Chapter 4 - Integrity frameworks and probity assurance

4.1 In evidence to the inquiry, the Auditor-General emphasised that ‘ethical behaviour and integrity aren’t just doing narrow compliance’[1] and that ‘meeting mandatory requirements is not sufficient to ensure compliance with the high expectations set out in the principles-based legislation and frameworks’ that govern work in the public sector.[2]

4.2 This was also a message in the recent APS Integrity Taskforce report, Louder Than Words, which stated ‘the law was never intended to be the maximum standard of behaviour required. Legality is the minimum standard expected of public servants’.[3] During the inquiry, the Australian Public Service Commission (APSC) agreed acting with probity is more than just meeting mandatory minimum compliance standards.[4]

4.3 The sentiment is also contained in the APSC guidance on acting in accordance with the APS values contained in the Public Service Act 1999 (PS Act).[5] The guidance specifies that upholding the ‘ethical’ value requires officers to act not just in a way that is technically and legally correct, but in a way that is right, such that knowing what is ‘right’ is likely to require having regard to the intent of a relevant law or policy.[6]

4.4 However, notwithstanding the requirement to act ethically and with probity, the Australian National Audit Office (ANAO) is of the view its reports ‘provide evidence that the Australian public sector regularly falls short of complying with both the intent and requirements of its regulatory frameworks …’[7]

4.5 As part of the inquiry, the Committee put questions to the five entities, asking how agencies assess whether they are acting in a way that is right and proper, and not just in a way that is technically and legally correct. The intention was to understand how agencies evaluate how they are positively acting according to the intent of the law and thus demonstrating probity as they conduct their activities.

4.6 While entities can often demonstrate they have policies in place to prevent fraud, corruption, other illegal activity or conflicts of interest, the mere absence of illegality, fraud, conflicts or corruption does not prove an entity is acting with probity. What probity goes to is behaviours and ethics, described by Andrew Podger as ‘the processes by which you went about trying to achieve the results that you required’.[8]

4.7 The responses from the entities, discussed in this chapter, show that agencies—drawing upon guidance from the APSC and the National Anti-Corruption Commission (NACC)—have expended significant effort to define probity (subsumed under the concept of integrity) in a way that is measurable through a range of metrics, and consequently, typically measure their integrity by such things as dealing with conflicts of interest, implementing fraud controls, and ensuring staff have completed training and have performance agreements.

4.8 The focus is broadly on administrative and process arrangements; on putting measures in place in an attempt to prevent particular types of behaviour that are not ethical, not on examining behaviour that has occurred to see if officers, when working to achieve outcomes, are acting with probity. The measures might more accurately be considered integrity management rather than integrity performance.

4.9 This chapter questions whether the integrity metrics would be effective in resolving the issues that were uncovered in the Artbank and Community Health and Hospitals Program (CHHP) audits in particular, and other audits highlighted by the ANAO and discussed briefly in chapter 1.

Audits into financial regulators

4.10 This chapter touches, in the context of entity integrity frameworks, on the audits into the financial regulators. The audits into the Australian Securities and Investments Commission (ASIC), Australian Prudential Regulation Authority (APRA), and the Australian Competition and Consumer Commission (ACCC) examined ‘probity management’ and followed a standard methodology.[9]

4.11 The audits were not an examination of the effectiveness of these regulatory bodies or particular regulatory decisions taken. In this way they differ significantly from the performance audits of Artbank and CHHP, and cannot be used for a comparative performance assessment. Rather, the financial regulator audits assessed whether there were effective administrative arrangements (for instance, frameworks, guidelines, policies, procedures) in place to address nine selected probity risks, and whether these were enforced. In essence, the audits examined whether the agencies were in a position to act with probity when they undertook their regulatory roles.

4.12 The nine selected probity risks were: code of conduct; probity in procurement; management of public interest disclosures; management of senior executive remuneration; management of conflict of interest; oversight of credit card expenditure; management of gifts, benefits and hospitality; identification and management of fraud risks; and management of key regulatory risks (regulatory capture risk and financial trading).[10]

4.13 The findings of the reports were broadly positive: probity management at APRA and ASIC was found to be largely effective; at the ACCC it was found to be partly effective, though initiatives were underway to strengthen internal arrangements.[11] The ANAO stated with regard to the ACCC, ‘Policies, procedures and arrangements relating to probity management in regulatory activities could be improved’.[12]

4.14 Some shortcomings were identified in the performance of all entities. For instance, agencies had not consistently identified regulatory capture in their entity-level documents (for instance, corporate plans) though entities did identify and/or otherwise address it to varying extents in other subordinate policies.[13]

4.15 Questions were raised about gifts and benefits policies. The ANAO found, amongst other things, that APRA should review whether its policy settings with regard to the receiving of gifts and benefits aligned with the internal principle established in the APRA Chair’s Finance Instructions and Policies.[14] The ANAO identified scope for ASIC to improve its gifts and benefits policies. In particular, the ANAO recommended that ASIC review its financial thresholds for declaring gifts, benefits, and hospitality, with a view to managing the risk of conflicts of interest when engaging with regulated entities.[15] The ANAO identified multiple issues with the ACCC’s approach to conflicts of interest with regard to its gifts, benefits, and hospitality register.[16]

4.16 Some issues were identified in procurement processes. Notwithstanding the requirement to work with the APRA procurement team for procurements above $20,000, an internal APRA audit undertaken in January 2022 found there was no evidence of consideration of conflict of interest for procurements less than $80,000,[17] that 67 per cent of procurements made by APRA between $20,000 and $80,000 were not compliant with APRA’s policy to obtain at least three quotes; and that APRA’s tender evaluation methodology did not specify that no changes should be made to evaluation methodology after tenders had opened.[18]

4.17 For the ten high-value procurements reviewed by the ANAO, ASIC partly complied with the requirements established in its internal ‘Procurement guideline — probity’. The selected requirements were not met in four of the procurements (40 per cent non-compliance); only one of the selected requirements was met in four of the procurements (40 per cent partial compliance); and all four of the selected requirements were met in only two of the procurements (20 per cent compliance).[19] The ANAO examined ten high value procurements that had been reviewed by the ACCC’s central procurement team and found absences of documented evidence of probity management, and probity plans that were not fully followed.[20]

4.18 In credit card usage, the ANAO found that between June and July 2022 there were 106 credit card transactions made,[21] with 42 transactions considered non-compliant with APRA’s requirements.[22] The ANAO found that between June and July 2022 there were 197 credit card transactions made,[23] with 24 transactions considered non-compliant with ASIC’s acquittal requirements.[24] The ANAO found that ACCC personnel were compliant with requirements relating to corporate credit cards. However, there was no documentation of the process for approving the ACCC Commissioners’ credit card expenditure, nor was there mandatory training within the ACCC with respect to credit card use.[25]

4.19 With regard to senior executive remuneration policies, at the time of the audits, neither APRA nor ASIC had senior executive remuneration policies; the ACCC did have a senior executive remuneration policy.[26]

Entity probity responses

Department of Infrastructure, Transport, Regional Development, Communications and the Arts

4.20 The Artbank program sits within the Department of Infrastructure, Transport, Regional Development, Communications and the Arts (DITRDCA). As discussed previously, the audit of the Artbank program found there was no overarching strategy to support the direction of the program or measure its success; acquisitions had not been in accordance with the Commonwealth Procurement Rules (CPRs) or DITRDCA’s own policies and Artbank’s Collection Plan; management of the collection was insufficient to ensure its integrity; and the approach to leasing was not appropriate.[27]

4.21 DITRDCA’s view of integrity is such that it was able to state, notwithstanding this assessment, that the ANAO had made no finding of unethical behaviour.[28]

Assessing whether behaviour is right and proper

4.22 When responding to the Committee’s question on how DITRDCA assesses whether its officers are acting in a way that is right and proper, and not just in a way that is technically and legally correct, it provided information on its integrity strategy.[29]

4.23 According to DITRDCA, its Integrity Strategy (launched in 2022) ‘delivers a clear and easy to understand narrative on the Department’s position and expectations of all staff when it comes to embedding integrity in their work’.[30]

4.24 DITRDCA equates its definition of integrity with probity. DITRDCA’s Integrity Strategy defines integrity as ‘the pursuit of high standards of professionalism, which in turn means doing the right thing at the right time to deliver the best outcomes for Australia sought by the government of the day’. This is the definition provided by the APSC, and according to DITRDCA, aligns with the Department of Finance’s definition of probity, which requires complete and confirmed integrity, uprightness and honesty in a particular process.[31]

4.25 Part of the Integrity Strategy is an Integrity Framework for managing integrity risks, and an Integrity Dashboard, which contains data identified using the APSC’s Integrity Metrics Resource.[32]

4.26 DITRDCA’s Integrity Framework contains ‘three lines of defence’ for the management of integrity risks:

  • people and procedure: policies, guidelines and frameworks front line staff use to manage integrity risks
  • check and challenge: quality assurance processes to ensure work is evidence based and in line with the required frameworks
  • independent assurance: providing the Executive with assurances that integrity risks are being managed effectively.[33]

4.27 No further detail was provided on the substance of the Integrity Framework, or the mechanism by which it would allow DITRDCA to assess whether officers are acting in a way that is right and proper.

4.28 It is through the Integrity Dashboard that DITRDCA states it is able to identify areas of integrity ‘that are doing well, and those that require greater focus’, allowing it to target education and awareness raising campaigns ‘to ensure staff are acting in a way that is right and proper’. Trend data, DITRDCA stated, would be used to ‘ensure the controls that govern integrity arrangements within the Department are working as intended’.[34]

4.29 DITRDCA did not explain how the Integrity Dashboard would allow it to assess whether officers are acting in a way that is right and proper, for instance, undertaking procurements in compliance with finance law. However, given its prominence in DITRDCA’s response, it might be assumed the substance of the metrics identifies what DITRDCA believes constitutes probity.

Integrity Metrics Resources

4.30 As noted above, DITRDCA’s Integrity Dashboard contains data identified using the APSC’s Integrity Metrics Resource. The Integrity Metrics Resource provides a way, according to the APSC, for an agency to measure, monitor and report on integrity performance. It contains three tools:

  • Integrity Metrics Maturity Model—a tool for an agency to self-assess its capability level in measuring and monitoring integrity
  • Integrity Metrics Register—a list of metrics that can be used to measure integrity performance
  • Integrity Dashboard—guidance on the effective display of integrity information.[35]

4.31 The Integrity Metrics Maturity Model is concerned with the capability of an agency to measure integrity. It is a self-assessment tool where agencies determine where they sit at one of three levels in the following categories:

  • the extent to which an agency undertakes integrity measurement, monitoring and reporting functions
  • the quality/complexity of the data an agency is able to use to measure integrity
  • the type of governance structures in the entity for reporting on integrity
  • the frequency at which measurement occurs
  • whether and to what extent integrity is explicitly referenced in employee performance agreements or duty statements.[36]

4.32 The Integrity Metrics Register contains metrics across four categories that the document states can be used to measure agency and employee integrity.[37] These are:[38]

  • human resources metrics:
      ◦ employee perception survey data—responses to integrity-related questions including perceptions of integrity issues such as APS values, bullying and harassment, corruption and fraud
      ◦ performance management data—for instance, percentage of staff with performance management agreements in place and cycle assessments, data on underperformance
      ◦ unscheduled absences data
      ◦ overtime and leave balances data
      ◦ Code of Conduct (CoC) reports and investigations
      ◦ compensable claims
      ◦ work, health and safety reports and incidents
      ◦ training completion rates
      ◦ evaluation and feedback reports on integrity-related activities, training and events
      ◦ issue resolution timeframes
      ◦ cessation processes—exit interviews and surveys
  • declarations and self-reporting metrics
      ◦ monitoring and reporting on conflict of interest declarations and management plans
      ◦ monitoring and reporting of gifts and benefits
      ◦ monitoring and reporting on request for approval of outside employment and volunteering
  • security metrics including pre-employment suitability screening, security clearances, breaches, access controls, and reporting under the protective security policy framework
  • risk, fraud and corruption metrics
      ◦ monitoring of fraud and corruption reports and investigations
      ◦ monitoring privacy breaches
      ◦ monitoring Public Interest Disclosures.[39]

Assessing whether the agency is acting positively according to the intent of the law

4.33 DITRDCA stated it monitors and evaluates its activities, in part, through governance committees, including the Executive Leadership Team, Enabling Committee, Priority and Delivery Committee, and Audit and Risk Committee.[40] No information was provided on how these committees assess whether the agency is positively acting according to the intent of the law or what evidence they consider.

4.34 DITRDCA also has a ‘dedicated probity team’, that ‘supports internal stakeholders in ensuring that probity considerations are front and centre in decisions made’. The probity considerations were not identified by DITRDCA, but it assured the Committee ethical decision making and appropriate record keeping ‘are cornerstones of the Department’s approach to its actions’.[41] Amongst other things, the Artbank audit found shortcomings in record keeping, and the reliability of Artbank data a challenge.[42]

4.35 DITRDCA stated it also has a conflict of interest process, and an internal audit program dealing with risk management, control, and governance processes. Internal audits are ‘periodically undertaken on key aspects of the department’s processes and frameworks to assess whether they are fit-for-purpose and achieving their intended objectives’.[43]

4.36 The mechanism by which DITRDCA identified the intent of the laws and regulatory frameworks it is required to follow, for instance in procurement, and how it assessed whether it is complying with the intent of these laws and regulatory frameworks, or even just the letter, was not identified. The Artbank report provided evidence departmental officials were not undertaking procurements consistent with the CPRs or DITRDCA’s own policies.[44]

Department of Health and Aged Care

4.37 The CHHP was administered by the Department of Health and Aged Care (Health). As discussed in chapter 3, the ANAO found the administration of the CHHP was ineffective and fell short of ethical requirements, including:

  • deliberate breaches of the Commonwealth Grants Rules and Guidelines (CGRGs)
  • failing to advise the minister there was no legislative authority for some grants
  • governance and administration of funding arrangements that were not effective
  • monitoring and evaluation arrangements that were only partly effective.[45]

4.38 Health’s view of integrity is such that it was able to state that what lay at the heart of the issue was not a cultural problem but ‘capability and attention to detail. If you view that as having some ethical aspect to it—and you could argue that there is—then, yes’.[46] And further, Health argued the department at the time was of the view it had to balance the risk between managing the appropriation for CHHP within a tight timeframe and confirming legality, which ‘had to be dealt with retrospectively’.[47]

4.39 As also discussed in chapter 3, Health suggested in a letter to the minister, in November 2022, the creation of an additional category of grant in the CGRGs to ‘support timely delivery of published and explicit decisions of Government’, and the development of ‘program level grant guidelines that can be re-used over subsequent years and funding rounds’.[48] The Audit Office had found in its report that Health had used the rationale ‘decisions of government’ to administer grants in a manner that did not meet the requirements of the CGRGs and as the basis for not responding to advice from the Department of Finance.[49]

Assessing whether behaviour is right and proper

4.40 Health stated it has an Assurance Framework that provides guidance to staff on ensuring outcomes are being met in an efficient, accountable, and ethical manner. The framework identifies areas of assurance need, and provides advice on conducting assurance, and communicating findings to the Executive. It described the Assurance Framework as ‘an effective system of risk management and internal control to support the achievement of outcomes’ and one that had ‘promoted a culture of probity’.[50] No further substantive information was provided, in particular what constitutes ‘assurance’ and the substance of these activities.

4.41 Health also has a risk-based Internal Audit Work Program (IAWP), developed through an annual assurance mapping process. The IAWP has included audits dealing with fraud management, public interest disclosures, physical and cyber security, and conflicts of interest.[51]

4.42 Health stated it undergoes independent external assurance, citing the ‘Halton Review of COVID-19 Vaccine and Treatment Purchasing and Procurement’ and ANAO audits. It ‘actively monitors the implementation of all internal and ANAO recommendations to promote a culture of improvement in relation to compliance’.[52]

4.43 Health has an Essential Learning Program that includes modules on integrity and ethical conduct, dealing with fraud and integrity, and covering topics including the APS CoC, conflicts of interest, and responding to fraud.[53]

4.44 Health states that the Assurance Framework and Essential Learning Program are underpinned by its Integrity Framework of policies, procedures, programs and committees ‘designed to promote a pro-active integrity culture which supports ethical behaviour …’ This framework is informed by the Commonwealth Integrity Maturity Framework—a set of eight integrity principles derived from key Commonwealth integrity laws, policies and procedures.[54]

4.45 The purpose of the Commonwealth Integrity Maturity Framework (produced by the National Anti-Corruption Commission), which contains four levels of agency maturity, is to support Commonwealth agencies to ‘design, implement and review the effectiveness of their integrity frameworks so they are tailored to their risk profiles, size and contexts’.[55]

4.46 The Integrity Maturity Framework is accompanied by a ‘self-assessment tool’ for agencies to self-assess their integrity maturity and plan to strengthen their pro-integrity culture and controls and address integrity risks. The self-assessment tool focusses on strategies for preventing integrity breaches; its purpose is not to detect, investigate or sanction integrity failures.[56]

4.47 Health has developed a range of tools and policies against each of the integrity principles, which are summarised in the table below.[57]

Table 4.1 Department of Health and Aged Care Integrity Approach: Selected examples

| Integrity principle | Integrity approach |
|---|---|
| Values and Code of Conduct | Performance policies; guidelines for handling suspected and determined breaches of APS CoC; procedures for determining breaches and sanctions |
| Integrity knowledge and performance management | Induction program, including essential learning training program; essential learning policy |
| Integrity policies, resources and systems | Gifts and hospitality register; conflict of interest policy and resources; bullying and harassment policy; public interest disclosure policy; NACC framework; fair treatment and review of actions guidelines; complaints management policy |
| Integrity risk management and integrity controls | Risk management policy and framework |
| Prevent, detect and manage fraud and corruption | Fraud and corruption control plan; enterprise fraud and corruption risk assessment |
| Integrity in public resource management | Accountable authority instructions; Finance business rules; HR and financial delegations; grants management toolkit; templates for procurement, contract management and grants; managing procurement risk guidance; confidentiality conflicts of interest, privacy and secrecy deed poll (contractors); travel policy |
| Protect people, information and assets | Health security policy framework; security risk management policy; personnel security policy; ICT acceptable use policy; information security policy; insider threat program |
| Monitor and evaluate organisational integrity | Assurance framework and IAWP; Executive Committee oversight and reporting; Audit and Risk Committee; Security, Workforce Integrity and Assurance Committee |

Source: Department of Health and Aged Care, Submission 7.3, pages [13]-[15]

4.48 As encouraged by the guidance materials produced by the APSC and the NACC, Health’s approach might be described as one of developing policies based on risk assessments, for instance conflicts of interest, and of assessing integrity on the basis of whether the policies are being followed, for instance, whether ‘essential learning’ has been undertaken, whether a conflict of interest declaration has been completed, whether the template for procurement or grants has been completed. The capacity of such a framework to assess whether officers are actually behaving in a way that is right and proper, to get at the issues raised by the ANAO in its report, such as ignoring advice from the Department of Finance and the Australian Government Solicitor, and generally administering a program in a manner that is not ethical, is not clear.

Assessing whether the agency is positively acting according to the intent of the law

4.49 Health stated it assessed whether it was positively acting according to the intent of the law through the following activities:

  • risk-based IAWP, which has included audits dealing with fraud management, public interest disclosures, physical and cyber security, conflicts of interest
  • Assurance Framework (discussed above)
  • improving its approach to grants administration, including by improving the content of guidance and templates to support compliance with finance law
  • financial governance framework containing layered and integrated controls, including training and guidance, financial reporting and tiered governance, publication of legislation and rules, review of delegation schedules and Accountable Authority Instructions, including internal assurance over procurement and grant processes
  • procurement controls, including guidance on ensuring probity through the procurement process, and a Procurement Assurance Program that tests a sample of procurement activities on a quarterly basis against the procurement framework, including the adequacy of the probity plan and the probity register.[58]

4.50 Having a policy in place, such as conflict of interest policy, and requiring officers to undertake learning and make a declaration, may give an indication of whether an officer is in a position to act with probity. Absent robust assurance, however, it is difficult to see how an entity can determine whether its officers are positively acting according to the intent of the law by reference to administrative arrangements. Health did not provide any indication of whether it does undertake robust assurance, though it did say it ‘tests a sample of procurement activities’ against the procurement framework. While this has the potential to provide assurance, the lack of detail means this cannot be definitively determined.

Australian Competition and Consumer Commission

4.51 As discussed above, the ACCC’s probity management was found to be partly effective, but the ANAO noted there were initiatives underway to strengthen internal arrangements.[59]

Assessing whether behaviour is right and proper

4.52 The ACCC stated that demonstrating an absence of fraud, corruption, illegal activity or conflicts of interest is relevant to an assessment of levels of probity. Likewise, demonstrating, through an arm’s length audit, an entity is meeting legislated requirements is ‘a positive indication an agency is acting in accordance with expected standards but also has a broader culture of probity’.[60]

4.53 However, providing some broader insight, the ACCC added, ‘… compliance with requirements is not a definitive measure of probity’. The objectives, values and culture of an agency, and the expectations set by senior leadership around acceptable behaviour, significantly influence how an agency operates—that is, whether it operates with probity. Indicators of culture can be monitored through staff census results, levels of engagements and trends in performance management.[61]

4.54 The ACCC acknowledged there was scope for agencies to set their own standards of conduct beyond what was required by legislation by adopting additional transparency actions, which the ACCC had done, including by adding ‘independent’ and ‘trustworthy’ to the APS values of impartiality, committed to service, accountable, respectful and ethical. Agencies could also go beyond best practice, including by reducing the value for disclosure of gifts and making public disclosures.[62]

4.55 The ACCC also noted demonstrating the absence of something or a negative obligation, for instance illegality or fraud, was difficult. Instead, an agency could demonstrate appropriate measures were in place to prevent unwanted conduct occurring, and to detect and address any such conduct—the ACCC detailed a range of activities it undertakes in this area, including reviewing data from the APS Census; reviewing structures, policies and procedures; and undertaking audits or inspections.[63]

4.56 When asked how it tracked and traced compliance with integrity requirements and identified good behaviours, the ACCC responded it was cataloguing the obligations it had under legislation, policies and procedures; establishing ways to survey, audit and test for compliance; and building these into its systems and annual processes.[64] By way of example, the ACCC stated:

Conflict of interest is one of the key issues that we look at for probity and integrity. We've got a number of requirements but, historically, not always the best practice to work out in a measurable way whether our people are complying. For example, annually, every one of our people must put in a conflict of interest form. They must also do regular updates to that, depending on the issues that they're working on or the change in their own circumstances. We've had reasonable systems and are now getting much better systems to actually put that in train. As for the essential training that we require, we've had reasonable systems for making sure that people comply with such training. We're really stepping that up now through this compliance tool to make sure that we can track and trace whether people are actually doing that. That can then feed through to the layers of accountability, so it's not just the individual but also their leader and manager through to their senior executive: what are they doing and what do their results look like, in terms of the people for whom they're responsible?[65]

Assessing whether the agency is positively acting according to the intent of the law

4.57 The ACCC stated it undertakes regular audits and compliance surveys; provides disclosure opportunities and requires staff training. However, it noted fundamental assurance that an agency was acting appropriately and demonstrating probity occurred through independent assessments. Agencies may assess their own levels of compliance, but this was not a substitute for independent, third party scrutiny.[66]

4.58 The ACCC stated each year:

… consumer engagement and a survey tests the response of the community in general to the way that, as consumers, they see the responsiveness, trustworthiness and delivery of outcomes being in the interests of consumers. Also, we benchmark ourselves against other agencies in this regard … So we continue to measure ourselves against what that consumer survey tells us that the community is thinking about the way in which we're discharging our consumer protection responsibilities.[67]

Australian Securities and Investments Commission

4.59 ASIC told the Committee it had a ‘robust and fit for purpose integrity management framework, overseen by an executive integrity committee’, and noted the findings of the ANAO report.[68]

4.60 It emphasised:

  • it had developed a Code of Conduct and Values, as required by its enabling legislation; identified key probity risks (conflict of interest, regulatory capture, financial trading, senior executive remuneration, procurement, corporate credit card expenditure, gifts, benefits and hospitality, fraud, and public interest disclosures)
  • it had policies and procedures to manage identified risks
  • personnel were effectively informed of probity requirements through training and messaging from senior officials
  • it had a framework and arrangements for monitoring the effectiveness of internal controls and compliance with probity requirements, and providing assurance to the accountable authority
  • it promoted, checked and followed up compliance with probity requirements
  • it kept records to demonstrate probity.[69]

4.61 ASIC also provided its ‘Guidance on using the Code’, under which, when faced with a decision, staff are asked to consider if they can answer ‘yes’ to a series of questions:

  • Is the decision consistent with ASIC’s policies?
  • Does it comply with legislation?
  • Is it in ASIC’s best interests?
  • Would I feel OK telling friends or family about this?
  • Is it aligned to ASIC’s vision and values?
  • Would it be OK if someone did this to me?[70]

4.62 If staff answer ‘no’ or ‘not sure’ to any of the questions, they are to contact their people leader or seek further advice and guidance.[71] While the fact that responses can only be ‘yes’ or ‘no’ might suggest the guidance results in definitive outcomes, responding yes or no requires significant judgement and depends, for instance, on how officers understand ASIC’s ‘best interests’, the ethical convictions of friends and family, and what officers believe is ‘okay’.

4.63 It remains unclear from ASIC’s response how it assesses whether its officers are actually acting in a way that is right and proper, and not just in a way that is technically and legally correct. It should be noted the ANAO audit was not an examination of the effectiveness of ASIC or of any particular regulatory decisions taken. Rather, it assessed whether there were effective administrative arrangements (for instance, frameworks, guidelines, policies, procedures) in place to address nine selected probity risks.

Australian Prudential Regulation Authority

4.64 APRA provided a brief response to the Committee’s questions, stating its Integrity Review Group examined probity-related metrics to ascertain whether behaviours corresponded with APRA’s expectations. Any insights or thematic observations were reported to the Audit and Risk Committee—an ‘independent’ committee.[72]

4.65 APRA stated its Code of Conduct supported right and proper behaviour, and senior management communicated regularly with staff on probity-related procedures (such as declaring conflicts of interest), APRA’s expectations, and the importance of probity to APRA’s operation and reputation.[73]

4.66 To determine whether APRA is operating according to the intent of the law, APRA stated it had a ‘three lines of defence’ approach:

  • Line 1—Management: operationalising adherence to probity procedures and ensuring the intent is understood
  • Line 2—Independent Risk Team: owns and regularly reviews the probity-related policies and examines metrics (including incidents) to monitor the effectiveness of management activities
  • Line 3—Internal audit: independent controls testing on whether ‘key controls are adequately enabling policy expectations’, with results communicated to the Audit and Risk Committee.[74]

4.67 During the hearing, APRA stated it thought about probity from two perspectives—top-down or ‘stick’, and ‘carrot’.

You can think about it from two perspectives. If you like, there's the top-down framework, which really provides for probity and ethics across the organisation. So, at a high level, all APRA staff and statutory appointees, which are our executive board members, are required to comply with APRA's Code of Conduct, our Conflicts of Interest Framework and, of course, relevant legislation, and to adhere to the APRA values, which are binding on all of us. To support everyone in that, we have a raft of policies and guidance materials for staff to assist them to understand their obligations. We also have mandatory training and regular internal communications to ensure that people understand what it is that they need to do. In recent years, we've also rolled out a new capability framework for staff, which includes, amongst those capabilities, integrity as an important aspect. If you like, they are perhaps more 'the stick'.

Going beyond that, in terms of 'the carrot', we very much have a culture and environment where we support, encourage and recognise people who are adhering to the APRA values; for instance, rewards are given to people who meet particular standards of behaviour and ethics.[75]

4.68 During the hearing, APRA also disclosed it had been evolving the ways it thinks about measuring ethical behaviours, and had implemented an Integrity Review Group, comprising senior officers in the organisation including the senior executive, representatives from the culture team, general counsel and CRO.

What we do is meet quarterly and bring together and look at different data points across the organisation around joining the dots, if you like, to see where there may be potential vulnerabilities or integrity, fraud or risk issues emerging. So we look at whether any public interest disclosures have been made and whether staff conduct issues have been raised. Obviously, it's all anonymised, but it's getting a sense of whether themes or patterns are emerging. It's also looking at whistleblower reports: again, is there anything that's relevant to APRA that might give rise to concerns and things that we should look into more deeply?[76]

4.69 Like the reports into the other financial regulators, the ANAO report was not a performance audit.

Footnotes

[1] Mr Grant Hehir, Auditor-General, Australian National Audit Office (ANAO), Committee Hansard, 8 September 2023, p. 42.

[2] ANAO, Submission 5, p. 4.

[3] Department of Prime Minister and Cabinet (DPMC), Louder Than Words: An APS Integrity Action Plan – APS Integrity Taskforce, November 2023, hereafter Louder Than Words, p. 4.

[4] Ms Jo Talbot, Acting Deputy Commissioner, Australian Public Service Commission (APSC), Committee Hansard, 20 November 2023, p. 2.

[5] PS Act, section 10.

[6] Australian Public Service Commission, Values and Code of Conduct in Practice, August 2017, paragraph 1.2.9.

[7] ANAO, Submission 5, p. 6.

[8] Mr Andrew Podger AO, Committee Hansard, 20 November 2023, pages 15–16.

[9] See: ANAO, Probity Management in Financial Regulators — Australian Securities and Investments Commission, No. 36 2022–23, hereafter ASIC report; ANAO, Probity Management in Financial Regulators — Australian Competition and Consumer Commission, No. 38 2022–23, hereafter ACCC report; ANAO, Probity Management in Financial Regulators — Australian Prudential Regulation Authority, No. 30 2022–23, hereafter APRA report.

[10] See: ANAO, ACCC report, pages 8–9.

[11] ANAO, APRA report, p. 9; ANAO, ASIC report, p. 9; ANAO, ACCC report, p. 9.

[12] ANAO, ACCC report, p. 38.

[13] ANAO, APRA report, pages 9, 26–27, 33–36; ANAO, ASIC report, pages 27, 31–33, 35; ANAO, ACCC report, pages 10, 29–30, 38–41.

[14] ANAO, APRA report, pages 86–87.

[15] ANAO, ASIC report, p. 11.

[16] ANAO, ACCC report, pages 61–65.

[17] In February 2022, APRA added a check box to the procurement process where the requestor has to confirm there are no conflicts of interest. ANAO, APRA report, p. 44.

[18] ANAO, APRA report, pages 44, 60.

[19] ANAO, ASIC report, p. 11.

[20] ANAO, ACCC report, pages 91–95.

[21] The ANAO examined the credit card use of the accountable authority, deputy chairs, and chief operating officer. ANAO, APRA report, p. 81.

[22] ANAO, APRA report, p. 81.

[23] The ANAO examined the credit card use of the accountable authority, deputy chairs, and chief operating officer. ANAO, ASIC report, pages 76–77.

[24] ANAO, ASIC report, p. 77.

[25] ANAO, ACCC report, pages 11, 56, 73.

[26] ANAO, APRA report, pages 9–10; ANAO, ASIC report, p. 38; ANAO, ACCC report, p. 48.

[27] ANAO, Artbank report, pages 7–8, 30–31.

[28] Department of Infrastructure, Transport, Regional Development, Communications and the Arts (DITRDCA), Submission 4, p. 2.

[29] DITRDCA, Submission 4.2, p. [1].

[30] DITRDCA, Submission 4.2, p. [1].

[31] DITRDCA, Submission 4.2, p. [1].

[32] DITRDCA, Submission 4.2, pages [1]–[2].

[33] DITRDCA, Submission 4.2, pages [1]–[2].

[34] DITRDCA, Submission 4.2, p. [2].

[35] Australian Public Service Commission (APSC), Integrity Metrics: Resource, Commonwealth of Australia, 2022, hereafter APSC, Integrity Metrics Resource, pages 4–5.

[36] APSC, Integrity Metrics Resource, pages 6–7.

[37] APSC, Integrity Metrics Resource, pages 9–15.

[38] This is a summary of key points.

[39] APSC, Integrity Metrics Resource, pages 9–15.

[40] DITRDCA, Submission 4.2, p. [3].

[41] DITRDCA, Submission 4.2, p. [3].

[42] The ANAO made reference to the reliability of Artbank program data and recordkeeping in the following paragraphs: 3.21, 3.24, 3.41, 3.60, 4.5, 4.6, 4.11–4.13, 4.24, 4.37–4.40, 4.58, 5.6, 5.10, as well as in notes to Table 2.1, and Table 3.2. See: ANAO, Artbank report, footnote 22. See also, for instance: ANAO, Artbank report, paragraphs 10, 3.18, 3.21, 3.23, 3.27, 3.39, 4.41, and notes to figure 4.1.

[43] DITRDCA, Submission 4.2, pages [3]–[4].

[44] ANAO, Artbank report, pages 7–8, 30–31.

[45] ANAO, Administration of the Community Health and Hospitals Program, No. 31 2022–23, hereafter CHHP report, pages 6, 8–9.

[46] Mr Charles Wann, Deputy Secretary, Corporate Operations, Department of Health and Aged Care (Health), Committee Hansard, 8 September 2023, p. 26.

[47] See discussion between Mr Wann and members of the Committee: Committee Hansard, 8 September 2023, pages 23–24.

[48] ANAO, CHHP report, p. 42.

[49] See, for instance: ANAO, CHHP report, pages 44–46, 52.

[50] Health, Submission 7.3, pages [12]–[13], [16].

[51] Health, Submission 7.3, pages [12]–[13].

[52] Health, Submission 7.3, p. [13].

[53] Health, Submission 7.3, p. [13].

[54] Health, Submission 7.3, p. [13].

[55] National Anti-Corruption Commission (NACC), 8 Integrity Principles and Maturity Indicators: Commonwealth Integrity Maturity Framework, undated, p. [2].

[56] NACC, Self-Assessment Guide and Frequently Asked Questions: Commonwealth Integrity Maturity Framework, undated, p. 4.

[57] Health, Submission 7.3, pages [13]–[15].

[58] Health, Submission 7.3, pages [12], [16]–[17].

[59] ANAO, ACCC report, p. 9.

[60] ACCC, Submission 6.2, p. 1.

[61] ACCC, Submission 6.2, p. 1.

[62] ACCC, Submission 6.2, p. 1.

[63] ACCC, Submission 6.2, pages 1–2.

[64] Mr Scott Gregson, Chief Executive Officer, ACCC, Committee Hansard, 8 September 2023, p. 6.

[65] Mr Scott Gregson, ACCC, Committee Hansard, 8 September 2023, p. 6.

[66] ACCC, Submission 6.2, p. 2.

[67] Ms Gina Cass-Gottlieb, Chair, ACCC, Committee Hansard, 8 September 2023, p. 5.

[68] ASIC, Submission 3.1, p. [1].

[69] ASIC, Submission 3.1, pages [1]–[2].

[70] ASIC, Submission 3.1, p. [4].

[71] ASIC, Submission 3.1, p. [4].

[72] APRA, Submission 8.1, p. [1].

[73] APRA, Submission 8.1, p. [1].

[74] APRA, Submission 8.1, p. [2].

[75] Ms Lucinda McCann, General Manager, Legal and General Counsel, APRA, Committee Hansard, 8 September 2023, p. 3.

[76] Ms Lucinda McCann, APRA, Committee Hansard, 8 September 2023, p. 5.