Investigation summaries

Operation Grey

15/03/2021

Operation Grey was an IBAC investigation into allegations of false record keeping by senior staff within the Dispute Settlement Centre of Victoria to meet performance targets. The investigation confirmed data had been modified but did not substantiate allegations of corrupt conduct. Opportunities to address several vulnerabilities identified during the investigation were found.

In June 2018, IBAC commenced Operation Grey to investigate allegations of false record keeping by senior staff within the Dispute Settlement Centre of Victoria (DSCV), an agency of the then Department of Justice and Regulation (the Department) in order to meet performance targets.

It was alleged that senior staff at DSCV improperly caused false reporting on a Victorian Government Budget Paper No. 3 (BP3) performance measure during the 2017-18 financial year. The performance measure related to the number of Dispute Resolution Advisory Services (DRAS) DSCV provides annually.

IBAC's investigation confirmed that data had been modified but did not substantiate allegations of corrupt conduct in relation to those modifications, noting there was no evidence of undue pressure by senior managers to meet DSCV's BP3 targets or any wider culture of meeting performance measures at all costs.

However the investigation did identify organisational issues regarding the absence of written authorisation for data modification, a lack of separation of duties and poor management of case deletion scripts used to make bulk modifications to the database.
IBAC identified opportunities for the Department to address vulnerabilities identified in Operation Grey, including removal or restriction of access to the case deletion scripts, procedures to prevent further unauthorised modification and audits to assist with compliance.

In May 2020 and January 2021 the Department wrote to IBAC outlining the actions it had taken to address the corruption vulnerabilities identified in Operation Grey.

IBAC publishes responses to our investigations to inform the community about actions agencies advise they are taking, and to share learnings that may help other agencies improve their systems and practices to prevent corruption and misconduct.
That the Department remove, or restrict access to, case deletion scripts on the agency’s servers

The editing of files was found by IBAC to be in response to a failure of officers to contemporaneously enter data as cases were active, thus leading to the need for back-capture and bulk data editing.

All cases are now being entered contemporaneously and monitored by managerial levels. There is no access to case deletion scripts by any DSCV employees (then or now). At the time of the incident, the case management system’s external provider was instructed to make these cases. The case management system was built by and is modified upon request by this external ICT provider.

The Department later acknowledged that 'some aspects of the letter of 22 May 2020 in relation to [this point] were incorrect', adding that, 'The deletion scripts were still on the server but were removed on 10 December 2020'.

Action to prevent further instances of unauthorised modifications to the DSCV and other performance reporting databases

The case management system is due to sunset at the end of the year. DSCV is merging with the Domestic Building Dispute Resolution Victoria (DBDRV) into one group. Dispute Services and DSCV will commence using the DBDRV system once modifications are built, which is currently underway. This system is managed by the Department's Technology Solutions and is used more broadly across the Department’s Regulation Group including Consumer Affairs Victoria.

Under the new DBDRV system, the layers of governance for modifications far exceed the one to one relationship between the then DSCV Operations Manager and the sole trader managing the previous case management system.

Any changes must be made through the local business unit and the Department's current operating procedures, which require a suitably authorised person at the manager level to make requests through Dispute Services ICT for progression to central departmental Technology Solutions. The DBDRV system also has customised access levels and a complete audit trail that cannot be deleted by Dispute Services staff, ICT or other users.

In the interim until the transition, DSCV has implemented a local policy that any changes to cases must be authorised by the Director by email.

The Department subsequently advised that:
- The DSCV application that housed the previous case management system was decommissioned in October-November 2020
- In December 2020, DJCS instructed CenITex to audit the file directory by examining the back- up tape. CenITex found that the deletion scripts have not been accessed by staff since February 2018.
Consideration of an audit of the DSCV case management system database

The Department has considered this recommendation but determined that there is a low risk of further fraudulent activity having occurred undetected. Given the way that the cases were created and the short duration of the issue, the extent of the incident is fully understood.

The current system will cease by the end of the year and additional data verification will be undertaken when the data is transferred to the new case management system. The data investigated relates to the counting of information and advice, which does not impose a risk to the service provided to the community.

Instead of a retrospective audit, the Department has since significantly expanded controls around verification of data reported which includes the documentation of a data dictionary for DSCV – which includes the measure, the counting rules, the approval process and authorisation of the data storage, and improved sign off protocols at the executive level.

The Department is seeking advice from its internal auditors on the possibility of extending planned controls audits to include some additional testing of the DSCV data.