Investigation into Melton City Council’s engagement of IT company, MK Datanet Pty Ltd

Date posted:

Download report

PDF - 2MB

Download report

Letter to the Legislative Council and the Legislative Assembly

To

The Honourable the President of the Legislative Council

and

The Honourable the Speaker of the Legislative Assembly

Pursuant to sections 25 and 25AA of the Ombudsman Act 1973 (Vic), I present to Parliament my Investigation into Melton City Council’s engagement of IT company, MK Datanet Pty Ltd.
.

Deborah Glass signature

Deborah Glass OBE
Ombudsman

9 June 2021

Foreword

When you’re in a Company and you see some opportunity, yes, I accept that yes, I did that. But yeah, the intention initially was not to do that.

Subject of investigation in interview with Ombudsman

I table this report as a cautionary tale for local councils and other busy public sector agencies.

The subject of this investigation was a well- paid, senior member of the IT staff of a busy metropolitan local council for over two years. While there, he was able to direct over a million dollars of IT work to one of his own companies, using other companies he controlled to provide additional, unfavourable, quotes to give the appearance that procurement rules had been satisfied.

Mr M, as we have called him, never declared any conflicts of interest in these processes, including when prompted by a form. His company became the successful tenderer for a major contract despite not meeting at least one of the mandatory requirements. The tender attached an OHS policy copied from another industry containing plainly irrelevant references to activities such as ‘mustering’ and ‘windmill maintenance’.

Clearly, no-one checked.

The sham was so childlike at times, Mr M even sent responses for quotes to himself under the guise of fake identities. He helped prepare the tender that he subsequently evaluated.

The charade that he was not connected with the company was maintained to the end – when the company thanked him for working with them and asked for a reference.

He told us he saw these matters as ‘just a formality’; he did not take signing the forms seriously, and he did not at the time think he was doing anything wrong.

His multiple breaches of Council policies went undetected at the expense of ratepayers’ money. It is staggering that proper checks and balances were not followed and that he was able to deceive the Council for as long as he did.

How could this happen in a modern, apparently well-run agency?

First, he was engaged by the Council through several layers of contractual arrangements, which helped to mask his associations. As a contractor, he did not receive the same induction as council employees.

Second, there was a lack of effective oversight. His various supervisors had limited oversight of his work, in part no doubt due to the technical nature of his role, and left him to get on with things. Oversight was also limited by the lack of specificity in the contract: one told us at interview that after trying to gain an understanding of ‘what the actual work was’, he ‘couldn’t make heads or tails’ of it

Finally, there was a worrying lack of due diligence in the tender and procurement processes. The subject controlled the tender process for a major contract. No reference checks were conducted on any of the three tenderers. In other procurement processes, company register checks would have revealed that the three registered directors and shareholders of the two unsuccessful companies who provided quotes had the same address, which happened to be a one- bedroom residential apartment where the person requesting the tender was living.

It is staggering that proper checks and balances were not followed and that he was able to deceive the Council for as long as he did.

This was not a one-off failing. We found procurement requirements not being adhered to for many engagements, with only single quotes obtained in cases requiring multiple quotes under Council policies. We found work split across multiple different engagements even though in some instances, multiple jobs seemingly related to one piece of work.

The inevitable conclusion of this investigation is that the subject knowingly misused his position at the Council to obtain a significant private benefit of about $1.6 million. Lax oversight allowed him to manipulate council processes for almost two years.

Other councils and agencies, be warned. Making these mistakes not only exposes you to huge and avoidable risk, you might also become the Ombudsman’s next headline.

Deborah Glass

Ombudsman

The investigation

  1. This investigation concerns Mr M, a former Melton City Council (‘the Council’) officer and the Council’s engagement of an information technology company, MK Datanet Pty Ltd (‘MK Datanet’).

The public interest complaint

  1. In December 2019, the Independent Broad-based Anti-corruption Commission (‘IBAC’) referred to the Ombudsman a ‘protected disclosure complaint’ (now a ‘public interest complaint’) under the Protected Disclosure Act 2012 (Vic) (now the Public Interest Disclosures Act 2012 (Vic)). The complaint alleged improper conduct, namely:
  • Melton City Council officer, Mr M failed to declare a conflict of interest with MK Datanet
  • since 2018, the Council continued to use and pay MK Datanet, despite it not performing or providing services under its contract.
  1. Following enquiries with the Council, the Ombudsman decided an investigation was warranted.

Jurisdiction

  1. On 15 January 2020 and pursuant to her remit under the Ombudsman Act 1973 (Vic), the Ombudsman notified the Minister for Local Government, the Mayor and Chief Executive Officer (‘CEO’) of the Council and the discloser of her intention to investigate the allegations.
  2. The investigation was conducted under section 15C of the Ombudsman Act, which at the time, provided that the Ombudsman must conduct an investigation on a protected disclosure complaint about conduct ‘by or in an authority or a protected disclosure entity’, subject to certain exceptions.
  3. The Council is an ‘authority’ for the purposes of the Ombudsman Act, and Mr M’s actions occurred in the Council at the relevant time.

How we investigated

  1. The investigation involved:
  • reviewing Council documents, including procurement documentation, contracts, invoices, payment information from the Council’s finance system, and relevant policies and procedures
  • analysing records from Mr M’s Council email account
  • reviewing documents retrieved from Mr M’s Council computer
  • undertaking company and director searches of the Australian Securities and Investments Commission’s (‘ASIC’) registers in relation to Mr M, MK Datanet and other relevant individuals and companies
  • searching publicly available information regarding Mr M, MK Datanet and other relevant individuals and companies
  • reviewing statements of bank accounts held by MK Datanet and Mr M, obtained by summons
  • conducting ‘voluntary’ interviews of four people:
    • the discloser
    • Council’s IT Manager
    • Council’s former Enterprise Application Coordinator
    • Council’s Business Transformation Coordinator
  • conducting two ‘compulsory’ interviews under oath or affirmation of Mr M and the former listed director of MK Datanet, who is referred to as ‘Ms J’ in this report
  • telephone conversations with other relevant Council staff
  • providing a draft report of the investigation for response to Mr M and Ms J on 26 October 2020
  • providing a draft report to the Council on 10 December 2020
  • providing a revised draft report to Mr M on 16 March 2021 for final response.
  1. The investigation acknowledges and appreciates the Council’s cooperation during the investigation.
  2. The investigation has been guided by the civil standard of proof, the balance of probabilities, in determining the facts of the investigation – taking into consideration the nature and seriousness of the allegations made, the quality of the evidence and the gravity of the consequences that may result from any adverse opinion.

Some statistics from the report

  • Mr M was paid $840 per day
  • 6 witnessess interviewed
  • 5 summons
  • $1.3m contract to MK Datanet
  • 21 months of improper conduct
  • Ombudsman conducted a year long investigation into Mr M

    Privacy and procedural fairness

    1. This report includes adverse comments about Mr M, Ms J and the Council. In accordance with section 25A(2) of the Ombudsman Act, the investigation has provided these parties with a reasonable opportunity to respond to the material in the report and fairly sets out their responses.
    2. In accordance with section 25A(3) of the Ombudsman Act, any other persons who are or may be identifiable from the information in this report are not the subject of any adverse comment or opinion. They are named or identified in the report as the Ombudsman is satisfied that:
    • it is necessary or desirable to do so in the public interest, and
    • identifying those persons will not cause unreasonable damage to those persons’ reputation, safety or well- being.

    About the Council

    1. Melton City Council is one of the 79 local council areas in Victoria, located 19 kilometres west of Melbourne. The Council’s main office is in the suburb of Melton.
    2. As at 30 June 2020, the area had a population of 173,072. According to the Council’s 2019-20 Annual Report, the City of Melton is one of Australia’s fastest growing municipalities.

    The Council’s business transformation program

    1. In 2017-18, the Council commenced a four- year business transformation program, made up of multiple projects centred on ‘modernising’ IT platforms and ‘becoming more productive as an organisation through [the] use of technology’.
    2. The program was initiated in response to problems the Council identified with its IT systems, including missing functionality, limited integration, excessive duplication and inefficient reporting.

    Mr M

    Role at the Council

    1. Mr M commenced his contract at Melton City Council on 15 May 2017 in the role of ‘Technology Architect’. His position was within a team tasked with designing the business transformation program and establishing its ‘underlying technical strategy’.
    2. He was engaged through a recruitment agency (‘the recruitment agency’), via the Council’s brokerage firm for temporary staff.
    3. After several contract extensions, Mr M finished at the Council on 29 November 2019, for reasons unrelated to this investigation.
    4. Mr M was paid $840 per day while working at the Council, meaning he was paid a total of $473,760 from May 2017 to November 2019.
    5. Mr M reported to the Council’s Enterprise Application Coordinator, a position which was held by four different people during his time at the Council.

    MK Datanet

    1. MK Datanet was registered as a company on 11 April 2013. On its website, MK Datanet describes itself as a ‘leading specialist full- cycle digital transformation consultancy’, stating:
    Our core team consists of niche experts in IT strategy, enterprise solution architecture, integration solutions and implementation of digital self-service initiatives ensuring top quality delivery of your IT strategic objectives and technical outcomes.
    1. On 12 November 2018, the Council awarded MK Datanet a three-year contract to provide about $1.3 million in IT services, with the contract commencing on 1 December 2018.
    2. Ms J was the sole registered director, secretary and shareholder of MK Datanet between 19 September 2014 and November 2020.
    3. While Ms J ceased her directorship in November 2020, she retained the role of secretary and a 10% shareholding in the Company. Mr M is now the sole director of MK Datanet and holds 50% of the shares. The remaining shares have been transferred to a third party.
    4. ASIC records show that the process for making these changes to the officeholding and directorship of MK Datanet commenced in late August 2020, about two weeks after Mr M and Ms J were interviewed by the investigation.

    Relevant policies, procedures and legislation – conflict of interest and procurement

    Code of conduct

    1. The Council’s relevant Employee Code of Conduct (September 2014) (‘Code of Conduct’) establishes the Council’s expectations of staff behaviour and states that it is binding on all employees, contractors and volunteers.
    2. The Code of Conduct provides that an employee has a conflict of interest when they have a private investment or connection to a matter under consideration which might compromise their ability to act in the public interest. It also states that it is the responsibility of individual staff members to identify and disclose conflicts of interest to their manager or an appropriate Council officer, and then step aside from the process in which they have the private interest.

    Local Government Act 1989 (Vic)

    1. The Local Government Act 1989 (Vic) (in operation at the time of the events described in this report) 1 also contained requirements in relation to conflict of interest.
    2. This included section 80C of the Act, which stated that where council staff or contractors who provided advice or a report to a Council meeting had a conflict of interest, they were required to disclose the type of interest when providing the advice or report, and before the advice or report was considered by the Council. A penalty of 60 penalty units applied for breach of this provision.

    Procurement Policy and Purchasing Procedures Manual

    1. At the relevant time, the Council’s Procurement Policy (‘the Procurement Policy’) 2 and Purchasing Procedures Manual (‘the Manual’) 3 set out the Council’s expectations and requirements for purchasing goods and services. The Procurement Policy and Manual applied to all Council staff involved in purchasing activities, including temporary employees, contractors and consultants.
    2. The Procurement Policy outlined ‘principles’ for procurement, including:
    • Procurement processes will be conducted in a fair, honest and open manner, with the highest levels of integrity.
    • Council officers will treat suppliers without bias.
    • Suppliers will have access to the same information when quoting or tendering for Council business.
    1. The Manual contained similar provisions, which emphasised fairness to suppliers and the obligation on individuals to identify and promptly declare conflicts. It also set out the processes for purchasing goods or services, depending on value, which included:
    • obtaining a minimum of:
      • one quote for purchases up to $2,500
      • three written quotes for purchases between $2,501 and $10,000
    • a formal request for quote for purchases between $10,001 and
      $135,000, with a minimum of three written quotes obtained
    • a tender process for purchases over $135,001, with Council approval required prior to expenditure (based on the requirements of section 186 of the Local Government Act 1989).
    1. The Manual outlined the requirements for tender processes, including:
    • Tender documents should ‘clearly specify the requirements for the work and indicate the criteria for evaluation’.
    • Tender documents must include the invitation to tender and tender schedules; a copy of the proposed contract; and specification for the work required which ‘clearly details the project objectives and requirements’.
    • A tender evaluation panel must be established prior to the close of the tender period, consisting of no less than three members, one of whom should be independent from the business unit undertaking the tender process.
    • All panel members must ‘fully understand the tender process and Council’s requirements relating to probity and conflict of interest’ and must disclose any potential and stability to comply with the requirements of the contract’.
    • The panel must maintain an ‘evaluation plan’ which, at a minimum, must contain the tender schedules; the evaluation and scoring criteria; the evaluation process; and the names and positions of panel members ‘signed and dated’.
    • ‘Due diligence’ of the preferred tenderer(s) must be undertaken where the contract value exceeds $135,000, to ensure they ‘have the capacity conflicts prior to assessing the tender submissions.
    1. The Manual also outlines the process for raising a purchase order, which must be issued to a contractor or supplier prior to requesting payment for goods or services. The Manual states that a purchase order must ‘clearly state the description, quantity, price and delivery requirements’ and:
      Purchase Orders cannot be split or issued in a way to specifically by-pass the expenditure authority levels. Any evidence of Purchase Order splitting is to be recorded and reported to the Finance Manager. [emphasis in original]

    Figure 1: Chronology of key events

    15 March 2007Datatech Consulting Pty Ltd (‘Datatech Consulting’) established, with Mr M as director and secretary
    March 2013Ms J registered as a co-director of Datatech Consulting
    11 April 2013MK Dataset registered as a company
    June 2013Ms J ceases to be a director of Datatech Consulting
    19 September 2014Ms J becomes sole registered director and shareholder of MK Datanet
    November 2014Liquidation of Datatech Consulting commences
    25 May 2015Mr M and Ms J execute ‘Deed of Agreement’, giving Mr M ownership and control of MK Datanet
    April 2017Datatech Consulting deregistered as company
    2017 - 2018The Council starts its four- year business transformation program
    15 May 2017Mr M commences with the Council as Technology Architect, to work on the business transformation plan
    9 February 2018In his role as Technology Architect, Mr M sends a request for quote for a Council job to:
    • MK Datanet
    • Softech Australia Pty Ltd (‘Softech Australia')
    • Datafusion Technology Pty Ltd ('Datafusion Technology')
    • IT Company A
    • three other companies
    13 February 2018 -
    5:37 PM
    Mr M receives response to request for quote from IT Company A
    13 February 2018 -
    10:02 PM
    Mr M sends email to Ms J telling her the rates MK Datanet should quote for the Council job
    15 February 2018Ms J sends MK Datanet’s response to the request for quote to Mr M at his Council email address, quoting the rates he provided to her two days earlier
    26 March 2018Datafusion Technology registered as a company
    9 April 2018In his role as Technology Architect, Mr M sends a request for quote for another Council job to three companies:
    • MK Datanet
    • Datafusion Technology
    • Softech Australia
    10 April 2018
    8:52 AM
    MK Datanet responds to the request for quote
    10 April 2018
    9:57 AM
    Mr M responds to the request for quote on behalf of Datafusion Technology, emailing his own Council email address under the fake identity of ‘Ayla Tran, Account Manage'
    10 April 2018
    10:01 AM
    Mr M responds to the request for quote on behalf of Softech Australia, emailing his own Council email address under the fake identity of ‘Lucy Wu, Senior Sales Manager’
    11 April 2018Softech Australia registered as a company
    29 September 2018The Council seeks tenders for the $1.3 million IT contract Mr M manages the tender process
    October 2018Mr M helps Ms J prepare MK Datanet tender submission for the Council
    October 2018The Council receives tender submissions for the $1.3 million contract from three companies:
    • MK Datanet
    • IT Company B
    • IT Company C
    12 November 2018The Council awards the $1.3 million contract to MK Datanet, upon recommendation of tender panel led by Mr M
    1 December 2018The Council’s $1.3m contract with MK Datanet commences
    29 November 2019Mr M leaves Technology Architect role at Council
    February 2020Mulesoft completes initial review of MK Datanet’s work
    24 August 2020Mr M becomes sole registered director of MK Datanet
    26 August 2020Mr M becomes sole registered shareholder and office holder in Datafusion Technology
    October 2020Softech Australia is deregistered as company
    25 November 2020Ms J ceases to be a director of MK Datanet

    Allegation 1: Mr M failed to declare a conflict of interest with MK Datanet

    1. The public interest complaint alleged that Mr M had an association with MK Datanet and that he failed to declare a conflict of interest when engaging MK Datanet for work at the Council. The complaint further said that Mr M misused his position at the Council in developing and evaluating a tender for ‘million-dollar contracts’ which ultimately went to MK Datanet.
    2. This allegation against Mr M was substantiated by the investigation. The evidence relating to Mr M’s relationship with MK Datanet and his role in the Council’s engagement of MK Datanet is detailed below.

    Mr M’s association with MK Datanet

    1. Early evidence obtained by the investigation showed that Mr M was directly involved in the procurement of MK Datanet’s services in his role as Technology Architect at the Council. The investigation went on to examine whether Mr M had any private associations or relationships with the company which created a conflict for him in that role.
    2. The investigation obtained a range of documents indicating links between Mr M and MK Datanet. This evidence suggested:
    • a lengthy professional association between Mr M and MK Datanet’s registered director, Ms J
    • Mr M had been working as a contractor through MK Datanet
    • Mr M in fact owned and controlled MK Datanet, despite not being listed as a director, officer or shareholder in the company at the time.
    1. Ultimately, the witness evidence at interview confirmed these associations. Details of this evidence are set out below.

    Relationship with MK Datanet director Ms J

    1. ASIC records showed that Mr M and Ms J had both previously been involved in a company called Datatech Consulting Pty Ltd (‘Datatech Consulting’). Datatech Consulting was registered as a company on 15 March 2007, at which time Mr M was the sole director and shareholder. Ms J was later listed as a co-director for a brief period in early 2013, showing Mr M knew her prior to his role at the Council.
    2. Ms J said at interview that she first met Mr M ‘more than 10 years [ago]’ and that they had a ‘professional relationship’.
    3. When asked why she was briefly listed as a director of Datatech Consulting along with another person in early 2013, Ms J said she didn’t remember the specifics, but recalls an ‘international opportunity for … something to do with IT’.
    4. Mr M’s evidence at interview was consistent with this, stating that there was a ‘global CRM [customer relationship management] project’ based in the United Kingdom, Singapore, Australia and Dubai, which they wanted to bid for and ‘basically nearly got’. He said that ‘Ms J came in because she wanted to manage it from Singapore’. He stated that Ms J and another individual were ‘non-beneficiary partners’ and that he was the only ‘beneficiary partner’.
    5. Datatech Consulting became insolvent in November 2014 and was deregistered in April 2017. Mr M said at interview that Datatech Consulting was liquidated as part of his divorce.

    Work as a contractor through MK Datanet

    1. Mr M said at interview that he had worked as a contractor through MK Datanet, including during his time at the Council. This was consistent with other evidence obtained during the investigation, including copies of contractor renewal forms and invoices from 2017 to 2019 retrieved from Mr M’s Council computer.
    2. These forms showed that Mr M was in fact placed in his role at the Council through MK Datanet, via several layers of contractual arrangements.
    3. However, even though Mr M’s contractor renewal forms and invoices stated he was engaged through MK Datanet, the Council was unaware of this because of the involvement of the Council’s brokerage firm for temporary staff and the recruitment agency in his engagement. The investigation did not obtain any evidence that the Council had ever been provided documents showing that Mr M was being supplied through MK Datanet.

    Figure 2: Mr M’s contractual arrangement with the Council

    Figure 2 Mr M’s contractual arrangement with
    Source: Victorian Ombudsman
    1. At interview, Mr M said that he did not keep it a ‘secret’ that he was working for MK Datanet when he started at the Council.
    2. In response to a draft report, Mr M stated he initially reported to Council’s Coordinator Business Engagement and informed her he was ‘the CEO’ of MK Datanet within a month of starting at the Council. He said he advised her of this when requesting MK Datanet be engaged as a preferred supplier for the Council through the Council’s brokerage firm for temporary staff.
    3. During a telephone call on 24 November 2020, the investigation asked the Coordinator Business Engagement for her recollection of these events. She said Mr M’s account was ‘… totally incorrect’ and that ‘at no point in time’ had he reported to her. She also expressed surprise regarding the relationship between MK Datanet and Mr M, stating that she had ‘no idea’.
    4. In response to a draft report, Mr M also stated he did not subsequently advise his new manager, Council’s former Enterprise Application Coordinator, of his association with MK Datanet because he assumed his manager would have been aware of this following a handover from the Coordinator Business Engagement.
    5. Mr M further claimed in his response that it was MK Datanet’s treatment as a preferred supplier by his manager, Council’s former Enterprise Application Coordinator and his subsequent manager, Council’s Application Support Coordinator that made him believe they were aware of his association with MK Datanet. He did however also acknowledge that he made a mistake by failing to raise his association with MK Datanet with them directly, noting that his conflict of interest could have been appropriately managed had he done so.

    Concealed ownership and control of MK Datanet

    1. In addition to working as a contractor through MK Datanet, the investigation obtained evidence indicating that Mr M in fact owned MK Datanet and had taken deliberate steps to conceal his ownership and control of the company.
    2. This evidence included a ‘Deed of Agreement’ between Mr M and Ms J, retrieved from Mr M’s Council computer.
    3. Among other things, the agreement stated that Mr M had ‘paid or provided the whole of the purchase monies’ for the shares of MK Datanet, and Ms J had agreed to hold ‘the Shares and all rights pertaining to the Shares and all income and proceeds of the Shares upon trust’ for Mr M ‘absolutely’.
    4. Ms J agreed she would, ‘if and when called upon’ by Mr M effect a transfer of the Shares’ to Mr M and ‘resign as an officer’ of MK Datanet.
    5. The version of the agreement retrieved from Mr M’s computer was unsigned and undated. However, a 2019 deed of variation, also found on Mr M’s Council computer, confirmed the original deed had been executed in May 2015.
    6. The 2019 deed of variation outlined a number of changes to the original deed, including:
    • Mr M had ‘gifted’ 12 out of the 120 shares to Ms J, meaning she now held these 12 shares ‘in her own right’. Ms J continued to hold the remaining 108 shares ‘on trust’ for Mr M.
    • ‘In consideration of [Ms J]’s obligations to run and manage the affairs of the Company’, they had agreed that ‘with any distribution of profits and or the payment of dividends’, Ms J would ‘over and above her entitlements to profits and dividends in accordance with her shareholding receive a further ten (10) per cent of the profits and or dividends’.
    • The parties acknowledged that ‘in addition to its day to day business, the company had agreed to act as a trustee of the ‘[Mr M] Family Trust’. Ms J agreed and acknowledged she had ‘no beneficial interest whatsoever in any trust of the property of the [Mr M] Family Trust’.

    Otherevidence indicatingMr M’sownership and control of MK Datanet

    1. In addition to the deeds mentioned above, the investigation obtained a range of other documents from Mr M’s Council computer, which further suggested his involvement in the company. These included:
      • MK Datanet’s 2016-17 and 2017-18 profit and loss statements and balance sheets
      • MK Datanet’s 2017-18 completed company tax return form
      • a rental agreement for a property in the name of MK Datanet
      • a landlord instruction form for the above property, which listed the landlord as MK Datanet, with Mr M’s mobile phone number and email address
      • copies of blank MK Datanet Director and Company Secretary resignation forms
      • a share transfer form for the transfer of MK Datanet’s shares from Mr M to Ms J.

    Ms J’s evidence regarding MK Datanet ownership

    1. At interview on 6 August 2020, Ms J asserted that she owned MK Datanet and that Mr M did not have any ownership in the company.
    2. She described purchasing the company from its previous owners, saying she did so because she ‘understood it was better to have something with a bit of a track record’:
    Essentially, the entity MK Datanet, was something that was basically no longer being used, and it was going to shut. And so, that came up as an option for me to use that, rather than create something all over again, from scratch.
    1. Ms J said that she currently ‘runs the business’ and that her role included managing staff, doing payroll, bookkeeping, managing clients and customers and going to events.
    2. When asked whether Mr M had any involvement in MK Datanet, Ms J described him as a ‘technical asset’; someone she goes to for advice about technical matters, stating he also contracted through MK Datanet previously.
    3. Investigators directly asked Ms J whether Mr M had any ownership of MK Datanet, to which she replied ‘no, [Mr M] doesn’t have ownership in the company’.
    4. Ms J was shown a copy of the original 2015 deed of agreement with Mr M, as well as the subsequent 2019 deed of variation, and asked to explain them. She said:
    Okay. Well, this document is not signed, though … This is not something that is in effect … So … I do not report to [Mr M].
    1. Ms J confirmed she signed the 2015 deed and that it was ‘in effect at that time’, but that the deed of variation was the ‘transitioning of the company essentially’.
    2. Ms J also said that Mr M had obtained the funding for the company for her through an overseas ‘contact’ and that the deed was drawn up as a ‘form of security’. She said that the money did not come direct to her from his contact because there was a ‘better arrangement of trust’ between Mr M and his contact.
    3. She also said that ‘on the front, on paper, when I present, I own the company, but the funds and everything, comes from someone else, so that’s not really my money’.
    4. Although initially asserting that she did not ‘report’ to Mr M, Ms J later conceded at interview that he indirectly ‘controlled’ the company because ‘the resources came through him, through his contact’.
    5. The day after her interview, Ms J contacted the investigation stating that she had had ‘more time to ponder’ and ‘wasn’t really prepared’ at the interview. She said:
    What I wanted to do … is basically let you know that, okay so we talked about the first deed … yes, you’re right, it is what it says it is. It [MK Datanet] was … basically being controlled by [Mr M], that was basically his ownership over it. I was there to do … administration, bookkeeping, all that kind of stuff.

    Mr M’s evidence regarding MK Datanet ownership

    1. At his interview, Mr M admitted that he owned and controlled MK Datanet;
      however, he was not initially forthcoming about why he had concealed his ownership. He said:
    I have got involvement in the company. I’m working in different projects with them. … So, technology, basically, I work with them. So, they have partnerships, I use their partnerships, and we [are] building a product together.
    1. When asked about MK Datanet’s ownership, Mr M said Ms J was the director of the company, but that they had an ‘agreement’ between them. When asked to elaborate on this, he said ‘well, we have an agreement … yeah, I have got ownership in the company’.
    2. Investigators showed Mr M a copy of the deed of agreement and asked him to explain it. Initially, his evidence about the purpose of the deed was unclear:
    [Y]ou can see that it’s from the start, yeah. So … we have an internal agreement. [I]t’s between me and her, we have this agreement which … when we actually do the other projects … it’s a pre-existing agreement which we have, yeah.
    1. When further questioned about how the deed came about, Mr M said that it was ‘a long time ago’ and that it came about ‘in the previous setting’ when he worked in the Middle East. He said the agreement was ‘to give us some flexibility in that’.
    2. After a short break in the interview, Mr M said that the reason for the agreement was so that Ms J could ‘handle Australia, and when I was in [the] Middle East I have my own company.’ He added:
    I’m truthful with you now. You have everything now … that’s what the purpose was. It wasn’t … to hurt anyone or anything. It was making a … new age kind of business setup, and that was the plan. That’s all.
    1. Mr M told the investigation that he purchased MK Datanet from the original owners and that Ms J had become the director because he ‘was planning to do other stuff overseas’. He said this occurred ‘all because’ he wanted to go overseas, and the deed of agreement ‘was suggested to us by the lawyer, to do [it] this way’.
    2. Mr M added:
    I am the strategic thinker, I just do that … if I was planning to stay in Australia, that would be different. It’s more from the perspective of me going … [to] Dubai and then having an Australian company … this was the main reason for it, because the setup thing.
    Because over there setups like, you … have to have other partners to have the business and all this stuff. So it’s all around that. We have that discussion and she [Ms J] said that she would do this and I would do that.
    1. Mr M acknowledged at interview that he had ‘concealed’ his ownership of MK Datanet but asserted that it was not ‘for any bad purposes’.
    2. After a further break in the interview, he said:
    I accept that I was behind the company and [Ms J] was the front of the company. That’s what we had, so I accept that … this is what it is, you know, what concealing all this stuff. Yeah, so I accept that. This is everything, so this is my acceptance.
    But I didn’t make it for any really bad reasons or anything. There was just a set up. You can make your judgement on it.
    1. He later stated:
    [W]hatever I did in Melton City Council was all in good faith, [it] was a very good thing. It wasn’t that I actually did anything bad over there.
    1. Investigators put to Mr M at interview that one possible explanation about why he concealed his ownership of MK Datanet was so he could get MK Datanet work at the Council, without staff knowing it was his company. In response, he said that it was not his original intention, but that he had later realised the situation presented an opportunity for him:
    So I just wanted … [to be able to] do work under [the] Company's umbrella. That was the [original] thing … but yes, later on when you're in a Company and you see some opportunity, yes, I accept that yes, I did that. But yeah, the intention initially was not to do that.

    Mr M’s involvement in the Council’s engagement of MK Datanet

    1. The investigation examined the processes used by the Council to engage MK Datanet and Mr M’s involvement in those processes. It considered whether Mr M had, in his role at the Council:
    • influenced processes used to engage MK Datanet to privately benefit himself and the company
    • failed to declare a conflict of interest in relation to MK Datanet.
    1. While investigating these issues, the investigation found evidence that Mr M had two other companies that were relevant to the investigation – Datafusion Technology and Softech Australia. These companies are discussed below.

    Initial short-term engagements

    1. The Council first engaged MK Datanet as a software consultant during early to mid-2018 to complete preliminary work on its business transformation program, for which it paid MK Datanet a total of $327,415. Details of these engagements are provided in the table below.

    Table 1: Preliminary work on the business transformation program completed by MK Datanet in 2018

    When the work was invoiced

    What the work related to

    Amount (inc GST)

    No. of quotes obtained

    May 2018

    ‘Civica Authority Consulting Services for creation of Authority in Azure Cloud’

    $33,000 for 20 days of work

    3

    May 2018

    ‘Consultancy Services for Azure Digital Analytics Consultant with knowledge of Civica Authority’

    $31,900 for 20 days of work

    3

    May 2018

    ‘Mulesoft Consultancy Services – for developing a POC – current financial year’

    $31,900 for 20 days of work

    3

    June 2018

    ‘MS Azure AD and Identity & Access Management, SAML, Risk based governance (POC)’

    $36,685 for 23 days of work

    1

    June 2018

    ‘Mulesoft Integration Platform (POC)’

    $74,965 for 47 days of work

    1

    June 2018

    ‘Civica Authority Environment Assessment Installation/configuration’

    $75,900 for 46 days of work

    1

    June 2018

    ‘MS Azure AD and Identity & Access Management, SAML, Risk based governance (POC)’

    $43,065 for 27 days of work

    1

    Source: Victorian Ombudsman, based on procurement records obtained from Melton City Council

    1. Mr M was the main Council officer responsible for MK Datanet’s engagements, stating at interview that he ‘introduced’ MK Datanet to the Council. His involvement also included:
    • requesting quotes from MK Datanet and other companies (where applicable)
    • selecting MK Datanet to undertake work
    • overseeing MK Datanet’s work.
    1. As indicated in the table above, only single quotes were sought from MK Datanet for the four jobs invoiced in June 2018, despite Council’s Purchasing Procedures Manual requiring three written quotes to be obtained for work exceeding $10,000.
    2. While Mr M sought quotes from two other companies (in addition to MK Datanet) for the jobs invoiced in May 2018, the investigation subsequently discovered that Mr M owned or controlled those two other companies as well.
    3. In addition to the above, the Council also engaged MK Datanet to undertake a small amount of work unrelated to the business transformation program during this period, for which it was paid a total of $64,442.40 between September and November 2018.

    Mr M’s other companies - Datafusion Technology and Softech Australia

    1. In addition to MK Datanet, the investigation obtained evidence that Mr M controlled two other IT companies, Datafusion Technology and Softech Australia.
    Concealed control
    1. The two registered directors of Datafusion Technology were Ms A and Ms B, appointed on 26 March 2018 and 5 April 2018 respectively. Ms B was the sole shareholder and at the time of her appointment as director, she was 21 years old.
    2. Softech Australia had one registered director and shareholder, Ms Z. At the time of her appointment to the company, Ms Z was 18 years old.
      - Company registers showed Ms A, Ms B and Ms Z as all having the same address a one-bedroom residential apartment located in inner Melbourne. This property was later found to be a rental property where Mr M lived.
    3. Aside from ASIC company records, the investigation was unable to find any publicly available information about Datafusion Technology and Softech Australia – neither had a company website, for example.
    4. Both companies were registered while Mr M was working at the Council. Datafusion Technology was registered on 26 March 2018 and Softech Australia was registered a fortnight later, on 11 April 2018.
    5. Although Mr M was not at that time listed as a director or shareholder of either company, several documents retrieved from his Council computer indicated he controlled the companies. These documents included:
    • company constitutions
    • ASIC certificates of company registration
    • share certificates
    • notices relating to the appointment of the company directors and shareholders
    • applications for the company shares
    • consent forms for the directors and shareholders of the companies to hold these positions
    • monthly service agreements for virtual offices for the companies, in Mr M’s name, listing his contact details
    • a Datafusion Technology contractor agreement which listed Mr M as the Managing Director.
    1. Also found on Mr M’s Council computer was a document containing what appeared to be instructions he had created for one of the directors of Datafusion Technology to complete a tax declaration for the company. The document, extracts of which are below, instructed the director to enter Mr M’s phone number in the tax declaration form if they wanted him to ‘handle it’.
    2. It also stated ‘give my address’ in relation to the ‘Business address’ section on the form and specified the address of his inner Melbourne apartment referred to above

    Figure 3: Excerpt from instructions on completing tax file declaration for registered director of Datafusion Technology found on Mr M’s Council computer

    1. Mr M acknowledged at interview that he owned Softech Australia and paid the ASIC fees.
    2. With respect to Datafusion Technology, he gave evidence that the company belonged to Ms A, a relative of his, who lived overseas, but that he ‘looked after’ the company for her.
    3. Company searches undertaken in March 2021 show that Softech Australia was deregistered in October 2020, approximately two months after Mr M was interviewed by the investigation.
    4. Datafusion Technology remains registered, but in August 2020, Mr M became the sole shareholder and office holder in the company.
    February 2018 request for quote process
    1. On 9 February 2018 Mr M sent emails to seven companies requesting quotes for Council work by a Systems Administrator and Azure Administrator. Three of those companies were MK Datanet, Softech Australia and Datafusion Technology.
    2. The requests for quote were sent to Softech Australia and Datafusion Technology over a month before they were registered as companies.
    3. The request for quote to MK Datanet is shown below.

    Figure 4: February request for quote sent to MK Datanet

    Figure 4: February request for quote sent to MK Datanet
    Source: Melton City Council
    1. Responses to the requests for quote were received from MK Datanet, Softech Australia, Datafusion Technology and one other company which Mr M was not associated with – IT Company A.
    2. Mr M received the response from IT Company A on 13 February 2018 at 5.37 pm.

    Figure 5: Response to February 2018 request for quote from IT Company A

    Figure 5: Response to February 2018 request for quote from IT Company A
    Source: Melton City Council
    1. At 10.02pm that evening, Mr M sent an email to Ms J, from his Council email account, telling her what rates MK Datanet should quote for the job.

    Figure 6: Email from Mr M to Ms J on 13 February 2018

    Figure 6: Email from Mr M to Ms J on 13 February 2018
    Source: Melton City Council
    1. While IT Company A’s response did not quote for the ‘System Admin’ portion of the work, the quote Mr M told Ms J to provide for the ‘Azure Admin’ work on behalf of MK Datanet was lower than the quote he had received from IT Company A that day.
    2. Two days later, on 15 February 2018, Ms J sent an email to Mr M copied to another Council officer, thanking him for the request for quote and providing the same table of rates he had sent to her.
    3. When shown a copy of the email Mr M sent her on 13 February 2018 in which he told her what rates MK Datanet should quote, Ms J said:
    So, I received an email asking for rates. I had a chat to [Mr M] about the request, and he sent me the info to send through.
    1. When asked whether she thought it was appropriate for Mr M to effectively provide a quote to himself to assess, Ms J said:
    That didn’t really cross my mind … that time was my first time, ever communicating with the Council, or the Council environment. So, I didn’t even think that … [it] never crossed my mind.
    1. When Ms J contacted the investigation the day after her interview to clarify her evidence, she said with respect to the February 2018 emails that at the time ‘that was basically the protocol for me. I’d get sent [an email saying] “this is what we should quote the client”, and I’d just do that’.
    2. Ms J added that she had never previously dealt with councils before, and said:
    Now, I am aware, because I’ve actually got myself more involved in the past year … [I have started] to learn they’ve got protocols, they’ve got certain measures and everything. But at the time, I had no idea. I was just following [directions to] ‘send this’.
    1. Mr M also confirmed at interview that he prepared MK Datanet’s quotes to the Council for the jobs it was engaged to complete during early to mid-2018.
    2. He acknowledged that this was ‘not appropriate’.
    3. When informed of the 13 February 2018 email from Mr M to Ms J, the Council’s IT Manager said at interview that ‘a Council employee or a contractor should not be doing anything like that’. He further said ‘I don’t think you even need to do an induction program to know that’s wrong’.
    4. In his response to a draft report, Council’s IT Manager further stated with respect to this request for quote process:
    The quotation provided by MK Datanet was the only service provider that had sourced an ex-employee of the incumbent software provider, and therefore the only choice from which to procure the required services.
    1. Mr M responded to this section of a draft report saying that while he now knows that seeking quotes from the two companies he owned was inappropriate, he considers that MK Datanet was the only option available to the Council that could provide a resource with both Civica and Azure experience.
    April 2018 request for quote process
    1. On 9 April 2018, Mr M sent another request for quote to three companies: MK Datanet, Datafusion Technology and Softech Australia. This request for quote was sent two days prior to Softech Australia being registered as a company.
    2. Email responses to the requests for quote were sent to Mr M by ‘Lucy Wu’, Account Manager at Softech Australia and ‘Ayla Tran’, Account Manager at Datafusion Technology.

    Figure 7: Response to April 2018 request for quote from Softech Australia

    Figure 7: Response to April 2018 request for quote from Softech Australia
    Source: Melton City Coucil

    Figure 8: Response to April 2018 request for quote from Datafusion Technology

    Figure 8: Response to April 2018 request for quote from Datafusion Technology
    Source: Melton City Council
    1. MK Datanet also responded, providing the cheapest quote, with a daily rate of $1,450 and total of $29,000 for 20 days’ work. Datafusion Technology quoted a daily rate of $1,600 ($32,000 for 20 days), and Softech Australia quoted $1,800 ($36,000 for 20 days). 4
    2. At interview, Mr M acknowledged that the requests to Datafusion Technology and Softech Australia were not genuine requests for quote, and that he had sent these requests to create the appearance of a competitive procurement process.
    3. Mr M also conceded that ‘Ayla Tran’ and ‘Lucy Wu’ were not real and that he ‘made them [up]’. He said he sent the responses to the requests for quote under the guise of these fake identities.
    4. In response to a draft report, Mr M stated that these were actually ‘virtual assistant’ email accounts related to virtual office subscriptions and this was a ‘new cost- effective way of doing things in the virtual world’. The investigation notes that this does not materially alter Mr M’s previous evidence that these accounts were used to falsely portray the appearance of a competitive procurement process.
    5. Mr M further stated in his response that the quotes and tender submissions were merely a formality, given it was ‘pre-determined’ MK Datanet would be selected to provide the services.
    Failure to declare a conflict of interest in relation to Datafusion Technology or Softech Australia
    1. The investigation identified no conflict of interest declarations made by Mr M in relation to Datafusion Technology and Softech Australia.
    2. He told the investigation that ‘[m]ultiple times during casual discussions’ with Council staff and contractors, including his original supervisor (Council’s former Enterprise Application Coordinator), Datafusion Technology and Softech Australia ‘came up’ when ‘chatting about [his] future plans /post Melton’. He said that he ‘mentioned these companies as “new breed” companies’.
    3. Mr M further said that Council’s former Enterprise Application Coordinator asked him to ‘get quotes from the “new breed” companies [he] spoke to him about’ for a particular piece of work, where no quote responses were received from existing Council suppliers.
    4. However, Council’s former Enterprise Application Coordinator told the investigation he was ‘unaware’ of Mr M having ‘an association with any other companies’ while at the Council and did not recall him ‘ever mentioning’ Datafusion Technology or Softech Australia. He said he recalled asking Mr M to ‘obtain quotes from other companies for some work, but again he never mentioned they were companies he owned’.
    5. Irrespective of whether Mr M told anyone at the Council about his ownership of Datafusion Technology and Softech Australia, he did not declare a conflict of interest when seeking quotes from these companies, in breach of the Council’s Code of Conduct, Procurement Policy and Purchasing Procedures Manual.

    Three-year $1.3 million contract awarded to MK Datanet

    1. On 29 September 2018, the Council sought tenders for a three-year $1.3 million contract (‘the contract’) to provide:
    • software licences for ‘Mulesoft Anypoint Platform’ 5 and ‘Sailpoint Identity’ 6
    • associated professional consultancy and development services for both of the above.
    1. On 12 November 2018 the Council awarded the contract to MK Datanet following a public tender process, during which two other companies, IT Company B and IT Company C also tendered.
    2. Mr M told the investigation that he primarily managed this tender process, which included:
    • preparing the request for tender documents based on templates and advice from the Council’s procurement department
    • leading the evaluation of the tender submissions
    • preparing a report for the elected Council recommending the contract be awarded to MK Datanet as the preferred tenderer.
    1. In response to a draft report, Mr M noted this was his first time writing a procurement report to be presented to a council; and he had been guided throughout the process by Council’s IT Manager, who provided him a previous procurement report to use as a template.

    Figure 9: Links between Mr M, MK Datanet and the Council

    Figure 9: Links between Mr M, MK Datanet and the Council
    Source: Victorian Ombudsman
    MK Datanet appointed as sole supplier, despite intended panel of providers
    1. The request for tender issued on 29 September 2018 stated that a panel of providers was to be appointed to provide the above services. However, ultimately MK Datanet was appointed as the sole supplier.
    2. The investigation was unable to conclusively verify why a panel was not appointed. The Council’s IT Manager said at interview that he was not sure why this did not occur but suggested it may have been due to the limited number of suitable tenderers who made submissions.
    3. Mr M said at interview that the intention was to appoint a panel and that there was ‘talk’ of re-tendering in light of the limited number of submissions received. He said there was discussion about re-tendering taking too long, so he just went ahead with the process. He also said that ‘the understanding of the organisation was to use MK Datanet from the start’, ‘because of the dependency on the work [which] was already done’.
    4. In his response to a draft report, Council’s IT Manager added:
    Following a review of the tender documentation, the tender should never have been a panel, or at least had separable portions with a direct appointment for the provision of software licencing and a panel for professional services. This may have led to confusion as a panel of service providers serves no purpose for the procurement of software licensing for the duration of the contract.
    1. He further stated that a search of email correspondence had found no communications or records to support Mr M’s claim that the understanding of the Council was always that it was going to use MK Datanet for the contract.
    Deficient tender evaluation process
    1. A report to the Council dated 12 November 2018 stated that a tender evaluation panel was established to discuss and score the tender submissions. The report states the panel comprised Mr M and two other Council officers:
    • the Application Support Coordinator
    • the Business Transformation Coordinator.
    1. The tender report listed each of the tenderer’s quoted prices as:
    • IT Company B – $2,187,000
    • IT Company C – $1,735,000
    • MK Datanet – $1,335,000.
    1. The report outlined a score of 20 for MK Datanet and 10 for IT Company B, with IT Company C’s submission being deemed non-compliant because it did not provide ASIC business registration.
    2. Despite the above, witness evidence suggests no evaluation panel was established. Council’s Business Transformation Coordinator told the investigation at interview that he ‘definitely wasn’t part of any … evaluation panel for any tenders involving MK Datanet’, and said he was ‘surprised’ to see the report listing him as a panel member. He said he believed Mr M solely managed the tender process.
    3. Council’s Application Support Coordinator told investigators during a telephone conversation that he also had no recollection of being involved in the tender process at all and he was not involved in any evaluation process.
    4. Mr M acknowledged at interview that no formal panel was established but gave evidence that one ‘pretty informal’ meeting occurred, where he presented to Council’s Application Support Coordinator and Council’s Business Transformation Coordinator on the tender submissions, and they then scored them together.
    5. However, Council’s Business Transformation Coordinator told the investigation:
    I don't recall any formal meeting with [Mr M] regarding … scoring MK Datanet for the tendering process.
    1. In his response to a draft report, Council’s IT Manager added ‘… email records show that Mr M had completed the scoring prior to the meeting with [Council’s Application Support Coordinator] and [Council’s Business Transformation Coordinator]’. He said an email search found that Mr M had undertaken the evaluation and presented the findings to both the Business Transformation Coordinator and Application Support Coordinator.
    2. The emails to which Council’s IT Manager refers show Mr M provided a PowerPoint presentation to Council’s Business Transformation Coordinator and Application Support Coordinator via email on 30 October 2018, which contained the scoring for the tender submissions. The email to Council’s Application Support Coordinator is blank, but the one to Council’s Business Transformation Coordinator states:

      Hi [Business Transformation Coordinator],
      As discussed. I will schedule a meeting with you to go through it.
      Kind Regards [Mr M]
    1. This suggests Mr M may have scored the tender submissions on his own. The investigation was unable to obtain any other documentation recording a discussion about the tender.
    2. In response to this section of a draft report, Mr M stated:
    … I did not score the tender submissions on my own. By way of context, I clarify that I used to sit next to [Council’s Application Support Coordinator] and there was a round meeting table and a white board next to us. [Council’s Business Transformation Coordinator’s] desk was in the adjacent building.
    I prepared the responses evaluation template in Power Point. On 30 October 2018 [Council’s Business Transformation Coordinator] came to my desk and I presented the response template to him. I had discussions with [Council’s Business Transformation Coordinator] and [Council’s Application Support Coordinator] about the tender responses including the scores. The discussion took place at the round meeting table next to mine and [Council’s Application Support Coordinator’s] desks. On my recollection.
    During that meeting, [Council’s Business Transformation Coordinator] said he had to leave and he asked to later flick him an email with the completed evaluation template. [Council’s Application Support Coordinator] and I continued the meeting and finalised the responses evaluation. After the meeting I sent an email to [Council’s Business Transformation Coordinator] with the completed evaluation template and in the email, I told him that I will book a time with him to go through the completed evaluation template. The next day, I met with [Council’s Business Transformation Coordinator] and asked him about the template. He told me that if [Council’s Application Support Coordinator] had no issue with the template then he had no issue. I told him that [Council’s Application Support Coordinator] had no issue with the template.
    I also send [sic] an email to [Council’s Application Support Coordinator] attaching the completed evaluation template. There was no narrative in the email as [Application Support Coordinator] and I have already discussed the response evaluation and we were in active conversation when I sent the email (I was sitting next to him).
    1. While conceding to the investigation that no panel was established, Mr M said he included a statement in the report that there was a panel because he was told it was required, but he saw it as just a ‘formality’. In response to a draft report, he said he had initially included a reference to ‘a vendor assessment process’, however Council’s IT Manager instructed him to amend this reference to ‘evaluation panel assessment of submissions’ when he reviewed a draft version of the report.
    2. When asked to respond to Mr M’s statement that he had asked Mr M to change the wording of the report to ‘evaluation panel assessment of submissions’, Council’s IT Manager stated the following in an email to investigators dated 1 December 2020
    The Council report was a long time ago, so I can't recall specific changes when I had reviewed the report at the time.
    However, let's assume I had asked [Mr M] to make this change, it would have been because any Council report that involves a tender should reference the evaluation panel decision rather than a vague statement of a process. If I had asked for the wording to be changed, I am sure a discussion would have accompanied it to confirm that it was an evaluation panel decision.
    1. The report to the Council also stated that no member of the tender evaluation panel declared a conflict of interest.
    2. In response to a draft report, Ms J indicated that she was not aware of Mr M’s role in considering MK Datanet’s tender submission, stating:
    It was always my understanding that the council staff/team would be the ones evaluating the tender and not a contractor like [Mr M].
    Nodue diligence or reference checks conducted
    1. Despite being required by the Council’s Purchasing Procedures Manual, no due diligence or reference checks were conducted for any of the three tenderers. Mr M told the investigation he did not complete these checks because he ‘was not asked to do so by Procurement’. He further said he ‘evaluated the tenders in accordance with the evaluation criteria’ and:
    In my honest opinion MK Datanet scored the highest which I shared with the acting application co-ordinator.
    It may be that I was not requested to do a due diligence or reference checks on MK Datanet because MK Datanet was known to the Council and already involved in the ‘business transformation project’.
    1. Had such checks been conducted, it would have been revealed that some of the information in MK Datanet’s tender submission was incorrect and potentially misleading, including:
    • MK Datanet’s statement that the company had ‘been in operation 5 years under the current name and 8 years under the name Datatech Consulting Pty Ltd’, when MK Datanet and Datatech Consulting are actually two separately registered companies.
    • Information about MK Datanet’s financial position, which was not consistent with its 2016-17 and 2017-18 profit and loss statements and balance sheets, copies of which were found on Mr M’s Council computer and provided to the investigation. For example:
      • MK Datanet’s total assets in 2016-17 were $683,931 and total
        liabilities were $750,400. However, the tender submission listed total assets as $1 million and total liabilities as $300,000
      • Similarly, in 2017-18, MK Datanet’s total assets were $919,268 and total liabilities were $1,053,866. However, the tender submission listed total assets as $1.5 million and total liabilities as $300,000.
    • Information about MK Datanet’s employees, including the duration of their employment with the company, which in some cases exceeded
      the time the company had been registered.
    1. Ms J reiterated this position when responding to a draft report, stating this was how they let ‘previous clients … know that [they] had rebuilt the business’. She said, ‘[b]oth businesses were owned by [Mr M] and run in a similar fashion which is why I saw it as being essentially a continuum of Datatech Consulting’.
    2. In response to the profit and loss statements obtained from Mr M’s computer, she stated she believed these were inaccurate, but did not provide any evidence to support this view

    Failure to declare a conflict of interest

    1. Mr M did not declare any conflict of interest in relation to MK Datanet during his time at the Council. This included failing to declare it when prompted by the ‘conflict of interest and confidentiality declaration’ form he was required to fill out and sign during the tender process in late 2018, extracts of which are below.

    Figure 10: Extracts from conflict of interest and confidentiality form signed by Mr M

    Figure 10: Extracts from conflict of interest and confidentiality form signed by Mr M
    Source: Melton City Council
    1. When asked about this form at interview, Mr M said ‘I know I signed it’ and ‘that was wrong’. He accepted it was not an honest declaration but defended his actions by saying that his intention was to get the project started. He indicated a misunderstanding of conflicts of interest, stating that he thought it might apply ‘if there is another company who is involved … [and] I’m taking something from them’, but said he didn’t see it ‘as a real conflict of interest over there [at the Council]’. He added ‘A lot of things happened over there like this … ’
    2. In response to a draft report, Mr M acknowledged he had not taken signing the conflict of interest form seriously and ‘[he] did not think at the time that [he] was doing anything wrong’. He also stated he became aware of the Council procurement rules after attending relevant workshops at the Council held in June 2019; and if he had of known these rules at the time, he would have done things differently.
    Limited oversight during tender process
    1. Mr M said at interview that Council’s former Enterprise Application Coordinator left the Council around the time the request for tender was issued. Despite having no financial delegations, and on his own interview evidence, he was ‘not very familiar’ with government procurement practices, Mr M was given primary responsibility for leading the tender process, and with limited oversight.
    2. Mr M said at interview that three weeks after the request for tender was issued:
    [Q]uestions came to me and I answered them, and then tender [submissions] came back and … [they were] sitting there. [Council’s Application Support Coordinator] was pretty busy in his work, and [former Enterprise Application Coordinator] was not there, so [Council’s IT Manager] asked me to look at the tender.
    1. Mr M said that he was told to fill out the relevant paperwork. As the next Council meeting was the following week, if the report was not ready by then, it would be another two months before the contract could be awarded. He said that a ‘series of fast work’ happened as a result.
    2. Mr M said that Council’s Business Transformation Coordinator and Application Support Coordinator attended one meeting regarding the tender evaluation, but that Council’s Business Transformation Coordinator was ‘quite sick’ at the time, and that like him, Council’s Application Support Coordinator ‘knew’ that MK Datanet was ‘going to do it’ (ie be awarded the contract) ‘because the resources [MK Datanet staff] were still on board’.
    3. Council’s Application Support Coordinator told investigators it was his understanding that the supplier had already been decided before he became involved with the project, saying that he was only involved in the execution of the project.
    4. While Council’s Business Transformation Coordinator said at interview that he was not a member of any tender evaluation panel, the investigation obtained a copy of a ‘conflict of interest and confidentiality declaration’ form for panel members which he appears to have signed.

    Figure 11: Conflict of interest declaration signed by Business Transformation Coordinator

    Figure 11: Conflict of interest declaration signed by Business Transformation Coordinator
    Source: Melton City Council
    1. When asked about this form at interview, Council’s Business Transformation Coordinator confirmed it was his signature on the form and said he recalled signing it, but that Mr M had presented it to him as something different from what it was. He said:
    What was presented to me … [had] already been agreed, or [a] decision already made to use Mulesoft and Sailpoint, and then this was like a formal process for me to sign off to then procure those products, not to evaluate them, if that makes sense.
    1. After being shown a copy of the form at interview, Council’s Business Transformation Coordinator conceded that it was ‘most definitely’ different from what he thought it was at the time, stating:
    Now that I read it, it says ‘as a member of the tender evaluation team’, [now] it’s highlighted to me. I didn’t take notice of … that first portion. I wasn’t a member of any evaluation team …
    1. When asked at interview whether he read the form before signing it, Council’s Business Transformation Coordinator said he did, however
    … certainly I didn’t read it well enough. I’m looking at it now and thinking, the first statement around “as a member of the tender evaluation team”, I should have questioned that, but obviously … that missed me, I missed that at the time.
    MK Datanet preferred tenderer, despite not meeting mandatory requirement
    1. The report to the Council outlined the reasons MK Datanet was the preferred tenderer, stating:
    Based on the score of 20, MK DATANET Pty. LTD is the preferred contractor. They have demonstrated strong experience and current familiarity in the core technologies which council use and present an excellent probability of success among all submissions.
    MK DATANET Pty. Ltd Scored highest overall. They have satisfied the tender evaluation panel with their capability and current familiarity and experience of the core technologies/applications which councils uses and enhance [sic].
    1. This was despite MK Datanet not meeting one of the mandatory requirements outlined in the request for tender, regarding occupational health and safety (‘OHS’). Specifically, the successful tenderer was required to show ‘demonstrated existence of, and commitment to, satisfactory Occupational Health & Safety policies and procedures’.
    2. MK Datanet’s tender submission used an OHS policy copied from the ‘Australian Centre for Agriculture Health and Safety’ with their company name inserted throughout.
    3. The policy did not include reference to Victorian OHS regulations, and was clearly not relevant to an IT company, containing references to agricultural activities such as ‘mustering’, ‘branding and tagging’, ‘fence tensioning’, ‘windmill maintenance’ and safety requirements to minimise the risk of falls when working at heights.
    4. The Council ultimately approved the recommendation to award the contract to MK Datanet, which commenced on 1 December 2018.

    Mr M’s involvement with MK Datanet’s tender submission

    1. After acknowledging his ownership of MK Datanet, Mr M told the investigation that he helped Ms J prepare MK Datanet’s tender submission for the Council contract. He said his input included providing advice about the ‘product price’ and the ‘daily rates’, as well as preparing the IT- related methodology component of the submission.
    2. In response to a draft report, Ms J said that she had proposed the licence pricing, after liaising with the vendors. She said, ‘I told [Mr M] what price I thought would be suitable and he did not disagree’.
    3. Mr M acknowledged at interview that providing this input was ‘not appropriate’ given he was the Council officer leading the assessment of the tender submissions. When asked whether he thought it was appropriate at the time, he said:
    Well as I said, to be honest, the whole thing, the understanding was that this tender is just a formality … if I think now, obviously it's not [a] very good [thing] to do. But … because I was there and in my understanding, it was the better solution for [the Council], and I still believe that …
    1. Mr M also asserted that he did not ‘rip [off]’ the Council but said he could have if he wanted to. He said the rates MK Datanet quoted to the Council were ‘very competitive’; and because MK Datanet became a partner of Mulesoft and Sailpoint, they were able to obtain a 35 per cent discount for the Council.
    Reference for MK Datanet
    1. Prior to Mr M finishing up at the Council in late 2019, Ms J sent him an email (see Figure 12 on following page) thanking him for working with MK Datanet and asking him to provide a reference for the work MK Datanet did for the Council.
    2. Mr M acknowledged at interview that it was ‘not appropriate’ for him to provide a reference for his own company and said the exchange was ‘a bit childish’ but was ‘nothing harmful’. When responding to a draft report he further addressed this email stating he was not proud of it and the only way ‘[he could] address this [was] to sincerely apologise and learn from it’.
    3. At interview, Ms J did not express any concern about the reference request, stating that she sent the email ‘because we wanted a reference on that particular project’. She said she thought there were no issues if Mr M ‘kept just [to] the facts on what was done’ and that ‘it wasn’t asking someone to write a reference, when there was, you know, nothing there [ie. no work done]’. She further said:
    [T]here was work done, and he was the best person in the Council to understand the delivery. So, he would’ve been the most appropriate person to ask that of, because the Coordinator that we worked with at that time … [was] no longer the Coordinator. And the previous Coordinator wasn’t there anymore that we worked with as well. And … he was the person who ran the project, so we figured that he would be the most suitable person to actually be able to speak about the project.
    1. Ms J expanded on this in her response to a draft report, saying she did this because the ‘new co-ordinator just seemed opposed to us from the get-go even though he had never worked with us before and was never involved with the project while we were engaged’.

    Figure 12: Email from Ms J to Mr M on 25 November 2018

    Figure 12: Email from Ms J to Mr M on 25 November 2018
    Source: Melton City Council

    Changes to IT procurement practices implemented by the Council

    1. As a result of the issues identified by the investigation, the Council’s IT Manager said he had implemented a change to the way IT services were procured at the Council. He said that some of the evidence he provided to the investigation made him realise ‘how easy it was to stack the odds in favour of one supplier by obtaining unfavourable quotes from organisations that may or may not exist’ (as Mr M had done).
    2. He said that going forward, ‘IT [staff] must procure professional services from our professional services panel of providers. These providers were sourced from a public tender, have gone through a level of evaluation and have been endorsed by Council. This is only for procurement of services up to $150,000 as anything above must still be tendered.

    Allegation 2: The Council continued to use and pay MK Datanet, despite non-performance

    1. In addition to Mr M failing to declare a conflict of interest when he engaged MK Datanet, the public interest complaint alleged that the Council continued to use and pay MK Datanet, despite it not performing or providing services as per its contract.
    2. The complaint raised several concerns about MK Datanet’s work for the Council, including that:
    • MK Datanet charged the Council for tasks which were ‘already implemented features’ of the software products (Mulesoft and Sailpoint) and ‘overestimated’ the effort required for other tasks.
    • There was no ‘traceability’ of the tasks completed by MK Datanet, including ‘no tracking … [of] how many days were actually spent and on what task’.
    • The Council was not using Mulesoft or Sailpoint ‘even after 18 months’ of work by MK Datanet; there was ‘nothing in production’ and ‘no business use/ business value’.

    The Council’s oversight of MK Datanet’s work

    Who was responsible?

    1. In addition to leading the tender process for the three-year contract ultimately awarded to MK Datanet, Mr M was the primary Council officer involved in overseeing MK Datanet’s work under the contract.
    2. The Council’s IT Manager said at interview that at an ‘operational level’ and from a ‘technical perspective’, Mr M was the Council officer primarily involved in MK Datanet’s work under the contract.
    3. Similarly, the director of MK Datanet, Ms J said at interview that Mr M was ‘pretty much running that project … within Melton’ and that he worked together with MK Datanet’s consultants.
    4. In responding to a draft report, Council’s IT Manager said:
    As the core technology platform is the responsibility of the Enterprise Application Coordinator, [Council’s Application Support Coordinator] was assigned as the program owner with [the Project Manager] appointed as the project manager ...
    Projectmanager broughtin dueto concernsabout visibility of work
    1. Council’s IT Manager told the investigation at interview that shortly after the contract commenced, there were some ‘relationship issues’ between Mr M and other staff, and concerns were raised about a lack of visibility over the work MK Datanet was completing. He said, ‘I had a number of people just coming to me saying that there's no visibility into the work that's going on’ and that ‘no one even had the kind of technical understanding [to know what was going on] …’
    2. Council’s IT Manager said that as a result, he installed a project manager to ‘oversight the entire delivery’, who then took responsibility for the final decisions that had to be made:
    So, you know … we might get an invoice, for instance, from say a supplier, MK Data[net] and [the Project Manager] … [would] check with [Mr M] [and] say ‘Okay, have they done this piece of work?’ and he would say ‘Yes, they have’ or ‘No they haven't’. And then [the Project Manager] … [would] authorise the payments to MK Data[net] based on achievement of the relevant milestone.
    1. In his response to a draft report, Council’s IT Manager stated ‘the reason for appointing a project manager is that a project of this scale and complexity must have a project manager otherwise it will fail’.
    2. Council’s IT Manager said that conflicts then started arising between the Project Manager and Mr M, and that things were ‘up and down’. He said that the new Applications Coordinator who started in mid-2019 ‘had more of an understanding of this type of work’, which then enabled the Council to make an ‘exit plan’ for Mr M.

    Limitations of the Council’s oversight of MK Datanet

    Project manager expertise
    1. Although the introduction of the Project Manager brought some additional oversight to the work MK Datanet was doing, Council’s IT Manager said at interview that he did not have technical IT expertise. This meant that the project manager was reliant on Mr M’s advice about whether MK Datanet had completed relevant work. He said ‘… [the Project Manager] … was more about the governance’.
    2. Council’s IT Manager said at interview that after starting, the Project Manager raised concerns with him about whether Mr M was ‘providing full transparency’ and said he would get into ‘technical arguments’, which were like ‘getting caught inside a cyclone’.
    3. In responding to a draft report, Council’s IT Manager said that his interview remarks had been ‘misunderstood and taken out of context.’ He said ‘[the Project Manager] is a technical project manager which was the reason he was assigned to manage the technology platform program’ and that he had often been assigned to technical projects in the past. He said his comments ‘meant to indicate that [the Project Manager] did not have Mulesoft and Sailpoint technical expertise. However, this is normal for most projects’.
    4. According to the IT Manager, ‘the role of the Project Manager is to plan and coordinate the work of those that have the skills … Mr M had the … expertise and therefore trust was placed in him that he would act in the best interest of Council’.
    Lackof specificityin tender and contract documents
    1. The Council’s oversight of MK Datanet’s work was also limited by the lack of specificity in the tender and contract documents. Council’s IT Manager said at interview that after trying to gain an understanding of ‘what the actual work was’, his view was that he ‘couldn’t make heads or tails … the specification was open to interpretation’.
    2. In terms of whether it was unusual to have a work specification which was ‘open to interpretation’, Council’s IT Manager said that ‘it shouldn't be like that … Sometimes you can have an outcome-based requirement… or you can be very specific and say “We want you to do A, B, C, D and E”.'
    3. Council’s IT Manager added that this contract could have been put in either category, and that consequently ‘… whether or not that work is actually going to get to the end outcome we're looking for, yeah, I'm not sure’.
    4. The Council noted that the key performance indicators (KPIs) in MK Datanet’s contract with the Council were also ‘minimal’ and did not ‘reflect the success of the project’ (see copy of KPIs below).
    5. In his response to a draft report, Council’s IT Manager stated that having worked with one of the software developers as part of a review of MK Datanet’s performance, and gained a better understanding of the work, ‘the requirements within the contract are specific and not outcomes based objectives’.

    Figure 13: Key Performance Indicators in the Council’s contract with MK Datanet

    Figure 13: Key Performance Indicators in the Council’s contract with MK Datanet
    Source: Melton City Council

    External review of MK Datanet work commissioned by the Council

    Mulesoft implementation

    1. While noting the above limitations, the Council decided during this investigation to commission one of the software suppliers, Mulesoft, to independently review the portion of MK Datanet’s work relating to their software.
    2. Council’s IT Manager told the investigation that the purpose of the review was to validate whether MK Datanet had completed the work the Council had engaged and paid it to complete. He said he decided to commission the review once he ‘started hearing [and] getting concerns that they hadn't delivered what they had expected to’. Council’s IT Manager said he had a discussion with the CEO and thought ‘Well, there’s only one way I'm going to find out whether or not they've done what they've done, and that's to go to the manufacturer’.
    3. Mulesoft prepared an initial report based on its review of MK Datanet’s work in February 2020 and sought MK Datanet’s response to the initial findings. Several different iterations of the report were subsequently produced based on responses from MK Datanet and the need for further review work by Mulesoft.
    4. At the time this report was being prepared, the most recent version of the Mulesoft review report stated that 34 issues across four functional areas had been identified as needing remediation, more than half of which were classified as either requiring ‘immediate attention’ or ‘should be considered for more immediate attention’.
    5. Of 18 work items from the scope of work MK Datanet was engaged to complete, the report stated that:
    • two items had been implemented
    • six items had been partially implemented
    • no ‘code’ or ‘configuration’ could be found for five items
    • the implementation status was ‘unknown’ for three items
    • two were considered ‘not applicable’ because they did not relate to Mulesoft or were no longer required.
    1. The report also noted that two of the work items were available as an ‘out of the box solution’ of the software, however, had not been included in the Council’s subscription.
    2. The report concluded that because of the issues identified, the Mulesoft software was ‘not being used at all’ and would ‘continue to be unused’ if the issues identified in the report were not addressed.
    3. At the time this report was prepared, the Council was continuing to liaise with MK Datanet and Mulesoft about the review, with potential further review work to be undertaken based on an additional response from MK Datanet.
    4. In response to a draft report, Ms J indicated the multiple changes of co- ordinators with ‘no handover’ disrupted delivery and disputed the findings of the Mulesoft report on the basis that the scope of the audit was ‘narrow’.

    Sailpoint implementation

    1. In regard to the Sailpoint software MK Datanet was also engaged to implement, Council’s IT Manager said at interview that he may also get Sailpoint to review MK Datanet’s work, but said he wanted to ‘take one step at a time’ and that the Mulesoft portion was ‘the bigger piece’.
    2. However, Council’s IT Manager also said at interview that the Council is now unlikely to progress with Sailpoint as ‘Microsoft have got a complimentary or a comparative product that's part of our new Enterprise Agreements anyway.’ He added that ‘ … we will only do the Sailpoint [review] from a perspective of did … MK Data[net] do what we had asked, not from the perspective of are we going to use it going forward … we're not going to use it.'

    Status of MK Datanet’s work

    1. Council’s IT Manager told the investigation at interview that MK Datanet’s work for the Council was stopped in early 2020, pending the outcome of the Mulesoft review. In terms of what may happen after the review was finalised, he indicated that he did not intend to continue using MK Datanet for any further work because of ‘the dramas that's gone on behind this contract, but also, you know, just … my confidence level in this organisation’.
    2. Council’s IT Manager further stated that if more work is required he has ‘every intention to retender this work’ to continue to build on this platform. In his words, the report ‘will be really important for me to help make a decision on what my next step is.’
    3. In response to a draft report, Ms J maintained work by MK Datanet was carried out consistent with the business plan and that it had actively engaged with a number of people on the Council’s IT team in relation to this. She further indicated that the only reason the Council was still not using the technologies was because it had stopped MK Datanet’s work prior to the agreed implementation stage, scheduled for financial year 2019-20. It was her view this was a Council management decision and not the fault of MK Datanet.
    4. Mr M also responded to this aspect of a draft report despite no definitive findings being made by the investigation in relation to allegation two. He noted that ‘[MK Datanet’s] work [could] not be verified by … testing the individual technology components of cloud foundation in isolation from each other’.

    Additional observations on the Council’s engagement of Mr M

    1. While examining Mr M’s conduct in this matter, the investigation received evidence indicating the Council provided limited oversight of Mr M. This was relevant for the investigation to consider, as it likely allowed Mr M’s conduct in this matter to occur and go undetected for some time.

    Initial engagement

    1. As mentioned earlier in the report, due to the Council’s use of the brokerage firm for temporary staff, it had less direct involvement in Mr M’s recruitment than it would when hiring a permanent employee.
    2. The Council’s IT Manager told the investigation that it is the recruitment agency which is responsible for undertaking ‘compliance checks’ of contractors; such as their eligibility to work, identity and references.
    3. Because of the Council’s limited involvement in Mr M’s hiring, it was unaware that he was working as a contractor for MK Datanet.
    4. The brokerage firm’s system, which the Council uses to manage contractors and temporary staff only specified that he was engaged through the recruitment agency with no mention of MK Datanet.
    5. Although Mr M’s contractor renewal agreements and invoices for his work at the Council stated he was working for MK Datanet, the Council had no visibility of these as it did not pay him directly.

    Induction training

    1. When Mr M started at the Council, he did not receive the same induction as direct Council employees because he was engaged through a brokerage firm. Council’s IT Manager said at interview that when Mr M was engaged in 2017, induction was essentially ‘left to the hiring manager to provide an overview’ to new starters, but this has subsequently changed.
    2. Upon commencing at the Council, Mr M was not required to sign anything in relation to the Council’s code of conduct or policies relating to conflict of interest and procurement, despite being required to sign forms confirming he understood other policies, relating to occupational health and safety, and internet and email use.
    3. At interview, Mr M said he did not see himself as a Council employee, but rather he saw and treated the Council as his ‘client’. This suggests there may have been a lack of clarity around the nature of his role at the Council and expectations in terms of compliance with Council policies. This was despite his working full-time and onsite at the Council for two and a half years.
    4. When responding to a draft report, Mr M highlighted that many of the people he worked with day to day at the Council were also contractors and that some of them also had consulting companies of their own. He said this meant that there was an element of competition and commercial secrecy, and therefore no transparency.
    5. Later in the investigation, Council’s IT Manager said that the Council had developed a new formal contractor induction process, which he said in September 2020 was ‘soon to be rolled out’. The new induction process includes providing new contractors relevant Council policies and procedures, which now include the Code of Conduct; child safe policy and procedure; privacy policy; and discrimination, harassment and bullying policy and procedure. The Council also developed a form which contractors will be required to sign confirming they have ‘read, understood and acknowledge’ these policies.

    Throughout his engagement

    1. Throughout his time working at the Council, evidence indicates that Mr M was able to operate with a high level of autonomy and limited oversight by management at the Council,

    Reporting line

    1. Mr M’s first manager at the Council was the Council’s former Enterprise Application Coordinator between 2016 and 2018. At interview, he told the investigation that ‘various’ contractors had reported to him while working at the Council, including Mr M. However, he said that this reporting line was only ‘on the books’ and he did ‘not really’ have oversight of Mr M’s work, nor did he ‘tell him what to do’.
    2. Conversely, when responding to a draft report, Mr M maintained that he did not do any tasks but for those assigned to him through the Council’s electronic task management system.
    3. Council’s former Enterprise Application Coordinator said at interview that Mr M was in practice reporting to the manager of the Council’s Business Transformation Program; however, he was also a contractor. He said that as a result, Mr M had to report to him ‘on the books’ so he could sign off on his timesheets.
    4. When asked at interview whether this was a common arrangement, Council’s former Enterprise Application Coordinator said:
    I think that happens anywhere where you’ve got a bunch of contractors working, if there’s a hierarchy there, you don’t want the contractors approving each other’s time sheets, that could be a problem … So basically, I just made sure he [Mr M] was doing the hours he was supposed to be doing, making sure he turned up. So it was a roll call rather than an output arrangement.
    1. Council’s IT Manager said at interview that reporting lines for contractors were much less formal than for employees:
    Because it's not part of the formal org[anisational] structure, you know, a contractor reporting to another one is just a discussion to say ‘Hey, you're now responsible for this person’ … a staff member's different … that's through a formal process. It's recorded and so forth. But a contractor … we just move them along as you need.
    1. In response to a draft report, Council’s IT Manager said that following an organisational restructure in late 2017, Council’s former Enterprise Application Coordinator had management responsibility for Mr M’s work output and ‘full oversight of his activities’. He stated that this was evidenced by minutes of team meetings where Mr M had reported on his activities.

    Management changes

    1. After the former Enterprise Application Coordinator left the Council in September 2018, the role was held by three different people during the remainder of Mr M’s time at the Council. Mr M said at interview that the Council advertised the role, but no one was permanently appointed to it for an extended period. He said that Council’s Application Support Coordinator was acting in the role for some time, but that:
    [H]e was doing two jobs. He had his own job and [was] also doing the Coordinator [role]. So, basically there was no Coordinator …
    The moment … [Council’s former Enterprise Application Coordinator] left … [Council’s Application Support Coordinator] said if I say something, ‘Oh, just go ahead. Just go ahead. Just go ahead’. So, it … [meant] that there was no Coordinator for me.
    1. The totality of the lax oversight of Mr M’s work and performance described above combined to present the Council with a significant governance and procurement risk which was not managed adequately, and ultimately cost the Council over a million dollars.

    Findings

    1. Procurement is a well-recognised high- risk area for corruption within public bodies. In 2019, IBAC released aSpecial report on corruption risks associated with procurement in local government, which noted the range of employees within councils who are responsible for procuring a diverse and complex range of goods, services and works.
    2. Conflict of interest regularly features in investigations by IBAC and the Ombudsman, often in the context of procurement activities.
    3. Like many previous investigations, this case highlighted the importance of proper oversight, transparency and appropriate internal controls in relation to activities such as procurement. Without these, corruption can flourish and even more troublingly, go undetected.

    Allegation 1 – Mr M failed to declare a conflict of interest with MK Datanet

    1. The investigation found that Mr M engaged in improper conduct, by dishonestly performing his functions while engaged by the Council.
    2. The investigation substantiated the allegation that Mr M was associated with MK Datanet and failed to declare a conflict of interest when engaging MK Datanet for work at the Council.
    3. As the effective owner of MK Datanet, Mr M stood to directly financially benefit from any decisions by the Council to engage MK Datanet. This represented a significant conflict of interest, which Mr M failed to identify, declare and manage, in breach of the Council’s Code of Conduct, Procurement Policy, Purchasing Procedures Manual and the Local Government Act.
    4. Ultimately, the conflict of interest uncovered by the investigation was more serious than that originally alleged. The investigation found that Mr M knowingly misused his position as a Technology Architect at the Council to obtain a private benefit for his company MK Datanet totalling approximately $1.6 million.
    5. Mr M deliberately concealed his ownership of MK Datanet through the deed with Ms J, who acted as the ‘front’ for the Company. While originally there may have been other motivating factors for Mr M to conceal his ownership of MK Datanet, the investigation considers that facilitating Council work for MK Datanet for ultimate personal benefit also became a motivating factor in his continuing to conceal his ownership.
    6. After starting at the Council, Mr M opportunistically ‘introduced’ MK Datanet to the Council and facilitated the company getting thousands of dollars of work. Procurement requirements were not adhered to for many engagements, with only single quotes obtained from MK Datanet, despite the cost of the jobs requiring multiple quotes under Council procurement policies.
    7. Additionally, work was split across multiple different engagements even though in some instances, multiple jobs seemingly related to one piece of work. Whether done deliberately to reduce scrutiny or erroneously due to lack of understanding of requirements, this breached the Council’s Purchasing Procedures Manual.
    8. vAt the time of these initial engagements, Mr M deliberately concealed his ownership of MK Datanet in order to facilitate further opportunities for MK Datanet at the Council. The investigation does not accept Mr M’s evidence that he made no ‘secret’ of the fact he was working for MK Datanet, noting that all of the Council staff interviewed by the investigation said they were unaware of any association he had with the company. Irrespective, Mr M conceded at interview that he did not disclose his ownership of MK Datanet to anyone at the Council.
    9. By facilitating MK Datanet’s initial engagements, Mr M created a situation where MK Datanet became entrenched in the Council’s program of work to the point where the Council became reliant on the Company. This meant that Mr M was able to hand MK Datanet a three-year $1.3 million contract in late 2018 – through a heavily compromised tender process with a predetermined outcome.
    10. The Council’s oversight of Mr M was lax; and the significant responsibility given to him in managing the tender process for this contract allowed him to manipulate the process to benefit MK Datanet. This occurred despite multiple breaches of the Council’s Purchasing Procedures Manual and incorrect information in MK Datanet’s tender submission, none of which were identified by the Council.
    11. The investigation does not accept Mr M’s attempt to rationalise his conduct at interview by stating that he acted ‘all in good faith’ while working at the Council and that he did not conceal his ownership of MK Datanet ‘for any bad purpose’. Irrespective of the benefits Mr M believed the Council would gain from MK Datanet’s work, the evidence suggests he was primarily driven by personal gain and that his actions were deliberate and deceptive.
    12. Although the Council appears not to have provided Mr M a thorough induction and he claimed he was ‘not very familiar’ with government procurement practices, the investigation is satisfied that he knew his actions were wrong or unethical at the time, noting his deliberate attempts to conceal his true involvement in MK Datanet, Datafusion Technology and Softech Australia. The investigation notes Mr M:
    • signed a false declaration stating that he had no conflict of interest during a tender process in which MK Datanet was a tenderer
    • invited and assessed quotes and a tender submission from MK Datanet which he effectively prepared
    • sent quotes to the Council from fictional persons, via fake email accounts he created for Datafusion Technology and Softech Australia.
    1. Like MK Datanet, Mr M deliberately concealed his ownership or control of Datafusion Technology and Softech Australia and failed to declare a conflict of interest when requesting quotes from the companies in early 2018. Some of these quotes were requested prior to Datafusion Technology and Softech Australia even being registered as companies, further undermining the legitimacy of these procurement processes.
    2. Although not a subject in the investigation, the director of MK Datanet, Ms J appears to have been complicit in Mr M’s conduct. It appears she agreed to be the ‘front’ for MK Datanet because she saw it as a potentially beneficial business opportunity for her and she acted on Mr M’s directions in relation to the company.
    3. In response to a draft report, Ms J said:
    I do wish to make it clear that when I took on this role there was never a plan or intention to target councils or to carry out anything deceptive. From what I understand some companies do have shadow directors. I took care of the operations and administrative side of things and [Mr M] did the technical side of things and procured the funding. I came on board MK [Datanet] long before we started working with Melton.
    1. The investigation notes the final paragraph of the email dated 26 November 2019 from Ms J to Mr M at his Council email address, in which she requested he provide a reference for MK Datanet in his role as a Council officer. The email read:
    Lastly, let’s keep in touch even after your engagement at Melton finishes. We have enjoyed working with you and I believe there’s always potential for future opportunities to work together. FYI – We are always on the lookout for experienced IT consultants as well!
    1. This email, and Mr M’s dismissal of it at interview as ‘a bit childish’ but ‘nothing harmful’, indicates a casual disregard for the truth on the part of both Ms J and Mr M.
    2. Ms J’s evidence was untruthful. She asserted that Mr M did not own MK Datanet, even when presented with evidence contradicting this. It was not until the day after her interview that she recontacted investigators and provided a truthful account of what had occurred.
    3. Council’s IT Manager stated that he believes the evidence he provided in response to a draft report (set out in this report) demonstrates that Council provided adequate oversight of Mr M’s work over the time he worked at the Council. But he states that the Council:
    … acknowledges that Mr M was able to manipulate Council oversight with respect to work allocated to MK Datanet prior to the … tender … [and] accepts that oversight of the qu[a]lity of work delivered by MK Datanet was compromised due to the trust placed in Mr M to act in the best interest of Council.
    1. While the investigation acknowledges that there were some mechanisms in place to oversight Mr M during the two and a half years that he worked at the Council, these mechanisms did not function effectively. The investigation does not consider any one member of Council staff is necessarily to blame for this. Rather, a series of failures occurred which provided Mr M the opportunity to engage in improper conduct which went undetected until this investigation.
    2. This investigation also highlights the integrity risks posed by the use of complex labour hire arrangements to engage staff in public bodies. In this case, Mr M was engaged by the Council through a number of contracts between the recruitment agency, the Council’s brokerage firm for temporary staff, MK Datanet and the Council. This arrangement lacked transparency and assisted Mr M in concealing his relationship with MK Datanet.
    3. The investigation acknowledges and welcomes the changes the Council introduced during the investigation to its induction program for contractors and the procurement process for engaging IT suppliers.

    Allegation 2 – the Council continued to use and pay MK Datanet, despite non- performance

    1. The investigation did not substantiate this allegation to the requisite degree of satisfaction. This was due to:
    • the limitations in the Council’s oversight of MK Datanet’s work, which likely made it difficult for the Council to determine whether contractual obligations had been met
    • the ongoing review work which was yet to be finalised at the time this report was prepared.
    1. However, the investigation notes that the Mulesoft review work highlighted several issues with MK Datanet’s work requiring remediation and that the Council likely no longer wishes to progress the Sailpoint component of MK Datanet’s work. This raises questions about whether the Council received value for money in its engagement of MK Datanet under this contract.
    2. Irrespective of the outcome of the Mulesoft review, the integrity of MK Datanet’s work is called into question based on the way Mr M dishonestly facilitated the company’s engagements with the Council.

    The Council’s response

    1. In a letter dated 23 December 2020 responding to a draft report, the CEO of the Council stated:
    As a local authority responsible for the expenditure of public monies, it is extremely disappointing that an individual was able to identify and exploit some previously unidentified flaws in Council’s internal control processes. As a result Council has already put in place a number of controls to prevent a reoccurrence, such as establishing a panel of IT Professional Services suppliers, modification of the procurement workflow and centralised management of contract staff onboarding via the People and Culture Unit.
    Council will continue to work towards strengthening its processes to achieve compliance with the draft recommendations.

    Recommendations

    The subject matter and findings of this investigation give rise to three recommendations pursuant to section 23(2A) of the Ombudsman Act.

    Recommendation 1

    That the Council consider the integrity risks identified in this report relating to conflict of interest and transparency in labour hire arrangements when developing and reviewing its policies and procedures as part of the implementation of the Local Government Act 2020 (Vic), and advise the Ombudsman of the steps taken to address these risks by 31 December 2021.

    The Council’s response:

    Accepted.

    Recommendation 2

    That the Council, within six months of receipt of the Ombudsman’s report, advise the Ombudsman of any steps taken to address the concerns raised in relation to Allegation 2 about the adequacy of the services provided to the Council by MK Datanet.

    The Council’s response:

    Accepted.

    Recommendation 3

    That the Council consider referring the issues raised in this report in relation to Mr M’s conduct, to Victoria Police and the Australian Securities and Investments Commission.

    The Council’s response:

    Accepted.


    1. On 24 October 2020, section 80C was repealed and replaced by new conflict of interest requirements in the Local Government Act 2020 (Vic).
    2. Version 5.0, 13 November 2014.
    3. Version 3.0, 15 October 2013.
    4. All figures excluded GST.
    5. The ‘Anypoint Platform’ is an integration software solution created by software company Mulesoft, for connecting applications, data and devices.
    6. ‘Sailpoint Identity’ is a governance-based identity and access management software solution created by software company Sailpoint.