The NSW Independent Commission Against Corruption has released guidance on handling the corruption risks public sector agencies may face during the COVID-19 pandemic.
ICAC notes that while most employees are trustworthy, fraud and corruption risks can arise during periods of disruption and economic downturn, where agencies “have little choice but to depart from normal levels of control and supervision”, and staff are “being left to their own devices”.
For example, in what seems to sum up Australia’s handling of COVID-19, ICAC has already received a report alleging a public official had stolen toilet paper and hand sanitiser from the workplace and advertised the products for sale online.
The commission recommends agencies consider the following points to address the risks posed by staff working remotely:
- Managers should make occasional telephone or video conference contact with their staff,
- Prohibit staff from allowing family members to use agency hardware and systems and ask staff to refrain from using their home printer for confidential agency documents,
- Remind staff not to use social media to post photographs of their home office or work station,
- Make a record of agency IT equipment and other valuables that staff have borrowed to use from home,
- Establish protocols for using electronic signatures, especially if staff are used to paper forms and giving approval by applying a written signature.
ICAC notes that during the pandemic, agencies may feel pressured to engage in emergency procurement, agree to contract variations, use direct negotiations and other exemptions to competitive procurement processes, pay suppliers quickly, and rely on staff to purchase items using agency-issued credit cards.
These procurement practices could lead to available funds being “diverted to an improper purpose or spent for the sake of consuming the allocated budget”. ICAC recommends agencies consider the following to address procurement risks:
- If an agency needs to perform emergency procurement, involve at least two people in the process, rather than giving one official end-to-end control,
- Emergency procurement carries more risk if the supplier is unknown to the agency or is not a member of an established pre-qualification scheme or contract,
- If aspects of procurement need to take place outside an agency’s online finance system, at least document decisions in an email or contemporaneous file note,
- Suppliers may have to rely on force majeure clauses in contracts. If contracts don’t contain these clauses, agencies should remember forcing suppliers to meet impossible deadlines could encourage dishonest conduct,
- An agency should use existing management accounting reporting and data analytics to identify split invoices/payments, unusual transactions and unusual suppliers.
In regards to COVID-19-related cyber frauds, ICAC suggests agencies:
- Assume that any request to change a supplier’s or employee’s bank account number could be an attempted fraud. Verify the request by phoning the supplier/employee, without using the information contained in a potentially false email,
- Be wary of adding new suppliers to the vendor master file, especially if they are not on a NSW Procurement pre-qualified panel or scheme, or if they have invoiced the agency without being issued a purchase order,
- Challenge suspicious requests for payment, even if it comes from a senior manager or the agency head,
- Don’t pay invoices without performing a three-way match,
- Alert customers to attempts by third parties to impersonate the agency or its staff,
- Remind staff not to open emails, attachments or links from untrustworthy sources.
As some agencies are rolling out programs aimed at stopping the spread of the COVID-19 virus, ICAC suggests also considering the following:
- If contracts have to be awarded quickly, agencies should still ensure that contractors understand and conform to public sector ethical obligations,
- Avoid giving a single official end-to-end control of a process,
- Articulate clear responsibilities and lines of communication, as corruption can thrive if staff don’t understand the plan and can’t be made accountable for their actions,
- Don’t allow exigent circumstances to be used as an excuse for subduing robust debate and frank advice,
- It might be necessary to seek advice from subject matter experts, as some public officials might find delivering programs or services in a compressed timeframe uncomfortable,
- Fast delivery of new services can lead to major departures from normal risk tolerances. If unable to conduct a risk assessment at the start of a program, management should still encourage staff to report any obstacles and workarounds as they arise,
- Rapid delivery could mean that issues such as regulatory compliance, due diligence and audit are neglected. While it may be necessary to consider these issues at a later point in time, they should not be forgotten altogether,
- Project managers should appoint a minute taker or otherwise document key decisions, especially following meetings that are held via telephone or video conference,
- Hasty programs may entail hasty recruitment, which could prevent agencies from completing employment screening procedures before staff commence. They should complete employment screening as soon as possible after commencement.