Research reports

This is a summary of the Independent Broad-based Anti-corruption Commission’s State government integrity frameworks review.

In 2018, IBAC reviewed integrity frameworks in a sample of 38 Victorian state government agencies, identifying examples of good practice and opportunities for improvement. A key objective of this project was to help state government agencies review and strengthen their own integrity frameworks, to improve their capacity to prevent corrupt conduct.¹

IBAC identified a number of initiatives the broader public sector could consider to strengthen their integrity frameworks, such as the application of more robust due diligence processes for suppliers, development of more interactive training in corruption prevention awareness, and consideration of integrity-related performance measures.

The review also suggests agencies are developing a greater awareness of potential corruption risks, exploring new detection and prevention mechanisms and fostering a culture of integrity.

The review builds on earlier work published by IBAC in 2014, which reviewed integrity frameworks in a different sample of state government agencies.²

_______________

¹ In March 2019, IBAC also published its Local government integrity frameworks review, which provided a snapshot of integrity frameworks examined in a sample of six Victorian councils. That report highlighted examples of good practices and possible areas for improvement in the local government sector.

² IBAC, 2014, A review of integrity frameworks in Victorian public sector agencies, Melbourne.

Corruption in state government agencies can lead to the loss of public resources, reduction in economic development and diminished community trust, which can have implications for public safety and the delivery of important programs and services.

Victorian state government agencies are responsible for a wide range of public services and infrastructure. These agencies vary in size and functions. Their responsibilities include the delivery of key community services, the management of public facilities and natural resources, and regulatory functions. All these activities must be conducted in a manner that ensures public funds are appropriately used in the public interest and for the benefit of the community.

Given the resources and responsibilities entrusted to state government agencies, it is important they develop, implement and maintain effective integrity frameworks, and continuously improve their capacity to identify and prevent corrupt conduct.

An integrity framework brings together the instruments, processes, structures and conditions required to foster integrity and prevent corruption in public organisations.³ For the purposes of this report, integrity frameworks include risk management, governance and leadership, deterrent and prevention measures, detection mechanisms, and communication and training to promote awareness and understanding of the agency’s integrity principles and initiatives.

_______________

³ Based on the definition developed by the Organisation for Economic Co-operation and Development, Integrity Framework, www.oecd.org/gov/44462729.pdf.

An agency’s fraud and corruption control plan is a critical component of its broader fraud and corruption control framework, which should document the organisation’s prevention, detection and response initiatives.

Such plans can also help to consolidate fraud and corruption control resources, ensure consistency in approach and responses across the organisation, and identify whether further work and additional resources are required.

Most agencies across all three tiers provided evidence of a fraud and corruption control plan. The documentation provided to IBAC suggests plans are regularly reviewed and amended at two to three-year intervals, as well as when there are significant changes in business conditions or practices. Those documents also suggest agencies across all tiers are aware of the importance of developing these plans, and consider them a key part of their corruption risk management.

• perceived exposure to potential corruption risks and controls to mitigate those risks
• information and education programs to promote and reinforce integrity and fraud and corruption awareness initiatives
• internal mechanisms to report suspected corruption, and other ways in which suspected corrupt conduct has been identified by participating agencies.

More than 500 policies, procedures and other resources were provided to IBAC and considered as part of this review. This included documents related to fraud and corruption control, codes of conduct, conflict of interest, gifts and benefits, supplier engagement, and protected disclosures.

These policy documents and agencies’ responses to the survey were broadly assessed against the Australian Standard AS 8001-2008 Fraud and Corruption Control.

For the purposes of the review, the 38 participating agencies were clustered into three tiers:

• Tier 1 included 13 agencies with fewer than 300 full-time equivalent (FTE) employees. Agencies in this tier tended to have annual incomes of less than $80 million⁴
• Tier 2 included 18 agencies with 300 to 11,000 FTE employees. Agencies in this tier tended to have annual incomes of $80 million to $2 billion
• Tier 3 comprised the seven state government departments.⁵

_______________

⁴ Note that income refers to an agency’s total income from transactions, as reported in their most recent annual report prior to the commencement of the review.

⁵ There were seven departments at the time of this review.

IBAC’s review was undertaken in three stages: an organisational integrity framework survey, a review of agency policies and procedures, and in-depth consultations with a sample of 10 participating agencies to explore specific issues.

Key topics canvassed in the organisational integrity framework survey included:

Assessment of corruption risks

Agencies should adopt policies and processes to systematically identify, analyse and evaluate fraud and corruption risks to assess where their most significant risks lie and what controls can be used to mitigate those risks.

IBAC’s 2014 review observed that while most participating agencies reported applying risk assessment processes to financial, audit or fraud risks, very few reported conducting specific corruption risk assessments. That review concluded ‘corruption and its prevention is generally not on the radar of Victorian public sector agencies’.⁶

In this 2019 review, agencies were presented with a list of potential corruption risks and asked to indicate the extent to which each issue was a risk to the agency, whether the risk was recorded on the agency’s risk register, and whether the agency had any controls in place to manage that risk. The issues most commonly identified as a corruption risk by participating agencies were: improper procurement, conflict of interest, and misuse of information or material, as shown in Figure 1. This was generally consistent with IBAC’s 2017 survey on the perceptions of corruption of Victorian state government employees.⁷

n = 38 agencies

* ‘Abuse of discretion’ does not total 38 because one agency did not provide a response to this question.

Responses also indicated most participating agencies formally record corruption risk issues in their risk registers and implement controls to mitigate those risks. Conflict of interest, improper procurement and improper cash handling or payment arrangements were the issues most frequently controlled for and recorded on risk registers.

This suggests that while agencies are now considering a broader range of corruption risks, financial and fraud-related corruption risks continue to receive more attention.

Outlined below are the issues most commonly identified by participating agencies as posing a corruption risk to their organisation. Agencies’ response to the other corruption risks listed in the survey are available in the full report.

Risk area 1: Improper procurement arrangements

Corruption in public sector procurement is a recurring issue in IBAC investigations. Public sector agencies need to be alert to the risks associated with procurement.

Of the 38 agencies involved in this review, 14 stated that improper procurement arrangements posed a great risk to their organisation, 22 stated that this risk was relevant to their agency to some extent, and two stated it was not a risk to their organisation at all. This is consistent with the findings of the 2014 review.

Good practice observed in this review

All 38 agencies indicated they had controls partly or comprehensively in place to manage the risk, regardless of whether improper procurement arrangements were considered a corruption risk. Controls identified included:

• policies, procedures and guidelines relating to the organisation’s procurement framework, conflict of interest, code of conduct, contract management, financial management, outsourcing, delegations, probity, protected disclosures, and fraud, corruption and other loss prevention
• segregation of duties
• delegation of authority and multi-level approval requirements
• training and communication
• Victorian Government Purchasing Board (VGPB) requirements, noting that suppliers and contractors are required to comply with the Victorian Government Supplier Code of Conduct
• audit activities
• management oversight
• internal reconciliation and review procedures
• system controls
• due diligence.

Opportunities for improvement identified in this review – performing due diligence on suppliers

Performing due diligence on suppliers in the form of background checks, supported by declarations by the supplier, can help an agency better understand the risks involved in doing business with that supplier, including but not limited to potential conflicts of interest. The level of due diligence undertaken will depend on the risks associated with the interaction with that supplier, taking into account factors such as the anticipated spend, the nature of goods or services to be provided, risks associated with the provision of the goods or services, and the supplier’s financial profile and reputation.

Due diligence procedures should seek to validate information collected from the supplier through third party independent sources, to determine whether the potential supplier and individuals associated with the supplier pose any unacceptable risks. Checks should also be made against employee declarations to identify any risks or potential conflicts of interest that may not have been declared by one party.

It is good practice to conduct due diligence periodically over the course of a contract to ensure changes in a supplier’s circumstances do not present any increased risks to an agency.

Only one of the 38 participating agencies discussed conducting due diligence in relation to procurement, however this control was discussed by a number of other agencies in relation to the associated risk of hiring one’s own company or the company belonging to a friend or family to provide public services.

Risk area 2: Conflicts of interest

When conflicts of interest are not properly identified and managed, they provide opportunities for corruption, placing an agency’s finances and reputation at risk. Failure to properly identify, declare and manage conflicts of interest has been a common feature of IBAC investigations.

Of the 38 participating agencies, 13 said conflict of interest posed a great risk to their organisation, 22 stated it was relevant to their agency to some extent, and three stated it was not a risk to their organisation at all.

Good practice observed in this review

All 38 agencies indicated they had controls partly or comprehensively in place to manage the conflict of interest risk, regardless of whether it was considered a corruption risk. Controls identified included:

• policies, procedures and guidelines regarding conflict of interest, disclosure of interests, codes of conduct, procurement, human resources recruitment and selection checklists, external employment, and gifts, benefits and hospitality
• declaration and associated registration processes to record those details in a way that allows for further cross-checking
• management oversight, for instance through the inclusion of ‘conflicts of interest’ as a standing agenda item for relevant committees
• employee training and communication
• development and implementation of data analytics to identify potential conflicts
• delegation of authority and multi-level approval requirements.

Opportunities for improvement identified in this review – conflicts of interest

Consultations with agencies also suggests there is increasing recognition of the value of coordinating conflict of interest and private interest declarations in a centralised, electronic register to allow more sophisticated data analytics.

Requiring electronic declarations reduces the chance of mistakes or omissions by avoiding the need to transfer data from one format to another. Maintaining a centralised repository of all declarations also enables analysis to identify potential conflicts with other parties, such as suppliers.

Risk area 3: Misuse of information and material

IBAC has identified unauthorised information access and disclosure as a risk across the Victorian public sector. This risk can often be overlooked by agencies and therefore can facilitate other corrupt conduct. Similarly, theft or loss of material can sometimes be discounted as an operational risk without recognising the broader corruption risk involved.

Of the 38 participating agencies, eight said misuse of information or material posed a great risk to their organisation, 27 stated this risk was relevant to their organisation to some extent, and three stated it was not a risk to their organisation at all.

Good practice observed in this review

The majority of agencies (35 of the 38) indicated they had controls partly or comprehensively in place to manage the risk of misuse of information and material, and 22 described specific controls. Controls identified included:

• policies and procedures such as codes of conduct and policies concerning data security, privacy and data protection, data classification, IT use, financial management and clean desk requirements
• system controls including access controls, password and user name protections, and processes to maintain audit trails
• employee training and communication
• audit activities
• internal reconciliation and review such as monitoring systems to identify potential data theft, suspicious system activities and network intrusions
• confidentiality clauses in third-party and privacy agreements.

_______________

⁶ IBAC 2014, A review of integrity frameworks in Victorian public sector agencies, Melbourne, p 2.

⁷ IBAC 2017, Perceptions of corruption: Survey of Victorian state government employees, Melbourne, p 8.

 

Ethical culture and leadership

People in leadership positions set the ethical tone of an organisation and are key to building organisational integrity and corruption resistance. It is essential they communicate expected standards of behaviour and values to staff, and lead by example.

Managers need to supervise employees appropriately, actively encourage staff to report suspected corrupt conduct, act on reports of suspected misconduct or corrupt conduct, and reinforce that reprisals for making disclosures will not be tolerated.

Good practice observed in this review

Senior management commitment to controlling the risk of fraud and corruption was generally well documented by the agencies. Policies included statements of commitment to the implementation and oversight of integrity initiatives, and strong messaging that senior management has the ultimate responsibility to promote a culture of compliance in this area. Fraud and corruption control policies and code of conduct documents from the agencies described in detail the roles and responsibilities of each level of management.

Thirty agencies said they had a dedicated team or committee of employees with particular responsibility for corruption prevention measures including oversight of the organisation’s integrity framework and ongoing benchmarking of its ethical standards.

Training and other initiatives to promote integrity and awareness of corruption risks

Education and training provided by agencies to their staff to promote corruption awareness and prevention appears to have increased in frequency and scope since the 2014 review. Since becoming fully operational in 2013, IBAC has undertaken a number of investigations in the public sector that may have contributed to an increased focus on the need for corruption prevention education and training.

The 2014 review noted relatively few participating agencies reported having specific education or training programs for staff to help them understand what constitutes corruption. Content for such training was generally limited to the Code of Conduct for Victorian Public Sector Employees which, at the time, contained little specific information about corruption.

Good practice observed in this review

Responses to this review suggest most of the agencies (28 of 38) now provide dedicated corruption and integrity training, or this content is integrated into other training. Content is tailored to the audience, with certain higher-risk roles receiving additional, more focused training.

In addition to education and training programs, agencies were asked to discuss any initiatives they used to promote integrity in their organisations. Innovative approaches described included:

• the appointment of risk champions, or other designated individuals within the agency with specific responsibility for promoting risk awareness, providing support to business units, and reporting to senior management
• organisational support for specific committees or forums dedicated to risk and/or integrity matters
• leadership responding, and being seen to respond appropriately, when integrity issues are raised
• including integrity criteria in position descriptions and performance plans
• requiring employees to formally declare compliance with policies.

Assurance that integrity is promoted and understood

The top three ways that senior management in these agencies assure themselves integrity is promoted and employees have a good understanding and confidence in corruption prevention measures are:

• leading by example
• training
• support for audits and other reviews that monitor compliance with integrity framework policies.

The primary purpose of training and other initiatives to promote integrity and awareness of corruption risks is to raise general awareness about fraud and corruption. This better equips employees to identify potential fraud and corruption, ensures they know how to report suspected corrupt conduct, and have confidence in their organisation’s procedures and support for those who speak up.

It can be helpful to ‘test’ awareness through staff surveys and other feedback or reporting mechanisms. Insight into staff awareness of fraud and corruption risks, as well as compliance with the agency’s internal controls, can help identify staff concerns and misconceptions that need to be addressed through integrity and corruption awareness initiatives.

Opportunities for improvement identified in this review – integrity measures in performance plans

Half of the participating agencies indicated integrity measures were incorporated into staff performance reviews or appraisal mechanisms, while only one agency stated integrity measures were included in executive performance plans.

It is good practice for public sector agencies to include integrity-related measures in employee performance reviews, either as a stand-alone item or in the context of the organisation’s values. Integrity-related performance measures for managers can include staff completion of integrity-related training, recognition of individuals who display integrity in ways that go beyond what is expected of them, regular discussions around the agency’s values and code of conduct, and exploring other opportunities to embed integrity in how staff carry out their duties.

Detection

An integrity framework must include mechanisms to help state government agencies detect instances of suspected corrupt conduct in a timely manner. Employees need to know how to report suspected corrupt conduct and be confident in reporting. Agencies also need to proactively audit systems and processes relevant to identified areas of high risk and where appropriate, use data analytics to identify potential issues of concern.

Both prevention and detection are necessary to mitigate risks to the financial and reputational wellbeing of an agency in the case of an incident. However, documentation provided by participating agencies appeared to focus more on preventative measures rather than measures to detect possible corrupt conduct where controls fail.

It is good practice for an agency’s fraud and corruption control plan and code of conduct to contain an overarching statement that processes and controls are in place to detect corruption. Content relating to specific detection controls should be set out in documentation supporting the integrity framework. Such an overarching statement was missing from the policies provided by agencies across all three tiers.

The main ways agencies identified suspected corrupt conduct was through identification or reporting by colleagues, and/or reporting by supervisors and managers.

IBAC’s 2017 survey of Victorian state government employees suggests while most respondents were willing to make a report if they observed corruption, only one-third were confident they knew how to report corrupt activities, as shown in Figure 2.⁸

The 2017 survey results were drawn from a broader cross-section of state government agencies, some of which were not involved in this review. However, it suggests that across state government agencies, there may be value in developing strategies that seek to bridge this gap between willingness to report and confidence to make a report.

Agencies need to do more to improve employees’ awareness of how to report suspected corrupt conduct and the protections available to them under the current protected disclosure regime.

n = 4542, figures may not total 100 due to rounding

Opportunities for improvement identified in this review – utilising data to identify risk areas

During consultation, a number of agencies advised they had developed fraud and corruption detection programs with advanced data analytics and data mining capabilities, which helped them to identify and respond to suspected fraud and corruption in a timely manner.

For example, one department advised that three employees work full-time on compliance reviews and conduct a monthly reconciliation of corporate credit cards. That process involves examining expenses data to identify unusual amounts or suspect purchases, which can help to detect policy breaches. The finance team also uses analytics to check transactions related to accommodation, flowers, restaurants, and duplicate payments – especially expenses incurred on weekends.

Analytics may be utilised as regular monitoring and/or when potential issues are identified. In some circumstances, ad hoc analytics may become ongoing if systemic issues need to be monitored.

When internal resources and capabilities are limited, agencies could consider engaging external subject matter expertise to set up data analytics. Additionally, agencies could consider using analytics to identify key areas of risk by leveraging the fraud and corruption risk assessments. Once issues are identified, it is important agencies take follow-up action.

_______________

⁸ IBAC 2017, Perceptions of corruption: Survey of Victorian state government employees, Melbourne, p 12.

⁹ The data for the question ‘I know how to report corruption’ was only partially reported by IBAC in its 2017 report Perceptions of corruption: Survey of Victorian state government employees.

The implementation and maintenance of an integrity framework comprising policies and procedures, processes, systems and controls, plays an important role in an agency’s approach to identifying and managing corruption risks.

This review of integrity frameworks in a sample of state government agencies suggests agencies are developing a greater awareness of potential corruption risks. Agencies are exploring new detection and prevention mechanisms, and fostering cultures of integrity. This review also identified a number of initiatives the broader public sector could consider to strengthen integrity frameworks.

Employees must be encouraged to identify and report suspected corrupt conduct. This requires a sustained effort to ensure staff are made aware of reporting channels in their own agencies and to IBAC, and the protections available to them so they feel confident to make a report knowing that their agency will take appropriate action to address issues raised.