Skip to content

Trusted Since 1888

Trusted Since 1888

ADVERTISE Subscribe

Hawkesbury Council Fraud Policy?

The Right Intent, the Wrong Benchmark

ANALYSIS

The discussion around Hawkesbury City Council’s draft Fraud and Corruption Control Policy has generated important debate about integrity, transparency and accountability among Ratepayers in the LGA. But some of that debate may have missed the forest for the trees.

The Gazette’s earlier analysis raised legitimate questions about independent reporting pathways, allegations involving senior office holders, and whether the policy could withstand worst case governance scenarios. Those questions remain worth asking.

However, there is a more constructive way to frame this discussion, one that gives Council a practical path forward without requiring anyone to claim the earlier concerns were wrong.

The Real Issue: A Superseded Standard

Imagine buying a brand-new computer with an antivirus software built in 2008. It might still detect some old viruses, but it would be poorly equipped for today’s ransomware, phishing attacks, identity compromise, payment redirection fraud and coordinated attempts to bypass detection. That is the problem with relying on a 2008 fraud control benchmark.

Council’s marked-up draft policy before Council on 12 May 2026 still lists AS 8001:2008, the previous Australian Standard for fraud and corruption control. That standard was published almost 18 years ago.

Council’s policy is fit for an earlier risk environment. But nature of fraud and corruption risks have changed. They can now involve insiders, external actors, digital systems, compromised credentials, false documentation, supplier impersonation, information misuse and coordinated schemes that exploit gaps between governance, technology and human decision-making.

A modern council needs a system that can detect, test, escalate and respond to the risks that exist now.

The new AS 8001:2021 superseded the 2008 version and is considered the benchmark for how organisations should mitigate fraud and corruption risks.
The Gazette is not demanding that Council should fully conform with the 2021 standard immediately without a proper gap assessment, implementation plan and review of related systems.The question before ratepayers is this:

Can a council operate with an Australian Standard from 2008, divorced from the current risk environment in 2026? Should Council have acknowledged the current standard and explained how its framework will be progressively aligned with it?

A review of publicly available council documents shows several NSW councils, including Penrith, Campbelltown, Upper Hunter and Queanbeyan-Palerang, have moved to AS 8001:2021 in their fraud and corruption policies or plans.
The question for Hawkesbury is why its draft policy remains anchored to the superseded 2008 standard without explaining whether a transition to AS 8001:2021 is planned.

What the 2021 Standard Actually Changes

To understand why this matters, ratepayers should know what actually changed when the standard was updated.

• Old Fraud Control Plans are replaced with a Fraud and Corruption Control System, a more robust, documented system rather than a plan that can sit on a shelf.
• Cyber risks are now explicitly included, whereas the 2008 version was heavily focused on internal activities; the revised standard recognises the significant rise of external threats.
• Definitions of fraud and corruption are updated to encompass the full scope of harmful behaviours, not just breaches of criminal law.
• Whistleblower protections are expanded with new guidance and requirements.
• Governing bodies and top management are required to play a critical role in improving fraud culture.
• Pressure testing of internal controls, such as submitting false invoices to test whether the system identifies anomalies, is now required.

Even the definition of fraud needs an upgrade. Hawkesbury’s draft frames fraud narrowly, around deliberate deception used to “gain advantage from a position of trust.”

The 2021 standard, adopted by forward looking councils, is broader: dishonest activity causing actual or potential gain or loss, by people inside or outside the organisation. The modern definition is to catch conduct the older one can miss.

These changes represent a fundamental shift in how organisations are expected to approach fraud and corruption control. It may be possible that Council has met some of the standards but has not articulated these adequately. This is why it is important the Gazette demonstrates that councillors and ratepayers should pay attention to this.

The Independence Question: A Genuine Concern

But the standard itself is not the only issue. The Gazette's question about who investigates allegations against the Mayor or General Manager is a fair one, and it deserves to be examined on its own merits.

Under the draft policy, allegations involving the General Manager would be dealt with by the Mayor, while allegations involving the Mayor would be referred to the Office of Local Government.

While the escalation pathway is the right one, critics argue this arrangement may not provide sufficient independence in situations involving senior decision makers, politically sensitive matters or conflicts of interest.

The concern is not that any particular individual has acted improperly. Rather, it is whether the policy itself contains adequate safeguards to ensure investigations are perceived as independent and free from influence.

Modern integrity frameworks increasingly emphasise independent reporting channels, external oversight and protections for whistleblowers. The draft policy does not clearly establish an independent internal reporting officer or external integrity adviser capable of receiving complaints involving senior executives or elected officials.

This is precisely the kind of gap that the AS 8001:2021 framework, with its emphasis on independent governance structures and clear reporting pathways, is designed to address.

The Due Diligence Issue

A related concern, and one that flows directly from the independence question, is the absence of a documented triage system.

Council needs a documented triage system before referral, especially where the subject is a councillor or where political or administrative conflict is alleged.
That triage system should be informed by public-sector fairness standards, including the principles that sit behind model litigant conduct: proper purpose, proportionality, consistency, fairness, evidence-based decision-making and avoidance of unnecessary escalation.

A fraud referral can trigger criminal investigation, reputational harm, legal costs, political consequences and public suspicion. For that reason, Council should not move directly from an expense dispute or policy question to an external fraud referral without documenting why lesser or alternative pathways were not appropriate.

The triage process should distinguish between administrative error, incomplete documentation, policy non-compliance, recoverable expense issues, Code of Conduct concerns, suspected corrupt conduct and suspected criminal fraud.
Where the matter involves a councillor, the Mayor, Deputy Mayor, the General Manager, a senior officer or politically sensitive circumstances, the triage should be undertaken or reviewed independently. No person with an actual, perceived or potential conflict of interest should control, influence or determine the referral pathway.

Without that safeguard, the same system can appear too weak in one case and too aggressive in another. A modern fraud and corruption control policy should be capable of showing why one matter was treated as an administrative issue, another as a Code of Conduct matter, another as suspected corrupt conduct, and another as a matter requiring referral to police or an integrity agency.

The Redaction Question: A Matter of Balance

A third area of concern, one that has drawn significant public attention, is the question of redaction and transparency.

The Gazette had previously raised concerns about over redaction and excessive confidentiality, citing the sewer report matter where Council refused to release a report into why Rising Main C took so long to repair.

The reported context involved a major sewer pipeline failure, emergency cartage costs, a failed legal case and significant financial consequences for residents.
Section 10A(2)(a) of the Local Government Act 1993 " allows a council to close a door to protect a person's privacy; it was never intended to be used as a blanket shield to bury the financial audit of a broken pipe.

Redaction has a legitimate place. Councils need to protect personal information, legal professional privilege, commercial in confidence material and genuinely confidential personnel matters.

But where major decisions involve public money, critical infrastructure or significant financial consequences, the public should be able to understand the basis on which decisions were made.

The question is therefore not whether every confidential report must be released in full. The question is whether Council considers releasing redacted versions, public summaries, findings only versions, or versions with names and personnel material placed in a confidential appendix.

A Constructive Path Forward

Taken together, these issues do not mean the draft policy is fundamentally flawed. It clearly states Council's commitment to preventing, deterring, detecting and investigating fraud and corruption. It references the ICAC's Operation Ricco recommendations. It establishes pathways to external agencies including ICAC, the NSW Ombudsman and the Auditor-General.

The question is whether the policy creates a modern, independent and transparent control system capable of dealing with difficult cases: allegations involving senior office holders, politically sensitive matters, cyber enabled fraud, conflicted reporting lines and major decisions involving public money. Before this policy is adopted, Council could reasonably be asked:

  1. Why does the draft policy cite AS 8001:2008 rather than AS 8001:2021? Was advice sought on the use of the superseded standard?
  2. Has Council completed a gap assessment against AS 8001:2021? Does it intend to claim conformance or only be guided by it?
  3. How does the framework address cyber enabled fraud, whistleblower protection and digital evidence? These are explicit requirements of the 2021 standard.
  4. What independent pathway applies if allegations involve the Mayor, councillors, the General Manager or a group of senior decision makers? How are conflicts removed from the reporting, referral and investigation chain?
  5. Where reports contain confidential information, can Council consider releasing redacted versions or public summaries rather than withholding entire reports?

The Bottom Line

The Gazette's earlier analysis was right to raise these questions. They are legitimate governance concerns that deserve answers.

But the debate can be more constructive than simply pointing out gaps. The real issue is whether Council is using the current fraud and corruption control benchmark, AS 8001:2021, or relying on a superseded standard without explaining why.

The Gazette does not make a claim that every operational detail must appear in the policy itself. It is an invitation for Council to acknowledge the current standard and explain how its framework will be progressively aligned with it.

For a council responsible for public money, procurement, planning decisions, regulatory functions and public trust, getting the policy right is a central governance issue. The discussion should be about how to get there, not about who was right or wrong along the way.

So, the final question for every resident of Hawkesbury is this: should the Council rely on an outdated standard, or should it acknowledge the current standard and commit to aligning with it?

Comments

Latest