Integrity Maturity Framework

The Commonwealth Integrity Maturity Framework is a set of 8 integrity principles derived from the key Commonwealth integrity laws, policies and procedures. Each principle summarises the corresponding governance obligations and controls.

Each integrity principle is accompanied by a 4-level maturity scale, with each level of maturity building on the previous level.



Overarching maturity index

Level 1
  • Values and integrity expectations are not promoted by leaders or well understood by employees.
  • The entity has an unclear approach to integrity meaning that is partially or not documented.
  • The entity monitors and evaluates organisational integrity based only on meeting compliance obligations.
Level 2
  • Leaders communicate values and integrity expectations and employees understand and can explain their purpose.
  • The entity is tailoring its integrity approach to Commonwealth integrity standards and resources, and its mandate, powers and functions.
  • Integrity initiatives are responsive, planned for and coordinated, but not yet integrated.
  • The entity monitors and evaluates organisational integrity based on risk assessments encompassing employees and third parties.
Level 3
  • Values and integrity expectations are upheld by employees and third parties and integrated into business, including recruitment, procurement and grants.
  • The entity has a clear, documented approach to integrity policies and procedures.
  • Integrity initiatives are fit-for-purpose, adequately resourced and continuously refined.
  • The entity monitors and evaluates organisational integrity based on analysis of integrity breaches, results of risk assessments, and employee engagement at all levels.
Level 4
  • Values and integrity expectations are modelled and reinforced by leaders and practised by employees and third parties who fulfil their obligations.
  • Integrity is fully integrated into all decision-making and planning.
  • Integrity initiatives are flexible enough to meet integrity challenges and respond to new risks.
  • The entity monitors and evaluates organisational integrity based on ongoing assessment and with a goal of continuous improvement.


Integrity principles and maturity indicators

Principle 1: Values and Code of Conduct

  1. Impartial: apolitical, unbiased, frank, honest and timely
  2. Committed to Service: professional, objective, innovative, efficient and collaborative
  3. Accountable: open and accountable to the Australian community
  4. Respectful and Inclusive: promoting equality and diversity of all people, including their gender, race, sex, heritage, culture, rights and ability
  5. Safety and Wellbeing: health and safety obligations are upheld; people are physically and psychologically safe at work
  6. Ethical: demonstrate leadership, be trustworthy, act with integrity, honesty, truthfulness, and accuracy
  7. Merit-based decision-making: decisions consider evidence, equity, legality and value for money and are transparent and accountable.
  8. Stewardship: look ahead, meet future challenges, be self-critical; sustain wisdom, expertise and continuity; build partnerships and the capability of others; remain steadfast to the public interest and sustain a culture of integrity
Code of Conduct
  1. Obligations of honesty, integrity, care, diligence, safety, respect, courtesy; avoidance (and prevention) of bullying, harassment and discrimination
  2. Compliance with laws and reasonable directions
  3. Maintain appropriate confidentiality
  4. Not provide false or misleading information
  5. Avoid and manage actual, perceived and potential conflicts of interest, and declare material personal interests
  6. Proper, efficient, effective, economical and ethical use of resources
  7. Not misuse duties, status, power or authority to gain a benefit or to cause detriment
  8. Uphold the integrity and good reputation of the entity and the Australian public service
  9. Maintain capability to investigate, sanction and record breaches of the Code along with avenues for appeal and review
Principle 1: Integrity Maturity Indicators
Level 1
  • Values: Values have not been established.
  • Code of Conduct: In place to meet compliance obligations but not widely promoted.
  • Investigations: Capability to investigate, address and learn from breaches of the Code is lacking (e.g. inadequate resourcing or training, insufficient policies and processes).
Level 2
  • Values: Values and other direction-setting statements (e.g. remit, vision and mission) have been developed and are promoted by leaders.
  • Code of Conduct: Employees are aware of the Code of Conduct, can explain its purpose and know where to find it.
  • Investigations: Procedures and guidance on investigating breaches of the Code have been implemented and basic case information is used for reporting.
Level 3
  • Values: Entity head, leaders, line managers and employees are all aware of the entity’s Values.
  • Code of Conduct: Leaders and line managers consistently promote the Code of Conduct and compliance is monitored (e.g. through performance management processes).
  • Investigations: Potential breaches of the Code are investigated and addressed; there is a quality assurance process in place to check for consistent application of procedures; and a centralised system is used to monitor case progress, analyse trends and outcomes, and generate reports.
Level 4
  • Values: Values are regularly promoted within the entity and externally to all stakeholders (e.g. published on the internet, in application information).
  • Code of Conduct: The Code of Conduct is promoted and applied consistently across employees, labour hire, contractors and suppliers.
  • Investigations: Results of investigations into breaches of the Code (by employees, former employees, labour hire, contractors and suppliers) are used to refine integrity policies and procedures as part of continuous improvement and self-review processes.


Principle 2: Integrity knowledge and performance management

Implement standards and systems governing:

  1. The knowledge and capabilities required by employees soon after entry and at key stages of career to ensure they can effectively implement integrity policies and procedures
  2. How agreed values are best addressed when assessing an employee’s performance
  3. Considering a person’s ability to model, champion and advance institutional integrity in leadership/management, recruitment and performance reviews
  4. Each head of entity, in their annual performance report, explicitly addressing their success in achieving high professional standards of conduct, delivery and stewardship in the entity they lead
Principle 2: Integrity Maturity Indicators
Level 1
  • Performance Management: Integrity is not explicitly referenced in employee duty statements or performance agreements.
  • Education: Integrity education is provided upon induction.
Level 2
  • Performance Management: Integrity is referenced in employee duty statements and performance agreements, but there are no mechanisms to ensure consistency of assessment.
  • Education: Integrity education is provided to help manage key integrity risks (e.g. conflict of interest, information management).
Level 3
  • Performance Management: Integrity is a core consideration in employee duty statements and performance agreements and consistently monitored in performance assessments.
  • Education: Integrity education is available at various stages of career development and feedback is collected and analysed with a view to continuous improvement.
Level 4
  • Performance Management: Individuals are assessed (e.g. randomly and periodically) to determine if and how integrity knowledge is being applied in practice in the workplace.
  • Education: Integrity education is tailored to high-risk roles, based on individual and organisational risk factors and, where relevant, in place for external stakeholders (e.g. labour hire employees, contractors and suppliers).


Principle 3: Integrity policies, resources and systems

  1. Maintain policies governing:
    1. gifts and benefits
    2. outside employment or volunteering
    3. information management and record-keeping
    4. privacy and confidentiality
    5. roles and responsibilities regarding the reporting and management of potential misconduct
    6. impartiality, including use of social media and political activity
    7. diversity, inclusion and respectful workplace behaviours
  2. Provide access to integrity advice
  3. Maintain systems to report and manage:
    1. actual, perceived and potential conflict of interest and declarations of associations, assets and interests
    2. suspected misconduct, bullying, harassment, unlawful discrimination, fraud or corruption, including suspected wrongdoing under the Public Interest Disclosure Act, and information on how to contact authorised officers
    3. responses to ethical failures
    4. protection of reporting persons or witnesses
    5. gifts, benefits, hospitality, entertainment, and sponsored travel
Principle 3: Integrity Maturity Indicators
Level 1
  • Integrity policies, resources and systems: Not tailored to the entity’s functions or risks.
  • Awareness and advice: Employees are unsure about where to find advice/report on integrity matters as it is not documented but left to individual line managers.
Level 2
  • Integrity policies, resources and systems: Being developed and implemented to manage identified integrity risks. A position or team has been assigned to develop a policy register to record what policies exist, who owns them and their currency.
  • Awareness and advice: Employees know that line managers and certain functional area leaders (e.g. finance, human resources) provide advice about integrity matters.
Level 3
  • Integrity policies, resources and systems: Established and proportionate to specific integrity risks. A position or team manages the policy register to ensure policy owners are undertaking scheduled reviews.
  • Awareness and advice: The entity has a centralised ‘integrity’ function which provides consistent advice. Employees are aware of and seek advice from the integrity function.
Level 4
  • Integrity policies, resources and systems: Reviewed and improved continuously to address changes to the entity’s mandate, powers, functions and integrity risks.
  • Awareness and advice: The integrity function receives ongoing training to improve the quality of its integrity advice.


Principle 4: Integrity risk management

  1. Ensure principles of the risk management framework are integrated in the entity’s integrity framework to ensure consistency
  2. Ensure integrity and risk management is embedded in key business processes—such as governance, project planning, fraud control, audit, procurement, recruitment and assurance
  3. Assign responsibilities for managing and monitoring risk and integrity
  4. Develop a positive risk and pro-integrity culture—where:
    1. leaders, managers and supervisors consistently and positively role-model and discuss the importance of managing risk and encouraging a positive integrity culture
    2. employees talk openly and honestly about risk and integrity, raising concerns with authority figures, and those being challenged respond positively
    3. officials understand the risks facing their entity and consistently make appropriate risk-based decisions with the risk appetite of the entity
  5. Communicate and consult about risk and integrity in a timely and effective manner to internal and external stakeholders
  6. Maintain an appropriate level of resources and capability to manage risks, including consideration of the severity of the risks as informed by risk appetite
  7. Regularly review the effectiveness of controls to manage integrity risks – periodically and when there are changes to the operating environment
  8. Work collaboratively to identify and manage any shared integrity risks with other Commonwealth entities and relevant stakeholders

Integrity Controls:
Commonwealth Risk Management Policy

Principle 4: Integrity Maturity Indicators (Commonwealth Risk Management Capability Maturity Model)
  • Risk management policy and framework have been endorsed but not integrated with broader governance.
  • Communication and understanding of risk and development of a pro-integrity culture is ad hoc.
  • Limited resources are applied – employees are not empowered to talk openly about risk or integrity.
  • Risk management policy and framework have been implemented.
  • A common risk language is used, but inconsistently.
  • Accountabilities for risk management are shared with other responsibilities.
  • There are no activities to support the development of a pro-integrity culture.
  • Risk management framework is fully embedded.
  • Risk appetite statement is high-level and qualitative, but there is no structure to support open conversations about integrity.
  • Accountability for managing risk and integrity is clearly defined, and dedicated employees are responsible.
  • Risk and integrity management framework is part of the governance and management framework.
  • Risk appetite and information is linked to strategy and communicated.
  • The risk and integrity management program is reviewed regularly, including level of investment.
  • Risk management policy is integrated with strategic and business planning and updated to identify current, future, emerging and shared risks, which are clearly articulated.
  • Leaders drive risk management capability, and activities to support a pro-integrity culture are in development.
  • Accountability is established for risk at business unit and program levels.
  • Risk management is an integral part of the governance system, including measures to allocate resources and identify, analyse, measure, monitor and report on risks and trends.
  • The risk appetite statement consistently informs decision making.
  • Leaders role-model a pro-integrity culture and encourage employee uptake through communications.


Principle 5: Prevent, detect and manage fraud and corruption

  1. Conduct fraud and corruption risk assessments regularly
  2. Implement a fraud and corruption control plan for identified risks
  3. Prevent fraud and corruption, including by ensuring that officials know what constitutes fraud and corruption, and the risk of fraud and corruption is considered in planning and activities
  4. Detect fraud and corruption and provide a process to report suspected fraud and corruption confidentially
  5. Investigate or deal with fraud and corruption or suspected fraud and corruption, and record and report fraud and corruption

Integrity Controls:
Commonwealth Fraud Control Framework

Principle 5: Integrity Maturity Indicators
Level 1
  • Prevention: No appropriate mechanisms for preventing fraud and corruption, including infrequent fraud and corruption risk assessments (more than every 2 years) and inconsistent, minimal training.
  • Detection & Reporting: Reporting pathways exist to meet compliance obligations (e.g. public interest disclosure) but are not widely promoted and are not trusted (e.g. due to fear of repercussions or lack of response). No other proactive detection approaches.
  • Culture: Countering fraud and corruption is not resourced (e.g. no designated role or budget), and viewed by the entity’s executive staff as unimportant or not a priority.
Level 2
  • Prevention: Limited approach to fraud and corruption risk assessments (every 2 years), control plans and general training to meet minimum compliance requirements. No controls testing.
  • Detection & Reporting: Reporting pathways are being developed for employees and external stakeholders. These are clear and concise, and include external avenues and strong statements about protection for those who speak up. Other detection methods are under consideration.
  • Culture: Fraud and corruption control is minimally resourced (e.g. as part of a multi-function role or team), with some engagement at executive levels within the entity.
Level 3
  • Prevention: Proactive fraud and corruption risk assessments, controls are occasionally tested and control plans reviewed. All staff must complete mandatory induction and periodic fraud and corruption training. Ad hoc approach to testing effectiveness of controls.
  • Detection & Reporting: Reporting pathways are in place, and employees are aware of these pathways and make reports. Pathways are available for external stakeholders to report integrity matters and for anonymous reporting. Ad hoc internal and systems audits are undertaken to detect fraud and corruption.
  • Culture: The entity understands that countering fraud and corruption is critical to their programs and provides dedicated resources (e.g. through a dedicated role or team and budget line), and its leadership is actively involved in this effort.
Level 4
  • Prevention: Fraud and corruption risk assessments are embedded in activities of the entity and regularly reviewed. Controls are tested and performance benchmarked for continuous improvement. All staff complete mandatory training, and attendance is tracked and reported.
  • Detection: Reports are received regularly and reporters are provided timely follow-up. Data on reporting and response times is used to enhance and improve the mechanism. Regular internal and systems audits are completed to detect fraud and corruption; external integrity audits are also performed.
  • Culture: The entity has a culture that views countering fraud and corruption as a necessary, non-negotiable priority, including regular audit and refinement of processes, tools and allocated resources.

(*note: maturity indicators in Principle 1 relating to Code of Conduct investigations also relate to fraud/corruption investigations under this Principle)


Principle 6: Integrity in public resource management

  1. Uphold efficient, effective, economical and ethical use and management of public resources including as part of demonstrating value for money
  2. Maintain probity, accountability and transparency in the management of public resources, including assessment and provision of grants and procurement, and avoidance of political or other bias
  3. Contractors to declare conflicts of interest, not act fraudulently, and comply with all relevant Commonwealth laws and policies, including relevant APS or entity code of conduct provisions
  4. Officials to behave ethically and to manage the risk of fraud and/or unethical or corrupt conduct by the supplier or employees, including, depending on ethical risk, the use of a Probity Plan, a Fraud Control Plan and/or a Supply Chain Risk Plan
  5. Manage the risk of unethical supplier practices, such as actual, perceived or potential conflicts of interest, fraud, corruption, tax avoidance, and modern slavery

Integrity Controls:
PGPA Act and PGPA Rule
Commonwealth Grants Rules and Guidelines
Australian Government Contract Management Guide
Resource Management Framework
Commonwealth Procurement Rules
Policy on Ethics and Probity in Procurement

Principle 6: Integrity Maturity Indicators
Level 1
  • Policies and procedures: The entity has a standard set of templates and processes for procurement, contract management and grants to meet compliance obligations. No due diligence is undertaken.
  • Risk: Plans to identify the risk of corruption, fraud and unethical practice in procurement, contract management and/or grants are put in place to meet compliance requirements.
  • Third party integrity obligations: Contracts do not systematically set out integrity obligations for contracted or funded third parties.
Level 2
  • Policies and procedures: The level of attention to integrity and due diligence in resource management, procurement, contract management and grants usually depends on local circumstances and individual initiative. Ad hoc due diligence is undertaken.
  • Risk: Risks are identified and assessed but not systematically mitigated or monitored.
  • Third party integrity obligations: The integrity obligations of contracted or funded third parties are specified in contracts/agreements but not implemented by the entity (e.g. abatement points not applied; due diligence not undertaken).
Level 3
  • Policies and procedures: The entity maintains and promotes policies and procedures to support integrity and due diligence in resource management, procurement, contract management and grants.
  • Risk: Risks are identified, assessed and mitigated with inconsistent monitoring.
  • Third party integrity obligations: The integrity obligations of contracted or funded third parties are specified in tender documents, contracts and supplier briefings and breaches are investigated and addressed.
Level 4
  • Policies and procedures: Employees responsible for resource management, procurement, contract management and grants understand and apply the integrity and due diligence policies and procedures, upholding probity, accountability and transparency and avoiding political or other bias.
  • Risk: Risks are managed through effective, proportionate and systematic identification, assessment, mitigation and monitoring, and the development and implementation of risk documentation such as a probity plan, fraud and corruption control plan and/or supply chain risk plans where needed to manage risk.
  • Third party integrity obligations: The integrity obligations of contracted and funded third parties are aligned with the entity’s own integrity framework, understood and implemented.


Principle 7: Protect people, information and assets

  1. Assess and manage risks to the security of people, information and assets, and share information on risks as appropriate
  2. Screen and vet personnel and contractors to assess their eligibility and suitability, including integrity and honesty
  3. Assess and manage the ongoing suitability of personnel, and share relevant, appropriate concerns
  4. Ensure contractors comply with PSPF requirements
  5. Ensure separating personnel are informed of ongoing security obligations
  6. Assess the maturity of security capability and risk culture

Integrity Controls:
Protective Security Policy Framework (PSPF)

Principle 7: Integrity Maturity Indicators
Level 1
  • Some Protective Security Policy Framework (PSPF) core and supporting requirements are implemented although are not well understood across the entity. Security outcomes are not being achieved in some areas.
Level 2
  • The majority of PSPF core and supporting requirements are implemented, broadly managed and understood across the entity. The entity is largely meeting security outcomes.
Level 3
  • All PSPF core and supporting requirements are implemented, integrated into business practices and effectively disseminated across the entity. The entity meets security outcomes.
Level 4
  • All PSPF core and supporting requirements are implemented, effectively integrated and exceeding security outcomes. The entity’s implementation of better-practice guidance drives achieving high performance.

(*note: based on Protective Security Policy Framework (PSPF) Maturity Self-Assessment Model)


Principle 8: Monitor and evaluate organisational integrity

Monitor and evaluate integrity performance, including periodically assessing the maturity of the institution’s management of integrity risks, ideally including:

  1. Integrity incident evaluation and response
  2. Integrity testing (where available)
  3. A participative assessment and learning process involving a cross-section of employees, informed by integrity metrics, monitoring and reporting
  4. Identification of current and emerging integrity threats and vulnerabilities associated with the entity’s mandate, powers and functions, and consequent integrity risks
  5. Consideration of the likelihood and potential harm of integrity risks
  6. Identify and assess risks that require improved or new governance controls
  7. Recommending the implementation and monitoring of governance controls to mitigate risks
  8. Assessment of the level of maturity of the integrity governance system
  9. Reporting, and decision making, on recommendations to reach desired maturity levels, and to sustain a culture of integrity where institutional systems, policies and practices are purposeful, proportionate, legitimate and trustworthy
Principle 8: Integrity Maturity Indicators
Level 1
  • Monitoring: The entity monitors and evaluates organisational integrity based only on meeting compliance obligations.
  • Measurement: Some relevant data is available through human resource or security functions.
  • Governance: There is no dedicated governance process for reviewing integrity reports and issues.
Level 2
  • Monitoring: The entity monitors and evaluates organisational integrity based on risk assessments encompassing employees, contractors and suppliers.
  • Measurement: Integrity measurement is ad-hoc or in response to an integrity-related event or issue. The entity uses basic data to measure integrity and presents information at a point in time.
  • Governance: Integrity-related reporting is reflected within the agency’s established governance, risk and/or audit reporting processes.
Level 3
  • Monitoring: The entity monitors and evaluates organisational integrity based on analysis of integrity breaches, results of risk assessments, and employee engagement at all levels.
  • Measurement: The entity is developing an approach to integrity metrics using data collected across its various functions, business and operational areas. The entity uses a broad range of data to inform integrity measurement and monitors change over time.
  • Governance: Integrity is reported through dedicated integrity governance structures and processes and directly informs decision making processes.
Level 4
  • Monitoring: The entity benchmarks and periodically assesses the maturity of its management of integrity risks, and implements measures to reach desired maturity levels and sustain a culture of integrity.
  • Measurement: Integrity measurement and reporting is an ongoing, frequent, routine business function (e.g. a standing agenda item at Executive Board meetings).
  • Governance: The entity head is provided with regular reports about the integrity framework including recommendations for improvement, and can provide assurance to external integrity bodies and other stakeholders (e.g. board, minister) that the approach to integrity is sound.
