Research reports

Risk and management

Half of the councils involved in the project have adopted risk assessment models that are integrated into budget and/or business planning processes.
While there are business management advantages of integration, corruption risks may not always be identified as impediments to achieving operational objectives. As such, it is important to ensure corruption risks are not forgotten in the process. Overall, councils are quite good at identifying and rating risks. However, councils could do more to implement and actively monitor the effectiveness of controls (eg. conducting audits and implementing recommendations).

Conflicts of interest: A large proportion of senior managers and staff at the councils involved in this project rated conflicts of interest as a medium- or high-risk issue, suggesting councils have a good awareness of the concept.

Procurement: Procurement-related issues were generally considered to be low-risk issues by both senior managers and staff. The risk was reduced to some extent by control mechanisms, such as minimising cash handling where possible, applying strict quotation and tendering procedures and aggregating the organisation’s spending.

Misuse of resources: A number of councils have used technology to minimise opportunities to access, copy and transfer information for illegitimate reasons. With assets, the greatest risks often relate to lower-value items – these are often more readily available and involve minimal oversight, making them easier to misuse without detection, albeit with less impact on a case-by-case basis.

Governance

Documented guidance: sound leadership, education and information for both staff and the public must complement each other in order to support the other risk management and detection elements of a council’s integrity framework.

Codes of conduct: Codes of conduct are a key mechanism used to govern council’s behavioural expectations of staff. The guidance in those codes could be reinforced with a statement of council’s intolerance for corruption and details of the penalties for breaching the code.

Leadership: CEOs varied in the balance of their approach to leadership, with some placing greater emphasis on values and organisational culture while others favoured the development and enforcement of controls. Neither culture nor controls should be pursued to the exclusion of the other.

Public information: At present the councils involved in this project are doing little to broadcast their intolerance of misconduct and corruption.

Staff education: A number of councils noted that continual education that reinforces formal training embed key messages within the fabric of the organisation. However, councils could do more to raise awareness of protected disclosure procedures and fraud and corruption policies, and requirements around reporting secondary employment.

Detection

Suspected corruption was most often detected by work colleagues, which highlights the importance of implementing clear and effective protected disclosure procedures and creating a safe reporting environment.

Reporting: In response to the staff survey, the majority of respondents (65 per cent) said they would report suspected corrupt conduct, however, eight per cent said they would not and the remaining 26 per cent said they did not know if they would report it.

Auditing: The role of audit committees has shifted from purely financial considerations to broader governance issues. All six councils had medium-term audit plans, some of which address corruption risks.

Local government provides a wide range of public services and maintains considerable public infrastructure with a total operating expenditure of around $7.12 billion in Victoria. Given the resources and responsibilities entrusted to local government, it is important that councils operate efficiently and effectively and continuously seek to improve their capacity to prevent corrupt conduct.

A key challenge in the local government sector involves identifying a variety of good corruption prevention practices that can be applied across the range of different councils in Victoria. In local government, one size does not fit all.

The Good Governance Guide highlights the diverse nature of local government agencies.3 It states ‘individual councils can determine what they need to do to ensure “…the peace, order and good governance” of their municipalities.4 Essentially each council makes its own decisions based on its collective beliefs, the advice it receives, various financial considerations, legislative powers and so on.’

This project was undertaken by IBAC pursuant to the prevention, education and capacity building functions set out in section 8 of the Independent Broad-based Anti-Corruption Act 2011. Recognising that a range of corruption prevention measures are already in place in the local government sector, this paper provides a picture of the integrity frameworks observed in the councils involved in this project and outlines examples of good practices and possible areas for improvement, with a view to help councils strengthen their individual integrity frameworks.

Following a brief discussion of the methodology, the paper outlines the results of the research in three key areas, namely:

• risk management
• governance
• detection.

In 2013 IBAC consulted with key stakeholders to select six councils to participate in the project.

The sample included councils from metropolitan and regional areas. Councils ranged in size from 3,000 to more than 20,000 square kilometres, with population densities of less than one person per square kilometre to more than 3,500 people per square kilometre.  Recurrent revenue ranged from $25 million to more than $300 million per annum, while recurrent expenditure ranged from $20 million to more than $200 million per annum. Industry in the councils included agriculture, horticulture, forestry, tourism, manufacturing, retail and residential services. Council staffing ranged from around 100 to more than 1,300 employees.

IBAC surveyed senior managers about their council’s organisational arrangements in early 2014 in order to review and understand the:

• integrity frameworks in place (in terms of risk management, governance, detection, prevention and education of corruption risks)
• corruption risks and challenges facing councils
• range of prevention strategies employed by councils (many of which may be applied more broadly across the local government sector).

The survey of senior managers sought answers to specific questions and examples of a range of policies, plans and reports to support the strategies and practices discussed in their responses. One survey response was sought from each council on behalf of the organisation.

Following the senior manager survey, a staff survey was circulated to employees with computer access in mid-2014.
The staff survey asked about employees’:

• awareness of their council’s policies
• perceptions of corruption risks within council
• willingness to report suspected corrupt conduct.

​A total of 631 responses were received, from council employees with computer access. While it is not possible to calculate a true response rate, the number of responses received represents around 20 per cent of the full-time equivalent staff numbers at the councils involved in the project.

Finally, IBAC met with selected senior staff at each council to clarify information provided, view systems and explore specific issues. These were generally staff responsible for risk and compliance, human resource management and governance, as well as the council CEO.

A clear risk-management framework can help councils identify risks, set specific goals, track risk-management activities over time and isolate areas for improvement or attention.  This work should be informed by well-defined policies and regular risk assessments that consider potential corruption threats. This will ensure councils can actively assess operational vulnerabilities and develop targeted strategies to address each council’s unique corruption risks.

Key findings

• A number of the councils involved in this project use risk assessment models that are integrated into budget and/or business planning processes. In doing so, it is important not to neglect corruption risks which may not always be apparent impediments to achieving council’s operational objectives.
• While councils were generally good at identifying a range of corruption-related risks, it was apparent that many controls had not been acted upon for some time, suggesting that more could be done to implement and actively monitor the effectiveness of controls.
• A recent survey conducted by one council demonstrated the importance of regularly reminding staff why conflicts of interest pose a corruption risk for council, how to make a declaration and the penalties for breaching council’s policy.
• All of the councils had gift policy statements and a gift register in place. However, inspection of those registers suggested that some councils do not actively encourage staff to report gifts that are accepted, much less offered, rendering the register a less effective control.
• In terms of information technology, most councils applied classification restrictions with some also running audits and exception reports to identify inappropriate access to council’s network. It would also be prudent to clearly state the penalties for breaching council’s policy.
• While many councils have published statements on responsible use of council resources, more could be done to clarify details of the different classes of resources (consumables through to large plant and equipment) as well as the associated disposal processes and the penalties for breaching council’s policy.
• Most councils had a fraud prevention policy that detailed the fraud risk assessment and reporting processes. However, few outline other controls such as actively obliging staff to safeguard council assets against theft and misuse.

Good practices observed

• Requiring that staff record details of all gifts, benefits and hospitality offered, so that council can monitor external approaches and attempts to influence staff.
• Maintaining a central register of all councillor requests for information to ensure equal and transparent access to information and to discourage inappropriate requests from councillors.
• Periodically asking all staff whether they have external employment to check that the council has appropriate measures in place to identify and manage potential conflicts of interest.
• Using virtual information technology systems that do not have separate hard drives, making it harder to save information remotely and to safeguard council’s information technology.
• Actively aggregating spends, in terms of individual suppliers and types of goods and services.
• Requiring conflict of interest declarations and deeds of confidentiality from all tenderers, tender evaluation panel members and staff involved in a specific procurement process.
• Tracking and comparing usage or ordering levels from year to year to identify excessive orders for particular resources.
• Developing and applying decision-making matrices to guide staff to make consistent decisions relating to reviews of fines.

Most of the risk-management policies examined included a statement of objectives, including two which specifically referenced the importance of risk management in terms of council’s reputation as a professional, responsible and ethical organisation.

Four councils had risk registers in place. The remaining two councils were in the process of developing and rolling out new risk registers.

Typical corruption-related risks in council risk registers included:

• falsification of timesheets or unauthorised leave taken
• disclosure of confidential information during the tender process
• unauthorised use of IT systems and inappropriate access to confidential information
• inappropriate use of delegations
• purchase and disposal of assets
• unauthorised ordering of stock incurring unplanned expenses and the potential for misappropriation of supplies
• having a long-term contractor or repeated use of the same contractor
• inadequate controls on credit cards
• lack of segregation of financial duties (including banking, electronic funds transfers and accounts payable)
• failure to implement a sufficiently robust fraud policy and fraud control plan
• failure to identify and manage internal fraud.

The true measure of an effective risk register lies in the effectiveness of the controls applied. If controls are not identified, actively applied or reviewed, merely maintaining a list of the risks council faces is arguably of little, if any, value.

Unidentified and poorly managed conflicts of interest provide fertile ground for corruption opportunities, putting both a council’s finances and reputation at risk.  Conflicts of interest can include directions or influence by councillors or offers of gifts, benefits and hospitality.

Council’s senior managers and staff were asked to rate conflicts of interest as a risk to their council. The majority of senior managers (five of the six) and staff survey respondents (79 per cent) said that conflicts of interest were a low- to medium-risk issue in their organisation.

Codes, policies and processes

Conflicts of interest were addressed in all six staff codes of conduct, with specific references in policies and processes for areas where conflicts of interest can arise (eg. procurement (in particular tendering), planning and council agendas, and reporting templates).

Generally, conflicts are recorded in councils’ register of interests and in documentation associated with reports to council or decisions that use delegated authority.

The main prompts for declaring conflicts of interest are the bi-annual ordinary returns (required of nominated officers), and specific declarations. However, conflicts can arise outside the parameters of the ordinary return procedures, including in communication with councillors, recruitment and procurement processes.

All six councillor codes of conduct state that councillors must not exercise undue influence on council staff.  Five staff codes of conduct also state that councillor contact outside the scope of council protocols should be reported to senior management or the protected disclosure coordinator.

All six staff codes of conduct provide guidance in relation to accepting gifts, benefits and hospitality, although there were significant differences. Most codes advise staff not to accept gifts, particularly where it could be perceived to influence an employee’s official duties or create a sense of obligation.

In addition, all six councils have a gift register in place. However, the contents of those registers differed substantially.

By recording offers of gifts or hospitality, council can monitor who approaches their organisation and identify parties who may be attempting to influence
council staff.

Staff awareness of council policies

In response to the staff survey:

• 79 per cent of respondents were aware of their council’s protocols for communicating with councillors, however, in consultations, some senior managers noted that staff who do not have any responsibility for communicating with councillors would not be expected to have an understanding of the protocols
• 83 per cent of respondents were aware of their council’s conflicts of interest policy, suggesting that there is room for councils to improve staff awareness in this area
• 92 per cent of respondents were aware of their council’s policy in relation to gifts and benefits, suggesting a high level of awareness.

Employment issues include (but are not limited to) employing family or friends, external employment, reference checking and vetting.

Councils and staff were asked to rate employment issues as a risk to their council. All six senior managers said that employment issues were a low- to medium risk issue in their organisation. Similarly, the majority of staff survey respondents said that appointing personnel (85 per cent) and external employment (94 per cent) were low- to medium-risk issues in their organisation.

Codes, policies and processes

Having a process for declaring conflicts of interest and applying proactive measures can help prompt employees to reflect on and declare any other interests they may have.

While a number of staff codes of conduct state that employees should not use their position to obtain favours for other employees, relatives or friends, two expressly state that staff who undertake recruitment must not employ, or try to influence the selection process involving, a family member or friend.

Reference checks safeguard against applicants who fraudulently claim qualifications and experience and provide an opportunity to discuss the applicant’s integrity with their previous employers. Failure to conduct appropriate vetting and checks may also allow conflicts of interest to go unchecked where an applicant has prior, undisclosed dealings with the council.

All six councils conduct reference checks to ensure that they employ appropriately trained and experienced staff. Most councils conduct police checks for certain positions.

While credit checks are not currently conducted by any of the councils involved in the project, a number of councils acknowledged the potential value of vetting staff with financial responsibilities in this manner.

Additional external employment can pose a number of corruption risks. The first step in managing these potential risks is to be aware that the external employment is occurring.

Most of the staff codes specify that employees must consider and document whether the additional employment presents any potential conflicts of interest. Most also require express approval (from senior management) if an employee wishes to undertake additional external employment (whether the work is paid or voluntary).

Staff awareness of council policies

In response to the staff survey almost half of all respondents stated that they were aware of their council’s policy about external employment as shown in Figure 1. 

Local government spends in excess of $2.7 billion annually on goods, services and works, making procurement a key corruption risk area.

It is important to note that corruption risks associated with procurement are not limited to large contracts or purchases. In fact, the risk of corruption can be higher for goods or services that are relatively low in financial value because low-value items may be subject to a lower level of scrutiny, while being purchased more frequently.

Councils and staff were asked to rate procurement issues as a risk to their council. The majority of senior managers (four of the six) said that procurement was a low-risk issue in their organisation. Similarly, the majority of staff survey respondents said that buying goods or services (52 per cent), cash handing (72 per cent) and misuse of funds (65 per cent) were low-risk issues in their organisation.

Codes, policies and procedures

Under the Local Government Act 1989, councils are required to develop a procurement policy that is publicly available and reviewed annually.

All six councils have policies that specify thresholds at which the purchase of goods and services and works must go to public tender, consistent with the Act.

Two councils require public tender for procurement below the legislated threshold and three policies provide for the option to conduct a tender if it would lead to a better result for the council. A number of councils require tender evaluation panel members to sign conflict of interest forms before taking part in the evaluation. In addition, all six policies note the importance of equal access to relevant information by potential providers and the requirements for confidentiality.

Five of the six procurement policies included sections on conflicts of interest and noted the importance of avoiding offers of gifts, benefits and hospitality. One procurement policy went further to outline why gifts and hospitality were problematic in relation to procurement and directed employees to its standalone gifts and benefits policy. The sixth council also had a stand-alone gifts and benefits policy which ideally should be referenced in the procurement policy, to clearly state council’s expectations in relation to gifts and benefits in the context of procurement.

One policy detailed its councils aggregation processes, noting that the council would consider its spending holistically (in terms of individual suppliers as well as types of goods and services) and formally tender when the total value over a three-year period exceeds the legislated thresholds. Actively aggregating a council’s spending can help to prevent deliberate or inadvertent contract splitting and ensure a more holistic approach to council’s management of external contractors and suppliers.

Cash handling was generally seen as low risk by senior managers, with only one rating it as a high-risk issue.  That senior manager noted the council had a number of cash-handling issues, which resulted in the installation of surveillance cameras at key cash transaction points.  One of the senior managers that rated cash handling as a low-risk issue has treated the risk by purchasing cash-handling equipment, including an electronic safe and coin change dispenser at their main leisure facility.

Most senior managers also noted that the amount of cash being handled is relatively small, and that on balance, investing in additional controls would outweigh the potential loss. While the amounts may be small, the difficulty in regulating cash transactions has the potential to make cash handling a more serious corruption risk over time if poor practices are allowed to develop.

Staff awareness of council policies

In response to the staff survey, more than three quarters of respondents stated that they were aware of their council’s procurement policy and processes, as shown in Figure 2.

The misuse of council resources, including information and assets, can often be more difficult to identify and quantify than the misappropriation of funds. However, their misuse can be equally devastating for councils. 

Misuse of information and information systems can include privacy or confidentiality breaches, improper access and/or disclosure of council information, misuse of computer systems, and falsification or destruction of records or security breaches.

Councils and staff were asked to rate misuse of information as a risk to their council. The majority of senior managers (four of the six) said that misuse of information was a medium-risk issue in their organisation. In comparison, staff survey respondents were split with 38 per cent stating it was a medium-risk issue and 45 per cent stating that it was a low-risk issue in their organisation.

This perception of information management as a low risk may suggest a corruption vulnerability or particularly effective information management strategies and controls by councils. However, as technology develops in relation to information access, capture and dissemination, it is crucial that councils are alert to the potential risks of inappropriate access and dissemination of information which can facilitate corrupt conduct.

A number of councils use technology to minimise opportunities to access, copy and transfer information (eg. use of classification programs to restrict access, virtual IT systems without separate hard drives which make it harder to save information remotely, and exception reports to identify password sharing or out-of-hours access). However, information misuse can occur through simple processes such as word of mouth, making it necessary to consider cultural factors and employ a range of other controls.

Codes, policies and procedures

Effective information management is a necessary element of any strategy to prevent inappropriate access and misuse of information. A lack of appropriate record-keeping systems and practices can allow lax practices to develop and hinder a council’s ability to identify and prosecute individuals in the event of council’s information resources being used corruptly.

Councils are required to establish standards to manage public records and must take reasonable steps to protect personal information from misuse, loss or unauthorised access, modification or disclosure.

All of the councils involved in this project have a range of policies governing the access and use of information and information systems. In addition, some staff codes of conduct include guidance on the use of information and information systems.

Most codes of conduct remind employees of council’s confidentiality requirements and/or state that council information must only be used for council business.  Some noted that any knowledge or information gained during the course of employment must not be disclosed or used to gain an improper advantage for the employee or any other person.

Senior managers also identified a range of control mechanisms at their council, including:

• confidentiality agreements
• computer usage terms and conditions
• password renewal
• classifications
• scanning incoming mail
• running audits and exception reports
• automatically revoking access when
• employment ceases.

​Staff awareness of council policies

In response to the staff survey, more than two-fifths of respondents stated that they were aware of their council’s policies on managing confidential information, as shown in Figure 3.

Misuse of assets and other resources include the loss and improper disposal of valuable items, as well as poor asset management.

Councils and staff were asked to rate misuse of assets and resources as a risk to their council. The majority of senior managers (four of the six) said misuse of assets and resources was a medium-risk issue. In terms of the disposal and sale of assets the majority of staff survey respondents (74 per cent) said the issue was a low-risk issue in their organisation.

Codes, policies and procedures

Policy statements governing the ethical use, destruction and disposal of all assets are important to corruption prevention. If not properly managed, poor practices and inadequate controls can lead to misconduct and create environments in which corrupt activities can develop.

Councils are required to manage financial risks prudently, including risks relating to the management and maintenance of assets.

All but one of the staff codes of conduct stated the councils’ expectations of staff accountability when using council assets and resources. Those five codes state that employees are responsible for using council property effectively and economically, and for official purposes only. Two codes also included policy statements covering the disposal and destruction of assets, while others put this in a separate disposal policy.

A number of senior managers indicated their council either maintains an asset register or is currently developing one. Other controls included:

• audits and stocktakes
• tracking and comparing usage
• limiting supply of bulk consumables
• using fuel cards with a PIN
• monitoring high-value vehicles with GPS.

Misuse of discretionary authority includes activities related to compliance functions (such as building, food safety and parking inspections) and regulatory
functions (such as the approval of permits and licences).

Councils and staff were asked to rate misuse of authority as a risk to their council. The majority of senior managers (four of the six) and staff survey respondents (61 per cent) stated that misuse of regulatory authority was a low-risk issue in their organisation.

Codes, policies and procedures

Councils were not asked to provide policies governing discretionary powers, however, one council’s compliance and enforcement policy was available online.

By making this information publicly available, anyone with concerns about enforcement action taken by council employees can check compliance with council expectations, and raise issues if necessary.

Providing information so that members of the community are aware of council’s expectations of its employees can be a useful means of identifying and preventing potential corrupt conduct.

In terms of regulatory functions, two councils have counter-signing requirements in place for all planning approvals.

One council submits a report at council meetings whenever there are five or more objections to a permit application, or where officers propose to refuse a permit. The same council formally notes decisions about the allocation of capital discretionary funds in council meeting minutes to ensure transparency and reduce opportunities for corruption.

Unlawful or inappropriate conduct includes corrupt conduct or involvement in criminal offences.

Councils and staff were asked to rate unlawful or inappropriate conduct as a risk to their council. All six senior managers stated that unlawful or inappropriate conduct was a low- or medium-risk issue in their organisation. When asked about the risk of bribery in their council, 71 per cent of staff survey respondents stated that it was a low-risk issue while 19 per cent stated that it was a medium-risk issue.

Fraud is a key category of unlawful or inappropriate conduct, and fraud control is central to any discussion about corruption. 

In 2012, the Victorian Auditor-General’s Office (VAGO) recommended councils develop appropriate fraud control plans based on comprehensive fraud risk assessments and ensure strategies outlined in fraud policies are implemented effectively.11 The Local Government Act requires councils to report whether they have a policy outlining their commitment and approach to minimising the risk of fraud from the end of the 2014–15 financial year.

Codes, policies and procedures

Fraud prevention policies, staff code of conduct and protected disclosure procedures were the main policies councils used to address unlawful or inappropriate conduct.

Two codes of conduct require employees to notify the council if they are charged with a criminal offence or lose their drivers’ licence. While criminal charges are mentioned, those codes focus on operational considerations, namely, where a person’s position requires a licence. One council requires employees to advise council if they are charged with a criminal offence.

All six councils had protected disclosure policies that define ‘improper conduct’ and most define ‘corrupt conduct’. At least three policies include examples of conduct that employees should report under the Protected Disclosure Act 2012 (PD Act).

Two councils were in the process of developing a fraud control policy. The other four councils provided copies of their fraud (and corruption) policies; those policies all discussed the issue of assessing fraud risks but differed substantially in their approach. 

Fraud assessments and control plans should not only look at the risks of council employees behaving fraudulently, they must also consider the external environment in which councils operate. Councils should actively assess the fraud and corruption risks posed by contractors, suppliers, stakeholders and members of the public, identify controls and actively engage with staff on those issues to ensure that the risks are appropriately managed.

The four policies reviewed specified that all representatives and members of council staff are responsible for fraud prevention. Beyond the general requirement to identify and report, one policy noted that councillors and staff also have responsibilities to safeguard council assets against theft and misuse.  Only one policy recognises that it can be difficult for contractors to report suspected fraudulent activity in relation to the tender process or service provision, as they may fear repercussions affecting future business dealings with council.

Fraud control plans ensure that strategies outlined in fraud risk assessments and policies are implemented effectively.

Only one council provided a copy of its fraud control plan which lists ‘operational functions that traditionally provide exposure to high risk’, but does not provide any indication of the major fraud risks identified through council’s risk assessment. In addition, the plan provided could benefit from performance measures or procedures for assessing its effectiveness. These last two elements are arguably the more challenging parts of a fraud control plan – they must be tailored to address the particular concerns faced by each council.

Fraud has a number of negative effects, wider than financial loss. It can result in significant reputational damage, which is especially harmful in the public sector as it can impact on public trust in government. Fraud can also have significant personal impacts on those affected by it.

The impacts of fraud can be difficult to reverse, underscoring the importance of implementing effective prevention strategies at all levels of an organisation.

‘Identification and reporting of fraud isn’t necessarily about dollar values… if you damage your reputation it can take years to repair.’
Council CEO 

Staff awareness of council policies

In response to the staff survey:

• 35 per cent of respondents were aware of their council’s corruption prevention policy
• 45 per cent were aware of their council’s fraud prevention policy
• 46 per cent were aware of their council’s process for making and managing protected disclosures
• 79 per cent were aware of their council’s process for reporting improper conduct.

• Most staff codes of conduct included a description of misconduct, illegal activity, fraud and/or corrupt behaviour. This could be supplemented with a statement of council’s intolerance for corruption, obligation to report and details of the penalties for breaching the code.
• CEOs varied in their preferred leadership approach, with some placing greater emphasis on values and building organisational culture, and others focusing more on controls. Neither culture nor controls should be pursued to the exclusion of the other.
• There was little to indicate that councils have evaluation strategies in place to measure the effectiveness of staff education and awareness training in relation to corruption, fraud or risk management.
• Councils should consider reviewing all policies and procedures that comment on corruption prevention to ensure consistency and tailor those policies for the general public and/or contractors and suppliers. This would inform stakeholders of council’s behavioural expectations and intolerance of corrupt conduct.

• Including a clear statement in the code of conduct that council can take disciplinary action if staff breach council policies (including termination of employment). While staff may be aware of policies, the possible ramifications are more likely to influence decision making.
• Periodically requiring written acknowledgement of the code of conduct to convey the importance of that key policy and formalise council’s agreement with staff.
• Considering a range of additional resources such as a free advice line to assist staff in ethical decision making. conduct.

Codes of conduct document the specific behaviours and ethical standards that an organisation expects its staff to meet and may include sanctions for breaching those standards. A clear code of conduct that is regularly reinforced with staff can provide management and employees with a common understanding of organisational expectations, and the possibility of disciplinary or remedial action if an employee’s conduct does not meet the standard. Moreover, council CEOs are required to develop and implement a code of conduct for staff and ensure that council employees have access to the code.13

To play an effective part in a council’s integrity framework a staff code of conduct should be accessible, relevant to staff and consistent with other policies. However, a policy is not sufficient on its own if the behavioural expectations are not displayed by senior management.

All of the codes of conduct contained policy statements in relation to how conflicts of interest can arise in the context of gifts, benefits and inducements. However, none of the codes explained to staff how a conflict of interest can increase vulnerability to corruption. This contextual information can help employees have a better understanding of the gravity of issues that can arise from conflicts, and therefore appreciate the need to declare relevant matters.

Beyond those general policy statements, the most common issues addressed included:

• favouritism, nepotism and patronage
• external employment
• leaving council
• investments and financial interests
• interactions with suppliers and contractors
• interactions with councillors.

​Most of the codes of conduct also included a policy statement in relation to council’s expectations regarding use of council assets and responsibilities when accessing and disclosing council information.

Three staff codes of conduct could be applied broadly to volunteers and contractors, and one council has a separate code of conduct for volunteers and
contractors. Adopting an expansive definition of staff not only conveys that the code of conduct applies equally to everyone working for the council, it also promotes a universal understanding of the values expressed in that code. Moreover, it is in the interest of councils to ensure that everyone who is expected to comply with the code is explicitly covered by the code.  This avoids the potential for individuals to say that they did not understand the code or it did not apply to them.

In terms of availability and transparency, all six staff codes of conduct are on council intranets, while two councils have made their code publicly available on their websites.

Staff awareness of codes of conduct

In response to the staff survey:

• 97 per cent of respondents were aware of their council’s code of conduct
• 50 per cent had received training on their staff code of conduct over the past 12 months.

​All senior managers said that their council discusses the code with new staff during inductions and provides ongoing training and reminders in face-to-face
training sessions and emails. However, only two councils specifically require periodic written acknowledgement that staff have read and understand the code of conduct. 

A formal acknowledgment from staff in relation to the code of conduct as a condition of employment is one way of stressing the importance of complying with the behavioural and ethical standards in the code and formalising their agreement to carry out their work in line with the code.

However, policies are just one of the tools available to councils to promote ethical culture. On their own, policies can never be sufficient to combat corruption.

The people in leadership positions set the ethical tone of an organisation and therefore play a pivotal role in building organisational integrity and corruption resistance. It is essential that managers not only communicate expected conduct and desired values to staff, they must also demonstrate the conduct and act in ways that are consistent with the values council wishes to instill in its employees.

By leading from the front, senior managers can help to instil greater confidence in employees to report and comply with policies, knowing that their leaders will take timely and appropriate action in response to valid complaints and enforce penalties in the event of policy breaches. 

In response to the senior manager survey and in consultations, councils indicated their commitment to ethical leadership is demonstrated in a variety of
ways, including:

• the CEO meeting with all new starters to discuss the council’s values and expected behaviours
• focusing on ethical considerations in the recruitment process, and contract terms and conditions for senior managers
• investing in and promoting effective reporting mechanisms such as anonymous third-party complaint lines
• providing additional services such as free access to advice lines to help staff make decisions
• making sure the structure of the organisation supports and promotes the work of the governance team
• promoting audits and other governance activities to staff as an opportunity to learn and improve rather than a punitive exercise
• ensuring that strategic risks are on the agenda for every meeting of the audit committee and senior management.

CEOs varied in their preferred leadership approach with some focusing on values and building organisational culture, while others placed greater focus on controls.

Both components are important. Neither culture nor controls should be pursued to the exclusion of the other. Nor are ‘set and forget’ approaches effective when it comes to promoting ethical culture or a safe reporting environment. As a number of CEOs noted, key messages must be repeated through various means including policies, training and awareness measures, leadership shown by management and fair and effective action in response to breaches.

In consultations, one CEO noted that staff communications with councillors and declaring gifts and benefits are partly cultural issues, which take time and constant reminders to embed through acquired knowledge rather than formal training processes. Their goal is to achieve a state where the desired practice is simply the way business is done at council. This view was supported by employees at the same council, who noted their CEO ‘leads from the front’ and that staff are willing to report issues because they know their CEO will take action.​​

The adage that prevention is better than cure is as relevant to corruption as to any other field. The costs to a council in terms of investigating and repairing damaged reputations in the wake of identified corruption are generally far greater than the costs involved in investing in awareness-raising activities and controls to identify and address potential corruption issues proactively.

If policies and leadership are the basic building blocks, education and information are the vehicles to ensure that employees understand why corruption prevention is important and the role they play in assisting their council. Employees need to be informed and reminded of their council’s procedures for identifying risks, making reports and generally playing their part in safeguarding council’s assets, information and resources. The importance of good communication cannot be overstated.

A key element of corruption prevention involves ensuring senior management and employees have a common understanding of the types of behaviour that constitute corrupt conduct and an awareness of emerging risk areas and issues. Accordingly, education and information for employees are important to promote active involvement in corruption risk identification and compliance with policies, procedures and controls.

Five of the six councils provided details of their staff education initiatives. The one council that did not acknowledged that while a range of policies and procedures have been issued to staff intermittently, more work needed to be done to promote corruption awareness as well as the council’s
risk management activities. 

Online resources (internet and/or intranet) are the main source of information for employees, followed by managers, colleagues and the staff newsletter.
However it is important to note that e-learning has limitations – particularly in local government – as a large number of staff work remotely, without regular access to the intranet.

A number of the councils involved in this project also run fraud awareness training while others are in the process of developing relevant training.

In response to the staff survey:

• 47 per cent of respondents were aware of their council’s external employment policy
• 45 per cent were aware of the process for making and managing protected disclosures
• 45 per cent were aware of the fraud prevention policy
• 34 per cent were aware of the corruption prevention policy.

​Around one-third of respondents did not know where to get information about corruption prevention (36 per cent) or fraud prevention (32 per cent). A number of the councils involved in this project did not have a fraud and/or corruption policy, and as such, staff awareness of these topics can be expected to be low.

Of greater concern was that 18 per cent of respondents did not think the processes for making and managing protected disclosures was applicable to their job. Just over a quarter of all respondents (28 per cent) did not know where to get information about protected disclosures.

While it is possible that this may be due to a change in terminology from ‘whistleblower’ to ‘protected disclosure’ legislation, it may also suggest that councils could do more to promote their protected disclosure procedures. This will ensure staff know where to report suspected corruption and get support should they make a report.

All of the councils provide training on the staff code of conduct. A number of councils also communicate regularly with staff to remind them of their obligations under the code. 

Only one council provided specific training on their procurement policy; this was the only council to rate procurement as a high-risk issue.

While the other five councils provided limited information about their training arrangements, all indicated that procurement training is provided. For example, a number of councils use the code of conduct to support specific procurement issues. Two councils also provide employees involved in cash handling or procurement with targeted training.

All six councils use formal acknowledgement requirements to ensure that their staff are aware of the council’s policies and procedures. Methods included
periodic written acknowledgement of particular policies (such as staff codes of conduct and IT policies) and records of training attendance.

Obtaining acknowledgment can help councils to convey the importance of particular policies or behavioural expectations, remind staff of the consequences
if breached, and avoid claims of ignorance in circumstances where contrary conduct is detected.

Another important element of corruption prevention is ensuring the community has access to, and awareness of, a council’s ethical standards. Making this information public helps the community hold council employees to account and deters external stakeholders from attempting to engage council employees in corrupt conduct.

The PD Act requires councils to establish protected disclosure procedures and make those procedures available to the public and all employees.

All six councils publish information about their protected disclosure procedures on their websites and in their annual reports.

One council publishes a range of other policies on their website, including their risk-management framework, staff code of conduct and policies in relation to fraud prevention, compliance and enforcement and reimbursement of expenses. The same council issues media releases in relation to grants and donations, helping to raise public awareness and ensure transparency.

Another council publishes their staff code of conduct and a range of other policies online because they are considered ‘contracts with the community’. Making those documents public reminds staff that they will be held accountable by members of the community if they do something wrong.

One council provides conflict of interest information to tenderers, and another sends a summary of their fraud and corruption control policy to new contractors.

Informing external stakeholders about council’s business practices and ethical standards is a low-cost, practical corruption prevention initiative which can
help to:

• improve council’s reputation and community confidence
• prevent practices and dealings that are contrary to council’s standards
• uncover issues that could adversely affect council’s integrity and effectiveness.

• Suspected corruption was most often identified by work colleagues, highlighting the need to ensure that protected disclosure procedures are up-to-date and consistent with the PD Act.
• Beyond policy statements, councils must endeavour to create a safe reporting environment. This should include reassuring employees they will not be penalised, emphasising that employees do not need to have hard evidence to make a report and demonstrating management’s commitment by taking appropriate action in response to reports that are made.
• The role of audit committees has shifted from purely financial considerations to broader governance issues. As such, audit committee charters should reflect the role those committees play in ensuring that wider corruption risks are adequately identified, monitored and notified to management.

• Applying a range of reporting options such as engaging a third-party provider to receive complaints and reports, allowing employees to maintain anonymity.
• Maintaining a network of contact officers who can provide preliminary advice on a range of issues.
• Reporting on trends in relation to a range of issues allowing senior management to detect adverse developments so that appropriate action can be taken.

All six councils involved in the project have identified suspected corrupt conduct in the past three years. The two most common ways of detecting suspected corrupt conduct were internal reports by work colleagues, and external reports from the public or stakeholders.

In addition, in two councils a supervisor or manager had identified suspected corrupt conduct. One council had also identified suspected corrupt conduct
through compliance monitoring, demonstrating the important role that auditing processes play in detecting corruption. Two councils were aware of protected
disclosures involving alleged corrupt conduct at their council. These responses suggest that staff form the cornerstone of the detection process.

Reports

Making a report is not a decision people generally take lightly. As such, councils should not take it for granted that their employees will make a report if they observe corrupt conduct.

Results from the staff survey also suggest that the fact that an employee identifies suspected corrupt conduct does not necessarily mean they will report it. 

When staff were asked what they would do if they personally observed serious corrupt conduct within their council, 65 per cent of respondents stated they
would report it. Only eight per cent said they would not report it, while 26 per cent were not sure what they would do, as shown in Figure 4.

Of those who gave reasons for not reporting or being unsure, the most common reason was the belief that they needed to have evidence in order to report (71 per cent), followed by concern that it could adversely affect their career (59 per cent), and lack of confidence that management would take action (44 per cent).

These results suggest that it is not awareness of what constitutes corruption or obligations to report that govern an individual’s decision to act. Organisational culture and personal considerations play an important role in a person’s decision to make a report. It takes courage to report, particularly if an individual is either uncertain about what they have observed or perceive that a report could affect their ongoing employment.

For these reasons, it is important that councils create a safe reporting environment, and reiterate their commitment to taking action in response if they want staff to report suspected corrupt conduct.

Awareness of what constitutes corruption and reporting obligations do not govern an individual’s decision to act. Organisational culture and personal considerations play an important role in a person’s decision to make a report. 

Protected disclosure procedures are the primary mechanism for reporting suspected corrupt conduct in local government. All six councils involved in this
project had protected disclosure procedures in place, albeit with a number of small errors. Most of the policies provided reasonably clear guidance on how to make a disclosure.

All six councils have references or links to protected disclosure information on their websites including advice to contact either IBAC or the Victorian Ombudsman. In general, councils ensure the protected disclosure system is operating effectively by:

• engaging external experts to help prepare and deliver education in relation to protected disclosures
• addressing awareness of the procedures in performance reviews
• gauging staff awareness of the protected disclosure procedures in staff surveys.

The PD act requires all public bodies establish procedures around the management of the welfare of people involved in a protected disclosure. Providing that support helps to build trust in the system – an important component of any reporting and complaint handling process, along with the need for clarity and accessibility.​​

Reporting mechanisms allow staff and the public to make senior management aware of suspected corruption. Auditing provides for a systematic review
of processes and practices to identify corruption vulnerabilities and potentially corrupt conduct.  An effective auditing regime can serve as both an early warning system to identify emerging risks and procedural weaknesses, and a detection mechanism to identify specific instances of misconduct or corruption.Ideally, auditing schedules should be informed by a thorough risk assessment, and monitored by an independent committee to ensure that its functions are scrutinised objectively.

From the end of the 2014–15 financial year councils will be required to report on whether they have:

• engaged an internal auditor to ‘provide analyses and recommendations aimed at improving council’s governance, risk and management controls’
• established an audit committee in accordance with the Local Government Act, noting that the role of audit committees includes overseeing council’s
  compliance with ‘applicable legal, ethical and regulatory requirements’.17

​Four councils provided details of their strategic auditing plans (for the next three to five years) and scheduled auditing activities for the current year.

In terms of integration with risk assessments, those auditing plans indicated that the audit items had been identified through the risk-assessment process,
including one which listed the council’s top 20 risks at a given date and identified various auditing activities to address those issues.

Central to the auditing function is an audit committee that has relevant skills, appropriate knowledge of council functions and sufficient resources, independence and authority to oversight the audit program, scrutinise council functions effectively and provide informed, objective advice to a council.  An audit committee’s activities should augment the council’s risk management processes and identify and address corruption risks beyond fiscal considerations (eg. factors that could have a bearing on council’s reputation, operations, staff morale and ethical culture).

In a number of councils, audit committees now focus on risk more than internal financial accounts, with one council separating their audit committee from
their finance committee in order to focus on more strategic issues.

All six councils have audit committee charters that set out their committee’s objectives and responsibilities.  Most of the charters referenced monitoring their council’s risk-management plan and fraud policy. Only one charter specified reviewing or monitoring other corruption-resistance strategies.

A number of audit charters include other functions that may contribute to corruption resistance, such as:

• responsibility for investigations or review of identified instances of fraud, serious misconduct, and significant conflicts of interest
• monitoring the implementation of recommendations arising from reports
• reviewing the effectiveness of a range of internal control systems.

While all employees play a role in identifying and preventing corruption, ultimate responsibility must lie with senior management. It is therefore important for senior managers to have mechanisms to notify them of suspected corruption, to monitor trends that suggest areas of concern and act appropriately in response when they become aware of issues. 

Councils have a range of reporting mechanisms, including:

• protected disclosure procedures
• internal audit programs or reports by auditing committees to senior management
• delegations enforced within systems
• requirements that staff report corruption or illegal activity
• risk-management systems, particularly high-level monitoring and reports on strategic risks
• post-event analysis and independent reviews of incidents that are not protected disclosures.

​Additional measures included having systems based on the Australian Standard for Fraud and Corruption Control, ensuring that the governance advisor
is appropriately trained, and discussing risk and compliance at every executive meeting.

One council’s quarterly senior management team meeting covers a range of topics including financials, staffing, customer service figures and key risks, allowing the council to track trends on a range of issues and proactively detect adverse trends.

Senior managers must also ensure appropriate action is taken in response to reports. One council provided details of action they have taken in relation to a range of allegations, including additional audits, disciplinary action, education and revision of policies/information.  Such action demonstrates to employees (and on occasions the broader community) that council will act to combat corruption.

All six councils have staff or teams with anti-corruption responsibilities. All six councils have audit committees that provide independent oversight of council operations and all six nominated their protected disclosure coordinators and protected disclosure officers (who tend to be directors of governance,
corporate or executive services) as key staff with anti-corruption responsibilities.

A number of senior managers stated they also have a team or unit that is responsible for risk management and regulatory compliance, including anti-corruption measures.