Personnel Security: Due Diligence over Public Service Employees

Tabled: 21 May 2020

1 Audit context

In 2018–19, the VPS employed 47 961 people. Personnel security—including employment screening—is a critical part of managing this workforce.

1.1 Why this audit is important

VPS employees hold positions of trust, with responsibility for administering Victoria’s finances and assets, and providing a wide range of services to the community, including vulnerable Victorians.

The public expects that VPS employees are competent and appropriately qualified, and that they act in the public interest.

Employment screening helps to safeguard the integrity of the VPS, reduce the risk of fraud and corruption, and maintain the quality and safety of government services.

1.2 The VPS workforce

Figure 1A shows the composition of the VPS workforce and how it fits into the broader Victorian public sector.

Figure 1A
VPS workforce 2018–19

Figure 1A VPS workforce 2018–19

Source: VAGO, based on VPSC data.

1.3 Recruiting the right people

The integrity of the VPS relies on recruiting the right people.

Integrity bodies in Victoria and interstate have repeatedly highlighted public sector recruitment as a high-risk area for fraud and corruption.

Fraud is dishonest activity involving deception that causes actual or potential financial loss.

Corruption is dishonest activity in which an employee acts against their employer’s interests and abuses their position to achieve personal gain or advantage.

Fraud and corruption risks

The VPS is susceptible to fraud and corruption risks during recruitment, including:

  • false information on a resume
  • false references
  • failure to disclose a criminal record or past misconduct
  • failure of hiring managers to to declare and manage a COI.

Figure 1B summarises relevant audits and investigations that have exposed these weaknesses across Australia, and recent policy changes in Victoria related to employment screening.

Figure 1B
Key investigations, audits and policy changes relating to employment screening

Figure 1B Key investigations, audits and policy changes relating to employment screening

Source: VAGO, based on published reports and integrity bodies.

Employment screening requirements

Employment screening includes a range of pre-employment checks and, where appropriate, ongoing monitoring of employees.

Figure 1C summarises key employment screening activities in the VPS, based on better practice guidance from the Standard and relevant policies issued by VPSC. These are described further in Section 1.4.

Figure 1C
Key employment screening checks in the VPS

Type of check

Purpose

Identification

To verify a candidate’s identity using the ‘100 points’ formula and sighting some form of photo identification.

Criminal history check (police check)

  • national police check
  • international police check (optional)

To identify whether the candidate has a criminal record.

Shows any findings of guilt and, in Victoria, also includes intent to summons and charges.

An international police check may be warranted if an applicant has lived overseas for a substantial period of time.

Qualifications

To confirm currency and accuracy of any mandatory qualifications and professional memberships.

Employment references

To verify the candidate’s employment history and past conduct, including any performance concerns or misconduct matters.

Declarations and consent

For the candidate to disclose any misconduct history within the last 10 years for VPS executives and seven years for VPS employees.

Provide candidate consent for the prospective employer to verify the candidate’s employment history with current and past employers.

Eligibility to work

To confirm:

  • Australian residency status and thereby the candidate’s eligibility to work in Australia
  • the preferred candidate has not received a Voluntary Departure Package from the VPS, where a three-year restriction on re-engaging with the VPS applies.

Other—role specific

To comply with any other role-specific requirements, for example, Working with Children Checks (WWCC).

Source: VAGO, based on information from the Standard and VPSC policy guidance on employment screening.

Screening potential contractors and consultants

An agency can engage contractors and consultants using WoVG purchasing agreements, which includes SPCs and supplier registers. They can also use their own procurement processes.

Like VPS employees, contractors and consultants can hold positions of trust and, where necessary, they should be subject to the same screening.

WoVG agreements
State purchase contracts

DTF is responsible for managing and monitoring the following SPCs that we included in this audit:

  • staffing services (SS) SPC—provides government agencies with fixed-term, permanent and executive staff for the administration, information technology and specialised recruitment categories
  • professional advisory services (PAS) SPC—provides professional advice and consultancy services in relation to commercial and financial matters, tax, and probity.
eServices register

DPC is responsible for maintaining the eServices register. This register includes multiple suppliers for the public sector to engage across a broad range of information technology-related services, including the provision of software and equipment solutions and maintenance services.

Direct engagement of contractors and consultants

Government agencies can also use their own procurement processes when engaging contractors and consultants. This can occur when the hiring agency has resource needs outside the scope of the WoVG agreements or has tried unsuccessfully to find a suitable resource through WoVG agreements.

COI during recruitment

A COI is where a person has private interests that could improperly influence, or be seen to influence, their decisions or actions in the performance of their public duties. Conflicts may be actual, potential or perceived.

Recruitment is a high-risk area for COI. Employees involved in recruitment must identify, declare and appropriately manage any COI early in the recruitment process, for example if a candidate is a family member, friend or business associate.

In August 2018, VPSC released a model COI policy and guidance material for the Victorian public sector. It designed this to help government agencies assess their COI risks and implement their own COI policy, or align it with the new VPSC policy. The VPSC guidance clearly states that government agencies must ensure selection panels are aware of their obligation to declare and manage any COI during recruitment.

1.4 Legislation, policy and guidance

Australian employment screening standards

The Standard provides good practice guidance for employment screening. It is not mandatory but provides a foundation for VPS agencies to develop their employment screening policies and procedures. The Standard seeks to:

  • reduce the risk of a security breach
  • ensure the integrity of personnel within an organisation.

Protective security framework

The Australian Government’s Protective Security Policy Framework—issued by the Australian Attorney-General and mandatory for all Australian Government entities—states that personnel security is one of the three domains for protective security.

The Victorian Government does not have an equivalent whole-of-government protective security policy or framework. Instead, each VPS department and agency has its own approach.

Figure 1D shows how employment screening fits into an organisation’s protective security measures.

Figure 1D
Australian Government Protective Security Policy Framework 2018

Figure 1D Australian Government Protective Security Policy Framework 2018

Source: VAGO, based on information from the Protective Security Policy Framework.

Victorian employment-related legislation

The Public Administration Act 2004 and the Code of Conduct for Victorian Public Sector Employees 2015 set out the values and expected behaviours of VPS employees.

Under Part 3 of the Public Administration Act 2004, the Secretary of each department is responsible for employing VPS employees in their department. Part 2 obliges each Secretary, and in turn all VPS employees, to follow a set of employment principles, including that all recruitment decisions must be based on merit.

All employees must comply with the code of conduct, which includes demonstrating integrity and impartiality in all aspects of their role, including recruitment processes.

Each department must also take reasonable steps to minimise and manage the risk of fraud, corruption and other losses as per the Standing Directions of the Minister for Finance 2018, under the Financial Management Act 1994.

Victorian Protective Data Security Framework

Established under the Privacy and Data Protection Act 2014, and issued by the Office of the Victorian Information Commissioner, the Victorian Protective Data Security Framework Version 2, February 2020, aims to monitor and ensure the security of public sector information. The framework includes the Victorian Protective Data Security Standards October 2019, which are 12 high-level mandatory requirements to protect public sector information, covering:

  • governance
  • information security
  • personnel security
  • information technology security
  • physical security.

These standards mandate that all agencies establish, implement and maintain personnel security controls. These actions help to ensure employees’ suitability to access public sector information and mitigate agencies’ personnel security risks.

VPSC policy

VPSC aims to strengthen public sector efficiency, effectiveness and capability, and to help maintain public sector integrity. VPSC is also responsible for developing Victorian public sector policies and procedures.

VPSC leads the development of VPS-wide pre-employment screening policies, which are mandatory for all VPS roles and aim to minimise the risks of employing unsuitable candidates. Figure 1E summarises the policies.

Figure 1E
VPS pre-employment screening policies

Date of release

Policy

Details

30 October 2018

VPS Executive Pre-employment Screening Policy (rescinded)

This policy stated that VPS executives must:

  • complete a statutory declaration regarding the accuracy of their application
  • disclose any misconduct or disciplinary matters in their past 10 years of employment
  • give consent for pre-employment checks, including contacting their current and previous employers to verify past employment, conduct and performance.

13 September 2019

VPS Pre-employment Screening Policy (rescinded)

Introduced the same requirements for VPS employees as executives, except that they must disclose misconduct matters from the past seven years instead of 10.

23 December 2019

VPS Pre-employment Screening Policy

This policy replaced the previous two policies and covers both executives and VPS employees.

It maintains the different time frame for past misconduct disclosures for VPS employees and executives.

Source: VAGO, based on information from VPSC policies and guidelines.

Human Resources Systems Statement of Direction

In 2016, the Victorian Secretaries Board (VSB) issued the Human Resources Systems Statement of Direction for the VPS. It aims to uplift, modernise and deliver consistent human resources services across the VPS. Effective recruitment practices, including employment screening, are an important part of a human resources system.

The VSB includes the secretaries of each department, the Chief Commissioner of Police and the Victorian Public Sector Commissioner. It aims to coordinate policy initiatives, promote leadership and information exchange information in the public sector.

In January 2019, the VSB endorsed the establishment of One VPS as a branch within DPC. The One VPS initiative was designed to make it easier for the VPS to work together. Its remit included developing a shared human resources IT system for all government departments and Victoria Police, known as the HCM system. The HCM system is a critical part of the Human Resources Systems Statement of Direction for the VPS.

On 1 May 2020, the VSB announced that One VPS would cease, but the HCM project would continue as part of DPC's Enterprise Services Branch. The HCM project team is in the design phase, with implementation planned to start in 2020–21.

1.5 What this audit examined and how

We examined whether the audited agencies’ fraud and corruption controls regarding personnel security are well-designed and operating as intended. To do this, we:

  • analysed the recruitment and employment screening policies and procedures at all VPS departments and VPSC
  • compared policies and practices against the Standard, and VPS-wide policies and guidelines.

We then selected DHHS, DPC and DTF and performed detailed testing to determine how well they implement their policies and procedures and control personnel security risks.

We reviewed workforce and recruitment data and examined a sample of recruitment files from between 1 July 2017 and 30 June 2019. We focused on whether these agencies had completed the following employment screening for successful candidates:

  • police checks prior to their start date
  • reference checks
  • mandatory statutory declaration and consent forms for new executives.

We did not test the implementation of the VPS pre-employment screening policy, as it has only been effective since 1 October 2019.

We examined the screening practices for contractors and consultants engaged through three WoVG agreements, and the audited agencies policies and procedures for engaging contractors and consultants outside the WoVG agreements.

We also examined policies and procedures relating to COI during recruitment across all audited agencies.

We used data to examine whether:

  • agencies hired ex-VPS employees between 1 July 2017 and 30 June 2019, who had been terminated for misconduct or had resigned during a misconduct investigation between 1 July 2015 to 30 June 2019
  • staff engaged through the SS SPC between 1 July 2017 and 30 June 2019 had a police check prior to starting work.

We conducted our audit in accordance with the Audit Act 1994 and ASAE 3500 Performance Engagements. We complied with the independence and other relevant ethical requirements related to assurance engagements.

The cost of this audit was $490 000.

1.6 Report structure

The remainder of this report is structured as follows:

  • Part 2 examines employment screening of VPS employees.
  • Part 3 examines screening of contractors and consultants.

Back to Top