An experienced IT consultant claims he was ordered to inflate budget figures while working at the Country Fire Authority and was dismissed after raising concerns that the organisation had falsely claimed it was compliant with the state’s data protection regulations.
An internal investigation into the man’s complaints found that, if proven, his concerns could result in a “serious security breach that could affect key mission critical operations systems during fire season”.
The Age can also reveal the the CFA lost its accreditation as a Registered Training Organisation in December last year.Credit:Jessica Shapiro
The man, who could not speak publicly after signing a non-disclosure agreement, said his contract with the CFA was terminated soon after he raised concerns.
“I was asked to inflate the budget of the IT project by not just a little bit, but by more than 50 per cent,” he said.
“I said I’m not doing it. You’re asking me to falsify budget figures and then tell him it’s going to cost $1.8 million to do this. And it’s not.”
The former IT contractor said he was willing to sign an affidavit if required.
The CFA said it had engaged Deloitte last year to investigate the allegations, but did not find evidence to support them.
The Age can also reveal the CFA failed an audit by the Victorian Registration and Qualifications Authority (VRQA) in December last year, but has never informed its regional managers or thousands of volunteers.
CFA volunteers are unable to receive certification for nationally recognised training programs because of the failed audit, according to a draft letter that was never sent to members.
One source, who asked not to be identified as they feared they could lose their job for speaking out, claimed they were instructed by a senior figure in the CFA’s learning and development department to lie to volunteers at a meeting on March 5.
“He said words to the effect that ‘I understand that we’re expecting you to lie to members’,” the source said.
Internal documents obtained by The Age reveal the problem should have been rectified by the end of January but remains unresolved, while volunteers remain unaware of the failed audit.
In response to the claims about the March 5 meeting, a spokesperson for the fire authority said: “CFA always endeavours to be honest and open with its members at all times and ensure that they have the right information, when they need it.”
Regarding the failed audit, the CFA said the VRQA found the fire authority had awarded statements of attainment to members who had completed a nationally accredited training unit without having a prerequisite unit.
“This was an administrative error that CFA was not aware of and had been issuing the statements of attainment in good faith,” a spokesperson said.
“The CFA has taken steps to identify and notify impacted members and update training systems to prevent the unit from being awarded again without the prerequisites .. . and retrospectively issued a replacement competency unit in 2020 to all affected members.”
The Age has been inundated with examples of harassment and bullying since publishing multiple stories about CFA’s repeated failure to reform its dysfunctional workplace culture.
It revealed last week the CFA instructed its own investigators to drop or avoid some complaints of serious sexual assaults, harassment and bullying and in one case forced staff in its integrity unit to sign non-disclosure contracts or face disciplinary action.
It also faces accusations of an entrenched culture of misogyny and discrimination, which has led to renewed calls for the release of a report by the Victorian Equal Opportunity and Human Rights Commission.
The report was suppressed in 2018 after a legal challenge by the powerful United Firefighters Union.
The IT consultant who worked briefly for the CFA said he raised concerns in early 2019 about the organisation’s mandatory self-assessment and reporting requirements within the Victorian Protective Data Security Standards.
Victorian government agencies are required to provide a high-level “protective data security plan” every two years to the Office of the Victorian Information Commissioner (OVIC) to show their level of compliance.
The former CFA contractor noticed inconsistencies between an internal audit completed by Ernst & Young for the CFA and the report they submitted to the OVIC. The version submitted to the OVIC made the organisation look partially compliant when it was not and hid the fact that the CFA was vulnerable to phishing or hacking, the man said.
“They’d gone in and … altered reports to the audit office. Their internal audit done by Ernst & Young, it differed from the reports they sent into OVIC of their security and data compliance,” he said.
He raised it with his manager and was told the differences were “just wordsmithing”.
“I said, 'This is not wordsmithing, this is saying you’re compliant with these practices,” he said.
“Out of the 18 measures you have to be compliant with the audit, you’ve just doctored five or six out of 13 to make them compliant without evidence and without attachments. So how can you send this stuff in?”
The man, now semi-retired, has worked for several large companies and organisations but said working for the CFA was the worst experience of his professional career. He said the CFA had a reputation as a “no-go zone” in the IT sector because of complaints and issues not being dealt with by management.
An internal investigation into the man’s claims completed in March last year and obtained by The Age recommended an external forensic auditor experienced in IT be engaged to investigate, and that IBAC should be alerted to the complaint.
“This is a serious allegation which if true could leave CFA exposed … to a serious security breach that could affect key mission critical operations systems during fire season,” he wrote.
The investigator also found that falsely reporting to VPDSS could result in legal action, adverse publicity, reputational damage and IBAC involvement.
Most Viewed in National
From our partners
Source: Read Full Article