the use of independent panel members and conflict of interest declaration processes.

However, there appeared to be a lack of awareness of other potential risks associated with employment, such as the recycling of problematic employees. There is scope for councils to strengthen their controls, for example, by requiring shortlisted applicants to disclose any discipline and/or criminal matters in pre-screening employment processes. It is noted that in October 2018, the Victorian Public Sector Commission introduced a new pre-employment screening policy for preferred candidates for VPS executive positions. This policy requires candidates to declare relevant instances of misconduct.

There is also scope to improve awareness of council policies and processes in relation to secondary employment. Only around one-third of respondents to the staff questionnaire indicated they were aware of their council’s policy and processes in this area.

Misuse of assets and resources

Assets and other resources of an organisation can present a corruption risk, through theft and misuse. Both high and low value resources can present corruption risks, as highlighted by IBAC’s 2015 Review of council works depots.⁸ All six councils had policies and procedures around the appropriate use of various council assets and resources, including the use of motor vehicles, fuel cards and corporate credit cards, and minor assets.⁹ All six councils communicated to their employees via their codes of conduct about the appropriate use of assets and resources.

The councils also reported having controls to mitigate risks associated with the misuse of assets and resources. For example, three councils maintained registers or systems for managing minor (low value) assets. This is good practice; however, there were some limitations, including one council not allocating a unique identifier to all assets.

Misuse of information

Five councils identified misuse of information as a medium risk in the context of corruption; three councils identified misuse of information and information systems as a risk in their fraud and corruption procedures. However, IBAC identified that only three councils included risks related to information misuse on their risk registers.

Unauthorised information access and disclosure was discussed across a range of council policies and all councils addressed the risk of unauthorised information access and disclosure in relation to procurement.

Councils also provided examples of controls to mitigate risks around information misuse, including user access controls (such as restricted access, user access reporting and password sharing controls), and network security and system control audits.

Ethical culture and leadership

Organisational values and standards

As required by the Local Government Act 1989 (LG Act), each council maintained a code of conduct, which outlined the behaviours and standards expected of employees. A small number of codes included statements from the CEO highlighting the purpose of the code and emphasising the importance of understanding and complying with the code, and using it to guide ethical decision-making.

All six codes of conduct made reference to either corrupt conduct or fraud, and covered key risks, although there was generally a greater focus on fraud than corruption. It is good practice to be explicit about corruption, misconduct and fraud by providing definitions and examples, to assist employees’ understanding.

The potential implications of a breach of the code of conduct should also be stressed, noting that a breach of the code may constitute misconduct, which will be managed in accordance with the council’s disciplinary procedures and can result in dismissal. Most codes expressly stated that unlawful actions may lead to criminal charges and/or civil action.

Four councils required employees to sign a form acknowledging that they had read and understood the code. This is one way of promoting understanding of the required standards of conduct.

Education and training

All six councils provided a range of education and training to staff, including in relation to fraud and corruption awareness, risk management, procurement and protected disclosures.

Two councils provided a tailored e-learning module on fraud and corruption awareness. The training included examples of corrupt conduct and how to report suspected corruption or fraud.

There was also evidence of tailored risk management training that covers risk identification, risk assessment and analysis, treatment of risks, and internal controls to manage risks, although the training was usually targeted to managers.

All councils provided information on procurement-related training they gave to employees. One council, for example, provided details of its training, which included ‘war stories’ to highlight risks around failing to comply with processes. It is an effective training tool to highlight real-life examples of how procurement can be corrupted in councils and the consequences for those involved. Resources available on IBAC’s website could assist councils in this regard.

Reporting

An integrity framework must include mechanisms to help councils detect instances of suspected corrupt conduct in a timely manner. It is therefore critical that employees know how to report suspected corrupt conduct and are encouraged to do so. All six councils’ fraud and corruption control procedures outlined processes for employees to report suspected fraud and corruption, although these largely focused on internal channels (eg managers, directors, CEOs and protected disclosure coordinators). And all of the councils had protected disclosure procedures in place, as required by the Protected Disclosure Act 2012 (PD Act).¹⁰

Four councils also reiterated how employees can report misconduct or corruption in their codes of conduct. However, there was limited reference to employees’ ability to report suspected corrupt conduct to IBAC directly.

The review highlighted that despite high levels of willingness to report suspected corruption (73 per cent of respondents to the staff questionnaire said they were willing to report), concern about possible victimisation or other reprisals was still an issue. Almost 30 per cent of respondents were not confident they would be protected from victimisation. The most common reasons for not reporting included fear of reprisal and lack of confidence in senior management to address the issue. While the current protected disclosure regime (established under the PD Act) has been in place for more than five years, less than half of all respondents said they were aware of their council’s protected disclosure procedures and only a quarter said they had received information or training on protected disclosures in the past 12 months.

To encourage reporting, councils need to do more to improve employees’ awareness of how to make protected disclosures and the protections available to them. Councils should also ensure employees understand they can report directly to IBAC.

All councils appeared to understand their statutory obligation to report suspected corrupt conduct to IBAC. However, the review identified that the responsibility of the CEO to mandatorily report suspected corrupt conduct to IBAC is not consistently outlined in fraud and corruption control policies or plans (or other policies).

The requirement of the council CEO to mandatorily report suspected corrupt conduct to IBAC pursuant to section 57(1) of the Independent Broad-based Anti-corruption Commission Act 2011 (IBAC Act) should be outlined in appropriate policies.

Auditing

The majority of the six councils had strategic internal audit plans, which are reviewed and updated regularly. The audit plans covered a range of corruption-related issues including procurement and contract management, human resources issues, fuel and corporate cards, and IT controls. All internal audit reports were reviewed by each council’s audit committee to consider findings and ensure that key recommendations are acted on.

Only one council’s audit committee charter included specific reference to corruption prevention. A number of other audit committee charters included functions that may contribute to corruption prevention, such as considering the reports and audits of IBAC and the Victorian Auditor-General’s Office (VAGO), and maintaining an effective system of internal controls. A better practice would be to ensure audit committees have specific responsibility for corruption prevention.

1.2 Local government

There are 79 local governments across Victoria, comprised of 31 metropolitan and 48 rural councils. Collectively, they employ more than 43,000 employees.¹¹

Councils face a number of challenges. In 2018, VAGO reported that some Victorian councils, particularly non-metropolitan councils, have experienced a decline in economic growth over the past 10 years. Gross regional product¹² has not kept pace with population growth in 50 of the 79 councils.¹³ Changes to revenue streams have also made it harder for councils to fund their activities. For example, the introduction of rate capping in 2016/17 limited councils’ capacity to increase rates above the rate of inflation.¹⁴ Some councils, especially in rural municipalities, are experiencing financial pressures due to an expectation that they will assume an increasing range of responsibilities, and declining revenue growth.¹⁵

Despite these challenges, the community rightly expects that services will be delivered professionally and with integrity. Under the Local Government Act 1989 (LG Act), councils are required to ensure that resources are used efficiently and effectively, and services are provided in accordance with best value principles. Resources must also be managed in a responsible and accountable manner.¹⁶

1.3 Integrity frameworks

An integrity framework brings together the instruments, processes, structures and conditions required to foster integrity and prevent corruption in public organisations.¹⁷ Integrity frameworks are commonly understood to include elements of risk management, management and commitment, deterrent and prevention measures, detection measures, and staff education and training.

While administered under the LG Act, each council operates independently, has diverse demographics and faces different challenges and opportunities. In local government, councils need to consider a tailored approach to suit local needs. Often, one size does not fit all.

In 2015, IBAC published its review of integrity frameworks in a sample of six Victorian councils, examining systems and practices to detect and prevent corruption in the local government sector.¹⁸ The review identified examples of good practice to prevent and raise awareness of corruption in local government, including corruption controls and initiatives to foster a strong ethical culture.

Areas of improvement identified in that report included the need to maintain awareness of corruption risks, particularly through risk assessment processes. Other areas for improvement included possible refinement of management’s approach to leadership to ensure there is an appropriate balance between developing a values-based organisational culture and enforcing relevant controls. The review also found councils could do more to communicate that misconduct and corruption will not be tolerated, and to encourage reports of suspected corruption.

² IBAC 2015, A review of integrity frameworks in six Victorian councils, Melbourne, <www.ibac.vic.gov.au/publications-and-resources/article/a-review-of-integrity-frameworks-in-six-victorian-councils>.

³ Victorian Auditor-General’s Office 2018, Local Government and Economic Development. Melbourne, p.21.

⁴ For the purposes of this report, the earlier review is referred to as the 2015 review.

⁵ IBAC 2015, A review of integrity frameworks in six Victorian councils, Melbourne.

⁶ <www.procurement.vic.gov.au/Buyers/Supplier-Code-of-Conduct>.

⁷ IBAC 2018, Corruption and misconduct risks associated with employment practices in the Victoria public sector, Melbourne, <www.ibac.vic.gov.au/publications-and-resources/article/corruption-and-misconduct-risks-associated-with-employment-practices-in-the-victorian-public-sector>.

⁸ IBAC 2015, Local government: Review of council works depots, Melbourne, <www.ibac.vic.gov.au/publications-and-resources/article/local-government-review-of-council-works-depots>.

⁹ Low value or minor assets can include office furniture, IT equipment, mobile phones and scrap materials.

¹⁰ As previously noted, during the period of this review, the legislation concerned with protecting people who make disclosures about improper conduct in the Victorian public sector was the Protected Disclosure Act 2012. However, from 1 January 2020 a new ‘public interest disclosure’ scheme will replace protected disclosures.

¹¹ Victorian Auditor-General’s Office, Local Government and Economic Development, March 2018, p.21.

¹² Gross Regional Product (GRP) measures each local government area’s contribution to the state economy. Victorian Auditor-General’s Office, Local Government and Economic Development, March 2018, p.14.

¹³ Victorian Auditor-General’s Office, Local Government and Economic Development, March 2018, p.17.

¹⁴ Environment, Natural Resources and Regional Development Parliamentary Committee, Inquiry into the Sustainability and Operational Challenges of Victoria’s Rural and Regional Councils, Final Report, 2018, p.xiv.

¹⁵ Environment, Natural Resources and Regional Development Parliamentary Committee, Inquiry into the Sustainability and Operational Challenges of Victoria’s Rural and Regional Councils, Final Report, 2018, p.1.

¹⁶ Local Government Act 1989. s.3D(C).

¹⁷ Based on the definition developed by the Organisation for Economic Co-operation and Development, Integrity Framework, <www.oecd.org/gov/44462729.pdf>.

¹⁸ This review is referred to as the 2015 review. The majority of work relating to the 2015 review, including the organisational integrity framework survey, review of council policies and procedures, and staff questionnaire were conducted in 2014.

The methodology for this review is based on the approach adopted in 2015.

The review was undertaken in four key phases: stakeholder consultation, an organisational integrity framework survey, a review of council policies and procedures, and a council staff questionnaire. The review was limited to council employees and did not include elected councillors. The key findings of the review are based on the six councils that participated in the review and do not necessarily reflect the local government sector as a whole.

In March and April 2017, IBAC consulted with key stakeholders, namely the Local Government Inspectorate (LGI), Local Government Victoria (LGV), VAGO and Victorian Ombudsman (VO). This consultation helped to identify corruption risks affecting the local government sector and potential councils suitable for involvement in the project.

Six councils were nominated to participate in the project. This sample included a mix of metropolitan, regional and interface¹⁹ councils. As the focus of this review was on identifying good practice and areas for improvement which can be applied across the local government sector, the six participating councils have not been named in this report.

In May and June 2017, IBAC met with the CEO and other senior officers from each of the six nominated councils to discuss the review and seek their participation in the project. Once the selected councils agreed to participate, the project was conducted in key stages as summarised on the following pages.

2.1 Integrity framework survey

To examine the integrity frameworks in place at the selected councils, an organisational survey was developed based on the survey used in 2015.

The survey was refined following consultation with stakeholders including the LGI. Some modifications were made to incorporate mandatory reporting, and a greater emphasis on ascertaining the effectiveness of corruption prevention measures.

The survey requested participating councils to:
- describe their integrity frameworks in terms of risk management, governance, detection and prevention measures and education
- identify their corruption risks and explore prevention strategies employed to mitigate these risks.
Responses to the integrity framework survey were received by IBAC in July and August 2017. The responses included answers to specific questions as well as the provision of relevant policies, plans and procedures.

2.2 Council policy review

The second stage of the project involved a review of the relevant policies and procedures in place at each participating council. Councils provided policies requested by IBAC, as well as additional policies and documents they considered relevant to their integrity frameworks.

A policy review tool, informed by good practice research and guidelines including IBAC projects and investigations, and feedback from the LGI, was developed to identify elements of good practice in integrity frameworks. The tool covered key themes including risk management, fraud, procurement, conflicts of interest, gifts and benefits, and recruitment and employment. All relevant documents provided by each council were checked against this tool. This process helped to identify good practice within councils.

Around 160 policy documents were reviewed by IBAC. A further 40 documents were examined for additional evidence of good practice including audit reports, risk registers and training material.

2.3 Staff questionnaire

A questionnaire to explore employee awareness of policies and procedures, perceptions of corruption risks, and willingness to report suspected corrupt conduct was coordinated by IBAC across each of the six councils. The questionnaire was based on the instrument used in the 2015 IBAC review, which was modelled on the NSW Independent Commission Against Corruption’s survey of NSW public sector employees.²⁰

The online staff questionnaire was open for three weeks at each council during August and September 2017. Three of the six councils also distributed hard copy questionnaires to non-desk based staff including depot employees, care workers and staff employed at swimming pool and leisure centres.

A total of 648 responses to the staff questionnaire were received across the six councils. This is a 26 per cent response rate, based on the number of full-time equivalent (FTE) staff across the participating councils. This compares to 631 responses received in 2015, a response rate of 20 per cent based on the number of FTE in the sample of six councils. The key findings of the staff questionnaire are based on aggregate findings across the six councils.

2.4 Follow-up consultations

The final stage of the project involved meetings with senior officers of each participating council during February and March 2018. IBAC met with staff responsible for risk and compliance, human resources, governance and protected disclosures, as well as the CEOs at three councils. IBAC provided each council with an individual summary report outlining key findings, areas of good practice and opportunities for improvement.

Councils were given an opportunity to comment on the summary report. IBAC also asked follow-up questions, to assist in our understanding of their individual integrity frameworks.

Councils’ responses to the key findings were generally positive, with interest expressed in areas of good practice, as well as opportunities for improvement. For example, one council advised of its intention to assess the opportunities for improvement against the findings of relevant internal audit reports, to consider the findings at the council’s audit committee and to communicate the findings to relevant department managers.

¹⁹ Interface councils are councils surrounding metropolitan Melbourne.

²⁰ NSW Independent Commission Against Corruption, Unravelling Corruption: A Public Sector Perspective, Survey of NSW Public Sector Employees, 1994.

Employees’ perceptions of corruption in their own organisations and sector more broadly can help to identify areas of risk and to develop strategies to address those risks. IBAC’s staff questionnaire sought to examine perceptions of corruption amongst employees of the six participating councils. The results build on the outcomes of the survey conducted as part of the 2015 review, as well as 2017 IBAC research on perceptions of corruption across the local government sector.²¹

3.1 Organisational culture

The majority of respondents to the staff questionnaire across the six councils agreed that the culture at their council encourages people to act with honesty and integrity, with 85 per cent of respondents stating they either ‘agree’ or ‘strongly agree’ with this statement. In IBAC’s 2017 survey, 74 per cent of respondents agreed with the same statement.

Figure 1 alt text: A donut chart showing 8% responded extremely effective, 37% very effective, 26% moderately effective, 5% slightly effective, 4% not at all effective, 16% don’t know, and 4% not aware of any corruption prevention strategies. n=525 — FIGURE 1: EXTENT TO WHICH COUNCIL IS EFFECTIVE AT PREVENTING CORRUPTION

More than two-thirds of respondents across the six councils (71 per cent) considered their council to be at least ‘moderately’ effective at preventing corruption. Respondents indicated a number of reasons why they considered their council to be effective at preventing corruption, citing a strong organisational culture, sound policies, processes and procedures, and the provision of fraud and corruption awareness training as key strengths. One respondent stated:

I have worked at this council for seven years … [It] has an excellent culture and values that are practically applied. There are “no silos” in this organisation, staff work closely together for best community outcomes. Very difficult to hide improper practices, as the council uses a range of corporate practices in procurement, cash handling, project management framework to name a few that all staff are required to adhere to … [it] would become obvious if someone was acting outside the systems.

- Council employee

Another respondent commented:

We have strong policies and code of conduct that are communicated widely. We have a very constructive and positive culture undermined by three core principles. Our values are widely embedded into our culture and often referred to, as this assists people with their decision making and judgement.

- Council employee

In IBAC’s 2017 perceptions of corruption survey, just over half of all local government respondents agreed that their council has ‘strong corruption prevention policies in place’ (52 per cent). Similarly in the 2015 review, 58 per cent of respondents considered their council to be ‘extremely’ or ‘moderately’ effective at preventing corruption.

One respondent commented:

There is an increasing level of awareness [of corruption], the controls are improving all the time and there is a growing culture of not accepting corrupt or inappropriate behaviour.

- Council employee

3.2 Perceived prevalence of corruption

Although positive culture and high levels of confidence in corruption prevention strategies were recorded across councils, 31 per cent of respondents across the six councils believed that ‘some’ or ‘a little’ corruption exists within their own council. This compares to 41 per cent of respondents in 2015.

However, in this review almost one-quarter of respondents (24 per cent) perceived that the level of corruption in the Victorian local government sector had decreased by ‘a lot’ over the past five years. This compares to eight per cent of respondents in 2015. Eighteen per cent said they believed corruption in their own council was ‘much lower’ than in other councils. This compares to 16 per cent of respondents in 2015.

Overall, the findings suggest that although respondents consider the prevalence of corruption to have declined in the broader local government sector over the past five years, there is room for improvement given that, in the six participating councils, around one-third of respondents thought that some or a little corruption existed in their organisation.

3.3 Understanding what corruption is

A large majority of respondents across the six councils correctly perceived the scenarios posed in the staff questionnaire to represent corruption, suggesting they have a good understanding of what constitutes corrupt conduct.

The percentage of respondents across the six councils who identified the conduct in the scenarios as corrupt ranged from 88 per cent to 93 per cent. These results are fairly consistent with earlier research: in 2015, the range of responses for essentially the same scenarios was 72 to 94 per cent. And in the 2017 perceptions of corruption survey, 84 per cent of respondents stated they believed they understood what constituted corrupt behaviour.

The higher proportion of respondents who considered the conduct in scenario 3 (borrowing council equipment without authorisation) to be corrupt in this review (88 per cent) compared to 2015 (72 per cent) may reflect the modification of the question to state the equipment was borrowed ‘without authorisation’.

FIGURE 2: PERCENTAGE OF RESPONDENTS WHO IDENTIFIED THE SCENARIO AS CORRUPT CONDUCT

	Corrupt conduct
Scenario	2015	2018
1. Council tender A council employee who manages the tender process tells a friend who runs a concreting business about an upcoming council tender and provides confidential council information so that their friend has an edge over other tenderers.	94%	93%
2. Mailing list A council employee helps their spouse set up a mailing list for their veterinary clinic by obtaining the addresses of registered pet owners from a council database.	87%	90%
3. Council equipment A senior council employee is a member of the local football club. They arrange for the club to borrow council equipment without authorisation to maintain the clubhouse at no charge. This saves the club thousands of dollars each year.	72%	88%
4. Direction from a councillor A councillor approaches a council staff member and directly tries to influence an upcoming development application.	90%	91%

3.4 Corruption risks

Council employees across the six councils were also asked to consider the extent to which specific functions and activities (eg conflicts of interest, procurement, recruitment) were considered to be a potential corruption risk within their council, and to nominate other issues as possible emerging corruption risks for councils.

Respondents generally perceived each listed function or activity to be ‘low risk’. The functions and activities considered to be ‘medium to high risk’ included conflicts of interest (44 per cent), information management (42 per cent), procurement (41 per cent) and recruitment (38 per cent). This is consistent with the 2015 results, as highlighted in Figure 3 on page 20.

The findings are also consistent with IBAC’s 2017 perceptions of corruption research, which reported that local government employees considered conflict of interest, misuse of information or material, and hiring of friends and family as three of the areas of highest corruption risk.²²

While a lower proportion of respondents across the six councils considered conflicts of interest and information management to be a medium to high risk in this review compared to 2015, the proportion of respondents who perceived procurement as a medium to high corruption risk was stable.

A higher proportion of respondents considered council assets/resources and cash handling to be a medium to high risk in this review (38 per cent and 31 per cent respectively), compared to 2015 (22 per cent and 24 per cent respectively).

In terms of possible emerging corruption risks for councils, respondents across the six councils highlighted a range of risks predominately relating to inappropriate procurement, employment practices and conflicts of interest.

Figure 3 alt text: A bar chart showing 44% of respondents identified conflicts of interest as a medium/high corruption risk in 2018, compared to 59% in 2015. 42% identified information management as a medium/high corruption risk in 2018, compared to 50% in 2015. 41% identified procurement as a medium/high corruption risk in 2018, compared to 42% in 2015. 38% identified recruitment as a medium/high corruption risk in 2018, compared to 49% in 2015. 38% identified council assets and resources as a medium/high corruption risk in 2018, compared to 22% in 2015. 36% identified discretionary powers / authority as a medium/high corruption risk in 2018, compared to 33% in 2015. 33% identified employment as a medium/high corruption risk in 2018, compared to 32% in 2015. 31% identified cash handling and payment as a medium/high corruption risk in 2018, compared to 24% in 2015. 24% identified funding and grants as a medium/high corruption risk in 2018, compared to 31% in 2015. 19% identified delivering programs or services to the community as a medium/high corruption risk in 2018, a risk area not asked about in 2015. — FIGURE 3: EMPLOYEE PERCEPTIONS OF POTENTIAL CORRUPTION RISKS

Procurement, conflicts of interest, and recruitment and employment practices are perceived as key corruption risks from both an organisational and employee perspective.

In the organisational survey, the six councils were also asked to rate nine potential corruption risks as high, medium or low risk. Only one council rated two risks (unlawful or inappropriate conduct, and misuse of assets and resources) as medium to high. All other risks were rated as low or medium (or low-to-medium). Conflicts of interest and misuse of information and information systems were rated as a medium risk by five councils. Three councils rated procurement and employment issues as a medium risk. All other risks had a low or low-to-medium rating.

By comparison, in the 2015 review, one council rated conflicts of interest and improper funding and procurement arrangements as high risk, and a second council rated misuse of information, and cash and payment arrangements as high risk. All other risks were rated as medium or low. Comments made by councils in the survey indicated that they generally rated the risks as medium or low because they considered they had appropriate controls in place, effectively mitigating the residual risk.

3.5 Awareness of integrity agencies

In addition to perceptions of corruption, the staff questionnaire examined council employee awareness of IBAC and the LGI.

Almost three-quarters of respondents to the staff questionnaire across the six councils (72 per cent) indicated they were aware of IBAC. This is an improvement on the 2015 review, when 32 per cent of respondents said they had heard of IBAC. The majority of respondents (59 per cent) also stated they either ‘knew a little bit about’ or had a ‘good understanding’ of what IBAC does.

Forty-one per cent of respondents across the six councils indicated they had heard of the LGI and 28 per cent of respondents stated they either ‘knew a little bit about’ or had a ‘good understanding’ of the work of LGI. (This question was not included in the 2015 review of integrity frameworks.)

²¹ IBAC, Perceptions of corruption, Survey of Victorian local government employees, September 2017. Responses were received from 1019 local government employees. Employees from state government and Victoria Police were also surveyed, as were members of the Victorian community. The surveys were conducted in 2016.

²² IBAC, Perceptions of corruption, Survey of Victorian local government employees, September 2017, p.7.

RISK MANAGEMENT

GOOD PRACTICE OBSERVED IN THIS REVIEW INCLUDED:

Establishing a comprehensive risk management framework comprising policies and plans with clear accountabilities for risk management across the organisation.
Embedding risk management accountabilities into managers’ position descriptions.
Having a designated risk management officer who is responsible for developing and implementing the council’s risk management framework.
Undertaking periodic assessments of potential fraud and corruption risks across council’s operations.
Maintaining a risk register of strategic and operational risks, including fraud and corruption-related risks.
Establishing clear processes for reporting fraud and corruption risks, with regular reporting and senior management oversight of these risks and their controls.

OTHER GOOD PRACTICE SUGGESTIONS:

Establishing an internal risk management committee, in addition to audit committees, whose responsibilities explicitly include corruption risks and overseeing corruption prevention strategies.
Reviewing risk management frameworks on an annual basis to ensure the identified risks and corresponding treatments and controls remain current and effective.

Risk management is an essential element of a sound integrity framework. Risk management is the process of identifying, analysing and mitigating risks, which may prevent an organisation from achieving its objectives.²³

Risk management helps identify internal weaknesses that may facilitate corruption. Appropriate controls can reduce the number and severity of instances of corrupt conduct. A strong risk management approach also provides a framework for all employees to have clear responsibility for identifying risk factors, controls and treatments, and embeds corruption prevention within an organisation’s governance framework.²⁴

4.1 Legislation and guidelines

The Local Government (Planning and Reporting) Regulations 2014 (under the LG Act) requires councils to prepare an annual report containing information prescribed in a governance and management checklist covering the following:

risk policy and risk management framework outlining the council’s commitment and approach to minimising risks to operations
six-monthly reports of strategic risks to the council’s operations, their likelihood and consequences of occurring, and risk minimisation strategies.²⁵

There is limited specific guidance on how local government should undertake risk management; however, general guidance for the broader public sector can be found in the Victorian Government Risk Management Framework. While not mandatory for local government, it reflects the Australian and New Zealand Risk Management Standard and better practice approaches to risk management.

One key principle in the Australian Standard is that risk management should be part of, and not separate from, organisational processes:

‘Risk management is not a stand-alone activity that is separate from the main activities and processes of the organisation. Risk management is part of the responsibilities of management and an integral part of all organisational processes.’²⁶

A risk management plan should ensure that risk management is implemented and embedded in practices and processes. Organisations should also ensure there is clear accountability for managing risk, including ensuring the effectiveness of internal controls.²⁷

4.2 Risk management frameworks

The purpose of a risk management framework is to assist organisations to integrate risk management into significant activities and functions.²⁸ For the purposes of this review, a risk management framework comprises the policies, procedures, processes, resources and governance arrangements that contribute to effective risk management within each council.

Each council appeared to have comprehensive risk management frameworks, with policies, plans and clear accountabilities for risk management at all levels of the organisation. The following section compares risk management frameworks in place within the six councils.

4.2.1 Risk policies and plans

Good practice is for organisations to review their risk management framework on an annual basis to ensure it remains current, and that risk treatments and controls remain effective.

All six councils had a risk management policy supported by either a risk management strategy, framework document or plan. This was consistent with the findings of the 2015 review, where all six participating councils had risk management policies in place even though the requirement under the Local Government Regulations had not yet come into effect. This suggests that the importance of having formal risk management policies and processes in place is well established in councils.

All councils demonstrated a commitment to effectively managing risk across their operations and to developing a positive risk culture, by acknowledging their responsibility to effectively manage risks as part of business management processes.

One council, in its risk management policy, referred to: ‘creating a culture of accountability for risk management across the organisation, and incorporating risk management into operations, planning and decision making to build stakeholder confidence and trust’.

The organisation-wide accountability for risk management is reflected in each council’s risk management policies, which detail accountabilities for risk management at the executive, senior management and employee levels (including key staff such as team leaders and risk officers).

In most councils, the CEO is ultimately responsible for ensuring that risk is effectively managed. One council advised that risk management accountabilities are embedded into position descriptions and key performance indicators for managers, which is good practice.

Most councils also had a designated risk management officer who was responsible for the development and implementation of the risk management framework. For example, one council had a strategic risk advisor who was responsible for developing, facilitating and implementing the risk management framework. Key responsibilities included developing and providing risk training and awareness across the council, monitoring and reviewing the risk register (quarterly), including the effectiveness of controls, and regular reporting to the CEO and directors.

Three councils applied their risk management policies to contractors and volunteers, recognising the importance of applying the principles of risk management broadly within their organisations.

A large majority of respondents to the staff questionnaire (85 per cent) said they were aware of the council’s risk management policies. One council maintained a dedicated risk management page on its intranet, including links to all relevant documents such as reporting requirements. This suggests that risk management policies and processes are not only well established but also effectively communicated across the councils.

Each council reported that its risk management framework, policies and practices were generally reviewed at least once every three years, to assess the adequacy, compliance and effectiveness of risk management policies, procedures and controls. However, four councils had at least one risk management-related policy or document that was out of date, or overdue for review.

4.2.2 Risk management committees

Risk management committees have key responsibilities for monitoring the implementation and effectiveness of risk management frameworks, including the adequacy of actions taken to mitigate risks.

Three councils had internal risk management committees (and separate audit committees); the other councils had combined audit and risk committees. Two of these councils advised that their risk management committee also reports to their audit committee. One particular council, in the terms of reference for its risk management committee, cited the responsibility of the chair to provide a report to the audit committee on the operations and activities of the risk management committee for the preceding year.

Risk management committees generally included the CEO, directors and managers. One council advised that external subject matter experts were sometimes invited to participate in risk management committee meetings to provide advice and expertise as and when required.

The role and responsibilities of risk management committees were outlined in policies or terms of reference. Stand-alone risk management committees were broadly responsible for oversighting council’s risk management activities including monitoring, reviewing and reporting on the effectiveness of the risk management framework.

Only one council’s risk management committee had explicit responsibility for corruption prevention strategies. This may indicate that corruption risks are not always identified as impediments to achieving a council’s objectives. Considering specific corruption risks in the risk management process is good practice.

In this council, the risk management committee was responsible for, among other things, review of the fraud risk register, implementation of fraud and protected disclosure awareness training, as well as compliance with risk policies and the risk management framework. The committee also had responsibility for ensuring appropriate investigations were conducted when instances of corruption or fraud were reported; maintaining records to identify trends in corrupt or fraudulent activity, and ensuring appropriate liaison was undertaken with law enforcement and industry organisations to maintain a high level of awareness of potential corruption and fraud risk areas.

In another council, a principal element of its risk management framework was its internal risk management committee, comprised of the executive team and strategic risk management advisor, with the CEO as its chair. The primary purpose of the committee was to oversee the development, implementation and review of the council’s risk management framework. It regularly monitored and reviewed the internal audit program, compliance program, risk register, received high-level incident reports, procurement reports and industry audits or reports including those of IBAC and VAGO. According to the council, corruption and fraud control was considered within all of these activities. The committee met five to six times per year and a copy of meeting minutes were a standing item at the council’s audit committee.

4.2.3 Risk assessment

It is good practice for councils to review their risk management framework annually to ensure it remains current, and risk treatments and controls remain effective.

Risk assessment is the process of risk identification, analysis and evaluation.²⁹ An organisation’s approach to managing corruption and fraud risks should be underpinned by policies and processes that identify these risks and produce strategies to address them.³⁰

Councils, like other public sector agencies, are vulnerable to corruption risks; however, not all councils actively consider the risk of corruption in their risk management processes. The 2015 review highlighted that corruption risks were not always identified as potential impediments to achieving councils’ strategic and operational objectives.

In the current review, as part of the organisational survey, councils were asked to advise if they carried out periodic assessments of potential corruption risks in each area of council operations, and if so, how frequently these risk assessments were carried out.

Four of the six councils advised they conduct specific risk assessments of potential corruption and fraud risks. This is an improvement on the 2015 review.

For example, one council undertook risk assessments for 10 key fraud and corruption risks as a minimum:

theft of cash
theft/misuse of assets
misuse of confidential corporate information
conflict of interest
accounts payable
payroll practices
procurement
IT and information security
recruitment
misuse of credit cards.

While all councils undertook risk assessments, the frequency varied between councils. Three of the six councils advised they conduct risk assessments annually, while two councils undertake assessments every six months. One council, however, conducts risk assessments every one to three years.

4.2.4 Risk registers

It is good practice for councils to have a clear process for reporting on key risks, including corruption risks, which involves regular reporting to senior officers of the organisation to ensure strategic oversight and monitoring of those risks.

Risk registers are an essential tool for collating and tracking identified risks and their mitigation strategies. Risk registers should include the risk description, existing controls, rating, responsible person/owner, risk treatment strategy and any risk treatments.³¹ All six councils maintained a risk register detailing strategic and operational risks. Five councils provided information on fraud and corruption risks from their risk registers.

In the 2015 review, four of the six councils had risk registers in place, and the remaining two councils advised they were in the process of developing risk registers. The results of the current review may indicate there is an improved understanding within the local government sector of the importance of monitoring risks in a coordinated and strategic way.

The information provided varied between councils. One council advised that its risk register lists one overarching risk regarding corruption and fraud, and two specific corruption and fraud-related risks – credit card fraud and theft of physical health records. This council advised that corruption and fraud were considered a corporate rather than a strategic risk, and information in the risk register was recorded at a high level, hence the overarching fraud and corruption risk.

Similarly, another council reported that it lists one fraud and corruption risk on its corporate risk register. However, it also said it maintains a fraud risk register, which contains seven corruption risks, including collusion and manipulating the electoral process for personal gain. This council also provided a fraud risk exposure document, which lists 22 fraud risks and associated risk control assessments.

A third council provided a detailed extract of its fraud and corruption risks. The information provided included a description of the risk, risk owner, inherent and residual risk rating, and risk controls and treatment plans.

There is significant variation in the frequency with which councils reviewed their risk register. Three councils reviewed their risk register every six months, two councils every quarter and one council on an annual basis.

Two councils’ reporting around risk was particularly comprehensive:

In the first council all risk registers were reviewed at least annually, coinciding with the annual planning and budgeting process. Key strategic and operational risks were reported to the management team quarterly. In addition, risks rated as high or extreme were reported and monitored through the audit committee, also quarterly.
In the second council strategic risks were reported to the council every six months. In addition, very high strategic risks were reported to the CEO/risk management committee and audit committee monthly, and high strategic risks were reported quarterly.

4.2.5 Risk controls

Controls are implemented to reduce or maintain the likelihood and/or consequence of a risk. Once potential risks are identified, organisations should record (in a risk register) what controls exist to reduce or maintain that risk.

Three of the six councils provided information (taken from their risk registers) on internal controls related to specific risks contained in their risk registers. IBAC’s organisational survey also asked councils to provide details of controls they have in place to deter and prevent corrupt conduct for specific corruption risks.

These controls illustrate how councils can use identified risks to develop fraud and corruption prevention initiatives and strategies. Some of the controls listed in risk registers and in responses to the organisational survey included:

a fraud and corruption control policy
risk management training
fraud and corruption awareness training
segregation of duties within human resources and payroll
confidentiality agreements and password sharing protocols
pre-employment screening
procurement delegations
probity checks for prospective suppliers
monitoring fuel card usage (including odometer readings).

The sophistication of the controls identified varied between councils. Some councils referred to having specific policies and procedures in place to mitigate certain risks, while other councils listed specific controls that can be measured or tested for effectiveness.

Five of the six councils also advised they had processes in place to assess the effectiveness of existing controls in managing corruption and fraud risks. These processes included regular reviews of risk registers, internal audit programs, and monitoring and reporting to senior management and audit and risk committees.

The risk management framework of one council was the subject of an internal audit in 2015/16. The audit reviewed the framework against the Australian Standard³² as well as the management of risks, including controls, mitigation and treatment strategies.

The audit found that risk management was adequately incorporated into strategic and business planning processes across the council, and that this council’s risk register was effective in keeping track of identified risks, controls and mitigation actions. However, it was identified that some mitigation actions in the council’s risk register had not been acted on for more than a year. Concerns were also raised with insufficient information being provided to substantiate action taken. It is important that controls and treatments are implemented in a timely way (and recorded appropriately on risk registers), to avoid ineffective risk management and potential escalation of the risk.

A more detailed discussion of specific corruption risks and controls is outlined in section 6.

²³ Pat Barrett, Commonwealth Auditor-General, Achieving better practice corporate governance in the public sector, 26 June 2002, p.16.

²⁴ <www.icac.nsw.gov.au/preventing-corruption/corruption-risk-management>.

²⁵ Local Government (Planning and Reporting) Regulations 2014, Sch.1, Governance and Management Checklist.

²⁶ AS/NZS ISO 31000:2009, Risk management – Principles and guidelines, 2009, p.7.

²⁷ AS/NZS ISO 31000:2009, Risk management – Principles and guidelines, 2009, p.11.

²⁸ AS/NZS ISO 31000:2018, Risk management – Principles and guidelines, 2018, p.4.

²⁹ AS/NZS ISO 31000:2018, Risk management – Principles and guidelines, 2018, p.11.

³⁰ Queensland Crime and Corruption Commission, Effectiveness of Queensland Public Sector Corruption Risk Assessments, Audit Report, 2017, p.4.

³¹ Victorian Government Risk Management Framework Practice Guide, State of Victoria, 2016, p.29.

³² AS/NZS ISO 31000:2018, Risk management – Principles and guidelines, 2018.

FRAUD AND CORRUPTION CONTROL

GOOD PRACTICE OBSERVED IN THIS REVIEW INCLUDED:

Establishing a comprehensive fraud and corruption control framework comprising policies, plans and clear accountabilities for fraud and corruption prevention, which extend beyond financial fraud.
Providing clear examples of fraud and corruption in relevant policies and procedures, to help employees identify and report suspected fraud and corruption.
Developing staff awareness of fraud and corruption risks through induction processes, regular training, and information and resources for employees, contractors and volunteers.
Nominating a senior officer who has overall responsibility for fraud and corruption control in the council who reports to the executive, and audit and risk committee.
Having a designated fraud control officer who is responsible for developing and implementing the council’s fraud and corruption control framework.

OTHER GOOD PRACTICE SUGGESTIONS:

Tailoring the council’s fraud and corruption prevention awareness activities on employees working in high-risk areas (eg procurement and finance).
Ensuring position descriptions for managers contain appropriate fraud and corruption control responsibilities, including key performance indicators.

Fraud is dishonest activity involving deception that causes actual or potential financial loss. Examples include theft of money, intellectual property or confidential information, and falsely claiming to hold qualifications. Fraud can be perpetrated by employees, customers, contractors or external service providers.³³

Corruption is the misuse of public power or position. Corruption can occur through improper or unlawful actions by public sector employees or agencies, the inactions of public sector employees or agencies, and the actions of private individuals who try to improperly influence public sector functions or decisions. Examples include taking or offering bribes, dishonestly using influence, and misusing information acquired at work.

The impact of fraud and corruption on councils and their communities can be significant. It denies the community the fair delivery of vital goods and services, and can disrupt business continuity, reduce the quality and effectiveness of services, and threaten a council’s financial stability.³⁴ To minimise the occurrence and impact of fraud and corruption, councils need a robust fraud control framework that delivers prevention, detection and response strategies.

5.1 Legislation and guidelines

In addition to general provisions in the LG Act concerning sound financial management, the Local Government Regulations require councils to report annually on whether they have a policy outlining their commitment and approach to minimising fraud risk (and if no such policy exists, the reason why).³⁵

In its 2012 audit report, Fraud Prevention Strategies in Local Government, VAGO encouraged councils to take a strategic and coordinated approach to the management of fraud risks, and recommended that councils develop fraud control plans based on comprehensive fraud risk assessments.³⁶

5.2 Fraud and corruption control frameworks

The Australian Standard AS8001–2008 on Fraud and Corruption Control recommends that organisations adopt policies and processes for the identification, analysis and assessment of potential fraud and corruption risks. It recommends organisations develop a framework that includes fraud-specific risk assessments, a fraud and corruption control plan, and training and other activities to develop staff awareness of fraud and corruption risks. Codes of conduct are also considered part of an organisation’s fraud control framework, as they are a means of outlining expected standards of conduct and an organisation’s commitment to those standards. Codes of conduct are discussed in section 7 of this report.

To minimise the occurrence and impact of fraud and corruption, councils need a robust control framework to prevent, detect and respond to fraud and corruption, namely:

prevention measures designed to help reduce the risk of fraud and corruption occurring in the first place
detection measures designed to uncover incidents of fraud and corruption as and when they occur
response measures designed to take corrective action and minimise the harm caused by fraud and corruption.

All six councils had fraud control and corruption frameworks in place, including policies, plans and clear accountabilities for the prevention of fraud and corruption at all levels of the organisation. The frameworks also detail prevention, detection and response measures councils have in place, including fraud risk assessment processes, risk registers, controls and training. Key elements of participating councils’ fraud control frameworks are discussed on the next pages.

5.2.1 Fraud policies

All six councils provided copies of their current fraud and corruption policies, one of which was in draft form. In the 2015 review, four councils had fraud policies in place, while the remaining two were in the process of developing their policies. This most probably reflected that the requirement to report on fraud policies pursuant to the Local Government Regulations came into effect from the end of 2014/15.

Five councils referred to their commitment to preventing both fraud and corruption in their fraud policies. The sixth council’s policy focused predominately on fraud; however, a commitment to both fraud and corruption prevention was articulated in its fraud and corruption control plan.

One council’s policy strongly stated that it did not tolerate fraud and corruption: ‘the council has zero tolerance for corrupt conduct or fraudulent activities and is committed to preventing, deterring and detecting fraudulent and corrupt behaviour in the performance of council activities. Employees must not engage in practices that may constitute fraud or corruption’.

Another council’s policy placed emphasis on developing a strong ethical culture to prevent fraud and corruption: ‘as fraud constitutes a significant risk to any organisation, it is appropriate that a culture of ethical conduct be developed to recognise and avoid fraud and to deal appropriately with any cases of fraud’.

All councils defined both fraud and corruption in their policies. One council defined corruption broadly, making it clear that it can involve those internal and external to council: ‘[corruption is] dishonest activity in which a councillor, employee, volunteer or contractor of council acts contrary to the interests of council and abuses his or her position of trust, in order to achieve some personal gain or advantage’.

Providing clear definitions and examples of fraud and corruption in the policy helps employees better understand what actions constitute fraud and corruption, and how to identify and report suspected fraud and corrupt conduct.

All six councils provided examples of both fraud and corruption in their policies. These examples are broad ranging and extend beyond financial fraud, which is good practice. One council provided examples relating to a range of council functions including payroll/timesheet fraud, unauthorised use of council assets, false claims for reimbursement, and recruitment fraud. Three of the six councils addressed both fraud and corruption in their codes of conduct. Two councils addressed fraud only, while one council referred to neither fraud nor corruption, other than listing the fraud and corruption control policy and procedures as a related document.

Codes of conduct provide an opportunity to communicate to employees about what fraudulent and corrupt conduct is, that it will not be tolerated and the potential consequences of engaging in such conduct. For example, one council code of conduct stated: ‘all incidents of fraud and corruption will be investigated and where appropriate, reported to police for prosecution. Council will seek financial recovery of losses in all cases. Civil proceedings will be initiated where appropriate’.

5.2.2 Fraud control plans

Fraud control plans are also a critical component of an effective fraud control framework. According to VAGO, a fraud control plan should outline an organisation’s fraud prevention, detection and response initiatives, and include key risks (identified through risk assessments), key controls and activities through which the organisation will assure itself that its fraud control framework is effective.³⁷

In addition to their fraud policies, three of the six councils provided their fraud and corruption control plans, which bring together the key elements of a fraud control framework, while a fourth council advised it was developing a plan.

In the 2015 review, only one council had a fraud control plan. The current review may indicate an improved understanding of the importance of fraud and corruption prevention in the local government sector.

The fraud control plans examined generally outline the management and employee responsibilities for fraud and corruption control, and detail the prevention, detection and response strategies and controls for mitigating fraud risks within their organisation. Two councils’ fraud control plans specifically provide a summary of the key fraud and corruption risks for the councils as defined by fraud risk assessments, which is good practice.

The Australian Standard suggests that fraud and corruption control plans should be reviewed every two years. One council’s plan was overdue for review.

5.2.3 Fraud accountabilities

The importance of ensuring organisation-wide accountability for fraud prevention was reflected in each council’s fraud and corruption control framework; policies generally outlined the responsibilities of key staff in relation to fraud prevention including the CEO, senior management, managers, audit committees and fraud control officers. This is consistent with the 2015 review.

In a majority of councils, it was clear the CEO was ultimately responsible for minimising fraud and corruption risk across the organisation. In one council, for example, the fraud and corruption control plan stated: ‘the CEO has the ultimate responsibility for the prevention, control and minimisation of fraud and corruption across the council. The CEO (and Directors) are responsible for monitoring the corporate implementation and performance of the Fraud Policy and this Fraud Control Plan, which includes promoting an environment where fraud and corruption are not tolerated. As a key factor in fraud prevention, senior management must exhibit to employees and customers a genuine and strong commitment to fraud control’.

At another council, a key responsibility of the CEO was to ensure that directors’ position descriptions contained appropriate fraud control responsibilities and measures. Some councils also had a senior executive who was responsible for fraud and corruption control within the council. In one council, the senior officer responsible for people and governance had overall responsibility for implementing and overseeing the fraud and corruption control program. This position reported directly to the CEO and was a member of the executive management team, audit committee and the risk management committee.

Another council had a fraud control officer. This officer was responsible for ensuring that allegations of fraud were appropriately recorded, investigated, referred to other organisations (where appropriate) and reported to the council’s executive.

One council also had a specific risk management and fraud control group, which was responsible for, among other things, reviewing the fraud risk register and implementing fraud and protected disclosure awareness training. At the conclusion of each financial year, the chair of this group was required to provide a report to the council’s audit committee on the activities of the group.

5.2.4 Fraud risk assessment

To effectively manage fraud and corruption risk, organisations should regularly identify the risks of fraud within their organisation. The Australian Standard AS8001–2008 on Fraud and Corruption Control recommends that organisations conduct a preliminary assessment of fraud and corruption risks to inform the development of their fraud and corruption control plans. Fraud risks should be assessed for each area and process of an organisation (eg purchasing, cash payment and receipts, and payroll). These risks should also be recorded and monitored via a risk register.

While each of the six councils’ fraud and corruption policies highlighted the importance of assessing fraud and corruption risks, they differed in their approaches. For example, fraud and corruption risk assessments in two councils formed part of the council’s risk management framework. Both councils maintained a strategic risk register, which included fraud and corruption-related risks and had a nominated officer who was responsible for regularly reviewing fraud and corruption risks.

In another council, managers were responsible for undertaking risk assessments on fraud and corruption matters every six months or when a major change occurs. However, it was not clear whether this was a stand-alone exercise or a component of the council’s general risk assessment process. As previously mentioned, five councils also provided extracts of their specific fraud and corruption risks from their risk registers, one of which appeared to be particularly comprehensive.

In summary, the review suggests that the six councils have solid processes for identifying fraud and corruption risks, usually through their risk assessment processes. A more detailed discussion of specific fraud and corruption risks, and the nature and effectiveness of controls is outlined in section 6.

5.2.5 Fraud prevention awareness

Councils should ensure all relevant parties, including employees, contractors and volunteers are aware of their responsibilities for fraud and corruption control, as well as expected standards of ethical behaviour. It is important to raise awareness through education and training, in addition to policies and procedures, as part of a fraud and corruption control framework. Good practice suggests there should be particular focus on employees working in high risk areas such as procurement and finance.

All councils’ fraud policies demonstrated a commitment to raising the awareness of fraud and corruption within their organisation. Councils predominately appeared to raise awareness of fraud and corruption through channels including relevant policies and processes, internal communications (eg dedicated intranet page), and provision of training and information to new employees upon induction.

One council highlighted the importance of employees understanding how to report suspected corruption or fraud: ‘it is important that fraud and corruption is identified and reported at an early stage and that staff have understanding and confidence in the system. Staff will be provided with information on the fraud and corruption plan and policy so that they have confidence in knowing how to respond if this type of activity is detected or suspected’.

This council had a strong approach to promoting fraud and corruption awareness including:

the provision of the council’s fraud and corruption policy and code of conduct in induction packs to all new employees
a dedicated risk management page on the intranet, which includes links to all relevant documents including reporting
an annual fraud and corruption awareness e-learning module all employees are required to complete
timely communication of substantive amendments to fraud policies and procedures, and the code of conduct.

In another council, employees were required to sign an induction acknowledgement form to confirm they had received the fraud and corruption control policy and were aware of its contents. Managers at this council were also required to ensure all contractors were aware of the council’s fraud and corruption control policy. While this is good practice, better practice would be to required to ensure other groups, such as volunteers, were also made aware of their council’s fraud and corruption control policy.

Despite the measures in place to promote awareness of fraud and corruption, only around two-thirds (64 per cent) of respondents to the staff questionnaire said they were aware of their council’s fraud prevention policy. This means that around one-third (36 per cent) of respondents were either not aware of their council’s fraud prevention policy, stated ‘don’t know’ or felt the policy was ‘not applicable’ to their job.

Although this is an improvement compared with the 2015 review, where 44 per cent of survey respondents were not aware of their council’s fraud prevention policy, more can be done to raise awareness of fraud and corruption in the local government sector. Fraud and corruption related education and training is covered in more detail in section 7.

5.2.6 Reporting of fraud and corruption

Clear reporting mechanisms are a key element of an effective fraud and corruption control framework. Employees and external parties need to understand what constitutes possible fraudulent or corrupt conduct, as well as how they can report such conduct and the protections available to them for reporting.³⁸

Since 1 December 2016, council CEOs, as relevant principal officers, have been required to notify IBAC of any matter which they suspect on reasonable grounds involves corrupt conduct. Councils are also required to establish mechanisms, policies and procedures for supporting and protecting disclosers as required by the PD Act.

Not all fraud control and corruption frameworks were explicit about the obligation of the CEO to notify IBAC of suspected corrupt conduct pursuant to section 57(1) of the IBAC Act. Three of the six councils did not include this information in their fraud and corruption policies.

All six councils placed the onus on employees to report any incidents of actual or suspected fraud and corruption to their supervisor, manager or director, within their fraud and corruption policies, plans or procedures. Three of the six councils’ fraud control and corruption frameworks outlined both internal and external mechanisms available to employees for reporting actual or suspected fraud and corruption.

The policies highlighted that employees can make a complaint about actual or suspected fraud and corruption internally to the CEO or the protected disclosure coordinator; however, not all policies stated that reports can also be made directly to IBAC.

All of the six councils’ fraud control and corruption frameworks applied to contractors, however only two councils made it explicit that that there is an obligation on contractors to report actual or suspected fraud and corrupt conduct. For example, one policy states:

‘employees/contractors/volunteers are responsible for the safeguarding of council entrusted assets against theft, misuse or improper use, and are required to report any suspicion of fraud or corrupt behaviour’.

It is important that the obligation on CEOs, employees and contractors is clear and reflected in relevant policies. Reporting is discussed in more detail in section 8.

³³ Victorian Auditor-General’s Office, Fraud Prevention Strategies in Local Government, 2012, p.1.

³⁴ Victorian Auditor-General’s Office, Fraud Prevention Strategies in Local Government, 2012, p.3.

³⁵ The Bill which was before Parliament in 2018 (but not passed before the November 2018 state election) proposed strengthening councils’ statutory obligations in relation to fraud control, by requiring audit and risk committees to monitor and advise on fraud prevention systems and controls.

³⁶ Victorian Auditor-General’s Office, Fraud Prevention Strategies in Local Government, June 2012, p.9.

³⁷ Victorian Auditor-General’s Office, Fraud Prevention Strategies in Local Government, June 2012, p.9.

³⁸ Queensland Audit Office, Fraud Management in Local Government, 2014-15, p.6.

IBAC’s review examined the councils’ policies and procedures in relation to seven corruption risks. The risks were identified following internal and external stakeholder consultations, and an examination of relevant research, investigations and complaints data. The key corruption risks include:

procurement
cash handling
conflicts of interest
gifts, benefits and hospitality
employment practices
misuse of assets and resources
misuse of information.

The discussion on each risk below includes contextual information on the risk, relevant legislative obligations and guidelines, risk ratings, and key policies, strategies and controls that the six councils have in place to manage specific issues associated with each risk.

6.1 Risk area 1: Procurement

PROCUREMENT

GOOD PRACTICE OBSERVED IN THIS REVIEW INCLUDED:

Requiring tender panel members to complete conflict of interest and confidentiality declarations at key points in the procurement process (eg before opening tender submissions, and after tender evaluations but before recommendations are made).
Requiring tender evaluation panels to have at least one independent member.
Providing clear guidance to prospective suppliers regarding their obligations in relation to conflicts of interest and gifts, benefits and hospitality.
Controlling and monitoring information provided to prospective suppliers, to ensure all suppliers have equal access to information, and all discussions with tenderers are documented.
Engaging a probity auditor for high value and/or high risk projects.
Expressly prohibiting employees from soliciting gifts from suppliers and requiring employees to declare all offers from suppliers.
Requiring employees to report irregular approaches from suppliers and record them on the gifts, benefits and hospitality register.
Prohibiting employees from visiting a contractor’s premises without invitation.

OTHER GOOD PRACTICE SUGGESTIONS:

Requiring all communication with prospective tenderers to occur through an online tender portal, rather than via council employees.
Using a probity adviser for sensitive, complex and/or high value procurements.
Considering applying or developing an equivalent to the Victorian Government Purchasing Board’s supplier code of conduct.

COUNCIL STAFF QUESTIONNAIRE – SCENARIO

Ninety-three per cent of council staff correctly considered the conduct in this scenario to be corrupt. Sixty-five per cent of council staff said they would report this conduct internally within their council.

A significant proportion of local government expenditure is spent on procuring goods, services and works to help councils deliver services, programs and infrastructure for their communities.³⁹ Procurement is vulnerable to corruption because it involves the distribution of monies and devolved decision making; for example, about which goods and services need to be purchased, the method of procurement, and the selection of suppliers. It is therefore important that councils are alert to the risks associated with procurement, and have solid procurement policies and procedures in place to mitigate this risk.

OPERATION ROYSTON

IBAC commenced Operation Royston in 2016. It was alleged that a manager of a regional Victorian council had subverted procurement processes, and failed to declare and manage conflicts of interest when engaging suppliers, including his wife and associates. IBAC found that over a two year period, the manager unlawfully authorised payments of around $184,000 to suppliers. The former manager pleaded guilty to criminal charges including obtaining financial advantage by deception. He was sentenced to three years’ imprisonment and was ordered to pay compensation to the council.

Councils are required, under the LG Act, to develop and make publicly available a procurement policy, providing the principles, processes and procedures that apply to the purchases of goods, services and works by the council. The policy is required to be reviewed annually.⁴⁰ Certain provisions of the policy are set by the LG Act, including the requirement for councils to initiate a public tender process when goods or services exceed $150,000 or where works exceed $200,000.⁴¹

All councils had multiple procurement-related risks on their risk registers.

In their responses to IBAC’s organisational survey, three councils assessed procurement as a low risk and three assessed it as a medium risk. No councils assessed procurement as a high risk. This is a similar result to the 2015 review, where only one council rated procurement as high risk.

Councils supported their risk ratings by citing examples of controls they had in place to help mitigate procurement-related risks. These controls included:

having procurement policies and procedures in place
regular audits
a system of financial delegations
controls around purchase orders (eg raising of purchase orders to be approved by two people, monthly reporting on purchase order compliance).

Responses to the staff questionnaire indicated the majority of respondents across the six councils (76 per cent) also considered procurement to be a low or medium risk.

The questionnaire included a scenario in which a council employee tells a friend who runs a concreting business about an upcoming tender and provides confidential council information, thus providing the friend with an advantage. Ninety-five per cent of respondents correctly indicated that this is not at all acceptable, while 89 per cent considered these actions to be either extremely or moderately harmful to the council. These results are very similar to those of the 2015 review.

6.1.1 Public tender process

As required by the LG Act, all six councils had policies requiring a public tender process where the estimated value of goods and services to be procured exceeds $150,000 (or in the case of works, $200,000). One council required a tender to be conducted at a lower level of expenditure ($100,000 and above for goods and services, and $150,000 for works).

Three other councils’ policies included a provision that public tenders may be undertaken for procurement under the legislated thresholds where it would produce a better outcome. One of these three councils also stated in its policy that if cumulative expenditure over a two-year period is likely to exceed the legislated threshold, a competitive process should be considered.

Councils should think broadly when determining which method of procurement to adopt; it is important that consideration is given to the aggregate spend across the organisation, across services and over time periods. In 2010, VAGO recommended that councils should regularly monitor cumulative payments to suppliers to identify opportunities to utilise competitive or collaborative procurement arrangements.⁴² This advice is reiterated in LGV’s Best Practice Procurement Guidelines 2013.

Three councils indicated that they engage probity auditors for certain contracts. A probity auditor is generally an independent contractor who audits compliance with probity requirements for specific procurements, usually at the end of the process.⁴³ One council advised it uses a probity auditor for contracts exceeding $10 million (eg waste contract and caravan park development on crown land). Probity auditors can assist in ensuring the independence of a procurement process by helping to identify probity issues and risks, and addressing them proactively.

It is also good practice to consider the use of a probity advisor for sensitive, complex or high value procurements. Probity advisors can develop probity plans designed to ensure procurement is conducted fairly and ethically, and provide advice and training to council employees on probity during the procurement process.⁴⁴ Two councils referred to the engagement of probity advisors in their procurement policies. One of these councils stated in its policy that the appointment of a probity auditor and/or advisor needs to be considered early in the procurement process and well before the tendering phase.

6.1.2 Conflicts of interest in procurement

All but one council had a policy requiring members of tender panels to declare conflicts of interest before commencing the evaluation process (compared with four councils in the 2015 review). Although this is good practice, the process for declaring and managing conflicts was not always clear, which may reduce the effectiveness of the control.

IBAC identified an example of good practice at one council which requires all panel members to complete a form declaring direct or indirect declarations: (a) before tenders are opened, and (b) after the evaluation process but before a recommendation is made if a conflict arises. The contract manager is also required to sign a conflict of interest declaration if they have not been involved in the procurement process.

Another council required employees who have access to tender information to sign a conflict of interest declaration before they are able to access tender submissions.

All councils’ policies highlighted the need for employees to maintain the confidentiality of information during the procurement process, including information about the tender process, responses and prices. Three councils’ policies stipulated that panel members were required to sign a confidentiality declaration at the outset of the procurement process.

It is also good practice to recognise that prospective suppliers may also have conflicts of interest which should be identified and managed through appropriate processes. One council advised that suppliers were required to declare conflicts of interest via a statutory declaration during the procurement process. Another council said it outlined suppliers’ obligations in relation to conflicts of interest in request for quote (RFQ) and request for tender (RFT) documentation.

All six councils had provisions discouraging the acceptance of gifts, benefits and hospitality from suppliers, which is a common way that conflicts can arise in the procurement process. This compares with five councils in the 2015 review. The provisions varied from a general statement that employees should exercise discretion when accepting hospitality from contractors, to more detailed provisions outlining the process for seeking approval of and declaring offers on a register. One council explicitly stated in its policy that no gifts, benefits and hospitality should be accepted during procurement, and required all offers (not just those accepted) to be declared regardless of value.

Another council had a provision prohibiting employees from directly or indirectly soliciting gifts from contractors, and discouraging visits to a contractor’s premises without invitation and when not on official business. This council required employees to report irregular approaches from contractors to the CEO for recording on the gifts and benefits register.

It is good practice to provide clear guidance to suppliers (and prospective suppliers) about the ethical standards expected of them, for example, in relation to offering gifts and benefits, and reporting and managing conflicts of interest. The Municipal Association of Victoria has developed resources to help suppliers understand how to work effectively and ethically with councils. The Doing business with local government guide and e-learning tool⁴⁵ states that all council suppliers are expected to maintain the ‘highest standards of behaviour’ and not engage in conduct contrary to fair competition and dealings. The guide also highlights relevant obligations on council employees, including in relation to the acceptance of gifts, benefits and hospitality.

These are useful resources but it is noted that in 2017, the Victorian Government Purchasing Board (VGPB) introduced a code of conduct which outlines expectations of state government suppliers around integrity, ethics and conduct, including their obligation to report suspected misconduct or suspected corruption.

This is considered to be good practice. One council stated on its website that it had developed ‘supplier guidelines’, which outline the council’s expectations. However, when requested to provide these guidelines, the council provided its purchase order terms and conditions, which give minimal guidance on standards relevant to integrity and conduct of suppliers.

Although IBAC acknowledges the VGPB does not cover local government, councils can do more to ensure suppliers better understand the standards expected of them, and of council employees. There is merit in councils outlining expectations of suppliers through a supplier code of conduct such as that developed by the VGPB. Such a code could outline requirements around integrity, ethics and reporting suspected corrupt conduct.

6.1.3 Tender evaluation panels

Four councils had provisions stating that evaluation panels must include at least one independent member. The strongest of these provisions stated that the independent panel member (from the central procurement area) was to chair the panel. In addition, the council reserved the right to appoint an independent external person to any evaluation panel. The inclusion of independent members on evaluation panels is one way of strengthening impartiality in procurement.

The procurement policies of all six councils acknowledged the importance of ensuring all prospective suppliers have equal access to information to assist in preparation of quotes or tenders, as well as requirements for confidentiality. The policy of one council provided more detail, requiring a process be put in place at the start of a tender to control and monitor the flow of information to and from tenderers. Examples outlined in the policy included designating a single employee to deal with tenderers, and ensuring key discussions with tenderers are documented. In another council’s policy the importance of confidentiality was emphasised, and included the statement that employees must avoid referring to current or proposed contracts in discussions with acquaintances or outside interests.

IBAC understands that some councils (other than those participating in this review) have taken steps to eliminate the need for prospective suppliers to communicate with council employees during the tender process, by directing all questions and queries through online tender portals or a generic (council) email address. One council uses an e-procurement system, which allows suppliers to submit tenders or contract bids online. Communication from prospective suppliers is directed securely to authorised procurement staff.

6.1.4 Segregation of duties

The majority of the six councils referred in their procurement policies to the need to:

segregate duties to avoid the risks associated with one employee controlling the procurement process
have controls around purchase orders, including ensuring they are generated before invoices are received
have prohibitions on splitting purchase orders and contracts to circumvent thresholds and delegations
require more than one person to sign-off the addition of a new supplier to the purchasing system.

However, a number of audit reports provided by participating councils highlight that these controls are not consistently applied. For example, an audit at one council identified a concern around purchase orders being raised after receipt of invoices. In response, the council organised targeted training to be provided to relevant employees, to reinforce proper process around purchase orders. Although it is important to clearly outline controls and processes in policy, it is critical that the effectiveness of these controls is tested through audits and other assurance processes.

6.2 Risk area 2: Cash handling

CASH HANDLING

GOOD PRACTICE OBSERVED IN THIS REVIEW INCLUDED:

Establishing and communicating clear policies and procedures governing cash handling including petty cash.
Including cash handling as a risk for review in internal audit and corruption risk management processes.
Requiring employees with cash handling responsibilities to undertake pre-employment screening checks as part of the selection process.
Establishing clear procedures which outline when employees can claim petty cash, reimbursement limits and approval processes.
Providing training to employees with cash handling responsibilities including those responsible for maintaining petty cash.
Establishing a range of controls to mitigate risks associated with cash handling, including conducting regular and random audits of cash holdings.

OTHER GOOD PRACTICE SUGGESTIONS:

Considering more stringent forms of pre-employment screening for employees with cash handling responsibilities, such as consideration of disciplinary histories.

Many councils accepted cash at customer service sites including libraries, recycling facilities and civic offices, which commonly receive cash for, among other things, animal registration, rates, community programs, kindergarten enrolments and infringements.

While the amounts in question may be small, cash handling presents a corruption risk, for example, by a council employee:

failing to record purchases properly in order to misappropriate cash
misappropriating cash from a machine or while cash is in transit
artificially inflating the value of a good/service to misappropriate cash.⁴⁶

Good practice suggests that as a minimum, public sector agencies that handle cash should develop policy and procedures for cash handling, refer to cash handling in all relevant corporate documents such as codes of conduct, provide training to all relevant staff, and include cash handling as a risk to be assessed in internal audit and corruption risk management processes.⁴⁷

In the organisational survey, two of the six councils rated improper cash handling and payment arrangements as a medium risk, while the remaining four councils rated it as low risk. Councils’ justification for the low or medium risk rating was that they had effective policies, procedures and auditable controls in place. In the 2015 review, one council considered cash handling to be high risk. The other councils rated the risk as low.

One council provided detailed information on its controls to explain its low risk rating: controls included cash handling policies and procedures, formal training for all staff responsible for handling cash, cheques and credit card payments, and daily reconciliation of payments including supervisory checks and sign-off.

Four of the six councils provided internal audit reports relating to cash handling. One council’s audit identified key strengths in the cash handling process, including the development of policies and procedures to govern cash handling processes, direct oversight of cash handling processes by revenue officers, and an effective monitoring and reporting process.

6.2.1 Cash handling and receipting

Cash was a method of payment at all six councils; however, dedicated cash handling policies were only identified in relation to four councils (one council also provided some guidance to customer service officers regarding provision of receipts, in its customer service quality manual). Although the amount of cash handled by councils varied (and may be minimal as councils seek to minimise the associated risks), it is appropriate that written procedures clearly outline the processes and obligations on employees who handle cash, to avoid risks of theft.

One council’s policy made it clear that cash transactions are to be phased out where possible (to minimise risk) while providing clear guidance for staff in circumstances ‘where cash transactions cannot be avoided’. This council’s policy was comprehensive, and covered, among other things:

minimum training requirements (including supervision and mentoring until the employee is deemed competent)
the process for establishing a new float
the responsibilities of cashiers and supervisors (including resolving discrepancies in two days)
cash minimisation processes (including limiting the amount of cash held)
record keeping requirements.

The policy also stated that cash holdings were subject to random audits.

In addition to cash handling procedures, a second council referred to cash handling in its fraud control plan, noting that managers were responsible for implementing, monitoring and reporting on systems to detect potential fraudulent activities, including via shift, daily and weekly cash reports.

That council’s pre-employment screening policy also stated employees who handle cash (eg customer service officers, transfer station employees and program activities employees) were subject to police checks as part of the selection process. Two other councils also required police checks to be conducted for prospective staff whose duties involve handling cash. Good practice would be to consider other, more stringent forms of pre-employment screening for employees with cash handling responsibilities, such as a consideration of disciplinary histories.

Although not all the councils had cash handling procedures in place, they appeared cognisant of the risks associated with cash handling. Five councils specifically identified theft or misuse of cash as an example of fraud in policies and procedures governing employee conduct and/or fraud and corruption control (the exception being the council which was explicit in its commitment to phase out cash transactions). Four of the six councils had also undertaken an audit of cash handling within the past five years.

6.2.2 Petty cash

Of the five councils that expressly maintain petty cash, three had specific procedures which set limits on petty cash reimbursements and the circumstances in which petty cash can be used. One council’s procedure stated that petty cash ‘should only be used in limited circumstances’ and instructed staff to use an existing council vendor wherever possible to avoid the need for petty cash. Petty cash reimbursement was limited to $82.50 (inclusive of GST) and was dependent on provision of receipts and the approval of a manager.

While a second council did not appear to have stand-alone petty cash procedures, it indicated it operates a petty cash system for ‘urgent and operational business expenses’ (with a limit of $100). However, its use should be limited as the purchase card policy suggests that such cards are used ‘for the procurement of low value/low risk goods and services’ that do not fall within the usual purchase order procedures.

This council also had restrictions in place for purchases under a certain threshold, including petty cash purchases within its procurement policy. The procurement policy stated that purchases less than $500, including via petty cash, must comply with purchasing requirements, although purchase orders are not required. However, the council’s corporate credit card policy suggested the council had sought to reduce the use of petty cash through credit cards, which are more effectively monitored.

A third council’s policy made it clear that a limit of $50 (including GST) applied for all cash reimbursements. A petty cash authorisation form had to be completed and signed by the relevant line manager (or staff member responsible for the budget line item) with receipts/evidence for all items attached.

If councils consider it necessary to maintain petty cash, there should be clear procedures in place, which outline circumstances in which employees can claim petty cash, reimbursement limits and approval processes.

6.3 Risk area 3: Conflicts of interest

CONFLICTS OF INTEREST

GOOD PRACTICE OBSERVED IN THIS REVIEW INCLUDED:

Developing and communicating a clear policy position on conflicts of interest, which is consistent with legislative provisions and operating environment.
Highlighting the importance of declaring and managing conflicts of interest (including through the use of examples and checklists) in codes of conduct.
Providing clear guidance on how to manage conflicts of interest in high risk functions and activities including procurement and recruitment.
Requiring contractors and council planners to identify, declare and manage conflicts of interest
Maintaining a central conflicts of interest register, which is monitored by a designated officer and/or by the audit and risk management committee.
Developing a tailored, stand-alone policy on identifying, declaring and managing conflicts of interest.

OTHER GOOD PRACTICE SUGGESTIONS:

Maintaining an electronic register of declared financial and non-financial interests, which can be used to facilitate cross-checks with other data held by councils (such as vendors).

The failure to properly identify, manage and declare conflicts of interest has been a common feature of IBAC investigations. Public sector agencies, including councils, need to be alert to the risks associated with failing to properly manage conflicts of interest, particularly in activities such as procurement and recruitment.

A conflict of interest occurs where there is conflict between the public duty and private interests of a public official. A conflict of interest whether actual, potential or perceived, which is not properly identified, declared or managed, provides opportunities for corruption, placing a council’s finances and reputation at risk. The need to identify, declare and manage conflicts of interest is therefore central to an effective integrity framework.

The LG Act requires all council staff to act with integrity, which includes avoiding conflicts of interest.⁴⁸ The Act requires the CEO and employees with a delegated power, duty or function to declare a conflict of interest, and expressly prohibits the individual from exercising the relevant power, duty or function. Employees providing advice to council, or members of a special committee, must also disclose any conflicts.⁴⁹ Failure to do so is a criminal offence.

A person is considered to have a conflict of interest if they have a direct or indirect interest in a matter. The LG Act provides a high level of prescription as to what constitutes a conflict, defining conflicts of interest in terms of direct interests and six types of indirect interests.⁵⁰ The latter relate to financial and non-financial interests that may pose a conflict, such as associations or gifts.

Senior council officers and other officers nominated by the CEO are also required to provide records of the financial and non-financial interests of themselves and their family, via primary and ordinary returns. A failure to disclose a conflict of interest is a breach of the Act.⁵¹

Of the six councils involved in our review, five rated conflicts of interest as a medium risk issue and one council rated it as low risk. The medium risk rating was largely attributed to existing policies and procedures, including codes of conduct and procurement policies, as well as audited systems and controls.

Despite the medium risk rating, only one council identified specific conflict of interest risks on their risk register. This risk related to ‘undisclosed councillor or employee conflicts of interest for personal gain’ and the inherent risk was rated as extreme. There was a broader spread of risk ratings in the 2015 review, with three councils rating conflicts of interest as a medium risk, one council rating it a high risk, and two a low risk.

Responses to the staff questionnaire suggest that employees across the six councils consider conflicts of interest to be a low risk issue, with 49 per cent of respondents rating conflict of interest as low risk, 32 per cent rating it as medium risk and 11 per cent rating it as high risk within their council. Twenty per cent of respondents said they were not aware of their council’s conflicts of interest policy, suggesting there is an opportunity for councils to improve employee awareness on this issue.⁵²

Only one council had a tailored, stand-alone conflict of interest policy. The other councils addressed conflicts of interest in their code of conduct and/or used the LGV 2011 guide, Conflict of Interest – A Guide for Council Staff. One of these five councils advised it was developing a stand-alone conflict of interest policy.

Two councils said they were disinclined to develop a separate conflicts of interest policy. Instead, one council undertook to strengthen information on conflicts of interest in its code of conduct, while the other felt conflicts of interest were adequately addressed in other policies. This is similar to the 2015 review, where councils addressed conflicts of interest in their codes of conduct and/or the LGV guide, rather than via a stand-alone conflicts of interest policy.

Councils’ codes of conduct noted the importance of declaring and avoiding conflicts of interest to help maintain community confidence and trust. For example, one council’s code of conduct required employees to ‘avoid conflicts of interest to help maintain public confidence in Council decision making’, while another focused on the importance of employees ‘acting with integrity, including avoiding conflicts of interest’.

It is important that councils develop and communicate their policy, to clearly outline what conflicts of interest are (consistent with legislative requirements), and how employees are required to identify, declare and manage such conflicts. Reliance on the LGV guide is not sufficient, particularly as a means of communicating to employees about the specific requirements of the council. Councils could consider the development of a tailored, stand-alone policy on identifying, declaring and managing conflicts of interest to achieve this.

In 2017, the Queensland Crime and Corruption Commission (CCC) reported on its audit of how allegations involving conflict of interest are dealt with by councils. The CCC recommended that councils put in place a conflicts of interest framework that outlines the overarching policy regarding all conflict of interest matters, establishes roles and responsibilities, and outlines the mandatory steps to follow when dealing with a conflict.
The framework should, among other things, require the maintenance of appropriate records of declared conflicts of interest, that is, declaration forms and a central register.⁵³

6.3.1 Identifying and declaring conflicts of interest

Guidance for employees on how to declare conflicts of interest was predominantly outlined in each council’s code of conduct. And the nature and level of advice provided to employees varied between councils. All councils, in their code of conduct or policy, stated that employees must ensure there is no conflict between personal interests (pecuniary or non-pecuniary) and council duties. Four councils, in their codes of conduct, also focused on the interests of an employee’s friend, family member, or personal associate. In one code, for example, employees were advised that their personal or financial interests, or those of a close associate or family member, should not influence, or cannot be reasonably perceived to influence, the performance of their role and duties.

One council required contractors as well as employees to declare and avoid real and apparent conflicts of interest, while another council required employees with delegated authority, or those involved in the preparation of reports that are considered at council meetings, to be aware of additional conflict of interest obligations under the LG Act.

Some councils included examples of conflicts of interest in their codes of conduct or policy. For example, one council referred to conflicts of interest including: being made a beneficiary in a client’s will, and dealing with friends on regulatory, inspection or recruitment matters. Another council provided examples of different types of conflicts of interest, such as direct and indirect interests, drawing on the LG Act.

A third council’s code of conduct contained a checklist to help employees identify possible conflicts of interest. The checklist applied the guidance issued by LGV and posed a number of questions for employees to consider, for example: am I, a relative of mine, or a member of my household, likely to be directly affected by this matter?

Employees were advised that if they answer ‘yes’ to any question, they should speak to their manager or the governance team to determine whether they should disclose a conflict of interest. It is good practice to provide examples or case studies to help employees understand and identify conflicts of interest.

One council advised that planners were required to make a conflict/no conflict declaration at the start of each planning application process and to amend this declaration if necessary during the process (eg if the planner knows a person who lodges an objection). Council advised that these obligations were explained to each new planner when they commenced work with the team.

It was not always clear how employees should declare a conflict of interest, other than reporting the conflict of interest to their manager, director or the CEO. One council provided its stand-alone conflict of interest disclosure form, which required an employee to indicate if they have a direct or indirect conflict of interest, and the nature of the conflict. However, the form was limited as it did not prompt the employee or manager to record how the conflict would be managed.

Councils provide clearer guidance on how to manage conflicts of interest in high risk areas where conflicts of interest can commonly arise, namely procurement and recruitment. Five councils’ procurement and recruitment-related policies and procedures covered conflicts of interest, in addition to the information provided in the code of conduct and/or stand-alone policies. Conflicts of interest in procurement and recruitment are discussed in sections 6.1 and 6.5 of this report.

6.3.2 Managing conflicts of interest

As outlined in the previous section, councils generally required employees to declare any conflicts of interest to their manager or, in some cases, to the relevant director or CEO. Most of the six councils required members of tender panels to declare conflicts of interest before commencing the evaluation process. In some councils, panel members were required to withdraw from a recruitment process where a conflict of interest, either personal or professional in nature, existed or was perceived to exist.

Three councils maintained a central register of declared conflicts of interest. The conflict of interest forms used by these councils commonly required employees to outline the type of conflict of interest (direct or indirect) and the nature of the conflict. However, there was little further information on how conflicts of interest should be managed, particularly with respect to central monitoring and oversight of conflicts.

One council advised that conflict of interest forms for recruitment, procurement and councillor declarations were held separately by the relevant departments, and there was no central oversight. Another council also commented that conflicts of interest were managed in individual reports to council; however, there was no central register.

Good practice is to centrally oversight conflicts of interest, for example, through a register which is regularly monitored by a designated officer and/or by the audit and risk management committee. It can also be beneficial to maintain an electronic register of declared financial and non-financial interests, which can facilitate cross-checks with other data held by councils (such as vendors).

It is also important that managers understand their responsibility to ensure identified conflicts are appropriately managed. The council with the stand-alone conflict of interest policy stated in that policy that it was the responsibility of the CEO, director or manager to ensure that an employee with a conflict of interest did not exercise a relevant power, duty or function and to appoint another employee to do that work.

6.4 Risk area 4: Gifts, benefits and hospitality

GIFTS, BENEFITS AND HOSPITALITY

GOOD PRACTICE OBSERVED IN THIS REVIEW INCLUDED:

Developing a policy that clearly outlines the council’s position on gifts, benefits and hospitality, including employee obligations in relation to gifts, benefits and hospitality.
Ensuring policies on gifts, benefits and hospitality are broad in scope and apply to all employees and other personnel acting on behalf of the council.
Developing a ‘GIFT test’⁵⁴ to help employees decide whether or not to accept a gift or benefit.
Requiring employees to declare gifts, benefits and hospitality regardless of whether they are accepted or declined, and recording all offers, regardless of whether they are accepted or declined.
Requiring all offers from suppliers to be declared, regardless of their value, and recording this information on the gifts, benefits and hospitality register.
Explicitly prohibiting the acceptance of gifts, benefits or hospitality from those about whom the employee is likely to make decisions including current or prospective suppliers.

OTHER GOOD PRACTICE SUGGESTIONS:

Prohibiting the acceptance of monetary gifts or gratuities by council employees regardless of their value.
Centrally monitoring and oversighting gifts, benefits and hospitality registers, including oversight by audit and risk committees, to identify potential trends and patterns, including possible vulnerabilities in relation to particular individuals and organisations.
Making gifts, benefits and hospitality registers publicly available, in the interests of transparency and accountability.

The acceptance of gifts, benefits and hospitality can create perceptions that an employee’s integrity has been compromised. This is recognised in the LG Act, which states that a person has an indirect interest if they receive gifts with a total value of $500 from a person who has represented or represents a body that has a direct interest in a matter, in the five years preceding a decision or the exercise of a power.⁵⁵

The inappropriate provision of or request of gifts, benefits and hospitality has been a regular feature of IBAC’s investigations, particularly in relation to suppliers.

The acceptance of gifts, benefits and hospitality presents a particular risk in the context of procurement as it can undermine both public and supplier confidence in the process, by inappropriately influencing the decision-making process or creating a perception that a public officer has been influenced. Good practice is to prohibit the acceptance of gifts, benefits or hospitality from those about whom the employee is likely to make business decisions, including current or prospective suppliers. It is also good practice is for a council’s gifts, benefits and hospitality policy to be linked to its conflict of interest policy, to provide employees with assistance in managing these situations if they arise.

In consultations, a number of councils highlighted that gifts, benefits and hospitality was a challenging issue because of the need for councils to be active in their local communities and to promote economic development as well as stakeholder relationships. One council referred to employees and councillors being regularly invited to events promoting local economic and social development, which can present issues in light of the $500 indirect interest provision of the Act. Sometimes the offerer was asked to value the event, to enable the council to purchase a ‘ticket’ to avoid an actual or perceived conflict.

Of the six councils, three identified specific risks associated with gifts, benefits and hospitality on their risk registers. The risks related to offers of gifts, hospitality or benefits from suppliers, or third parties seeking preferential treatment or services. These risks were rated as medium or low on the risk register.

In the organisational survey, councils were not specifically asked to provide a risk rating for gifts, benefits and hospitality but cited the following controls (as part of their responses to conflicts of interest):

gifts, benefits and hospitality policies
reviewing gifts and benefits registers
staff reminders about council policy prior to specific events (eg Christmas).

Responses to the staff questionnaire suggested that employees across the six councils considered gifts, benefits and hospitality as low risk; half of all respondents (49 per cent) rated conflicts of interest (including gifts and benefits) as a low risk issue. Only 11 per cent rated it as a high risk issue.

While councils are not legislatively required to develop a gifts, benefits and hospitality policy, it is good practice to ensure there are policies and procedures in place that clearly outline the council’s position on this issue to encourage consistency and transparency across the organisation.

Five councils had stand-alone policies or procedures, providing guidance on gifts, benefits and hospitality. All six councils also addressed gifts, benefits and hospitality in their codes of conduct, which is consistent with the 2015 review. Four councils addressed, to varying extents, the issue of gifts, benefits and hospitality in their procurement policies (eg stating that employees involved in procurement must avoid accepting any gifts or benefits from suppliers).

It is important that employees understand their obligations in relation to gifts, benefits and hospitality, including when it is not appropriate to accept gifts and benefits, how to declare offers, and what approvals are required. A large majority of respondents to the staff questionnaire said they were aware of their council’s gifts, benefits and hospitality policy (91 per cent). This is consistent with the 2015 review where 92 per cent of respondents said they were aware of their council’s policy in this area.

Most of the councils’ stand-alone gifts, benefits and hospitality policies were broad in scope, applying to personnel including employees, contractors, volunteers, service providers, work placement students, and agencies and third parties involved in performing duties or acting on behalf of the council. One council’s policy also applied to members of special or advisory committees appointed by council, as well as immediate family members or close associates of employees where an applicable gift was linked to the duties or position of the employee.

6.4.1 When can gifts, benefits and hospitality be accepted?

All six councils allowed the acceptance of some form of gifts, benefits and hospitality. Four councils allowed employees to accept gifts, benefits and hospitality up to a value of $50 without the need for approval. If the value exceeded $50, approval of a manager or CEO was required. This is consistent with the findings of the 2015 review.

The fifth council did not stipulate thresholds but framed its policy in terms of when gifts, benefits and hospitality could not be accepted (eg when it could impact on the perceived independence of the employee). It also referred employees to the ‘GIFT test’ to help them decide whether or not to accept a gift or benefit.

The sixth council clearly stated in its code of conduct that it did not tolerate employees who sought or accepted any gift, fee, reward or benefit for themselves, their family, friends of any other person or body for anything done in connection with their council duties. This is a strong message, which was reinforced in consultations with that council; the council referred to its CEO having a ‘zero tolerance’ to the acceptance of any gifts and benefits.

However, the council’s intranet stated that employees could receive token gifts. It is important that councils communicate consistently to employees about their obligations in relation to acceptance of gifts, benefits and hospitality.

While all councils included some reference to the acceptance of gifts, benefits and hospitality in the context of procurement, the strength of the message varied. Most councils referred briefly to the need for employees to avoid accepting gifts, benefits and hospitality from suppliers, and/or to exercise discretion before accepting hospitality from suppliers.

One council, however, had a separate section in its gifts, benefits and hospitality policy on procurement which unequivocally stated that no gifts, benefits or hospitality should be sought or accepted from any actual or potential supplier. One part of the policy stated: where employees are involved in the procurement of products or services, particularly when a tender process is underway, it would be inappropriate for councillors and employees involved to accept a gift, benefit or hospitality from any other party involved in the process, either directly or indirectly.

This council also required all offers from suppliers to be declared, regardless of their value, and recorded on the gifts, benefits and hospitality register. This policy recognises the particular risks associated with gifts, benefits and hospitality from suppliers and makes it clear to employees that acceptance is never appropriate.

Another council’s policy covered gratuities defined as a ‘small monetary gift in acknowledgement for services rendered’. The policy stated that offers of gratuities which exceed $50 must be discussed with a general manager, implying that gratuities under that threshold can be accepted. Good practice would be to explicitly prohibit the acceptance of any monetary gift, regardless of value. The council advised IBAC it would review this provision.

6.4.2 Declaring gifts, benefits and hospitality

Consistent with the 2015 review, three of the six councils required employees to declare gifts, benefits and hospitality regardless of whether they are accepted or declined. The remaining three councils required only accepted offers to be declared. It is good practice to record offers of gifts, benefits and hospitality, regardless of whether they are accepted or declined. This enables councils to monitor external approaches and possible efforts to inappropriately influence employees. IBAC notes in 2018, one priority for the Victorian Secretaries Board Integrity and Corporate Reform Subcommittee was to monitor declined offers of gifts, benefits and hospitality in state government agencies to identify patterns or trends of concern.

Councils’ processes for declaring gifts, benefits and hospitality were generally clear and appropriate. For example, one council required all gifts, benefits and hospitality, either accepted or declined by an employee, to be declared by completing a declaration form within 14 days. The form, which must be signed by the employee’s manager or CEO, outlines the decision regarding the gifts, benefits and hospitality (accept, decline or return), its estimated value and whether previous offers have been made by that individual or organisation.

In one council, it appeared that employees were only required to declare gifts (exceeding $50), not hospitality. Hospitality can be of significant value (exceeding $50) and therefore it should be clear that employees are required to declare it.

6.4.3 Gifts, benefits and hospitality registers

All six councils had a gifts, benefits and hospitality register. This is consistent with the 2015 review. The registers generally record offers above the value of $50 and in some cases offers that are accepted and declined. In one council, the register also recorded official gifts, individual or cumulative gifts exceeding the gift disclosure threshold of $500 over five years, and all offers from actual or potential suppliers during procurement activities.

Registers are usually maintained by the governance areas of councils. However, there was little indication that registers are regularly monitored to consider potential risks or vulnerabilities. IBAC did not identify any councils where audit and risk committees had oversight of the register.

One council advised their CEO oversighted the acceptance of gifts, benefits and hospitality by general managers, and general managers monitor their own employees. There was no overarching, strategic review of the register. A second council advised the register was monitored by the governance coordinator and reviewed annually by the financial services manager.

It is good practice to monitor and oversight a gifts, benefits and hospitality register, to identify possible trends and patterns, including possible vulnerabilities in relation to particular individuals and organisations. It is good practice to make registers publicly available, in the interests of transparency and accountability.

There was little evidence these registers were publicly available (none were available on councils’ websites), although one council advised that its register was considered a public document and may be viewed at any time by appointment.

6.5 Risk area 5: Employment practices

EMPLOYMENT PRACTICES

GOOD PRACTICE OBSERVED IN THIS REVIEW INCLUDED:

Conducting a range of pre-employment screening checks, particularly for high risk positions, including police checks, working with children checks, reference checks, verification of qualifications and proof of eligibility to work.
Requiring recruitment panel members to withdraw from a panel where a conflict of interest, either personal or professional in nature, exists or is perceived to exist.
Clearly articulating that secondary employment can create a conflict of interest and therefore approval is required to undertake external employment; failure to do so may result in disciplinary action.
Highlighting the importance of maintaining confidentiality of council information, particularly where an employee’s secondary employment may be with an organisation that interacts with the council.
Prohibiting council employees from working for the council under contract arrangements (ie employees cannot act as staff and suppliers simultaneously).
An advisory committee (with an independent chair) advising council on matters of CEO performance, contract extensions, remuneration matters and recruitment.

OTHER GOOD PRACTICE SUGGESTIONS:

Requiring prospective employees to complete a statutory declaration about their employment history, including if they have been investigated for disciplinary or criminal matters.
Conducting pre-employment screening for internal applicants, particularly if they are applying for positions which are considered high risk.
Considering additional pre-employment screening processes for high risk positions, such as bankruptcy checks, credit history checks and psychometric screening.

IBAC has identified that employment practices are vulnerable to corruption including recruitment compromised by nepotism, conflicts of interest and inadequate pre-employment screening. This can result in the recycling of employees with problematic discipline and criminal histories. In August 2018, IBAC published a research report which highlights corruption risks in public sector employment practices at different stages of the employment cycle.⁵⁶

Consistent with obligations across the Victorian public sector, councils are required to ensure employment decisions are based on merit and that employees have avenues of redress against unfair or unreasonable treatment. These, and other employment obligations, are enshrined in the LG Act.⁵⁷

The Act outlines provisions for the employment of senior officers, including the CEO. Senior officers, including the CEO, are employed under contracts which must specify performance criteria. Councils are required to review the performance of their CEO on an annual basis, and the CEO must review the performance of other senior officers, at least once a year.

As part of the organisational survey, the six councils were asked to indicate whether recruitment and employment were considered to be high, medium or low risk areas. Three councils rated recruitment and employment issues as medium risk and three rated recruitment and employment issues as low risk.

The councils supported their risk ratings by citing the following controls:

policies and procedures
pre-employment screening checks
independent recruitment panel members.

In light of the medium and low risk ratings, it is perhaps not surprising that two of the six councils did not include recruitment and/or employment-related issues on their risk registers.

One of these councils advised that recruitment is not listed on its strategic risk register because ‘it just hasn’t presented a challenge for us and is unlikely to in the foreseeable future’. It appears that not all councils are cognisant of the corruption and misconduct risks associated with employment practices.

Responses to the staff questionnaire also suggested that employees across the six councils viewed recruitment and employment issues as a low or medium risk:

Only 12 per cent of respondents rated the appointment of personnel as a high risk issue in their council; 52 per cent of respondents rated this issue as low risk and 26 per cent rated it as a medium risk.⁵⁸
Only eight per cent of respondents rated secondary employment as a high risk issue in their council; 53 per cent of respondents rated it as low risk and 24 per cent rated it as medium risk.⁵⁹

These results are broadly consistent with the 2015 review, with only a small minority of respondents identifying recruitment and secondary employment as high risk issues. However, in IBAC’s 2017 perceptions of corruption survey, ‘hiring friends or family for public service jobs’ was the most commonly observed (22 per cent) and second most suspected (34 per cent) corrupt behaviour.

Discussed on the next page are councils’ policies and procedures in relation to pre-employment screening, secondary employment, and employment of friends and family.

6.5.1 Pre-employment screening

Pre-employment screening is an opportunity to validate a candidate’s qualifications and previous work experience, check for conflicts of interest and, where appropriate, review criminal records or disciplinary history. When these checks are either not conducted (or are not done properly), there is a risk of employing individuals who can undermine an agency’s integrity.⁶⁰

IBAC’s 2018 employment practices report highlights instances where public sector agencies have failed to properly screen prospective employees, resulting in employment of people with problematic discipline histories or who lack relevant or required qualifications. One council in this review noted the recruitment of unqualified or underqualified employees as a key risk in its strategic risk register:

‘Unqualified or under qualified staff, through misrepresentation in applications for employment, can lead to legal proceedings, loss of reputation, increased health and safety risks, decreased productivity and inflated recruitment and training costs.’

In October 2018 the Victorian Public Sector Commission issued a new employment screening policy for VPS executive officers. The policy requires that all preferred candidates for VPS executive positions complete a statutory declaration in relation to relevant instances of misconduct and sign a consent form allowing the prospective employer to contact the candidate’s current and previous employers to substantiate their employment history. It is acknowledged this policy does not expressly apply to local government, but it is good practice which could be considered by councils.⁶¹

All six councils covered pre-employment screening in their recruitment policies or procedures. Two councils also have stand-alone pre-employment screening policies. In one council, the pre-employment screening policy noted that:

‘Pre-employment screening forms a crucial part of the employment process and allows the council to objectively assess the suitability of candidates against the requirements and risks of a job role.’

Councils conduct a range of pre-employment screening checks, including police checks, working with children checks, reference checks, verification of qualifications, work experience, licenses, and proof of eligibility to work.

Three councils had stronger pre-employment screening requirements for designated high risk positions. For example, at one council, high risk positions, such as those in the finance, information services, and planning and development areas, were subject to police checks. These requirements were stipulated in the employment contract terms and conditions. This is good practice and recognises that screening can be tailored to risks associated with different positions.

In two councils, international police checks were required for prospective employees working in aged and disability services if they have lived or worked overseas for a period of 12 months or more since the age of 16, and those working in family and housing services if they have resided overseas for at least 12 months in the previous 10 years. Another council’s recruitment procedures stipulated police checks must be undertaken for preferred applicants (including volunteers) for positions which involve working with vulnerable people including children, youth, the elderly or frail, or for employees required to enter the homes of residents.

Councils could also consider additional pre-employment screening for positions which are identified as high risk. More stringent screening could include conducting bankruptcy checks, credit history checks and psychometric testing.

While criminal history was a standard pre-employment screening requirement, none of the six councils required applicants to disclose any disciplinary matters associated with previous employment. This makes it difficult for councils to avoid recycling of employees with problematic discipline histories. In consultations, one council said that issues with disciplinary histories were detected during reference checks with supervisors (and issues with criminal histories were identified through police checks). Supervisors were not contacted unless an employee provided consent, suggesting that failure to provide consent would be a red flag.

A second council advised it asked referees if they would ‘re-employ’ the prospective candidate as a means of gaining information about historic disciplinary issues, without directly asking the question. However, no formal policy was in place and the council considered that disciplinary matters became invalid after 12 months, or at least could not be relied upon as a reason not to employ a person.

This council also stated, in its fraud and corruption control procedures, that recruitment screening should be considered when employees are promoted or are acting in positions considered higher risk. This would be good practice, as it recognises risks associated with employees getting into an organisation with low levels of screening and then moving to higher risk positions without further screening. However, in consultations, the council advised this screening does not occur and that they would amend the fraud and corruption control procedures to reflect this.

IBAC considers public sector agencies can take stronger, more effective action to prevent recycling of problematic employees, such as requiring prospective employees to complete a statutory declaration about their work history, including if they have been investigated for disciplinary or criminal matters.⁶²

6.5.2 Merit-based employment

As stated earlier, the LG Act enshrines the principle of merit in employment decisions. IBAC has identified numerous instances throughout the public sector where proper recruitment decisions have been corrupted by the employment of family and friends. It is therefore important, as a standard control, that all members of selection panels complete conflict of interest forms, and that there are processes for dealing with identified conflicts.

While none of the councils’ recruitment policies explicitly stated that employees must not employ or seek to influence a selection process involving a family member or friend, five of the six councils required members of recruitment panels to declare conflicts of interest of a personal or professional nature (ie where an applicant is a friend or relative of the panel member).

Two of these councils specifically required panel members to sign a conflict of interest declaration form as part of the recruitment process. In some councils it is also explicit that panel members are required to withdraw from a recruitment panel where a conflict of interest, either personal or professional in nature, exists or is perceived to exist. This is good practice.

One council’s recruitment policy required each panel member to provide a written declaration of any professional or personal relationship with any applicant. Where a panel member had an actual conflict, they were to immediately remove themselves from the recruitment process. If a panel member had a perceived conflict, they were required to declare this in writing to the delegated officer prior to shortlisting. The policy stated that where a panel member had a relationship, either personal or professional, with an applicant, but believed they should stay on the selection panel, approval should be sought from the delegated officer. Better practice would be to state that the employee needs to remove themselves from a panel for all personal and professional conflicts, which are considered significant.

All six councils aspired to the principle of merit-based recruitment, through additional processes. In most councils, recruitment panels were required to comprise at least three people and include an independent member. In some cases this could be a human resources representative or a person from outside the council.

Three of the six councils also stipulated specific training requirements for certain panel members. For example, one council required both the chair and the independent member to have completed behavioural interview training. In another council, panel members were required to be experienced in non-discriminatory recruitment and selection interviewing, or to have undertaken recruitment and selection training in the last two years and be familiar with the council’s recruitment-related policies and procedures.

CEOs are appointed by the elected council, which also assesses the CEO’s performance annually. One council had an advisory committee, which guided it on matters of CEO performance, contract extensions, remuneration matters and (where required) recruitment. The committee was comprised of an independent chair, the mayor and a councillor. The independent chair developed the draft performance criteria and performance review methodology for consideration of the committee and council.

While not a requirement under the LG Act, an advisory committee with an independent chair is one way of supporting independence in employment decisions regarding the CEO.⁶³

In 2018, the LGI published a report on managing the employment cycle of a council CEO. The report highlights issues with the recruitment and performance management of CEOs by councils.⁶⁴

6.5.3 Secondary employment

While council employees are generally not restricted from undertaking paid or unpaid work external to their council, secondary employment can pose a number of corruption risks. It is therefore good practice to have arrangements in place for the approval and monitoring of secondary employment. Corruption risks associated with secondary employment include direct conflicts of interest with the employee’s council work, such as working as a private planning consultant while assessing planning applications for council, or borrowing council equipment or material for a landscaping business.

Secondary employment was covered in all six councils’, such as code of conduct. Most codes explained that secondary employment can create a conflict of interest for employees and therefore require staff to declare any potential conflicts of interest. The codes also stated that approval was generally required from either the CEO, director or a manager if an employee wished to undertake secondary employment, whether the work was paid or voluntary.

One code, for example, clearly articulated that employees must seek approval from their manager to commence or continue in secondary employment or unpaid activity. It provided examples of jobs that may constitute secondary employment, and noted that failure to disclose and seek approval for secondary employment may result in disciplinary action.

Another code highlighted the importance of not sharing confidential information while employed by council, where employees have taken up secondary employment with organisations that deal with or are in the process of dealing with the council (eg planning application, tendering for council work). A third code expressly stated that council employees were precluded from working for the council under contract arrangements; employees could not act as staff and suppliers simultaneously.

Only around one-third (31 per cent) of respondents to the staff questionnaire across the six councils indicated they were aware of their council’s policy and processes in relation to secondary employment. This is lower than would be expected given secondary employment is covered in codes of conduct (97 per cent of respondents said they were aware of the code).

The level of awareness is also lower than the 2015 review, where almost one half of survey respondents stated they were aware of their council’s policy on secondary employment (47 per cent).

6.6 Risk area 6: Misuse of assets and resources

MISUSE OF ASSETS AND RESOURCES

GOOD PRACTICE OBSERVED IN THIS REVIEW INCLUDED:

Adopting policies and procedures around the appropriate use of council assets and resources, including policies on the use of motor vehicles, fuel cards, corporate credit cards, asset management and disposal of assets.
Establishing a range of controls to mitigate the risk of misuse of motor vehicles, fuel cards and corporate credit cards.
Clearly stating that fraudulent or unauthorised use of council assets and resources will be subject to the council’s disciplinary code and possibly criminal prosecution.
Maintaining registers or systems for managing low value assets including, for example, IT equipment, and small plant and equipment.
Undertaking regular and random audits of council assets and resources (eg checking motor vehicle log books and auditing fuel card usage).
Developing clear policies and controls around the disposal of surplus or scrap material and assets (regardless of value).

OTHER GOOD PRACTICE SUGGESTIONS:

Assigning unique identifiers to all small plant and equipment and other low value assets, and recording these in a register.
Ensuring all decisions regarding asset disposal are documented, even if assets are disposed via donation to not-for-profit organisations or charities.

COUNCIL STAFF QUESTIONNAIRE – SCENARIO

A senior council employee is a member of the local football club. Without authorisation, they arrange for the club to borrow council equipment to maintain the clubhouse at no charge. This saves the club thousands of dollars each year.

Under the LG Act, councils are required to ensure that resources are used efficiently and effectively, and that services are provided in accordance with the best value principles to best meet the needs of the local community.

In this review, only one council rated misuse of assets and resources as a medium to high risk. Two councils rated the issue as medium risk and three councils as low risk. Two councils linked the low risk of misuse of council assets and resources with their approaches to depot operations. One council stated it ‘contracts out road and parks maintenance so does not operate a traditional depot’, while another council stated ‘practices are in place at the depot and (have been) reviewed during the recent IBAC investigation into depots’.

Three councils also identified risks associated with the misuse of assets and resources on their risk registers, including:

unauthorised use of council fleet vehicles
misuse of fuel cards
misuse of council credit cards for personal gain
theft of council assets, equipment and materials.

Responses to the staff questionnaire indicated employees across the six councils were inclined to view misuse of assets and resources as a low risk issue: nearly half of respondents (45 per cent) rated the issue as low risk, 27 per cent as medium risk and only 11 per cent as high risk. The remaining respondents stated ‘don’t know’ or ‘prefer not to say’ (17 per cent). In the 2015 review, an even larger proportion of respondents rated disposal and sale of assets as low risk (74 per cent).

The high proportion of respondents who rated misuse of assets and resources as low risk may be linked to the relatively low level of awareness of council policies relating to the misuse of assets and resources. Only around a third of respondents (37 per cent) stated they were aware of their council’s asset replacement, sale and disposal policy.

However, all six councils had policies and procedures around the appropriate use of various council assets and resources. These include policies on the use of motor vehicles, fuel cards and corporate credit cards, asset management and disposal of assets.

The appropriate use of assets and resources was also addressed in each council’s staff code of conduct. (In 2015, five councils’ codes of conduct addressed expectations around use of resources.) One code, for example, included a section on the use of council equipment, assets, intellectual property and services. It stated that employees must not misuse these resources and provided examples of misuse, including using council’s equipment for personal or commercial gain.

6.6.1 Corporate credit cards

Corporate credit cards are generally used by councils to purchase low value goods and services, and when it is more efficient than using the purchase order system. Payment by credit cards may also occur when other payment methods are not acceptable to the supplier, or as an alternative to using petty cash. As one council stated in its credit card policy:

‘Corporate credit cards can deliver significant benefits to the Council through improved administrative practices and more efficient cash management. However, they can also expose the Council to significant risk if not properly controlled.’

Good governance arrangements and controls are required to mitigate corruption risks associated with the misuse of corporate credit cards and to facilitate the responsible issue and use of such cards.

LOCAL GOVERNMENT INSPECTORATE INVESTIGATION INTO CENTRAL GOLDFIELDS SHIRE COUNCIL

The LGI investigated multiple allegations relating to the use of a council credit card for personal, unauthorised expenses by the then CEO of Central Goldfields Shire Council. Over four years, the then CEO used his council credit card for 112 transactions on expenses unrelated to council business. The LGI reported on this matter in 2017, highlighting a lack of internal controls, inadequate policies and procedures, and an overall poor culture in relation to compliance. As a result of this investigation, charges were laid (including obtaining financial advantage by deception). The former CEO was convicted in December 2018 on five charges. He was fined $26,000 and ordered to pay $10,000 in costs.⁶⁶

All six councils had policies and/or procedures, which govern the use of corporate credit cards. The policies outlined employees’ obligations in relation to the appropriate use of credit cards and stated clearly that they must be used for business expenditure only.

One policy, for example, stated that cards are ‘to be used for official Council business only’ and that officers issued with a card were in a position of trust in regard to the use of public funds. Another council’s policy stated that in no circumstances should the corporate credit cards be used for personal expenditure, cash advances or gratuities. This policy also stated employees should apply the ‘public disclosure test’ to ensure credit card use was defensible if it were to come to public attention. A third policy stated that cards must not be used for high value purchases, where a purchase order is more appropriate, nor for regular purchases from the same supplier.

Relevant managers at each council were responsible for ensuring compliance with the policy and procedures, and that employees are aware of and understand their individual responsibilities associated with using a credit card. In most councils, employees applying for a credit card were required to sign a form acknowledging they were aware of their responsibilities and duties under the council’s policies and procedures. One council’s form included an acknowledgement that: ‘I understand that any deliberate abuse will result in employment with the council being terminated without any further warning’.

All councils advised they have a range of controls in place to mitigate misuse of corporate credit cards. Standard controls outlined in policies include the requirement to attach invoices to monthly cardholder statements to support all purchases, credit card limits (per transaction and per month), and reconciliation of transaction reports each month. Other controls included:

exception reporting (ie non-compliance reporting, which details activity that is unusual, fraudulent or exceeds spending limits)
regular and random audits
review of cardholder statements by the direct manager and an independent person (eg corporate credit card administrator)
credit card application assessment to be signed off by three levels of management (eg the cardholder’s manager, finance manager and the CEO).

One council maintained a register of credit cards, which recorded all issues and returns of cards. The finance manager (or their delegate) was responsible for the issue of credit cards and maintaining a register of those cards.

Breaches of council policies governing the use of corporate credits or purchase cards are taken seriously and employees are encouraged to report any issues internally for investigation. One policy noted that the fraudulent misuse of cards would be subject to the council’s disciplinary code and possibly criminal prosecution. Another policy stated that any employee who believed a cardholder was using a card to make unauthorised, excessive or unreasonable transactions must report the matter for investigation and appropriate action.

6.6.2 Motor vehicles and fuel cards

Using a council vehicle and fuel card for non-work purposes, when this does not form part of an employment contract, is an inappropriate use of council resources that can lead to disciplinary action or may constitute a criminal offence.⁶⁷ It is important to be clear about the appropriate use of these resources and the consequences of non-compliance.

All six councils had policies in place, which outline conditions of use of council motor vehicles and fuel cards. For example, one policy stated that fleet vehicles must not be used for any commercial activity or purpose, such as Uber. Similarly under no circumstances could the fuel card be used for personal gain. In the event of a breach of policy, the responsible manager would be notified and the employee may face disciplinary action.

Most councils’ policies covered the private use of vehicles, stating that employees must not use council vehicles for personal use (unless, in some cases, with the prior written approval of management). Two councils’ policies did not discuss unauthorised use of vehicles. Another council’s motor vehicle policy referred to circumstances which could give rise to disciplinary action, including driving while impaired by drugs or alcohol, but did not refer to unauthorised vehicle use.

Councils had a number of controls in place around appropriate use of council vehicles. All councils required drivers to complete a log book which notes travel distances and purpose of each trip. Some councils undertook random checks on log books. Good practice would be to regularly conduct checks of logbooks. Drivers were also required to provide an accurate odometer reading each time a vehicle was refuelled. Fuel had to be purchased using an allocated fuel card.

One council’s policy stated that all fuel and servicing dockets were to be attached to monthly fuel card transaction reports and returned to the central governance unit.

6.6.3 Minor assets

Minor assets or assets of low value⁶⁸ are vulnerable to theft and other forms of misuse (such as unauthorised personal use) because they are often attractive, portable, and sometimes subject to less oversight and controls than higher value assets. IBAC’s 2015 depots review identified deficiencies in the management of small plant and equipment at the sample of council depots reviewed.

The depots review found that to minimise corruption risks associated with misuse of small plant and equipment, councils should ensure these assets are appropriately marked as council property, recorded on registers, stored securely, and subject to regular and random audits.⁶⁹ It is also important that there are clear policies and controls around the disposal of surplus or scrap material and assets.⁷⁰

OPERATION CONTINENT

In 2013, IBAC investigated allegations of corrupt conduct involving employees at a council depot. The investigation identified a number of issues in the conduct and management of the depot that had potential to allow corrupt conduct to occur. These issues included poor record keeping, a lack of registers for managing physical assets, and inadequate controls such as audits and segregation of duties.

Three councils maintained registers or systems for managing minor (low value) assets. One council maintained two distinct systems for managing minor (low value) assets within IT. One system was used to manage tablets and smart phones. The other system managed computers and laptops. According to the council, the former system had, to date, had stronger controls than the latter. For example, ad hoc audits were conducted of tablets and smart phones. However, the council advised an audit for computers and laptops was planned for October 2018.

Another council maintained a register of ‘small plant and ancillary equipment’. While this is good practice, not all its assets currently have a unique identifier. However, the council advised it intends to attach a unique identifier to all small plant and ancillary equipment, in response to IBAC’s 2015 depots review.

One council also advised that it had a stand-alone disposal of assets policy, which covers office furniture and technology assets such as computers and printers. This policy stated that assets will normally be disposed of through ‘publicly competitive processes’ unless an alternative method was deemed appropriate. A second council maintained a disposal of assets policy for minor assets. This policy covered the disposal of minor assets that were no longer required or had reached the end of their useful lives, including excess material, obsolete equipment and other items surplus to council requirements.

A third council advised it was in the process of developing an asset disposal policy and asked IBAC for guidance on disposal of assets. IBAC highlighted the Queensland Crime and Misconduct Commission’s 2002 research on minimising integrity risks associated with the disposal of scrap and low value assets.⁷¹

It is also important that the process for disposing of councils’ assets is managed and authorised appropriately. Conflicts of interest must be avoided in the disposal process, and all decisions and reasons for decisions regarding asset disposal should be documented, even if assets are disposed by way of donation such as to not-for-profit organisations or charities. It is good practice to build controls around transparency and accountability for disposal of assets, regardless of value.

In our 2015 review of council depots, IBAC identified concerns with personal use of plant and equipment, including the possibility that it could be used for secondary employment and engender negative community perceptions.⁷² In this review, the six councils varied in how strongly they communicated the message that personal use of council property is not appropriate. For example, one council’s code of conduct stated that councils should ‘avoid using Council equipment or materials for personal commercial gain or on improvements to personal property’. This is not a sufficiently strong or clear message.

Another council stated in its code of conduct that it would not tolerate misuse of council equipment or assets. This council advised it prohibits employees using small plant and equipment for non-work purposes. This position was adopted in 2011 after it was identified that insurance did not cover employees’ personal use of equipment. The council communicates this to employees through toolbox meetings at the depot, in other meetings across council, induction training, memos and other instructions. This is good practice.

6.7 Risk area 7: Misuse of information

MISUSE OF INFORMATION

GOOD PRACTICE OBSERVED IN THIS REVIEW INCLUDED:

Highlighting information misuse as a risk in fraud and corruption prevention policies and plans.
Developing policies and procedures relevant to the appropriate use of information and information systems, including policies on information management and privacy.
Developing a stand-alone information security policy which addresses confidentiality, integrity and unauthorised access to sensitive information.
Providing guidance on the appropriate use of council information and information systems, and/or the importance of privacy and confidentiality in employee codes of conduct.
Requiring new employees to sign information confidentiality agreements when they commence employment with the council.
Requiring members of tender evaluation panels or contractors and consultants who are engaged to evaluate or supervise contracts to sign confidentiality agreements.
Ensuring contractors understand their obligation to maintain confidentiality of council information, and to comply with the council’s privacy policy and the Privacy and Data Protection Act 2014.

OTHER GOOD PRACTICE SUGGESTIONS:

Requiring employees involved in activities which involve access to information and have a heightened risk of corruption, such as procurement, to formally acknowledge they understand and comply with confidentiality obligations.

COUNCIL STAFF QUESTIONNAIRE – SCENARIO

A council employee helps their spouse set up a mailing list for their veterinary clinic by obtaining the addresses of registered pet owners from a council database.

IBAC has identified unauthorised information access and disclosure as a risk across the Victorian public sector. This includes access and disclosure by employees with high levels of access to information, such as system administrators or IT specialists. Unauthorised information access and disclosure are enablers of corrupt conduct and often can be overlooked as corruption risks by agencies. Unauthorised information access and disclosure is also a key corruption risk in procurement.

In 2015/16, VAGO found controls around information systems were an area of weakness across local government. Issues raised related to poor patch installation and outdated security updates, the use of outdated and insecure software and poor password policies.⁷³ These issues contribute to vulnerable systems which may be misused by council employees (and others).

The Privacy and Data Protection Act 2014 sets out 10 Information Privacy Principles, which govern the way public bodies, including councils, collect and handle personal information.⁷⁴ Under the Act, an organisation must take reasonable steps to protect the personal information it holds from misuse, loss or unauthorised access, modification or disclosure.⁷⁵

Five of the six councils rated misuse of information and information systems as medium risk. The sixth council rated it as low risk. (This is similar to the 2015 review, where four councils rated the issue as a medium risk and only one council rated it as high risk.) One council stated its medium risk rating was ‘based on the continuing escalation of cyber security threats’.

Three councils also highlighted the misuse of information and information systems as a key fraud and corruption risk in their fraud and corruption prevention policies. One council’s fraud policy, for example, highlighted the ‘deliberate falsification, concealment, destruction or use of falsified documentation and the improper use of information for personal financial benefit’, as a fraud and corruption risk.

However, only three councils included risks relating to information misuse on their risk registers. The risks noted largely related to inappropriate access, use or loss of data/information, misuse of intellectual property and information security breaches. Councils provided examples of controls to mitigate risks around information misuse on their risk registers:

user access management controls (eg restricted access, user access reporting, and password sharing controls)
requiring staff to acknowledge agreement of system user terms and conditions on first login
network security and system control audits
use of cloud solutions and ensuring information is encrypted correctly
IT and information security training.

One council advised that it had conducted an audit of information security and systems controls in 2015/16. This audit reviewed controls and security in the IT environment and looked at potential unauthorised access or loss of systems and data. The audit found that the council’s IT security and system controls were operating effectively; however, it highlighted opportunities for improvement in emerging risk areas, in particular cyber security threats.

Responses to the staff questionnaire suggested that employees across the six councils may view misuse of information as low risk, with just under half of respondents (46 per cent) rating misuse of information as a low risk issue, 31 per cent rating it as medium risk and only 11 per cent rating it as high risk. These results are consistent with the 2015 review (45 per cent of respondents rated misuse of information as low risk and 38 per cent as medium risk).

All six councils had policies and procedures relevant to the appropriate use of information and information systems, including policies on information management and privacy. Two councils had stand-alone information security policies concerned with the protection of confidentiality, integrity and unauthorised access of sensitive information and data. One such policy contained high-level statements about mitigation of risks associated with inappropriate use of information, while the other provided guidance on notebook security, cybercrime prevention and handling of security incidents. The staff questionnaire suggested a high level of awareness of council policies and procedures in relation to managing confidential information (80 per cent). This is similar to the 2015 review (83 per cent).

Each council’s code of conduct also provided guidance on the appropriate use of council information and information systems, and/or the importance of privacy and confidentiality. One code focused on information disclosure and stated that:

‘The council will not tolerate the misuse of information made available to council, which includes using information for personal gain or for any purpose other than the purpose for which it was obtained.’

Another council’s code placed an emphasis on privacy and confidentiality, stating that employees were expected to understand the importance of personal privacy and confidentiality, and referred specifically to the need to regularly renew passwords, use information for official purposes only, and not disclose personal information unless authorised.

6.7.1 Information access and disclosure

Improper use of confidential information occurs when an employee of a public sector agency accesses information held by the agency for private use and/or benefit, either for themselves or another person or entity. It can involve unauthorised access and/or disclosure of information.⁷⁶

Unauthorised information access and disclosure is discussed across a range of the six councils’ policies. One council’s records management policy stated that employees must protect records from unauthorised access and release of information. Another council’s information management policy emphasised that employees must not disclose or use any information that relates to council business for personal gain, during or after their employment.

All councils addressed the risk of unauthorised information access and disclosure in relation to procurement. As a minimum, all councils included in their procurement policies the obligation on employees to maintain confidentiality of commercial-in-confidence information (including prices). One council’s procurement policy was particularly strongly worded:

‘Quotations received from suppliers are confidential and must not be divulged to other suppliers in order to achieve a better price. It does not meet probity requirements nor are council’s interests well served by “playing off” one supplier against another…

All incidents of collusive tendering, breaches of confidentially or other probity related issues are to be reported directly to council executive.’

One council reiterated the need for confidentiality in procurement in its information management policy.

6.7.2 Privacy and confidentiality

It is good practice for councils to ensure that employees involved in activities which include access to information and have a heightened risk of corrupt conduct (such as procurement) fully understand their obligations in relation to confidentiality and formally acknowledge that they understand and will comply with that obligation.

All six councils had a privacy policy in place as required under the Privacy and Data Protection Act. The policies outlined councils’ obligations under that Act with regard to the collection, management and disclosure of personal information. Most policies also referenced the Information Privacy Principles, including those relating to information use and disclosure, and data security. However, one council’s policy did not specifically address the potential deliberate misuse of information.

In an example of good practice, one council required employees to sign information confidentiality agreements when they commenced employment. Another council advised it did not require staff to sign confidentiality or non-disclosure agreements regarding information obtained during the course of their employment, and agreed this is an area for improvement.

In addition to the requirements on council employees, all councils’ policies highlighted the requirement for contractors to comply with the Privacy and Data Protection Act. One council, for example, required all of its service delivery contractors to comply with its privacy policy, as well as the requirements of the Act. The council advised that this is a provision in its contracts with suppliers.

A second council’s policy stated that it would take reasonable steps to ensure contractors’ compliance with the Privacy and Data Protection Act. The council’s confidentiality provisions were also reinforced with contractors in a one-page policy on ‘tender and contract confidentiality’. Contractors or consultants engaged to evaluate or supervise contracts were required to sign a confidentiality agreement.

The majority of councils required members of tender evaluation panels to sign a confidentiality declaration, stating they would not disclose any information about the tender process, tenderers or tender responses to any person who is not part of the formal selection process.

³⁹ Victorian councils spend between 45 and 60 per cent of their annual budgets on procurement. Minister for Agriculture, Local Government Bill 2018, Second reading speech, 21 June 2018, Hansard, p.2963.

⁴⁰ Local Government Act 1989, s186A.

⁴¹ Local Government Act 1989, s186(1). Amounts were fixed in an Order-in-Council as reported in the Victorian Government Gazette, Number G 32, 7 August 2008, p.1908, to align with the procurement thresholds then applicable in state government. IBAC is aware that these requirements may change in the future, as a Bill which was before Parliament in 2018 but not passed before the November 2018 state election, proposed a less prescriptive approach. The proposed new approach would allow councils to set their own procurement thresholds consistent with the principles of sound financial management, and open and fair competition.

⁴² Victorian Auditor-General’s Officer, Tendering and contracting in local government, 2010, p. ix.

⁴³ Local Government Victoria, Best Practice Procurement Guidelines 2013, p.131.

⁴⁴ Local Government Victoria, Best Practice Procurement Guidelines 2013, p.131.

⁴⁵ <www.mav.asn.au/events/e-learning-portal/doing-business-with-local-government>.

⁴⁶ <www.icac.nsw.gov.au/preventing-corruption/knowing-your-risks/cash-handling/4909>.

⁴⁷ <www.icac.nsw.gov.au/preventing-corruption/knowing-your-risks/cash-handling/4909>.

⁴⁸ Local Government Act 1989, s 95.

⁴⁹ Local Government Act 1989, s 80B and s 80C.

⁵⁰ Local Government Act 1989, ss 77B-78E.

⁵¹ IBAC is aware that these requirements may change in the future, as the Bill which was before Parliament in 2018 (but not passed) proposed an alternative approach which would require employees (and councillors) to consider whether they have a material or general conflict of interest. A material conflict of interest was defined as a situation where an employee (or councillor) or a person with whom they have a relationship stands to gain or lose as a result of a decision.

⁵² Seventy-six per cent of respondents stated that they were aware of their council’s policy in relation to conflicts of interest.

⁵³ Queensland Crime and Corruption Commission, Audit Report on Conflict of Interest, 2017, p.13.

⁵⁴ The ‘GIFT test’ asks employees to consider:

Giver – who is making the offer and what is their relationship to me?
Influence – are they seeking to gain an advantage or influence my decisions or actions?
Favour – are they seeking a favour in return for the gift, benefit or hospitality?
Trust – would accepting the gift, benefit or hospitality diminish publish trust?

⁵⁵ Local Government Act 1989, s 78C.

⁵⁶ IBAC, Corruption and misconduct risks associated with employment practices in the Victoria public sector, August 2018.

⁵⁷ Local Government Act 1989, s 94C.

⁵⁸ A further 10 per cent stated that they did not know or preferred not to say.

⁵⁹ A further 15 per cent stated that they did not know or preferred not to say.

⁶⁰ IBAC, Corruption and misconduct risks associated with employment practices in the Victoria public sector, August 2018, p.8.

⁶¹ Victorian Public Sector Commission, Executive Re-employment Screening Policy, 2018.

⁶² IBAC, Corruption and misconduct risks associated with employment practices in the Victoria public sector, August 2018, p.19.

⁶³ The Bill which was before Parliament in 2018 (but not passed before the November 2018 state election) proposed that councils be required to develop a CEO employment and remuneration policy. One element of the policy would be that independent professional advice be obtained regarding the recruitment, remuneration and performance monitoring of the CEO.

⁶⁴ Local Government Inspectorate, Protecting Integrity: Leading the way. Managing the employment cycle of a council CEO, 2018.

⁶⁵ It is acknowledged that minimal and reasonable personal use of some council assets (such as phones and computers) is acceptable, and is usually acknowledged in policies.

⁶⁶ Local Government Inspectorate, Former Central Goldfields CEO convicted on five charges, <www.vic.gov.au/lgi/publications-and-resources/media-releases/former-central-goldfields-ceo-convicted-on-five-charges.html>.

⁶⁷ A useful resource is NSW ICAC’s 2008 ‘tip sheets’ on use and misuse of public sector resources for employees and managers. <www.icac.nsw.gov.au/docman/preventing-corruption/tip-sheets>.

⁶⁸ Low value or minor assets can include items such as office furniture, IT equipment, mobile phones, as well as surplus and obsolete items.

⁶⁹ IBAC, Local government: Review of council works depots, May 2015, p.4.

⁷⁰ <www.icac.nsw.gov.au/docman/preventing-corruption/tip-sheets/1278-use-and-misuse-of-public-sector-resources-tip-sheet-for-employees/file>.

⁷¹ Queensland Crime and Misconduct Commission, The Public Scrapbook: Guidelines for the correct and ethical disposal of scrap and low-value assets, March 2002.

⁷² IBAC, Local government: Review of council works depots, May 2015, p.44.

⁷³ Victorian Auditor-General’s Office, Local Government: 2015-16 – Audit Snapshot, November 2016, p.7.

⁷⁴ Privacy and Data Protection Act 2014, s 13(1)(d) states that the Act applies to a council.

⁷⁵ Privacy and Data Protection Act 2014, Sch. 1, Principle 4.

⁷⁶ Queensland Crime and Corruption Commission, Unauthorised access, disclosure and the risks of corruption in the Queensland public sector, May 2016, p.5.

ETHICAL CULTURE AND LEADERSHIP

GOOD PRACTICE OBSERVED IN THIS REVIEW INCLUDED:

Including statements from the CEO in employee codes of conduct that emphasise the importance of understanding and complying with the code, and using it to guide ethical decision making.
Promoting an ethical organisational culture, including a zero tolerance approach to accepting gifts, benefits and hospitality.
Nominating a senior officer in the organisation to have overall responsibility for fraud and corruption control, including reporting to the executive team and audit and risk committees.
Nominating senior officers to be responsible for protected disclosures and welfare management in the organisation.
Embedding risk management accountabilities into managers’ position descriptions, including key performance indicators.
Maintaining a commitment to education and training, including regular training to employees on fraud and corruption awareness, risk management, procurement and protected disclosures.

OTHER GOOD PRACTICE SUGGESTIONS:

Being explicit about managers’ responsibilities for building corruption and fraud resistance in position descriptions.

In environments where there is no shared understanding of, or support for, organisational values, including integrity, it is easier for individuals to rationalise corrupt conduct and ignore the harm their actions may cause. Likewise, poor supervision of staff can facilitate opportunities for corrupt conduct.

An important element of corruption prevention is to ensure that all employees understand what constitutes corrupt conduct and are aware of corruption risks, as well as how to report suspected corrupt conduct. It is also important the community is aware of required employee standards of conduct, to hold employees to account, and to discourage external attempts to engage employees in corrupt conduct. This also encourages community reporting of corruption.

Reporting cultures can be undermined when employees are not confident that their leaders will respond appropriately to issues when they arise. In IBAC’s 2017 perceptions of corruption survey, 20 per cent of respondents agreed with the statement ‘if I reported corruption, I could lose my job’, while 28 per cent agreed with the statement that ‘if I reported corruption, I would experience personal repercussions (other than losing my job)’. Managers should actively encourage staff to report suspected corrupt conduct and reinforce that reprisals for making disclosures will not be tolerated.

The following discussion outlines key findings and good practice observed in the six councils in relation to:

employee perceptions of organisational culture
organisational values and standards
commitment to education and training
information available to the public
senior management oversight.

Chapter 8 discusses the importance of developing and promoting a culture of safe reporting as part of an ethical culture.

7.1 Perceptions of organisational culture

FIGURE 4: EXTENT TO WHICH COUNCIL STAFF ‘AGREE’ OR ‘DISAGREE’ THAT THE CULTURE AT THEIR COUNCIL ENCOURAGES PEOPLE TO ACT WITH HONESTY AND INTEGRITY

Figure 4 alt text: A donut chart showing 44% strongly agree, 41%agree, 8% neither agree or disagree, 4% disagree, 2%strongly disagree, and 1% don’t know or prefer not to say. n=648

A large majority of respondents to the staff questionnaire across the six councils agreed that the culture at their council encourages people to act with honesty and integrity, with 85 per cent either agreeing or strongly agreeing with this statement. In IBAC’s 2017 perceptions of corruption survey, 74 per cent of respondents agreed with the same statement.

Encouragingly, almost two-thirds of respondents across the six councils (63 per cent) also considered their council to be ‘very’ or ‘moderately’ effective at preventing corruption. In response to the question why do you think your council is extremely or very effective at preventing corruption, respondents cited effective policies and procedures, good governance, education and training, leadership and a strong organisational culture.

In relation to organisational culture and setting the tone from the top, one respondent commented:

It starts from the quality, ethics, character, principles and commitment of the CEO to drive positive culture change and to then ensure that the right staff are employed… the CEO is the one who sets the tone of the council as an organisation.

- Council employee

Other respondents considered ‘strong leadership’, with ‘high standards set by the leadership team’ and an ‘honest culture’ as helping their council prevent corruption. Education and training also plays a significant role, with one respondent stating ‘there has been a strong emphasis in recent years on up-skilling managers and other senior staff’.

7.2 Organisational values and standards

Codes of conduct document the behaviours and standards that an organisation expects of its employees. Codes of conduct can also help employees understand the parameters of unacceptable behaviour. A clear code which is regularly reinforced with employees can help to provide a common understanding of organisational expectations, and remedial, disciplinary or other consequences if an employee’s conduct falls short of the required standard.

As required by the LG Act, each council maintains a code of conduct. The codes aim to provide all employees with guidance on expected minimum standards of behaviour and professional conduct. Two codes of conduct included a message from the CEO highlighting the purpose of the code, emphasising the importance of understanding and complying with the code, and using it to guide ethical decision making.

All six codes of conduct had a reasonably broad application, with most codes covering all council employees, volunteers and contractors. Two codes also covered work experience students and/or graduate placements. The 2015 review found one council had separate codes of conduct for volunteers and contractors. It is important that all people who work for the council in either a paid or unpaid capacity understand the standards they are expected to uphold.

Four councils required employees to sign a form acknowledging that they had read and understood the code of conduct. In 2015, two councils required their employees to sign such an acknowledgement. In this review, one council advised that all new employees were required to sign a form to acknowledge they understood their obligations under the code of conduct, as well as the employee handbook and council’s fraud policy.

Requiring employees to formally acknowledge the code of conduct is one way of promoting understanding of the expected standards of conduct. It can also assist in establishing that an employee was aware of expected standards, if they are later accused of misconduct.

Nearly all staff questionnaire respondents across the six councils (97 per cent) indicated they were aware of their council’s code of conduct. And two-thirds (66 per cent) said they had received training on the code in the past 12 months, suggesting codes of conduct are accessible and actively promoted by councils.

One council’s code of conduct training specifically covered conflict of interest, gifts and benefits, fraud and corruption, privacy and confidentiality, and the appropriate use of council resources. All new employees, volunteers and contractors were required to complete an e-learning module on the code of conduct as a condition of employment.

All six councils posted their employee codes of conduct on their intranet; however, only two councils had made their code publicly available on the internet. Consideration should be given to publishing the code on websites to make it easily accessible to members of the community as well as volunteers, contractors and suppliers (particularly where councils do not have separate guidance for these groups). It is also important to ensure the code is regularly reviewed and updated. Three councils had codes of conduct which had been reviewed within the past three years. This is good practice.

All codes of conduct made reference to either corrupt conduct or fraud, although there was generally a greater focus on fraud than corruption. One council’s code of conduct, for example, stated it did not tolerate fraudulent activity, and made no reference to corruption. Other councils, however, included strong statements about corruption and provided definitions and examples. One council’s code stated:

‘[The council] has zero tolerance for corrupt conduct or fraudulent activity. [The council] is committed to preventing, deterring, detecting and reporting corrupt and fraudulent behaviour. Fraud and corruption is the use of deception or misrepresentation to obtain an unjust advantage or benefit, or to cause a disadvantage or loss to [the council], and includes theft and misappropriation of [council] assets. Examples include, but are not limited to, forgery or stealing or misusing equipment, cash, records, intellectual property or other [council] property.’

It is good practice to be explicit about the risk of corruption, misconduct and fraud, by providing definitions and examples to assist employees’ understanding.

In addition to corrupt conduct and fraud, all six councils’ codes covered key corruption risks including conflicts of interest, gifts and benefits, secondary employment, information misuse/confidentiality, and misuse of council assets and resources.

Most of the six councils’ codes of conduct outlined how employees can make a complaint or report corrupt conduct via internal channels (eg protected disclosure coordinators, managers, human resources areas); however, not all codes specified that disclosures can be made directly to IBAC.

All six codes of conduct clearly discussed the implications associated with a breach of the code, noting that a breach may constitute misconduct which will be managed in accordance with the council’s disciplinary policy and may result in dismissal. Most codes expressly stated that unlawful actions may lead to criminal charges and/or civil action.

7.3 Commitment to education and training

A key element of corruption prevention involves ensuring all employees understand what types of behaviour constitutes corrupt conduct as well as establishing awareness of key corruption risks and issues. This is reflected in the Australian Standard on Fraud and Corruption Control, which states that organisations should ensure all employees have a general awareness of fraud and corruption and how to respond if they detect or suspect this activity.

Accordingly, it is important that councils have clear policies and procedures in place and ensure employees are trained in relevant policies, to minimise non-compliance, and potential misconduct and corruption. All six councils provided a range of education and training in areas relevant to integrity frameworks.

Responses to the staff questionnaire suggested online resources (councils’ internet and/or intranet) were the main source of information for employees, followed by supervisors/managers, colleagues, staff newsletters and CEO updates. These findings are consistent with the 2015 review.

Around one-third of respondents said they did not know where to get information about protected disclosures (33 per cent), asset replacement, sale and disposal (35 per cent) and secondary employment (38 per cent).

While one council suggested the terminology used in the questionnaire may not have been well understood by respondents in relation to certain risks, IBAC suggests councils can do more to raise awareness of how to make protected disclosures, and policies around asset management and secondary employment.

The following discussion examines the education and training initiatives in place in the six councils in relation to four key themes:

risk management
fraud and corruption awareness
procurement
protected disclosures.

Risk management

Risk management training and awareness was recognised as a requirement for employees at each council and was generally provided to senior employees (directors, managers, supervisors) and risk coordinators. Some councils also provided risk management training to all employees.

For example, one council provided tailored risk awareness/training programs for all staff which included:

risk management awareness training for staff and management, covering risk identification
risk assessment and analysis
treatment of risks
use and review of internal controls to manage risks
responsibilities and accountabilities with regard to risk management
use of risk management framework tools.

This council-tailored training incorporated team meetings, toolbox meetings, online/e-learning modules and staff newsletter articles. Contractors and volunteers also received risk management awareness training relevant to their roles.

Another council advised that all employees received risk management training during the induction process. However, the council was in the process of incorporating risk management training into its corporate training schedule and providing annual refresher courses to those in managerial positions.

A large majority of respondents (85 per cent) to the staff questionnaire across the six councils said they were aware of their council’s risk management policy; however, only 59 per cent said they had received any information or training on risk management over the last 12 months.⁷⁷

This is not surprising, as most councils appear to target risk management training to employees with specific risk responsibilities (eg managers). The questionnaire was predominantly completed by staff employed at Band 5 or 6 or equivalent and those without supervisory responsibilities.

Fraud and corruption awareness

Five of the six councils provided corruption and fraud awareness training. The sixth council advised it does not currently provide training in these areas, but noted it is an outstanding action item from a 2016 internal audit.

Two councils provided a tailored e-learning module on fraud and corruption awareness for all employees. In one of these councils, employees were assessed on 14 questions covering:

examples of corruption and fraud
examples and consequences of unethical behaviour
protected disclosures, including making disclosures and reporting corrupt activities
corruption and fraud scenarios relating to misuse of council resources and information
reporting breaches of the fraud and corruption control policy.

This council’s induction program also covered the fraud and corruption control policy.

In the second council, the e-learning module was designed to increase employee understanding of fraud and corruption, and incorporated workplace examples of fraud and corrupt conduct. The module also covered fraud and corruption in the context of key risk areas such as handling information, providing products and services and managing assets, and employees completed an online assessment at the conclusion of the module.

Another council had incorporated corruption and fraud awareness and control into its code of conduct e-learning module. In addition to corruption and fraud, this training also covered key corruption risks including conflicts of interest, gifts, benefits and hospitality, and the appropriate use of council resources.

Other awareness raising within the six councils occurred via team meetings and staff newsletter articles. Face-to-face training and presentations, typically as part of toolbox meetings, were also provided to non-desk-based staff or those working in the field. Staff were also required to sign attendance forms and complete an assessment form to demonstrate their understanding of the training.

Sixty-four per cent of respondents to the staff questionnaire across the six councils stated they were aware of their council’s fraud and corruption prevention policy – an increase from the 2015 review (45 per cent). However, only 39 per cent of respondents stated they had received any information or training on fraud and corruption prevention in the last 12 months.

Procurement

All six councils provided information to IBAC on the procurement-related training they provided to employees. This is an improvement on the 2015 review, where limited information about procurement training was provided by most councils (only one council referred to training in its procurement policy).

In this review, one council advised it provides a range of training relating to procurement and contract management. This includes contract management training for contract supervisors, general procurement training for regular requisitioners, supplier evaluation and selection training, and training specific to conditions of contracts.

Another council stated it provided mandatory training for employees who have some responsibility for procurement. An internal learning program was delivered one-on-one by the team responsible for overseeing procurement. Online requisition training was also offered biannually, and was provided internally on a one-on-one basis.

A third council provided examples of its procurement training, namely two presentations on how to undertake a tender or request-for-quote process. Both presentations provided context around why it is important to follow correct processes, by highlighting legislative obligations and the risks associated with failing to comply. The presentations included ‘war stories’, citing a 2009 Victorian Ombudsman investigation and a 2010 VAGO audit report.

Highlighting real-life examples of how procurement can be corrupted in councils and the consequences for those involved is an effective training tool. Corruption prevention resources are also available on IBAC’s website (including special reports and case studies on investigations), highlighting corruption vulnerabilities and practical prevention approaches. These resources will assist councils in training employees about corruption risks associated with procurement.

A relatively high proportion of respondents to the staff questionnaire across the six councils stated they were aware of their council’s procurement/contract management policies (71 per cent, compared with 76 per cent in 2015. And just over one-third advised they had received training on procurement/contract management in the last 12 months (35 per cent compared with 47 per cent in 2015). Although there appears to be a good level of employee awareness of councils’ procurement and contract management policies, more could be done to provide training in these areas, and to highlight corruption risks.

Protected disclosures

In most of the six councils, information and training on protected disclosures was integrated into the employee induction process or into training on the code of conduct or corruption and fraud awareness. Additional training was also provided by some councils for employees with specific responsibilities and functions under the PD Act.

For example, one council conducted education and awareness-raising activities in relation to protected disclosures, including mandatory training for specified officers. This training covered how to make disclosures, to whom disclosures can be made, confidential and anonymous disclosures, detrimental action, and protections. Protected disclosures were covered in induction sessions, and basic information provided through brochures and posters. This material advised staff of their right to make a disclosure to their council or IBAC, and advised that they could seek advice confidentially and anonymously.

A second council, in its fraud and corruption awareness training, encouraged employees to report misconduct and corruption, and informed them of the protections available under the protected disclosure regime. A third council also provided front-line customer service and records officers with training to enable them to identify and report disclosures from external sources. This is good practice.

Overall, 46 per cent of respondents to the staff questionnaire across the six councils stated they were aware of their council’s process for making and managing protected disclosures. However, only 25 per cent of respondents stated they had received any information or training on protected disclosures in the past 12 months. The results are similar to the 2015 review where 45 per cent of respondents were aware of their council’s process for making and managing protected disclosures, and 23 per cent of respondents had received information or training on this issue.

These results are somewhat disappointing given the current protected disclosure regime has been in place for more than five years. Councils can do more to improve employees’ awareness of how to make protected disclosures and the protections available under the PD Act.

IBAC has established a Protected Disclosure Community of Practice which provides protected disclosure coordinators across the public sector with opportunities to network, share knowledge and build their skills in managing protected disclosure complaints. IBAC has also published a series of fact sheets and a standard presentation on protected disclosures to assist protected disclosure coordinators to raise awareness within their organisations. These resources may assist councils to promote the protected disclosure regime within their organisations.

7.4 Information for the public

Councils were asked if they provide any specific information, education or training to the public about how to interact with the council to minimise opportunities for corruption.

In accordance with legislative requirements, all councils published information about their protected disclosure procedures and procurement policy on their websites. In addition, a range of other policies were available on councils’ websites, including risk management frameworks, employee codes of conduct, complaints policies, customer service charters, and policies in relation to corruption and fraud prevention. For example, one council’s customer service charter stated:

‘Council employees are responsible and accountable for ensuring the security and confidentiality of records containing personal information (eg name, address, phone number, etc). Unless required by law, personal information must not be released without written consent from the individual the information relates to, or their legal representative.’

Councils advised of other ways they communicate with individuals or groups outside of the council to help minimise opportunities for misconduct or corruption:

information is provided to aged care and disability clients on the council’s policy regarding gifts and benefits
all successful tenderers are provided with a copy of the council’s fraud and corruption policy and protected disclosure procedures
annual forums are run to engage directly with suppliers, covering the council’s quotation and tendering processes
publication of a tender and quote guide on the council’s website
community organisations are provided with the council’s community grants program policy.

It is good practice to raise awareness externally regarding a council’s expectations of its employees and others, to make clear what is and is not acceptable. This is particularly appropriate when conflicts of interest can arise, for example, in relation to employees’ interaction with community members or suppliers.

Information on how to report suspected corrupt conduct was generally limited to protected disclosures (discussed in section 8.2.1). There is merit in communicating more generally to the community, including through council websites, to encourage reporting of concerns regarding the conduct of employees.

IBAC RESOURCES

IBAC has a number of useful resources on its website that provide information to the Victorian public sector and the community on reporting corruption. These include:

Public sector corruption hurts all Victorians⁷⁸
Reporting corruption and misconduct⁷⁹
Local council complaints⁸⁰
What is a protected disclosure?⁸¹

7.5 Senior management oversight

The Australian Standard on Fraud and Corruption Control states that senior managers should display a high level of commitment to controlling the risks of fraud and corruption, both within and outside of the organisation. According to the Standard, good practice is to have a dedicated area or position within an organisation with clear responsibility for corruption awareness and prevention.

The organisational survey asked the six councils to describe mechanisms to monitor corruption prevention controls. Councils’ responses focused on their risk management and audit controls but four councils also said they had a dedicated senior representative as a central point of contact for corruption and fraud prevention within their organisation.

In three of these councils, the senior officer was a member of the executive management team and also attended audit committee meetings. This is good practice. For example, at one council, the executive responsible for governance had responsibility for fraud and corruption, as well as protected disclosures, risk management, and internal and external audit. This position reported directly to the CEO and was a member of the audit committee and the risk management committee. In another council, the director corporate services was the senior representative for anti-corruption measures within the organisation. This director also attended audit committee meetings, with the finance manager and the CEO.

Senior management in some of the councils also had responsibility for protected disclosures and welfare management, which may indicate a commitment at senior levels to encouraging a reporting culture and managing the wellbeing of disclosers.

One council described the broad roles and responsibilities of all managers and executive team members in fostering a corruption resistant culture, which include:

promoting a work environment and culture that fosters behaviour that is consistent with the highest ethical standards
identifying risk exposures to corrupt and fraudulent activities, and establishing controls and procedures for prevention and detection of such activities
educating employees about corruption and fraud prevention and detection.

Although manager position descriptions at this council included risk management responsibilities, there was no specific reference to corruption and fraud prevention. It would be better practice to be more explicit about managers’ responsibilities for building corruption and fraud resistance in formal documentation, including position descriptions.

⁷⁷ The previous review did not cover risk management, as such a comparison with 2015 data is not possible.

⁷⁸ IBAC Information sheet – Public sector corruption hurts all Victorians, August 2017.

⁷⁹ IBAC Fact sheet – Reporting corruption and misconduct, July 2016.

⁸⁰ IBAC flow chart – Local council complaints, November 2017.

⁸¹ IBAC Fact sheet – What is a protected disclosure? February 2018.

DETECTION AND REPORTING

GOOD PRACTICE OBSERVED IN THIS REVIEW INCLUDED:

Developing comprehensive protected disclosure procedures, based on the PD Act and IBAC guidelines.
Ensuring relevant policies and procedures outline both internal and external channels for employees to report suspected fraud and corruption (including employees’ ability to report to IBAC directly).
Ensuring a broader application of the council’s protected disclosure procedures to include employees, councillors, volunteers, contractors and consultants.
Providing examples of corrupt and improper conduct in relevant policies and procedures to help employees better understand the types of conduct that should be reported and may be assessed as a protected disclosure.
Appointing a welfare officer to support disclosers or a person who is the subject of the disclosure.
Operating a centralised reporting system which can only be accessed by authorised employees, to enhance confidentiality and minimise the risk of reprisals.
Clearly stating the responsibility of the council CEO to mandatorily report suspected corrupt conduct to IBAC, in relevant policies and procedures.

OTHER GOOD PRACTICE SUGGESTIONS:

Ensuring information regarding protected disclosure procedures, including available protections and IBAC’s role and contact details, can be readily accessed by employees and the public, including on the council’s intranet and website.
Encourage community members to report concerns regarding conduct of council employees (eg via council’s website and local media).
Requiring suppliers and prospective suppliers to report suspected misconduct and corrupt conduct, and to make this obligation clear, for example through a code or contract.

An integrity framework must include mechanisms to help councils detect instances of suspected corrupt conduct in a timely manner. Detection mechanisms sit alongside strong risk management policies, corruption and fraud control frameworks, and policies and procedures in relation to identified corruption risks to form an integrity framework.

Detection mechanisms include effective reporting procedures for employees and others (including members of the public and suppliers) and strong auditing practices.

8.1 Identifying corrupt conduct

All six councils said they had experienced instances of suspected corrupt conduct over the past three years. The most common means of detection was conduct ‘identified by work colleagues’. This is consistent with the 2015 review.

In the current review:

five councils stated suspected corrupt conduct had been reported by work colleagues through complaint handling procedures (including matters relating to unauthorised access to confidential information and inappropriate procurement practices)
two councils stated suspected corrupt conduct had been identified by supervisors/managers (including allegations of preferential treatment towards particular suppliers)
three councils stated suspected corrupt conduct had been identified by clients or suppliers (including allegations of employee theft, and conflicts of interest).

In addition, three councils said they were aware that protected disclosures had been made involving allegations of potentially corrupt conduct at their council.

8.2 Employee willingness to report

FIGURE 5: WILLINGNESS TO REPORT OBSERVED OR SUSPECTED SERIOUS CORRUPT CONDUCT BY COUNCIL EMPLOYEES

Figure 5 alt text: A donut chart showing 73% responded yes, 5% no, 19% don’t know, and 2% prefer not to say. n=500

Responses to the staff questionnaire indicated a substantial majority of council employees across the six councils were willing to report suspected serious corrupt conduct (73 per cent) and would primarily report issues to their immediate supervisor/manager (49 per cent), protected disclosure coordinator (25 per cent) or the CEO (11 per cent). Only four per cent said they would report to IBAC.

This is broadly consistent with IBAC’s 2017 perceptions of corruption survey, where 75 per cent of local government respondents said they would report corruption if they personally observed it, and the largest proportion of respondents (33 per cent) said they would report to their immediate manager.

However, despite high levels of willingness to report corrupt conduct (particularly to managers) and the existence of protected disclosure provisions (discussed in section 8.2.1):

29 per cent of respondents were not confident they would be protected from victimisation for reporting serious corrupt conduct, and a further 33 per cent were unsure if they would be protected.

One respondent stated:

[There is] no hesitation about reporting what seems wrong; it is knowing the best channels and feeling confident about protection (and not adversely affecting career prospects) that is the issue. Staff can be ‘shown the door’ in apparently legit ways or under the guise of other issues.

- Council employee

A similar issue was identified in IBAC’s 2017 research where only 30 per cent of local government respondents felt they would be protected from victimisation if they reported corruption. It is worth noting that this issue also exists in the broader public sector – only around one in five state government respondents (21 per cent) believed they would be protected from victimisation if they reported corruption.⁸²

Of the respondents who gave reasons for not reporting or being unsure whether they would report, the most common reasons were:

fear of reprisal (68 per cent)
senior management would not do anything about it (60 per cent)
making a report could affect my career (56 per cent)
need to have evidence to back up the allegation (48 per cent).

In the 2015 review, the most common reason respondents gave for not reporting or being unsure if they would report was the belief that they needed evidence to support the allegation (71 per cent).

In consultations for this review, one council commented that the high threshold for protected disclosures and perceived poor outcomes for those who report may explain a lack of confidence in protection from victimisation.

However, other councils highlighted evidence of the information and support they provide to disclosers to encourage reporting. One council said it sets clear expectations on reporting and does not tolerate reprisals. The council stressed there would be no ramifications for reporting and encouraged use of an employee assistance program. A second council commented it encourages reporting as part of its e-learning fraud and corruption module, while a third council advised it highlights the role and responsibilities of the protected disclosure coordinator in its fraud and corruption training; this council did, however, acknowledge that the message about organisational support may not be most effective coming from an external deliverer of training.

It is important that employees are willing to report corruption, and councils have a critical role in educating employees about how to report wrongdoing and the protections available to them under the protected disclosure regime. One council acknowledged more needs to be done to communicate with its employees about what the council is doing to prevent corrupt conduct and the protections available to employees who report.

All six councils’ fraud and corruption control procedures outlined processes for employees to report suspected fraud and corruption. These were largely focused on internal channels for reporting, including managers, directors, CEOs, and protected disclosure coordinators. Four councils also reiterated how employees can report misconduct or corruption in their codes of conduct.

However, there is limited reference to employees’ ability to report to IBAC directly, with only four councils’ codes or policies referring to IBAC as a reporting channel. Of the four, one council’s fraud and corruption policy incorrectly stated that employees can report directly to IBAC only in relation to complaints about councillors.

In an example of good practice, one council’s code of conduct included a section on reporting corrupt or improper conduct, and stated that disclosures can be made directly to IBAC, and provided contact details. The code also stressed that employees’ confidentiality would be maintained and that protection was guaranteed under the PD Act. These messages were reinforced in training provided on the code of conduct.

Sections 8.2.1 and 8.2.2 below discuss procedures in place within the six councils in relation to protected disclosures and mandatory notifications.

8.2.1 Protected disclosures

During the period of this review, the legislation concerned with protecting people who make disclosures about improper conduct in Victorian councils was the Protected Disclosure Act 2012. A new ‘public interest disclosure’ (PID) scheme will replace the ‘protected disclosure’ scheme from 1 January 2020. There are no substantive changes to the obligations of councils under the new scheme. For the purposes of this report, we refer to ‘protected disclosures’.

The protected disclosure regime is an important way of encouraging employees to report suspected corrupt conduct, as the PD Act protects people who make disclosures about improper conduct in the public sector.

All six councils had developed protected disclosure procedures, as required under section 58(1) of the PD Act. These procedures generally made it clear that the council would not tolerate improper conduct by the organisation, employees, or councillors, or the taking of reprisals against anyone who makes a disclosure.

All six councils’ protected disclosure procedures were comprehensive and were based on the Act (eg in relation to definitions of improper conduct) and IBAC’s 2016 Guidelines for making and handling protected disclosures. The procedures outlined sound processes for receiving protected disclosures (including through the appointment of protected disclosure coordinators), notifying IBAC of assessable disclosures, putting in place secure information management systems to manage protected disclosures, and training relevant staff in how to receive, handle, assess and notify disclosures.

There were some errors in the procedures. For example, one council’s procedures stated that disclosures could be made to the Victorian Inspectorate, but only disclosures about IBAC can be made to the Victorian Inspectorate.

The protected disclosure procedures generally apply to employees and councillors. However, one council had a broader scope, with its procedures applying to employees, councillors, volunteers, contractors and consultants. Two councils also made it clear in their procedures that members of the public can make protected disclosures. For example:

‘Councillors, employees or contractors and members of the public are encouraged to raise matters of improper conduct, including suspected fraud, corruption, substantial mismanagement of public resources, risk to public health and safety, risk to the environment, or detrimental action.’

As stated in section 6.1.2, in 2017 the VGPB introduced a supplier code of conduct. This code states that suppliers are expected to report to the relevant public sector agency or IBAC if they suspect that another supplier or a public sector employee has engaged in misconduct or corrupt conduct. It would be good practice for councils to require their suppliers to report suspected misconduct and corrupt conduct, and to make this obligation clear through a code or contract.

Four councils provided examples of corrupt and improper conduct in their procedures to help employees (and members of the public) understand the types of conduct that should be reported and may be assessed as a protected disclosure. Examples of improper conduct included:

a public officer takes a bribe or receives a payment other than his or her salary in exchange for the discharge of a public duty
a public officer favours unmeritorious applications for jobs or permits by friends or relatives
a public officer sells confidential information.

These four councils also provided examples of detrimental action, such as demotion, transfer, isolation or changes in duties. Including these sorts of examples is good practice, and assists employees and others to better understand the protected disclosure regime.

Most of the procedures stated a welfare officer would be appointed to support the discloser or the person who is the subject of the disclosure. In some cases support may also be provided to witnesses. One procedure stated that the welfare manager may be sourced from an employee assistance program to ensure an independent approach where the discloser is a council employee.

Two councils advised they operate a centralised reporting system, which can only be accessed by authorised employees, to enhance confidentiality and minimise the risk of reprisals against disclosers. This system aims to encourage the reporting of disclosures to the CEO or the protected disclosure coordinator in light of the seriousness of protected disclosure matters, and to better manage confidentiality. However, there are still provisions for disclosures to be made to a manager, director or directly to IBAC.

Under the Act, councils must ensure that procedures are readily available to the public and employees. All six councils’ websites contained high-level information on the protected disclosure regime, with links to their protected disclosure procedures. The website content made it clear how individuals could make disclosures, and some included IBAC’s contact details. This is good practice.

Councils’ procedures also outlined penalties associated with breaches of the PD Act, including the taking of detrimental action against a discloser. All polices made it clear that disciplinary action would be taken against employees involved in the taking of detrimental action.

Councils were asked to comment on the effectiveness of their protected disclosure procedures. Responses were limited. One council said it does not have established systems in place to evaluate the effectiveness of its protected disclosure processes. Councils cited regularly reviewing their procedures (although only one council had up-to-date procedures in place) and having protected disclosure coordinators in place.

Five councils’ procedures were overdue for review. In light of the upcoming changes to the protected disclosure regime (effective 1 January 2020), it would be timely for councils to review and update procedures to ensure they are operating effectively.

8.2.2 Mandatory notifications

Since December 2016 council CEOs, as relevant principal officers, have been required under section 57(1) of the IBAC Act to notify IBAC of any matter which they suspect on reasonable grounds involves corrupt conduct.

The six councils were asked to demonstrate their understanding of their mandatory notification obligations, and to highlight any issues regarding the mandatory notification process. All councils appeared to have a good understanding of their obligations to report suspected corrupt conduct.

Only one council raised an issue regarding the mandatory notification process, specifically how to handle serial or vexatious complainants. IBAC reiterated that the decision to notify IBAC rests with the relevant principal officer based on a reasonable suspicion that corrupt conduct has occurred or is occurring.

At the time of the review, three of the six councils had not made any notifications to IBAC since the introduction of mandatory notifications. The other councils have only made one or two notifications, for issues including timesheet fraud, theft, misuse of council resources and gifts and benefits.

As previously mentioned, the responsibility of the CEO to mandatorily report suspected corrupt conduct to IBAC was not consistently outlined in fraud and corruption control policies or plans. Three councils did not make these obligations clear in their policies. This is an area of potential improvement.

8.3 Auditing

AUDITING

GOOD PRACTICE OBSERVED IN THIS REVIEW INCLUDED:

Regularly reviewing and updating strategic internal audit plans and ensuring these audit plans cover a range of fraud and corruption issues.
Ensuring council audit and risk management committees have an independent chair and comprise a majority of independent members.
Requiring audit and risk committees to review reports of suspected corrupt conduct as a standing agenda item.
Requiring audit committee members to declare conflicts of interest at the beginning of meetings or prior to discussion of the matter to which the conflict pertains (and minuting declarations).
Requiring independent audit committee members to have experience in financial reporting, accounting or business management.
Considering the reports and audits of IBAC and VAGO, to ensure the council considers and implements relevant recommendations.

OTHER GOOD PRACTICE SUGGESTIONS:

Maintaining a central register of declared conflicts of interest for audit and risk committee members.
Audit committee charters to explicitly highlight responsibility for corruption prevention and how that responsibility will be given effect.

While reporting mechanisms are essential to provide opportunities for employees, community members and others to advise councils of suspected corrupt conduct, auditing provides for systematic and proactive reviews of processes and practices to identify corruption vulnerabilities and possible corrupt conduct.

An effective auditing regime can serve as an early warning system to identify emerging risks and procedural weaknesses, and a detection mechanism to identify specific instances of misconduct or corruption. Auditing should be informed by a thorough risk assessment, and monitored by an independent committee.

8.3.1 Internal auditing

In response to the organisational survey, five councils provided details of their strategic internal audit plans, which are generally reviewed and updated every three years. Internal audit plans are developed by a consideration of strategic risk registers and the council’s strategic objectives/priorities.

One council advised its audit and risk advisory committee reviews the three-year internal audit plan at each of its meetings to ensure that audit projects remain relevant to the council’s strategic risk register and strategic objectives/priorities, acknowledging that these may change from time to time.

The charters for two audit committees also explicitly stated that the committee was responsible for overseeing or determining the scope of the internal audit plan to ensure it was linked to the council’s material business risks and priorities.

One council reviewed and updated its plan annually to ensure audit resources were appropriately focused. The review process considered council’s risk framework, the council plan, the impact of any change on operations, systems or the business environment, prior areas of audit and outcomes, and management input.

The six councils’ audited plans covered a range of matters, including the following corruption-related areas:

fraud and corruption
procurement and contract management
human resources management
senior employment contracts
asset management
fuel and corporate cards
risk management framework
IT general controls
records management
audit of core financial services (eg payroll).

All internal audit reports were reviewed by each council’s audit committee to consider findings and ensure that key recommendations were acted on. One council stated that its committee advises the council on significant issues identified and action to be taken on issues raised, including identification and dissemination of good practice.

8.3.2 Audit committees

Councils are required, under section 139 of the LG Act, to establish an audit committee. Audit committees are advisory committees which monitor the council’s internal control activities. The roles of audit committees vary but can explicitly include corruption and fraud prevention.^{83 84}

Composition of audit committees

The LG Act requires audit committees to be chaired by an independent person. LGV, in its 2011 guidelines Audit Committees – A guide to good practice for local government, states that good practice is for audit committees to be comprised of a majority of independent members.⁸⁵

The audit committee charters (or terms of reference) for the six councils all required an independent chair; however, two councils did not require a clear majority of independent members. At one of these two councils, the audit committee consisted of three independent members and three councillors. This council advised it used to have a majority of independent members, as there were only two councillors on the committee. However, a third councillor was appointed at their request. To manage this, the independent chair had the casting vote to offset the additional councillor member. Better practice would be for an audit committee to be chaired by an independent member, and to comprise a majority of independent members. Councillors cannot be regarded as independent as they are part of the policy and decision-making processes of councils.⁸⁶

The skills, knowledge and experience required by audit committee members are also addressed in all the relevant charters (or terms of reference). One charter, for example, noted that independent members were required to have experience in financial reporting, accounting or business management and at least one member should be designated as a ‘financial expert’.

Role and responsibilities

The LGV Audit Committee Guide notes that audit committees have a broad mandate that generally includes risk management and ‘fraud prevention (including corruption)’ in addition to financial performance and compliance and other audit and assurance activities.⁸⁷ All six councils’ audit committees were bound by a charter (or terms of reference), which details how the committee should operate, including its purpose, objectives, authority, composition and role, and responsibilities and reporting requirements.

Only one council’s audit charter included a reference to corruption prevention, that is, the committee would ‘monitor the effectiveness of policies to prevent fraud and corruption’. This council’s charter also stated the committee was responsible for monitoring procurement and tender policies, and receiving reports from management about any procurement/tender non-compliance issues. Similarly, in the 2015 review, one council’s committee charter referred to corruption prevention.

The charters of three other councils outlined their committees’ responsibilities in relation to fraud. One charter in particular had a detailed section on fraud control and compliance, which included:

monitoring the effectiveness of fraud prevention policies
considering investigations of any suspected cases of fraud
receiving status reports of instances of fraud.

Although this is good practice, better practice would be to expand the scope to corrupt conduct.

All six councils advised that their audit committee reviewed reports of suspected corrupt conduct. One council advised of a standing agenda item where the chair asks the CEO if there are any matters such as breaches of legislation or practice that need to be brought to the attention of the committee. Another council advised it had a standing agenda item to report any incidents of suspected fraud or corruption to the audit committee. A third council stated there was a standing agenda item called ‘review of any instances of fraud or possible illegal acts’.

A number of councils’ audit charters included other functions that may contribute to corruption prevention such as:

considering the reports and audits of IBAC and VAGO, to ensure the council considers relevant recommendations
providing independent guidance in relation to internal and external audit programs
monitoring the implementation of recommendations arising from audits
maintaining an effective system of internal controls.

In 2016, one council initiated a self-assessment of its depot operations in response to IBAC’s 2015 review of council depots. The council developed an action plan, comprised of a matrix of agreed actions to implement relevant practice insights outlined in IBAC’s report. Progress on implementing the identified actions was regularly reported to the council’s audit committee. This is a constructive way of proactively addressing potential corruption risks.

Conflicts of interest declarations

Under the LG Act, audit committee members are required to comply with the same legislative provisions regarding conflicts of interest as members of special committees.⁸⁸ Audit committee members must disclose any conflict of interest at meetings they attend and remove themselves from the meeting while the relevant matter is being considered. Similarly, they must also lodge a declaration of interests, via primary and ordinary returns, on a biannual basis. VAGO has also recommended that councils maintain a conflict of interests register for audit committee members.⁸⁹

Three of the six councils outlined in their audit committee charters the requirements for members to declare any conflicts of interest at the beginning of a meeting or prior to discussion of the matter to which the conflict pertains. This is good practice.

One council’s charter was particularly clear in outlining members’ responsibility to disclose all conflicts of interest and members being ineligible to vote on matters where a conflict exists. The charter also stated:

‘Members of the Audit Committee must be fully aware of their responsibilities with regard to the management of interests in relation to the discharge of their duties as a member of the Committee … Failure to comply with the Act with regard to conflicts of interest may result in the member’s appointment being terminated.’

The committee chair commonly calls for the declaration of any conflicts of interest that apply to any matter to be considered at each meeting, and details of any conflicts of interest are usually minuted. None of the councils, however, appeared to maintain a conflict of interests register for audit committee members. A central register is a sound way to record declared conflicts and how they have been managed.

⁸² IBAC, Perceptions of corruption – Survey of Victorian state government employees, September 2017, p.11.

⁸³ Local Government Victoria, Audit Committees – A guide to good practice for local government, February 2011, p.8.

⁸⁴ The Bill which was before Parliament in 2018 (but not passed before the November 2018 state election) proposed an expanded role for audit and risk committees, which would have responsibility for monitoring compliance with policies and procedures with overarching governance principles, and the Act and Regulations.

⁸⁵ Local Government Victoria, Audit Committees – A guide to good practice for local government, February 2011, p.19.

⁸⁶ Victorian Auditor-General’s Office, Local Government: Results of the 2012-13 Audits, December 2013, p.43.

⁸⁷ Local Government Victoria, Audit Committees – A guide to good practice for local government, February 2011, p.2.

⁸⁸ Local Government Act 1989, s139.

⁸⁹ Victorian Auditor-General’s Office, Local Government: Results of the 2012-13 Audits, December 2013, p.43.

Victoria’s councils have an important role to play in the provision of services to the community at a local level. If there is corruption, it robs the community of much needed funds to support front line services. Corruption hurts us all.

Public sector agencies need to have strong integrity frameworks comprised of policies and procedures, processes, systems and controls, which promote integrity and help prevent and detect corrupt conduct.

IBAC’s review of integrity frameworks demonstrated that the six participating councils have sound integrity frameworks in place. They have policies and procedures to address identified corruption risks, risk management processes, fraud and corruption control frameworks, and mechanisms to encourage reporting and detect instances of suspected corrupt conduct.

All councils are encouraged to develop strong policies and procedures, and to ensure compliance. However, following discussions with participating councils, IBAC identified that some good practice in policies had not translated into practice.

Our review highlighted instances of good practice as well as opportunities for improvement.
It is beneficial for all councils to consider how they can strengthen their integrity frameworks in suitable ways for their organisations.

In particular, councils are encouraged to develop and communicate a clear policy on conflicts of interest, proactively address misconduct and corruption risks associated with employment practices, and ensure suppliers understand the standards expected of them and council employees.

It is also critical to encourage employees to report instances of suspected corrupt conduct and proactively explain to employees how they can be protected, and that their reports will be taken seriously.

IBAC thanks the six councils for their participation and assistance with this project.

Research reports

Local government integrity frameworks review

Related resources

HTML versions of documents

Background

Methodology

Risk management

Good practice observed in this review included:

Fraud and corruption control

Good practice observed in this review included:

Corruption risks

Risk area 1: Procurement

Good practice observed in this review included:

COUNCIL STAFF QUESTIONNAIRE – SCENARIO

Risk area 2: Cash handling

Good practice observed in this review included:

Risk area 3: Conflicts of interest

Good practice observed in this review included:

Risk area 4: Gifts, benefits and hospitality

Good practice observed in this review included:

Risk area 5: Employment practices

Good practice observed in this review included:

Risk area 6: Misuse of assets and resources

Good practice observed in this review included:

COUNCIL STAFF QUESTIONNAIRE – SCENARIO

Risk area 7: Misuse of information

Good practice observed in this review included:

COUNCIL STAFF QUESTIONNAIRE – SCENARIO

Ethical culture and leadership

Good practice observed in this review included:

Reporting

Good practice observed in this review included:

Conclusion

1.1 Key findings

Perceptions of corruption

Risk management frameworks

Fraud and corruption control

Corruption risks

Procurement

Cash handling

Conflict of interest

Gifts, benefits and hospitality

Employment practices

Misuse of assets and resources

Misuse of information

Ethical culture and leadership

Organisational values and standards

Education and training

Reporting

Auditing

1.2 Local government

1.3 Integrity frameworks

2.1 Integrity framework survey

2.2 Council policy review

2.3 Staff questionnaire

2.4 Follow-up consultations

3.1 Organisational culture

3.2 Perceived prevalence of corruption

3.3 Understanding what corruption is

3.4 Corruption risks

3.5 Awareness of integrity agencies

RISK MANAGEMENT

GOOD PRACTICE OBSERVED IN THIS REVIEW INCLUDED:

OTHER GOOD PRACTICE SUGGESTIONS:

4.1 Legislation and guidelines

4.2 Risk management frameworks

4.2.1 Risk policies and plans

4.2.2 Risk management committees

4.2.3 Risk assessment

4.2.4 Risk registers

4.2.5 Risk controls

FRAUD AND CORRUPTION CONTROL

GOOD PRACTICE OBSERVED IN THIS REVIEW INCLUDED:

OTHER GOOD PRACTICE SUGGESTIONS:

5.1 Legislation and guidelines

5.2 Fraud and corruption control frameworks

5.2.1 Fraud policies

5.2.2 Fraud control plans

5.2.3 Fraud accountabilities

5.2.4 Fraud risk assessment