Michelle Page, Senior Executive Director Performance Audit Services Group, delivered a presentation to the Institute of Internal Auditors – Public Sector Assurance Forum on 3 August 2023. The presentation was titled Lessons for promoting integrity in the effective management of probity.


The slidedeck for the presentation can be downloaded at Related documents on this page. The text of the slides is available below.

Presentation text

Lessons for promoting integrity in the effective management of probity

  • What does probity look like in your entity?
  • It starts at the top – creating a culture that supports probity
  • Taking a risk-based approach to target problem areas
  • Inform staff of probity requirements
  • Are internal controls for managing probity risks effective?
  • Promote and check compliance, and follow-up non compliance
  • Keep records to demonstrate probity
  • It is essential that financial regulators uphold high probity standards, to strengthen the legitimacy and integrity of the regulator and support the objectives of the regulatory scheme.
  • Strong governance strengthens the legitimacy and integrity of the regulator, supporting the high-level policy objectives of the regulatory scheme and will lead to better outcomes
  • Probity is the evidence of ethical behaviour, and can be defined as complete and confirmed integrity, uprightness and honesty in a particular process

What does probity look like in your entity?

The specific probity and ethical requirements applying to the personnel of your entity will depend on:

  • what type of entity it is
    • PGPA Act and PGPA Rule: framework for probity and ethical behaviour.
  • the legislation applying to it
    • Public Service Act 1999, including the APS Values and APS Code of Conduct.
    • an entity’s statutory/enabling legislation may set out requirements relating to probity.
  • the government policies and framework applying to it
    • grants administration, government procurement, government advertising, protective security, appearing before the Parliament, engaging with lobbyists, caretaker conventions, risk management and fraud control.
  • the internal policies and frameworks it has put in place.
    • entity may have specific internal frameworks (internal policies and guidance)
  • ASIC, APRA and ACCC all identified risks around personnel trading in financial instruments (eg. shares) when in possession of market-sensitive information. Controls are much tighter than for most public servants:
    • pre-approval required prior to trades and time limited (eg. must be within 3 business days, APRA and ASIC only)
  • Only ASIC had explicitly identified independence as a risk at an entity-level (see Figure 2.1 on regulatory capture)

Figure 2.1: ASIC Regulatory Capture Risk Controls

Figure 2

Source: Based on ASIC documentation — Capture RIsk Presentation from ASIC's Chief Risk Officer.

It starts at the top – creating a culture that supports probity

  • An entity’s accountable authority, and senior leadership team, are to promote the proper use and management of the public resources.
  • ‘Proper’ includes ethical use and management.
  • By extension, this includes promoting the integration of probity into an entity’s operations.


  • Messaging from senior officers can be an important tool to inform staff about probity and to set the tone from the top.
  • specific probity requirements apply to the APS Senior Executive Service employees and/or agency heads (e.g. declaration of interests and gifts and benefits).
  • The accountable authority and other senior leadership of the entity should be informed about the management of probity within an organisation through regular reporting. Examples from the financial regulator audits:
    • ASIC had an Integrity Committee (a sub-committee of its Executive Risk Committee) to oversee its Integrity Framework
    • APRA’s Board receives a variety of reporting on compliance with probity requirements (training and awareness activities, code of conduct, conflict of interest declarations and gifts register). There is also quarterly reporting to APRA’s Audit and Risk Committee.


  • Senior management sets the tone through probity-related messaging (all entities) and the emphasis they place on compliance with requirements:
    • APRA and ASIC had regular reporting to management committees on compliance. ACCC was establishing a compliance framework at the time of audit.
    • APRA and ASIC followed up on identified non-compliance.
  • Non-compliance by a senior manager with gifts and benefits requirements at APRA, and instances of accepting gifts from suppliers and regulated entities led to a recommendation to review policy settings

Taking a risk-based approach to target problem areas

  • Identifying key probity risks and establishing, maintaining and promoting policies, procedures and arrangements to manage those risks
    • Identify and assess probity risks related to your entity. Risks can range from broad (Australian Government wide) to specific (for example industry specific or entity specific). For example, regulatory capture risks and risks on trading in financial instruments are more relevant to the financial regulators.
    • Policies and procedures support an entity to ensure compliance with requirements and to manage probity risks — for example an entity’s procurement policy should be consistent with the Commonwealth Procurement Rules.
  • Clear and comprehensive policies and procedures mean that staff need to apply less discretion in probity matters, which decreases the chances of them engaging in conduct that is, or is perceived to be, inappropriate.
  • Regularly review and update policies and procedures — an enterprise framework for designing and reviewing internal policies can provide a structured approach to ensure that policies and procedures are up to date.


  • Where entities have a sound understanding of its key probity risks they can modulate the controls depending on the level of risk. Example is share trading policies (same as lesson 1).
  • ASIC’s procurement arrangements required greater probity controls for higher risk procurements (eg. procurements that were high value, high profile, high complexity).
  • In ACCC, in some cases arrangements were not tailored to the risks involved. For example, there were five recommendations aimed at strengthening policies, procedures and arrangements, including:
    • Establishing approval requirements for Commissioner share trading
    • PSPF compliance and ensuring need-to-know principle was complied with
    • Positional authority risks for expenses approval
    • Management of gifts, benefits and hospitality

Inform staff of probity requirements

  • The effectiveness of an entity’s arrangements for managing probity risks is dependent on personnel being effectively informed of the requirements with which they are required to comply.
  • Training can be used to inform staff about probity issues and requirements. Each of the financial regulators had training to address the probity risks examined in the audits. Some factors to consider when developing training are:
    • What will be mandatory and what will be optional training?
    • Will there be a requirement to periodically complete the training module (refreshers)?
  • Is training effective in addressing probity risks? How is this assessed?
  • How will compliance with training requirements be monitored?
  • Information about probity issues and requirements should be easily accessible by staff (for example on an entity’s intranet site) and there should also be contact details for specialist staff who can provide guidance and assistance.


  • All three entities had mandatory training that covered probity-related topics.
  • ASIC developed a suite of three modules that needed to be repeated once a year, with results reported to senior management committees.
  • ACCC did not require refresher training and did not have centralised monitoring.

Are internal controls for managing probity risks effective?

  • Information on the effectiveness of internal controls can provide confidence that risks are being effectively controlled or identify when controls are ineffective or absent.
  • A system of internal controls for managing probity risks can be varied and can include items such as a fraud control plan, internal audits and reviews, checking credit card issue and return processes, and training.
  • A framework for monitoring the effectiveness of controls can provide assurance to an entity’s accountable authority that the system of controls is / is not working effectively to manage probity risks.
  • The framework could set out:
    • roles and responsibilities for assessing controls
    • methodology for selecting controls for testing
    • frequency of testing
    • assessment approach (fully effective, partly effective, not effective)
    • reporting arrangements
    • continuous improvement arrangements
  • Internal audit provides an important mechanism for assessing the effectiveness of controls for probity risks.
  • Internal audits teams can provide multiple services including audits, advisory reviews and other products.
  • Internal audits or reviews might be cyclical / periodic or one-off.
  • A monitoring framework includes reviewing the appropriateness of the system of internal control.


  • ASIC had cyclical audits and reviews through which areas of key risks, including probity risks, are subject to audits or reviews on a set frequency.
  • APRA and ASIC had regular reviews of controls outside of the internal audit program, starting with high-risk areas, many of which related to probity.

Promote and check compliance, and follow-up non compliance

  • Entities which have arrangements to support staff to comply with probity requirements are more likely to have better outcomes.
  • Checking compliance with arrangements provides information about probity and provides the basis to respond to instances of non-compliance in a timely and appropriate manner.
  • Probity is best achieved when it is a part of the fabric of an entity — ASIC’s Compliance Policy states ‘compliance is sustained by embedding it in the culture, behaviour and attitude of our staff members, Senior Executives and Commission members’.
  • A documented approach for assessing compliance with probity requirements increases the chance of identifying non-compliance.
  • APRA’s Compliance Management Policy comprised the following:
    • a register of external compliance obligations
    • incident reporting and escalation standards
    • conflicts of interest framework (including for gifts and hospitality)
    • compliance monitoring
    • compliance training
    • compliance reporting and management oversight
    • actions management
  • Each of the three financial regulators had central compliance teams, responsible for delivering compliance frameworks.
  • Probity arrangements are strengthened when they are clear arrangements for following up instances of non-compliance and when consequences are clear.
  • One area that the audits found was lacking was around specifying clear consequences for breaching probity-related policies. The severity of consequences will depend on both the severity of risk and impact.


  • APRA and ASIC had regular compliance reporting to senior management, including relating to compliance with probity requirements.
  • All entities required regular attestations and reporting on their personnel’s interests. ASIC has begun requiring all staff to make an attestation once a year that they have complied with policies such as conflict of interest policy, trading policy, gifts and benefits policy, etc.

Keep records to demonstrate probity

  • Record keeping is a fundamental of public sector administration and records are kept for a variety of purposes. Probity is the evidence of ethical behaviour. In this context, records should be created to provide evidence of probity in processes.
  • There is no one-size fits all approach for record keeping on probity. Record keeping arrangements should be commensurate with the activity.
  • Effective record keeping is best supported by clear guidance and templates.
  • Some factors to consider when designing and implementing record keeping arrangements for probity are as follows:
    • Do record keeping policies and guidance align with Australian Government policies?
    • Are staff aware of their record keeping obligations and are these obligations clear?
    • What information is needed to understand probity risk level? Do the record keeping arrangements collection this information?
    • What information will be needed to assess the effectiveness of internal controls and compliance with probity requirements? Do the record keeping arrangements collection this information?
    • Do records allow performance to be measured?
    • Do the records allow for transparency and accountability — do the records actively demonstrate probity of a process?
    • Poor record keeping is an impediment to the ANAO and other external scrutiny bodies. For an ANAO audit, poor record keeping is likely to lead to a poorer audit outcome.


  • For some procurements, entities did not have records demonstrating that probity requirements were complied with (eg. procurement plan stated that a probity advisor would provide sign-off, but this did not occur).

Audit Insights

  • Quarterly publication
  • Themes
    • Procurement and contract management
    • Cyber security
    • Executive remuneration
    • Reporting meaningful performance information
  • Demonstrate best practise
  • Include examples and links to reports